| author | mo khan <mo@mokhan.ca> | 2025-06-24 14:36:58 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-06-24 14:36:58 -0600 |
| commit | 85490a4cfa7f3836d3d2f1e7cbfe48b668aa484b (patch) | |
| tree | 3fb62e5566ef838187b8568f9e71d0495f24d812 /src/authorization/check_service.rs | |
| parent | a0537b163037a92652ec92c1f47945e0572bb76e (diff) | |
feat: connect check service to a minimal cedar policy
Diffstat (limited to 'src/authorization/check_service.rs')
| -rw-r--r-- | src/authorization/check_service.rs | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/src/authorization/check_service.rs b/src/authorization/check_service.rs
index 7ca39fcd..a4d0ec7b 100644
--- a/src/authorization/check_service.rs
+++ b/src/authorization/check_service.rs
@@ -1,12 +1,20 @@
 use envoy_types::ext_authz::v3::CheckResponseExt;
 use envoy_types::ext_authz::v3::pb::{CheckRequest, CheckResponse};
+use std::sync::Arc;
 use tonic::{Request, Response, Status};
 use super::authorizer::Authorizer;
-use super::cedar_authorizer::CedarAuthorizer;
-#[derive(Debug, Default)]
-pub struct CheckService;
+#[derive(Debug)]
+pub struct CheckService {
+ authorizer: Arc<dyn Authorizer + Send + Sync>,
+}
+
+impl CheckService {
+ pub fn new(authorizer: Arc<dyn Authorizer + Send + Sync>) -> Self {
+ Self { authorizer }
+ }
+}
 #[tonic::async_trait]
 impl envoy_types::ext_authz::v3::pb::Authorization for CheckService {
@@ -16,8 +24,7 @@ impl envoy_types::ext_authz::v3::pb::Authorization for CheckService {
 ) -> Result<Response<CheckResponse>, Status> {
 let request = request.into_inner();
- let authorizer = CedarAuthorizer::new();
- if authorizer.authorize(request) {
+ if self.authorizer.authorize(request) {
 Ok(Response::new(CheckResponse::with_status(Status::ok("OK"))))
 } else {
 Ok(Response::new(CheckResponse::with_status(
@@ -30,9 +37,11 @@ impl envoy_types::ext_authz::v3::pb::Authorization for CheckService {
 #[cfg(test)]
 mod tests {
 use super::*;
+ use super::super::cedar_authorizer::CedarAuthorizer;
 use envoy_types::ext_authz::v3::pb::{Authorization, CheckRequest};
 use envoy_types::pb::envoy::service::auth::v3::{AttributeContext, attribute_context};
 use std::collections::HashMap;
+ use std::sync::Arc;
 use tonic::Request;
 fn create_test_request_with_headers(headers: HashMap<String, String>) -> Request<CheckRequest> {
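Review bot: `CheckService::new` and the `authorizer` field become the public way to build the service but carry no doc comments, and nothing records why `Default` was dropped from the derive list. I would put `/// Envoy ext_authz `Authorization` service; every CheckRequest is delegated to the injected policy engine.` on the struct, `/// Shared policy engine; `Send + Sync` because tonic dispatches requests from multiple worker threads.` on the field, and a one-line `///` on `new` noting the engine is held behind an `Arc` so one instance can back several service handles. Dropping `Default` looks intentional (the service can no longer exist without an authorizer, which is the safer direction), so a short note on the struct would save the next reader a search through history.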
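Review bot: `self.authorizer.authorize(request)` reduces the decision to a bare `bool`, so at this call site an authorizer-side failure (unparseable policy, malformed attributes) is indistinguishable from a deliberate deny; the `Authorizer` trait is outside the hunk, so I cannot tell whether it can report errors at all. Fail-closed is the right default, but the deny arm emits nothing, so a policy misconfiguration would surface only as a wave of 401s at the proxy with no server-side trace. If the trait grows a `Result` (or an enum with an error variant), mapping that arm to `Status::internal` and logging it here keeps the closed-by-default behaviour while making it diagnosable. The request is also moved into `authorize`, so nothing from it can be attached to the deny response or a log line afterwards; `&CheckRequest` would suffice for a read-only check.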
@@ -68,7 +77,8 @@ mod tests {
 #[tokio::test]
 async fn test_check_allows_valid_bearer_token() {
 let token = String::from("valid-token");
- let server = CheckService::default();
+ let authorizer = Arc::new(CedarAuthorizer::new());
+ let server = CheckService::new(authorizer);
 let headers = create_headers_with_auth(&format!("Bearer {}", token));
 let request = create_test_request_with_headers(headers);
@@ -78,12 +88,13 @@ mod tests {
 let check_response = response.unwrap().into_inner();
 assert!(check_response.status.is_some());
 let status = check_response.status.unwrap();
- assert_eq!(status.code, tonic::Code::Ok.into());
+ assert_eq!(status.code, tonic::Code::Ok as i32);
 }
 #[tokio::test]
 async fn test_check_denies_invalid_bearer_token() {
- let server = CheckService::default();
+ let authorizer = Arc::new(CedarAuthorizer::new());
+ let server = CheckService::new(authorizer);
 let request = create_test_request_with_headers(HashMap::new());
 let response = server.check(request).await;
@@ -92,6 +103,6 @@ mod tests {
 let check_response = response.unwrap().into_inner();
 assert!(check_response.status.is_some());
 let status = check_response.status.unwrap();
- assert_eq!(status.code, tonic::Code::Unauthenticated.into());
+ assert_eq!(status.code, tonic::Code::Unauthenticated as i32);
 }
 }
|
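Review bot: Both tests build the real engine via `Arc::new(CedarAuthorizer::new())`, so they pin the behaviour of the bundled policy rather than `CheckService`'s own contract, which is the allow→`Ok` / deny→`Unauthenticated` mapping. Now that the service accepts `Arc<dyn Authorizer + Send + Sync>`, a tiny in-module double makes that mapping testable without a policy and stops these tests from silently turning into policy tests as the Cedar rules grow. Assuming the trait is `fn authorize(&self, CheckRequest) -> bool` as the call site suggests, a stub like the one below, used as `CheckService::new(Arc::new(Fixed(true)))`, would do; the Cedar-backed tests can stay as integration coverage. The test function's body continues into the next hunk.
```rust
struct Fixed(bool);
impl Authorizer for Fixed {
    fn authorize(&self, _request: CheckRequest) -> bool { self.0 }
}
```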
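Review bot: `test_check_denies_invalid_bearer_token` sends `create_test_request_with_headers(HashMap::new())`, i.e. no `Authorization` header at all, so despite its name it covers the missing-credential path and never exercises a present-but-invalid token. An authorizer that accepted any non-empty bearer would still pass this test. Either rename it to `test_check_denies_missing_authorization_header` or add a sibling that sends `create_headers_with_auth("Bearer not-a-valid-token")` and expects `Unauthenticated`; a third case with a non-bearer scheme (`Basic ...`) would round out the negative coverage. The function's body continues into the following hunk.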
