-rw-r--r--app/services/ability.go2
-rw-r--r--pkg/policies/allowed.go29
-rw-r--r--pkg/policies/init.go22
-rw-r--r--pkg/policies/policies_test.go4
4 files changed, 34 insertions, 23 deletions
diff --git a/app/services/ability.go b/app/services/ability.go
index 871a9a9b..2f119dcc 100644
--- a/app/services/ability.go
+++ b/app/services/ability.go
@@ -17,7 +17,7 @@ func NewAbilityService() *AbilityService {
}
func (h *AbilityService) Allowed(ctx context.Context, req *rpc.AllowRequest) (*rpc.AllowReply, error) {
- ok := policies.Allowed(cedar.Request{
+ ok := policies.Allowed(ctx, cedar.Request{
Principal: gid.NewEntityUID(req.Subject),
Action: cedar.NewEntityUID("Permission", cedar.String(req.Permission)),
Resource: gid.NewEntityUID(req.Resource),
diff --git a/pkg/policies/allowed.go b/pkg/policies/allowed.go
new file mode 100644
index 00000000..328ecdbc
--- /dev/null
+++ b/pkg/policies/allowed.go
@@ -0,0 +1,29 @@
+package policies
+
+import (
+ "context"
+
+ "github.com/cedar-policy/cedar-go"
+ "github.com/cedar-policy/cedar-go/types"
+ "github.com/xlgmokha/x/pkg/log"
+)
+
+func Allowed(ctx context.Context, request cedar.Request) bool {
+ ok, diagnostic := All.IsAuthorized(Entities, request)
+
+ log.WithFields(ctx, log.Fields{
+ "ok": "ok",
+ "principal": request.Principal,
+ "action": request.Action,
+ "context": request.Context,
+ "resource": request.Resource,
+ })
+
+ if len(diagnostic.Errors) > 0 {
+ log.WithFields(ctx, log.Fields{"errors": diagnostic.Errors})
+ }
+ if len(diagnostic.Reasons) > 0 {
+ log.WithFields(ctx, log.Fields{"reasons": diagnostic.Reasons})
+ }
+ return ok == types.Allow
+}
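Review bot: The allow/deny outcome never reaches the log: the field on the `"ok"` line is the string literal `"ok"`, not the `ok` value returned by IsAuthorized, so the audit entry for a denied request looks the same as for an allowed one. Change it to `"ok": ok == types.Allow,` (or record the raw decision with `"decision": ok,`). Separately, the return value of `log.WithFields(ctx, ...)` is discarded on all three calls; if that helper returns a logger or context rather than emitting an entry (its definition is not visible here), nothing is written at all, and the removed `Logger.Error().Fields(...)` chain had the same shape, so it is worth a test that a denied request actually produces a log line. Note also that `request.Context` is logged wholesale, so any sensitive attributes a caller places there end up in the log.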
diff --git a/pkg/policies/init.go b/pkg/policies/init.go
index f5225a91..bc270763 100644
--- a/pkg/policies/init.go
+++ b/pkg/policies/init.go
@@ -1,16 +1,13 @@
package policies
import (
+ "context"
"embed"
_ "embed"
- "fmt"
"io/fs"
- "os"
"strings"
"github.com/cedar-policy/cedar-go"
- "github.com/cedar-policy/cedar-go/types"
- "github.com/rs/zerolog"
"github.com/xlgmokha/x/pkg/log"
)
@@ -19,7 +16,6 @@ var files embed.FS
var All *cedar.PolicySet = cedar.NewPolicySet()
var Entities cedar.EntityMap = cedar.EntityMap{}
-var Logger *zerolog.Logger = log.New(os.Stderr, log.Fields{"pkg": "policies"})
func init() {
err := fs.WalkDir(files, ".", func(path string, d fs.DirEntry, err error) error {
@@ -59,20 +55,6 @@ func init() {
})
if err != nil {
- Logger.Err(err)
+ log.WithFields(context.Background(), log.Fields{"error": err})
}
}
-
-func Allowed(request cedar.Request) bool {
- ok, diagnostic := All.IsAuthorized(Entities, request)
- fmt.Printf("%v: %v -> %v %v%v\n", ok, request.Principal, request.Action.ID, request.Context.Map(), request.Resource.ID)
-
- if len(diagnostic.Errors) > 0 {
- log.New(os.Stderr, log.Fields{"errors": diagnostic.Errors})
- Logger.Error().Fields(log.Fields{"errors": diagnostic.Errors}.ToMap())
- }
- if len(diagnostic.Reasons) > 0 {
- Logger.Warn().Fields(log.Fields{"reasons": diagnostic.Reasons}.ToMap())
- }
- return ok == types.Allow
-}
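Review bot: A failure while loading the embedded policies is only logged on the new `log.WithFields(context.Background(), ...)` line and init() then returns normally, so the service starts with whatever subset of policies had been added to `All` before the walk stopped. Cedar denies when no policy matches, but if a forbid policy is the one that fails to parse while its matching permit loaded, the effective policy is more permissive than the checked-in set; whether the walk stops at the first error or continues depends on the callback, which starts outside this hunk, so the partial-load case is inferred. Since the policies are compiled into the binary, a load error is a build defect and failing fast is the safer behaviour: `panic(fmt.Errorf("loading embedded policies: %w", err))` (fmt was dropped from the imports in this commit and would need restoring, or use `panic(err)`).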
diff --git a/pkg/policies/policies_test.go b/pkg/policies/policies_test.go
index 9dc98bcd..d44d049d 100644
--- a/pkg/policies/policies_test.go
+++ b/pkg/policies/policies_test.go
@@ -107,7 +107,7 @@ func TestAllowed(t *testing.T) {
for _, tt := range allowed {
t.Run(fmt.Sprintf("allows: %v/%v %v %v%v", tt.Principal.Type, tt.Principal.ID, tt.Action.ID, tt.Context.Map()["host"], tt.Resource.ID), func(t *testing.T) {
- assert.True(t, Allowed(*tt))
+ assert.True(t, Allowed(t.Context(), *tt))
})
}
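Review bot: `t.Context()` on the assertion line was added in Go 1.24, so this test file only compiles if go.mod declares go 1.24 or newer, which is not visible here. If the module targets an older toolchain, `assert.True(t, Allowed(context.Background(), *tt))` gives the same behaviour for these subtests. The enclosing TestAllowed starts outside the hunk.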
@@ -140,7 +140,7 @@ func TestAllowed(t *testing.T) {
for _, tt := range denied {
t.Run(fmt.Sprintf("denies: %v/%v %v %v%v", tt.Principal.Type, tt.Principal.ID, tt.Action.ID, tt.Context.Map()["host"], tt.Resource.ID), func(t *testing.T) {
- assert.False(t, Allowed(*tt))
+ assert.False(t, Allowed(t.Context(), *tt))
})
}
}