| -rw-r--r-- | Dockerfile | 2 | ||||
| -rw-r--r-- | etc/authzd/policy0.cedar (renamed from policies/auth_policy.cedar) | 4 | ||||
| -rw-r--r-- | src/authorization/cedar_authorizer.rs | 11 | ||||
| -rw-r--r-- | src/main.rs | 2 | ||||
| -rw-r--r-- | tests/authorization/cedar_authorizer_test.rs | 10 | ||||
| -rw-r--r-- | tests/authorization/check_service_test.rs | 4 | ||||
| -rw-r--r-- | tests/integration_tests.rs | 4 |
7 files changed, 14 insertions, 23 deletions
@@ -10,5 +10,5 @@ FROM gcr.io/distroless/static-debian12:nonroot
 EXPOSE 50051
 WORKDIR /var/www
 COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/authzd /bin/authzd
-COPY --from=builder /app/policies /etc/authzd/policies
+COPY --from=builder /app/etc/authzd /etc/authzd
 ENTRYPOINT ["/bin/authzd"]
diff --git a/policies/auth_policy.cedar b/etc/authzd/policy0.cedar
index c7eb6ce5..e01182c5 100644
--- a/policies/auth_policy.cedar
+++ b/etc/authzd/policy0.cedar
@@ -1,13 +1,9 @@
-// Authorization policies for the authzd service
-
-// Allow requests with valid Bearer tokens
 permit(principal, action == Action::"check", resource) when { context has bearer_token && context.bearer_token == "valid-token" };
-// Allow static assets to pass through without authentication
 permit(principal, action == Action::"check", resource) when { context has path &&
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
index fb85012e..568bafbc 100644
--- a/src/authorization/cedar_authorizer.rs
+++ b/src/authorization/cedar_authorizer.rs
@@ -14,21 +14,16 @@ pub struct CedarAuthorizer {
 }
 impl CedarAuthorizer {
-pub fn new() -> CedarAuthorizer {
-let policy_src = include_str!("../../policies/auth_policy.cedar");
-let policies = policy_src.parse().expect("Failed to parse Cedar policies");
-let authorizer = CedarAuth::new();
-
+pub fn new(policies: cedar_policy::PolicySet) -> CedarAuthorizer {
 CedarAuthorizer {
 policies,
-authorizer,
+authorizer: CedarAuth::new(),
 }
 }
 }
-
 impl Default for CedarAuthorizer {
 fn default() -> Self {
-Self::new()
+Self::new(PolicySet::default())
 }
 }
diff --git a/src/main.rs b/src/main.rs
index d847a2ee..1a3ff00c 100644
--- a/src/main.rs
+++ b/src/main.rs
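Review bot: `impl Default for CedarAuthorizer` now wraps `PolicySet::default()`, an empty policy set, and nothing in this commit loads the `.cedar` files the Dockerfile copies to `/etc/authzd`, so with Cedar's default-deny semantics every `check` is denied once `src/main.rs` switches to `CedarAuthorizer::default()`; unless a loader exists outside this diff, the `allows_*` tests in `tests/authorization/cedar_authorizer_test.rs`, `tests/authorization/check_service_test.rs` and `tests/integration_tests.rs` that make the same switch cannot pass either. Failing closed is the right direction, but the empty default should be documented so nobody treats it as the production constructor, e.g. `/// Authorizer with an empty policy set: every request is denied. Production code must load the policy files into a PolicySet and call new.` The new signature spells the type `cedar_policy::PolicySet` while `default` uses the bare `PolicySet`, so the import is already in scope and `pub fn new(policies: PolicySet) -> CedarAuthorizer {` reads more consistently. The struct's fields sit above the hunk, and the removed blank line between the two `impl` blocks is one rustfmt will reinsert.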
@@ -14,7 +14,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
 let (_health_reporter, health_service) = tonic_health::server::health_reporter();
-let authorizer = Arc::new(authorization::CedarAuthorizer::new());
+let authorizer = Arc::new(authorization::CedarAuthorizer::default());
 let check_service = authorization::CheckService::new(authorizer);
 let server = Server::builder()
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index b13f48ad..6e1591eb 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -8,7 +8,7 @@ mod tests {
 #[test]
 fn test_cedar_authorizer_allows_valid_token() {
-let authorizer = CedarAuthorizer::new();
+let authorizer = CedarAuthorizer::default();
 let request = create_request(|item: &mut HttpRequest| {
 item.headers = build_with(|item: &mut HashMap<String, String>| {
 item.insert(
@@ -23,7 +23,7 @@ mod tests {
 #[test]
 fn test_cedar_authorizer_denies_invalid_token() {
-let authorizer = CedarAuthorizer::new();
+let authorizer = CedarAuthorizer::default();
 let mut headers = HashMap::new();
 headers.insert(
 "authorization".to_string(),
@@ -39,7 +39,7 @@ mod tests {
 #[test]
 fn test_cedar_authorizer_denies_missing_header() {
-let authorizer = CedarAuthorizer::new();
+let authorizer = CedarAuthorizer::default();
 let headers = HashMap::new();
 let request = create_request(|item: &mut HttpRequest| {
 item.headers = headers;
@@ -51,7 +51,7 @@ mod tests {
 #[test]
 fn test_cedar_authorizer_allows_static_assets() {
-let authorizer = CedarAuthorizer::new();
+let authorizer = CedarAuthorizer::default();
 let mut headers = HashMap::new();
 headers.insert(":path".to_string(), "/public/style.css".to_string());
 let request = create_request(|item: &mut HttpRequest| {
@@ -64,7 +64,7 @@ mod tests {
 #[test]
 fn test_cedar_authorizer_allows_js_assets() {
-let authorizer = CedarAuthorizer::new();
+let authorizer = CedarAuthorizer::default();
 let mut headers = HashMap::new();
 headers.insert(":path".to_string(), "/app.js".to_string());
 let request = create_request(|item: &mut HttpRequest| {
diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs
index 0582417e..a739b16a 100644
--- a/tests/authorization/check_service_test.rs
+++ b/tests/authorization/check_service_test.rs
@@ -11,7 +11,7 @@ mod tests {
 #[tokio::test]
 async fn test_check_allows_valid_bearer_token() {
 let token = create_token();
-let server = CheckService::new(Arc::new(CedarAuthorizer::new()));
+let server = CheckService::new(Arc::new(CedarAuthorizer::default()));
 let mut headers = HashMap::new();
 headers.insert("authorization".to_string(), format!("Bearer {}", token));
@@ -30,7 +30,7 @@ mod tests {
 #[tokio::test]
 async fn test_check_denies_invalid_bearer_token() {
-let authorizer = Arc::new(CedarAuthorizer::new());
+let authorizer = Arc::new(CedarAuthorizer::default());
 let server = CheckService::new(authorizer);
 let request = tonic::Request::new(create_request(|item: &mut HttpRequest| {
 item.headers = HashMap::new();
diff --git a/tests/integration_tests.rs b/tests/integration_tests.rs
index 56321acb..a265c2be 100644
--- a/tests/integration_tests.rs
+++ b/tests/integration_tests.rs
@@ -9,7 +9,7 @@ mod common;
 #[tokio::test]
 async fn test_success_response() {
-let authorizer = Arc::new(CedarAuthorizer::new());
+let authorizer = Arc::new(CedarAuthorizer::default());
 let server = CheckService::new(authorizer);
 let request = tonic::Request::new(factory_bot::create_request(|item: &mut HttpRequest| {
 item.headers = factory_bot::build_headers(vec![(
@@ -30,7 +30,7 @@ async fn test_success_response() {
 #[tokio::test]
 async fn test_multiple() {
-let authorizer = Arc::new(CedarAuthorizer::new());
+let authorizer = Arc::new(CedarAuthorizer::default());
 let server = CheckService::new(authorizer);
 let test_cases = vec