-rw-r--r--etc/authzd/policy1.cedar12
-rw-r--r--etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json8
-rw-r--r--src/authorization/entities.rs2
-rw-r--r--src/gitlab/member.rs2
-rw-r--r--tests/authorization/cedar_authorizer_test.rs14
-rw-r--r--tests/support/factory_bot.rs7
6 files changed, 31 insertions, 14 deletions
diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar
index 2306aaae..15776ab7 100644
--- a/etc/authzd/policy1.cedar
+++ b/etc/authzd/policy1.cedar
@@ -16,3 +16,15 @@ when
context.path == "/sparkles")) ||
(context.method == "POST" && (context.path == "/sparkles/restore"))))
};
+
+permit (
+ principal is User,
+ action == Action::"POST",
+ resource == Resource::"/sparkles"
+)
+when
+{
+ context has host &&
+ context.host == "sparkle.staging.runway.gitlab.net" &&
+ principal has username
+};
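Review bot: `principal has username` on the new permit is only an attribute-presence check, and since EntitiesRepository writes `username` for every member it loads (src/authorization/entities.rs hunk), every User in the entity store satisfies it; together with `access_level` being removed from `Member` and from the entity attrs (src/gitlab/member.rs and src/authorization/entities.rs hunks), policies can no longer distinguish members by role, so POST on `/sparkles` for the staging host is granted to any user the store knows. If that is the intent, state it above the policy, e.g. `// Any member present in the entity store may POST /sparkles on staging; role is not consulted.`; otherwise the `when` clause needs a condition tied to identity or role rather than attribute presence. The deny case in tests/authorization/cedar_authorizer_test.rs gives User "1" a username too, so it only holds if that test evaluates a different policy or a context without `host` — worth confirming.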
diff --git a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
index ef479736..72d50bce 100644
--- a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
+++ b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
@@ -22,9 +22,7 @@
"id": "1675940"
},
"attrs": {
- "username": "mokhax",
- "name": "mo khan",
- "access_level": 50
+ "username": "mokhax"
},
"parents": []
},
@@ -34,9 +32,7 @@
"id": "1676317"
},
"attrs": {
- "username": "jayswain",
- "name": "Jay Swain",
- "access_level": 30
+ "username": "jayswain"
},
"parents": []
},
diff --git a/src/authorization/entities.rs b/src/authorization/entities.rs
index a26cace2..dd5894f8 100644
--- a/src/authorization/entities.rs
+++ b/src/authorization/entities.rs
@@ -75,8 +75,6 @@ impl EntitiesRepository {
},
attrs: serde_json::json!({
"username": member.username,
- "name": member.name,
- "access_level": member.access_level,
}),
parents: vec![],
});
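Review bot: `username` is now the only attribute exported to Cedar, while `Member.state` is still deserialized (src/gitlab/member.rs hunk) but never reaches the entity; unless code above this hunk filters on `member.state`, a blocked or inactive member is written as an ordinary User and passes a `principal has username` check. Either export it, `"state": member.state,` next to the username line, or filter before the push, so a policy can require an active member. The enclosing method of `impl EntitiesRepository` starts outside the hunk.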
diff --git a/src/gitlab/member.rs b/src/gitlab/member.rs
index 0b4997e9..7e7f212e 100644
--- a/src/gitlab/member.rs
+++ b/src/gitlab/member.rs
@@ -4,7 +4,5 @@ use serde::Deserialize;
pub struct Member {
pub id: u64,
pub username: String,
- pub name: String,
pub state: String,
- pub access_level: u8,
}
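Review bot: Nothing on `Member` records that the struct is deliberately a subset of the GitLab member record, so the dropped fields are likely to be re-added the next time someone needs them in a policy. Assuming the derive above the hunk does not set `deny_unknown_fields`, a doc comment such as `/// Subset of a GitLab member record; fields not listed here are ignored on deserialization and never reach Cedar.` would make the contract explicit. The derive line for the struct is outside the hunk.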
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index f2dfebd4..f056c8c7 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -91,12 +91,22 @@ mod tests {
]);
});
- let user = build_user("1675940");
+ let mut attrs = std::collections::HashMap::new();
+ attrs.insert(
+ "username".to_string(),
+ cedar_policy::RestrictedExpression::new_string("tanuki".to_string()),
+ );
+ let user = build_user("1675940", attrs);
let entities = cedar_policy::Entities::from_entities([user], None).unwrap();
let authorizer = subject_with(entities);
assert!(authorizer.authorize(request.clone()));
- let user = build_user("1");
+ let mut attrs = std::collections::HashMap::new();
+ attrs.insert(
+ "username".to_string(),
+ cedar_policy::RestrictedExpression::new_string("root".to_string()),
+ );
+ let user = build_user("1", attrs);
let entities = cedar_policy::Entities::from_entities([user], None).unwrap();
let authorizer = subject_with(entities);
assert!(!authorizer.authorize(request.clone()));
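Review bot: Both cases now give the principal a `username`, so the `principal has username` condition introduced in etc/authzd/policy1.cedar is never exercised on its false branch; a third case built with `let user = build_user("1675940", std::collections::HashMap::new());` would show whether the attribute requirement is what actually gates the decision. The duplicated map construction could also be collapsed to `std::collections::HashMap::from([("username".to_string(), cedar_policy::RestrictedExpression::new_string("tanuki".to_string()))])`. The enclosing test function and the `request` it uses start outside the hunk.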
diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs
index 969080a3..ba0d9c38 100644
--- a/tests/support/factory_bot.rs
+++ b/tests/support/factory_bot.rs
@@ -58,13 +58,16 @@ where
f(build_channel(addr).await)
}
-pub fn build_user(id: &str) -> cedar_policy::Entity {
+pub fn build_user(
+ id: &str,
+ attrs: std::collections::HashMap<String, cedar_policy::RestrictedExpression>,
+) -> cedar_policy::Entity {
cedar_policy::Entity::new(
cedar_policy::EntityUid::from_type_name_and_id(
cedar_policy::EntityTypeName::from_str("User").unwrap(),
cedar_policy::EntityId::from_str(id).unwrap(),
),
- std::collections::HashMap::new(),
+ attrs,
std::collections::HashSet::new(),
)
.unwrap()
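Review bot: `build_user` is a pub helper whose new `attrs` parameter is undocumented, and the fact that parents are always empty is easy to miss from the call sites. A doc comment such as `/// Builds a `User` entity with the given id and Cedar attribute map and no parents; unwraps the entity constructors.` above the signature would cover both. The function is complete within the hunk.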