| -rw-r--r-- | etc/authzd/policy0.cedar | 12 | ||||
| -rw-r--r-- | src/authorization/cedar_authorizer.rs | 28 |
2 files changed, 17 insertions, 23 deletions
diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar
index 034e81b5..56457622 100644
--- a/etc/authzd/policy0.cedar
+++ b/etc/authzd/policy0.cedar
@@ -18,3 +18,15 @@ when {
 context.path like "*.html"
 )
 };
+
+permit(principal, action, resource)
+when {
+ context has host && context has method && context has path && (
+ context.host == "sparkle.staging.runway.gitlab.net" &&
+ context.method == "GET" && (
+ context.path == "/" ||
+ context.path == "/app.js" ||
+ context.path == "/callback"
+ )
+ )
+};
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
index f90e8d8b..96a406d8 100644
--- a/src/authorization/cedar_authorizer.rs
+++ b/src/authorization/cedar_authorizer.rs
@@ -78,27 +78,6 @@ impl Authorizer for CedarAuthorizer {
 "Processing HTTP request"
 );
 
- if http_request.host == "sparkle.staging.runway.gitlab.net"
- && http_request.method == "GET"
- && http_request.path == "/"
- {
- return true;
- }
-
- if http_request.host == "sparkle.staging.runway.gitlab.net"
- && http_request.method == "GET"
- && http_request.path == "/application.js"
- {
- return true;
- }
-
- if http_request.host == "sparkle.staging.runway.gitlab.net"
- && http_request.method == "GET"
- && http_request.path == "/callback"
- {
- return true;
- }
-
 match self.map_from(http_request.clone()) {
 Ok(cedar_request) => {
 let entities = Entities::empty();
@@ -109,6 +88,7 @@ impl Authorizer for CedarAuthorizer {
 matches!(response.decision(), cedar_policy::Decision::Allow)
 }
 Err(e) => {
+ println!("error: {}", e);
 tracing::error!(
 error = %e,
 path = %http_request.path,
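Review bot: The new policy permits `/app.js`, but the hard-coded branch it replaces in `src/authorization/cedar_authorizer.rs` (hunk `@@ -78,27 +78,6 @@`) allowed `/application.js`; after this commit `/application.js` is no longer permitted by this rule and `/app.js` is newly permitted, so one of the two spellings looks like a typo. Either change the line to `context.path == "/application.js" ||` or confirm that the asset was renamed as part of this change. Note also that `context.host == "sparkle.staging.runway.gitlab.net"` is an exact, case-sensitive comparison; if `host` is populated from the request's Host header (its source is outside this diff), a value carrying a port suffix or different letter case simply falls through to the remaining policies, which fails closed but deserves a comment on the policy stating that the host value is expected to arrive already normalized.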
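Review bot: The added `println!("error: {}", e);` duplicates the `tracing::error!` call immediately below it and writes an unstructured line to stdout, outside the tracing pipeline and whatever filtering or redaction is configured there; it reads like a debugging leftover. Drop the line, or if a second record is really wanted, emit it through tracing (`tracing::debug!(error = %e, "map_from failed");`) so it carries the same structured fields as the existing log call. The enclosing method body starts and ends outside this hunk.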
@@ -128,9 +108,9 @@ impl CedarAuthorizer {
 let principal = self.principal_from(&http_request)?;
 let permission = self.permission_from(&http_request)?;
 let resource = self.resource_from(&http_request)?;
- let context = self.context_from(http_request);
+ let context = self.context_from(http_request)?;
 
- CedarRequest::new(principal, permission, resource, context?, None)
+ CedarRequest::new(principal, permission, resource, context, None)
 .map_err(|e| Box::new(e) as Box<dyn std::error::Error>)
 }
 
@@ -171,6 +151,8 @@ impl CedarAuthorizer {
 let mut items = std::collections::HashMap::new();
 
 items.insert("bearer_token".to_string(), self.token_from(&http_request));
+ items.insert("host".to_string(), self.safe_string(&http_request.host));
+ items.insert("method".to_string(), self.safe_string(&http_request.method));
 items.insert("path".to_string(), self.safe_string(&http_request.path));
 
 Context::from_pairs(items.into_iter().collect::<Vec<_>>())
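Review bot: The `host` and `method` keys inserted here are the attribute names that `etc/authzd/policy0.cedar` now depends on through `context has host && context has method && context has path`, but nothing in the code records that coupling; renaming a key on either side would silently make the policy's condition false and turn an intended allow into a deny. Add a comment above the inserts such as `// Key names are part of the policy contract: etc/authzd/*.cedar reads context.host, context.method and context.path by these exact names.` Whether `safe_string` normalizes case or strips a port from the host cannot be seen here, so it is worth stating in that comment what the policies may assume about the value. The enclosing method starts outside this hunk.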
