-rw-r--r--src/authorization/cedar_authorizer.rs65
-rw-r--r--tests/authorization/cedar_authorizer_test.rs30
-rw-r--r--tests/authorization/check_service_test.rs14
3 files changed, 81 insertions, 28 deletions
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
index 163f5b83..61142b71 100644
--- a/src/authorization/cedar_authorizer.rs
+++ b/src/authorization/cedar_authorizer.rs
@@ -70,45 +70,70 @@ impl Authorizer for CedarAuthorizer {
None => return false,
};
+ tracing::info!(
+ method = %http_request.method,
+ host = %http_request.host,
+ path = %http_request.path,
+ scheme = %http_request.scheme,
+ protocol = %http_request.protocol,
+ "Processing HTTP request"
+ );
+
if http_request.host == "sparkle.staging.runway.gitlab.net" {
if http_request.method == "GET" && http_request.path == "/" {
+ tracing::info!(
+ host = %http_request.host,
+ "Allowing health check request"
+ );
return true;
}
}
- let headers = match request
- .attributes
- .as_ref()
- .and_then(|attr| attr.request.as_ref())
- .and_then(|req| req.http.as_ref())
- .map(|http| &http.headers)
- {
- Some(headers) => headers,
- None => return false,
- };
+ let headers = &http_request.headers;
- // Extract authorization token
let bearer_token = headers
.get("authorization")
.and_then(|auth| auth.strip_prefix("Bearer "))
.unwrap_or("");
- // Extract request path for static asset checking
- let path = headers
- .get(":path")
- .or_else(|| headers.get("path"))
- .map_or("", |v| v.as_str());
+ tracing::info!(
+ path = %http_request.path,
+ has_bearer_token = !bearer_token.is_empty(),
+ user_agent = ?headers.get("user-agent"),
+ x_request_id = ?headers.get("x-request-id"),
+ content_type = ?headers.get("content-type"),
+ "Extracted request details"
+ );
- // Create Cedar entities and request
- match self.create_cedar_request(bearer_token, path) {
+ match self.create_cedar_request(bearer_token, &http_request.path.to_string()) {
Ok(cedar_request) => {
let entities = Entities::empty();
let response =
self.authorizer
.is_authorized(&cedar_request, &self.policies, &entities);
- matches!(response.decision(), cedar_policy::Decision::Allow)
+
+ let decision = response.decision();
+ let is_allowed = matches!(decision, cedar_policy::Decision::Allow);
+
+ tracing::info!(
+ method = %http_request.method,
+ host = %http_request.host,
+ path = %http_request.path,
+ decision = ?decision,
+ allowed = is_allowed,
+ "Authorization decision"
+ );
+
+ is_allowed
+ }
+ Err(e) => {
+ tracing::error!(
+ error = %e,
+ path = %http_request.path,
+ "Failed to create Cedar request"
+ );
+ false
}
- Err(_) => false,
}
}
}
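Review bot: The new `Err(e)` branch formats `error = %e` from `create_cedar_request(bearer_token, …)`; if that error's `Display` echoes the rejected token (e.g. a parse/verification error that quotes its input), the credential ends up in the logs, so confirm the error type is token-free or log only its kind. The same hunk also emits three `info!` events per request ("Processing HTTP request", "Extracted request details", "Authorization decision") that all repeat `path` — if `http_request.path` carries the query string as the old `:path` header did, any `?token=`-style secrets are now written at INFO on every request; keeping only the decision at `info!` and demoting the first two to `tracing::debug!` keeps the audit trail without the duplication. Logging `has_bearer_token` as a bool rather than the value is the right call. Minor: `path` is already a `String`, so `self.create_cedar_request(bearer_token, &http_request.path)` avoids the needless `.to_string()` clone. The enclosing `authorize` method starts above this hunk.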
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index 76bf06df..79f83c00 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -45,9 +45,18 @@ mod tests {
#[test]
fn test_cedar_authorizer_allows_static_assets() {
let request = build_request(|item: &mut HttpRequest| {
- item.headers = build_with(|item: &mut HashMap<String, String>| {
- item.insert(String::from(":path"), String::from("/public/style.css"));
- });
+ let method = String::from("GET");
+ let host = String::from("sparkle.staging.runway.gitlab.net");
+ let path = "/public/style.css";
+
+ item.method = method.clone();
+ item.path = path.to_string();
+ item.host = host.to_string();
+ item.headers = build_headers(vec![
+ (String::from(":path"), path.to_string()),
+ (String::from(":method"), method),
+ (String::from(":authority"), host),
+ ]);
});
assert!(build_cedar_authorizer().authorize(request));
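Review bot: The fixture now sets `host` to `sparkle.staging.runway.gitlab.net`, the same host that has an unauthenticated `GET /` bypass in the authorizer, so the test only proves the static-asset rule for that one host — a second case with a different host (or an assertion that the same path without a host is still allowed) would show the allow comes from the Cedar static-asset policy rather than the host. There is also no visible deny counterpart; if none exists elsewhere in this file, a request like `/api/secret` with no `authorization` header asserting `!build_cedar_authorizer().authorize(request)` would guard the change from `:path` to `http_request.path` against accidentally widening the allow list.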
@@ -55,10 +64,19 @@ mod tests {
#[test]
fn test_cedar_authorizer_allows_js_assets() {
- let mut headers = HashMap::new();
- headers.insert(":path".to_string(), "/app.js".to_string());
let request = build_request(|item: &mut HttpRequest| {
- item.headers = headers;
+ let method = String::from("GET");
+ let host = String::from("sparkle.staging.runway.gitlab.net");
+ let path = "/app.js";
+
+ item.method = method.clone();
+ item.path = path.to_string();
+ item.host = host.to_string();
+ item.headers = build_headers(vec![
+ (String::from(":path"), path.to_string()),
+ (String::from(":method"), method),
+ (String::from(":authority"), host),
+ ]);
});
assert!(build_cedar_authorizer().authorize(request));
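Review bot: The twelve lines of method/host/path setup here are a verbatim copy of the preceding test's fixture; a small helper such as `fn static_asset_request(path: &str) -> CheckRequest` that fills `method`, `host`, `path` and the three pseudo-headers would reduce each test to the path under test and the assertion, and keep the two tests from drifting apart when the fixture shape changes again.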
diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs
index 0a2997cf..a4b8f2ee 100644
--- a/tests/authorization/check_service_test.rs
+++ b/tests/authorization/check_service_test.rs
@@ -58,8 +58,18 @@ mod tests {
];
for path in static_paths {
- let request = tonic::Request::new(build_request(|http| {
- http.headers = build_headers(vec![(":path".to_string(), path.to_string())]);
+ let request = tonic::Request::new(build_request(|item: &mut HttpRequest| {
+ let method = String::from("GET");
+ let host = String::from("sparkle.staging.runway.gitlab.net");
+
+ item.method = method.clone();
+ item.path = path.to_string();
+ item.host = host.to_string();
+ item.headers = build_headers(vec![
+ (String::from(":path"), path.to_string()),
+ (String::from(":method"), method),
+ (String::from(":authority"), host),
+ ]);
}));
let response = subject().check(request).await;