diff options
| -rw-r--r-- | etc/authzd/policy0.cedar | 21 | ||||
| -rw-r--r-- | tests/authorization/check_service_test.rs | 101 |
2 files changed, 103 insertions, 19 deletions
diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar index 56457622..75cf8178 100644 --- a/etc/authzd/policy0.cedar +++ b/etc/authzd/policy0.cedar @@ -22,11 +22,28 @@ when { permit(principal, action, resource) when { context has host && context has method && context has path && ( - context.host == "sparkle.staging.runway.gitlab.net" && + context.host == "sparkle.staging.runway.gitlab.net" && ( context.method == "GET" && ( context.path == "/" || - context.path == "/app.js" || + context.path == "/callback" || + context.path == "/dashboard/nav" || + context.path == "/health" || + context.path == "/signout" || + context.path == "/sparkles" || + context.path like "*.bmp" || + context.path like "*.css" || + context.path like "*.gif" || + context.path like "*.html" || + context.path like "*.ico" || + context.path like "*.jpeg" || + context.path like "*.jpg" || + context.path like "*.js" || + context.path like "*.png" || context.path == "/callback" ) + ) || ( + context.method == "POST" && ( + context.path == "/sparkles/restore" + ) ) }; diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index 73812fa1..5ea0cb95 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -125,26 +125,9 @@ mod tests { #[tokio::test] async fn test_public_sparkle_endpoints() { - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/application.js"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/callback"}}, // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/dashboard/nav"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/favicon.ico"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/favicon.png"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/favicon.png"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/health"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/htmx.js"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/index.html"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/logo.png"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/pico.min.css"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/signout"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/sparkles"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/vue.global.js"}}, // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "POST", Path: "/sparkles", Headers: loggedInHeaders}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "POST", Path: "/sparkles/restore"}}, - // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard"}}, // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}}, - // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "POST", Path: "/sparkles"}}, let test_cases = vec![ ( @@ -165,6 +148,90 @@ mod tests { "sparkle.staging.runway.gitlab.net", tonic::Code::Ok, ), + ( + "GET", + "/dashboard/nav", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/favicon.ico", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/favicon.png", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/health", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/htmx.js", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/index.html", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/logo.png", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/pico.min.css", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/signout", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/sparkles", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/vue.global.js", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "POST", + "/sparkles/restore", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/dashboard", + "sparkle.staging.runway.gitlab.net", + tonic::Code::PermissionDenied, + ), + ( + "POST", + "/sparkles", + "sparkle.staging.runway.gitlab.net", + tonic::Code::PermissionDenied, + ), ]; for (method, path, host, expected_status_code) in test_cases { |