| -rw-r--r-- | src/authorization/cedar_authorizer.rs | 26 | ||||
| -rw-r--r-- | tests/authorization/check_service_test.rs | 27 |
2 files changed, 36 insertions, 17 deletions
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
index 4eeaf645..e56640f9 100644
--- a/src/authorization/cedar_authorizer.rs
+++ b/src/authorization/cedar_authorizer.rs
@@ -111,12 +111,6 @@ impl CedarAuthorizer {
 &self,
 http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
 ) -> Result<CedarRequest, Box<dyn std::error::Error>> {
- let headers = &http_request.headers;
- let bearer_token = headers .get("authorization") .and_then(|auth| auth.strip_prefix("Bearer ")) .unwrap_or("");
-
 // Create principal entity
 let principal_id = EntityId::from_str("client")?;
 let principal_type = EntityTypeName::from_str("User")?;
@@ -132,7 +126,22 @@ impl CedarAuthorizer {
 let resource_type = EntityTypeName::from_str("Resource")?;
 let resource = EntityUid::from_type_name_and_id(resource_type, resource_id);
 
+ let context = self.context_from(http_request);
+ CedarRequest::new(principal, action, resource, context?, None) .map_err(|e| Box::new(e) as Box<dyn std::error::Error>)
+ }
+
+ fn context_from(
+ &self,
+ http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
+ ) -> Result<cedar_policy::Context, cedar_policy::ContextCreationError> {
 let mut context_map = std::collections::HashMap::new();
+
+ let headers = &http_request.headers;
+ let bearer_token = headers .get("authorization") .and_then(|auth| auth.strip_prefix("Bearer ")) .unwrap_or("");
 if !bearer_token.is_empty() {
 context_map.insert(
 "bearer_token".to_string(),
@@ -146,9 +155,6 @@ impl CedarAuthorizer {
 );
 }
 
- let context = Context::from_pairs(context_map.into_iter().collect::<Vec<_>>())?;
-
- CedarRequest::new(principal, action, resource, context, None) .map_err(|e| Box::new(e) as Box<dyn std::error::Error>)
+ Context::from_pairs(context_map.into_iter().collect::<Vec<_>>())
 }
 }
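Review bot: `context_from` takes the Envoy `HttpRequest` by value although it only reads `http_request.headers`, so the caller in the previous hunk has to give up the whole request just to build the context; `http_request: &envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest` together with `self.context_from(&http_request)` avoids the move. The `?` is also tucked into the argument list as `context?`; `let context = self.context_from(http_request)?;` on the preceding line reads more plainly and keeps the `ContextCreationError` to `Box<dyn std::error::Error>` conversion in one visible spot. The new method carries no doc comment, and since it appears to place the bearer token into the Cedar context under the `"bearer_token"` key (the inserted value itself lies outside the hunk), a `///` line stating that the returned context carries the raw credential and should be treated as sensitive in diagnostics would help future callers; whether anything downstream prints the context is not visible here. The enclosing request-building method begins before the first hunk.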
diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs
index 4ff7a89b..73812fa1 100644
--- a/tests/authorization/check_service_test.rs
+++ b/tests/authorization/check_service_test.rs
@@ -125,7 +125,6 @@ mod tests {
 #[tokio::test]
 async fn test_public_sparkle_endpoints() {
- // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/"}},
 // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/application.js"}},
 // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/callback"}},
 // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}},
@@ -147,12 +146,26 @@ mod tests {
 // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}},
 // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "POST", Path: "/sparkles"}},
 
- let test_cases = vec![(
- "GET",
- "/",
- "sparkle.staging.runway.gitlab.net",
- tonic::Code::Ok,
- )];
+ let test_cases = vec![
+ (
+ "GET",
+ "/",
+ "sparkle.staging.runway.gitlab.net",
+ tonic::Code::Ok,
+ ),
+ (
+ "GET",
+ "/application.js",
+ "sparkle.staging.runway.gitlab.net",
+ tonic::Code::Ok,
+ ),
+ (
+ "GET",
+ "/callback",
+ "sparkle.staging.runway.gitlab.net",
+ tonic::Code::Ok,
+ ),
+ ];
 for (method, path, host, expected_status_code) in test_cases {
 let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { |
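Review bot: The commented-out catalogue at the top of `test_public_sparkle_endpoints` still lists `/application.js` and `/callback` as `// {status: tonic::Code::Ok, …}` entries even though the second hunk turns both into live entries of `test_cases`; the first hunk removed the `/` line for exactly this reason, so the two remaining comment lines should be dropped as well so the block stays an accurate list of cases not yet ported. The `for (method, path, host, expected_status_code)` loop that consumes the cases continues past the end of the hunk.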
