Diffstat (limited to 'pkg/authz/check_service.go')
-rw-r--r--pkg/authz/check_service.go52
1 files changed, 3 insertions, 49 deletions
diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 4df0ebe7..75ba3963 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -11,6 +11,7 @@ import (
auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
"github.com/xlgmokha/x/pkg/log"
+ "github.com/xlgmokha/x/pkg/mapper"
"github.com/xlgmokha/x/pkg/x"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls"
status "google.golang.org/genproto/googleapis/rpc/status"
@@ -41,7 +42,7 @@ func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest)
if !svc.validRequest(ctx, r) {
return false
}
- log.WithFields(ctx, svc.fieldsFor(r))
+ log.WithFields(ctx, mapper.MapFrom[*auth.CheckRequest, log.Fields](r))
if svc.isStaticAsset(ctx, r) {
return true
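Review bot: The log-field mapping at `mapper.MapFrom[*auth.CheckRequest, log.Fields](r)` has no visible failure mode in this file: the removed `fieldsFor` always built a populated `log.Fields` from `r.Attributes.Request.Http`, whereas a generic type-pair lookup can presumably return a zero value, or panic, when no mapping is registered, and nothing on the new side checks which. The old helper also dereferenced `r.Attributes.Request.Http` without a nil check, so it is worth confirming the registered mapper tolerates a request that passed `validRequest` but carries a nil `Http` block. A one-line comment would keep the contract reviewable, e.g. `// request->log.Fields mapping registered in <registration file: placeholder>; MapFrom returns nil Fields on a miss (confirm)`. isAuthorized starts before this hunk and continues past it.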
@@ -51,7 +52,7 @@ func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest)
return false
}
- response, err := svc.client.CheckPermission(ctx, svc.mapFrom(ctx, r))
+ response, err := svc.client.CheckPermission(ctx, mapper.MapFrom[*auth.CheckRequest, *v1.CheckPermissionRequest](r))
if err != nil {
pls.LogError(ctx, err)
return false
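Review bot: The context parameter is dropped at `mapper.MapFrom[*auth.CheckRequest, *v1.CheckPermissionRequest](r)`; the removed `mapFrom`, `resourceFrom`, `subjectFrom` and `permissionFrom` all took `ctx`, so the mapping can no longer emit per-request log fields or observe cancellation. More importantly, the removed `subjectFrom` derived the subject from the `x-jwt-claim-username` header with a `"public"` fallback, and `resourceFrom`/`permissionFrom` were hard-coded to `project`/`1` and `read`; that logic is the input to the authorization decision and none of it appears in this diff, so the commit message or a comment at this call should name where the replacement mapping lives and state that the same subject derivation and fallback are preserved, and that the header is only trusted because an upstream filter controls it. If `MapFrom` can return a nil request for an unregistered pair, `CheckPermission` is invoked with nil and the deny then depends on the error path below; a guard such as `if req == nil { return false }` before the call would make that deny explicit rather than incidental. isAuthorized starts before this hunk and continues past it.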
@@ -109,50 +110,3 @@ func (svc *CheckService) Denied(ctx context.Context) *auth.CheckResponse {
},
}
}
-
-func (svc *CheckService) fieldsFor(r *auth.CheckRequest) log.Fields {
- return log.Fields{
- "host": r.Attributes.Request.Http.Host,
- "id": r.Attributes.Request.Http.Id,
- "method": r.Attributes.Request.Http.Method,
- "path": r.Attributes.Request.Http.Path,
- "protocol": r.Attributes.Request.Http.Protocol,
- "request_id": r.Attributes.Request.Http.Headers["x-request-id"],
- "scheme": r.Attributes.Request.Http.Scheme,
- "subject": r.Attributes.Request.Http.Headers["x-jwt-claim-username"],
- }
-}
-
-func (svc *CheckService) mapFrom(ctx context.Context, r *auth.CheckRequest) *v1.CheckPermissionRequest {
- return &v1.CheckPermissionRequest{
- Resource: svc.resourceFrom(ctx, r),
- Permission: svc.permissionFrom(ctx, r),
- Subject: svc.subjectFrom(ctx, r),
- }
-}
-
-func (svc *CheckService) resourceFrom(ctx context.Context, r *auth.CheckRequest) *v1.ObjectReference {
- return &v1.ObjectReference{
- ObjectType: "project",
- ObjectId: "1",
- }
-}
-
-func (svc *CheckService) subjectFrom(ctx context.Context, r *auth.CheckRequest) *v1.SubjectReference {
- //TODO:: username is not ideal but it works for demo purposes
- username := r.Attributes.Request.Http.Headers["x-jwt-claim-username"]
- if x.IsZero(username) {
- username = "public"
- }
-
- return &v1.SubjectReference{
- Object: &v1.ObjectReference{
- ObjectType: "user",
- ObjectId: username,
- },
- }
-}
-
-func (svc *CheckService) permissionFrom(ctx context.Context, r *auth.CheckRequest) string {
- return "read"
-}