Diffstat (limited to 'pkg/authz/option.go')
-rw-r--r--pkg/authz/option.go54
1 files changed, 54 insertions, 0 deletions
diff --git a/pkg/authz/option.go b/pkg/authz/option.go
new file mode 100644
index 00000000..585deedf
--- /dev/null
+++ b/pkg/authz/option.go
@@ -0,0 +1,54 @@
+package authz
+
+import (
+ "context"
+ "io"
+ "strings"
+
+ v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
+ authzed "github.com/authzed/authzed-go/v1"
+ core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ "github.com/xlgmokha/x/pkg/mapper"
+ "github.com/xlgmokha/x/pkg/x"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/pls"
+)
+
+func WithProjectIDs(ctx context.Context, client *authzed.Client, request *auth.CheckRequest) x.Option[*auth.CheckResponse_OkResponse] {
+ return x.With[*auth.CheckResponse_OkResponse](func(response *auth.CheckResponse_OkResponse) {
+ if x.IsZero(client) {
+ return
+ }
+
+ stream, err := client.LookupResources(ctx, &v1.LookupResourcesRequest{
+ ResourceObjectType: "project",
+ Permission: "read_project",
+ Subject: mapper.MapFrom[*auth.CheckRequest, *v1.SubjectReference](request),
+ })
+ if err != nil {
+ pls.LogError(ctx, err)
+ return
+ }
+
+ var projectIDs []string
+ for {
+ result, err := stream.Recv()
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ pls.LogError(ctx, err)
+ break
+ }
+ projectIDs = append(projectIDs, result.ResourceObjectId)
+ }
+
+ response.OkResponse.Headers = append(response.OkResponse.Headers, &core.HeaderValueOption{
+ Header: &core.HeaderValue{
+ Key: "x-project-ids",
+ Value: strings.Join(projectIDs, ","),
+ },
+ AppendAction: core.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD,
+ })
+ })
+}
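Review bot: A mid-stream Recv error is logged and then `break`s, so the `x-project-ids` header is still emitted with whatever partial list was received before the failure, while the earlier LookupResources error path returns without emitting the header at all; the upstream service cannot tell a truncated authorization result from a complete one. The two paths should agree — change the error branch inside the loop to `pls.LogError(ctx, err); return` so a failed lookup never produces a header that looks authoritative. Separately, an empty result set yields `strings.Join(nil, ",") == ""`, so a header with an empty value is added; if the consumer distinguishes "no projects" from "header absent", a short comment stating that the empty value is intentional would help. The `response.OkResponse` dereference assumes the caller always populates it; if the option can be applied to a zero-value response that is a nil-pointer panic, so consider guarding it the same way `client` is guarded.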