Diffstat (limited to 'src/authorization/cedar_authorizer.rs')
-rw-r--r--src/authorization/cedar_authorizer.rs103
1 files changed, 103 insertions, 0 deletions
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
new file mode 100644
index 00000000..2efbda28
--- /dev/null
+++ b/src/authorization/cedar_authorizer.rs
@@ -0,0 +1,103 @@
+use super::authorizer::Authorizer;
+use envoy_types::ext_authz::v3::pb::CheckRequest;
+
+pub struct CedarAuthorizer {}
+
+impl CedarAuthorizer {
+ pub fn new() -> CedarAuthorizer {
+ CedarAuthorizer {}
+ }
+}
+
+impl Default for CedarAuthorizer {
+ fn default() -> Self {
+ Self::new()
+ }
+}
+
+impl Authorizer for CedarAuthorizer {
+ fn authorize(&self, request: CheckRequest) -> bool {
+ let headers = request
+ .attributes
+ .as_ref()
+ .and_then(|attr| attr.request.as_ref())
+ .and_then(|req| req.http.as_ref())
+ .map(|http| &http.headers)
+ .unwrap();
+
+ if let Some(authorization) = headers.get("authorization") {
+ if authorization == "Bearer valid-token" {
+ return true;
+ }
+ }
+
+ false
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ use envoy_types::pb::envoy::service::auth::v3::{AttributeContext, attribute_context};
+ use std::collections::HashMap;
+
+ fn create_test_request_with_headers(headers: HashMap<String, String>) -> CheckRequest {
+ let http_request = attribute_context::HttpRequest {
+ headers,
+ ..Default::default()
+ };
+
+ let request_context = attribute_context::Request {
+ http: Some(http_request),
+ ..Default::default()
+ };
+
+ let attributes = AttributeContext {
+ request: Some(request_context),
+ ..Default::default()
+ };
+
+ CheckRequest {
+ attributes: Some(attributes),
+ ..Default::default()
+ }
+ }
+
+ #[test]
+ fn test_cedar_authorizer_allows_valid_token() {
+ let authorizer = CedarAuthorizer::new();
+ let mut headers = HashMap::new();
+ headers.insert(
+ "authorization".to_string(),
+ "Bearer valid-token".to_string(),
+ );
+ let request = create_test_request_with_headers(headers);
+
+ let result = authorizer.authorize(request);
+ assert!(result);
+ }
+
+ #[test]
+ fn test_cedar_authorizer_denies_invalid_token() {
+ let authorizer = CedarAuthorizer::new();
+ let mut headers = HashMap::new();
+ headers.insert(
+ "authorization".to_string(),
+ "Bearer invalid-token".to_string(),
+ );
+ let request = create_test_request_with_headers(headers);
+
+ let result = authorizer.authorize(request);
+ assert!(!result);
+ }
+
+ #[test]
+ fn test_cedar_authorizer_denies_missing_header() {
+ let authorizer = CedarAuthorizer::new();
+ let headers = HashMap::new();
+ let request = create_test_request_with_headers(headers);
+
+ let result = authorizer.authorize(request);
+ assert!(!result);
+ }
+}
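Review bot: The `.unwrap()` that ends the header lookup in `authorize` (the `request.attributes ... .map(|http| &http.headers)` chain) panics on any CheckRequest whose `attributes`, `request` or `http` field is absent, so a malformed or minimal ext_authz call crashes the authorizer instead of being denied; an authorization decision on untrusted input should fail closed. Replace the chain's terminator with a guard, e.g. `let Some(headers) = request.attributes.as_ref()` / `.and_then(|attr| attr.request.as_ref()).and_then(|req| req.http.as_ref()).map(|http| &http.headers)` / `else { return false };`, and add a test that passes `CheckRequest::default()` and asserts `false`. The accepted credential is the static string `"Bearer valid-token"` compared with `==`; since the type is named CedarAuthorizer but no Cedar policy evaluation appears here, a doc comment on `authorize` such as `/// Placeholder: accepts a single fixed bearer token; not a real policy check.` would keep a reader from mistaking this for the production path.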