1 files changed, 97 insertions, 0 deletions

diff --git a/src/authorization/check_service.rs b/src/authorization/check_service.rs
new file mode 100644
index 00000000..7ca39fcd
--- /dev/null
+++ b/src/authorization/check_service.rs
@@ -0,0 +1,97 @@
+use envoy_types::ext_authz::v3::CheckResponseExt;
+use envoy_types::ext_authz::v3::pb::{CheckRequest, CheckResponse};
+use tonic::{Request, Response, Status};
+
+use super::authorizer::Authorizer;
+use super::cedar_authorizer::CedarAuthorizer;
+
+#[derive(Debug, Default)]
+pub struct CheckService;
+
+#[tonic::async_trait]
+impl envoy_types::ext_authz::v3::pb::Authorization for CheckService {
+    async fn check(
+        &self,
+        request: Request<CheckRequest>,
+    ) -> Result<Response<CheckResponse>, Status> {
+        let request = request.into_inner();
+
+        let authorizer = CedarAuthorizer::new();
+        if authorizer.authorize(request) {
+            Ok(Response::new(CheckResponse::with_status(Status::ok("OK"))))
+        } else {
+            Ok(Response::new(CheckResponse::with_status(
+                Status::unauthenticated("Unauthorized"),
+            )))
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use envoy_types::ext_authz::v3::pb::{Authorization, CheckRequest};
+    use envoy_types::pb::envoy::service::auth::v3::{AttributeContext, attribute_context};
+    use std::collections::HashMap;
+    use tonic::Request;
+
+    fn create_test_request_with_headers(headers: HashMap<String, String>) -> Request<CheckRequest> {
+        let http_request = attribute_context::HttpRequest {
+            headers,
+            ..Default::default()
+        };
+
+        let request_context = attribute_context::Request {
+            http: Some(http_request),
+            ..Default::default()
+        };
+
+        let attributes = AttributeContext {
+            request: Some(request_context),
+            ..Default::default()
+        };
+
+        let check_request = CheckRequest {
+            attributes: Some(attributes),
+            ..Default::default()
+        };
+
+        Request::new(check_request)
+    }
+
+    fn create_headers_with_auth(auth_value: &str) -> HashMap<String, String> {
+        let mut headers = HashMap::new();
+        headers.insert("authorization".to_string(), auth_value.to_string());
+        headers
+    }
+
+    #[tokio::test]
+    async fn test_check_allows_valid_bearer_token() {
+        let token = String::from("valid-token");
+        let server = CheckService::default();
+        let headers = create_headers_with_auth(&format!("Bearer {}", token));
+        let request = create_test_request_with_headers(headers);
+
+        let response = server.check(request).await;
+
+        assert!(response.is_ok());
+        let check_response = response.unwrap().into_inner();
+        assert!(check_response.status.is_some());
+        let status = check_response.status.unwrap();
+        assert_eq!(status.code, tonic::Code::Ok.into());
+    }
+
+    #[tokio::test]
+    async fn test_check_denies_invalid_bearer_token() {
+        let server = CheckService::default();
+        let request = create_test_request_with_headers(HashMap::new());
+
+        let response = server.check(request).await;
+
+        assert!(response.is_ok());
+        let check_response = response.unwrap().into_inner();
+        assert!(check_response.status.is_some());
+        let status = check_response.status.unwrap();
+        assert_eq!(status.code, tonic::Code::Unauthenticated.into());
+    }
+}