4 files changed, 212 insertions, 0 deletions

diff --git a/src/authorization/authorizer.rs b/src/authorization/authorizer.rs
new file mode 100644
index 00000000..0f700ba7
--- /dev/null
+++ b/src/authorization/authorizer.rs
@@ -0,0 +1,5 @@
+use envoy_types::ext_authz::v3::pb::CheckRequest;
+
+pub trait Authorizer {
+    fn authorize(&self, request: CheckRequest) -> bool;
+}
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
new file mode 100644
index 00000000..2efbda28
--- /dev/null
+++ b/src/authorization/cedar_authorizer.rs
@@ -0,0 +1,103 @@
+use super::authorizer::Authorizer;
+use envoy_types::ext_authz::v3::pb::CheckRequest;
+
+pub struct CedarAuthorizer {}
+
+impl CedarAuthorizer {
+    pub fn new() -> CedarAuthorizer {
+        CedarAuthorizer {}
+    }
+}
+
+impl Default for CedarAuthorizer {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl Authorizer for CedarAuthorizer {
+    fn authorize(&self, request: CheckRequest) -> bool {
+        let headers = request
+            .attributes
+            .as_ref()
+            .and_then(|attr| attr.request.as_ref())
+            .and_then(|req| req.http.as_ref())
+            .map(|http| &http.headers)
+            .unwrap();
+
+        if let Some(authorization) = headers.get("authorization") {
+            if authorization == "Bearer valid-token" {
+                return true;
+            }
+        }
+
+        false
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use envoy_types::pb::envoy::service::auth::v3::{AttributeContext, attribute_context};
+    use std::collections::HashMap;
+
+    fn create_test_request_with_headers(headers: HashMap<String, String>) -> CheckRequest {
+        let http_request = attribute_context::HttpRequest {
+            headers,
+            ..Default::default()
+        };
+
+        let request_context = attribute_context::Request {
+            http: Some(http_request),
+            ..Default::default()
+        };
+
+        let attributes = AttributeContext {
+            request: Some(request_context),
+            ..Default::default()
+        };
+
+        CheckRequest {
+            attributes: Some(attributes),
+            ..Default::default()
+        }
+    }
+
+    #[test]
+    fn test_cedar_authorizer_allows_valid_token() {
+        let authorizer = CedarAuthorizer::new();
+        let mut headers = HashMap::new();
+        headers.insert(
+            "authorization".to_string(),
+            "Bearer valid-token".to_string(),
+        );
+        let request = create_test_request_with_headers(headers);
+
+        let result = authorizer.authorize(request);
+        assert!(result);
+    }
+
+    #[test]
+    fn test_cedar_authorizer_denies_invalid_token() {
+        let authorizer = CedarAuthorizer::new();
+        let mut headers = HashMap::new();
+        headers.insert(
+            "authorization".to_string(),
+            "Bearer invalid-token".to_string(),
+        );
+        let request = create_test_request_with_headers(headers);
+
+        let result = authorizer.authorize(request);
+        assert!(!result);
+    }
+
+    #[test]
+    fn test_cedar_authorizer_denies_missing_header() {
+        let authorizer = CedarAuthorizer::new();
+        let headers = HashMap::new();
+        let request = create_test_request_with_headers(headers);
+
+        let result = authorizer.authorize(request);
+        assert!(!result);
+    }
+}
diff --git a/src/authorization/check_service.rs b/src/authorization/check_service.rs
new file mode 100644
index 00000000..7ca39fcd
--- /dev/null
+++ b/src/authorization/check_service.rs
@@ -0,0 +1,97 @@
+use envoy_types::ext_authz::v3::CheckResponseExt;
+use envoy_types::ext_authz::v3::pb::{CheckRequest, CheckResponse};
+use tonic::{Request, Response, Status};
+
+use super::authorizer::Authorizer;
+use super::cedar_authorizer::CedarAuthorizer;
+
+#[derive(Debug, Default)]
+pub struct CheckService;
+
+#[tonic::async_trait]
+impl envoy_types::ext_authz::v3::pb::Authorization for CheckService {
+    async fn check(
+        &self,
+        request: Request<CheckRequest>,
+    ) -> Result<Response<CheckResponse>, Status> {
+        let request = request.into_inner();
+
+        let authorizer = CedarAuthorizer::new();
+        if authorizer.authorize(request) {
+            Ok(Response::new(CheckResponse::with_status(Status::ok("OK"))))
+        } else {
+            Ok(Response::new(CheckResponse::with_status(
+                Status::unauthenticated("Unauthorized"),
+            )))
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use envoy_types::ext_authz::v3::pb::{Authorization, CheckRequest};
+    use envoy_types::pb::envoy::service::auth::v3::{AttributeContext, attribute_context};
+    use std::collections::HashMap;
+    use tonic::Request;
+
+    fn create_test_request_with_headers(headers: HashMap<String, String>) -> Request<CheckRequest> {
+        let http_request = attribute_context::HttpRequest {
+            headers,
+            ..Default::default()
+        };
+
+        let request_context = attribute_context::Request {
+            http: Some(http_request),
+            ..Default::default()
+        };
+
+        let attributes = AttributeContext {
+            request: Some(request_context),
+            ..Default::default()
+        };
+
+        let check_request = CheckRequest {
+            attributes: Some(attributes),
+            ..Default::default()
+        };
+
+        Request::new(check_request)
+    }
+
+    fn create_headers_with_auth(auth_value: &str) -> HashMap<String, String> {
+        let mut headers = HashMap::new();
+        headers.insert("authorization".to_string(), auth_value.to_string());
+        headers
+    }
+
+    #[tokio::test]
+    async fn test_check_allows_valid_bearer_token() {
+        let token = String::from("valid-token");
+        let server = CheckService::default();
+        let headers = create_headers_with_auth(&format!("Bearer {}", token));
+        let request = create_test_request_with_headers(headers);
+
+        let response = server.check(request).await;
+
+        assert!(response.is_ok());
+        let check_response = response.unwrap().into_inner();
+        assert!(check_response.status.is_some());
+        let status = check_response.status.unwrap();
+        assert_eq!(status.code, tonic::Code::Ok.into());
+    }
+
+    #[tokio::test]
+    async fn test_check_denies_invalid_bearer_token() {
+        let server = CheckService::default();
+        let request = create_test_request_with_headers(HashMap::new());
+
+        let response = server.check(request).await;
+
+        assert!(response.is_ok());
+        let check_response = response.unwrap().into_inner();
+        assert!(check_response.status.is_some());
+        let status = check_response.status.unwrap();
+        assert_eq!(status.code, tonic::Code::Unauthenticated.into());
+    }
+}
diff --git a/src/authorization/mod.rs b/src/authorization/mod.rs
new file mode 100644
index 00000000..7d3856a5
--- /dev/null
+++ b/src/authorization/mod.rs
@@ -0,0 +1,7 @@
+pub mod authorizer;
+pub mod cedar_authorizer;
+pub mod check_service;
+
+pub use authorizer::Authorizer;
+pub use cedar_authorizer::CedarAuthorizer;
+pub use check_service::CheckService;