Diffstat (limited to 'src/authorization')
| -rw-r--r-- | src/authorization/cedar_authorizer.rs | 63 |
1 files changed, 43 insertions, 20 deletions
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
index e56640f9..1780eddd 100644
--- a/src/authorization/cedar_authorizer.rs
+++ b/src/authorization/cedar_authorizer.rs
@@ -85,6 +85,20 @@ impl Authorizer for CedarAuthorizer {
 return true;
 }
+ if http_request.host == "sparkle.staging.runway.gitlab.net"
+ && http_request.method == "GET"
+ && http_request.path == "/application.js"
+ {
+ return true;
+ }
+
+ if http_request.host == "sparkle.staging.runway.gitlab.net"
+ && http_request.method == "GET"
+ && http_request.path == "/callback"
+ {
+ return true;
+ }
+
 match self.map_from(http_request.clone()) {
 Ok(cedar_request) => {
 let entities = Entities::empty();
@@ -111,10 +125,7 @@ impl CedarAuthorizer {
 &self,
 http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
 ) -> Result<CedarRequest, Box<dyn std::error::Error>> {
- // Create principal entity
- let principal_id = EntityId::from_str("client")?;
- let principal_type = EntityTypeName::from_str("User")?;
- let principal = EntityUid::from_type_name_and_id(principal_type, principal_id);
+ let principal = self.principal_from(&http_request)?;
 // Create action entity
 let action_id = EntityId::from_str("check")?;
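Review bot: The two new early returns compare `http_request.path` with `==`, and as far as I recall Envoy's attribute-context `path` field carries the full request target including any query string (the `query` field is separate), so a request such as `/callback?code=…&state=…` would not match and would fall through to the Cedar check; if the callback is expected to carry query parameters, compare only the path component (e.g. `http_request.path.split('?').next()`). Both branches repeat the same host and method test and embed a single staging hostname; one guard `if http_request.host == "sparkle.staging.runway.gitlab.net" && http_request.method == "GET" && matches!(http_request.path.as_str(), "/application.js" | "/callback")` removes the duplication, and an exemption like this is more auditable as a Cedar `permit` policy for those resources than as code that short-circuits the authorizer. Note that `host` is the client-presented authority value, so this exemption applies to any request that presents that host string, not to a particular upstream — fine only if routing already pins that host to the intended service; a comment stating that assumption next to the guard would help the next reader. The enclosing method starts and ends outside the hunk.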
@@ -131,30 +142,42 @@ impl CedarAuthorizer {
 .map_err(|e| Box::new(e) as Box<dyn std::error::Error>)
 }
+ fn principal_from(
+ &self,
+ _http_request: &envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
+ ) -> Result<cedar_policy::EntityUid, Box<dyn std::error::Error>> {
+ let principal_id = EntityId::from_str("client")?;
+ let principal_type = EntityTypeName::from_str("User")?;
+ let principal = EntityUid::from_type_name_and_id(principal_type, principal_id);
+ Ok(principal)
+ }
+
 fn context_from(
 &self,
 http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
 ) -> Result<cedar_policy::Context, cedar_policy::ContextCreationError> {
- let mut context_map = std::collections::HashMap::new();
+ let mut items = std::collections::HashMap::new();
+
+ items.insert("bearer_token".to_string(), self.token_from(&http_request));
+ items.insert("path".to_string(), self.safe_string(&http_request.path));
- let headers = &http_request.headers;
- let bearer_token = headers
+ Context::from_pairs(items.into_iter().collect::<Vec<_>>())
+ }
+
+ fn token_from(
+ &self,
+ http_request: &envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
+ ) -> cedar_policy::RestrictedExpression {
+ let bearer_token = &http_request
+ .headers
 .get("authorization")
 .and_then(|auth| auth.strip_prefix("Bearer "))
 .unwrap_or("");
- if !bearer_token.is_empty() {
- context_map.insert(
- "bearer_token".to_string(),
- cedar_policy::RestrictedExpression::new_string(bearer_token.to_string()),
- );
- }
- if !http_request.path.is_empty() {
- context_map.insert(
- "path".to_string(),
- cedar_policy::RestrictedExpression::new_string(http_request.path.clone()),
- );
- }
- Context::from_pairs(context_map.into_iter().collect::<Vec<_>>())
+ self.safe_string(bearer_token)
+ }
+
+ fn safe_string(&self, item: &str) -> cedar_policy::RestrictedExpression {
+ cedar_policy::RestrictedExpression::new_string(item.to_string())
 }
 }
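Review bot: `context_from` now inserts `bearer_token` and `path` unconditionally, whereas the removed code only added each key when its value was non-empty; a Cedar policy that uses `context has bearer_token` to mean "a token was supplied" will now evaluate true with an empty string, which silently widens what such a policy permits. If the old contract is the intended one, keep the emptiness checks (`if !bearer_token.is_empty() { items.insert("bearer_token".to_string(), self.safe_string(bearer_token)); }` and likewise for `path`); if the new always-present contract is intended, say so on the method, e.g. `/// Both keys are always present; a missing Authorization header or empty path is represented by "".`, so policy authors know to compare values rather than test presence. Minor: `principal_from` ignores `_http_request` and neither it nor `safe_string` reads `self` (clippy `unused_self`), so a doc comment on `principal_from` stating that the principal is currently the fixed `User::"client"` for every request would make that placeholder explicit.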
