From 5c870c548107085c2582f856e3b2d63b747dcd1e Mon Sep 17 00:00:00 2001 From: mo khan Date: Wed, 2 Apr 2025 14:24:07 -0600 Subject: refactor: attempt to model a public policy in cedar --- pkg/policies/entities.json | 6 ------ pkg/policies/gtwy.cedar | 16 ++++++++++++++++ pkg/policies/init.go | 2 +- pkg/policies/policies_test.go | 32 ++++++++++++++++++++++++++++++++ pkg/policies/rest.cedar | 12 ------------ 5 files changed, 49 insertions(+), 19 deletions(-) create mode 100644 pkg/policies/gtwy.cedar delete mode 100644 pkg/policies/rest.cedar diff --git a/pkg/policies/entities.json b/pkg/policies/entities.json index 3df6e43e..2a7aa96a 100644 --- a/pkg/policies/entities.json +++ b/pkg/policies/entities.json @@ -302,11 +302,5 @@ "id": "4" } ] - }, - { - "uid": { - "type": "HttpPath", - "id": "/projects.json" - } } ] diff --git a/pkg/policies/gtwy.cedar b/pkg/policies/gtwy.cedar new file mode 100644 index 00000000..763ab5fa --- /dev/null +++ b/pkg/policies/gtwy.cedar @@ -0,0 +1,16 @@ +permit ( + principal == User::"1", + action in [ + HttpMethod::"GET", + HttpMethod::"POST", + HttpMethod::"PUT", + HttpMethod::"PATCH", + HttpMethod::"DELETE", + HttpMethod::"HEAD" + ], + resource +) when { + context.host == "api.example.com" || + context.host == "idp.example.com" || + context.host == "ui.example.com" +}; diff --git a/pkg/policies/init.go b/pkg/policies/init.go index a10526f7..42a23223 100644 --- a/pkg/policies/init.go +++ b/pkg/policies/init.go @@ -62,7 +62,7 @@ func init() { func Allowed(request cedar.Request) bool { ok, diagnostic := All.IsAuthorized(Entities, request) - fmt.Printf("%v: %v -> %v %v%v\n", ok, request.Principal, request.Action, request.Context.Map(), request.Resource) + fmt.Printf("%v: %v -> %v %v%v\n", ok, request.Principal, request.Action.ID, request.Context.Map(), request.Resource.ID) if len(diagnostic.Errors) > 0 { for err := range diagnostic.Errors { 
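Review bot: The new policy still binds to `principal == User::"1"`, so despite the commit title it does not model a public policy — the `.well-known` discovery paths exercised in policies_test.go are permitted only for that one user, and any other or anonymous principal is denied. With `resource` left unconstrained, this single statement grants every listed HttpMethod on every resource across all three hosts; if that is deliberate, a header comment such as `// User::"1" gets full access on the api/idp/ui hosts; unauthenticated (public) access is not modelled yet` would stop a reader taking it for the intended public rule. The `when` clause also reads `context.host` without guarding it; in Cedar a missing attribute is an evaluation error, which (as I understand the evaluator) makes the policy not apply and shows up in the diagnostic errors rather than as a clean non-match, so `context has host && (context.host == "api.example.com" || ...)` is the safer form.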
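Review bot: The changed line keeps an unconditional `fmt.Printf` of every authorization decision in `Allowed`, and `request.Context.Map()` dumps the full request context, which can carry caller-supplied data beyond `host`; this belongs behind the package's logger at debug level (or should be removed) rather than on stdout in the decision path. Printing only `request.Action.ID` and `request.Resource.ID` also drops the entity types, so a line like `GET /index.html` no longer shows which entity type was matched — if the types are intentionally elided, say so in a comment, otherwise keep `request.Resource`. The context line that follows, `for err := range diagnostic.Errors`, ranges over what appears to be a slice, in which case `err` is an index rather than an error; `for _, err := range diagnostic.Errors` if so. The body of that loop and the rest of `Allowed` are outside the hunk.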
diff --git a/pkg/policies/policies_test.go b/pkg/policies/policies_test.go
index e038edbe..67179a7f 100644
--- a/pkg/policies/policies_test.go
+++ b/pkg/policies/policies_test.go
@@ -30,6 +30,38 @@ func TestAllowed(t *testing.T) { build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("PATCH")) }), build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("DELETE")) }), build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("HEAD")) }), + build(func(r *cedar.Request) { + r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/organizations.json")) + }), + build(func(r *cedar.Request) { r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/groups.json")) }), + build(func(r *cedar.Request) { + r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/openid-configuration")) + r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")}) + }), + build(func(r *cedar.Request) { + r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/oauth-authorization-server")) + r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")}) + }), + // build(func(r *cedar.Request) { + // r.Principal = gid.NewEntityUID("gid://User/*") + // r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/openid-configuration")) + // r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")}) + // }), + // build(func(r *cedar.Request) { + // r.Principal = gid.NewEntityUID("gid://User/*") + // r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/oauth-authorization-server")) + // r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")}) + // }), + build(func(r *cedar.Request) { + r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("POST")) + r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/twirp/authx.rpc.Ability/Allowed")) + r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")}) + }), + build(func(r *cedar.Request) { + r.Action = cedar.NewEntityUID("HttpMethod", 
cedar.String("GET")) + r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/index.html")) + r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("ui.example.com")}) + }), } for _, tt := range allowed { diff --git a/pkg/policies/rest.cedar b/pkg/policies/rest.cedar deleted file mode 100644 index c6c4f745..00000000 --- a/pkg/policies/rest.cedar +++ /dev/null @@ -1,12 +0,0 @@ -permit ( - principal == User::"1", - action in [ - HttpMethod::"GET", - HttpMethod::"POST", - HttpMethod::"PUT", - HttpMethod::"PATCH", - HttpMethod::"DELETE", - HttpMethod::"HEAD" - ], - resource -) when { context.host == "api.example.com" }; -- cgit v1.2.3
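Review bot: Every case added to the `allowed` table is a positive case; nothing in `TestAllowed` asserts a denial, so a later loosening of gtwy.cedar (dropping the host clause, say) would pass unnoticed. Add a `denied` table next to it with at least a request whose host is outside the three listed, `build(func(r *cedar.Request) { r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("other.example.com")}) })`, and one for a principal other than `User::"1"`, asserting `!Allowed(...)` for each. The two commented-out `gid://User/*` cases should either be deleted or become a skipped subtest with the reason (`t.Skip("public principal not modelled yet")`), since dead test code hides what is and is not covered. The `/organizations.json` and `/groups.json` cases set no context, so they rely on a default host coming from `build`, which is defined outside the hunk.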