From 5d7f37c6508c7308c17659630cff35f4ead6dae4 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Thu, 10 Jul 2025 14:58:52 -0600
Subject: fix: allow authenticated+authorized users to create Sparkles

---
 etc/authzd/policy1.cedar | 12 ++++++++++++
 .../authorization/sparkle/team/entities.json | 8 ++------
 src/authorization/entities.rs | 2 --
 src/gitlab/member.rs | 2 --
 tests/authorization/cedar_authorizer_test.rs | 14 ++++++++++++--
 tests/support/factory_bot.rs | 7 +++++--
 6 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar
index 2306aaae..15776ab7 100644
--- a/etc/authzd/policy1.cedar
+++ b/etc/authzd/policy1.cedar
@@ -16,3 +16,15 @@ when context.path == "/sparkles")) || (context.method == "POST" && (context.path == "/sparkles/restore")))) };
+
+permit (
+ principal is User,
+ action == Action::"POST",
+ resource == Resource::"/sparkles"
+)
+when
+{
+ context has host &&
+ context.host == "sparkle.staging.runway.gitlab.net" &&
+ principal has username
+};
diff --git a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
index ef479736..72d50bce 100644
--- a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
+++ b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
@@ -22,9 +22,7 @@
 "id": "1675940"
 },
 "attrs": {
- "username": "mokhax",
- "name": "mo khan",
- "access_level": 50
+ "username": "mokhax"
 },
 "parents": []
 },
@@ -34,9 +32,7 @@
 "id": "1676317"
 },
 "attrs": {
- "username": "jayswain",
- "name": "Jay Swain",
- "access_level": 30
+ "username": "jayswain"
 },
 "parents": []
 },
diff --git a/src/authorization/entities.rs b/src/authorization/entities.rs
index a26cace2..dd5894f8 100644
--- a/src/authorization/entities.rs
+++ b/src/authorization/entities.rs
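Review bot: `principal has username` in the new rule's `when` clause is not an authorization predicate: the `entities.rs` hunk in this same commit writes `username` for every member it loads (no filtering is visible in that hunk) and drops `access_level`, the one attribute that could have carried a role check, so this `permit` grants `POST /sparkles` on the staging host to any `User` the entity store knows about, and strangers are denied only because the store does not contain them. If the loader is meant to be the membership boundary, say so in the policy, e.g. `// Any User present in the entity store may create Sparkles on staging; membership is enforced by the loader, not here.`; if not, express membership explicitly through a group the loader populates (the entities currently have empty `parents`) rather than through the presence of an attribute. Whether `context.host` is set by the service itself or copied from a client-supplied Host header is not visible here and decides how much the host check is worth — confirm. The policy this hunk extends and its three context lines precede it and are collapsed in this rendering.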
@@ -75,8 +75,6 @@ impl EntitiesRepository {
 },
 attrs: serde_json::json!({
 "username": member.username,
- "name": member.name,
- "access_level": member.access_level,
 }),
 parents: vec![],
 });
diff --git a/src/gitlab/member.rs b/src/gitlab/member.rs
index 0b4997e9..7e7f212e 100644
--- a/src/gitlab/member.rs
+++ b/src/gitlab/member.rs
@@ -4,7 +4,5 @@ use serde::Deserialize;
 pub struct Member {
 pub id: u64,
 pub username: String,
- pub name: String,
 pub state: String,
- pub access_level: u8,
 }
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index f2dfebd4..f056c8c7 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -91,12 +91,22 @@ mod tests {
 ]);
 });
- let user = build_user("1675940");
+ let mut attrs = std::collections::HashMap::new();
+ attrs.insert(
+ "username".to_string(),
+ cedar_policy::RestrictedExpression::new_string("tanuki".to_string()),
+ );
+ let user = build_user("1675940", attrs);
 let entities = cedar_policy::Entities::from_entities([user], None).unwrap();
 let authorizer = subject_with(entities);
 assert!(authorizer.authorize(request.clone()));
- let user = build_user("1");
+ let mut attrs = std::collections::HashMap::new();
+ attrs.insert(
+ "username".to_string(),
+ cedar_policy::RestrictedExpression::new_string("root".to_string()),
+ );
+ let user = build_user("1", attrs);
 let entities = cedar_policy::Entities::from_entities([user], None).unwrap();
 let authorizer = subject_with(entities);
 assert!(!authorizer.authorize(request.clone()));
diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs
index 969080a3..ba0d9c38 100644
--- a/tests/support/factory_bot.rs
+++ b/tests/support/factory_bot.rs
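Review bot: Neither assertion in the `cedar_authorizer_test.rs` hunk reaches the new `POST /sparkles` rule: both principals now carry a `username`, so the allow for `"1675940"` and the deny for `"1"` are decided by whatever `request` (built above the hunk) targets — presumably the id-based policy that precedes the new one — and the rule this commit adds has neither a positive nor a negative test. Add a case that sends `Action::"POST"` on `Resource::"/sparkles"` with `context.host` set to `sparkle.staging.runway.gitlab.net` and asserts allow for a known user, plus deny cases with `host` absent, with a different host, and with a principal missing from `entities` (where `principal has username` should evaluate to false). The six lines building `attrs` are duplicated verbatim for `"tanuki"` and `"root"`; a factory helper that takes the username would collapse each to one line. The enclosing test function and the construction of `request` start outside the hunk.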
@@ -58,13 +58,16 @@ where
 f(build_channel(addr).await)
 }
-pub fn build_user(id: &str) -> cedar_policy::Entity {
+pub fn build_user(
+ id: &str,
+ attrs: std::collections::HashMap,
+) -> cedar_policy::Entity {
 cedar_policy::Entity::new(
 cedar_policy::EntityUid::from_type_name_and_id(
 cedar_policy::EntityTypeName::from_str("User").unwrap(),
 cedar_policy::EntityId::from_str(id).unwrap(),
 ),
- std::collections::HashMap::new(),
+ attrs,
 std::collections::HashSet::new(),
 )
 .unwrap()
-- cgit v1.2.3
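Review bot: The new `build_user(id, attrs)` signature makes every caller assemble a `HashMap` of `RestrictedExpression`s by hand, and the two callers added in this commit do exactly that with identical code; a small wrapper next to it keeps the general form while giving tests the common case in one line. The function also carries no doc comment — I would add `/// Builds a `User` entity with the given id and attributes and no parents.` above the signature. The type parameters of `HashMap` on the `attrs` line appear to have been stripped by this rendering; I am assuming `HashMap<String, cedar_policy::RestrictedExpression>`. The `where` clause and the function that close just before `build_user` start outside the hunk.
```rust
// … unchanged: build_user(id, attrs) …

/// Builds a `User` entity carrying only a `username` attribute, the shape the
/// authorizer's entity store produces for each member.
pub fn build_user_with_username(id: &str, username: &str) -> cedar_policy::Entity {
    let mut attrs = std::collections::HashMap::new();
    attrs.insert(
        "username".to_string(),
        cedar_policy::RestrictedExpression::new_string(username.to_string()),
    );
    build_user(id, attrs)
}
```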