From fc4bbd8efd805411239406c6323a37537d4534f2 Mon Sep 17 00:00:00 2001 From: mo khan Date: Sat, 5 Jul 2025 11:29:37 -0600 Subject: fix: fix typo in cedar policy file --- etc/authzd/policy0.cedar | 1 + src/authorization/cedar_authorizer.rs | 110 +++++++++++++-------------- tests/authorization/cedar_authorizer_test.rs | 18 +++-- tests/authorization/check_service_test.rs | 4 +- 4 files changed, 68 insertions(+), 65 deletions(-) diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar index 75cf8178..e1037457 100644 --- a/etc/authzd/policy0.cedar +++ b/etc/authzd/policy0.cedar @@ -44,6 +44,7 @@ when { ) || ( context.method == "POST" && ( context.path == "/sparkles/restore" + ) ) ) }; diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs index 96a406d8..9fb7513a 100644 --- a/src/authorization/cedar_authorizer.rs +++ b/src/authorization/cedar_authorizer.rs 
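Review bot: Nothing in this commit makes a malformed policy0.cedar fail before deployment; the added `)` is the only guard against the same slip recurring. The policy loader (its `Ok(policies)` tail is visible at the top of the cedar_authorizer.rs diff) appears to parse the file when the authorizer is constructed, so a syntax error would presumably surface when the service starts rather than in CI, and a policy set that fails to load changes every authorization outcome. A test that builds the authorizer from `etc/authzd/policy0.cedar` and asserts the load succeeds would pin this — unless `build_cedar_authorizer()` in tests/authorization/cedar_authorizer_test.rs already reads that exact file, in which case the commit message should say so.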
@@ -49,58 +49,7 @@ impl CedarAuthorizer { Ok(policies) } -} - -impl Default for CedarAuthorizer { - fn default() -> Self { - Self::new_from(std::path::Path::new("/etc/authzd")) - } -} - -impl Authorizer for CedarAuthorizer { - fn authorize(&self, request: CheckRequest) -> bool { - let http_request = match request - .attributes - .as_ref() - .and_then(|attr| attr.request.as_ref()) - .and_then(|req| req.http.as_ref()) - { - Some(http) => http, - None => return false, - }; - - tracing::info!( - method = %http_request.method, - host = %http_request.host, - path = %http_request.path, - scheme = %http_request.scheme, - protocol = %http_request.protocol, - "Processing HTTP request" - ); - match self.map_from(http_request.clone()) { - Ok(cedar_request) => { - let entities = Entities::empty(); - let response = - self.authorizer - .is_authorized(&cedar_request, &self.policies, &entities); - - matches!(response.decision(), cedar_policy::Decision::Allow) - } - Err(e) => { - println!("error: {}", e); - tracing::error!( - error = %e, - path = %http_request.path, - "Failed to create Cedar request" - ); - false - } - } - } -} - -impl CedarAuthorizer { fn map_from( &self, http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest, @@ -110,8 +59,9 @@ impl CedarAuthorizer { let resource = self.resource_from(&http_request)?; let context = self.context_from(http_request)?; - CedarRequest::new(principal, permission, resource, context, None) - .map_err(|e| Box::new(e) as Box) + Ok(CedarRequest::new( + principal, permission, resource, context, None, + )?) } fn principal_from( @@ -147,7 +97,7 @@ impl CedarAuthorizer { fn context_from( &self, http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest, - ) -> Result { + ) -> Result> { let mut items = std::collections::HashMap::new(); items.insert("bearer_token".to_string(), self.token_from(&http_request)); 
@@ -155,7 +105,7 @@ impl CedarAuthorizer { items.insert("method".to_string(), self.safe_string(&http_request.method)); items.insert("path".to_string(), self.safe_string(&http_request.path)); - Context::from_pairs(items.into_iter().collect::>()) + Ok(Context::from_pairs(items.into_iter().collect::>())?) } fn token_from( @@ -175,3 +125,53 @@ impl CedarAuthorizer { cedar_policy::RestrictedExpression::new_string(item.to_string()) } } + +impl Default for CedarAuthorizer { + fn default() -> Self { + Self::new_from(std::path::Path::new("/etc/authzd")) + } +} + +impl Authorizer for CedarAuthorizer { + fn authorize(&self, request: CheckRequest) -> bool { + let http_request = match request + .attributes + .as_ref() + .and_then(|attr| attr.request.as_ref()) + .and_then(|req| req.http.as_ref()) + { + Some(http) => http, + None => return false, + }; + + tracing::info!( + method = %http_request.method, + host = %http_request.host, + path = %http_request.path, + scheme = %http_request.scheme, + protocol = %http_request.protocol, + "Processing HTTP request" + ); + + let entities = Entities::empty(); + + match self.map_from(http_request.clone()) { + Ok(cedar_request) => { + let response = + self.authorizer + .is_authorized(&cedar_request, &self.policies, &entities); + + matches!(response.decision(), cedar_policy::Decision::Allow) + } + Err(e) => { + println!("error: {}", e); + tracing::error!( + error = %e, + path = %http_request.path, + "Failed to create Cedar request" + ); + false + } + } + } +} diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 317ef67f..ccf8a1f8 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs 
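Review bot: `println!("error: {}", e);` in the `Err` arm of `authorize` writes the failure a second time to raw stdout, outside the structured `tracing::error!` that follows it, so it bypasses whatever filtering or redaction the tracing subscriber applies. The context built by `context_from` carries the bearer token under the `bearer_token` key, and it is not clear from here whether a `Context::from_pairs` or `CedarRequest::new` error can echo context values — if it can, that line prints a credential to stdout. Dropping the `println!` and keeping the `tracing::error!` is enough, since the log event already records the error and path. A secondary nit: `self.map_from(http_request.clone())` clones the whole `HttpRequest` only because `map_from` takes it by value, while every use visible in these hunks borrows it (`self.resource_from(&http_request)`, `self.token_from(&http_request)`, `self.safe_string(&http_request.method)`), so `map_from(&self, http_request: &HttpRequest)` would remove the clone — `principal_from` is cut off here, so confirm it borrows too.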
@@ -5,16 +5,18 @@ mod tests { use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; use std::collections::HashMap; + fn subject() -> authzd::CedarAuthorizer { + build_cedar_authorizer() + } + #[test] fn test_cedar_authorizer_allows_valid_token() { - let request = build_request(|item: &mut HttpRequest| { + assert!(subject().authorize(build_request(|item: &mut HttpRequest| { item.headers = build_headers(vec![( "authorization".to_string(), "Bearer valid-token".to_string(), )]); - }); - - assert!(build_cedar_authorizer().authorize(request)); + }))); } #[test] @@ -26,7 +28,7 @@ mod tests { )]); }); - assert!(!build_cedar_authorizer().authorize(request)); + assert!(!subject().authorize(request)); } #[test] @@ -35,7 +37,7 @@ mod tests { item.headers = HashMap::new(); }); - assert!(!build_cedar_authorizer().authorize(request)); + assert!(!subject().authorize(request)); } #[test] @@ -55,7 +57,7 @@ mod tests { ]); }); - assert!(build_cedar_authorizer().authorize(request)); + assert!(subject().authorize(request)); } #[test] @@ -75,6 +77,6 @@ mod tests { ]); }); - assert!(build_cedar_authorizer().authorize(request)); + assert!(subject().authorize(request)); } } diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index 5ea0cb95..a32f2a2c 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -224,13 +224,13 @@ mod tests { "GET", "/dashboard", "sparkle.staging.runway.gitlab.net", - tonic::Code::PermissionDenied, + tonic::Code::Unauthenticated, ), ( "POST", "/sparkles", "sparkle.staging.runway.gitlab.net", - tonic::Code::PermissionDenied, + tonic::Code::Unauthenticated, ), ]; -- cgit v1.2.3
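Review bot: The first test now nests the whole `build_request(...)` closure inside `assert!(subject().authorize(...))`, while the other tests touched in this file (the hunks at -26, -35, -55 and -75) keep the `let request = build_request(...);` then `assert!(...)` shape, and the nested form also yields a less readable assertion failure. Keeping `let request = build_request(|item: &mut HttpRequest| { ... });` followed by `assert!(subject().authorize(request));` matches the rest of the file. `subject()` is a plain alias for `build_cedar_authorizer()`; a one-line doc comment such as `/// The authorizer under test.` would say why it exists.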
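Review bot: The expected gRPC code for `GET /dashboard` and `POST /sparkles` on `sparkle.staging.runway.gitlab.net` flips from `PermissionDenied` to `Unauthenticated`, but no service-side change in this commit explains the new mapping, so the flip presumably follows from the policy file now parsing. That makes the distinction between the two codes load-bearing for the deny path, yet the table gives no hint which condition each case exercises. A short comment on these two entries — e.g. `// no valid bearer token: Unauthenticated, not PermissionDenied` — would record the reason, assuming that is indeed the difference; if these requests do carry credentials, the actual reason should be spelled out instead. The table and its enclosing test start before this hunk.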