From 2694c82d97005ca39f29f540e26249c18a21f6d6 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 18 Jun 2025 17:11:42 -0600
Subject: refactor: switch to a pure rust implementation

---
 Dockerfile | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

(limited to 'Dockerfile')

diff --git a/Dockerfile b/Dockerfile
index d4e2b99d..3bb0e723 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,13 @@
 # syntax=docker/dockerfile:1
-FROM golang:1.24.0 AS build
-ENV CGO_ENABLED=0
+FROM rust:latest AS builder
 WORKDIR /app
+RUN rustup target add x86_64-unknown-linux-musl
 COPY . ./
-RUN go build -o authzd ./cmd/authzd/main.go && mv ./authzd /bin/authzd
-
+RUN cargo build --release --target x86_64-unknown-linux-musl
+RUN ls -alh /app

 FROM scratch
-ENV BIND_ADDR=":http"
-EXPOSE 80
+EXPOSE 50051
 WORKDIR /var/www/
-COPY --from=build /bin/authzd /bin/authzd
+COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/authzd /bin/authzd
 CMD ["/bin/authzd"]
-- 
cgit v1.2.3

From b7cabd7fb1adce8a8f05ac397feea00712d04575 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 18 Jun 2025 17:15:35 -0600
Subject: chore: remove unnecessary ls from Dockerfile

---
 Dockerfile | 1 -
 1 file changed, 1 deletion(-)

(limited to 'Dockerfile')

diff --git a/Dockerfile b/Dockerfile
index 3bb0e723..2a367c7a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,6 @@ WORKDIR /app
 RUN rustup target add x86_64-unknown-linux-musl
 COPY . ./
 RUN cargo build --release --target x86_64-unknown-linux-musl
-RUN ls -alh /app

 FROM scratch
 EXPOSE 50051
-- 
cgit v1.2.3

From 59f90b902cfd523e0fafec43d345a66c60e28b49 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 25 Jun 2025 16:10:06 -0600
Subject: chore: install musl lib c in docker builder image

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

(limited to 'Dockerfile')

diff --git a/Dockerfile b/Dockerfile
index 2a367c7a..0c0bf256 100644
--- a/Dockerfile
+++ b/Dockerfile
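Review bot: `FROM rust:latest AS builder` pins nothing, so the toolchain that compiles `authzd` changes whenever the tag moves and a given image cannot be reproduced or audited later; pin to a release tag plus digest, e.g. `FROM rust:<VERSION>@sha256:<DIGEST> AS builder` (placeholders). The same floating-tag issue recurs in the later hunks that keep `rust:latest`, switch to `rust:alpine`, and introduce `gcr.io/distroless/static-debian12:nonroot`. `RUN cargo build --release --target x86_64-unknown-linux-musl` would also benefit from `--locked`, so that a missing or stale `Cargo.lock` fails the build instead of silently resolving newer dependency versions inside the image; I cannot tell from this patch whether `Cargo.lock` is committed.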
@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1
 FROM rust:latest AS builder
 WORKDIR /app
+RUN apt-get update && apt-get install -y musl-tools musl-dev
 RUN rustup target add x86_64-unknown-linux-musl
 COPY . ./
 RUN cargo build --release --target x86_64-unknown-linux-musl
-- 
cgit v1.2.3

From 5738d27bae33122544f389922b855cff5d375334 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 25 Jun 2025 16:55:35 -0600
Subject: chore: build optimized docker image

---
 .dockerignore | 10 ++++++++++
 Dockerfile    | 13 +++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)
 create mode 100644 .dockerignore

(limited to 'Dockerfile')

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..e8da7cb4
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,10 @@
+target/
+.git/
+.gitignore
+*.md
+tests/
+.env*
+Dockerfile*
+.dockerignore
+tags
+mise.toml
diff --git a/Dockerfile b/Dockerfile
index 0c0bf256..0faffb8e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,14 @@
 # syntax=docker/dockerfile:1
-FROM rust:latest AS builder
+FROM rust:alpine AS builder
+RUN apk add --no-cache musl-dev
 WORKDIR /app
-RUN apt-get update && apt-get install -y musl-tools musl-dev
-RUN rustup target add x86_64-unknown-linux-musl
 COPY . ./
 RUN cargo build --release --target x86_64-unknown-linux-musl
+RUN strip /app/target/x86_64-unknown-linux-musl/release/authzd

-FROM scratch
+FROM gcr.io/distroless/static-debian12:nonroot
 EXPOSE 50051
-WORKDIR /var/www/
+WORKDIR /var/www
 COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/authzd /bin/authzd
-CMD ["/bin/authzd"]
+COPY --from=builder /app/policies /etc/authzd/policies
+ENTRYPOINT ["/bin/authzd"]
-- 
cgit v1.2.3

From 187c02e9bf32f152cbca9fd5790f4a6070dbb37d Mon Sep 17 00:00:00 2001
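Review bot: `COPY --from=builder /app/policies /etc/authzd/policies` ships the policy directory into the runtime image, but the code as of the later cedar_authorizer.rs hunk still embeds the policy at compile time via `include_str!("../../policies/auth_policy.cedar")` (visible in the lines that hunk removes), so nothing appears to read `/etc/authzd/policies` and an operator editing it would change nothing. Either drop the `COPY` until a runtime loader exists, or put a comment above it such as `# Policies are compiled into the binary; this copy is not read at runtime yet` so the image contents do not mislead. The move to `gcr.io/distroless/static-debian12:nonroot` with `EXPOSE 50051` is a good fit, since the unprivileged user can bind a port above 1024 without extra capabilities, but that tag and `rust:alpine` are unpinned like the builder image in the first commit.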
From: mo khan
Date: Thu, 26 Jun 2025 15:30:41 -0600
Subject: refactor: try to move policy files to /etc/authzd/

---
 Dockerfile                                   |  2 +-
 etc/authzd/policy0.cedar                     | 19 +++++++++++++++++++
 policies/auth_policy.cedar                   | 23 -----------------------
 src/authorization/cedar_authorizer.rs        | 11 +++--------
 src/main.rs                                  |  2 +-
 tests/authorization/cedar_authorizer_test.rs | 10 +++++-----
 tests/authorization/check_service_test.rs    |  4 ++--
 tests/integration_tests.rs                   |  4 ++--
 8 files changed, 33 insertions(+), 42 deletions(-)
 create mode 100644 etc/authzd/policy0.cedar
 delete mode 100644 policies/auth_policy.cedar

(limited to 'Dockerfile')

diff --git a/Dockerfile b/Dockerfile
index 0faffb8e..744b4f3d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,5 +10,5 @@ FROM gcr.io/distroless/static-debian12:nonroot
 EXPOSE 50051
 WORKDIR /var/www
 COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/authzd /bin/authzd
-COPY --from=builder /app/policies /etc/authzd/policies
+COPY --from=builder /app/etc/authzd /etc/authzd
 ENTRYPOINT ["/bin/authzd"]
diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar
new file mode 100644
index 00000000..e01182c5
--- /dev/null
+++ b/etc/authzd/policy0.cedar
@@ -0,0 +1,19 @@
+permit(principal, action == Action::"check", resource)
+when {
+    context has bearer_token &&
+    context.bearer_token == "valid-token"
+};
+
+permit(principal, action == Action::"check", resource)
+when {
+    context has path &&
+    (context.path like "*.css" ||
+     context.path like "*.js" ||
+     context.path like "*.ico" ||
+     context.path like "*.png" ||
+     context.path like "*.jpg" ||
+     context.path like "*.jpeg" ||
+     context.path like "*.gif" ||
+     context.path like "*.bmp" ||
+     context.path like "*.html")
+};
diff --git a/policies/auth_policy.cedar b/policies/auth_policy.cedar
deleted file mode 100644
index c7eb6ce5..00000000
--- a/policies/auth_policy.cedar
+++ /dev/null
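Review bot: The move drops the three comments the old `policies/auth_policy.cedar` carried, including `// Allow static assets to pass through without authentication`, which was the one line telling a reader that the second `permit` deliberately grants `Action::"check"` with no token whenever `context.path` ends in one of the listed extensions. Restore them as `//` comments above each `permit` in `etc/authzd/policy0.cedar`, and because the `like "*.ext"` patterns match on the suffix alone, say that explicitly so a future edit does not widen the exemption by accident. The `context.bearer_token == "valid-token"` literal is carried over unchanged; if it is a placeholder rather than a real credential, the restored header comment is the place to say so.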
@@ -1,23 +0,0 @@
-// Authorization policies for the authzd service
-
-// Allow requests with valid Bearer tokens
-permit(principal, action == Action::"check", resource)
-when {
-    context has bearer_token &&
-    context.bearer_token == "valid-token"
-};
-
-// Allow static assets to pass through without authentication
-permit(principal, action == Action::"check", resource)
-when {
-    context has path &&
-    (context.path like "*.css" ||
-     context.path like "*.js" ||
-     context.path like "*.ico" ||
-     context.path like "*.png" ||
-     context.path like "*.jpg" ||
-     context.path like "*.jpeg" ||
-     context.path like "*.gif" ||
-     context.path like "*.bmp" ||
-     context.path like "*.html")
-};
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
index fb85012e..568bafbc 100644
--- a/src/authorization/cedar_authorizer.rs
+++ b/src/authorization/cedar_authorizer.rs
@@ -14,21 +14,16 @@ pub struct CedarAuthorizer {
 }

 impl CedarAuthorizer {
-    pub fn new() -> CedarAuthorizer {
-        let policy_src = include_str!("../../policies/auth_policy.cedar");
-        let policies = policy_src.parse().expect("Failed to parse Cedar policies");
-        let authorizer = CedarAuth::new();
-
+    pub fn new(policies: cedar_policy::PolicySet) -> CedarAuthorizer {
         CedarAuthorizer {
             policies,
-            authorizer,
+            authorizer: CedarAuth::new(),
         }
     }
 }
-
 impl Default for CedarAuthorizer {
     fn default() -> Self {
-        Self::new()
+        Self::new(PolicySet::default())
     }
 }
diff --git a/src/main.rs b/src/main.rs
index d847a2ee..1a3ff00c 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -14,7 +14,7 @@ async fn main() -> Result<(), Box> {
     let (_health_reporter, health_service) = tonic_health::server::health_reporter();
-    let authorizer = Arc::new(authorization::CedarAuthorizer::new());
+    let authorizer = Arc::new(authorization::CedarAuthorizer::default());
     let check_service = authorization::CheckService::new(authorizer);

     let server = Server::builder()
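Review bot: `impl Default` now returns `Self::new(PolicySet::default())`, an empty policy set, and the `src/main.rs` hunk in the same commit switches to `CedarAuthorizer::default()`, so the service starts with no policies at all: nothing in this patch parses `/etc/authzd/policy0.cedar`, the Dockerfile hunk only copies it into the image. Cedar denies when no permit applies, so this fails closed, but every check is refused, and the allow tests renamed to `default()` in `tests/authorization/cedar_authorizer_test.rs`, `tests/authorization/check_service_test.rs` and `tests/integration_tests.rs` (e.g. `test_cedar_authorizer_allows_valid_token`) cannot pass against an empty set. Either have `main` read and parse the policy file and pass the result to `new`, leaving `Default` for tests only, or keep a `Default` that loads the shipped policies; in both cases state the contract on the constructor, e.g. `/// Builds an authorizer over the given policies; the caller loads and validates the policy set.`. `PolicySet::default()` also relies on an import of `PolicySet` outside the hunk while the signature spells `cedar_policy::PolicySet`; pick one form. The `pub struct CedarAuthorizer` this `impl` belongs to starts before the hunk.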
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index b13f48ad..6e1591eb 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -8,7 +8,7 @@ mod tests {
     #[test]
     fn test_cedar_authorizer_allows_valid_token() {
-        let authorizer = CedarAuthorizer::new();
+        let authorizer = CedarAuthorizer::default();
         let request = create_request(|item: &mut HttpRequest| {
             item.headers = build_with(|item: &mut HashMap| {
                 item.insert(
@@ -23,7 +23,7 @@ mod tests {
     #[test]
     fn test_cedar_authorizer_denies_invalid_token() {
-        let authorizer = CedarAuthorizer::new();
+        let authorizer = CedarAuthorizer::default();
         let mut headers = HashMap::new();
         headers.insert(
             "authorization".to_string(),
@@ -39,7 +39,7 @@ mod tests {
     #[test]
     fn test_cedar_authorizer_denies_missing_header() {
-        let authorizer = CedarAuthorizer::new();
+        let authorizer = CedarAuthorizer::default();
         let headers = HashMap::new();
         let request = create_request(|item: &mut HttpRequest| {
             item.headers = headers;
@@ -51,7 +51,7 @@ mod tests {
     #[test]
     fn test_cedar_authorizer_allows_static_assets() {
-        let authorizer = CedarAuthorizer::new();
+        let authorizer = CedarAuthorizer::default();
         let mut headers = HashMap::new();
         headers.insert(":path".to_string(), "/public/style.css".to_string());
         let request = create_request(|item: &mut HttpRequest| {
@@ -64,7 +64,7 @@ mod tests {
     #[test]
     fn test_cedar_authorizer_allows_js_assets() {
-        let authorizer = CedarAuthorizer::new();
+        let authorizer = CedarAuthorizer::default();
         let mut headers = HashMap::new();
         headers.insert(":path".to_string(), "/app.js".to_string());
         let request = create_request(|item: &mut HttpRequest| {
diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs
index 0582417e..a739b16a 100644
--- a/tests/authorization/check_service_test.rs
+++ b/tests/authorization/check_service_test.rs
@@ -11,7 +11,7 @@ mod tests {
     #[tokio::test]
     async fn test_check_allows_valid_bearer_token() {
         let token = create_token();
-        let server = CheckService::new(Arc::new(CedarAuthorizer::new()));
+        let server = CheckService::new(Arc::new(CedarAuthorizer::default()));
         let mut headers = HashMap::new();
         headers.insert("authorization".to_string(), format!("Bearer {}", token));
@@ -30,7 +30,7 @@ mod tests {
     #[tokio::test]
     async fn test_check_denies_invalid_bearer_token() {
-        let authorizer = Arc::new(CedarAuthorizer::new());
+        let authorizer = Arc::new(CedarAuthorizer::default());
         let server = CheckService::new(authorizer);
         let request = tonic::Request::new(create_request(|item: &mut HttpRequest| {
             item.headers = HashMap::new();
diff --git a/tests/integration_tests.rs b/tests/integration_tests.rs
index 56321acb..a265c2be 100644
--- a/tests/integration_tests.rs
+++ b/tests/integration_tests.rs
@@ -9,7 +9,7 @@ mod common;
 #[tokio::test]
 async fn test_success_response() {
-    let authorizer = Arc::new(CedarAuthorizer::new());
+    let authorizer = Arc::new(CedarAuthorizer::default());
     let server = CheckService::new(authorizer);
     let request = tonic::Request::new(factory_bot::create_request(|item: &mut HttpRequest| {
         item.headers = factory_bot::build_headers(vec![(
@@ -30,7 +30,7 @@ async fn test_success_response() {
 #[tokio::test]
 async fn test_multiple() {
-    let authorizer = Arc::new(CedarAuthorizer::new());
+    let authorizer = Arc::new(CedarAuthorizer::default());
     let server = CheckService::new(authorizer);
     let test_cases = vec![
-- 
cgit v1.2.3