From fa92e7d1b3a61deb3d16db2f6546677040e395cd Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Mon, 14 Jul 2025 11:34:18 -0600
Subject: chore: add make targets to setup spice schema

---
 etc/authzd/spice.schema | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 etc/authzd/spice.schema

(limited to 'etc/authzd')

diff --git a/etc/authzd/spice.schema b/etc/authzd/spice.schema
new file mode 100644
index 00000000..74d0a7d6
--- /dev/null
+++ b/etc/authzd/spice.schema
@@ -0,0 +1,7 @@
+definition user {}
+definition post {
+  relation reader: user
+  relation writer: user
+  permission read = reader + writer
+  permission write = writer
+}
-- 
cgit v1.2.3


From 30ffd692e3749e38f9ab05d04a15d0dcdf186610 Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Mon, 14 Jul 2025 11:45:00 -0600
Subject: chore: rework examples to use project and gitlab roles

---
 Makefile                | 12 +++++++++---
 etc/authzd/spice.schema | 10 +++++-----
 2 files changed, 14 insertions(+), 8 deletions(-)

(limited to 'etc/authzd')

diff --git a/Makefile b/Makefile
index 35886d64..8eeadc86 100644
--- a/Makefile
+++ b/Makefile
@@ -83,8 +83,14 @@ production-entities: $(AUTHZD_BIN) check-gitlab-token
 run-spicedb:
 	@spicedb serve --grpc-preshared-key "secret"
 
-run-spice-schema-load:
+run-spicedb-setup:
 	@zed --endpoint ":50051" --token "secret" --insecure schema write etc/authzd/spice.schema
-
-run-spice-schema-read:
 	@zed --endpoint ":50051" --token "secret" --insecure schema read
+	@zed --endpoint ":50051" --token "secret" --insecure relationship create project:1 maintainer user:mokhax
+	@zed --endpoint ":50051" --token "secret" --insecure relationship create project:1 developer user:tanuki
+
+run-spicedb-permission-check:
+	@zed --endpoint ":50051" --token "secret" --insecure permission check project:1 read user:mokhax
+	@zed --endpoint ":50051" --token "secret" --insecure permission check project:1 write user:mokhax
+	@zed --endpoint ":50051" --token "secret" --insecure permission check project:1 read user:tanuki
+	@zed --endpoint ":50051" --token "secret" --insecure permission check project:1 write user:tanuki
diff --git a/etc/authzd/spice.schema b/etc/authzd/spice.schema
index 74d0a7d6..0d6a6482 100644
--- a/etc/authzd/spice.schema
+++ b/etc/authzd/spice.schema
@@ -1,7 +1,7 @@
 definition user {}
-definition post {
-  relation reader: user
-  relation writer: user
-  permission read = reader + writer
-  permission write = writer
+definition project {
+  relation developer: user
+  relation maintainer: user
+  permission read = developer + maintainer
+  permission write = maintainer
 }
-- 
cgit v1.2.3


From 56276ca9000d0ada5c6412fcb6437024ae6358d7 Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Mon, 14 Jul 2025 15:16:46 -0600
Subject: feat: allow access to sparkle in development

---
 etc/authzd/policy1.cedar                     | 11 +++++++++++
 tests/authorization/cedar_authorizer_test.rs | 18 ++++++++++++++++++
 2 files changed, 29 insertions(+)

(limited to 'etc/authzd')

diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar
index 15776ab7..6fe51b16 100644
--- a/etc/authzd/policy1.cedar
+++ b/etc/authzd/policy1.cedar
@@ -28,3 +28,14 @@ when
   context.host == "sparkle.staging.runway.gitlab.net" &&
   principal has username
 };
+
+permit (
+  principal == User::"1",
+  action == Action::"GET",
+  resource == Resource::"/dashboard"
+)
+when
+{
+  context has host &&
+  context.host == "localhost:10000"
+};
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index 7a99a7d9..58563832 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -128,4 +128,22 @@ mod tests {
         let authorizer = subject();
         assert_eq!(authorizer.authorize(request), true);
     }
+
+    #[test]
+    fn test_sparkle_dashboard() {
+        let request = build_request(|item: &mut HttpRequest| {
+            item.method = "GET".to_string();
+            item.path = "/dashboard".to_string();
+            item.host = "localhost:10000".to_string();
+            item.headers = build_headers(vec![
+                (String::from("x-jwt-claim-sub"), "1".to_string()),
+                (String::from(":path"), item.path.to_string()),
+                (String::from(":method"), item.method.to_string()),
+                (String::from(":authority"), item.host.to_string()),
+            ]);
+        });
+
+        let authorizer = subject();
+        assert_eq!(authorizer.authorize(request), true);
+    }
 }
-- 
cgit v1.2.3


From 7893dc14eeb28770c85860a1ae453edbdfa5a8f2 Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Mon, 14 Jul 2025 15:59:15 -0600
Subject: chore: fix linter error in cedar policy

---
 etc/authzd/policy1.cedar | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

(limited to 'etc/authzd')

diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar
index 6fe51b16..966bbcfb 100644
--- a/etc/authzd/policy1.cedar
+++ b/etc/authzd/policy1.cedar
@@ -34,8 +34,4 @@ permit (
   action == Action::"GET",
   resource == Resource::"/dashboard"
 )
-when
-{
-  context has host &&
-  context.host == "localhost:10000"
-};
+when { context has host && context.host == "localhost:10000" };
-- 
cgit v1.2.3