From 894e270ab5a15de2b664cc6f4ee6fd8369985f75 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 2 Apr 2025 13:32:22 -0600
Subject: refactor: combine cedar policies and add tests

---
 pkg/authz/cedar.go | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

(limited to 'pkg/authz')

diff --git a/pkg/authz/cedar.go b/pkg/authz/cedar.go
index 7a92f8e4..80bb2a3a 100644
--- a/pkg/authz/cedar.go
+++ b/pkg/authz/cedar.go
@@ -1,25 +1,33 @@
 package authz
 import (
+ "net"
 "net/http"
 cedar "github.com/cedar-policy/cedar-go"
+ "gitlab.com/mokhax/spike/pkg/gid"
+ xlog "gitlab.com/mokhax/spike/pkg/log"
 "gitlab.com/mokhax/spike/pkg/policies"
 )
 func WithCedar() Authorizer {
 return AuthorizerFunc(func(r *http.Request) bool {
+ host, _, err := net.SplitHostPort(r.Host)
+ if err != nil {
+ xlog.WithFields(r, xlog.Fields{"error": err})
+ return false
+ }
 subject, found := TokenFrom(r).Subject()
 if !found {
- subject = "*"
+ subject = "gid://User/*"
 }
 return policies.Allowed(cedar.Request{
- Principal: cedar.NewEntityUID("Subject", cedar.String(subject)),
- Action: cedar.NewEntityUID("Action", cedar.String(r.Method)),
- Resource: cedar.NewEntityUID("Path", cedar.String(r.URL.Path)),
+ Principal: gid.NewEntityUID(subject),
+ Action: cedar.NewEntityUID("HttpMethod", cedar.String(r.Method)),
+ Resource: cedar.NewEntityUID("HttpPath", cedar.String(r.URL.Path)),
 Context: cedar.NewRecord(cedar.RecordMap{
- "Host": cedar.String(r.Host),
+ "host": cedar.String(host),
 }),
 })
 })
--
cgit v1.2.3
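Review bot: The new `net.SplitHostPort(r.Host)` guard denies every request whose Host header carries no port, because SplitHostPort returns a "missing port in address" error for a bare host such as `example.com`, which is what browsers and Go clients send on the default 80/443 port; the old code passed `r.Host` through unchanged, so this is a behaviour change the commit message does not mention. Failing closed is the right default for an authorizer, but if bare hosts are legitimate here the guard should fall back instead of denying: `host := r.Host` followed by `if h, _, err := net.SplitHostPort(r.Host); err == nil { host = h }`. Separately, `host` is taken from the client-supplied Host header, so any Cedar policy that keys on the `host` context field is only as trustworthy as whatever validates Host upstream; a comment such as `// host comes from the client Host header; policies must not treat it as authenticated` would make that explicit. The `xlog.WithFields(r, xlog.Fields{"error": err})` call on the error path looks like it builds a logger without emitting a message, so confirm the denial is actually recorded. The closing brace of WithCedar lies outside the hunk.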