From e5142a2786b499291f6e98f328e10a9c44901ad2 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Fri, 18 Jul 2025 13:26:30 -0600
Subject: feat: authorize http resources

---
 pkg/authz/check_service.go | 7 ++++++-
 pkg/authz/init.go | 25 +++++++++++++++++++++----
 2 files changed, 27 insertions(+), 5 deletions(-)

(limited to 'pkg/authz')

diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 75ba3963..3e14c008 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -52,7 +52,12 @@ func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest)
 return false
 }
 
- response, err := svc.client.CheckPermission(ctx, mapper.MapFrom[*auth.CheckRequest, *v1.CheckPermissionRequest](r))
+ request := mapper.MapFrom[*auth.CheckRequest, *v1.CheckPermissionRequest](r)
+ response, err := svc.client.CheckPermission(ctx, request)
+ log.WithFields(ctx, log.Fields{
+ "spice_request": request,
+ "spice_response": response,
+ })
 if err != nil {
 pls.LogError(ctx, err)
 return false
diff --git a/pkg/authz/init.go b/pkg/authz/init.go
index e902e6d1..21927145 100644
--- a/pkg/authz/init.go
+++ b/pkg/authz/init.go
@@ -1,11 +1,14 @@
 package authz
 
 import (
+ "net/http"
+
 v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
 auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 "github.com/xlgmokha/x/pkg/log"
 "github.com/xlgmokha/x/pkg/mapper"
 "github.com/xlgmokha/x/pkg/x"
+ "google.golang.org/protobuf/types/known/structpb"
 )
 
 func init() {
@@ -24,8 +27,8 @@ func init() {
 
 mapper.Register[*auth.CheckRequest, *v1.ObjectReference](func(r *auth.CheckRequest) *v1.ObjectReference {
 return &v1.ObjectReference{
- ObjectType: "project",
- ObjectId: "1",
+ ObjectType: "resource",
+ ObjectId: r.Attributes.Request.Http.Path,
 }
 })
 
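Review bot: The new `log.WithFields(ctx, log.Fields{...})` call in isAuthorized runs before the `err != nil` check, so on a failed CheckPermission it records a nil `spice_response`, and its return value is discarded — if this package's `WithFields` returns an enriched logger or context instead of emitting a line (the hunk does not show which), nothing is logged at all. Move the call below the error check, `log.WithFields(ctx, log.Fields{"spice_request": request, "spice_response": response})` after the `if err != nil { ... }` block, and confirm that `WithFields` actually emits at that point. The logged request carries the caller's subject (derived from a request header in init.go) and the request path, so this is per-request identity data in the log stream; keep it at debug level or redact if logs leave the service. isAuthorized begins and ends outside the hunk.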
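Review bot: `ObjectId: r.Attributes.Request.Http.Path` passes the client-supplied request target straight through as the SpiceDB object id with no normalization, so `/a/../b`, `/b/`, `/B` and percent-encoded spellings are each checked as a different resource, and a value that violates the object-id character set (a query string would, if `Path` includes it — check the Envoy attribute definition) makes CheckPermission fail, which isAuthorized already turns into a deny. Failing closed is right, but the check is only meaningful when the id handed to SpiceDB matches the canonical form the relationships were written for; normalize before building the reference, e.g. `p, _, _ := strings.Cut(r.GetAttributes().GetRequest().GetHttp().GetPath(), "?")` then `ObjectId: path.Clean(p)`, and state the chosen canonical form (query stripped, trailing slash, case) in a comment on this mapper. The generated `GetAttributes().GetRequest().GetHttp()` getters are nil-safe where the direct field chain panics on a request without `Attributes`; the Permission mapper in the same file already uses `GetAttributes()`, so the two should agree.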
@@ -33,7 +36,7 @@ func init() {
 //TODO:: username is not ideal but it works for demo purposes
 username := r.Attributes.Request.Http.Headers["x-jwt-claim-username"]
 if x.IsZero(username) {
- username = "*"
+ username = "public"
 }
 
 return &v1.SubjectReference{
@@ -45,7 +48,20 @@ func init() {
 })
 
 mapper.Register[*auth.CheckRequest, Permission](func(r *auth.CheckRequest) Permission {
- return "read"
+ switch r.GetAttributes().Request.Http.Method {
+ case http.MethodGet:
+ return "read"
+ case http.MethodPost:
+ return "create"
+ case http.MethodPut:
+ return "update"
+ case http.MethodPatch:
+ return "update"
+ case http.MethodDelete:
+ return "delete"
+ default:
+ return "read"
+ }
 })
 
 mapper.Register[*auth.CheckRequest, *v1.CheckPermissionRequest](func(r *auth.CheckRequest) *v1.CheckPermissionRequest {
@@ -53,6 +69,7 @@ func init() {
 Resource: mapper.MapFrom[*auth.CheckRequest, *v1.ObjectReference](r),
 Permission: mapper.MapFrom[*auth.CheckRequest, Permission](r).String(),
 Subject: mapper.MapFrom[*auth.CheckRequest, *v1.SubjectReference](r),
+ Context: x.Must(structpb.NewStruct(map[string]any{})),
 }
 })
 }
-- 
cgit v1.2.3
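Review bot: The `default:` arm of the new method switch maps every method it does not recognize to `"read"`, so a request with an unexpected or non-standard method is authorized against the least-privileged permission instead of being refused, and whether the upstream treats that method as a mutation is decided by the upstream, not here. The surrounding pipeline already fails closed (an error or a false result from CheckPermission denies), so do the same in this mapper: return a permission that no relationship grants, or, if `Permission` has an empty value that isAuthorized can reject (not visible in this hunk), return that and deny unknown methods explicitly, with `http.MethodHead` and `http.MethodOptions` listed as deliberate `"read"` cases if they should pass. The `MethodPut` and `MethodPatch` arms can be folded into `case http.MethodPut, http.MethodPatch:`. `r.GetAttributes().Request.Http.Method` mixes a nil-safe getter with direct field access; `r.GetAttributes().GetRequest().GetHttp().GetMethod()` is nil-safe throughout.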
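Review bot: `Context: x.Must(structpb.NewStruct(map[string]any{}))` sets an always-empty caveat context, which should behave the same as leaving `Context` nil; if this is scaffolding for caveat parameters that will follow, say so with `// Context carries caveat parameters; intentionally empty until caveats are used`, otherwise drop the field. `x.Must` is safe here only because `NewStruct` cannot fail on an empty map — worth a short comment, because a later map filled with request-derived values of a type `NewStruct` rejects would turn that `Must` into a panic on the request path.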