From 894e270ab5a15de2b664cc6f4ee6fd8369985f75 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 2 Apr 2025 13:32:22 -0600
Subject: refactor: combine cedar policies and add tests

---
 pkg/rpc/ability_service.go | 7 ++++---
 pkg/rpc/server_test.go | 10 +++++-----
 2 files changed, 9 insertions(+), 8 deletions(-)
(limited to 'pkg/rpc')

diff --git a/pkg/rpc/ability_service.go b/pkg/rpc/ability_service.go
index bf299da9..18327d52 100644
--- a/pkg/rpc/ability_service.go
+++ b/pkg/rpc/ability_service.go
@@ -4,6 +4,7 @@ import (
 context "context"
 
 "github.com/cedar-policy/cedar-go"
+ "gitlab.com/mokhax/spike/pkg/gid"
 "gitlab.com/mokhax/spike/pkg/policies"
 )
 
@@ -17,9 +18,9 @@ func NewAbilityService() *AbilityService {
 
 func (h *AbilityService) Allowed(ctx context.Context, req *AllowRequest) (*AllowReply, error) {
 ok := policies.Allowed(cedar.Request{
- Principal: cedar.NewEntityUID("User", cedar.String(req.Subject)),
- Action: cedar.NewEntityUID("Action", cedar.String(req.Permission)),
- Resource: cedar.NewEntityUID("Album", cedar.String(req.Resource)),
+ Principal: gid.NewEntityUID(req.Subject),
+ Action: cedar.NewEntityUID("Permission", cedar.String(req.Permission)),
+ Resource: gid.NewEntityUID(req.Resource),
 Context: cedar.NewRecord(cedar.RecordMap{}),
 })
 return &AllowReply{Result: ok}, nil
diff --git a/pkg/rpc/server_test.go b/pkg/rpc/server_test.go
index 0871173b..66a177d5 100644
--- a/pkg/rpc/server_test.go
+++ b/pkg/rpc/server_test.go
@@ -31,7 +31,7 @@ func TestServer(t *testing.T) {
 defer connection.Close()
 client := NewAbilityClient(connection)
- t.Run("returns false", func(t *testing.T) {
+ t.Run("forbids", func(t *testing.T) {
 reply, err := client.Allowed(t.Context(), &AllowRequest{
 Subject: "",
 Permission: "",
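Review bot: The principal's entity type is now taken from the client-supplied Subject string via `gid.NewEntityUID(req.Subject)`, whereas the removed line pinned it to `User`; if gid.NewEntityUID derives the type from the `gid://Type/id` form (as the `gid://User/alice` fixtures in server_test.go suggest), a caller can present any entity type as the principal, and a malformed or empty Subject flows into policy evaluation with no explicit rejection, since the call returns no error to check. Consider validating the parsed principal before evaluating — at minimum rejecting inputs that do not parse, or comparing the parsed type against the expected `User` type — and returning a fail-closed `&AllowReply{Result: false}, nil` instead of relying on the policy set to deny; the same applies to `req.Resource`. A doc comment on the exported method would also help, e.g. `// Allowed evaluates req against the Cedar policy set. Subject and Resource are expected in gid://Type/id form; Permission names an entity of type Permission.` The function's closing brace lies outside the hunk.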
@@ -41,17 +41,17 @@ func TestServer(t *testing.T) {
 assert.False(t, reply.Result)
 })
 
- t.Run("returns true for alice:view:jane_vacation", func(t *testing.T) {
+ t.Run("allows alice:view:jane_vacation", func(t *testing.T) {
 reply, err := client.Allowed(t.Context(), &AllowRequest{
- Subject: "alice",
+ Subject: "gid://User/alice",
 Permission: "view",
- Resource: "jane_vacation",
+ Resource: "gid://Album/jane_vacation",
 })
 require.NoError(t, err)
 assert.True(t, reply.Result)
 })
 
- t.Run("returns gid://User/1:read:gid://Organization/2", func(t *testing.T) {
+ t.Run("allows gid://User/1 read gid://Organization/2", func(t *testing.T) {
 reply, err := client.Allowed(t.Context(), &AllowRequest{
 Subject: "gid://User/1",
 Permission: "read",
-- 
cgit v1.2.3
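Review bot: The updated fixtures only exercise well-formed `gid://` subjects and resources, so nothing pins the outcome for the inputs the old code accepted — the bare `Subject: "alice"` / `Resource: "jane_vacation"` pair this commit removes — or for a subject whose entity type is not the expected one; a later change that made `gid.NewEntityUID` lenient on bare identifiers would pass this suite unnoticed. Adding a subtest that sends the pre-change fixture and asserts `reply.Result` is false would lock in the fail-closed behaviour; a sibling case with a non-User type such as a constructed `gid://Album/alice` subject would cover the type check if one is added. The enclosing `TestServer` and its last `t.Run` continue past the end of the hunk.
```go
// … unchanged: existing subtests …
t.Run("forbids bare identifiers", func(t *testing.T) {
	reply, err := client.Allowed(t.Context(), &AllowRequest{
		Subject:    "alice",
		Permission: "view",
		Resource:   "jane_vacation",
	})
	require.NoError(t, err)
	assert.False(t, reply.Result)
})
```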