From 2e26e151c273cbcc063eba2d08d28dc2ba5a33ec Mon Sep 17 00:00:00 2001
From: mo khan
Date: Thu, 19 Jun 2025 17:45:39 -0600
Subject: refactor: split types into separate files
---
 src/authorization/check_service.rs | 97 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 src/authorization/check_service.rs
(limited to 'src/authorization/check_service.rs')
diff --git a/src/authorization/check_service.rs b/src/authorization/check_service.rs
new file mode 100644
index 00000000..7ca39fcd
--- /dev/null
+++ b/src/authorization/check_service.rs
@@ -0,0 +1,97 @@
+use envoy_types::ext_authz::v3::CheckResponseExt;
+use envoy_types::ext_authz::v3::pb::{CheckRequest, CheckResponse};
+use tonic::{Request, Response, Status};
+
+use super::authorizer::Authorizer;
+use super::cedar_authorizer::CedarAuthorizer;
+
+#[derive(Debug, Default)]
+pub struct CheckService;
+
+#[tonic::async_trait]
+impl envoy_types::ext_authz::v3::pb::Authorization for CheckService {
+ async fn check(
+ &self,
+ request: Request,
+ ) -> Result, Status> {
+ let request = request.into_inner();
+
+ let authorizer = CedarAuthorizer::new();
+ if authorizer.authorize(request) {
+ Ok(Response::new(CheckResponse::with_status(Status::ok("OK"))))
+ } else {
+ Ok(Response::new(CheckResponse::with_status(
+ Status::unauthenticated("Unauthorized"),
+ )))
+ }
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ use envoy_types::ext_authz::v3::pb::{Authorization, CheckRequest};
+ use envoy_types::pb::envoy::service::auth::v3::{AttributeContext, attribute_context};
+ use std::collections::HashMap;
+ use tonic::Request;
+
+ fn create_test_request_with_headers(headers: HashMap) -> Request {
+ let http_request = attribute_context::HttpRequest {
+ headers,
+ ..Default::default()
+ };
+
+ let request_context = attribute_context::Request {
+ http: Some(http_request),
+ ..Default::default()
+ };
+
+ let attributes = AttributeContext {
+ request: Some(request_context),
+ ..Default::default()
+ };
+
+ let check_request = CheckRequest {
+ attributes: Some(attributes),
+ ..Default::default()
+ };
+
+ Request::new(check_request)
+ }
+
+ fn create_headers_with_auth(auth_value: &str) -> HashMap {
+ let mut headers = HashMap::new();
+ headers.insert("authorization".to_string(), auth_value.to_string());
+ headers
+ }
+
+ #[tokio::test]
+ async fn test_check_allows_valid_bearer_token() {
+ let token = String::from("valid-token");
+ let server = CheckService::default();
+ let headers = create_headers_with_auth(&format!("Bearer {}", token));
+ let request = create_test_request_with_headers(headers);
+
+ let response = server.check(request).await;
+
+ assert!(response.is_ok());
+ let check_response = response.unwrap().into_inner();
+ assert!(check_response.status.is_some());
+ let status = check_response.status.unwrap();
+ assert_eq!(status.code, tonic::Code::Ok.into());
+ }
+
+ #[tokio::test]
+ async fn test_check_denies_invalid_bearer_token() {
+ let server = CheckService::default();
+ let request = create_test_request_with_headers(HashMap::new());
+
+ let response = server.check(request).await;
+
+ assert!(response.is_ok());
+ let check_response = response.unwrap().into_inner();
+ assert!(check_response.status.is_some());
+ let status = check_response.status.unwrap();
+ assert_eq!(status.code, tonic::Code::Unauthenticated.into());
+ }
+}
-- 
cgit v1.2.3
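Review bot: The deny branch of `check` answers every `false` from `authorizer.authorize(request)` with `Status::unauthenticated("Unauthorized")`, but a `bool` verdict gives the service no way to tell a request that carried no credentials from one whose credentials were accepted and then rejected by a Cedar policy, so policy denials are reported under the authentication code rather than `Status::permission_denied`; presumably the Envoy side surfaces that as a 401-style rather than a 403-style denial, which is worth confirming. Returning a small enum from the authorizer (allowed / no credentials / policy denied) and mapping it to `Status::ok`, `Status::unauthenticated` and `Status::permission_denied("Forbidden")` would keep the two cases apart for clients and for whoever reads the access logs. `CedarAuthorizer::new()` is also constructed on every call; if it loads policies or a schema it could live as a field of `CheckService` instead — cannot tell from this hunk. The second test builds its request with an empty header map, so it exercises a missing `authorization` header rather than an invalid bearer token as its name says, and `CheckService` itself has no doc comment; something like `/// ext_authz Authorization service that hands each CheckRequest to a CedarAuthorizer and maps its verdict to OK or Unauthenticated.` would help.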