From c6dd31046b369e6ac44ee85f6206a4384f9dd148 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Fri, 4 Jul 2025 18:13:28 -0600
Subject: refactor: extract method to parse principal
---
 src/authorization/cedar_authorizer.rs | 63 ++++++++++++++++++++++++-----------
 1 file changed, 43 insertions(+), 20 deletions(-)
(limited to 'src/authorization')
diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs
index e56640f9..1780eddd 100644
--- a/src/authorization/cedar_authorizer.rs
+++ b/src/authorization/cedar_authorizer.rs
@@ -85,6 +85,20 @@ impl Authorizer for CedarAuthorizer {
 return true;
 }
 
+ if http_request.host == "sparkle.staging.runway.gitlab.net"
+ && http_request.method == "GET"
+ && http_request.path == "/application.js"
+ {
+ return true;
+ }
+
+ if http_request.host == "sparkle.staging.runway.gitlab.net"
+ && http_request.method == "GET"
+ && http_request.path == "/callback"
+ {
+ return true;
+ }
+
 match self.map_from(http_request.clone()) {
 Ok(cedar_request) => {
 let entities = Entities::empty();
@@ -111,10 +125,7 @@ impl CedarAuthorizer {
 &self,
 http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
 ) -> Result> {
- // Create principal entity
- let principal_id = EntityId::from_str("client")?;
- let principal_type = EntityTypeName::from_str("User")?;
- let principal = EntityUid::from_type_name_and_id(principal_type, principal_id);
+ let principal = self.principal_from(&http_request)?;
 
 // Create action entity
 let action_id = EntityId::from_str("check")?;
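Review bot: The two new early returns hard-code a staging hostname and two paths into the authorizer and skip Cedar entirely for them, so an allow decision now lives in Rust where no policy review or policy test covers it; since this is an ext_authz check, prefer expressing the exemption as a Cedar policy (or at least configuration) rather than code. The comparisons are exact string matches, and if Envoy fills `HttpRequest.path` with the request target including the query string (I believe it does), a callback arriving as `/callback?code=…&state=…` never equals `"/callback"`, and `host` may carry a `:port` — confirm both against the proto before relying on this bypass. If it must stay in code, fold the duplicated blocks into one and label it: `// Staging-only unauthenticated allowlist for the login bootstrap; remove once policy covers it` followed by `if http_request.host == "sparkle.staging.runway.gitlab.net" && http_request.method == "GET" && matches!(http_request.path.as_str(), "/application.js" | "/callback") { return true; }`. The enclosing method begins before this hunk (an earlier `return true;` is the first visible line), so there may be further unconditional allows above that are not visible here.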
@@ -131,30 +142,42 @@ impl CedarAuthorizer {
 .map_err(|e| Box::new(e) as Box)
 }
 
+ fn principal_from(
+ &self,
+ _http_request: &envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
+ ) -> Result> {
+ let principal_id = EntityId::from_str("client")?;
+ let principal_type = EntityTypeName::from_str("User")?;
+ let principal = EntityUid::from_type_name_and_id(principal_type, principal_id);
+ Ok(principal)
+ }
+
 fn context_from(
 &self,
 http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
 ) -> Result {
- let mut context_map = std::collections::HashMap::new();
+ let mut items = std::collections::HashMap::new();
+
+ items.insert("bearer_token".to_string(), self.token_from(&http_request));
+ items.insert("path".to_string(), self.safe_string(&http_request.path));
 
- let headers = &http_request.headers;
- let bearer_token = headers
+ Context::from_pairs(items.into_iter().collect::>())
+ }
+
+ fn token_from(
+ &self,
+ http_request: &envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest,
+ ) -> cedar_policy::RestrictedExpression {
+ let bearer_token = &http_request
+ .headers
 .get("authorization")
 .and_then(|auth| auth.strip_prefix("Bearer "))
 .unwrap_or("");
- if !bearer_token.is_empty() {
- context_map.insert(
- "bearer_token".to_string(),
- cedar_policy::RestrictedExpression::new_string(bearer_token.to_string()),
- );
- }
- if !http_request.path.is_empty() {
- context_map.insert(
- "path".to_string(),
- cedar_policy::RestrictedExpression::new_string(http_request.path.clone()),
- );
- }
- Context::from_pairs(context_map.into_iter().collect::>())
+ self.safe_string(bearer_token)
+ }
+
+ fn safe_string(&self, item: &str) -> cedar_policy::RestrictedExpression {
+ cedar_policy::RestrictedExpression::new_string(item.to_string())
+ }
 }
 }
-- 
cgit v1.2.3
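Review bot: `principal_from` ignores its `_http_request` argument and always returns `User::"client"`, so every caller — including one with no `Authorization` header at all — is evaluated as the same Cedar principal and any `permit` scoped to `User::"client"` applies to anonymous traffic; the commit title says "parse principal" but nothing is parsed or verified. Until the principal is derived from a verified token, mark the stub so nobody reads it as intentional: `// TODO(security): placeholder principal; derive from a verified bearer token. Every request is currently User::"client".` The rewrite of `context_from` also changes behaviour: `bearer_token` and `path` are now always present (as `""` when missing) where before they were omitted, so any policy that uses `context has bearer_token` as its authentication check now always passes — audit the policy set for that pattern or restore the presence check before inserting. Separately, `strip_prefix("Bearer ")` is case-sensitive while RFC 6750 treats the scheme name case-insensitively, and `.get("authorization")` assumes a lowercased header key (Envoy normalizes header names, but worth confirming); note too that the raw token is copied into the Cedar context, so anything that logs or echoes the request context will expose credentials.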