package authz
import (
"net/http"
v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
"github.com/xlgmokha/x/pkg/log"
"github.com/xlgmokha/x/pkg/mapper"
"github.com/xlgmokha/x/pkg/x"
"google.golang.org/protobuf/types/known/structpb"
)
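// init registers the mappers that translate an Envoy ext_authz
// CheckRequest into the log fields and authzed v1 request parts used
// by this package.
//
// Every field is read through the protobuf-generated Get* methods,
// which are nil-safe: a CheckRequest whose Attributes, Request or Http
// sub-message is missing yields zero values instead of a nil pointer
// dereference inside the mapper (and therefore inside the authz
// filter).
func init() {
	// Structured log fields for a check request.
	mapper.Register[*auth.CheckRequest, log.Fields](func(r *auth.CheckRequest) log.Fields {
		req := httpRequest(r)
		// Reading a nil map is safe: missing keys yield "".
		headers := req.GetHeaders()
		return log.Fields{
			"host":       req.GetHost(),
			"id":         req.GetId(),
			"method":     req.GetMethod(),
			"path":       req.GetPath(),
			"protocol":   req.GetProtocol(),
			"request_id": headers["x-request-id"],
			"scheme":     req.GetScheme(),
			"subject":    headers["x-jwt-claim-username"],
		}
	})

	// The resource being accessed is identified by the raw request path.
	mapper.Register[*auth.CheckRequest, *v1.ObjectReference](func(r *auth.CheckRequest) *v1.ObjectReference {
		return &v1.ObjectReference{
			ObjectType: "resource",
			ObjectId:   httpRequest(r).GetPath(),
		}
	})

	// The subject is taken from the x-jwt-claim-username header; an
	// absent or empty value maps to the "public" user.
	// NOTE(review): this header is the sole source of the caller's
	// identity here and is presumably populated by an upstream JWT
	// filter — confirm that a client-supplied copy of it cannot reach
	// this filter.
	mapper.Register[*auth.CheckRequest, *v1.SubjectReference](func(r *auth.CheckRequest) *v1.SubjectReference {
		//TODO:: username is not ideal but it works for demo purposes
		username := httpRequest(r).GetHeaders()["x-jwt-claim-username"]
		if x.IsZero(username) {
			username = "public"
		}
		return &v1.SubjectReference{
			Object: &v1.ObjectReference{
				ObjectType: "user",
				ObjectId:   username,
			},
		}
	})

	// HTTP method -> permission name. Any method not listed below
	// (including an empty method) falls back to "read".
	mapper.Register[*auth.CheckRequest, Permission](func(r *auth.CheckRequest) Permission {
		switch httpRequest(r).GetMethod() {
		case http.MethodGet:
			return "read"
		case http.MethodPost:
			return "create"
		case http.MethodPut, http.MethodPatch:
			return "update"
		case http.MethodDelete:
			return "delete"
		default:
			return "read"
		}
	})

	// Full permission check composed from the mappers registered above.
	// The caveat context is an empty struct; structpb.NewStruct does not
	// fail on an empty map, so x.Must cannot panic here.
	mapper.Register[*auth.CheckRequest, *v1.CheckPermissionRequest](func(r *auth.CheckRequest) *v1.CheckPermissionRequest {
		return &v1.CheckPermissionRequest{
			Resource:   mapper.MapFrom[*auth.CheckRequest, *v1.ObjectReference](r),
			Permission: mapper.MapFrom[*auth.CheckRequest, Permission](r).String(),
			Subject:    mapper.MapFrom[*auth.CheckRequest, *v1.SubjectReference](r),
			Context:    x.Must(structpb.NewStruct(map[string]any{})),
		}
	})
}

// httpRequest returns the HTTP attributes of r. When any link in the
// Attributes -> Request -> Http chain is nil the result is nil, and the
// generated getters on a nil message return zero values.
func httpRequest(r *auth.CheckRequest) *auth.AttributeContext_HttpRequest {
	return r.GetAttributes().GetRequest().GetHttp()
}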