authormo khan <mo@mokhan.ca>2025-07-04 12:01:56 -0600
committermo khan <mo@mokhan.ca>2025-07-04 12:01:56 -0600
commita3b0accde30a92434053bab1d25d8028e24ed866 (patch)
tree50617fcecc419baa5ec54544d26af36f86a65fdb /pkg/authz
parent352ae9a9e28b0bfb6f2f649f2eff2c8fef6f779a (diff)
feat: perform a remote PDP authz check
Diffstat (limited to 'pkg/authz')
-rw-r--r--pkg/authz/check_service.go31
1 files changed, 19 insertions, 12 deletions
diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 48f6d88..4f079f9 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -49,23 +49,30 @@ func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest)
if svc.isAllowed(ctx, request) {
return svc.OK(ctx), nil
}
+ return svc.Denied(ctx), nil
+}
+func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool {
+ ok, _ := public[svc.keyFor(r.Attributes.Request.Http)]
+ return ok
+}
+
+func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest) bool {
if x.IsZero(svc.client) {
- return svc.Denied(ctx), nil
+ return false
}
-
- response, err := svc.client.Check(ctx, request)
+ response, err := svc.client.Check(ctx, r)
if err != nil {
pls.LogError(ctx, err)
- return svc.Denied(ctx), nil
+ return false
}
- log.WithFields(ctx, log.Fields{"authzd": response})
- return response, err
-}
-
-func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool {
- ok, _ := public[svc.keyFor(r.Attributes.Request.Http)]
- return ok
+ if x.IsZero(response.Status) {
+ return false
+ }
+ if response.Status.Code != int32(codes.OK) {
+ return false
+ }
+ return true
}
func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool {
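Review bot: isAuthorized folds three different outcomes into a single false — no client configured, a failed `svc.client.Check` call, and an explicit non-OK status from the PDP — so a caller cannot distinguish "the PDP was unreachable" from "the PDP said no"; combined with the OR chain in the second hunk this means a PDP outage silently degrades to the previous login-only policy rather than failing closed. Consider returning `(allowed bool, err error)` so isAllowed can decide the fallback explicitly, or at minimum keep a decision record: the old `log.WithFields(ctx, log.Fields{"authzd": response})` line was dropped, so the remote decision is no longer logged for audit; re-adding it after the `err != nil` check would restore that. The PDP's full response is also discarded now in favor of `svc.OK(ctx)`/`svc.Denied(ctx)`; if the client contract allows the PDP to return headers or a denial body, those are lost — worth confirming against the client. The enclosing Check method begins outside this hunk.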
@@ -74,7 +81,7 @@ func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bo
}
log.WithFields(ctx, svc.fieldsFor(r))
- return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
+ return svc.isAuthorized(ctx, r) || svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
}
func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool {
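Review bot: The new return line lets a local check override an explicit remote deny — when the PDP returns a non-OK status, isAuthorized is false but the request is still allowed whenever isLoggedIn is true, so the remote PDP can only widen access, never narrow it. If the intent is PDP-first authorization, evaluate the PDP decision on its own and only fall through to the local checks when the PDP is unavailable, rather than OR-ing all three unconditionally. Independently, isAuthorized performs a network round-trip before the cheap map lookup in isPublic; since short-circuit OR makes the order behaviorally irrelevant here, `return svc.isPublic(ctx, r) || svc.isAuthorized(ctx, r) || svc.isLoggedIn(ctx, r)` avoids a PDP call for public routes. The enclosing isAllowed function starts outside this hunk.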