summaryrefslogtreecommitdiff
path: root/app/middleware
diff options
context:
space:
mode:
Diffstat (limited to 'app/middleware')
-rw-r--r--app/middleware/id_token_test.go1
-rw-r--r--app/middleware/permission.go24
-rw-r--r--app/middleware/require_permission.go33
-rw-r--r--app/middleware/require_permission_test.go58
-rw-r--r--app/middleware/user.go2
5 files changed, 117 insertions, 1 deletions
diff --git a/app/middleware/id_token_test.go b/app/middleware/id_token_test.go
index 5487ada..9d8521a 100644
--- a/app/middleware/id_token_test.go
+++ b/app/middleware/id_token_test.go
@@ -23,7 +23,6 @@ func TestIDToken(t *testing.T) {
t.Run("when an active id_token cookie is provided", func(t *testing.T) {
t.Run("attaches the token to the request context", func(t *testing.T) {
user := mockoidc.DefaultUser()
-
_, rawIDToken := srv.CreateTokensFor(user)
server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
diff --git a/app/middleware/permission.go b/app/middleware/permission.go
new file mode 100644
index 0000000..03e7cf9
--- /dev/null
+++ b/app/middleware/permission.go
@@ -0,0 +1,24 @@
+package middleware
+
+import (
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
+)
+
+type Permission string
+
+func (p Permission) ToGID() string {
+ return "gid://sparkle/Permission/" + p.String()
+}
+
+func (p Permission) RequestFor(user domain.Identifiable, resource domain.Identifiable) *rpc.AllowRequest {
+ return &rpc.AllowRequest{
+ Subject: user.ToGID(),
+ Permission: p.ToGID(),
+ Resource: resource.ToGID(),
+ }
+}
+
+func (p Permission) String() string {
+ return string(p)
+}
diff --git a/app/middleware/require_permission.go b/app/middleware/require_permission.go
new file mode 100644
index 0000000..563278e
--- /dev/null
+++ b/app/middleware/require_permission.go
@@ -0,0 +1,33 @@
+package middleware
+
+import (
+ "net/http"
+
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+)
+
+func RequirePermission(permission Permission, ability rpc.Ability) func(http.Handler) http.Handler {
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ user := cfg.CurrentUser.From(r.Context())
+
+ reply, err := ability.Allowed(r.Context(),
+ permission.RequestFor(user, &domain.Sparkle{ID: "*"}),
+ )
+ if err != nil {
+ pls.LogError(r.Context(), err)
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
+
+ if reply.Result {
+ next.ServeHTTP(w, r)
+ } else {
+ w.WriteHeader(http.StatusForbidden)
+ }
+ })
+ }
+}
diff --git a/app/middleware/require_permission_test.go b/app/middleware/require_permission_test.go
new file mode 100644
index 0000000..34a04a7
--- /dev/null
+++ b/app/middleware/require_permission_test.go
@@ -0,0 +1,58 @@
+package middleware
+
+import (
+ "context"
+ "net/http"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ "github.com/xlgmokha/x/pkg/test"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
+)
+
+type MockAbility func(context.Context, *rpc.AllowRequest) (*rpc.AllowReply, error)
+
+func (m MockAbility) Allowed(ctx context.Context, r *rpc.AllowRequest) (*rpc.AllowReply, error) {
+ return m(ctx, r)
+}
+
+func TestRequirePermission(t *testing.T) {
+ user := &domain.User{ID: domain.ID("1")}
+ ctx := cfg.CurrentUser.With(t.Context(), user)
+ permission := Permission("read_sparkles")
+
+ t.Run("when the permission is granted", func(t *testing.T) {
+ r, w := test.RequestResponse("GET", "/sparkles", test.WithContext(ctx))
+
+ middleware := RequirePermission(permission, MockAbility(func(ctx context.Context, r *rpc.AllowRequest) (*rpc.AllowReply, error) {
+ require.Equal(t, "gid://sparkle/User/"+user.ID.String(), r.Subject)
+ require.Equal(t, permission.ToGID(), r.Permission)
+ require.Equal(t, "gid://sparkle/Sparkle/*", r.Resource)
+
+ return &rpc.AllowReply{Result: true}, nil
+ }))
+ server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.WriteHeader(http.StatusTeapot)
+ }))
+ server.ServeHTTP(w, r)
+
+ require.Equal(t, http.StatusTeapot, w.Code)
+ })
+
+ t.Run("when the permission is denied", func(t *testing.T) {
+ r, w := test.RequestResponse("GET", "/sparkles", test.WithContext(ctx))
+
+ middleware := RequirePermission(permission, MockAbility(func(ctx context.Context, r *rpc.AllowRequest) (*rpc.AllowReply, error) {
+ return &rpc.AllowReply{Result: false}, nil
+ }))
+ server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ require.Fail(t, "unexpected call to handler")
+ }))
+
+ server.ServeHTTP(w, r)
+
+ require.Equal(t, http.StatusForbidden, w.Code)
+ })
+}
diff --git a/app/middleware/user.go b/app/middleware/user.go
index 6c018f4..2a6bf71 100644
--- a/app/middleware/user.go
+++ b/app/middleware/user.go
@@ -4,6 +4,7 @@ import (
"net/http"
"github.com/coreos/go-oidc/v3/oidc"
+ "github.com/xlgmokha/x/pkg/log"
"github.com/xlgmokha/x/pkg/mapper"
"github.com/xlgmokha/x/pkg/x"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
@@ -15,6 +16,7 @@ func User(db domain.Repository[*domain.User]) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
subject := r.Header.Get("x-jwt-claim-sub")
+ log.WithFields(r.Context(), log.Fields{"sub": subject})
user := db.Find(r.Context(), domain.ID(subject))
if !x.IsPresent(user) {
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-02 10:05:22 +0000