Diffstat (limited to 'pkg/authz/check_service.go')
-rw-r--r--pkg/authz/check_service.go25
1 files changed, 23 insertions, 2 deletions
diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 3c4426a..0d5567a 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -10,6 +10,7 @@ import (
types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
"github.com/xlgmokha/x/pkg/log"
"github.com/xlgmokha/x/pkg/x"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
status "google.golang.org/genproto/googleapis/rpc/status"
"google.golang.org/grpc/codes"
@@ -17,6 +18,13 @@ import (
type CheckService struct {
auth.UnimplementedAuthorizationServer
+ ability rpc.Ability
+}
+
+func NewCheckService(ability rpc.Ability) *CheckService {
+ return &CheckService{
+ ability: ability,
+ }
}
func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
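Review bot: NewCheckService is exported but has no doc comment, and the ability field it sets is now the only input isLoggedIn has for its rpc.Ability call, so a CheckService built as a plain struct literal (which the previous shape allowed) would reach a nil interface method call once a logged-in request arrives. Suggest `// NewCheckService returns a CheckService that confirms logged-in requests against ability; construct it with this function rather than as a zero-value struct.` The Check method that begins on the hunk's last line continues outside the hunk.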
@@ -56,7 +64,7 @@ func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bo
}
log.WithFields(ctx, svc.fieldsFor(r))
- return svc.isLoggedIn(ctx, r) || svc.isPublic(ctx, r)
+ return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
}
func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool {
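Review bot: The reordered return on the `+` line changes more than evaluation order: with isPublic first, a public request short-circuits before isLoggedIn runs, so the ability lookup introduced in the same commit is never issued for public resources, which is presumably the intent but nothing in the code says so. Suggest a comment above the return: `// Public resources short-circuit so no ability lookup is made for them.` isAllowed begins before this hunk.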
@@ -90,7 +98,20 @@ func (svc *CheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) b
pls.LogError(ctx, err)
return false
}
- return x.IsPresent(idToken)
+ if x.IsZero(idToken) {
+ return false
+ }
+
+ reply, err := svc.ability.Allowed(ctx, &rpc.AllowRequest{
+ Subject: idToken.Subject,
+ Permission: r.Attributes.Request.Http.Method,
+ Resource: r.Attributes.Request.Http.Path,
+ })
+ if err != nil {
+ pls.LogError(ctx, err)
+ return false
+ }
+ return reply.Result
}
return false
}
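Review bot: The Resource sent to ability.Allowed is the raw Http.Path from the Envoy attribute context, which per Envoy's AttributeContext.HttpRequest documentation is the request target including any query string, with no decoding; the permission decision is therefore keyed on an un-normalized value, so the same path with and without a query, or with percent-encoded or dot segments, is treated as different resources. Consider stripping the query and cleaning the path before building the AllowRequest, e.g. `u, err := url.ParseRequestURI(r.Attributes.Request.Http.Path)` followed by `Resource: path.Clean(u.Path)` with the parse error handled like the others, or add a comment stating why the raw request target is the intended resource key. Separately, `reply.Result` is read without a nil check on reply; if rpc.Ability is only ever a generated gRPC client that is fine, but if it is an interface with other implementations a nil reply paired with a nil error would panic here. isLoggedIn starts before this hunk.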