Diffstat (limited to 'pkg')
-rw-r--r--pkg/authz/check_service.go25
-rw-r--r--pkg/authz/id_token.go2
-rw-r--r--pkg/authz/server.go10
3 files changed, 33 insertions, 4 deletions
diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 3c4426a..0d5567a 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -10,6 +10,7 @@ import (
types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
"github.com/xlgmokha/x/pkg/log"
"github.com/xlgmokha/x/pkg/x"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
status "google.golang.org/genproto/googleapis/rpc/status"
"google.golang.org/grpc/codes"
@@ -17,6 +18,13 @@ import (
type CheckService struct {
auth.UnimplementedAuthorizationServer
+ ability rpc.Ability
+}
+
+func NewCheckService(ability rpc.Ability) *CheckService {
+ return &CheckService{
+ ability: ability,
+ }
}
func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
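Review bot: `NewCheckService` and the new `ability` field are added without doc comments, and nothing states that the constructor is now the only safe way to build a `CheckService`. If `rpc.Ability` is an interface (the later `rpc.NewAbilityProtobufClient` call suggests it is), a zero-value `CheckService{}` carries a nil `ability` and the first `Allowed` call panics, so the old `&CheckService{}` form must not be used anywhere else. Add `// NewCheckService returns a CheckService whose login checks are completed by a permission lookup through ability.` above the constructor and `// ability answers per-request permission checks; build via NewCheckService so it is never nil.` on the field.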
@@ -56,7 +64,7 @@ func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bo
}
log.WithFields(ctx, svc.fieldsFor(r))
- return svc.isLoggedIn(ctx, r) || svc.isPublic(ctx, r)
+ return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
}
func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool {
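Review bot: Swapping the operands means a request to a public path now short-circuits before any ID-token parsing or ability lookup happens, so `isPublic` alone is the gate for those paths; that is a behavioural change, not just a reorder, and deserves a comment on the return, e.g. `// Public paths are decided here; token validation and the ability lookup run only for everything else.` The body of `isAllowed` begins outside this hunk, so whether any earlier check depends on the token having been parsed is not visible.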
@@ -90,7 +98,20 @@ func (svc *CheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) b
pls.LogError(ctx, err)
return false
}
- return x.IsPresent(idToken)
+ if x.IsZero(idToken) {
+ return false
+ }
+
+ reply, err := svc.ability.Allowed(ctx, &rpc.AllowRequest{
+ Subject: idToken.Subject,
+ Permission: r.Attributes.Request.Http.Method,
+ Resource: r.Attributes.Request.Http.Path,
+ })
+ if err != nil {
+ pls.LogError(ctx, err)
+ return false
+ }
+ return reply.Result
}
return false
}
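Review bot: The `Resource` sent to `Allowed` is `r.Attributes.Request.Http.Path` exactly as Envoy delivered it, with no canonicalization; if authzd matches on the path string, variants such as an attached query string, `//`, `.`/`..` segments or percent-encoded characters can be evaluated against a different resource name than the one the upstream ultimately serves. Normalize before the call — `resource, _, _ := strings.Cut(r.Attributes.Request.Http.Path, "?")` followed by `resource = path.Clean(resource)` and `Resource: resource,` — or document that authzd canonicalizes on its side, and settle with authzd whether percent-decoding happens before matching. Whether `r.Attributes.Request.Http` is guaranteed non-nil here depends on `validRequest`, which is outside the hunk. The two error branches deny the request, which is the right default and worth a one-line comment such as `// An authzd error is treated as deny (fail closed).`; since the method now performs an authorization lookup rather than only checking for a token, a name like `isAuthorized` would describe it better. The start of `isLoggedIn` is outside this hunk.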
diff --git a/pkg/authz/id_token.go b/pkg/authz/id_token.go
index b647161..ccc96de 100644
--- a/pkg/authz/id_token.go
+++ b/pkg/authz/id_token.go
@@ -9,7 +9,7 @@ import (
)
type IDToken struct {
- Audience []string `json:"aud"`
+ // Audience []string `json:"aud"`
Email string `json:"email"`
EmailVerified bool `json:"email_verified"`
ExpiredAt int64 `json:"exp"`
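Review bot: Commenting out `Audience` removes the `aud` claim from the decoded token, so any audience check that read this field is gone and a token minted for a different client now parses exactly like one minted for this service; whether such a check exists is outside this hunk, but dropping the field forecloses it. If the motivation is that `aud` may be either a single string or an array of strings (RFC 7519 §4.1.3), the fix is a custom unmarshaler that accepts both encodings and keeps the field available for validation. `encoding/json` must be in the import block if it is not already.
```go
// Audience holds the aud claim, which is encoded either as a single string
// or as an array of strings.
type Audience []string

// UnmarshalJSON accepts both JSON encodings of the aud claim.
func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = Audience(many)
	return nil
}

type IDToken struct {
	Audience Audience `json:"aud"`
	// … unchanged: remaining claims …
```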
diff --git a/pkg/authz/server.go b/pkg/authz/server.go
index 49bcd3d..b890387 100644
--- a/pkg/authz/server.go
+++ b/pkg/authz/server.go
@@ -2,11 +2,15 @@ package authz
import (
"context"
+ "net/http"
auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ "github.com/xlgmokha/x/pkg/env"
"github.com/xlgmokha/x/pkg/log"
"github.com/xlgmokha/x/pkg/x"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
"google.golang.org/grpc"
"google.golang.org/grpc/reflection"
)
@@ -17,12 +21,16 @@ type Server struct {
func New(ctx context.Context, options ...grpc.ServerOption) *Server {
logger := log.From(ctx)
+
server := grpc.NewServer(x.Prepend(
options,
grpc.UnaryInterceptor(pls.LogGRPC(logger)),
grpc.StreamInterceptor(pls.LogGRPCStream(logger)),
)...)
- auth.RegisterAuthorizationServer(server, &CheckService{})
+ auth.RegisterAuthorizationServer(server, NewCheckService(rpc.NewAbilityProtobufClient(
+ env.Fetch("AUTHZD_HOST", "https://authzd.staging.runway.gitlab.net"),
+ &http.Client{Transport: &web.Transport{Logger: logger}},
+ )))
reflection.Register(server)
return &Server{
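Review bot: The fallback in `env.Fetch("AUTHZD_HOST", "https://authzd.staging.runway.gitlab.net")` hard-codes a staging authzd endpoint into the server, so a deployment that omits the variable silently takes its authorization decisions from a non-production service; make the variable required and fail at startup when it is empty rather than defaulting to an environment-specific host. The `http.Client` handed to `rpc.NewAbilityProtobufClient` has no `Timeout`, so an unresponsive authzd can hold a Check call for as long as the caller's context allows — unless `web.Transport` bounds this, set `&http.Client{Timeout: /* bound */, Transport: &web.Transport{Logger: logger}}`. The body of `New` continues past the hunk.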