From a3b0accde30a92434053bab1d25d8028e24ed866 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Fri, 4 Jul 2025 12:01:56 -0600
Subject: feat: perform a remote PDP authz check

---
 pkg/authz/check_service.go | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

(limited to 'pkg')

diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 48f6d88..4f079f9 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -49,23 +49,30 @@ func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest)
 if svc.isAllowed(ctx, request) {
 return svc.OK(ctx), nil
 }
+ return svc.Denied(ctx), nil
+}
+func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool {
+ ok, _ := public[svc.keyFor(r.Attributes.Request.Http)]
+ return ok
+}
+
+func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest) bool {
 if x.IsZero(svc.client) {
- return svc.Denied(ctx), nil
+ return false
 }
-
- response, err := svc.client.Check(ctx, request)
+ response, err := svc.client.Check(ctx, r)
 if err != nil {
 pls.LogError(ctx, err)
- return svc.Denied(ctx), nil
+ return false
 }
- log.WithFields(ctx, log.Fields{"authzd": response})
- return response, err
-}
-
-func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool {
- ok, _ := public[svc.keyFor(r.Attributes.Request.Http)]
- return ok
+ if x.IsZero(response.Status) {
+ return false
+ }
+ if response.Status.Code != int32(codes.OK) {
+ return false
+ }
+ return true
 }
 func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool {
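Review bot: The remote decision is no longer recorded anywhere: the old `log.WithFields(ctx, log.Fields{"authzd": response})` line is dropped, and `isAuthorized` returns a bare `false` on a non-OK status, so a PDP denial is indistinguishable from an unconfigured client and leaves no audit trail. Restore a decision log before the status checks, e.g. `log.WithFields(ctx, log.Fields{"authzd": response})`, and consider logging the status code on the `!= int32(codes.OK)` branch so denials can be traced. `response` itself is dereferenced without a nil check; if `svc.client` is an interface a test double can satisfy, `if response == nil || x.IsZero(response.Status) { return false }` closes that gap cheaply. Because the method now collapses the PDP reply to a bool, anything the PDP put in its response body (injected headers or a denial payload, if this is the Envoy ext_authz `CheckResponse`) is discarded by `Check`, which may be intended but deserves a comment on `isAuthorized`. The enclosing `Check` begins before this hunk and `isAllowed` continues past its end.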
@@ -74,7 +81,7 @@ func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bo
 }
 log.WithFields(ctx, svc.fieldsFor(r))
- return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
+ return svc.isAuthorized(ctx, r) || svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
 }
 func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool {
--
cgit v1.2.3
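Review bot: Placing `svc.isAuthorized` first in the new return means every request, including ones `isPublic` would accept with no network I/O, now waits on a remote PDP round-trip before the local checks run, whereas the old `Check` only called `svc.client.Check` after `isPublic || isLoggedIn` had failed. Unless the PDP is meant to observe all traffic, evaluate the cheap local predicates first: `return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r) || svc.isAuthorized(ctx, r)`. Note also that, as before, a PDP denial is still overridden by `isPublic`/`isLoggedIn`, so the PDP can only grant access, never revoke it; if it is intended to be authoritative this needs a conjunction rather than another allow path, which the commit message does not settle. The signature of `isAllowed` and the start of its body are outside the hunk.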