authormo khan <mo@mokhan.ca>2025-04-02 14:24:07 -0600
committermo khan <mo@mokhan.ca>2025-04-02 14:24:07 -0600
commit5c870c548107085c2582f856e3b2d63b747dcd1e (patch)
tree67fb7b30440274c8c348262c2c38b2730f76b923
parent894e270ab5a15de2b664cc6f4ee6fd8369985f75 (diff)
refactor: attempt to model a public policy in cedar
-rw-r--r--pkg/policies/entities.json6
-rw-r--r--pkg/policies/gtwy.cedar (renamed from pkg/policies/rest.cedar)6
-rw-r--r--pkg/policies/init.go2
-rw-r--r--pkg/policies/policies_test.go32
4 files changed, 38 insertions, 8 deletions
diff --git a/pkg/policies/entities.json b/pkg/policies/entities.json
index 3df6e43..2a7aa96 100644
--- a/pkg/policies/entities.json
+++ b/pkg/policies/entities.json
@@ -302,11 +302,5 @@
"id": "4"
}
]
- },
- {
- "uid": {
- "type": "HttpPath",
- "id": "/projects.json"
- }
}
]
diff --git a/pkg/policies/rest.cedar b/pkg/policies/gtwy.cedar
index c6c4f74..763ab5f 100644
--- a/pkg/policies/rest.cedar
+++ b/pkg/policies/gtwy.cedar
@@ -9,4 +9,8 @@ permit (
HttpMethod::"HEAD"
],
resource
-) when { context.host == "api.example.com" };
+) when {
+ context.host == "api.example.com" ||
+ context.host == "idp.example.com" ||
+ context.host == "ui.example.com"
+};
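Review bot: The widened `when` clause now permits the listed methods on idp.example.com and ui.example.com against the bare `resource` scope above it (the `permit (` head lies outside the hunk), so under this policy every path on those two hosts is reachable with those methods, while the accompanying tests only exercise a handful of specific paths; confirm that an unconstrained resource is what the public policy is meant to express. The three equality checks would read better and be easier to extend as a set membership test: `) when { ["api.example.com", "idp.example.com", "ui.example.com"].contains(context.host) };`. The match is an exact string comparison, so if the caller populates `context.host` from a header that may carry a port or different casing, which this page does not show, those requests will fall through to deny. A comment above `permit` would also help, e.g. `// Public policy: the listed methods are permitted on any resource served by the hosts in the when clause.`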
diff --git a/pkg/policies/init.go b/pkg/policies/init.go
index a10526f..42a2322 100644
--- a/pkg/policies/init.go
+++ b/pkg/policies/init.go
@@ -62,7 +62,7 @@ func init() {
func Allowed(request cedar.Request) bool {
ok, diagnostic := All.IsAuthorized(Entities, request)
- fmt.Printf("%v: %v -> %v %v%v\n", ok, request.Principal, request.Action, request.Context.Map(), request.Resource)
+ fmt.Printf("%v: %v -> %v %v%v\n", ok, request.Principal, request.Action.ID, request.Context.Map(), request.Resource.ID)
if len(diagnostic.Errors) > 0 {
for err := range diagnostic.Errors {
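Review bot: `Allowed` still writes every authorization decision to stdout with `fmt.Printf`, including `request.Context.Map()`, and the change only narrows Action and Resource to their IDs; a library package should route this through a logger at debug level and keep request context values out of the default output, e.g. `slog.Debug("cedar decision", "allowed", ok, "principal", request.Principal, "action", request.Action.ID, "resource", request.Resource.ID)` with the `log/slog` import added. On the last context line, `for err := range diagnostic.Errors` binds the index rather than the element if `Errors` is a slice, which is worth checking since the loop body is outside the hunk. The exported function also lacks a doc comment; `// Allowed reports whether the loaded Cedar policy set authorizes request against the package entities.` would suit it. The body of `Allowed` continues past the hunk.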
diff --git a/pkg/policies/policies_test.go b/pkg/policies/policies_test.go
index e038edb..67179a7 100644
--- a/pkg/policies/policies_test.go
+++ b/pkg/policies/policies_test.go
@@ -30,6 +30,38 @@ func TestAllowed(t *testing.T) {
build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("PATCH")) }),
build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("DELETE")) }),
build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("HEAD")) }),
+ build(func(r *cedar.Request) {
+ r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/organizations.json"))
+ }),
+ build(func(r *cedar.Request) { r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/groups.json")) }),
+ build(func(r *cedar.Request) {
+ r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/openid-configuration"))
+ r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")})
+ }),
+ build(func(r *cedar.Request) {
+ r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/oauth-authorization-server"))
+ r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")})
+ }),
+ // build(func(r *cedar.Request) {
+ // r.Principal = gid.NewEntityUID("gid://User/*")
+ // r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/openid-configuration"))
+ // r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")})
+ // }),
+ // build(func(r *cedar.Request) {
+ // r.Principal = gid.NewEntityUID("gid://User/*")
+ // r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/oauth-authorization-server"))
+ // r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")})
+ // }),
+ build(func(r *cedar.Request) {
+ r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("POST"))
+ r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/twirp/authx.rpc.Ability/Allowed"))
+ r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")})
+ }),
+ build(func(r *cedar.Request) {
+ r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("GET"))
+ r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/index.html"))
+ r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("ui.example.com")})
+ }),
}
for _, tt := range allowed {