refactor: leave shared code in lib folder and move everything else to the service related code

author: mo khan <mo@mokhan.ca> 2025-03-06 13:23:09 -0700
committer: mo khan <mo@mokhan.ca> 2025-03-06 13:23:09 -0700
commit: 7f1b5e2417ccd79c556177a5382b43ce385f54ae (patch)
tree: 357e45e89d4f95aeefc3c952d662a467505f2caa /bin
parent: 1faacf8dda27d4eef0a4440deda82326262e0a89 (diff)
2 files changed, 62 insertions, 4 deletions
diff --git a/bin/api b/bin/api
index 0650020..3d618a2 100755
--- a/bin/api
+++ b/bin/api
@@ -21,7 +21,7 @@ end
 lib_path = Pathname.new(__FILE__).parent.parent.join('lib').realpath.to_s
 $LOAD_PATH.unshift(lib_path) unless $LOAD_PATH.include?(lib_path)
 
-require 'authx'
+require 'authx/rpc'
 
 $scheme = ENV.fetch("SCHEME", "http")
 $port = ENV.fetch("PORT", 8284).to_i
@@ -95,8 +95,6 @@ class API
   private
 
   def authorized?(request, permission, resource = Organization.new(id: 1))
-    # TODO:: Check the JWT for the appropriate claim
-    # Connect to the Authz RPC endpoint Ability.allowed?(subject, permission, resource)
     token = request&.get_header('HTTP_AUTHORIZATION')&.split(' ', 2)&.last
     response = rpc.allowed(
       subject: token,
diff --git a/bin/idp b/bin/idp
index 48a77f7..7229be6 100755
--- a/bin/idp
+++ b/bin/idp
@@ -19,7 +19,7 @@ end
 lib_path = Pathname.new(__FILE__).parent.parent.join('lib').realpath.to_s
 $LOAD_PATH.unshift(lib_path) unless $LOAD_PATH.include?(lib_path)
 
-require 'authx'
+require 'authx/rpc'
 
 $scheme = ENV.fetch("SCHEME", "http")
 $port = ENV.fetch("PORT", 8282).to_i
@@ -79,6 +79,66 @@ Saml::Kit.configure do |x|
   x.logger = Logger.new("/dev/stderr")
 end
 
+class OrganizationPolicy < DeclarativePolicy::Base
+  condition(:owner) { true }
+
+  rule { owner }.enable :create_project
+end
+
+DeclarativePolicy.configure do
+  name_transformation do |name|
+    "#{name}Policy"
+  end
+end
+
+class Organization
+  class << self
+    def find(id)
+      new
+    end
+  end
+end
+
+module Authx
+  module Rpc
+    class AbilityHandler
+      def allowed(request, env)
+        puts [request, env, can?(request)].inspect
+
+        {
+          result: can?(request)
+        }
+      end
+
+      private
+
+      def can?(request)
+        subject = subject_of(request.subject)
+        resource = resource_from(request.resource)
+        policy = DeclarativePolicy.policy_for(subject, resource)
+        policy.can?(request.permission.to_sym)
+      end
+
+      def subject_of(token)
+        _header, claims, _signature = from_jwt(token)
+        claims[:sub]
+      end
+
+      def resource_from(global_id)
+        # TODO:: Parse global id and convert to class
+        GlobalID::Locator.locate(global_id)
+      end
+
+      # TODO:: validate signature
+      def from_jwt(token)
+        token
+          .split('.', 3)
+          .map { |x| JSON.parse(Base64.strict_decode64(x), symbolize_names: true) }
+      end
+    end
+  end
+end
+
 class IdentityProvider
   def call(env)
     path = env['PATH_INFO']
author	mo khan <mo@mokhan.ca>	2025-03-06 13:23:09 -0700
committer	mo khan <mo@mokhan.ca>	2025-03-06 13:23:09 -0700
commit	7f1b5e2417ccd79c556177a5382b43ce385f54ae (patch)
tree	357e45e89d4f95aeefc3c952d662a467505f2caa /bin
parent	1faacf8dda27d4eef0a4440deda82326262e0a89 (diff)