| author | mo khan <mo@mokhan.ca> | 2025-04-02 13:32:22 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-04-02 13:32:22 -0600 |
| commit | 894e270ab5a15de2b664cc6f4ee6fd8369985f75 (patch) | |
| tree | d778e426fcd1666dd35d978215434103e78acee8 /pkg/authz/cedar.go | |
| parent | 2a37de4a34552feac221771278236fb23f8e83c0 (diff) | |
refactor: combine cedar policies and add tests
Diffstat (limited to 'pkg/authz/cedar.go')
| -rw-r--r-- | pkg/authz/cedar.go | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/pkg/authz/cedar.go b/pkg/authz/cedar.go
index 7a92f8e..80bb2a3 100644
--- a/pkg/authz/cedar.go
+++ b/pkg/authz/cedar.go
@@ -1,25 +1,33 @@
 package authz
 
 import (
+	"net"
 	"net/http"
 
 	cedar "github.com/cedar-policy/cedar-go"
+	"gitlab.com/mokhax/spike/pkg/gid"
+	xlog "gitlab.com/mokhax/spike/pkg/log"
 	"gitlab.com/mokhax/spike/pkg/policies"
 )
 
 func WithCedar() Authorizer {
 	return AuthorizerFunc(func(r *http.Request) bool {
+		host, _, err := net.SplitHostPort(r.Host)
+		if err != nil {
+			xlog.WithFields(r, xlog.Fields{"error": err})
+			return false
+		}
 		subject, found := TokenFrom(r).Subject()
 		if !found {
-			subject = "*"
+			subject = "gid://User/*"
 		}
 		return policies.Allowed(cedar.Request{
-			Principal: cedar.NewEntityUID("Subject", cedar.String(subject)),
-			Action: cedar.NewEntityUID("Action", cedar.String(r.Method)),
-			Resource: cedar.NewEntityUID("Path", cedar.String(r.URL.Path)),
+			Principal: gid.NewEntityUID(subject),
+			Action: cedar.NewEntityUID("HttpMethod", cedar.String(r.Method)),
+			Resource: cedar.NewEntityUID("HttpPath", cedar.String(r.URL.Path)),
 			Context: cedar.NewRecord(cedar.RecordMap{
-				"Host": cedar.String(r.Host),
+				"host": cedar.String(host),
 			}),
 		})
 	})
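Review bot: The new `net.SplitHostPort(r.Host)` guard returns an error for any Host header that carries no explicit port (a plain `example.com`, which is what clients send on the default 80/443 port), so every such request is now denied before the policy is even consulted. That should be a deliberate choice: either keep the fail-closed default and document it with `// deny when Host cannot be parsed; this also rejects a Host with no port`, or fall back to the bare hostname with `if err != nil { host = r.Host }` so the policy still sees a usable `host` value. The return value of `xlog.WithFields(r, xlog.Fields{"error": err})` is discarded; if that call builds a log entry rather than emitting one, the parse failure is never actually recorded — worth confirming against the `xlog` package. Since `r.Host` is taken straight from the client request, any policy that branches on the `host` context attribute is only as trustworthy as the server's own restriction on accepted Host values. The closing brace of `WithCedar` is not visible in the hunk as rendered.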
