Diffstat (limited to 'bin/idp')
| -rwxr-xr-x | bin/idp | 62 |
1 files changed, 61 insertions, 1 deletions
@@ -19,7 +19,7 @@ end
 lib_path = Pathname.new(__FILE__).parent.parent.join('lib').realpath.to_s
 $LOAD_PATH.unshift(lib_path) unless $LOAD_PATH.include?(lib_path)
-require 'authx'
+require 'authx/rpc'
 $scheme = ENV.fetch("SCHEME", "http")
 $port = ENV.fetch("PORT", 8282).to_i
@@ -79,6 +79,66 @@ Saml::Kit.configure do |x|
 x.logger = Logger.new("/dev/stderr")
 end
+class OrganizationPolicy < DeclarativePolicy::Base
+ condition(:owner) { true }
+
+ rule { owner }.enable :create_project
+end
+
+DeclarativePolicy.configure do
+ name_transformation do |name|
+ "#{name}Policy"
+ end
+end
+
+class Organization
+ class << self
+ def find(id)
+ new
+ end
+ end
+end
+
+module Authx
+ module Rpc
+ class AbilityHandler
+ def allowed(request, env)
+ puts [request, env, can?(request)].inspect
+
+ {
+ result: can?(request)
+ }
+ end
+
+ private
+
+ def can?(request)
+ subject = subject_of(request.subject)
+ resource = resource_from(request.resource)
+ policy = DeclarativePolicy.policy_for(subject, resource)
+ policy.can?(request.permission.to_sym)
+ end
+
+ def subject_of(token)
+ _header, claims, _signature = from_jwt(token)
+ claims[:sub]
+ end
+
+ def resource_from(global_id)
+ # TODO:: Parse global id and convert to class
+ GlobalID::Locator.locate(global_id)
+ end
+
+ # TODO:: validate signature
+ def from_jwt(token)
+ token
+ .split('.', 3)
+ .map { |x| JSON.parse(Base64.strict_decode64(x), symbolize_names: true) }
+ end
+ end
+ end
+end
+
 class IdentityProvider
 def call(env)
 path = env['PATH_INFO']
|
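Review bot: `subject_of` feeds `claims[:sub]` from `from_jwt` straight into `DeclarativePolicy.policy_for`, but `from_jwt` never checks the signature (the `# TODO:: validate signature` comment says as much), so the identity the authorization decision rests on comes from an unverified, caller-supplied token; until verification exists, `can?` should fail closed rather than evaluate the policy. The decoding also looks wrong for a JWT: the segments are base64url-encoded without padding, which `Base64.strict_decode64` rejects, and the third segment is raw signature bytes rather than JSON, so `JSON.parse` on it will raise. Something like `header, claims, signature = token.split('.', 3)` followed by `[header, claims].map { |x| JSON.parse(Base64.urlsafe_decode64(x), symbolize_names: true) } << signature` decodes only the JSON parts and keeps the signature available for the later check. Separately, `allowed` evaluates `can?(request)` twice, and `puts [request, env, can?(request)].inspect` writes the whole request, including the token, to stdout; compute the result once and log through the `Logger` already configured above, without the token. `OrganizationPolicy`'s `condition(:owner) { true }` together with `Organization.find` ignoring `id` means every subject is granted `:create_project` on every organization, which is presumably placeholder scaffolding and worth marking as such in a comment.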
