Commit 5c870c5
Changed files (4)
pkg/policies/entities.json
@@ -302,11 +302,5 @@
"id": "4"
}
]
- },
- {
- "uid": {
- "type": "HttpPath",
- "id": "/projects.json"
- }
}
]
pkg/policies/rest.cedar → pkg/policies/gtwy.cedar
@@ -9,4 +9,8 @@ permit (
HttpMethod::"HEAD"
],
resource
-) when { context.host == "api.example.com" };
+) when {
+ context.host == "api.example.com" ||
+ context.host == "idp.example.com" ||
+ context.host == "ui.example.com"
+};
pkg/policies/init.go
@@ -62,7 +62,7 @@ func init() {
func Allowed(request cedar.Request) bool {
ok, diagnostic := All.IsAuthorized(Entities, request)
- fmt.Printf("%v: %v -> %v %v%v\n", ok, request.Principal, request.Action, request.Context.Map(), request.Resource)
+ fmt.Printf("%v: %v -> %v %v%v\n", ok, request.Principal, request.Action.ID, request.Context.Map(), request.Resource.ID)
if len(diagnostic.Errors) > 0 {
for err := range diagnostic.Errors {
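Review bot: `Allowed` still prints every authorization decision — principal, action, the full `request.Context.Map()` and the resource — to stdout with `fmt.Printf`, unconditionally and with no log level; the new line only changes which fields are rendered. In a policy package this should go through a logger (`log` or `slog` from the standard library, whichever the file already uses, since its imports are outside the hunk) at debug level, and the context map should be reviewed for request data you do not want in the default log stream. Also note that the next line, `for err := range diagnostic.Errors {`, binds `err` to the index if `Errors` is a slice; if the body (outside the hunk) uses `err` as an error value it wants `for _, err := range diagnostic.Errors {`. The rest of `Allowed` lies outside the hunk.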
pkg/policies/policies_test.go
@@ -30,6 +30,38 @@ func TestAllowed(t *testing.T) {
build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("PATCH")) }),
build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("DELETE")) }),
build(func(r *cedar.Request) { r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("HEAD")) }),
+ build(func(r *cedar.Request) {
+ r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/organizations.json"))
+ }),
+ build(func(r *cedar.Request) { r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/groups.json")) }),
+ build(func(r *cedar.Request) {
+ r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/openid-configuration"))
+ r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")})
+ }),
+ build(func(r *cedar.Request) {
+ r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/oauth-authorization-server"))
+ r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")})
+ }),
+ // build(func(r *cedar.Request) {
+ // r.Principal = gid.NewEntityUID("gid://User/*")
+ // r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/openid-configuration"))
+ // r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")})
+ // }),
+ // build(func(r *cedar.Request) {
+ // r.Principal = gid.NewEntityUID("gid://User/*")
+ // r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/.well-known/oauth-authorization-server"))
+ // r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")})
+ // }),
+ build(func(r *cedar.Request) {
+ r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("POST"))
+ r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/twirp/authx.rpc.Ability/Allowed"))
+ r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("idp.example.com")})
+ }),
+ build(func(r *cedar.Request) {
+ r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("GET"))
+ r.Resource = cedar.NewEntityUID("HttpPath", cedar.String("/index.html"))
+ r.Context = cedar.NewRecord(cedar.RecordMap{"host": cedar.String("ui.example.com")})
+ }),
}
for _, tt := range allowed {