Commit 7f1b5e2
Changed files (5)
bin/api
@@ -21,7 +21,7 @@ end
lib_path = Pathname.new(__FILE__).parent.parent.join('lib').realpath.to_s
$LOAD_PATH.unshift(lib_path) unless $LOAD_PATH.include?(lib_path)
-require 'authx'
+require 'authx/rpc'
$scheme = ENV.fetch("SCHEME", "http")
$port = ENV.fetch("PORT", 8284).to_i
@@ -95,8 +95,6 @@ class API
private
def authorized?(request, permission, resource = Organization.new(id: 1))
- # TODO:: Check the JWT for the appropriate claim
- # Connect to the Authz RPC endpoint Ability.allowed?(subject, permission, resource)
token = request&.get_header('HTTP_AUTHORIZATION')&.split(' ', 2)&.last
response = rpc.allowed(
subject: token,
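Review bot: The removed TODO about checking the JWT claim is not replaced by any local check in `authorized?`: it takes whatever follows the first space in the Authorization header and forwards it to the RPC as `subject:`, so a header with any scheme (`Basic`, `Token`, …) is passed through as if it were a bearer JWT. Split the header into scheme and credential and bail out early: `scheme, token = request&.get_header('HTTP_AUTHORIZATION')&.split(' ', 2)` followed by `return false unless scheme&.casecmp?('Bearer') && token`. The default `resource = Organization.new(id: 1)` hard-codes the organization every caller is checked against; presumably a placeholder, but it deserves a comment saying so before this ships. The `rpc.allowed(` call and the rest of `authorized?` continue outside the hunk.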
bin/idp
@@ -19,7 +19,7 @@ end
lib_path = Pathname.new(__FILE__).parent.parent.join('lib').realpath.to_s
$LOAD_PATH.unshift(lib_path) unless $LOAD_PATH.include?(lib_path)
-require 'authx'
+require 'authx/rpc'
$scheme = ENV.fetch("SCHEME", "http")
$port = ENV.fetch("PORT", 8282).to_i
@@ -79,6 +79,66 @@ Saml::Kit.configure do |x|
x.logger = Logger.new("/dev/stderr")
end
+class OrganizationPolicy < DeclarativePolicy::Base
+ condition(:owner) { true }
+
+ rule { owner }.enable :create_project
+end
+
+DeclarativePolicy.configure do
+ name_transformation do |name|
+ "#{name}Policy"
+ end
+end
+
+class Organization
+ class << self
+ def find(id)
+ new
+ end
+ end
+end
+
+module Authx
+ module Rpc
+ class AbilityHandler
+ def allowed(request, env)
+ puts [request, env, can?(request)].inspect
+
+ {
+ result: can?(request)
+ }
+ end
+
+ private
+
+ def can?(request)
+ subject = subject_of(request.subject)
+ resource = resource_from(request.resource)
+ policy = DeclarativePolicy.policy_for(subject, resource)
+ policy.can?(request.permission.to_sym)
+ end
+
+ def subject_of(token)
+ _header, claims, _signature = from_jwt(token)
+ claims[:sub]
+ end
+
+ def resource_from(global_id)
+ # TODO:: Parse global id and convert to class
+ GlobalID::Locator.locate(global_id)
+ end
+
+ # TODO:: validate signature
+ def from_jwt(token)
+ token
+ .split('.', 3)
+ .map { |x| JSON.parse(Base64.strict_decode64(x), symbolize_names: true) }
+ end
+ end
+ end
+end
+
class IdentityProvider
def call(env)
path = env['PATH_INFO']
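Review bot: `from_jwt` cannot decode a real token: JWT segments are base64url without padding, which `Base64.strict_decode64` rejects, and the third segment is raw signature bytes that `JSON.parse` will choke on — only the header and claims segments should be decoded, with `Base64.urlsafe_decode64`. The signature is still never verified (the `TODO:: validate signature` comment stays), so `claims[:sub]` is whatever the caller wrote into the token and `can?` authorizes on that; `subject_of` should only run after a verifying decode (a JWT library call with the issuer's key). `allowed` also evaluates `can?(request)` twice and `puts`-inspects the full request, bearer token included, to stdout; compute the result once and drop or redact that line. Since lib/authx.rb no longer requires declarative_policy in this commit, confirm bin/idp itself requires `declarative_policy`, `global_id`, `json` and `base64`, as none of those requires appear in this hunk.
```ruby
      def from_jwt(token)
        # Decode only header and claims; the third segment is the raw signature.
        header, claims = token.split('.', 3).first(2).map do |segment|
          JSON.parse(Base64.urlsafe_decode64(segment), symbolize_names: true)
        end
        # TODO:: verify the signature before any caller trusts `claims`
        [header, claims, nil]
      end
```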
lib/authx/rpc/ability_handler.rb
@@ -1,50 +0,0 @@
-# frozen_string_literal: true
-
-class Organization
- class << self
- def find(id)
- new
- end
- end
-end
-
-module Authx
- module Rpc
-
- class AbilityHandler
- def allowed(request, env)
- puts [request, env, can?(request)].inspect
-
- {
- result: can?(request)
- }
- end
-
- private
-
- def can?(request)
- subject = subject_of(request.subject)
- resource = resource_from(request.resource)
- policy = DeclarativePolicy.policy_for(subject, resource)
- policy.can?(request.permission.to_sym)
- end
-
- def subject_of(token)
- _header, claims, _signature = from_jwt(token)
- claims[:sub]
- end
-
- def resource_from(global_id)
- # TODO:: Parse global id and convert to class
- GlobalID::Locator.locate(global_id)
- end
-
- # TODO:: validate signature
- def from_jwt(token)
- token
- .split('.', 3)
- .map { |x| JSON.parse(Base64.strict_decode64(x), symbolize_names: true) }
- end
- end
- end
-end
lib/authx/rpc.rb
@@ -2,4 +2,3 @@
require "authx/rpc/ability_pb"
require "authx/rpc/ability_twirp"
-require "authx/rpc/ability_handler"
lib/authx.rb
@@ -1,19 +1,6 @@
# frozen_string_literal: true
-require "declarative_policy"
-
require "authx/rpc"
module Authx
- class OrganizationPolicy < DeclarativePolicy::Base
- condition(:owner) { true }
-
- rule { owner }.enable :create_project
- end
-
- DeclarativePolicy.configure do
- name_transformation do |name|
- "Authx::#{name}Policy"
- end
- end
end