@@ -26,19 +26,13 @@ defmodule PolicyServiceWeb.Plugs.AuthorizeRoles do
|
||||
do:
|
||||
opts
|
||||
|> Keyword.validate!([
|
||||
:roles_claim
|
||||
:roles_claim,
|
||||
:required_permissions
|
||||
])
|
||||
|
||||
@impl Plug
|
||||
def call(conn, opts) do
|
||||
IO.inspect(conn.private)
|
||||
|
||||
required_permissions =
|
||||
conn.private[Phoenix.Router.Route]
|
||||
|> Map.get(:options, %{})
|
||||
|> Map.get(:required_permissions, [])
|
||||
|
||||
if authorized?(conn, opts.roles_claim, required_permissions) do
|
||||
if authorized?(conn, opts.roles_claim, opts.required_permissions) do
|
||||
conn
|
||||
else
|
||||
conn
|
||||
|
||||
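Review bot: `Keyword.validate!([:roles_claim, :required_permissions])` only rejects unknown keys; neither entry is marked as required, so an `init/1` call that omits `required_permissions` is accepted and the omission surfaces only when `call/2` reads `opts.required_permissions` on the first request. For an authorization plug the option list should fail loudly at init time, e.g. by following the validation with `Keyword.fetch!(opts, :required_permissions)` (a default of `[]` would be acceptable only if `authorized?/3` treats an empty list as deny). `opts.roles_claim` in `call/2` suggests `init/1` converts the validated list to a map further down, but that code, `authorized?/3`, the head of `init/1` and the rest of the `else` branch in `call/2` are outside the hunk, so the denial response cannot be confirmed here.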
@@ -8,7 +8,7 @@ defmodule PolicyServiceWeb.Router do
|
||||
plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
|
||||
end
|
||||
|
||||
pipeline :authorize do
|
||||
pipeline :auth do
|
||||
plug Oidcc.Plug.ExtractAuthorization
|
||||
plug Oidcc.Plug.RequireAuthorization
|
||||
|
||||
@@ -16,36 +16,53 @@ defmodule PolicyServiceWeb.Router do
|
||||
plug PolicyServiceWeb.Plugs.ExtractOrganizationId
|
||||
|
||||
plug :introspect
|
||||
plug :authorize_roles
|
||||
end
|
||||
|
||||
pipeline :read do
|
||||
plug :authorize_roles, required_permission: ["policy:read"]
|
||||
end
|
||||
|
||||
pipeline :submit_solicitation do
|
||||
plug :authorize_roles, required_permission: ["policy:submit_solicitation"]
|
||||
end
|
||||
|
||||
pipeline :create_request do
|
||||
plug :authorize_roles, required_permission: ["policy:create_request"]
|
||||
end
|
||||
|
||||
get "/health", HealthController, :health
|
||||
get "/health/ready", HealthController, :ready
|
||||
|
||||
scope "/swaggerui" do
|
||||
get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
|
||||
end
|
||||
|
||||
scope "/api" do
|
||||
pipe_through [:api]
|
||||
|
||||
get "/openapi", OpenApiSpex.Plug.RenderSpec, []
|
||||
|
||||
scope "/v1" do
|
||||
pipe_through [:authorize]
|
||||
pipe_through [:auth]
|
||||
|
||||
get "/policies", PolicyController, :index, required_permission: ["policy:read"]
|
||||
scope "/" do
|
||||
pipe_through [:read]
|
||||
get "/policies", PolicyController, :index
|
||||
get "/policies/:application_id", PolicyController, :show
|
||||
end
|
||||
|
||||
get "/policies/:application_id", PolicyController, :show,
|
||||
required_permissions: ["policy:read"]
|
||||
scope "/" do
|
||||
pipe_through [:create_request]
|
||||
post "/policies", PolicyController, :create
|
||||
end
|
||||
|
||||
post "/policies", PolicyController, :create, required_permissions: ["policy:create_request"]
|
||||
|
||||
post "/policies/:application_id/accept", PolicyController, :accept,
|
||||
required_permission: ["policy:submit_solicitation"]
|
||||
scope "/" do
|
||||
pipe_through [:submit_solicitation]
|
||||
post "/policies/:application_id/accept", PolicyController, :accept
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
scope "/swaggerui" do
|
||||
get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
|
||||
end
|
||||
|
||||
def introspect(conn, _opts) do
|
||||
zitadel = Application.get_env(:policy_service, :zitadel)
|
||||
|
||||
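Review bot: The three new pipelines pass `required_permission:` (singular) to `plug :authorize_roles`, while the plug validates and reads `:required_permissions` (plural) — the `Keyword.validate!` list in the AuthorizeRoles hunk and `opts.required_permissions` in the router hunk at `@@ -63,9 +80,15 @@`. Phoenix hands a function plug its options as given, so `authorize_roles/2` receives the keyword list `[required_permission: [...]]`, and as far as I can tell `opts.required_permissions` on a keyword list raises rather than returning the permissions, so every request through `:read`, `:submit_solicitation` and `:create_request` would error instead of being authorized; the removed `get "/policies", ..., required_permission:` line shows the same spelling drift predates this commit. The fix is to spell the key `required_permissions:` on the three `plug :authorize_roles` lines (e.g. `plug :authorize_roles, required_permissions: ["policy:read"]`) and, in `authorize_roles/2`, read it with `required_permissions: Keyword.fetch!(opts, :required_permissions)` so a pipeline that omits the option fails loudly at the first request rather than being silently misread. The router module and `introspect/2` continue outside this hunk.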
@@ -63,9 +80,15 @@ defmodule PolicyServiceWeb.Router do
|
||||
)
|
||||
end
|
||||
|
||||
def authorize_roles(conn, _opts) do
|
||||
def authorize_roles(conn, opts) do
|
||||
zitadel = Application.get_env(:policy_service, :zitadel)
|
||||
opts = PolicyServiceWeb.Plugs.AuthorizeRoles.init(roles_claim: zitadel[:roles_claim])
|
||||
|
||||
opts =
|
||||
PolicyServiceWeb.Plugs.AuthorizeRoles.init(
|
||||
roles_claim: zitadel[:roles_claim],
|
||||
required_permissions: opts.required_permissions
|
||||
)
|
||||
|
||||
PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, opts)
|
||||
end
|
||||
end
|
||||
|
||||