From 9e6a9e4a485fbf85e2131695871d0821baf37d69 Mon Sep 17 00:00:00 2001
From: HaimKortovich
Date: Wed, 13 May 2026 17:14:57 -0500
Subject: [PATCH] fix auth
---
 .../plugs/authorize_roles.ex | 12 +---
 lib/policy_service_web/router.ex | 55 +++++++++++++------
 2 files changed, 42 insertions(+), 25 deletions(-)
diff --git a/lib/policy_service_web/plugs/authorize_roles.ex b/lib/policy_service_web/plugs/authorize_roles.ex
index 6bebd5b..95885d9 100644
--- a/lib/policy_service_web/plugs/authorize_roles.ex
+++ b/lib/policy_service_web/plugs/authorize_roles.ex
@@ -26,19 +26,13 @@ defmodule PolicyServiceWeb.Plugs.AuthorizeRoles do
 do: opts |> Keyword.validate!([
- :roles_claim
+ :roles_claim,
+ :required_permissions
 ])
 @impl Plug
 def call(conn, opts) do
- IO.inspect(conn.private)
-
- required_permissions =
- conn.private[Phoenix.Router.Route]
- |> Map.get(:options, %{})
- |> Map.get(:required_permissions, [])
-
- if authorized?(conn, opts.roles_claim, required_permissions) do
+ if authorized?(conn, opts.roles_claim, opts.required_permissions) do
 conn
 else
 conn
diff --git a/lib/policy_service_web/router.ex b/lib/policy_service_web/router.ex
index bc8ae91..0f24828 100644
--- a/lib/policy_service_web/router.ex
+++ b/lib/policy_service_web/router.ex
@@ -8,7 +8,7 @@ defmodule PolicyServiceWeb.Router do
 plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
 end
- pipeline :authorize do
+ pipeline :auth do
 plug Oidcc.Plug.ExtractAuthorization
 plug Oidcc.Plug.RequireAuthorization
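Review bot: In the `init/1` hunk, `:required_permissions` is listed in `Keyword.validate!/2` as an optional key with no default, so a caller that omits or misspells it still gets a valid plug, and the omission only shows up when `call/2` evaluates `opts.required_permissions` on the first request; the option should be asserted at init time, e.g. `Keyword.fetch!(opts, :required_permissions)` (and documented as mandatory in the `@doc` of `init/1`). If `init/1` really ends at the `Keyword.validate!/2` call shown here it returns a keyword list, on which both `opts.roles_claim` and the new `opts.required_permissions` in `call/2` raise instead of reading the key — `Keyword.fetch!/2` would read them and still fail closed when a key is absent. The removed `Map.get(:required_permissions, [])` defaulted a missing option to "nothing required"; if `authorized?/3` treats `[]` as permissive, any future default for this option reintroduces that silent grant, so keep the missing-option case a hard failure. `init/1` and `call/2` both start or continue outside this hunk.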
@@ -16,36 +16,53 @@ defmodule PolicyServiceWeb.Router do
 plug PolicyServiceWeb.Plugs.ExtractOrganizationId
 plug :introspect
- plug :authorize_roles
+ end
+
+ pipeline :read do
+ plug :authorize_roles, required_permission: ["policy:read"]
+ end
+
+ pipeline :submit_solicitation do
+ plug :authorize_roles, required_permission: ["policy:submit_solicitation"]
+ end
+
+ pipeline :create_request do
+ plug :authorize_roles, required_permission: ["policy:create_request"]
 end
 get "/health", HealthController, :health
 get "/health/ready", HealthController, :ready
+ scope "/swaggerui" do
+ get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
+ end
+
+
 scope "/api" do
 pipe_through [:api]
 get "/openapi", OpenApiSpex.Plug.RenderSpec, []
 scope "/v1" do
- pipe_through [:authorize]
+ pipe_through [:auth]
- get "/policies", PolicyController, :index, required_permission: ["policy:read"]
+ scope "/" do
+ pipe_through [:read]
+ get "/policies", PolicyController, :index
+ get "/policies/:application_id", PolicyController, :show
+ end
- get "/policies/:application_id", PolicyController, :show,
- required_permissions: ["policy:read"]
+ scope "/" do
+ pipe_through [:create_request]
+ post "/policies", PolicyController, :create
+ end
- post "/policies", PolicyController, :create, required_permissions: ["policy:create_request"]
-
- post "/policies/:application_id/accept", PolicyController, :accept,
- required_permission: ["policy:submit_solicitation"]
+ scope "/" do
+ pipe_through [:submit_solicitation]
+ post "/policies/:application_id/accept", PolicyController, :accept
+ end
 end
 end
- scope "/swaggerui" do
- get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
- end
-
 def introspect(conn, _opts) do
 zitadel = Application.get_env(:policy_service, :zitadel)
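Review bot: The three new pipelines pass the option as `required_permission:` (singular) while `authorize_roles/2` in the last hunk of this file reads `opts.required_permissions` (plural), so the key the router sets is never the key the plug reads — the same singular/plural drift the removed route options had (`:index` and `:accept` used `required_permission`, `:show` and `:create` used `required_permissions`). A function plug receives the option keyword list as written, so `opts.required_permissions` on a list raises on every request through these pipelines rather than reading the key; the lines should become `plug :authorize_roles, required_permissions: ["policy:read"]` (likewise for the other two pipelines) and, in `authorize_roles/2`, `required_permissions: Keyword.fetch!(opts, :required_permissions)`. Using `Keyword.fetch!/2` rather than `Keyword.get/3` keeps a misnamed or missing option a startup/request failure instead of an empty permission list, which is the silent-grant failure mode this commit is removing. Worth a short comment on the `:read` pipeline noting that every pipeline here must set `required_permissions` and that the plug raises otherwise.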
@@ -63,9 +80,15 @@ defmodule PolicyServiceWeb.Router do
 )
 end
- def authorize_roles(conn, _opts) do
+ def authorize_roles(conn, opts) do
 zitadel = Application.get_env(:policy_service, :zitadel)
- opts = PolicyServiceWeb.Plugs.AuthorizeRoles.init(roles_claim: zitadel[:roles_claim])
+
+ opts =
+ PolicyServiceWeb.Plugs.AuthorizeRoles.init(
+ roles_claim: zitadel[:roles_claim],
+ required_permissions: opts.required_permissions
+ )
+
 PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, opts)
 end
 end
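Review bot: The new `roles_claim: zitadel[:roles_claim]` line tolerates missing configuration: `Application.get_env/2` returns `nil` when `:zitadel` is unset and `zitadel[:roles_claim]` returns `nil` when the key is absent, so a misconfigured deployment hands `roles_claim: nil` to the authorization plug rather than failing. Since this function now builds the authorization decision for every protected route, it should read config assertively, e.g. `zitadel = Application.fetch_env!(:policy_service, :zitadel)` and `roles_claim: Keyword.fetch!(zitadel, :roles_claim)`, so a missing claim name raises instead of being compared against `nil` (what `authorized?/3` does with a `nil` claim is not visible here). A one-line `@doc` stating that this function plug requires `required_permissions` in `opts` and raises otherwise would also help the next reader of the router.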