software-engineering/policy-service
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix auth
All checks were successful
Build and Publish / build-release (push) Successful in 1m10s
Details

Browse Source
This commit is contained in:
HaimKortovich
2026-05-13 17:14:57 -05:00
parent db732c0af0
commit 9e6a9e4a48
2 changed files with 42 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/policy_service_web/plugs/authorize_roles.ex
View File

@@ -26,19 +26,13 @@ defmodule PolicyServiceWeb.Plugs.AuthorizeRoles do
do: do:
opts opts
|> Keyword.validate!([ |> Keyword.validate!([
:roles_claim :roles_claim,
:required_permissions
]) ])
@impl Plug @impl Plug
def call(conn, opts) do def call(conn, opts) do
IO.inspect(conn.private) if authorized?(conn, opts.roles_claim, opts.required_permissions) do
required_permissions =
conn.private[Phoenix.Router.Route]
|> Map.get(:options, %{})
|> Map.get(:required_permissions, [])
if authorized?(conn, opts.roles_claim, required_permissions) do
conn conn
else else
conn conn

57
lib/policy_service_web/router.ex
View File

@@ -8,7 +8,7 @@ defmodule PolicyServiceWeb.Router do
plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
end end
pipeline :authorize do pipeline :auth do
plug Oidcc.Plug.ExtractAuthorization plug Oidcc.Plug.ExtractAuthorization
plug Oidcc.Plug.RequireAuthorization plug Oidcc.Plug.RequireAuthorization
@@ -16,34 +16,51 @@ defmodule PolicyServiceWeb.Router do
plug PolicyServiceWeb.Plugs.ExtractOrganizationId plug PolicyServiceWeb.Plugs.ExtractOrganizationId
plug :introspect plug :introspect
plug :authorize_roles end
pipeline :read do
plug :authorize_roles, required_permission: ["policy:read"]
end
pipeline :submit_solicitation do
plug :authorize_roles, required_permission: ["policy:submit_solicitation"]
end
pipeline :create_request do
plug :authorize_roles, required_permission: ["policy:create_request"]
end end
get "/health", HealthController, :health get "/health", HealthController, :health
get "/health/ready", HealthController, :ready get "/health/ready", HealthController, :ready
scope "/swaggerui" do
get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
end
scope "/api" do scope "/api" do
pipe_through [:api] pipe_through [:api]
get "/openapi", OpenApiSpex.Plug.RenderSpec, [] get "/openapi", OpenApiSpex.Plug.RenderSpec, []
scope "/v1" do scope "/v1" do
pipe_through [:authorize] pipe_through [:auth]
get "/policies", PolicyController, :index, required_permission: ["policy:read"] scope "/" do
pipe_through [:read]
get "/policies/:application_id", PolicyController, :show, get "/policies", PolicyController, :index
required_permissions: ["policy:read"] get "/policies/:application_id", PolicyController, :show
post "/policies", PolicyController, :create, required_permissions: ["policy:create_request"]
post "/policies/:application_id/accept", PolicyController, :accept,
required_permission: ["policy:submit_solicitation"]
end
end end
scope "/swaggerui" do scope "/" do
get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi" pipe_through [:create_request]
post "/policies", PolicyController, :create
end
scope "/" do
pipe_through [:submit_solicitation]
post "/policies/:application_id/accept", PolicyController, :accept
end
end
end end
def introspect(conn, _opts) do def introspect(conn, _opts) do
@@ -63,9 +80,15 @@ defmodule PolicyServiceWeb.Router do
) )
end end
def authorize_roles(conn, _opts) do def authorize_roles(conn, opts) do
zitadel = Application.get_env(:policy_service, :zitadel) zitadel = Application.get_env(:policy_service, :zitadel)
opts = PolicyServiceWeb.Plugs.AuthorizeRoles.init(roles_claim: zitadel[:roles_claim])
opts =
PolicyServiceWeb.Plugs.AuthorizeRoles.init(
roles_claim: zitadel[:roles_claim],
required_permissions: opts.required_permissions
)
PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, opts) PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, opts)
end end
end end