Compare commits
2 Commits
0957c18d21
...
9e6a9e4a48
| Author | SHA1 | Date | |
|---|---|---|---|
| 9e6a9e4a48 | |||
| db732c0af0 |
@@ -25,7 +25,8 @@ defmodule PolicyServiceWeb.Endpoint do
|
|||||||
from: :policy_service,
|
from: :policy_service,
|
||||||
gzip: not code_reloading?,
|
gzip: not code_reloading?,
|
||||||
only: PolicyServiceWeb.static_paths(),
|
only: PolicyServiceWeb.static_paths(),
|
||||||
raise_on_missing_only: code_reloading?
|
raise_on_missing_only: code_reloading?,
|
||||||
|
headers: %{"Access-Control-Allow-Origin" => "*"}
|
||||||
|
|
||||||
# Code reloading can be explicitly enabled under the
|
# Code reloading can be explicitly enabled under the
|
||||||
# :code_reloader configuration of your endpoint.
|
# :code_reloader configuration of your endpoint.
|
||||||
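Review bot: `headers: %{"Access-Control-Allow-Origin" => "*"}` on Plug.Static exposes every path in `PolicyServiceWeb.static_paths()` to any origin, which is acceptable only if those paths hold public, non-sensitive assets; a wildcard origin can never be combined with credentials, so this is not a substitute for an API-level CORS policy. The `plug Plug.Static` call this option belongs to starts above the hunk, and the next hunk removes `plug CORSPlug`, so after this commit the `/api` routes appear to emit no CORS headers at all — a browser front end on another origin would fail preflight. A why-comment such as `# Wildcard CORS applies to public static assets only; the API sends no CORS headers` would record the intent, or reinstate a scoped CORS plug with an explicit origin allow-list if cross-origin API access is expected.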
@@ -42,7 +43,6 @@ defmodule PolicyServiceWeb.Endpoint do
|
|||||||
pass: ["*/*"],
|
pass: ["*/*"],
|
||||||
json_decoder: Phoenix.json_library()
|
json_decoder: Phoenix.json_library()
|
||||||
|
|
||||||
plug CORSPlug
|
|
||||||
plug Plug.MethodOverride
|
plug Plug.MethodOverride
|
||||||
plug Plug.Head
|
plug Plug.Head
|
||||||
plug Plug.Session, @session_options
|
plug Plug.Session, @session_options
|
||||||
|
|||||||
@@ -26,19 +26,13 @@ defmodule PolicyServiceWeb.Plugs.AuthorizeRoles do
|
|||||||
do:
|
do:
|
||||||
opts
|
opts
|
||||||
|> Keyword.validate!([
|
|> Keyword.validate!([
|
||||||
:roles_claim
|
:roles_claim,
|
||||||
|
:required_permissions
|
||||||
])
|
])
|
||||||
|
|
||||||
@impl Plug
|
@impl Plug
|
||||||
def call(conn, opts) do
|
def call(conn, opts) do
|
||||||
IO.inspect(conn.private)
|
if authorized?(conn, opts.roles_claim, opts.required_permissions) do
|
||||||
|
|
||||||
required_permissions =
|
|
||||||
conn.private[Phoenix.Router.Route]
|
|
||||||
|> Map.get(:options, %{})
|
|
||||||
|> Map.get(:required_permissions, [])
|
|
||||||
|
|
||||||
if authorized?(conn, opts.roles_claim, required_permissions) do
|
|
||||||
conn
|
conn
|
||||||
else
|
else
|
||||||
conn
|
conn
|
||||||
|
|||||||
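Review bot: `Keyword.validate!([:roles_claim, :required_permissions])` only rejects unknown keys; it does not require `:required_permissions` to be present, so a caller that omits it is caught only when `opts.required_permissions` is evaluated in `call/2` at request time (assuming `init/1`, whose head is above the hunk, converts the list to a map as the dot access implies). Since this plug is the authorization gate, make the requirement explicit at init time, e.g. `required = Keyword.fetch!(opts, :required_permissions)` followed by a clause that raises on `[]`, so a misconfigured route can never reach `authorized?/3` with an empty permission list whose outcome is not visible here. Dropping the old `Map.get(:required_permissions, [])` fallback is a good change for the same reason; a `@moduledoc` sentence stating that every use must name its required permissions would document the contract. The `else` branch of `call/2` continues below the hunk.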
@@ -8,7 +8,7 @@ defmodule PolicyServiceWeb.Router do
|
|||||||
plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
|
plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
|
||||||
end
|
end
|
||||||
|
|
||||||
pipeline :authorize do
|
pipeline :auth do
|
||||||
plug Oidcc.Plug.ExtractAuthorization
|
plug Oidcc.Plug.ExtractAuthorization
|
||||||
plug Oidcc.Plug.RequireAuthorization
|
plug Oidcc.Plug.RequireAuthorization
|
||||||
|
|
||||||
@@ -16,34 +16,51 @@ defmodule PolicyServiceWeb.Router do
|
|||||||
plug PolicyServiceWeb.Plugs.ExtractOrganizationId
|
plug PolicyServiceWeb.Plugs.ExtractOrganizationId
|
||||||
|
|
||||||
plug :introspect
|
plug :introspect
|
||||||
plug :authorize_roles
|
end
|
||||||
|
|
||||||
|
pipeline :read do
|
||||||
|
plug :authorize_roles, required_permission: ["policy:read"]
|
||||||
|
end
|
||||||
|
|
||||||
|
pipeline :submit_solicitation do
|
||||||
|
plug :authorize_roles, required_permission: ["policy:submit_solicitation"]
|
||||||
|
end
|
||||||
|
|
||||||
|
pipeline :create_request do
|
||||||
|
plug :authorize_roles, required_permission: ["policy:create_request"]
|
||||||
end
|
end
|
||||||
|
|
||||||
get "/health", HealthController, :health
|
get "/health", HealthController, :health
|
||||||
get "/health/ready", HealthController, :ready
|
get "/health/ready", HealthController, :ready
|
||||||
|
|
||||||
|
scope "/swaggerui" do
|
||||||
|
get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
|
||||||
|
end
|
||||||
|
|
||||||
scope "/api" do
|
scope "/api" do
|
||||||
pipe_through [:api]
|
pipe_through [:api]
|
||||||
|
|
||||||
get "/openapi", OpenApiSpex.Plug.RenderSpec, []
|
get "/openapi", OpenApiSpex.Plug.RenderSpec, []
|
||||||
|
|
||||||
scope "/v1" do
|
scope "/v1" do
|
||||||
pipe_through [:authorize]
|
pipe_through [:auth]
|
||||||
|
|
||||||
get "/policies", PolicyController, :index, required_permission: ["policy:read"]
|
scope "/" do
|
||||||
|
pipe_through [:read]
|
||||||
get "/policies/:application_id", PolicyController, :show,
|
get "/policies", PolicyController, :index
|
||||||
required_permissions: ["policy:read"]
|
get "/policies/:application_id", PolicyController, :show
|
||||||
|
|
||||||
post "/policies", PolicyController, :create, required_permissions: ["policy:create_request"]
|
|
||||||
|
|
||||||
post "/policies/:application_id/accept", PolicyController, :accept,
|
|
||||||
required_permission: ["policy:submit_solicitation"]
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
scope "/swaggerui" do
|
scope "/" do
|
||||||
get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
|
pipe_through [:create_request]
|
||||||
|
post "/policies", PolicyController, :create
|
||||||
|
end
|
||||||
|
|
||||||
|
scope "/" do
|
||||||
|
pipe_through [:submit_solicitation]
|
||||||
|
post "/policies/:application_id/accept", PolicyController, :accept
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def introspect(conn, _opts) do
|
def introspect(conn, _opts) do
|
||||||
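Review bot: the three new pipelines pass `required_permission:` (singular) while `authorize_roles/2` in the last hunk reads `opts.required_permissions` (plural), and the options written after `plug :authorize_roles,` are forwarded to the function plug as that keyword list, so every request through `:read`, `:create_request` and `:submit_solicitation` should raise instead of yielding a 403 — fail-closed by crash, but every protected route is broken. Rename the key in the three `plug :authorize_roles, required_permission: [...]` lines to `required_permissions:` to match the plug's option name. Separately, `plug :authorize_roles` no longer sits in `:auth`, so any future route under `/v1` that forgets a permission pipeline is authenticated but not authorized; a comment on `:auth` such as `# Authentication only — every scope below must also pipe through a permission pipeline` would make that contract explicit. The removed line `required_permission: ["policy:submit_solicitation"]` on the accept route suggests the same singular/plural slip already existed before this commit, so the fix is worth covering with a test that exercises each pipeline.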
@@ -63,9 +80,15 @@ defmodule PolicyServiceWeb.Router do
|
|||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def authorize_roles(conn, _opts) do
|
def authorize_roles(conn, opts) do
|
||||||
zitadel = Application.get_env(:policy_service, :zitadel)
|
zitadel = Application.get_env(:policy_service, :zitadel)
|
||||||
opts = PolicyServiceWeb.Plugs.AuthorizeRoles.init(roles_claim: zitadel[:roles_claim])
|
|
||||||
|
opts =
|
||||||
|
PolicyServiceWeb.Plugs.AuthorizeRoles.init(
|
||||||
|
roles_claim: zitadel[:roles_claim],
|
||||||
|
required_permissions: opts.required_permissions
|
||||||
|
)
|
||||||
|
|
||||||
PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, opts)
|
PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, opts)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|||||||
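Review bot: `opts.required_permissions` uses dot access on the options that a `plug :authorize_roles, ...` line in a pipeline hands in, which is a keyword list rather than a map, so this raises regardless of the key name; `Keyword.fetch!(opts, :required_permissions)` reads it correctly and still fails loudly when the key is absent. `Application.get_env(:policy_service, :zitadel)` returns `nil` when the config is missing and `nil[:roles_claim]` silently yields `nil`, so a missing config would make the roles claim `nil` instead of erroring; `Application.fetch_env!/2` surfaces that misconfiguration immediately. Suggested lines: `zitadel = Application.fetch_env!(:policy_service, :zitadel)` and `required_permissions: Keyword.fetch!(opts, :required_permissions)`.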