fix auth

lib/policy_service_web/endpoint.ex

@@ -25,7 +25,8 @@ defmodule PolicyServiceWeb.Endpoint do
     from: :policy_service,
     gzip: not code_reloading?,
     only: PolicyServiceWeb.static_paths(),
-    raise_on_missing_only: code_reloading?
+    raise_on_missing_only: code_reloading?,
+    headers: %{"Access-Control-Allow-Origin" => "*"}
 
   # Code reloading can be explicitly enabled under the
   # :code_reloader configuration of your endpoint.
@@ -42,7 +43,6 @@ defmodule PolicyServiceWeb.Endpoint do
     pass: ["*/*"],
     json_decoder: Phoenix.json_library()
 
-  plug CORSPlug
   plug Plug.MethodOverride
   plug Plug.Head
   plug Plug.Session, @session_options

lib/policy_service_web/plugs/authorize_roles.ex

@@ -26,19 +26,13 @@ defmodule PolicyServiceWeb.Plugs.AuthorizeRoles do
     do:
       opts
       |> Keyword.validate!([
-        :roles_claim
+        :roles_claim,
+        :required_permissions
       ])
 
   @impl Plug
   def call(conn, opts) do
-    IO.inspect(conn.private)
-
-    required_permissions =
-      conn.private[Phoenix.Router.Route]
-      |> Map.get(:options, %{})
-      |> Map.get(:required_permissions, [])
-
-    if authorized?(conn, opts.roles_claim, required_permissions) do
+    if authorized?(conn, opts.roles_claim, opts.required_permissions) do
       conn
     else
       conn

lib/policy_service_web/router.ex

@@ -8,7 +8,7 @@ defmodule PolicyServiceWeb.Router do
     plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
   end
 
-  pipeline :authorize do
+  pipeline :auth do
     plug Oidcc.Plug.ExtractAuthorization
     plug Oidcc.Plug.RequireAuthorization
 
@@ -16,34 +16,51 @@ defmodule PolicyServiceWeb.Router do
     plug PolicyServiceWeb.Plugs.ExtractOrganizationId
 
     plug :introspect
-    plug :authorize_roles
+  end
+
+  pipeline :read do
+    plug :authorize_roles, required_permission: ["policy:read"]
+  end
+
+  pipeline :submit_solicitation do
+    plug :authorize_roles, required_permission: ["policy:submit_solicitation"]
+  end
+
+  pipeline :create_request do
+    plug :authorize_roles, required_permission: ["policy:create_request"]
   end
 
   get "/health", HealthController, :health
   get "/health/ready", HealthController, :ready
 
+  scope "/swaggerui" do
+    get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
+  end
+
   scope "/api" do
     pipe_through [:api]
 
     get "/openapi", OpenApiSpex.Plug.RenderSpec, []
 
     scope "/v1" do
-      pipe_through [:authorize]
+      pipe_through [:auth]
 
-      get "/policies", PolicyController, :index, required_permission: ["policy:read"]
-
-      get "/policies/:application_id", PolicyController, :show,
-        required_permissions: ["policy:read"]
-
-      post "/policies", PolicyController, :create, required_permissions: ["policy:create_request"]
-
-      post "/policies/:application_id/accept", PolicyController, :accept,
-        required_permission: ["policy:submit_solicitation"]
-    end
+      scope "/" do
+        pipe_through [:read]
+        get "/policies", PolicyController, :index
+        get "/policies/:application_id", PolicyController, :show
       end
 
-  scope "/swaggerui" do
-    get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
+      scope "/" do
+        pipe_through [:create_request]
+        post "/policies", PolicyController, :create
+      end
+
+      scope "/" do
+        pipe_through [:submit_solicitation]
+        post "/policies/:application_id/accept", PolicyController, :accept
+      end
+    end
   end
 
   def introspect(conn, _opts) do
@@ -63,9 +80,15 @@ defmodule PolicyServiceWeb.Router do
     )
   end
 
-  def authorize_roles(conn, _opts) do
+  def authorize_roles(conn, opts) do
     zitadel = Application.get_env(:policy_service, :zitadel)
-    opts = PolicyServiceWeb.Plugs.AuthorizeRoles.init(roles_claim: zitadel[:roles_claim])
+
+    opts =
+      PolicyServiceWeb.Plugs.AuthorizeRoles.init(
+        roles_claim: zitadel[:roles_claim],
+        required_permissions: opts.required_permissions
+      )
+
     PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, opts)
   end
 end