move cors up

config/runtime.exs

@@ -35,26 +35,6 @@ if amqp_url do
   config :policy_service, :amqp_url, amqp_url
 end
 
-cors_origin = System.get_env("CORS_ORIGIN", "*")
-
-config :cors_plug,
-  origin: cors_origin,
-  headers: [
-    "Authorization",
-    "x-organization-id",
-    "Content-Type",
-    "Accept",
-    "Origin",
-    "User-Agent",
-    "DNT",
-    "Cache-Control",
-    "X-Mx-ReqToken",
-    "Keep-Alive",
-    "X-Requested-With",
-    "If-Modified-Since",
-    "X-CSRF-Token"
-  ]
-
 # Zitadel Configuration
 
 # ## Using releases

lib/policy_service_web/controllers/policy_controller.ex

@@ -31,7 +31,7 @@ defmodule PolicyServiceWeb.PolicyController do
   )
 
   def index(conn, params) do
-    org_id = conn.assigns[:org_id]
+    org_id = conn.private[PolicyServiceWeb.Plugs.ExtractOrganizationId]
 
     case PolicyQueries.list_by_org(org_id, params) do
       {:ok, {policies, meta}} ->
@@ -63,7 +63,7 @@ defmodule PolicyServiceWeb.PolicyController do
   )
 
   def show(conn, %{"application_id" => application_id}) do
-    org_id = conn.assigns[:org_id]
+    org_id = conn.private[PolicyServiceWeb.Plugs.ExtractOrganizationId]
 
     case PolicyQueries.get_by_application_id(org_id, application_id) do
       {:ok, policy} ->
@@ -89,7 +89,7 @@ defmodule PolicyServiceWeb.PolicyController do
 
   def create(conn, params) do
     application_id = Ecto.UUID.generate()
-    org_id = conn.assigns[:org_id]
+    org_id = conn.private[PolicyServiceWeb.Plugs.ExtractOrganizationId]
     submitted_by = conn.assigns[:user_id]
 
     with {:ok, policy_type} <- parse_policy_type(params["policy_type"]),
@@ -173,7 +173,7 @@ defmodule PolicyServiceWeb.PolicyController do
   )
 
   def accept(conn, %{"application_id" => application_id} = params) do
-    org_id = conn.assigns[:org_id]
+    org_id = conn.private[PolicyServiceWeb.Plugs.ExtractOrganizationId]
 
     with {:ok, policy} <- PolicyQueries.get_by_application_id(org_id, application_id) do
       command =

lib/policy_service_web/endpoint.ex

@@ -42,9 +42,13 @@ defmodule PolicyServiceWeb.Endpoint do
     pass: ["*/*"],
     json_decoder: Phoenix.json_library()
 
-  plug CORSPlug
   plug Plug.MethodOverride
   plug Plug.Head
   plug Plug.Session, @session_options
+
+  plug CORSPlug,
+    origin: ["*"],
+    headers: ["*"]
+
   plug PolicyServiceWeb.Router
 end

lib/policy_service_web/plugs/authorize_roles.ex

@@ -31,14 +31,11 @@ defmodule PolicyServiceWeb.Plugs.AuthorizeRoles do
 
   @impl Plug
   def call(conn, opts) do
-    IO.inspect(conn.private)
+    if authorized?(
-
+         conn,
-    required_permissions =
+         Keyword.get(opts, :roles_claim),
-      conn.private[Phoenix.Router.Route]
+         Keyword.get(opts, :required_permissions)
-      |> Map.get(:options, %{})
+       ) do
-      |> Map.get(:required_permissions, [])
-
-    if authorized?(conn, opts.roles_claim, required_permissions) do
       conn
     else
       conn
@@ -67,8 +64,8 @@ defmodule PolicyServiceWeb.Plugs.AuthorizeRoles do
 
   defp get_roles_map(conn, roles_claim) do
     case conn.private[Oidcc.Plug.IntrospectToken] do
-      %{extra: %{^roles_claim => %{} = roles_map}} ->
+      %Oidcc.TokenIntrospection{extra: extra} ->
-        Map.get(roles_map, roles_claim, %{})
+        Map.get(extra, roles_claim, %{})
 
       _ ->
         %{}

lib/policy_service_web/router.ex

@@ -8,7 +8,7 @@ defmodule PolicyServiceWeb.Router do
     plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
   end
 
-  pipeline :authorize do
+  pipeline :auth do
     plug Oidcc.Plug.ExtractAuthorization
     plug Oidcc.Plug.RequireAuthorization
 
@@ -16,36 +16,53 @@ defmodule PolicyServiceWeb.Router do
     plug PolicyServiceWeb.Plugs.ExtractOrganizationId
 
     plug :introspect
-    plug :authorize_roles
+  end
+
+  pipeline :read do
+    plug :authorize_roles, required_permissions: ["policy:read"]
+  end
+
+  pipeline :submit_solicitation do
+    plug :authorize_roles, required_permissions: ["policy:submit_solicitation"]
+  end
+
+  pipeline :create_request do
+    plug :authorize_roles, required_permissions: ["policy:create_request"]
   end
 
   get "/health", HealthController, :health
   get "/health/ready", HealthController, :ready
 
+  scope "/swaggerui" do
+    get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
+  end
+
   scope "/api" do
     pipe_through [:api]
 
     get "/openapi", OpenApiSpex.Plug.RenderSpec, []
 
     scope "/v1" do
-      pipe_through [:authorize]
+      pipe_through [:auth]
 
-      get "/policies", PolicyController, :index, required_permission: ["policy:read"]
+      scope "/" do
+        pipe_through [:read]
+        get "/policies", PolicyController, :index
+        get "/policies/:application_id", PolicyController, :show
+      end
 
-      get "/policies/:application_id", PolicyController, :show,
+      scope "/" do
-        required_permissions: ["policy:read"]
+        pipe_through [:create_request]
+        post "/policies", PolicyController, :create
+      end
 
-      post "/policies", PolicyController, :create, required_permissions: ["policy:create_request"]
+      scope "/" do
-
+        pipe_through [:submit_solicitation]
-      post "/policies/:application_id/accept", PolicyController, :accept,
+        post "/policies/:application_id/accept", PolicyController, :accept
-        required_permission: ["policy:submit_solicitation"]
+      end
     end
   end
 
-  scope "/swaggerui" do
-    get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
-  end
-
   def introspect(conn, _opts) do
     zitadel = Application.get_env(:policy_service, :zitadel)
 
@@ -63,9 +80,12 @@ defmodule PolicyServiceWeb.Router do
     )
   end
 
-  def authorize_roles(conn, _opts) do
+  def authorize_roles(conn, opts) do
     zitadel = Application.get_env(:policy_service, :zitadel)
-    opts = PolicyServiceWeb.Plugs.AuthorizeRoles.init(roles_claim: zitadel[:roles_claim])
+
-    PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, opts)
+    o =
+      PolicyServiceWeb.Plugs.AuthorizeRoles.init(roles_claim: zitadel[:roles_claim])
+
+    PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, Keyword.merge(opts, o))
   end
 end