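defmodule PolicyServiceWeb.Router do
  @moduledoc """
  HTTP routing for the policy service.

  Unauthenticated routes: `/health`, `/health/ready`, the OpenAPI spec at
  `/api/openapi` and the Swagger UI at `/swaggerui`. Everything under `/api/v1`
  goes through the `:auth` pipeline (bearer token extraction, organization id
  handling, Zitadel token introspection) and then through one permission
  pipeline chosen per route scope.
  """

  use PolicyServiceWeb, :router

  alias PolicyServiceWeb.HealthController
  alias PolicyServiceWeb.PolicyController

  pipeline :api do
    plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
  end

  # Plug order is significant: the bearer token is extracted and required to be
  # present before `:introspect` validates it against Zitadel.
  # NOTE(review): RequireOrganizationId runs before ExtractOrganizationId; confirm
  # the "require" plug only checks presence and does not read what "extract" assigns.
  pipeline :auth do
    plug Oidcc.Plug.ExtractAuthorization
    plug Oidcc.Plug.RequireAuthorization
    plug PolicyServiceWeb.Plugs.RequireOrganizationId
    plug PolicyServiceWeb.Plugs.ExtractOrganizationId
    plug :introspect
  end

  # One pipeline per permission so each route scope declares exactly what it
  # needs. The option key here must match the key `authorize_roles/2` reads.
  pipeline :read do
    plug :authorize_roles, required_permission: ["policy:read"]
  end

  pipeline :submit_solicitation do
    plug :authorize_roles, required_permission: ["policy:submit_solicitation"]
  end

  pipeline :create_request do
    plug :authorize_roles, required_permission: ["policy:create_request"]
  end

  # Liveness/readiness probes are deliberately outside every pipeline.
  get "/health", HealthController, :health
  get "/health/ready", HealthController, :ready

  # API documentation is served without authentication.
  scope "/swaggerui" do
    get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
  end

  scope "/api" do
    pipe_through [:api]

    get "/openapi", OpenApiSpex.Plug.RenderSpec, []

    scope "/v1" do
      pipe_through [:auth]

      scope "/" do
        pipe_through [:read]

        get "/policies", PolicyController, :index
        get "/policies/:application_id", PolicyController, :show
      end

      scope "/" do
        pipe_through [:create_request]

        post "/policies", PolicyController, :create
      end

      scope "/" do
        pipe_through [:submit_solicitation]

        post "/policies/:application_id/accept", PolicyController, :accept
      end
    end
  end

  @doc """
  Function plug that validates the extracted bearer token by introspecting it
  against Zitadel.

  The `:zitadel` application config (`client_id`, `client_secret`) is read at
  request time so credentials are not frozen into the module at compile time.
  `_opts` is the (unused) option list from the pipeline declaration.
  """
  @spec introspect(Plug.Conn.t(), keyword()) :: Plug.Conn.t()
  def introspect(conn, _opts) do
    # fetch_env! fails loudly on a missing config block instead of passing nil
    # credentials into the introspection client.
    zitadel = Application.fetch_env!(:policy_service, :zitadel)

    # NOTE(review): `client_self_only: false` accepts tokens that were not issued
    # to this service's own client id; confirm that is intended and that the
    # role check in `authorize_roles/2` is the effective audience restriction.
    introspect_opts =
      Oidcc.Plug.IntrospectToken.init(
        provider: PolicyService.ZitadelProvider,
        client_id: zitadel[:client_id],
        client_secret: zitadel[:client_secret],
        token_introspection_opts: %{client_self_only: false}
      )

    Oidcc.Plug.IntrospectToken.call(conn, introspect_opts)
  end

  @doc """
  Function plug enforcing that the introspected token carries one of the
  required permissions.

  `opts` is the keyword list given to `plug :authorize_roles` in a pipeline and
  must contain `:required_permission` (a list of permission strings). The roles
  claim name comes from the `:zitadel` application config.
  """
  @spec authorize_roles(Plug.Conn.t(), keyword()) :: Plug.Conn.t()
  def authorize_roles(conn, opts) do
    zitadel = Application.fetch_env!(:policy_service, :zitadel)

    # `opts` is a keyword list, so dot access (`opts.required_permissions`) would
    # raise on every request; Keyword.fetch! reads the key the pipelines declare
    # and surfaces a misnamed option immediately rather than passing nil through.
    required = Keyword.fetch!(opts, :required_permission)

    plug_opts =
      PolicyServiceWeb.Plugs.AuthorizeRoles.init(
        roles_claim: zitadel[:roles_claim],
        required_permissions: required
      )

    PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, plug_opts)
  end
end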