policy-service/lib/policy_service_web/router.ex

defmodule PolicyServiceWeb.Router do
  use PolicyServiceWeb, :router

  alias PolicyServiceWeb.PolicyController
  alias PolicyServiceWeb.HealthController

  pipeline :api do
    plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
  end

  pipeline :authorize do
    plug Oidcc.Plug.ExtractAuthorization
    plug Oidcc.Plug.RequireAuthorization

    plug PolicyServiceWeb.Plugs.RequireOrganizationId
    plug PolicyServiceWeb.Plugs.ExtractOrganizationId

    plug :validate
    plug :authorize_roles
  end

  get "/health", HealthController, :health
  get "/health/ready", HealthController, :ready

  scope "/api" do
    pipe_through [:api]

    get "/openapi", OpenApiSpex.Plug.RenderSpec, []

    scope "/v1" do
      pipe_through [:authorize]

      get "/policies", PolicyController, :index, required_permission: ["policy:read"]

      get "/policies/:application_id", PolicyController, :show,
        required_permissions: ["policy:read"]

      post "/policies", PolicyController, :create, required_permissions: ["policy:create_request"]

      post "/policies/:application_id/accept", PolicyController, :accept,
        required_permission: ["policy:submit_solicitation"]
    end
  end

  scope "/swaggerui" do
    get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
  end

  def validate(conn, _opts) do
    zitadel = Application.get_env(:policy_service, :zitadel)

    opts =
      Oidcc.Plug.ValidateJwtToken.init(
        provider: PolicyService.ZitadelProvider,
        client_id: zitadel[:client_id],
        client_secret: zitadel[:client_secret]
      )

    Oidcc.Plug.IntrospectToken.call(
      conn,
      opts
    )
  end

  def authorize_roles(conn, _opts) do
    zitadel = Application.get_env(:policy_service, :zitadel)
    opts = PolicyServiceWeb.Plugs.AuthorizeRoles.init(roles_claim: zitadel[:roles_claim])
    PolicyServiceWeb.Plugs.AuthorizeRoles.call(conn, opts)
  end
end