add auth

2026-05-15 10:21:36 -05:00
parent 3cc9e2764e
commit 141104822e
13 changed files with 314 additions and 47 deletions
--- a/lib/provider_service_web/router.ex
+++ b/lib/provider_service_web/router.ex
@@ -1,11 +1,30 @@
 defmodule ProviderServiceWeb.Router do
  use Phoenix.Router
+  import Plug.Conn
+
+  alias ProviderServiceWeb.Plugs

  pipeline :api do
    plug(:accepts, ["json"])
    plug(OpenApiSpex.Plug.PutApiSpec, module: ProviderServiceWeb.ApiSpec)
  end

+  pipeline :auth do
+    plug(Oidcc.Plug.ExtractAuthorization)
+    plug(Oidcc.Plug.RequireAuthorization)
+    plug(ProviderServiceWeb.Plugs.RequireOrganizationId)
+    plug(ProviderServiceWeb.Plugs.ExtractOrganizationId)
+    plug(:introspect)
+  end
+
+  pipeline :read do
+    plug(:authorize_roles, required_permissions: ["provider:read"])
+  end
+
+  pipeline :manage do
+    plug(:authorize_roles, required_permissions: ["provider:manage"])
+  end
+
  get("/health", ProviderServiceWeb.HealthController, :health)
  get("/health/ready", ProviderServiceWeb.HealthController, :ready)

@@ -15,59 +34,87 @@ defmodule ProviderServiceWeb.Router do
    get("/openapi", OpenApiSpex.Plug.RenderSpec, [])

    scope "/v1" do
-      # Providers
-      get("/providers", ProviderServiceWeb.ProviderController, :index)
-      post("/providers", ProviderServiceWeb.ProviderController, :create)
-      get("/providers/:provider_id", ProviderServiceWeb.ProviderController, :show)
-      put("/providers/:provider_id", ProviderServiceWeb.ProviderController, :update)
+      pipe_through([:auth])

-      post(
-        "/providers/:provider_id/deactivate",
-        ProviderServiceWeb.ProviderController,
-        :deactivate
-      )
+      scope "/" do
+        pipe_through([:read])
+        get("/providers", ProviderServiceWeb.ProviderController, :index)
+        get("/providers/:provider_id", ProviderServiceWeb.ProviderController, :show)
+        get("/providers/:provider_id/templates", ProviderServiceWeb.TemplateController, :index)
+      end

-      post(
-        "/providers/:provider_id/reactivate",
-        ProviderServiceWeb.ProviderController,
-        :reactivate
-      )
+      scope "/" do
+        pipe_through([:manage])
+        post("/providers", ProviderServiceWeb.ProviderController, :create)
+        put("/providers/:provider_id", ProviderServiceWeb.ProviderController, :update)

-      # Templates
-      get("/providers/:provider_id/templates", ProviderServiceWeb.TemplateController, :index)
+        post(
+          "/providers/:provider_id/deactivate",
+          ProviderServiceWeb.ProviderController,
+          :deactivate
+        )

-      post(
-        "/providers/:provider_id/templates",
-        ProviderServiceWeb.TemplateController,
-        :upload_template
-      )
+        post(
+          "/providers/:provider_id/reactivate",
+          ProviderServiceWeb.ProviderController,
+          :reactivate
+        )

-      post(
-        "/providers/:provider_id/templates/:template_id/activate",
-        ProviderServiceWeb.TemplateController,
-        :activate
-      )
+        post(
+          "/providers/:provider_id/templates",
+          ProviderServiceWeb.TemplateController,
+          :upload_template
+        )

-      post(
-        "/providers/:provider_id/templates/:template_id/deactivate",
-        ProviderServiceWeb.TemplateController,
-        :deactivate
-      )
+        post(
+          "/providers/:provider_id/templates/:template_id/activate",
+          ProviderServiceWeb.TemplateController,
+          :activate
+        )

-      post(
-        "/providers/:provider_id/templates/:template_id/set-default",
-        ProviderServiceWeb.TemplateController,
-        :set_default
-      )
+        post(
+          "/providers/:provider_id/templates/:template_id/deactivate",
+          ProviderServiceWeb.TemplateController,
+          :deactivate
+        )

-      delete(
-        "/providers/:provider_id/templates/:template_id",
-        ProviderServiceWeb.TemplateController,
-        :remove
-      )
+        post(
+          "/providers/:provider_id/templates/:template_id/set-default",
+          ProviderServiceWeb.TemplateController,
+          :set_default
+        )
+
+        delete(
+          "/providers/:provider_id/templates/:template_id",
+          ProviderServiceWeb.TemplateController,
+          :remove
+        )
+      end
    end
  end

+  defp introspect(conn, _opts) do
+    zitadel = Application.get_env(:provider_service, :zitadel)
+
+    opts =
+      Oidcc.Plug.IntrospectToken.init(
+        provider: ProviderService.ZitadelProvider,
+        client_id: zitadel[:client_id],
+        client_secret: zitadel[:client_secret],
+        token_introspection_opts: %{client_self_only: false}
+      )
+
+    Oidcc.Plug.IntrospectToken.call(conn, opts)
+  end
+
+  defp authorize_roles(conn, opts) do
+    zitadel = Application.get_env(:provider_service, :zitadel)
+
+    init_opts = Plugs.AuthorizeRoles.init(roles_claim: zitadel[:roles_claim])
+
+    Plugs.AuthorizeRoles.call(conn, Keyword.merge(opts, init_opts))
+  end
+
  if Mix.env() == :dev do
    scope "/swaggerui" do
      get("/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi")