add auth

lib/workload_service_web/router.ex

@@ -5,29 +5,94 @@ defmodule WorkloadServiceWeb.Router do
   alias WorkloadServiceWeb.HealthController
 
   pipeline :api do
-    plug OpenApiSpex.Plug.PutApiSpec, module: WorkloadServiceWeb.ApiSpec
+    plug(OpenApiSpex.Plug.PutApiSpec, module: WorkloadServiceWeb.ApiSpec)
   end
 
-  get "/health", HealthController, :health
-  get "/health/ready", HealthController, :ready
+  pipeline :auth do
+    plug(Oidcc.Plug.ExtractAuthorization)
+    plug(Oidcc.Plug.RequireAuthorization)
+
+    plug(WorkloadServiceWeb.Plugs.RequireOrganizationId)
+    plug(WorkloadServiceWeb.Plugs.ExtractOrganizationId)
+
+    plug(:introspect)
+  end
+
+  pipeline(:read, do: plug(:authorize_roles, required_permissions: ["task:read"]))
+  pipeline(:submit, do: plug(:authorize_roles, required_permissions: ["task:submit"]))
+
+  pipeline(:request_approval,
+    do: plug(:authorize_roles, required_permissions: ["task:request_approval"])
+  )
+
+  pipeline(:approve, do: plug(:authorize_roles, required_permissions: ["task:approve"]))
+  pipeline(:complete, do: plug(:authorize_roles, required_permissions: ["task:complete"]))
+
+  get("/health", HealthController, :health)
+  get("/health/ready", HealthController, :ready)
 
   scope "/api" do
-    pipe_through [:api]
+    pipe_through([:api])
 
-    get "/openapi", OpenApiSpex.Plug.RenderSpec, []
+    get("/openapi", OpenApiSpex.Plug.RenderSpec, [])
 
     scope "/v1" do
-      get "/tasks", TaskController, :list
-      get "/tasks/:id", TaskController, :show
-      post "/tasks/:id/submit", TaskController, :submit
-      post "/tasks/:id/approve", TaskController, :approve
-      post "/tasks/:id/complete", TaskController, :complete
+      pipe_through([:auth])
+
+      scope "/" do
+        pipe_through([:read])
+        get("/tasks", TaskController, :list)
+        get("/tasks/:id", TaskController, :show)
+      end
+
+      scope "/" do
+        pipe_through([:submit])
+        post("/tasks/:id/submit", TaskController, :submit)
+      end
+
+      scope "/" do
+        pipe_through([:request_approval])
+        post("/tasks/:id/request_approval", TaskController, :request_approval)
+      end
+
+      scope "/" do
+        pipe_through([:approve])
+        post("/tasks/:id/approve", TaskController, :approve)
+      end
+
+      scope "/" do
+        pipe_through([:complete])
+        post("/tasks/:id/complete", TaskController, :complete)
+      end
     end
   end
 
   if Mix.env() == :dev do
     scope "/swaggerui" do
-      get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
+      get("/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi")
     end
   end
-end
+
+  def introspect(conn, _opts) do
+    zitadel = Application.get_env(:workload_service, :zitadel)
+
+    opts =
+      Oidcc.Plug.IntrospectToken.init(
+        provider: WorkloadService.ZitadelProvider,
+        client_id: zitadel[:client_id],
+        client_secret: zitadel[:client_secret],
+        token_introspection_opts: %{client_self_only: false}
+      )
+
+    Oidcc.Plug.IntrospectToken.call(conn, opts)
+  end
+
+  def authorize_roles(conn, opts) do
+    zitadel = Application.get_env(:workload_service, :zitadel)
+
+    o =
+      WorkloadServiceWeb.Plugs.AuthorizeRoles.init(roles_claim: zitadel[:roles_claim])
+
+    WorkloadServiceWeb.Plugs.AuthorizeRoles.call(conn, Keyword.merge(opts, o))
+  end
+end