refactor context sent to opa

2023-01-18 15:50:42 +01:00 · 2023-01-18 15:50:42 +01:00 · a578417d31
parent 7dc6e7795f
commit a578417d31
4 changed files with 37 additions and 13 deletions
--- a/opa/user/list.rego
+++ b/opa/user/list.rego
@ -3,5 +3,5 @@ package user.list
 default allow := false
 allow := true {
-    input.uuid == "96d99d44-e0a6-458e-a656-de2a400d60a9"
+    input.role == "admin"
 }
--- a/opa/user/read.rego
+++ b/opa/user/read.rego
@ -3,5 +3,9 @@ package user.read
 default allow := false
 allow := true {
-    input.uuid == "96d99d44-e0a6-458e-a656-de2a400d60a8"
+    input.uuid == input.owner
 }
 allow := true {
    input.role == "admin"
 }
--- a/src/modules/authorization/adapters/secondaries/opa.decision-maker.ts
+++ b/src/modules/authorization/adapters/secondaries/opa.decision-maker.ts
@ -24,17 +24,25 @@ export class OpaDecisionMaker extends IMakeDecision {
    action: Action,
    context: Array<ContextItem>,
  ): Promise<Authorization> {
-    const { data } = await lastValueFrom(
+    const reducedContext = context.reduce(
-      this._httpService.post<Decision>(
+      (obj, item) => Object.assign(obj, { [item.name]: item.value }),
-        this._configService.get<string>('OPA_URL') + domain + '/' + action,
+      {},
        {
          input: {
            uuid,
            ...context,
          },
        },
      ),
    );
-    return new Authorization(data.result.allow);
+    try {
      const { data } = await lastValueFrom(
        this._httpService.post<Decision>(
          this._configService.get<string>('OPA_URL') + domain + '/' + action,
          {
            input: {
              uuid,
              ...reducedContext,
            },
          },
        ),
      );
      return new Authorization(data.result.allow);
    } catch (e) {
      return new Authorization(false);
    }
  }
 }
--- a/src/modules/authorization/tests/unit/opa.decision-maker.spec.ts
+++ b/src/modules/authorization/tests/unit/opa.decision-maker.spec.ts
@ -30,6 +30,9 @@ const mockHttpService = {
          },
        },
      });
    })
    .mockImplementationOnce(() => {
      throw new Error();
    }),
 };
@ -84,5 +87,14 @@ describe('OpaDecisionMaker', () => {
      );
      expect(authorization.allow).toBeFalsy();
    });
    it('should return a falsy authorization when an error happens', async () => {
      const authorization = await opaDecisionMaker.decide(
        'bb281075-1b98-4456-89d6-c643d3044a91',
        Domain.user,
        Action.read,
        [],
      );
      expect(authorization.allow).toBeFalsy();
    });
  });
 });