authz: don't treat unauthenticated routes any different

Signed-off-by: Stephan Renatus <[email protected]>
StyraInc · Jul 3, 2024 · addc6cd · addc6cd
1 parent 7aef7ef
commit addc6cd
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 17 deletions.
diff --git a/policies/cats.rego b/policies/cats.rego
@@ -1,13 +1,15 @@
 package cats
+
 import rego.v1
 
-roles := {
-  "maria": "admin",
-}
+roles := {"maria": "admin"}
 
 default allow := false
-allow := allowed(input.user, input.action, input.resource)
 
-allowed(user, _, _) if user, "admin" in roles
-allowed(_, "get", _)
-allowed(_, "list", _)
+allow := allowed(input.user, input.action, input.resource, roles)
+
+allowed(user, _, _, roles) if user, "admin" in roles
+
+allowed(_, "get", _, _)
+
+allowed(_, "list", _, _)
diff --git a/policies/hello.rego b/policies/hello.rego
@@ -0,0 +1,5 @@
+package hello
+
+import rego.v1
+
+default allow := true
diff --git a/policies/login.rego b/policies/login.rego
@@ -0,0 +1,5 @@
+package login
+
+import rego.v1
+
+default allow := true
diff --git a/policies/profile.rego b/policies/profile.rego
@@ -1,4 +1,5 @@
 package profile
+
 import rego.v1
 
 default allow := true
diff --git a/src/app.controller.ts b/src/app.controller.ts
@@ -11,6 +11,7 @@ export class AppController {
   @UseGuards(LocalAuthGuard)
   @Unauthenticated() // So global JWT guard doesn't prohibit logins
   @Post('auth/login')
+  @AuthzQuery('login/allow')
   async login(@Request() req) {
     return this.authService.login(req.user);
   }
@@ -24,6 +25,7 @@ export class AppController {
 
   @Get('hello')
   @Unauthenticated()
+  @AuthzQuery('hello/allow')
   getInfo() {
     return { hello: 'world' };
   }

diff --git a/src/authz/authz.guard.ts b/src/authz/authz.guard.ts
@@ -2,7 +2,6 @@ import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { Reflector } from '@nestjs/core';
 
-import { IS_UNAUTHENTICATED_KEY } from '../authn/decorators/public';
 import { AuthzService } from './authz.service';
 import {
   AUTHZ_EXTRA,
@@ -17,7 +16,7 @@ class InputPayload implements ToInput {
   constructor(extra: ((_: Request) => Record<string, any>)[], req: Request) {
     this.input = extra.reduce(
       (acc, add) => (add ? { ...acc, ...add(req) } : acc),
-      { user: req.user.username },
+      { user: req.user?.username },
     );
   }
 
@@ -35,14 +34,6 @@ export class AuthzGuard implements CanActivate {
   ) {}
 
   async canActivate(context: ExecutionContext) {
-    const isUnauthenticated = this.reflector.getAllAndOverride<boolean>(
-      IS_UNAUTHENTICATED_KEY,
-      [context.getHandler(), context.getClass()],
-    );
-    if (isUnauthenticated) {
-      return true;
-    }
-
     const request = context.switchToHttp().getRequest();
     const inp = new InputPayload(
       this.reflector.getAll<((_: Request) => Record<string, any>)[]>(