fix: key parameter added

Signed-off-by: Leonid Kaganov <lleo@lleo.me>

Author: lleokaganov

.gitignore

@@ -15,3 +15,5 @@ DROP_DB.sh
 TODO.txt
 DOCKER.sh
 /lleo
+/client
+/scripts

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "hulypulse"
-version = "0.1.31"
+version = "0.1.32"
 edition = "2024"
 
 [dependencies]

Cargo.toml

@@ -2,5 +2,6 @@ default permit = true
 
 #permit if {
 # input.command == "Get"
+# contains(input.key, "/typing/")
 # input.claim.workspace == "00000000-0000-0000-0000-000000000001"
 #}

permit.repo renamed to policy.repo

@@ -59,7 +59,7 @@ pub struct Config {
 
  pub heartbeat_timeout: u64,
 
- pub permit_file: Option<String>,
+ pub policy_file: Option<String>,
 }
 
 pub static CONFIG: LazyLock<Config> = LazyLock::new(|| {

src/config.rs

@@ -68,7 +68,7 @@ pub async fn list(
  let key = format!("{}/{}", &params.workspace, &params.key);
  trace!(key, "list request");
 
- if !CONFIG.no_authorization && !test_rego_http(req, "List") {
+ if !CONFIG.no_authorization && !test_rego_http(req, "List", &key) {
  return Err(actix_web::error::ErrorForbidden("forbidden"));
  }
 
@@ -86,7 +86,7 @@ pub async fn get(
  let key = format!("{}/{}", &params.workspace, &params.key);
  trace!(key, "get request");
 
- if !CONFIG.no_authorization && !test_rego_http(req, "Get") {
+ if !CONFIG.no_authorization && !test_rego_http(req, "Get", &key) {
  return Err(actix_web::error::ErrorForbidden("forbidden"));
  }
 
@@ -119,7 +119,7 @@ pub async fn put(
  let key = format!("{}/{}", &params.workspace, &params.key);
  trace!(key, "put request");
 
- if !CONFIG.no_authorization && !test_rego_http(req, "Put") {
+ if !CONFIG.no_authorization && !test_rego_http(req, "Put", &key) {
  return Err(actix_web::error::ErrorForbidden("forbidden"));
  }
 
@@ -171,7 +171,7 @@ pub async fn delete(
  let key = format!("{}/{}", &params.workspace, &params.key);
  trace!(key, "delete request");
 
- if !CONFIG.no_authorization && !test_rego_http(req, "Delete") {
+ if !CONFIG.no_authorization && !test_rego_http(req, "Delete", &key) {
  return Err(actix_web::error::ErrorForbidden("forbidden"));
  }
 

src/handlers_http.rs

@@ -217,8 +217,17 @@ impl StreamHandler<Result<ws::Message, ws::ProtocolError>> for WsSession {
  // let x = self.claims.unwrap().as_ref();
  // );
  if !CONFIG.no_authorization {
+ let key = match &cmd {
+ WsCommand::Put { key, .. }
+ | WsCommand::Delete { key, .. }
+ | WsCommand::Get { key, .. }
+ | WsCommand::List { key, .. }
+ | WsCommand::Sub { key, .. }
+ | WsCommand::Unsub { key, .. } => key.as_str(),
+ _ => "",
+ };
  if let Some(ref claim) = self.claims {
- if !test_rego_claims(claim, cmd.as_ref()) {
+ if !test_rego_claims(claim, cmd.as_ref(), &key) {
  ctx.text("Unauthorized: Rego policy");
  ctx.stop();
  return;

src/handlers_ws.rs

@@ -57,33 +57,34 @@ pub fn check_workspace_core(claims_opt: Option<Claims>, key: &str) -> Result<(),
  Ok(())
 }
 
-pub fn test_rego_claims(claim: &Claims, command: &str) -> bool {
+pub fn test_rego_claims(claim: &Claims, command: &str, key: &str) -> bool {
  let data = serde_json::to_value(&claim).unwrap_or_default();
  let mut rego = REGORUS_ENGINE.clone();
 
  rego.set_input(regorus::Value::from(json!({
  "command": command,
  "claim": data,
+ "key": key,
  })));
  let result = rego.eval_rule(String::from("data.main.permit")).unwrap();
 
  result == regorus::Value::Bool(true)
 }
 
-pub fn test_rego_http(req: HttpRequest, command: &str) -> bool {
+pub fn test_rego_http(req: HttpRequest, command: &str, key: &str) -> bool {
  let claims = req
  .extensions()
  .get::<Claims>()
  .expect("Missing claims")
  .to_owned();
- test_rego_claims(&claims, command)
+ test_rego_claims(&claims, command, key)
 }
 
 pub static POLICY_TEXT: LazyLock<String> = LazyLock::new(|| {
- let Some(permit_file) = CONFIG.permit_file.as_ref() else {
+ let Some(policy_file) = CONFIG.policy_file.as_ref() else {
  return "package main\n\ndefault permit = true\n".to_string();
  };
- let path = Path::new(permit_file);
+ let path = Path::new(policy_file);
  if !path.exists() {
  panic!("Policy file not found: {}", path.display());
  }