typesec-integrations 0.3.0

OAuth, OIDC, WorkOS, and Arcade integrations for typesec
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173

//! WorkOS Fine-Grained Authorization integration.

use std::sync::Arc;

use serde::{Deserialize, Serialize};
use serde_json::json;
use tracing::debug;
use typesec_core::policy::{PolicyEngine, PolicyResult};

use crate::http::{HttpClient, ReqwestHttpClient};

/// A WorkOS resource identifier parsed from a Typesec resource id.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct WorkOsResource {
    /// WorkOS resource type slug, for example `project`.
    pub resource_type_slug: String,
    /// Application-level external resource id.
    pub resource_external_id: String,
}

impl WorkOsResource {
    /// Parse `type/id` or `type:id` into a WorkOS resource reference.
    pub fn parse(resource: &str) -> Option<Self> {
        let (resource_type_slug, resource_external_id) = resource
            .split_once('/')
            .or_else(|| resource.split_once(':'))?;
        if resource_type_slug.is_empty() || resource_external_id.is_empty() {
            return None;
        }
        Some(Self {
            resource_type_slug: resource_type_slug.to_string(),
            resource_external_id: resource_external_id.to_string(),
        })
    }
}

/// JSON body sent to the WorkOS authorization check endpoint.
#[derive(Debug, Clone, Serialize)]
pub struct WorkOsFgaRequest {
    /// Permission slug to check.
    pub permission_slug: String,
    /// Resource type slug.
    pub resource_type_slug: String,
    /// External resource id.
    pub resource_external_id: String,
}

#[derive(Debug, Deserialize)]
struct WorkOsFgaResponse {
    authorized: bool,
}

/// Policy engine that delegates resource checks to WorkOS FGA.
pub struct WorkOsFgaEngine {
    api_key: String,
    base_url: String,
    http: Arc<dyn HttpClient>,
}

impl WorkOsFgaEngine {
    /// Create an engine using `https://api.workos.com`.
    pub fn new(api_key: impl Into<String>) -> Self {
        Self::with_http(
            api_key,
            "https://api.workos.com",
            Arc::new(ReqwestHttpClient::new()),
        )
    }

    /// Create an engine with custom base URL and HTTP client.
    pub fn with_http(
        api_key: impl Into<String>,
        base_url: impl Into<String>,
        http: Arc<dyn HttpClient>,
    ) -> Self {
        Self {
            api_key: api_key.into(),
            base_url: base_url.into().trim_end_matches('/').to_string(),
            http,
        }
    }

    fn request_for(&self, action: &str, resource: &str) -> Result<WorkOsFgaRequest, String> {
        let resource = WorkOsResource::parse(resource)
            .ok_or_else(|| format!("resource '{resource}' is not formatted as type/id"))?;
        Ok(WorkOsFgaRequest {
            permission_slug: permission_slug(action, &resource.resource_type_slug),
            resource_type_slug: resource.resource_type_slug,
            resource_external_id: resource.resource_external_id,
        })
    }
}

impl PolicyEngine for WorkOsFgaEngine {
    fn check(&self, subject: &str, action: &str, resource: &str) -> PolicyResult {
        debug!(subject, action, resource, "workos fga check");

        let request = match self.request_for(action, resource) {
            Ok(request) => request,
            Err(reason) => return PolicyResult::Delegate(reason),
        };

        let url = format!(
            "{}/authorization/organization_memberships/{}/check",
            self.base_url, subject
        );
        let body = json!({
            "permission_slug": request.permission_slug,
            "resource_type_slug": request.resource_type_slug,
            "resource_external_id": request.resource_external_id,
        });
        let headers = [("Authorization", format!("Bearer {}", self.api_key))];

        match self.http.post_json(&url, &headers, &body) {
            Ok(value) => match serde_json::from_value::<WorkOsFgaResponse>(value) {
                Ok(response) if response.authorized => PolicyResult::Allow,
                Ok(_) => PolicyResult::Deny(format!(
                    "WorkOS denied '{subject}' permission '{action}' on '{resource}'"
                )),
                Err(err) => PolicyResult::Deny(format!("WorkOS response parse error: {err}")),
            },
            Err(err) => PolicyResult::Deny(format!("WorkOS FGA check failed: {err}")),
        }
    }
}

fn permission_slug(action: &str, resource_type: &str) -> String {
    if action.contains(':') {
        action.to_string()
    } else {
        format!("{resource_type}:{action}")
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::http::StaticHttpClient;
    use serde_json::json;

    #[test]
    fn parses_resource_ids_for_workos() {
        let parsed = WorkOsResource::parse("project/proj_123").expect("parse");
        assert_eq!(parsed.resource_type_slug, "project");
        assert_eq!(parsed.resource_external_id, "proj_123");
    }

    #[test]
    fn allows_when_workos_authorizes() {
        let url = "https://api.workos.test/authorization/organization_memberships/om_1/check";
        let http = StaticHttpClient::new().with_response(url, json!({ "authorized": true }));
        let engine =
            WorkOsFgaEngine::with_http("sk_test", "https://api.workos.test", Arc::new(http));

        assert_eq!(
            engine.check("om_1", "edit", "project/proj_123"),
            PolicyResult::Allow
        );
    }

    #[test]
    fn denies_when_workos_denies() {
        let url = "https://api.workos.test/authorization/organization_memberships/om_1/check";
        let http = StaticHttpClient::new().with_response(url, json!({ "authorized": false }));
        let engine =
            WorkOsFgaEngine::with_http("sk_test", "https://api.workos.test", Arc::new(http));

        assert!(matches!(
            engine.check("om_1", "edit", "project/proj_123"),
            PolicyResult::Deny(_)
        ));
    }
}