Pass an input object to the policy evaluation instead of multiple arguments

sandhose · sandhose · commit d6b3e6ccaa02 · 2025-02-14T17:15:26.000+01:00
diff --git a/crates/handlers/src/graphql/mutations/user_email.rs b/crates/handlers/src/graphql/mutations/user_email.rs
@@ -424,7 +424,11 @@ impl UserEmailMutations {
 
         if !skip_policy_check {
             let mut policy = state.policy().await?;
-            let res = policy.evaluate_email(&input.email).await?;
+            let res = policy
+                .evaluate_email(mas_policy::EmailInput {
+                    email: &input.email,
+                })
+                .await?;
             if !res.valid() {
                 return Ok(AddEmailPayload::Denied {
                     violations: res.violations,
@@ -610,7 +614,11 @@ impl UserEmailMutations {
 
         // Check if the email address is allowed by the policy
         let mut policy = state.policy().await?;
-        let res = policy.evaluate_email(&input.email).await?;
+        let res = policy
+            .evaluate_email(mas_policy::EmailInput {
+                email: &input.email,
+            })
+            .await?;
         if !res.valid() {
             return Ok(StartEmailAuthenticationPayload::Denied {
                 violations: res.violations,
diff --git a/crates/handlers/src/oauth2/authorization/complete.rs b/crates/handlers/src/oauth2/authorization/complete.rs
@@ -226,7 +226,12 @@ pub(crate) async fn complete(
 
     // Run through the policy
     let res = policy
-        .evaluate_authorization_grant(&grant, client, &browser_session.user)
+        .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
+            user: Some(&browser_session.user),
+            client,
+            scope: &grant.scope,
+            grant_type: mas_policy::GrantType::AuthorizationCode,
+        })
         .await?;
 
     if !res.valid() {
diff --git a/crates/handlers/src/oauth2/consent.rs b/crates/handlers/src/oauth2/consent.rs
@@ -111,7 +111,12 @@ pub(crate) async fn get(
         let (csrf_token, cookie_jar) = cookie_jar.csrf_token(&clock, &mut rng);
 
         let res = policy
-            .evaluate_authorization_grant(&grant, &client, &session.user)
+            .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
+                user: Some(&session.user),
+                client: &client,
+                scope: &grant.scope,
+                grant_type: mas_policy::GrantType::AuthorizationCode,
+            })
             .await?;
 
         if res.valid() {
@@ -185,7 +190,12 @@ pub(crate) async fn post(
         .ok_or(RouteError::NoSuchClient)?;
 
     let res = policy
-        .evaluate_authorization_grant(&grant, &client, &session.user)
+        .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
+            user: Some(&session.user),
+            client: &client,
+            scope: &grant.scope,
+            grant_type: mas_policy::GrantType::AuthorizationCode,
+        })
         .await?;
 
     if !res.valid() {
diff --git a/crates/handlers/src/oauth2/device/consent.rs b/crates/handlers/src/oauth2/device/consent.rs
@@ -82,7 +82,12 @@ pub(crate) async fn get(
 
     // Evaluate the policy
     let res = policy
-        .evaluate_device_code_grant(&grant, &client, &session.user)
+        .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
+            grant_type: mas_policy::GrantType::DeviceCode,
+            client: &client,
+            scope: &grant.scope,
+            user: Some(&session.user),
+        })
         .await?;
     if !res.valid() {
         warn!(violation = ?res, "Device code grant for client {} denied by policy", client.id);
@@ -157,7 +162,12 @@ pub(crate) async fn post(
 
     // Evaluate the policy
     let res = policy
-        .evaluate_device_code_grant(&grant, &client, &session.user)
+        .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
+            grant_type: mas_policy::GrantType::DeviceCode,
+            client: &client,
+            scope: &grant.scope,
+            user: Some(&session.user),
+        })
         .await?;
     if !res.valid() {
         warn!(violation = ?res, "Device code grant for client {} denied by policy", client.id);
diff --git a/crates/handlers/src/oauth2/registration.rs b/crates/handlers/src/oauth2/registration.rs
@@ -244,7 +244,11 @@ pub(crate) async fn post(
         }
     }
 
-    let res = policy.evaluate_client_registration(&metadata).await?;
+    let res = policy
+        .evaluate_client_registration(mas_policy::ClientRegistrationInput {
+            client_metadata: &metadata,
+        })
+        .await?;
     if !res.valid() {
         return Err(RouteError::PolicyDenied(res.violations));
     }
diff --git a/crates/handlers/src/oauth2/token.rs b/crates/handlers/src/oauth2/token.rs
@@ -676,7 +676,12 @@ async fn client_credentials_grant(
 
     // Make the request go through the policy engine
     let res = policy
-        .evaluate_client_credentials_grant(&scope, client)
+        .evaluate_authorization_grant(mas_policy::AuthorizationGrantInput {
+            user: None,
+            client,
+            scope: &scope,
+            grant_type: mas_policy::GrantType::ClientCredentials,
+        })
         .await?;
     if !res.valid() {
         return Err(RouteError::DeniedByPolicy(res.violations));
diff --git a/crates/handlers/src/upstream_oauth2/link.rs b/crates/handlers/src/upstream_oauth2/link.rs
@@ -441,7 +441,11 @@ pub(crate) async fn get(
                         }
 
                         let res = policy
-                            .evaluate_upstream_oauth_register(&localpart, None)
+                            .evaluate_register(mas_policy::RegisterInput {
+                                registration_method: mas_policy::RegistrationMethod::UpstreamOAuth2,
+                                username: &localpart,
+                                email: None,
+                            })
                             .await?;
 
                         if res.valid() {
@@ -752,8 +756,13 @@ pub(crate) async fn post(
 
             // Policy check
             let res = policy
-                .evaluate_upstream_oauth_register(&username, email.as_deref())
+                .evaluate_register(mas_policy::RegisterInput {
+                    registration_method: mas_policy::RegistrationMethod::UpstreamOAuth2,
+                    username: &username,
+                    email: email.as_deref(),
+                })
                 .await?;
+
             if !res.valid() {
                 let form_state =
                     res.violations
diff --git a/crates/handlers/src/views/register/password.rs b/crates/handlers/src/views/register/password.rs
@@ -233,7 +233,11 @@ pub(crate) async fn post(
         }
 
         let res = policy
-            .evaluate_register(&form.username, &form.email)
+            .evaluate_register(mas_policy::RegisterInput {
+                registration_method: mas_policy::RegistrationMethod::Password,
+                username: &form.username,
+                email: Some(&form.email),
+            })
             .await?;
 
         for violation in res.violations {
diff --git a/crates/policy/src/lib.rs b/crates/policy/src/lib.rs
diff --git a/crates/policy/src/model.rs b/crates/policy/src/model.rs

Original file line number	Diff line number	Diff line change
`@@ -244,7 +244,11 @@ pub(crate) async fn post(`
`244`	`244`	`}`
`245`	`245`	`}`
`246`	`246`
`247`		`- let res = policy.evaluate_client_registration(&metadata).await?;`
	`247`	`+ let res = policy`
	`248`	`+ .evaluate_client_registration(mas_policy::ClientRegistrationInput {`
	`249`	`+ client_metadata: &metadata,`
	`250`	`+ })`
	`251`	`+ .await?;`
`248`	`252`	`if !res.valid() {`
`249`	`253`	`return Err(RouteError::PolicyDenied(res.violations));`
`250`	`254`	`}`