feat: provide minimal `ext-authz` implementation

https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter
author: mo khan <mo@mokhan.ca> 2025-06-02 09:58:43 -0600
committer: mo khan <mo@mokhan.ca> 2025-06-02 09:58:43 -0600
commit: 30877c82667ccda1e97c087911b7aeb4e24f51ee (patch)
tree: 4df155f68612ee9e842ed6c5e83023c903db9880
parent: 7eceda78b9f0cc03946b5922697ad13d0cba55db (diff)
7 files changed, 276 insertions, 3 deletions
diff --git a/app/init.go b/app/init.go
index f5d1dc4b..3c4e757e 100644
--- a/app/init.go
+++ b/app/init.go
@@ -10,6 +10,6 @@ import (
 
 func init() {
 	ioc.RegisterSingleton[*zerolog.Logger](ioc.Default, func() *zerolog.Logger {
-		return log.New(os.Stdout, log.Fields{})
+		return log.New(os.Stdout, log.Fields{"app": "authzd"})
 	})
 }
diff --git a/app/server.go b/app/server.go
new file mode 100644
index 00000000..3ce0aadc
--- /dev/null
+++ b/app/server.go
@@ -0,0 +1,24 @@
+package app
+
+import (
+	"context"
+
+	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/app/services"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/reflection"
+)
+
+type Server struct {
+	*grpc.Server
+}
+
+func NewServer(ctx context.Context, options ...grpc.ServerOption) *Server {
+	server := grpc.NewServer(options...)
+	auth.RegisterAuthorizationServer(server, services.NewCheckService())
+	reflection.Register(server)
+
+	return &Server{
+		Server: server,
+	}
+}
diff --git a/app/server_test.go b/app/server_test.go
new file mode 100644
index 00000000..ff34487a
--- /dev/null
+++ b/app/server_test.go
@@ -0,0 +1,63 @@
+package app
+
+import (
+	"context"
+	"net"
+	"testing"
+
+	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/test/bufconn"
+)
+
+type HTTPRequest = auth.AttributeContext_HttpRequest
+
+func TestServer(t *testing.T) {
+	socket := bufconn.Listen(1024 * 1024)
+	srv := NewServer(t.Context())
+
+	defer srv.GracefulStop()
+	go func() {
+		require.NoError(t, srv.Serve(socket))
+	}()
+
+	connection, err := grpc.DialContext(
+		t.Context(),
+		"bufnet",
+		grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) {
+			return socket.Dial()
+		}),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	)
+	require.NoError(t, err)
+	defer connection.Close()
+
+	client := auth.NewAuthorizationClient(connection)
+
+	t.Run("CheckRequest", func(t *testing.T) {
+		tt := []struct {
+			http   *HTTPRequest
+			status codes.Code
+		}{
+			{status: codes.OK, http: &HTTPRequest{Method: "GET", Path: "/"}},
+		}
+
+		for _, example := range tt {
+			t.Run(example.http.Path, func(t *testing.T) {
+				response, err := client.Check(t.Context(), &auth.CheckRequest{
+					Attributes: &auth.AttributeContext{
+						Request: &auth.AttributeContext_Request{
+							Http: example.http,
+						},
+					},
+				})
+				require.NoError(t, err)
+				assert.Equal(t, int32(example.status), response.Status.Code)
+			})
+		}
+	})
+}
diff --git a/app/services/check.go b/app/services/check.go
new file mode 100644
index 00000000..d0004572
--- /dev/null
+++ b/app/services/check.go
@@ -0,0 +1,61 @@
+package services
+
+import (
+	"context"
+
+	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
+	status "google.golang.org/genproto/googleapis/rpc/status"
+	"google.golang.org/grpc/codes"
+)
+
+type CheckService struct {
+	auth.UnimplementedAuthorizationServer
+}
+
+func NewCheckService() *CheckService {
+	return &CheckService{}
+}
+
+func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
+	if svc.isAllowed(ctx, request) {
+		return svc.OK(ctx), nil
+	}
+	return svc.Denied(ctx), nil
+}
+
+func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool {
+	return true
+}
+
+func (svc *CheckService) OK(ctx context.Context) *auth.CheckResponse {
+	return &auth.CheckResponse{
+		Status: &status.Status{
+			Code: int32(codes.OK),
+		},
+		HttpResponse: &auth.CheckResponse_OkResponse{
+			OkResponse: &auth.OkHttpResponse{
+				Headers:              []*core.HeaderValueOption{},
+				HeadersToRemove:      []string{},
+				ResponseHeadersToAdd: []*core.HeaderValueOption{},
+			},
+		},
+	}
+}
+
+func (svc *CheckService) Denied(ctx context.Context) *auth.CheckResponse {
+	return &auth.CheckResponse{
+		Status: &status.Status{
+			Code: int32(codes.PermissionDenied),
+		},
+		HttpResponse: &auth.CheckResponse_DeniedResponse{
+			DeniedResponse: &auth.DeniedHttpResponse{
+				Status: &types.HttpStatus{
+					Code: types.StatusCode_Unauthorized,
+				},
+				Headers: []*core.HeaderValueOption{},
+			},
+		},
+	}
+}
diff --git a/app/services/check_test.go b/app/services/check_test.go
new file mode 100644
index 00000000..4eb396bb
--- /dev/null
+++ b/app/services/check_test.go
@@ -0,0 +1,95 @@
+package services
+
+import (
+	"strings"
+	"testing"
+
+	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+func TestCheckService(t *testing.T) {
+	svc := NewCheckService()
+
+	t.Run("allows access", func(t *testing.T) {
+		idToken := "header.payload.signature"
+		accessToken := "f88f60df11e458b594c80b299aee05f8e5805c65c3e779cc6fbc606c4ac36227"
+		refreshToken := "0847d325d6e4f021c4baaae0ddb425dbd8795807a4751cd2131bec8e8a9aee24"
+
+		cookies := []string{
+			"bearer_token=" + accessToken + ";",
+			"id_token=" + idToken + ";",
+			"refresh_token=" + refreshToken,
+		}
+
+		response, err := svc.Check(t.Context(), &auth.CheckRequest{
+			Attributes: &auth.AttributeContext{
+				Source: &auth.AttributeContext_Peer{
+					Address: &core.Address{
+						Address: &core.Address_SocketAddress{
+							SocketAddress: &core.SocketAddress{
+								Address: "127.0.0.1",
+								PortSpecifier: &core.SocketAddress_PortValue{
+									PortValue: 52358,
+								},
+							},
+						},
+					},
+				},
+				Destination: &auth.AttributeContext_Peer{
+					Address: &core.Address{
+						Address: &core.Address_SocketAddress{
+							SocketAddress: &core.SocketAddress{
+								Address: "127.0.0.1",
+								PortSpecifier: &core.SocketAddress_PortValue{
+									PortValue: 10000,
+								},
+							},
+						},
+					},
+				},
+				Request: &auth.AttributeContext_Request{
+					Time: &timestamppb.Timestamp{Seconds: 1747937928, Nanos: 476481000},
+					Http: &auth.AttributeContext_HttpRequest{
+						Id:     "1248474133684962828",
+						Method: "GET",
+						Headers: map[string]string{
+							":authority":         "localhost:10000",
+							":method":            "GET",
+							":path":              "/health",
+							":scheme":            "http",
+							"accept":             "*/*",
+							"accept-encoding":    "gzip, deflate, br, zstd",
+							"accept-language":    "en-US,en;q=0.9",
+							"cache-control":      "max-age=0",
+							"content-length":     "64",
+							"content-type":       "application/json",
+							"cookie":             strings.Join(cookies, "; "),
+							"origin":             "http://localhost:10000",
+							"referer":            "http://localhost:10000/dashboard",
+							"sec-ch-ua-mobile":   "?0",
+							"sec-ch-ua-platform": "Linux",
+							"sec-fetch-dest":     "empty",
+							"sec-fetch-mode":     "cors",
+							"sec-fetch-site":     "same-origin",
+							"x-forwarded-proto":  "http",
+							"x-request-id":       "7e064610-9e19-4a38-8354-0de0b5fbd7c6",
+						},
+						Path:     "/health",
+						Host:     "localhost:10000",
+						Scheme:   "http",
+						Protocol: "HTTP/1.1",
+					},
+				},
+				MetadataContext:      &core.Metadata{},
+				RouteMetadataContext: &core.Metadata{},
+			},
+		})
+
+		require.NoError(t, err)
+		assert.NotNil(t, response.GetOkResponse())
+	})
+}
diff --git a/go.mod b/go.mod
index 1d561262..0da45df9 100644
--- a/go.mod
+++ b/go.mod
@@ -4,17 +4,22 @@ go 1.24
 
 require (
 	github.com/cedar-policy/cedar-go v1.2.1
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4
 	github.com/magefile/mage v1.15.0
 	github.com/rs/zerolog v1.34.0
 	github.com/stretchr/testify v1.10.0
 	github.com/twitchtv/twirp v8.1.3+incompatible
 	github.com/xlgmokha/x v0.0.0-20250430185455-b691eda27477
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4
+	google.golang.org/grpc v1.71.0
 	google.golang.org/protobuf v1.36.6
 )
 
 require (
 	github.com/arthurnn/twirp-ruby v1.13.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golobby/container/v3 v3.3.2 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
@@ -22,14 +27,13 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
 	golang.org/x/net v0.37.0 // indirect
 	golang.org/x/sys v0.32.0 // indirect
 	golang.org/x/text v0.24.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
-	google.golang.org/grpc v1.71.0 // indirect
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index 9cb518ea..0a713aca 100644
--- a/go.sum
+++ b/go.sum
@@ -2,10 +2,20 @@ github.com/arthurnn/twirp-ruby v1.13.0 h1:j0T7I5oxe2niKFdfjiiCmkiydwYeegrbwVMs+G
 github.com/arthurnn/twirp-ruby v1.13.0/go.mod h1:1fVOQuSLzwXoPi9/ejlDYG3roilJIPAZN2sw+A3o48o=
 github.com/cedar-policy/cedar-go v1.2.1 h1:f4Ie1j6OT2TqtmnbVcR7OyJWfyPEUvYrFYaurQZhTAo=
 github.com/cedar-policy/cedar-go v1.2.1/go.mod h1:Ahhlu3DxDzvGTR88v/+j/EeiMEyvta11hlkdDgj4AZU=
+github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 h1:boJj011Hh+874zpIySeApCX4GeOjPl9qhRF3QuIZq+Q=
+github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
+github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
+github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
+github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
@@ -15,6 +25,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/jsonapi v1.0.0 h1:qIGgO5Smu3yJmSs+QlvhQnrscdZfFhiV6S8ryJAglqU=
 github.com/google/jsonapi v1.0.0/go.mod h1:YYHiRPJT8ARXGER8In9VuLv4qvLfDmA9ULQqptbLE4s=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -34,6 +46,8 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
@@ -48,6 +62,18 @@ github.com/twitchtv/twirp v8.1.3+incompatible h1:+F4TdErPgSUbMZMwp13Q/KgDVuI7HJX
 github.com/twitchtv/twirp v8.1.3+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
 github.com/xlgmokha/x v0.0.0-20250430185455-b691eda27477 h1:oeKrn9BSDSic5MTXKhQesxhIhB7byxl86IHtCD+yw4k=
 github.com/xlgmokha/x v0.0.0-20250430185455-b691eda27477/go.mod h1:axGPKzoJCNTmPJxYqN5l+Z9gGbPe0yolkT61a5p3QiI=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
+go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
+go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
 golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
author	mo khan <mo@mokhan.ca>	2025-06-02 09:58:43 -0600
committer	mo khan <mo@mokhan.ca>	2025-06-02 09:58:43 -0600
commit	30877c82667ccda1e97c087911b7aeb4e24f51ee (patch)
tree	4df155f68612ee9e842ed6c5e83023c903db9880
parent	7eceda78b9f0cc03946b5922697ad13d0cba55db (diff)