authormo khan <mo@mokhan.ca>2025-06-02 09:58:43 -0600
committermo khan <mo@mokhan.ca>2025-06-02 09:58:43 -0600
commit30877c82667ccda1e97c087911b7aeb4e24f51ee (patch)
tree4df155f68612ee9e842ed6c5e83023c903db9880 /app/services/check_test.go
parent7eceda78b9f0cc03946b5922697ad13d0cba55db (diff)
feat: provide minimal `ext-authz` implementation
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter
Diffstat (limited to 'app/services/check_test.go')
-rw-r--r--app/services/check_test.go95
1 files changed, 95 insertions, 0 deletions
diff --git a/app/services/check_test.go b/app/services/check_test.go
new file mode 100644
index 00000000..4eb396bb
--- /dev/null
+++ b/app/services/check_test.go
@@ -0,0 +1,95 @@
+package services
+
+import (
+ "strings"
+ "testing"
+
+ core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/protobuf/types/known/timestamppb"
+)
+
+func TestCheckService(t *testing.T) {
+ svc := NewCheckService()
+
+ t.Run("allows access", func(t *testing.T) {
+ idToken := "header.payload.signature"
+ accessToken := "f88f60df11e458b594c80b299aee05f8e5805c65c3e779cc6fbc606c4ac36227"
+ refreshToken := "0847d325d6e4f021c4baaae0ddb425dbd8795807a4751cd2131bec8e8a9aee24"
+
+ cookies := []string{
+ "bearer_token=" + accessToken + ";",
+ "id_token=" + idToken + ";",
+ "refresh_token=" + refreshToken,
+ }
+
+ response, err := svc.Check(t.Context(), &auth.CheckRequest{
+ Attributes: &auth.AttributeContext{
+ Source: &auth.AttributeContext_Peer{
+ Address: &core.Address{
+ Address: &core.Address_SocketAddress{
+ SocketAddress: &core.SocketAddress{
+ Address: "127.0.0.1",
+ PortSpecifier: &core.SocketAddress_PortValue{
+ PortValue: 52358,
+ },
+ },
+ },
+ },
+ },
+ Destination: &auth.AttributeContext_Peer{
+ Address: &core.Address{
+ Address: &core.Address_SocketAddress{
+ SocketAddress: &core.SocketAddress{
+ Address: "127.0.0.1",
+ PortSpecifier: &core.SocketAddress_PortValue{
+ PortValue: 10000,
+ },
+ },
+ },
+ },
+ },
+ Request: &auth.AttributeContext_Request{
+ Time: &timestamppb.Timestamp{Seconds: 1747937928, Nanos: 476481000},
+ Http: &auth.AttributeContext_HttpRequest{
+ Id: "1248474133684962828",
+ Method: "GET",
+ Headers: map[string]string{
+ ":authority": "localhost:10000",
+ ":method": "GET",
+ ":path": "/health",
+ ":scheme": "http",
+ "accept": "*/*",
+ "accept-encoding": "gzip, deflate, br, zstd",
+ "accept-language": "en-US,en;q=0.9",
+ "cache-control": "max-age=0",
+ "content-length": "64",
+ "content-type": "application/json",
+ "cookie": strings.Join(cookies, "; "),
+ "origin": "http://localhost:10000",
+ "referer": "http://localhost:10000/dashboard",
+ "sec-ch-ua-mobile": "?0",
+ "sec-ch-ua-platform": "Linux",
+ "sec-fetch-dest": "empty",
+ "sec-fetch-mode": "cors",
+ "sec-fetch-site": "same-origin",
+ "x-forwarded-proto": "http",
+ "x-request-id": "7e064610-9e19-4a38-8354-0de0b5fbd7c6",
+ },
+ Path: "/health",
+ Host: "localhost:10000",
+ Scheme: "http",
+ Protocol: "HTTP/1.1",
+ },
+ },
+ MetadataContext: &core.Metadata{},
+ RouteMetadataContext: &core.Metadata{},
+ },
+ })
+
+ require.NoError(t, err)
+ assert.NotNil(t, response.GetOkResponse())
+ })
+}
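Review bot: `TestCheckService` covers only the allow case, and that case passes with `idToken := "header.payload.signature"`, which is not a verifiable JWT, on `/health`, so nothing here shows that `Check` ever refuses a request. For an ext-authz service the deny path is the one that matters; a subtest with no `cookie` header (and ideally one with a malformed token) asserting that `GetOkResponse()` is nil would pin fail-closed behaviour. `Check` itself is outside this hunk, so the sketch below assumes a denial is reported in the `CheckResponse` with a nil error; adjust it if the service signals denial differently. Separately, each entry in `cookies` already ends in `;` and `strings.Join(cookies, "; ")` adds another, so the header carries `;;` separators that a browser would not send; dropping the trailing `;` from the entries makes the fixture realistic.

```go
	// … unchanged: "allows access" subtest …

	t.Run("denies access without credentials", func(t *testing.T) {
		response, err := svc.Check(t.Context(), &auth.CheckRequest{
			Attributes: &auth.AttributeContext{
				Request: &auth.AttributeContext_Request{
					Http: &auth.AttributeContext_HttpRequest{
						Method:  "GET",
						Path:    "/dashboard",
						Headers: map[string]string{":method": "GET", ":path": "/dashboard"},
					},
				},
			},
		})

		// Assumes denial is carried in the response rather than as an error; confirm against Check.
		require.NoError(t, err)
		assert.Nil(t, response.GetOkResponse())
	})
```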