| author | mo khan <mo@mokhan.ca> | 2025-05-02 14:29:41 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-05-02 14:29:41 -0600 |
| commit | c583bcd1473205104a1e1af812ed4976d30c7baa (patch) | |
| tree | 933edf78a4ac8aea55256e42641e56bbb4c58834 /pkg | |
| parent | 91defaefca47e9cebbe92c6abf33c4423df9bc7d (diff) | |
refactor: remove anything unrelated to the authz daemon
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/app/app.go | 25 | ||||
| -rw-r--r-- | pkg/app/routes.go | 18 | ||||
| -rw-r--r-- | pkg/authz/authz.go | 23 | ||||
| -rw-r--r-- | pkg/authz/casbin.go | 43 | ||||
| -rw-r--r-- | pkg/authz/cedar.go | 34 | ||||
| -rw-r--r-- | pkg/authz/token.go | 30 | ||||
| -rw-r--r-- | pkg/cfg/cfg.go | 34 | ||||
| -rw-r--r-- | pkg/cfg/mux.go | 11 | ||||
| -rw-r--r-- | pkg/cfg/option.go | 3 | ||||
| -rw-r--r-- | pkg/cfg/tls.go | 75 | ||||
| -rw-r--r-- | pkg/policies/policies_test.go | 2 | ||||
| -rw-r--r-- | pkg/prxy/prxy.go | 43 | ||||
| -rw-r--r-- | pkg/prxy/prxy_test.go | 49 | ||||
| -rw-r--r-- | pkg/rpc/ability.pb.go | 12 | ||||
| -rw-r--r-- | pkg/rpc/ability.twirp.go (renamed from pkg/rpc/gitlab.com/mokhax/spike/pkg/rpc/ability.twirp.go) | 45 | ||||
| -rw-r--r-- | pkg/rpc/ability_grpc.pb.go | 121 | ||||
| -rw-r--r-- | pkg/rpc/ability_service.go | 5 | ||||
| -rw-r--r-- | pkg/rpc/server.go | 20 | ||||
| -rw-r--r-- | pkg/rpc/server_test.go | 26 | ||||
| -rw-r--r-- | pkg/srv/srv.go | 26 | ||||
| -rw-r--r-- | pkg/test/test.go | 49 |
21 files changed, 51 insertions, 643 deletions
diff --git a/pkg/app/app.go b/pkg/app/app.go
deleted file mode 100644
index 89a2bd34..00000000
--- a/pkg/app/app.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package app
-
-import (
- "os"
-
- "github.com/xlgmokha/x/pkg/log"
- "gitlab.com/mokhax/spike/pkg/authz"
- "gitlab.com/mokhax/spike/pkg/cfg"
- "gitlab.com/mokhax/spike/pkg/srv"
-)
-
-func Start(bindAddr string) error {
- logger := log.New(os.Stdout, log.Fields{"app": "gtwy"})
- mux := authz.HTTP(authz.WithCasbin(), Routes())
- return srv.Run(cfg.New(
- bindAddr,
- cfg.WithMux(log.HTTP(logger)(mux)),
- cfg.WithTLS([]string{
- "api.example.com",
- "authzd.example.com",
- "idp.example.com",
- "ui.example.com",
- }),
- ))
-}
diff --git a/pkg/app/routes.go b/pkg/app/routes.go
deleted file mode 100644
index ff1291c2..00000000
--- a/pkg/app/routes.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package app
-
-import (
- "net/http"
-
- "gitlab.com/mokhax/spike/pkg/prxy"
-)
-
-func Routes() http.Handler {
- mux := http.NewServeMux()
- mux.Handle("/", prxy.New(map[string]string{
- "api.example.com": "http://localhost:8284",
- "authzd.example.com": "http://localhost:50051",
- "idp.example.com": "http://localhost:8282",
- "ui.example.com": "http://localhost:8283",
- }))
- return mux
-}
diff --git a/pkg/authz/authz.go b/pkg/authz/authz.go
deleted file mode 100644
index 5a93a29c..00000000
--- a/pkg/authz/authz.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package authz
-
-import "net/http"
-
-type Authorizer interface {
- Authorize(*http.Request) bool
-}
-
-type AuthorizerFunc func(*http.Request) bool
-
-func (f AuthorizerFunc) Authorize(r *http.Request) bool {
- return f(r)
-}
-
-func HTTP(authorizer Authorizer, h http.Handler) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if authorizer.Authorize(r) {
- h.ServeHTTP(w, r)
- } else {
- w.WriteHeader(http.StatusForbidden)
- }
- })
-}
diff --git a/pkg/authz/casbin.go b/pkg/authz/casbin.go
deleted file mode 100644
index 140bdb98..00000000
--- a/pkg/authz/casbin.go
+++ /dev/null
@@ -1,43 +0,0 @@
-package authz
-
-import (
- "fmt"
- "net"
- "net/http"
-
- "github.com/casbin/casbin/v3"
- "github.com/xlgmokha/x/pkg/log"
- "github.com/xlgmokha/x/pkg/x"
-)
-
-func WithCasbin() Authorizer {
- enforcer := x.Must(casbin.NewEnforcer("casbin.conf", "casbin.csv"))
-
- return AuthorizerFunc(func(r *http.Request) bool {
- host, _, err := net.SplitHostPort(r.Host)
- if err != nil {
- log.WithFields(r.Context(), log.Fields{"error": err})
- return false
- }
-
- subject, found := TokenFrom(r).Subject()
- if !found {
- subject = "*"
- }
- ok, err := enforcer.Enforce(subject, host, r.Method, r.URL.Path)
- if err != nil {
- log.WithFields(r.Context(), log.Fields{"error": err})
- return false
- }
-
- fmt.Printf("%v: %v -> %v %v%v\n", ok, subject, r.Method, host, r.URL.Path)
- log.WithFields(r.Context(), log.Fields{
- "authz": ok,
- "subject": subject,
- "action": r.Method,
- "domain": host,
- "object": r.URL.Path,
- })
- return ok
- })
-}
diff --git a/pkg/authz/cedar.go b/pkg/authz/cedar.go
deleted file mode 100644
index 18674c74..00000000
--- a/pkg/authz/cedar.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package authz
-
-import (
- "net"
- "net/http"
-
- cedar "github.com/cedar-policy/cedar-go"
- "github.com/xlgmokha/x/pkg/log"
- "gitlab.com/mokhax/spike/pkg/gid"
- "gitlab.com/mokhax/spike/pkg/policies"
-)
-
-func WithCedar() Authorizer {
- return AuthorizerFunc(func(r *http.Request) bool {
- host, _, err := net.SplitHostPort(r.Host)
- if err != nil {
- log.WithFields(r.Context(), log.Fields{"error": err})
- return false
- }
- subject, found := TokenFrom(r).Subject()
- if !found {
- subject = "gid://example/User/*"
- }
-
- return policies.Allowed(cedar.Request{
- Principal: gid.NewEntityUID(subject),
- Action: cedar.NewEntityUID("HttpMethod", cedar.String(r.Method)),
- Resource: cedar.NewEntityUID("HttpPath", cedar.String(r.URL.Path)),
- Context: cedar.NewRecord(cedar.RecordMap{
- "host": cedar.String(host),
- }),
- })
- })
-}
diff --git a/pkg/authz/token.go b/pkg/authz/token.go
deleted file mode 100644
index 2794bf4a..00000000
--- a/pkg/authz/token.go
+++ /dev/null
@@ -1,30 +0,0 @@
-package authz
-
-import (
- "net/http"
- "strings"
-
- "github.com/lestrrat-go/jwx/v3/jwt"
- "github.com/xlgmokha/x/pkg/log"
-)
-
-func TokenFrom(r *http.Request) jwt.Token {
- authorization := r.Header.Get("Authorization")
- if authorization == "" || !strings.Contains(authorization, "Bearer") {
- return jwt.New()
- }
-
- token, err := jwt.ParseRequest(r,
- jwt.WithContext(r.Context()),
- jwt.WithHeaderKey("Authorization"),
- jwt.WithValidate(false), // TODO:: Connect this to a JSON Web Key Set
- jwt.WithVerify(false), // TODO:: Connect this to a JSON Web Key Set
- )
-
- if err != nil {
- log.WithFields(r.Context(), log.Fields{"error": err})
- return jwt.New()
- }
-
- return token
-}
diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go
deleted file mode 100644
index 0d7a6427..00000000
--- a/pkg/cfg/cfg.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package cfg
-
-import (
- "crypto/tls"
- "net/http"
-)
-
-type Config struct {
- BindAddress string
- Mux http.Handler
- TLS *tls.Config
-}
-
-func New(addr string, options ...Option) *Config {
- if addr == "" {
- addr = ":0"
- }
-
- c := &Config{
- BindAddress: addr,
- Mux: http.DefaultServeMux,
- }
- for _, option := range options {
- option(c)
- }
- return c
-}
-
-func (c *Config) Run(server *http.Server) error {
- if c.TLS != nil {
- return server.ListenAndServeTLS("", "")
- }
- return server.ListenAndServe()
-}
diff --git a/pkg/cfg/mux.go b/pkg/cfg/mux.go
deleted file mode 100644
index 6c6f4375..00000000
--- a/pkg/cfg/mux.go
+++ /dev/null
@@ -1,11 +0,0 @@
-package cfg
-
-import (
- "net/http"
-)
-
-func WithMux(mux http.Handler) Option {
- return func(config *Config) {
- config.Mux = mux
- }
-}
diff --git a/pkg/cfg/option.go b/pkg/cfg/option.go
deleted file mode 100644
index 0f3e87d8..00000000
--- a/pkg/cfg/option.go
+++ /dev/null
@@ -1,3 +0,0 @@
-package cfg
-
-type Option func(*Config)
diff --git a/pkg/cfg/tls.go b/pkg/cfg/tls.go
deleted file mode 100644
index bce6e186..00000000
--- a/pkg/cfg/tls.go
+++ /dev/null
@@ -1,75 +0,0 @@
-package cfg
-
-import (
- "context"
- "crypto/tls"
- "crypto/x509"
- "encoding/pem"
- "io/ioutil"
- "net/http"
- "os"
- "path/filepath"
-
- "github.com/caddyserver/certmagic"
- "github.com/xlgmokha/x/pkg/x"
- "go.uber.org/zap"
-)
-
-func WithSelfSigned(cert, key string) Option {
- certificate := x.Must(tls.LoadX509KeyPair(cert, key))
-
- return func(config *Config) {
- config.TLS = &tls.Config{
- MinVersion: tls.VersionTLS13,
- Certificates: []tls.Certificate{certificate},
- }
- }
-}
-
-func WithTLS(domainNames []string) Option {
- directoryURL := "https://localhost:8081/acme/acme/directory"
- storage := &certmagic.FileStorage{
- Path: filepath.Join(x.Must(os.Getwd()), "/tmp/cache"),
- }
- var cache *certmagic.Cache
- cache = certmagic.NewCache(certmagic.CacheOptions{
- GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
- return certmagic.New(cache, certmagic.Config{
- Logger: x.Must(zap.NewProduction()),
- OnDemand: new(certmagic.OnDemandConfig),
- Storage: storage,
- }), nil
- },
- })
- roots := x.Must(x509.SystemCertPool())
- roots.AddCert(func() *x509.Certificate {
- block, _ := pem.Decode(x.Must(ioutil.ReadFile(
- filepath.Join(x.Must(os.Getwd()), "/tmp/step/certs/root_ca.crt"),
- )))
- return x.Must(x509.ParseCertificate(block.Bytes))
- }())
- magic := certmagic.New(cache, certmagic.Config{
- Logger: x.Must(zap.NewProduction()),
- OnDemand: new(certmagic.OnDemandConfig),
- Storage: storage,
- })
- issuer := certmagic.NewACMEIssuer(magic, certmagic.ACMEIssuer{
- Agreed: true,
- Email: "email@example.com",
- CA: directoryURL,
- TestCA: directoryURL,
- TrustedRoots: roots,
- })
- magic.Issuers = []certmagic.Issuer{issuer}
-
- if err := http.ListenAndServe(":80", issuer.HTTPChallengeHandler(http.DefaultServeMux)); err != nil {
- return func(*Config) {}
- }
-
- x.Check(magic.ManageSync(context.Background(), domainNames))
-
- return func(config *Config) {
- config.TLS = magic.TLSConfig()
- config.TLS.NextProtos =
append([]string{"h2", "http/1.1"}, config.TLS.NextProtos...)
- }
-}
diff --git a/pkg/policies/policies_test.go b/pkg/policies/policies_test.go
index 24ef6c68..9dc98bcd 100644
--- a/pkg/policies/policies_test.go
+++ b/pkg/policies/policies_test.go
@@ -6,7 +6,7 @@ import (
 "github.com/cedar-policy/cedar-go"
 "github.com/stretchr/testify/assert"
- "gitlab.com/mokhax/spike/pkg/gid"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authz.d/pkg/gid"
 )
 func build(f func(*cedar.Request)) *cedar.Request {
diff --git a/pkg/prxy/prxy.go b/pkg/prxy/prxy.go
deleted file mode 100644
index 43565bd3..00000000
--- a/pkg/prxy/prxy.go
+++ /dev/null
@@ -1,43 +0,0 @@
-package prxy
-
-import (
- "fmt"
- "net"
- "net/http"
- "net/http/httputil"
- "net/url"
-
- "github.com/xlgmokha/x/pkg/log"
- "github.com/xlgmokha/x/pkg/x"
-)
-
-func New(routes map[string]string) http.Handler {
- mapped := map[string]*url.URL{}
- for source, destination := range routes {
- mapped[source] = x.Must(url.Parse(destination))
- }
-
- return &httputil.ReverseProxy{
- Rewrite: func(r *httputil.ProxyRequest) {
- host, _, err := net.SplitHostPort(r.In.Host)
- if err != nil {
- log.WithFields(r.In.Context(), log.Fields{"error": err})
- return
- }
-
- destination := mapped[host]
- r.SetXForwarded()
- r.SetURL(destination)
- },
- Transport: http.DefaultTransport,
- FlushInterval: -1,
- ErrorLog: nil,
- ModifyResponse: func(r *http.Response) error {
- r.Header.Add("Via", fmt.Sprintf("%v gtwy", r.Proto))
- return nil
- },
- ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
- log.WithFields(r.Context(), log.Fields{"error": err})
- },
- }
-}
diff --git a/pkg/prxy/prxy_test.go b/pkg/prxy/prxy_test.go
deleted file mode 100644
index 6f37974e..00000000
--- a/pkg/prxy/prxy_test.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package prxy
-
-import (
- "net/http"
- "net/http/httptest"
- "net/url"
- "testing"
-
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- "github.com/xlgmokha/x/pkg/x"
- "gitlab.com/mokhax/spike/pkg/test"
-)
-
-func TestProxy(t *testing.T) {
- t.Run("http://idp.test", func(t *testing.T) {
- var lastIdPRequest *http.Request
- var lastUiRequest *http.Request
-
- idp := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- lastIdPRequest = r
- w.WriteHeader(http.StatusOK)
- }))
- defer idp.Close()
-
- ui := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- lastUiRequest = r
- w.WriteHeader(http.StatusTeapot)
- }))
- defer ui.Close()
-
- subject := New(map[string]string{
- "idp.test": idp.URL,
- "ui.test": ui.URL,
- })
-
- r, w := test.RequestResponse("GET", "http://idp.test:8080/saml/new")
-
- subject.ServeHTTP(w, r)
-
- url := x.Must(url.Parse(idp.URL))
-
- assert.Nil(t, lastUiRequest)
- assert.Equal(t, http.StatusOK, w.Code)
-
- require.NotNil(t, lastIdPRequest)
- assert.Equal(t, url.Host, lastIdPRequest.Host)
- })
-}
diff --git a/pkg/rpc/ability.pb.go b/pkg/rpc/ability.pb.go
index 48dd0b24..939719fc 100644
--- a/pkg/rpc/ability.pb.go
+++ b/pkg/rpc/ability.pb.go
@@ -129,7 +129,7 @@ var File_ability_proto protoreflect.FileDescriptor const file_ability_proto_rawDesc = "" + "\n" + - "\rability.proto\x12\tauthx.rpc\"d\n" + + "\rability.proto\x12\tauthz.rpc\"d\n" + "\fAllowRequest\x12\x18\n" + "\asubject\x18\x01 \x01(\tR\asubject\x12\x1e\n" + "\n" +
@@ -140,7 +140,7 @@ const file_ability_proto_rawDesc = "" + "AllowReply\x12\x16\n" + "\x06result\x18\x01 \x01(\bR\x06result2F\n" + "\aAbility\x12;\n" + - "\aAllowed\x12\x17.authx.rpc.AllowRequest\x1a\x15.authx.rpc.AllowReply\"\x00B!Z\x1fgitlab.com/mokhax/spike/pkg/rpcb\x06proto3" + "\aAllowed\x12\x17.authz.rpc.AllowRequest\x1a\x15.authz.rpc.AllowReply\"\x00B\tZ\apkg/rpcb\x06proto3" var ( file_ability_proto_rawDescOnce sync.Once @@ -156,12 +156,12 @@ func file_ability_proto_rawDescGZIP() []byte { var file_ability_proto_msgTypes = make([]protoimpl.MessageInfo, 2) var file_ability_proto_goTypes = []any{ - (*AllowRequest)(nil), // 0: authx.rpc.AllowRequest - (*AllowReply)(nil), // 1: authx.rpc.AllowReply + (*AllowRequest)(nil), // 0: authz.rpc.AllowRequest + (*AllowReply)(nil), // 1: authz.rpc.AllowReply } var file_ability_proto_depIdxs = []int32{ - 0, // 0: authx.rpc.Ability.Allowed:input_type -> authx.rpc.AllowRequest - 1, // 1: authx.rpc.Ability.Allowed:output_type -> authx.rpc.AllowReply + 0, // 0: authz.rpc.Ability.Allowed:input_type -> authz.rpc.AllowRequest + 1, // 1: authz.rpc.Ability.Allowed:output_type -> authz.rpc.AllowReply 1, // [1:2] is the sub-list for method output_type 0, // [0:1] is the sub-list for method input_type 0, // [0:0] is the sub-list for extension type_name diff --git a/pkg/rpc/gitlab.com/mokhax/spike/pkg/rpc/ability.twirp.go b/pkg/rpc/ability.twirp.go index ea2c3d17..f5a33296 100644 --- a/pkg/rpc/gitlab.com/mokhax/spike/pkg/rpc/ability.twirp.go +++ b/pkg/rpc/ability.twirp.go @@ -68,7 +68,7 @@ func NewAbilityProtobufClient(baseURL string, client HTTPClient, opts ...twirp.C // Build method URLs: <baseURL>[<prefix>]/<package>.<Service>/<Method> serviceURL := sanitizeBaseURL(baseURL) - serviceURL += baseServicePath(pathPrefix, "authx.rpc", "Ability") + serviceURL += baseServicePath(pathPrefix, "authz.rpc", "Ability") urls := [1]string{ serviceURL + "Allowed", } 
@@ -82,7 +82,7 @@ func NewAbilityProtobufClient(baseURL string, client HTTPClient, opts ...twirp.C } func (c *abilityProtobufClient) Allowed(ctx context.Context, in *AllowRequest) (*AllowReply, error) { - ctx = ctxsetters.WithPackageName(ctx, "authx.rpc") + ctx = ctxsetters.WithPackageName(ctx, "authz.rpc") ctx = ctxsetters.WithServiceName(ctx, "Ability") ctx = ctxsetters.WithMethodName(ctx, "Allowed") caller := c.callAllowed @@ -160,7 +160,7 @@ func NewAbilityJSONClient(baseURL string, client HTTPClient, opts ...twirp.Clien // Build method URLs: <baseURL>[<prefix>]/<package>.<Service>/<Method> serviceURL := sanitizeBaseURL(baseURL) - serviceURL += baseServicePath(pathPrefix, "authx.rpc", "Ability") + serviceURL += baseServicePath(pathPrefix, "authz.rpc", "Ability") urls := [1]string{ serviceURL + "Allowed", } @@ -174,7 +174,7 @@ func NewAbilityJSONClient(baseURL string, client HTTPClient, opts ...twirp.Clien } func (c *abilityJSONClient) Allowed(ctx context.Context, in *AllowRequest) (*AllowReply, error) { - ctx = ctxsetters.WithPackageName(ctx, "authx.rpc") + ctx = ctxsetters.WithPackageName(ctx, "authz.rpc") ctx = ctxsetters.WithServiceName(ctx, "Ability") ctx = ctxsetters.WithMethodName(ctx, "Allowed") caller := c.callAllowed 
@@ -281,11 +281,11 @@ func (s *abilityServer) handleRequestBodyError(ctx context.Context, resp http.Re // Should be used with caution, it only matches routes generated by Twirp Go clients, // with the default "/twirp" prefix and default CamelCase service and method names. // More info: https://twitchtv.github.io/twirp/docs/routing.html -const AbilityPathPrefix = "/twirp/authx.rpc.Ability/" +const AbilityPathPrefix = "/twirp/authz.rpc.Ability/" func (s *abilityServer) ServeHTTP(resp http.ResponseWriter, req *http.Request) { ctx := req.Context() - ctx = ctxsetters.WithPackageName(ctx, "authx.rpc") + ctx = ctxsetters.WithPackageName(ctx, "authz.rpc") ctx = ctxsetters.WithServiceName(ctx, "Ability") ctx = ctxsetters.WithResponseWriter(ctx, resp) @@ -304,7 +304,7 @@ func (s *abilityServer) ServeHTTP(resp http.ResponseWriter, req *http.Request) { // Verify path format: [<prefix>]/<package>.<Service>/<Method> prefix, pkgService, method := parseTwirpPath(req.URL.Path) - if pkgService != "authx.rpc.Ability" { + if pkgService != "authz.rpc.Ability" { msg := fmt.Sprintf("no handler for path %q", req.URL.Path) s.writeError(ctx, resp, badRouteError(msg, req.Method, req.URL.Path)) return @@ -518,7 +518,7 @@ func (s *abilityServer) ProtocGenTwirpVersion() string { // that is everything in a Twirp route except for the <Method>. This can be used for routing, // for example to identify the requests that are targeted to this service in a mux. func (s *abilityServer) PathPrefix() string { - return baseServicePath(s.pathPrefix, "authx.rpc", "Ability") + return baseServicePath(s.pathPrefix, "authz.rpc", "Ability") } // ===== 
@@ -1087,19 +1087,18 @@ func callClientError(ctx context.Context, h *twirp.ClientHooks, err twirp.Error) } var twirpFileDescriptor0 = []byte{ - // 216 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x64, 0x90, 0xbd, 0x4e, 0xc3, 0x30, - 0x14, 0x46, 0x29, 0x48, 0x4d, 0x7b, 0x05, 0x8b, 0x25, 0xc0, 0xea, 0xc0, 0x4f, 0xc4, 0xc0, 0x64, - 0x4b, 0x30, 0x32, 0x95, 0x81, 0x07, 0xc8, 0xc8, 0x66, 0xbb, 0x57, 0xad, 0x89, 0x83, 0x2f, 0xfe, - 0x11, 0xcd, 0xdb, 0x23, 0x39, 0x21, 0x8a, 0xd4, 0xf1, 0xf8, 0xc8, 0xfa, 0x8e, 0x2e, 0x5c, 0x29, - 0x6d, 0x9d, 0x4d, 0xbd, 0xa0, 0xe0, 0x93, 0x67, 0x6b, 0x95, 0xd3, 0xe1, 0x28, 0x02, 0x99, 0x7a, - 0x07, 0x97, 0x5b, 0xe7, 0xfc, 0x6f, 0x83, 0x3f, 0x19, 0x63, 0x62, 0x1c, 0xaa, 0x98, 0xf5, 0x17, - 0x9a, 0xc4, 0x17, 0x0f, 0x8b, 0xe7, 0x75, 0xf3, 0x8f, 0xec, 0x0e, 0x80, 0x30, 0x74, 0x36, 0x46, - 0xeb, 0xbf, 0xf9, 0x79, 0x91, 0xb3, 0x17, 0xb6, 0x81, 0x55, 0xc0, 0xe8, 0x73, 0x30, 0xc8, 0x2f, - 0x8a, 0x9d, 0xb8, 0x7e, 0x02, 0x18, 0x57, 0xc8, 0xf5, 0xec, 0x06, 0x96, 0x01, 0x63, 0x76, 0xc3, - 0xc4, 0xaa, 0x19, 0xe9, 0xe5, 0x03, 0xaa, 0xed, 0xd0, 0xc9, 0xde, 0xa0, 0x2a, 0x1f, 0x70, 0xc7, - 0x6e, 0xc5, 0x54, 0x2b, 0xe6, 0xa9, 0x9b, 0xeb, 0x53, 0x41, 0xae, 0xaf, 0xcf, 0xde, 0x1f, 0x3f, - 0xef, 0xf7, 0x36, 0x39, 0xa5, 0x85, 0xf1, 0x9d, 0xec, 0x7c, 0x7b, 0x50, 0x47, 0x19, 0xc9, 0xb6, - 0x28, 0xa9, 0xdd, 0xcb, 0x40, 0x46, 0x2f, 0xcb, 0x21, 0x5e, 0xff, 0x02, 0x00, 0x00, 0xff, 0xff, - 0xe2, 0x96, 0x42, 0xb1, 0x19, 0x01, 0x00, 0x00, + // 196 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4d, 0x4c, 0xca, 0xcc, + 0xc9, 0x2c, 0xa9, 0xd4, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0xe2, 0x4c, 0x2c, 0x2d, 0xc9, 0xa8, + 0xd2, 0x2b, 0x2a, 0x48, 0x56, 0x4a, 0xe1, 0xe2, 0x71, 0xcc, 0xc9, 0xc9, 0x2f, 0x0f, 0x4a, 0x2d, + 0x2c, 0x4d, 0x2d, 0x2e, 0x11, 0x92, 0xe0, 0x62, 0x2f, 0x2e, 0x4d, 0xca, 0x4a, 0x4d, 0x2e, 0x91, + 0x60, 0x54, 0x60, 0xd4, 0xe0, 0x0c, 0x82, 
0x71, 0x85, 0xe4, 0xb8, 0xb8, 0x0a, 0x52, 0x8b, 0x72, + 0x33, 0x8b, 0x8b, 0x33, 0xf3, 0xf3, 0x24, 0x98, 0xc0, 0x92, 0x48, 0x22, 0x42, 0x52, 0x5c, 0x1c, + 0x45, 0xa9, 0xc5, 0xf9, 0xa5, 0x45, 0xc9, 0xa9, 0x12, 0xcc, 0x60, 0x59, 0x38, 0x5f, 0x49, 0x85, + 0x8b, 0x0b, 0x6a, 0x4b, 0x41, 0x4e, 0xa5, 0x90, 0x18, 0x17, 0x5b, 0x51, 0x6a, 0x71, 0x69, 0x0e, + 0xc4, 0x0a, 0x8e, 0x20, 0x28, 0xcf, 0xc8, 0x8d, 0x8b, 0xdd, 0x11, 0xe2, 0x4e, 0x21, 0x6b, 0x2e, + 0x76, 0xb0, 0x86, 0xd4, 0x14, 0x21, 0x71, 0x3d, 0xb8, 0x6b, 0xf5, 0x90, 0x9d, 0x2a, 0x25, 0x8a, + 0x29, 0x51, 0x90, 0x53, 0xa9, 0xc4, 0xe0, 0xc4, 0x19, 0xc5, 0x5e, 0x90, 0x9d, 0xae, 0x5f, 0x54, + 0x90, 0x9c, 0xc4, 0x06, 0xf6, 0xb0, 0x31, 0x20, 0x00, 0x00, 0xff, 0xff, 0x72, 0x35, 0x46, 0x7c, + 0x01, 0x01, 0x00, 0x00, } diff --git a/pkg/rpc/ability_grpc.pb.go b/pkg/rpc/ability_grpc.pb.go deleted file mode 100644 index 4d74cc41..00000000 --- a/pkg/rpc/ability_grpc.pb.go +++ /dev/null 
@@ -1,121 +0,0 @@ -// Code generated by protoc-gen-go-grpc. DO NOT EDIT. -// versions: -// - protoc-gen-go-grpc v1.5.1 -// - protoc v3.19.6 -// source: ability.proto - -package rpc - -import ( - context "context" - grpc "google.golang.org/grpc" - codes "google.golang.org/grpc/codes" - status "google.golang.org/grpc/status" -) - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the grpc package it is being compiled against. -// Requires gRPC-Go v1.64.0 or later. -const _ = grpc.SupportPackageIsVersion9 - -const ( - Ability_Allowed_FullMethodName = "/authx.rpc.Ability/Allowed" -) - -// AbilityClient is the client API for Ability service. -// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type AbilityClient interface { - Allowed(ctx context.Context, in *AllowRequest, opts ...grpc.CallOption) (*AllowReply, error) -} - -type abilityClient struct { - cc grpc.ClientConnInterface -} - -func NewAbilityClient(cc grpc.ClientConnInterface) AbilityClient { - return &abilityClient{cc} -} - -func (c *abilityClient) Allowed(ctx context.Context, in *AllowRequest, opts ...grpc.CallOption) (*AllowReply, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - out := new(AllowReply) - err := c.cc.Invoke(ctx, Ability_Allowed_FullMethodName, in, out, cOpts...) - if err != nil { - return nil, err - } - return out, nil -} - -// AbilityServer is the server API for Ability service. -// All implementations must embed UnimplementedAbilityServer -// for forward compatibility. -type AbilityServer interface { - Allowed(context.Context, *AllowRequest) (*AllowReply, error) - mustEmbedUnimplementedAbilityServer() -} - -// UnimplementedAbilityServer must be embedded to have -// forward compatible implementations. 
-// -// NOTE: this should be embedded by value instead of pointer to avoid a nil -// pointer dereference when methods are called. -type UnimplementedAbilityServer struct{} - -func (UnimplementedAbilityServer) Allowed(context.Context, *AllowRequest) (*AllowReply, error) { - return nil, status.Errorf(codes.Unimplemented, "method Allowed not implemented") -} -func (UnimplementedAbilityServer) mustEmbedUnimplementedAbilityServer() {} -func (UnimplementedAbilityServer) testEmbeddedByValue() {} - -// UnsafeAbilityServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to AbilityServer will -// result in compilation errors. -type UnsafeAbilityServer interface { - mustEmbedUnimplementedAbilityServer() -} - -func RegisterAbilityServer(s grpc.ServiceRegistrar, srv AbilityServer) { - // If the following call pancis, it indicates UnimplementedAbilityServer was - // embedded by pointer and is nil. This will cause panics if an - // unimplemented method is ever invoked, so we test this at initialization - // time to prevent it from happening at runtime later due to I/O. - if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { - t.testEmbeddedByValue() - } - s.RegisterService(&Ability_ServiceDesc, srv) -} - -func _Ability_Allowed_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(AllowRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(AbilityServer).Allowed(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: Ability_Allowed_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(AbilityServer).Allowed(ctx, req.(*AllowRequest)) - } - return interceptor(ctx, in, info, handler) -} - -// Ability_ServiceDesc is the grpc.ServiceDesc for Ability service. 
-// It's only intended for direct use with grpc.RegisterService, -// and not to be introspected or modified (even as a copy) -var Ability_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "authx.rpc.Ability", - HandlerType: (*AbilityServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "Allowed", - Handler: _Ability_Allowed_Handler, - }, - }, - Streams: []grpc.StreamDesc{}, - Metadata: "ability.proto", -}
diff --git a/pkg/rpc/ability_service.go b/pkg/rpc/ability_service.go
index 18327d52..db2e8fab 100644
--- a/pkg/rpc/ability_service.go
+++ b/pkg/rpc/ability_service.go
@@ -4,12 +4,11 @@ import (
 context "context"
 "github.com/cedar-policy/cedar-go"
- "gitlab.com/mokhax/spike/pkg/gid"
- "gitlab.com/mokhax/spike/pkg/policies"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authz.d/pkg/gid"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authz.d/pkg/policies"
 )
 type AbilityService struct {
- UnimplementedAbilityServer
 }
 func NewAbilityService() *AbilityService {
diff --git a/pkg/rpc/server.go b/pkg/rpc/server.go
index 08246b5b..a37df9fc 100644
--- a/pkg/rpc/server.go
+++ b/pkg/rpc/server.go
@@ -1,11 +1,21 @@
 package rpc
 import (
- grpc "google.golang.org/grpc"
+ fmt "fmt"
+ http "net/http"
 )
-func New(options ...grpc.ServerOption) *grpc.Server {
- server := grpc.NewServer(options...)
- RegisterAbilityServer(server, NewAbilityService())
- return server
+func New() http.Handler {
+ mux := http.NewServeMux()
+ for _, handler := range handlers() {
+ fmt.Printf("Registering : %v\n", handler.PathPrefix())
+ mux.Handle(handler.PathPrefix(), handler)
+ }
+ return mux
+}
+
+func handlers() []TwirpServer {
+ return []TwirpServer{
+ NewAbilityServer(NewAbilityService()),
+ }
 }
diff --git a/pkg/rpc/server_test.go b/pkg/rpc/server_test.go
index da60f86a..fd6e6237 100644
--- a/pkg/rpc/server_test.go
+++ b/pkg/rpc/server_test.go
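Review bot: Dropping the `UnimplementedAbilityServer` embed from `AbilityService` in ability_service.go leaves nothing that checks at compile time that `*AbilityService` still satisfies the service interface `NewAbilityServer` takes, so a drift in the `Allowed` signature would only surface at the `NewAbilityServer(NewAbilityService())` call site in server.go. A one-line assertion next to the type pins it: `var _ Ability = (*AbilityService)(nil)` (Twirp generates a service interface of that name alongside `NewAbilityServer`; confirm the identifier against the regenerated ability.twirp.go). The now-empty struct body would read more naturally as `type AbilityService struct{}`.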
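Review bot: `New` in server.go now returns a bare `http.Handler`, and this same commit deletes pkg/srv/srv.go, which was the only code on the page setting `ReadHeaderTimeout`, `ReadTimeout`, `WriteTimeout` and `IdleTimeout` on the `http.Server`; nothing in the diff shows where the new handler is served, so whichever caller mounts it should construct an `http.Server` with those timeouts rather than rely on `http.ListenAndServe`, whose defaults have none and let slow or idle clients hold connections open indefinitely. Separately, the registration message goes to stdout via `fmt.Printf` from package code; `log.Printf("registering %s", handler.PathPrefix())` (or the project's logger) keeps it on the log stream and drops the `fmt` import. `handler.PathPrefix()` is also evaluated twice per iteration; a local `prefix := handler.PathPrefix()` avoids that.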
@@ -1,35 +1,19 @@
 package rpc
 import (
- "net"
+ http "net/http"
+ "net/http/httptest"
 "testing"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- grpc "google.golang.org/grpc"
- "google.golang.org/grpc/credentials/insecure"
 )
 func TestServer(t *testing.T) {
- listener, err := net.Listen("tcp", "localhost:0")
- require.NoError(t, err)
- defer listener.Close()
+ srv := httptest.NewServer(New())
+ defer srv.Close()
- server := New()
- defer server.Stop()
-
- go func() {
- require.NoError(t, server.Serve(listener))
- }()
-
- connection, err := grpc.NewClient(
- listener.Addr().String(),
- grpc.WithTransportCredentials(insecure.NewCredentials()),
- )
- require.NoError(t, err)
-
- defer connection.Close()
- client := NewAbilityClient(connection)
+ client := NewAbilityProtobufClient(srv.URL, &http.Client{})
 t.Run("forbids", func(t *testing.T) {
 reply, err := client.Allowed(t.Context(), &AllowRequest{
diff --git a/pkg/srv/srv.go b/pkg/srv/srv.go
deleted file mode 100644
index e7189406..00000000
--- a/pkg/srv/srv.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package srv
-
-import (
- "log"
- "net/http"
- "time"
-
- "gitlab.com/mokhax/spike/pkg/cfg"
-)
-
-func New(c *cfg.Config) *http.Server {
- return &http.Server{
- Addr: c.BindAddress,
- Handler: c.Mux,
- TLSConfig: c.TLS,
- ReadHeaderTimeout: 10 * time.Second,
- ReadTimeout: 30 * time.Second,
- WriteTimeout: 30 * time.Second,
- IdleTimeout: 30 * time.Second,
- ErrorLog: log.Default(),
- }
-}
-
-func Run(c *cfg.Config) error {
- return c.Run(New(c))
-}
diff --git a/pkg/test/test.go b/pkg/test/test.go
deleted file mode 100644
index 9963323a..00000000
--- a/pkg/test/test.go
+++ /dev/null
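Review bot: In server_test.go the Twirp client is built with `&http.Client{}`, which has no `Timeout`, so a stalled handler would hang the test until the package deadline instead of failing the case. `httptest.Server` already provides a client wired to the test server and closed with it; `client := NewAbilityProtobufClient(srv.URL, srv.Client())` uses it, and a `Timeout` can be set on that client if a hang guard is wanted. TestServer continues past the end of the hunk.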
@@ -1,49 +0,0 @@
-package test
-
-import (
- "context"
- "io"
- "net/http"
- "net/http/httptest"
-)
-
-type RequestOption func(*http.Request) *http.Request
-
-func Request(method, target string, options ...RequestOption) *http.Request {
- request := httptest.NewRequest(method, target, nil)
- for _, option := range options {
- request = option(request)
- }
- return request
-}
-
-func RequestResponse(method, target string, options ...RequestOption) (*http.Request, *httptest.ResponseRecorder) {
- return Request(method, target, options...), httptest.NewRecorder()
-}
-
-func WithRequestHeader(key, value string) RequestOption {
- return func(r *http.Request) *http.Request {
- r.Header.Set(key, value)
- return r
- }
-}
-
-func WithRequestBody(body io.ReadCloser) RequestOption {
- return func(r *http.Request) *http.Request {
- r.Body = body
- return r
- }
-}
-
-func WithContext(ctx context.Context) RequestOption {
- return func(r *http.Request) *http.Request {
- return r.WithContext(ctx)
- }
-}
-
-func WithCookie(cookie *http.Cookie) RequestOption {
- return func(r *http.Request) *http.Request {
- r.AddCookie(cookie)
- return r
- }
-}
|
