From 68558decefd9562a5c8ee3ffa9c197b244e65321 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 18 Jun 2025 16:19:14 -0600
Subject: feat: implement a bare bones envoy ext-authz server
---
 Cargo.lock | 12 ++++++++++++
 Cargo.toml | 1 +
 src/server.rs | 44 ++++++++++++++++++++++++++++++++++++--------
 3 files changed, 49 insertions(+), 8 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 2be68e7..309635e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -53,6 +53,7 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 name = "authzd"
 version = "0.1.0"
 dependencies = [
+ "envoy-types",
 "prost",
 "tokio",
 "tonic",
@@ -149,6 +150,17 @@ version = "1.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
+[[package]]
+name = "envoy-types"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "065b6b0018b25902cab074d44c0e2098205329b6b5a309a33cc688bc0ac9573d"
+dependencies = [
+ "futures-core",
+ "prost",
+ "tonic",
+]
+
 [[package]]
 name = "equivalent"
 version = "1.0.2"
diff --git a/Cargo.toml b/Cargo.toml
index 2cf2463..9c19c33 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,6 +12,7 @@ name = "authzd-client"
 path = "src/client.rs"
 [dependencies]
+envoy-types = "0.6.0"
 prost = "0.13"
 tokio = { version = "1.0", features = ["macros", "rt-multi-thread"] }
 tonic = "*"
diff --git a/src/server.rs b/src/server.rs
index b52c56f..3b7d55e 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -1,10 +1,39 @@
-use tonic::{Request, Response, Status, transport::Server};
-
+use authz_rpc::ability_server::{Ability, AbilityServer};
+use authz_rpc::{AllowReply, AllowRequest};
+use envoy_types::ext_authz::v3::pb::{
+ Authorization, AuthorizationServer, CheckRequest, CheckResponse,
+};
+use envoy_types::ext_authz::v3::{CheckRequestExt, CheckResponseExt};
 use hello_world::greeter_server::{Greeter, GreeterServer};
 use hello_world::{HelloReply, HelloRequest};
+use tonic::{Request, Response, Status, transport::Server};
-use authz_rpc::ability_server::{Ability, AbilityServer};
-use authz_rpc::{AllowReply, AllowRequest};
+#[derive(Default)]
+struct MyServer;
+
+#[tonic::async_trait]
+impl Authorization for MyServer {
+ async fn check(
+ &self,
+ request: Request,
+ ) -> Result, Status> {
+ let request = request.into_inner();
+
+ let client_headers = request
+ .get_client_headers()
+ .ok_or_else(|| Status::invalid_argument("client headers not populated by envoy"))?;
+
+ let mut request_status = Status::unauthenticated("not authorized");
+
+ if let Some(authorization) = client_headers.get("authorization") {
+ if authorization == "Bearer valid-token" {
+ request_status = Status::ok("request is valid");
+ }
+ }
+
+ Ok(Response::new(CheckResponse::with_status(request_status)))
+ }
+}
 pub mod authz_rpc {
 tonic::include_proto!("authz.rpc");
@@ -52,12 +81,11 @@ impl Greeter for MyGreeter {
 #[tokio::main]
 async fn main() -> Result<(), Box> {
 let addr = "[::1]:50051".parse()?;
- let ability = MyAbility::default();
- let greeter = MyGreeter::default();
 Server::builder()
- .add_service(GreeterServer::new(greeter))
- .add_service(AbilityServer::new(ability))
+ .add_service(GreeterServer::new(MyGreeter::default()))
+ .add_service(AbilityServer::new(MyAbility::default()))
+ .add_service(AuthorizationServer::new(MyServer::default()))
 .serve(addr)
 .await?;
-- cgit v1.2.3
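Review bot: Returning `Err(Status::invalid_argument(..))` from `check` when `get_client_headers()` is `None` reports a transport-level error rather than a denial, and Envoy handles the two differently: a denial carried in `CheckResponse` is always enforced, whereas an RPC error is subject to the ext_authz filter's `failure_mode_allow` setting and, if that is enabled, the request is let through. Keep the decision inside the response so the authorizer is fail-closed regardless of proxy configuration: `let Some(client_headers) = request.get_client_headers() else { return Ok(Response::new(CheckResponse::with_status(Status::unauthenticated("client headers not populated by envoy")))); };`. The `"Bearer valid-token"` literal is clearly a placeholder, but since it is the only credential check in the server it deserves a marker such as `// TODO: hard-coded dev credential; load the expected secret from config and compare in constant time (or verify a JWT) before this runs anywhere real.` Also note that, as far as I recall, Envoy maps any non-OK status in `CheckResponse` to HTTP 403 unless `denied_response` sets an explicit status, so `Status::unauthenticated` here will not yield a 401/`WWW-Authenticate` challenge for a missing header — worth a comment on the `request_status` line if clients rely on that.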
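Review bot: The new `AuthorizationServer` is registered on the same plaintext listener as the demo `Greeter`/`Ability` services, so every ext_authz `CheckRequest` Envoy sends — including the end user's `Authorization` header — now travels unencrypted to `[::1]:50051`. That is acceptable while Envoy is co-located on loopback, but nothing in `main` records that assumption; I would add `// Plaintext on loopback only: ext_authz checks carry client credentials, so enable TLS/mTLS before binding to a non-local address.` above the `let addr` line. `main`'s body continues past the end of the hunk.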