authormo khan <mo@mokhan.ca>2025-06-26 14:36:34 -0600
committermo khan <mo@mokhan.ca>2025-06-26 14:36:34 -0600
commitfeca0a2a1680a0071e8223adcc861d8c0cc8aea9 (patch)
tree436f5830b803223da24ee9e3ea0d1f011cfb6435
parent0275f5dca7c66640587294b95ce396dd6d6a02c8 (diff)
feat: connect to the remove authorization daemon
-rw-r--r--cmd/authzd/main.go15
-rw-r--r--pkg/authz/check_service.go20
-rw-r--r--pkg/authz/check_service_test.go2
-rw-r--r--pkg/authz/server.go16
4 files changed, 47 insertions, 6 deletions
diff --git a/cmd/authzd/main.go b/cmd/authzd/main.go
index 35f95a2..32a7cc7 100644
--- a/cmd/authzd/main.go
+++ b/cmd/authzd/main.go
@@ -7,16 +7,29 @@ import (
"os/signal"
"syscall"
+ "github.com/xlgmokha/x/pkg/env"
"github.com/xlgmokha/x/pkg/log"
"github.com/xlgmokha/x/pkg/x"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/authz"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials/insecure"
)
func main() {
logger := log.New(os.Stdout, log.Fields{"app": "authzd"})
ctx := logger.WithContext(context.Background())
- server := authz.New(ctx)
+
+ connection, err := grpc.NewClient(
+ env.Fetch("AUTHZD_HOST", "localhost:50051"),
+ grpc.WithTransportCredentials(insecure.NewCredentials()),
+ )
+ if err != nil {
+ pls.LogErrorNow(ctx, err)
+ }
+ defer connection.Close()
+
+ server := authz.New(authz.Connection.With(ctx, connection))
c := make(chan os.Signal, 1)
signal.Notify(c, syscall.SIGINT, syscall.SIGTERM)
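Review bot: When `grpc.NewClient` fails, the new code logs at `pls.LogErrorNow(ctx, err)` and then falls through to `defer connection.Close()` and `authz.Connection.With(ctx, connection)` with a nil connection; unless LogErrorNow terminates the process (its body is not visible here), the branch needs `pls.LogErrorNow(ctx, err); return` or an explicit `os.Exit(1)`. The dial also uses `insecure.NewCredentials()` while the target comes from `AUTHZD_HOST`, so any non-loopback value sends authorization requests and receives allow/deny decisions over plaintext with no server authentication; the `localhost:50051` default hides this. A comment such as `// TODO: plaintext transport is only acceptable for a loopback authzd; supply TLS credentials before pointing AUTHZD_HOST at a remote host.` or a configurable credentials option would make the constraint visible. main continues past the end of the hunk.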
diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 7057558..48f6d88 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -35,18 +35,32 @@ var public map[string]bool = map[string]bool{
}
type CheckService struct {
+ client auth.AuthorizationClient
auth.UnimplementedAuthorizationServer
}
-func NewCheckService() *CheckService {
- return &CheckService{}
+func NewCheckService(client auth.AuthorizationClient) *CheckService {
+ return &CheckService{
+ client: client,
+ }
}
func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
if svc.isAllowed(ctx, request) {
return svc.OK(ctx), nil
}
- return svc.Denied(ctx), nil
+
+ if x.IsZero(svc.client) {
+ return svc.Denied(ctx), nil
+ }
+
+ response, err := svc.client.Check(ctx, request)
+ if err != nil {
+ pls.LogError(ctx, err)
+ return svc.Denied(ctx), nil
+ }
+ log.WithFields(ctx, log.Fields{"authzd": response})
+ return response, err
}
func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool {
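Review bot: The value returned by `log.WithFields(ctx, log.Fields{"authzd": response})` is discarded; if WithFields derives a context or logger rather than emitting a record (its signature is not in this hunk), the upstream decision is never logged and the statement is a no-op, which matters because remote allow/deny outcomes are what incident response needs to reconstruct — confirm, and otherwise log the decision explicitly. On the same path `return response, err` runs only when err is nil, so `return response, nil` states the intent. The fail-closed handling of upstream errors is correct and deserves a doc comment above Check, e.g. `// Check allows requests matched by local policy; otherwise it defers to the upstream authorization client, and any upstream error is logged and reported as Denied. A nil client keeps the local-only behavior.`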
diff --git a/pkg/authz/check_service_test.go b/pkg/authz/check_service_test.go
index 2f640dc..9a0f4e8 100644
--- a/pkg/authz/check_service_test.go
+++ b/pkg/authz/check_service_test.go
@@ -12,7 +12,7 @@ import (
)
func TestCheckService(t *testing.T) {
- svc := CheckService{}
+ svc := NewCheckService(nil)
t.Run("allows access", func(t *testing.T) {
idToken := "eyJ0eXAiOiJKV1QiLCJraWQiOiJ0ZDBTbWRKUTRxUGg1cU5Lek0yNjBDWHgyVWgtd2hHLU1Eam9PS1dmdDhFIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwOi8vZ2RrLnRlc3Q6MzAwMCIsInN1YiI6IjEiLCJhdWQiOiJlMzFlMWRhMGI4ZjZiNmUzNWNhNzBjNzkwYjEzYzA0MDZlNDRhY2E2YjJiZjY3ZjU1ZGU3MzU1YTk3OWEyMjRmIiwiZXhwIjoxNzQ3OTM3OTgzLCJpYXQiOjE3NDc5Mzc4NjMsImF1dGhfdGltZSI6MTc0Nzc3NDA2Nywic3ViX2xlZ2FjeSI6IjI0NzRjZjBiMjIxMTY4OGE1NzI5N2FjZTBlMjYwYTE1OTQ0NzU0ZDE2YjFiZDQyYzlkNjc3OWM5MDAzNjc4MDciLCJuYW1lIjoiQWRtaW5pc3RyYXRvciIsIm5pY2tuYW1lIjoicm9vdCIsInByZWZlcnJlZF91c2VybmFtZSI6InJvb3QiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByb2ZpbGUiOiJodHRwOi8vZ2RrLnRlc3Q6MzAwMC9yb290IiwicGljdHVyZSI6Imh0dHBzOi8vd3d3LmdyYXZhdGFyLmNvbS9hdmF0YXIvMjU4ZDhkYzkxNmRiOGNlYTJjYWZiNmMzY2QwY2IwMjQ2ZWZlMDYxNDIxZGJkODNlYzNhMzUwNDI4Y2FiZGE0Zj9zPTgwJmQ9aWRlbnRpY29uIiwiZ3JvdXBzX2RpcmVjdCI6WyJnaXRsYWItb3JnIiwidG9vbGJveCIsIm1hc3NfaW5zZXJ0X2dyb3VwX18wXzEwMCIsImN1c3RvbS1yb2xlcy1yb290LWdyb3VwL2FhIiwiY3VzdG9tLXJvbGVzLXJvb3QtZ3JvdXAvYWEvYWFhIiwiZ251d2dldCIsIkNvbW1pdDQ1MSIsImphc2hrZW5hcyIsImZsaWdodGpzIiwidHdpdHRlciIsImdpdGxhYi1leGFtcGxlcyIsImdpdGxhYi1leGFtcGxlcy9zZWN1cml0eSIsIjQxMjcwOCIsImdpdGxhYi1leGFtcGxlcy9kZW1vLWdyb3VwIiwiY3VzdG9tLXJvbGVzLXJvb3QtZ3JvdXAiLCI0MzQwNDQtZ3JvdXAtMSIsIjQzNDA0NC1ncm91cC0yIiwiZ2l0bGFiLW9yZzEiLCJnaXRsYWItb3JnL3NlY3VyZSIsImdpdGxhYi1vcmcvc2VjdXJlL21hbmFnZXJzIiwiZ2l0bGFiLW9yZy9zZWN1cml0eS1wcm9kdWN0cyIsImdpdGxhYi1vcmcvc2VjdXJpdHktcHJvZHVjdHMvYW5hbHl6ZXJzIl19.TjTrGS5FjfPoY0HWkSLvgjogBxB27jX2beosOZAkwXi_gO3q9DTnL0csOgxjoF1UR8baPNfMFBqL1ipLxBdY9vvDxZve-sOhoSptjzLGkCi7uQKeu7r8wNyFWNWhcLwmbinZyENGSZqIDSkHy0lGdo9oj7qqnH6sYqU46jtWACDGSHTFjNNuo1s_P2SZgkaq4c4v4jdlVV_C_Qlvtl7-eaWV1LzTpB4Mz0VWGsRx1pk3-KnS24crhBjxSE383z4Nar4ZhrsrTK-bOj33l6U32gRKNb4g6GxrPXaRQ268n37spQmbQn0aDwmUOABv-aBRy203bCCZca8BJ0XBur8t6w"
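Review bot: The test constructs the service with `NewCheckService(nil)`, so only the local-policy path is exercised; the new delegation in Check (forwarding to `svc.client.Check` and denying on error) has no coverage. A small fake implementing `auth.AuthorizationClient` that returns a canned response in one case and an error in another would pin the fail-closed behavior and the pass-through of the upstream response. The body of TestCheckService continues past the hunk.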
diff --git a/pkg/authz/server.go b/pkg/authz/server.go
index e1b0669..4728182 100644
--- a/pkg/authz/server.go
+++ b/pkg/authz/server.go
@@ -4,6 +4,7 @@ import (
"context"
auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ xcontext "github.com/xlgmokha/x/pkg/context"
"github.com/xlgmokha/x/pkg/log"
"github.com/xlgmokha/x/pkg/x"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
@@ -11,6 +12,8 @@ import (
"google.golang.org/grpc/reflection"
)
+var Connection xcontext.Key[*grpc.ClientConn] = xcontext.Key[*grpc.ClientConn]("grpc_client")
+
type Server struct {
*grpc.Server
}
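Review bot: The exported `Connection` key has no doc comment, and the explicit type on the `var` repeats the constructor's type argument; `// Connection is the context key under which New looks up the *grpc.ClientConn used to reach the upstream authorization daemon; when absent, New registers a CheckService without a client.` followed by `var Connection = xcontext.Key[*grpc.ClientConn]("grpc_client")` reads cleaner. The absent-key behavior described in the comment comes from the following hunk of this file.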
@@ -23,7 +26,18 @@ func New(ctx context.Context, options ...grpc.ServerOption) *Server {
grpc.UnaryInterceptor(pls.LogGRPC(logger)),
grpc.StreamInterceptor(pls.LogGRPCStream(logger)),
)...)
- auth.RegisterAuthorizationServer(server, NewCheckService())
+
+ connection := Connection.From(ctx)
+ if x.IsZero(connection) {
+ auth.RegisterAuthorizationServer(server, NewCheckService(nil))
+ } else {
+ auth.RegisterAuthorizationServer(
+ server,
+ NewCheckService(
+ auth.NewAuthorizationClient(connection),
+ ),
+ )
+ }
reflection.Register(server)
return &Server{