authormo khan <mo@mokhan.ca>2025-05-20 14:28:06 -0600
committermo khan <mo@mokhan.ca>2025-05-23 14:49:19 -0600
commit4beee46dc6c7642316e118a4d3aa51e4b407256e (patch)
tree039bdf57b99061844aeb0fe55ad0bc1c864166af /cmd
parent0ba49bfbde242920d8675a193d7af89420456fc0 (diff)
feat: add external authorization service (authzd) with JWT authentication
- Add new authzd gRPC service implementing Envoy's external authorization API - Integrate JWT authentication filter in Envoy configuration with claim extraction - Update middleware to support both cookie-based and header-based user authentication - Add comprehensive test coverage for authorization service and server - Configure proper service orchestration with authzd, sparkled, and Envoy - Update build system and Docker configuration for multi-service deployment - Add grpcurl tool for gRPC service debugging and testing This enables fine-grained authorization control through Envoy's ext_authz filter while maintaining backward compatibility with existing cookie-based authentication.
Diffstat (limited to 'cmd')
-rw-r--r--cmd/authzd/main.go33
1 files changed, 33 insertions, 0 deletions
diff --git a/cmd/authzd/main.go b/cmd/authzd/main.go
new file mode 100644
index 0000000..65a4672
--- /dev/null
+++ b/cmd/authzd/main.go
@@ -0,0 +1,33 @@
+package main
+
+import (
+ "context"
+ "net"
+ "os"
+ "os/signal"
+ "syscall"
+
+ "github.com/xlgmokha/x/pkg/log"
+ "github.com/xlgmokha/x/pkg/x"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/authz"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+)
+
+func main() {
+ logger := log.New(os.Stdout, log.Fields{"app": "authzd"})
+ ctx := logger.WithContext(context.Background())
+ server := authz.New(ctx)
+
+ c := make(chan os.Signal, 1)
+ signal.Notify(c, syscall.SIGINT, syscall.SIGTERM)
+ go func() {
+ <-c
+ pls.LogNow(ctx, log.Fields{"status": "goodbye"})
+ server.GracefulStop()
+ }()
+
+ defer server.GracefulStop()
+ pls.LogNow(ctx, log.Fields{"status": "ready"})
+ socket := x.Must(net.Listen("tcp", ":10003"))
+ pls.LogErrorNow(ctx, server.Serve(socket))
+}
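Review bot: `net.Listen("tcp", ":10003")` binds the authorization service to every interface on a hard-coded port, and nothing in this file shows transport security or peer restriction on the listener (that may be set up in `authz.New`, which is outside this diff). Since only Envoy's ext_authz filter needs to reach it, consider reading the address from configuration and defaulting to loopback where Envoy shares the network namespace, e.g. `socket := x.Must(net.Listen("tcp", "127.0.0.1:10003"))`. Separately, `status: ready` is logged before the listener exists, so a failed bind is preceded by a misleading readiness line; moving `pls.LogNow(ctx, log.Fields{"status": "ready"})` below the `net.Listen` line fixes that. A `Serve` error is only logged, so the process presumably exits with status 0 on failure, which hides the fault from a supervisor or orchestrator.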