feat: add external authorization service (authzd) with JWT authentication

- Add new authzd gRPC service implementing Envoy's external authorization API
- Integrate JWT authentication filter in Envoy configuration with claim extraction
- Update middleware to support both cookie-based and header-based user authentication
- Add comprehensive test coverage for authorization service and server
- Configure proper service orchestration with authzd, sparkled, and Envoy
- Update build system and Docker configuration for multi-service deployment
- Add grpcurl tool for gRPC service debugging and testing

This enables fine-grained authorization control through Envoy's ext_authz filter
while maintaining backward compatibility with existing cookie-based authentication.

1 files changed, 31 insertions, 0 deletions

diff --git a/pkg/authz/server.go b/pkg/authz/server.go
new file mode 100644
index 0000000..49bcd3d
--- /dev/null
+++ b/pkg/authz/server.go
@@ -0,0 +1,31 @@
+package authz
+
+import (
+	"context"
+
+	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"github.com/xlgmokha/x/pkg/log"
+	"github.com/xlgmokha/x/pkg/x"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/reflection"
+)
+
+type Server struct {
+	*grpc.Server
+}
+
+func New(ctx context.Context, options ...grpc.ServerOption) *Server {
+	logger := log.From(ctx)
+	server := grpc.NewServer(x.Prepend(
+		options,
+		grpc.UnaryInterceptor(pls.LogGRPC(logger)),
+		grpc.StreamInterceptor(pls.LogGRPCStream(logger)),
+	)...)
+	auth.RegisterAuthorizationServer(server, &CheckService{})
+	reflection.Register(server)
+
+	return &Server{
+		Server: server,
+	}
+}