authormo khan <mo@mokhan.ca>2025-05-20 14:28:06 -0600
committermo khan <mo@mokhan.ca>2025-05-23 14:49:19 -0600
commit4beee46dc6c7642316e118a4d3aa51e4b407256e (patch)
tree039bdf57b99061844aeb0fe55ad0bc1c864166af /test/integration/container_test.go
parent0ba49bfbde242920d8675a193d7af89420456fc0 (diff)
feat: add external authorization service (authzd) with JWT authentication
- Add new authzd gRPC service implementing Envoy's external authorization API - Integrate JWT authentication filter in Envoy configuration with claim extraction - Update middleware to support both cookie-based and header-based user authentication - Add comprehensive test coverage for authorization service and server - Configure proper service orchestration with authzd, sparkled, and Envoy - Update build system and Docker configuration for multi-service deployment - Add grpcurl tool for gRPC service debugging and testing This enables fine-grained authorization control through Envoy's ext_authz filter while maintaining backward compatibility with existing cookie-based authentication.
Diffstat (limited to 'test/integration/container_test.go')
-rw-r--r--test/integration/container_test.go43
1 files changed, 40 insertions, 3 deletions
diff --git a/test/integration/container_test.go b/test/integration/container_test.go
index c51c5e0..68aef6d 100644
--- a/test/integration/container_test.go
+++ b/test/integration/container_test.go
@@ -6,15 +6,20 @@ package test
import (
"context"
"net/http"
+ "strconv"
"testing"
"time"
+ auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ "github.com/oauth2-proxy/mockoidc"
playwright "github.com/playwright-community/playwright-go"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/testcontainers/testcontainers-go"
"github.com/xlgmokha/x/pkg/env"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials/insecure"
)
func environmentVariables(srv *web.OIDCServer) map[string]string {
@@ -49,6 +54,9 @@ func TestContainer(t *testing.T) {
envoyAdminEndpoint, err := container.PortEndpoint(ctx, "9901", "http")
require.NoError(t, err)
+ authzdEndpoint, err := container.PortEndpoint(ctx, "10003", "")
+ require.NoError(t, err)
+
for _, publicPath := range []string{
envoyAdminEndpoint + "/",
envoyEndpoint + "/",
@@ -76,6 +84,29 @@ func TestContainer(t *testing.T) {
assert.NotEmpty(t, "listener_0", body["configs"])
})
+ t.Run("authzd", func(t *testing.T) {
+ t.Run("responds to a GRPC request", func(t *testing.T) {
+ connection, err := grpc.NewClient(authzdEndpoint, grpc.WithTransportCredentials(insecure.NewCredentials()))
+ require.NoError(t, err)
+ defer connection.Close()
+
+ client := auth.NewAuthorizationClient(connection)
+
+ response, err := client.Check(t.Context(), &auth.CheckRequest{
+ Attributes: &auth.AttributeContext{
+ Request: &auth.AttributeContext_Request{
+ Http: &auth.AttributeContext_HttpRequest{
+ Method: "GET",
+ Path: "/",
+ },
+ },
+ },
+ })
+ require.NoError(t, err)
+ assert.NotNil(t, response.GetOkResponse())
+ })
+ })
+
WithUI(t, func(browser playwright.Browser) {
page, err := browser.NewPage()
require.NoError(t, err)
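Review bot: The `responds to a GRPC request` subtest asserts only `response.GetOkResponse()`, which does not pin the decision Envoy acts on, because the ext_authz filter allows or denies on the `status` field of the `CheckResponse`. Adding `assert.Equal(t, int32(codes.OK), response.GetStatus().GetCode())` (with the `google.golang.org/grpc/codes` import) would check the allow decision itself. The request also carries no headers or credentials, so the only case covered is an unauthenticated allow for `/`. A sibling subtest that expects a denied response for a request the service should reject would catch a fail-open regression; which path or header that is cannot be determined from this hunk. `TestContainer` starts and ends outside the hunk.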
@@ -89,10 +120,16 @@ func TestContainer(t *testing.T) {
t.Run("redirects to the OpenID Connect Provider", func(t *testing.T) {
t.Skip()
+ code := strconv.FormatInt(time.Now().Unix(), 10)
+ srv.MockOIDC.QueueUser(mockoidc.DefaultUser())
+ srv.MockOIDC.QueueCode(code)
+
require.NoError(t, page.GetByText("Login").Click())
- // The envoy.yaml configuration has a hardcoded path that doesn't match the one provided by mockoidc
- // because the oauth2 envoy filter doesn't support the OIDC discovery endpoint.
- assert.Contains(t, page.URL(), srv.AuthorizationEndpoint()+"?client_id="+srv.MockOIDC.ClientID)
+ assert.Contains(t, page.URL(), envoyEndpoint+"/callback?code="+code)
+
+ content, err := page.Content()
+ require.NoError(t, err)
+ assert.Contains(t, content, "Share your gratitude")
})
})
})
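Review bot: The lines added to `redirects to the OpenID Connect Provider` sit after a bare `t.Skip()`, so the queued user, the queued code and the new `/callback?code=` and page-content assertions never execute. The commit also removes the comment that explained why the old assertion could not match, leaving no record of why the subtest is skipped. Either give the skip a reason, for example `t.Skip("TODO: <why the OIDC login flow cannot run in this test yet>")`, or remove the skip if the flow is expected to work with the new configuration. `TestContainer` and the enclosing `WithUI` callback start outside the hunk.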