feat: add external authorization service (authzd) with JWT authentication

- Add new authzd gRPC service implementing Envoy's external authorization API
- Integrate JWT authentication filter in Envoy configuration with claim extraction
- Update middleware to support both cookie-based and header-based user authentication
- Add comprehensive test coverage for authorization service and server
- Configure proper service orchestration with authzd, sparkled, and Envoy
- Update build system and Docker configuration for multi-service deployment
- Add grpcurl tool for gRPC service debugging and testing

This enables fine-grained authorization control through Envoy's ext_authz filter
while maintaining backward compatibility with existing cookie-based authentication.

2 files changed, 402 insertions, 0 deletions

diff --git a/vendor/github.com/bufbuild/protocompile/protoutil/editions.go b/vendor/github.com/bufbuild/protocompile/protoutil/editions.go
new file mode 100644
index 0000000..fb21dff
--- /dev/null
+++ b/vendor/github.com/bufbuild/protocompile/protoutil/editions.go
@@ -0,0 +1,140 @@
+// Copyright 2020-2024 Buf Technologies, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package protoutil
+
+import (
+	"fmt"
+
+	"google.golang.org/protobuf/reflect/protoreflect"
+	"google.golang.org/protobuf/types/descriptorpb"
+	"google.golang.org/protobuf/types/dynamicpb"
+
+	"github.com/bufbuild/protocompile/internal/editions"
+)
+
+// GetFeatureDefault gets the default value for the given feature and the given
+// edition. The given feature must represent a field of the google.protobuf.FeatureSet
+// message and must not be an extension.
+//
+// If the given field is from a dynamically built descriptor (i.e. it's containing
+// message descriptor is different from the linked-in descriptor for
+// [*descriptorpb.FeatureSet]), the returned value may be a dynamic value. In such
+// cases, the value may not be directly usable using [protoreflect.Message.Set] with
+// an instance of [*descriptorpb.FeatureSet] and must instead be used with a
+// [*dynamicpb.Message].
+//
+// To get the default value of a custom feature, use [GetCustomFeatureDefault]
+// instead.
+func GetFeatureDefault(edition descriptorpb.Edition, feature protoreflect.FieldDescriptor) (protoreflect.Value, error) {
+	if feature.ContainingMessage().FullName() != editions.FeatureSetDescriptor.FullName() {
+		return protoreflect.Value{}, fmt.Errorf("feature %s is a field of %s but should be a field of %s",
+			feature.Name(), feature.ContainingMessage().FullName(), editions.FeatureSetDescriptor.FullName())
+	}
+	var msgType protoreflect.MessageType
+	if feature.ContainingMessage() == editions.FeatureSetDescriptor {
+		msgType = editions.FeatureSetType
+	} else {
+		msgType = dynamicpb.NewMessageType(feature.ContainingMessage())
+	}
+	return editions.GetFeatureDefault(edition, msgType, feature)
+}
+
+// GetCustomFeatureDefault gets the default value for the given custom feature
+// and given edition. A custom feature is a field whose containing message is the
+// type of an extension field of google.protobuf.FeatureSet. The given extension
+// describes that extension field and message type. The given feature must be a
+// field of that extension's message type.
+func GetCustomFeatureDefault(edition descriptorpb.Edition, extension protoreflect.ExtensionType, feature protoreflect.FieldDescriptor) (protoreflect.Value, error) {
+	extDesc := extension.TypeDescriptor()
+	if extDesc.ContainingMessage().FullName() != editions.FeatureSetDescriptor.FullName() {
+		return protoreflect.Value{}, fmt.Errorf("extension %s does not extend %s", extDesc.FullName(), editions.FeatureSetDescriptor.FullName())
+	}
+	if extDesc.Message() == nil {
+		return protoreflect.Value{}, fmt.Errorf("extensions of %s should be messages; %s is instead %s",
+			editions.FeatureSetDescriptor.FullName(), extDesc.FullName(), extDesc.Kind().String())
+	}
+	if feature.IsExtension() {
+		return protoreflect.Value{}, fmt.Errorf("feature %s is an extension, but feature extension %s may not itself have extensions",
+			feature.FullName(), extDesc.FullName())
+	}
+	if feature.ContainingMessage().FullName() != extDesc.Message().FullName() {
+		return protoreflect.Value{}, fmt.Errorf("feature %s is a field of %s but should be a field of %s",
+			feature.Name(), feature.ContainingMessage().FullName(), extDesc.Message().FullName())
+	}
+	if feature.ContainingMessage() != extDesc.Message() {
+		return protoreflect.Value{}, fmt.Errorf("feature %s has a different message descriptor from the given extension type for %s",
+			feature.Name(), extDesc.Message().FullName())
+	}
+	return editions.GetFeatureDefault(edition, extension.Zero().Message().Type(), feature)
+}
+
+// ResolveFeature resolves a feature for the given descriptor.
+//
+// If the given element is in a proto2 or proto3 syntax file, this skips
+// resolution and just returns the relevant default (since such files are not
+// allowed to override features). If neither the given element nor any of its
+// ancestors override the given feature, the relevant default is returned.
+//
+// This has the same caveat as GetFeatureDefault if the given feature is from a
+// dynamically built descriptor.
+func ResolveFeature(element protoreflect.Descriptor, feature protoreflect.FieldDescriptor) (protoreflect.Value, error) {
+	edition := editions.GetEdition(element)
+	defaultVal, err := GetFeatureDefault(edition, feature)
+	if err != nil {
+		return protoreflect.Value{}, err
+	}
+	return resolveFeature(edition, defaultVal, element, feature)
+}
+
+// ResolveCustomFeature resolves a custom feature for the given extension and
+// field descriptor.
+//
+// The given extension must be an extension of google.protobuf.FeatureSet that
+// represents a non-repeated message value. The given feature is a field in
+// that extension's message type.
+//
+// If the given element is in a proto2 or proto3 syntax file, this skips
+// resolution and just returns the relevant default (since such files are not
+// allowed to override features). If neither the given element nor any of its
+// ancestors override the given feature, the relevant default is returned.
+func ResolveCustomFeature(element protoreflect.Descriptor, extension protoreflect.ExtensionType, feature protoreflect.FieldDescriptor) (protoreflect.Value, error) {
+	edition := editions.GetEdition(element)
+	defaultVal, err := GetCustomFeatureDefault(edition, extension, feature)
+	if err != nil {
+		return protoreflect.Value{}, err
+	}
+	return resolveFeature(edition, defaultVal, element, extension.TypeDescriptor(), feature)
+}
+
+func resolveFeature(
+	edition descriptorpb.Edition,
+	defaultVal protoreflect.Value,
+	element protoreflect.Descriptor,
+	fields ...protoreflect.FieldDescriptor,
+) (protoreflect.Value, error) {
+	if edition == descriptorpb.Edition_EDITION_PROTO2 || edition == descriptorpb.Edition_EDITION_PROTO3 {
+		// these syntax levels can't specify features, so we can short-circuit the search
+		// through the descriptor hierarchy for feature overrides
+		return defaultVal, nil
+	}
+	val, err := editions.ResolveFeature(element, fields...)
+	if err != nil {
+		return protoreflect.Value{}, err
+	}
+	if val.IsValid() {
+		return val, nil
+	}
+	return defaultVal, nil
+}
diff --git a/vendor/github.com/bufbuild/protocompile/protoutil/protos.go b/vendor/github.com/bufbuild/protocompile/protoutil/protos.go
new file mode 100644
index 0000000..9c55999
--- /dev/null
+++ b/vendor/github.com/bufbuild/protocompile/protoutil/protos.go
@@ -0,0 +1,262 @@
+// Copyright 2020-2024 Buf Technologies, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package protoutil contains useful functions for interacting with descriptors.
+// For now these include only functions for efficiently converting descriptors
+// produced by the compiler to descriptor protos and functions for resolving
+// "features" (a core concept of Protobuf Editions).
+//
+// Despite the fact that descriptor protos are mutable, calling code should NOT
+// mutate any of the protos returned from this package. For efficiency, some
+// values returned from this package may reference internal state of a compiler
+// result, and mutating the proto could corrupt or invalidate parts of that
+// result.
+package protoutil
+
+import (
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/reflect/protodesc"
+	"google.golang.org/protobuf/reflect/protoreflect"
+	"google.golang.org/protobuf/types/descriptorpb"
+)
+
+// DescriptorProtoWrapper is a protoreflect.Descriptor that wraps an
+// underlying descriptor proto. It provides the same interface as
+// Descriptor but with one extra operation, to efficiently query for
+// the underlying descriptor proto.
+//
+// Descriptors that implement this will also implement another method
+// whose specified return type is the concrete type returned by the
+// AsProto method. The name of this method varies by the type of this
+// descriptor:
+//
+//	 Descriptor Type        Other Method Name
+//	---------------------+------------------------------------
+//	 FileDescriptor      |  FileDescriptorProto()
+//	 MessageDescriptor   |  MessageDescriptorProto()
+//	 FieldDescriptor     |  FieldDescriptorProto()
+//	 OneofDescriptor     |  OneofDescriptorProto()
+//	 EnumDescriptor      |  EnumDescriptorProto()
+//	 EnumValueDescriptor |  EnumValueDescriptorProto()
+//	 ServiceDescriptor   |  ServiceDescriptorProto()
+//	 MethodDescriptor    |  MethodDescriptorProto()
+//
+// For example, a DescriptorProtoWrapper that implements FileDescriptor
+// returns a *descriptorpb.FileDescriptorProto value from its AsProto
+// method and also provides a method with the following signature:
+//
+//	FileDescriptorProto() *descriptorpb.FileDescriptorProto
+type DescriptorProtoWrapper interface {
+	protoreflect.Descriptor
+	// AsProto returns the underlying descriptor proto. The concrete
+	// type of the proto message depends on the type of this
+	// descriptor:
+	//    Descriptor Type        Proto Message Type
+	//   ---------------------+------------------------------------
+	//    FileDescriptor      |  *descriptorpb.FileDescriptorProto
+	//    MessageDescriptor   |  *descriptorpb.DescriptorProto
+	//    FieldDescriptor     |  *descriptorpb.FieldDescriptorProto
+	//    OneofDescriptor     |  *descriptorpb.OneofDescriptorProto
+	//    EnumDescriptor      |  *descriptorpb.EnumDescriptorProto
+	//    EnumValueDescriptor |  *descriptorpb.EnumValueDescriptorProto
+	//    ServiceDescriptor   |  *descriptorpb.ServiceDescriptorProto
+	//    MethodDescriptor    |  *descriptorpb.MethodDescriptorProto
+	AsProto() proto.Message
+}
+
+// ProtoFromDescriptor extracts a descriptor proto from the given "rich"
+// descriptor. For descriptors generated by the compiler, this is an
+// inexpensive and non-lossy operation. Descriptors from other sources
+// however may be expensive (to re-create a proto) and even lossy.
+func ProtoFromDescriptor(d protoreflect.Descriptor) proto.Message {
+	switch d := d.(type) {
+	case protoreflect.FileDescriptor:
+		return ProtoFromFileDescriptor(d)
+	case protoreflect.MessageDescriptor:
+		return ProtoFromMessageDescriptor(d)
+	case protoreflect.FieldDescriptor:
+		return ProtoFromFieldDescriptor(d)
+	case protoreflect.OneofDescriptor:
+		return ProtoFromOneofDescriptor(d)
+	case protoreflect.EnumDescriptor:
+		return ProtoFromEnumDescriptor(d)
+	case protoreflect.EnumValueDescriptor:
+		return ProtoFromEnumValueDescriptor(d)
+	case protoreflect.ServiceDescriptor:
+		return ProtoFromServiceDescriptor(d)
+	case protoreflect.MethodDescriptor:
+		return ProtoFromMethodDescriptor(d)
+	default:
+		// WTF??
+		if res, ok := d.(DescriptorProtoWrapper); ok {
+			return res.AsProto()
+		}
+		return nil
+	}
+}
+
+// ProtoFromFileDescriptor extracts a descriptor proto from the given "rich"
+// descriptor. For file descriptors generated by the compiler, this is an
+// inexpensive and non-lossy operation. File descriptors from other sources
+// however may be expensive (to re-create a proto) and even lossy.
+func ProtoFromFileDescriptor(d protoreflect.FileDescriptor) *descriptorpb.FileDescriptorProto {
+	if imp, ok := d.(protoreflect.FileImport); ok {
+		d = imp.FileDescriptor
+	}
+	type canProto interface {
+		FileDescriptorProto() *descriptorpb.FileDescriptorProto
+	}
+	if res, ok := d.(canProto); ok {
+		return res.FileDescriptorProto()
+	}
+	if res, ok := d.(DescriptorProtoWrapper); ok {
+		if fd, ok := res.AsProto().(*descriptorpb.FileDescriptorProto); ok {
+			return fd
+		}
+	}
+	return protodesc.ToFileDescriptorProto(d)
+}
+
+// ProtoFromMessageDescriptor extracts a descriptor proto from the given "rich"
+// descriptor. For message descriptors generated by the compiler, this is an
+// inexpensive and non-lossy operation. Message descriptors from other sources
+// however may be expensive (to re-create a proto) and even lossy.
+func ProtoFromMessageDescriptor(d protoreflect.MessageDescriptor) *descriptorpb.DescriptorProto {
+	type canProto interface {
+		MessageDescriptorProto() *descriptorpb.DescriptorProto
+	}
+	if res, ok := d.(canProto); ok {
+		return res.MessageDescriptorProto()
+	}
+	if res, ok := d.(DescriptorProtoWrapper); ok {
+		if md, ok := res.AsProto().(*descriptorpb.DescriptorProto); ok {
+			return md
+		}
+	}
+	return protodesc.ToDescriptorProto(d)
+}
+
+// ProtoFromFieldDescriptor extracts a descriptor proto from the given "rich"
+// descriptor. For field descriptors generated by the compiler, this is an
+// inexpensive and non-lossy operation. Field descriptors from other sources
+// however may be expensive (to re-create a proto) and even lossy.
+func ProtoFromFieldDescriptor(d protoreflect.FieldDescriptor) *descriptorpb.FieldDescriptorProto {
+	type canProto interface {
+		FieldDescriptorProto() *descriptorpb.FieldDescriptorProto
+	}
+	if res, ok := d.(canProto); ok {
+		return res.FieldDescriptorProto()
+	}
+	if res, ok := d.(DescriptorProtoWrapper); ok {
+		if fd, ok := res.AsProto().(*descriptorpb.FieldDescriptorProto); ok {
+			return fd
+		}
+	}
+	return protodesc.ToFieldDescriptorProto(d)
+}
+
+// ProtoFromOneofDescriptor extracts a descriptor proto from the given "rich"
+// descriptor. For oneof descriptors generated by the compiler, this is an
+// inexpensive and non-lossy operation. Oneof descriptors from other sources
+// however may be expensive (to re-create a proto) and even lossy.
+func ProtoFromOneofDescriptor(d protoreflect.OneofDescriptor) *descriptorpb.OneofDescriptorProto {
+	type canProto interface {
+		OneofDescriptorProto() *descriptorpb.OneofDescriptorProto
+	}
+	if res, ok := d.(canProto); ok {
+		return res.OneofDescriptorProto()
+	}
+	if res, ok := d.(DescriptorProtoWrapper); ok {
+		if ood, ok := res.AsProto().(*descriptorpb.OneofDescriptorProto); ok {
+			return ood
+		}
+	}
+	return protodesc.ToOneofDescriptorProto(d)
+}
+
+// ProtoFromEnumDescriptor extracts a descriptor proto from the given "rich"
+// descriptor. For enum descriptors generated by the compiler, this is an
+// inexpensive and non-lossy operation. Enum descriptors from other sources
+// however may be expensive (to re-create a proto) and even lossy.
+func ProtoFromEnumDescriptor(d protoreflect.EnumDescriptor) *descriptorpb.EnumDescriptorProto {
+	type canProto interface {
+		EnumDescriptorProto() *descriptorpb.EnumDescriptorProto
+	}
+	if res, ok := d.(canProto); ok {
+		return res.EnumDescriptorProto()
+	}
+	if res, ok := d.(DescriptorProtoWrapper); ok {
+		if ed, ok := res.AsProto().(*descriptorpb.EnumDescriptorProto); ok {
+			return ed
+		}
+	}
+	return protodesc.ToEnumDescriptorProto(d)
+}
+
+// ProtoFromEnumValueDescriptor extracts a descriptor proto from the given "rich"
+// descriptor. For enum value descriptors generated by the compiler, this is an
+// inexpensive and non-lossy operation. Enum value descriptors from other sources
+// however may be expensive (to re-create a proto) and even lossy.
+func ProtoFromEnumValueDescriptor(d protoreflect.EnumValueDescriptor) *descriptorpb.EnumValueDescriptorProto {
+	type canProto interface {
+		EnumValueDescriptorProto() *descriptorpb.EnumValueDescriptorProto
+	}
+	if res, ok := d.(canProto); ok {
+		return res.EnumValueDescriptorProto()
+	}
+	if res, ok := d.(DescriptorProtoWrapper); ok {
+		if ed, ok := res.AsProto().(*descriptorpb.EnumValueDescriptorProto); ok {
+			return ed
+		}
+	}
+	return protodesc.ToEnumValueDescriptorProto(d)
+}
+
+// ProtoFromServiceDescriptor extracts a descriptor proto from the given "rich"
+// descriptor. For service descriptors generated by the compiler, this is an
+// inexpensive and non-lossy operation. Service descriptors from other sources
+// however may be expensive (to re-create a proto) and even lossy.
+func ProtoFromServiceDescriptor(d protoreflect.ServiceDescriptor) *descriptorpb.ServiceDescriptorProto {
+	type canProto interface {
+		ServiceDescriptorProto() *descriptorpb.ServiceDescriptorProto
+	}
+	if res, ok := d.(canProto); ok {
+		return res.ServiceDescriptorProto()
+	}
+	if res, ok := d.(DescriptorProtoWrapper); ok {
+		if sd, ok := res.AsProto().(*descriptorpb.ServiceDescriptorProto); ok {
+			return sd
+		}
+	}
+	return protodesc.ToServiceDescriptorProto(d)
+}
+
+// ProtoFromMethodDescriptor extracts a descriptor proto from the given "rich"
+// descriptor. For method descriptors generated by the compiler, this is an
+// inexpensive and non-lossy operation. Method descriptors from other sources
+// however may be expensive (to re-create a proto) and even lossy.
+func ProtoFromMethodDescriptor(d protoreflect.MethodDescriptor) *descriptorpb.MethodDescriptorProto {
+	type canProto interface {
+		MethodDescriptorProto() *descriptorpb.MethodDescriptorProto
+	}
+	if res, ok := d.(canProto); ok {
+		return res.MethodDescriptorProto()
+	}
+	if res, ok := d.(DescriptorProtoWrapper); ok {
+		if md, ok := res.AsProto().(*descriptorpb.MethodDescriptorProto); ok {
+			return md
+		}
+	}
+	return protodesc.ToMethodDescriptorProto(d)
+}