-rw-r--r--pkg/authz/check_service.go27
-rw-r--r--pkg/authz/check_service_test.go2
-rw-r--r--pkg/authz/remote_check_service.go28
-rw-r--r--pkg/authz/server.go4
4 files changed, 34 insertions, 27 deletions
diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 4f079f9..55560f5 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -35,14 +35,11 @@ var public map[string]bool = map[string]bool{
}
type CheckService struct {
- client auth.AuthorizationClient
auth.UnimplementedAuthorizationServer
}
-func NewCheckService(client auth.AuthorizationClient) *CheckService {
- return &CheckService{
- client: client,
- }
+func NewCheckService() auth.AuthorizationServer {
+ return &CheckService{}
}
func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
@@ -57,31 +54,13 @@ func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) boo
return ok
}
-func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest) bool {
- if x.IsZero(svc.client) {
- return false
- }
- response, err := svc.client.Check(ctx, r)
- if err != nil {
- pls.LogError(ctx, err)
- return false
- }
- if x.IsZero(response.Status) {
- return false
- }
- if response.Status.Code != int32(codes.OK) {
- return false
- }
- return true
-}
-
func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool {
if !svc.validRequest(ctx, r) {
return false
}
log.WithFields(ctx, svc.fieldsFor(r))
- return svc.isAuthorized(ctx, r) || svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
+ return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
}
func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool {
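Review bot: In the first hunk the constructor's return type changes from `*CheckService` to the `auth.AuthorizationServer` interface (`func NewCheckService() auth.AuthorizationServer`), which hides the concrete type from the package's own test and any caller that wants more than `Check`; the usual Go shape is to return the concrete type, `func NewCheckService() *CheckService {`, and let the registration site accept it as the interface, which `auth.RegisterAuthorizationServer` already does. Both new constructors are exported and undocumented; for this one I would add `// NewCheckService returns an authorization server whose decisions are made locally: a request is allowed when its path is public or the caller is logged in (see isAllowed).`, which matches the second hunk's `return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)`. The same return-type point applies to `NewRemoteCheckService` in remote_check_service.go. The body of `Check` at the end of the first hunk lies outside the hunk.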
diff --git a/pkg/authz/check_service_test.go b/pkg/authz/check_service_test.go
index 9a0f4e8..fc2da86 100644
--- a/pkg/authz/check_service_test.go
+++ b/pkg/authz/check_service_test.go
@@ -12,7 +12,7 @@ import (
)
func TestCheckService(t *testing.T) {
- svc := NewCheckService(nil)
+ svc := NewCheckService()
t.Run("allows access", func(t *testing.T) {
idToken := "eyJ0eXAiOiJKV1QiLCJraWQiOiJ0ZDBTbWRKUTRxUGg1cU5Lek0yNjBDWHgyVWgtd2hHLU1Eam9PS1dmdDhFIiwiYWxnIjoiUlMyNTYifQ.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.TjTrGS5FjfPoY0HWkSLvgjogBxB27jX2beosOZAkwXi_gO3q9DTnL0csOgxjoF1UR8baPNfMFBqL1ipLxBdY9vvDxZve-sOhoSptjzLGkCi7uQKeu7r8wNyFWNWhcLwmbinZyENGSZqIDSkHy0lGdo9oj7qqnH6sYqU46jtWACDGSHTFjNNuo1s_P2SZgkaq4c4v4jdlVV_C_Qlvtl7-eaWV1LzTpB4Mz0VWGsRx1pk3-KnS24crhBjxSE383z4Nar4ZhrsrTK-bOj33l6U32gRKNb4g6GxrPXaRQ268n37spQmbQn0aDwmUOABv-aBRy203bCCZca8BJ0XBur8t6w"
diff --git a/pkg/authz/remote_check_service.go b/pkg/authz/remote_check_service.go
new file mode 100644
index 0000000..43178fe
--- /dev/null
+++ b/pkg/authz/remote_check_service.go
@@ -0,0 +1,28 @@
+package authz
+
+import (
+ "context"
+ "errors"
+
+ auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ "github.com/xlgmokha/x/pkg/x"
+)
+
+type RemoteCheckService struct {
+ client auth.AuthorizationClient
+ auth.UnimplementedAuthorizationServer
+}
+
+func NewRemoteCheckService(client auth.AuthorizationClient) auth.AuthorizationServer {
+ return &RemoteCheckService{
+ client: client,
+ }
+}
+
+func (svc *RemoteCheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
+ if x.IsZero(svc.client) {
+ return nil, errors.New("RPC client is not configured")
+ }
+
+ return svc.client.Check(ctx, request)
+}
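Review bot: `RemoteCheckService.Check` turns two conditions that the removed `isAuthorized` treated as a deny into transport errors: an unconfigured client now yields a bare `errors.New(...)` (surfaced to the caller as gRPC code Unknown), and an upstream RPC failure is returned unwrapped and, unlike before, no longer logged. For an Envoy ext_authz backend that matters, because an erroring authz call is a filter "failure" whose outcome is governed by the filter's `failure_mode_allow` setting rather than by this service, so the fail-closed behaviour the old code guaranteed now depends on the Envoy configuration. If the error path is intended, at least make the code explicit, `return nil, status.Error(codes.FailedPrecondition, "RPC client is not configured")` (with `codes`/`status` imported), and log the upstream error before returning it so a misconfigured or unreachable authorizer is visible in this service's logs; alternatively return a `CheckResponse` whose `Status` carries `codes.PermissionDenied` to keep denial independent of the proxy's failure mode. Either way the exported type and constructor need doc comments, e.g. `// RemoteCheckService delegates every authorization decision to the upstream AuthorizationClient; it applies none of the local public-path or login checks that CheckService does.`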
diff --git a/pkg/authz/server.go b/pkg/authz/server.go
index 24d6b0c..434d233 100644
--- a/pkg/authz/server.go
+++ b/pkg/authz/server.go
@@ -30,7 +30,7 @@ func New(ctx context.Context, options ...grpc.ServerOption) *Server {
connection := Connection.From(ctx)
if x.IsZero(connection) {
- auth.RegisterAuthorizationServer(server, NewCheckService(nil))
+ auth.RegisterAuthorizationServer(server, NewCheckService())
} else {
pls.LogNow(ctx, log.Fields{"authzd": map[string]string{
"target": connection.CanonicalTarget(),
@@ -38,7 +38,7 @@ func New(ctx context.Context, options ...grpc.ServerOption) *Server {
}})
auth.RegisterAuthorizationServer(
server,
- NewCheckService(
+ NewRemoteCheckService(
auth.NewAuthorizationClient(connection),
),
)
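Review bot: The two registration branches no longer share a policy: with a connection, every decision is delegated to the upstream service through `NewRemoteCheckService`, and the public-path and logged-in fallbacks that `CheckService.isAllowed` still applies in the no-connection branch are gone from that path, whereas before this commit the same `CheckService` applied them in both modes. If that asymmetry is intended, say so where the modes diverge, e.g. above the `else`: `// Remote mode: the upstream authorizer makes every decision; CheckService's local public/login checks do not apply here.` If it is not intended, the remote path needs its fallback restored, which is a change to remote_check_service.go rather than to this hunk. `New` continues outside the hunk.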