From 4beee46dc6c7642316e118a4d3aa51e4b407256e Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 20 May 2025 14:28:06 -0600 Subject: feat: add external authorization service (authzd) with JWT authentication - Add new authzd gRPC service implementing Envoy's external authorization API - Integrate JWT authentication filter in Envoy configuration with claim extraction - Update middleware to support both cookie-based and header-based user authentication - Add comprehensive test coverage for authorization service and server - Configure proper service orchestration with authzd, sparkled, and Envoy - Update build system and Docker configuration for multi-service deployment - Add grpcurl tool for gRPC service debugging and testing This enables fine-grained authorization control through Envoy's ext_authz filter while maintaining backward compatibility with existing cookie-based authentication. --- app/middleware/user_test.go | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) (limited to 'app/middleware/user_test.go') diff --git a/app/middleware/user_test.go b/app/middleware/user_test.go index aed3582..7653684 100644 --- a/app/middleware/user_test.go +++ b/app/middleware/user_test.go @@ -61,16 +61,33 @@ func TestUser(t *testing.T) { }) t.Run("when ID Token is not provided", func(t *testing.T) { - server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - user := cfg.CurrentUser.From(r.Context()) - require.Nil(t, user) + t.Run("without custom headers", func(t *testing.T) { + server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + user := cfg.CurrentUser.From(r.Context()) + require.Nil(t, user) + + w.WriteHeader(http.StatusTeapot) + })) - w.WriteHeader(http.StatusTeapot) - })) + r, w := test.RequestResponse("GET", "/example") + server.ServeHTTP(w, r) - r, w := test.RequestResponse("GET", "/example") - server.ServeHTTP(w, r) + assert.Equal(t, http.StatusTeapot, w.Code) + }) - assert.Equal(t, http.StatusTeapot, w.Code) + t.Run("with x-jwt-claim-sub header", func(t *testing.T) { + server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + user := cfg.CurrentUser.From(r.Context()) + require.NotNil(t, user) + require.Equal(t, knownUser.ID, user.ID) + + w.WriteHeader(http.StatusTeapot) + })) + + r, w := test.RequestResponse("GET", "/example", test.WithRequestHeader("x-jwt-claim-sub", knownUser.ID.String())) + server.ServeHTTP(w, r) + + assert.Equal(t, http.StatusTeapot, w.Code) + }) }) } -- cgit v1.2.3