From 4beee46dc6c7642316e118a4d3aa51e4b407256e Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Tue, 20 May 2025 14:28:06 -0600
Subject: feat: add external authorization service (authzd) with JWT
 authentication

- Add new authzd gRPC service implementing Envoy's external authorization API
- Integrate JWT authentication filter in Envoy configuration with claim extraction
- Update middleware to support both cookie-based and header-based user authentication
- Add comprehensive test coverage for authorization service and server
- Configure proper service orchestration with authzd, sparkled, and Envoy
- Update build system and Docker configuration for multi-service deployment
- Add grpcurl tool for gRPC service debugging and testing

This enables fine-grained authorization control through Envoy's ext_authz filter
while maintaining backward compatibility with existing cookie-based authentication.
---
 pkg/authz/check_service.go | 114 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 pkg/authz/check_service.go

(limited to 'pkg/authz/check_service.go')

diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
new file mode 100644
index 0000000..ff4e92a
--- /dev/null
+++ b/pkg/authz/check_service.go
@@ -0,0 +1,114 @@
+package authz
+
+import (
+	"context"
+	"strings"
+
+	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
+	"github.com/xlgmokha/x/pkg/log"
+	"github.com/xlgmokha/x/pkg/x"
+	status "google.golang.org/genproto/googleapis/rpc/status"
+	"google.golang.org/grpc/codes"
+)
+
+type CheckService struct {
+	auth.UnimplementedAuthorizationServer
+}
+
+func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
+	if svc.isAllowed(ctx, request) {
+		return svc.OK(ctx), nil
+	}
+	return svc.Denied(ctx), nil
+}
+
+// TODOD:: Replace with a PaC language
+func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool {
+	allowed := map[string]bool{
+		"GET:/":                  true,
+		"GET:/application.js":    true,
+		"GET:/callback":          true,
+		"GET:/dashboard/nav":     true,
+		"GET:/favicon.ico":       true,
+		"GET:/favicon.png":       true,
+		"GET:/health":            true,
+		"GET:/index.html":        true,
+		"GET:/logo.png":          true,
+		"GET:/signout":           true,
+		"GET:/sparkle":           true,
+		"GET:/sparkles":          true,
+		"POST:/sparkles/restore": true,
+	}
+	ok, _ := allowed[strings.Join([]string{
+		r.Attributes.Request.Http.Method,
+		r.Attributes.Request.Http.Path,
+	}, ":")]
+	return ok
+}
+
+func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool {
+	if !svc.validRequest(ctx, r) {
+		return false
+	}
+
+	log.WithFields(ctx, svc.fieldsFor(r))
+	return svc.isLoggedIn(ctx, r) || svc.isPublic(ctx, r)
+}
+
+func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool {
+	return x.IsPresent(r) &&
+		x.IsPresent(r.Attributes) &&
+		x.IsPresent(r.Attributes.Request) &&
+		x.IsPresent(r.Attributes.Request.Http)
+}
+
+// TODO:: Replace this naive implementation
+func (svc *CheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) bool {
+	return x.IsPresent(r.Attributes.Request.Http.Headers["cookie"])
+}
+
+func (svc *CheckService) OK(ctx context.Context) *auth.CheckResponse {
+	log.WithFields(ctx, log.Fields{"authorized": true})
+	return &auth.CheckResponse{
+		Status: &status.Status{
+			Code: int32(codes.OK),
+		},
+		HttpResponse: &auth.CheckResponse_OkResponse{
+			OkResponse: &auth.OkHttpResponse{
+				Headers:              []*core.HeaderValueOption{},
+				HeadersToRemove:      []string{},
+				ResponseHeadersToAdd: []*core.HeaderValueOption{},
+			},
+		},
+	}
+}
+
+func (svc *CheckService) Denied(ctx context.Context) *auth.CheckResponse {
+	log.WithFields(ctx, log.Fields{"authorized": false})
+	return &auth.CheckResponse{
+		Status: &status.Status{
+			Code: int32(codes.PermissionDenied),
+		},
+		HttpResponse: &auth.CheckResponse_DeniedResponse{
+			DeniedResponse: &auth.DeniedHttpResponse{
+				Status: &types.HttpStatus{
+					Code: types.StatusCode_Unauthorized,
+				},
+				Headers: []*core.HeaderValueOption{},
+			},
+		},
+	}
+}
+
+func (svc *CheckService) fieldsFor(r *auth.CheckRequest) log.Fields {
+	return log.Fields{
+		"id":       r.Attributes.Request.Http.Id,
+		"method":   r.Attributes.Request.Http.Method,
+		"path":     r.Attributes.Request.Http.Path,
+		"host":     r.Attributes.Request.Http.Host,
+		"scheme":   r.Attributes.Request.Http.Scheme,
+		"protocol": r.Attributes.Request.Http.Protocol,
+	}
+}
-- 
cgit v1.2.3