From 9edd3e64a6f1a56798e3881a6e404dba7c47c0da Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 11 Jul 2025 14:09:50 -0600 Subject: chore: split the RemoteCheckService from the LocalCheckService --- pkg/authz/check_service.go | 27 +++------------------------ pkg/authz/check_service_test.go | 2 +- pkg/authz/remote_check_service.go | 28 ++++++++++++++++++++++++++++ pkg/authz/server.go | 4 ++-- 4 files changed, 34 insertions(+), 27 deletions(-) create mode 100644 pkg/authz/remote_check_service.go (limited to 'pkg/authz') diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go index 4f079f9..55560f5 100644 --- a/pkg/authz/check_service.go +++ b/pkg/authz/check_service.go @@ -35,14 +35,11 @@ var public map[string]bool = map[string]bool{ } type CheckService struct { - client auth.AuthorizationClient auth.UnimplementedAuthorizationServer } -func NewCheckService(client auth.AuthorizationClient) *CheckService { - return &CheckService{ - client: client, - } +func NewCheckService() auth.AuthorizationServer { + return &CheckService{} } func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) { 
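Review bot: `NewCheckService` now returns the `auth.AuthorizationServer` interface instead of `*CheckService`, which hides the concrete type from callers and tests for no gain; Go convention is to return concrete types, and a `*CheckService` still satisfies the interface at the `RegisterAuthorizationServer` call site. Prefer `func NewCheckService() *CheckService { return &CheckService{} }`, optionally paired with `var _ auth.AuthorizationServer = (*CheckService)(nil)` as a compile-time check. Neither the type nor the constructor carries a doc comment; a one-liner such as `// CheckService is the in-process ext_authz Check implementation; it does not consult a remote authorizer.` would record the split this commit makes. The `Check` method starting on the last line of the hunk continues outside it.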
@@ -57,31 +54,13 @@ func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) boo return ok } -func (svc *CheckService) isAuthorized(ctx context.Context, r *auth.CheckRequest) bool { - if x.IsZero(svc.client) { - return false - } - response, err := svc.client.Check(ctx, r) - if err != nil { - pls.LogError(ctx, err) - return false - } - if x.IsZero(response.Status) { - return false - } - if response.Status.Code != int32(codes.OK) { - return false - } - return true -} - func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool { if !svc.validRequest(ctx, r) { return false } log.WithFields(ctx, svc.fieldsFor(r)) - return svc.isAuthorized(ctx, r) || svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r) + return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r) } func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool { diff --git a/pkg/authz/check_service_test.go b/pkg/authz/check_service_test.go index 9a0f4e8..fc2da86 100644 --- a/pkg/authz/check_service_test.go +++ b/pkg/authz/check_service_test.go @@ -12,7 +12,7 @@ import ( ) func TestCheckService(t *testing.T) { - svc := NewCheckService(nil) + svc := NewCheckService() t.Run("allows access", func(t *testing.T) { idToken := "eyJ0eXAiOiJKV1QiLCJraWQiOiJ0ZDBTbWRKUTRxUGg1cU5Lek0yNjBDWHgyVWgtd2hHLU1Eam9PS1dmdDhFIiwiYWxnIjoiUlMyNTYifQ.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.TjTrGS5FjfPoY0HWkSLvgjogBxB27jX2beosOZAkwXi_gO3q9DTnL0csOgxjoF1UR8baPNfMFBqL1ipLxBdY9vvDxZve-sOhoSptjzLGkCi7uQKeu7r8wNyFWNWhcLwmbinZyENGSZqIDSkHy0lGdo9oj7qqnH6sYqU46jtWACDGSHTFjNNuo1s_P2SZgkaq4c4v4jdlVV_C_Qlvtl7-eaWV1LzTpB4Mz0VWGsRx1pk3-KnS24crhBjxSE383z4Nar4ZhrsrTK-bOj33l6U32gRKNb4g6GxrPXaRQ268n37spQmbQn0aDwmUOABv-aBRy203bCCZca8BJ0XBur8t6w" diff --git a/pkg/authz/remote_check_service.go b/pkg/authz/remote_check_service.go new file mode 100644 index 0000000..43178fe --- /dev/null +++ b/pkg/authz/remote_check_service.go 
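Review bot: `isAllowed` now encodes the whole local policy, but nothing states it; with the remote branch removed a reader must infer from the `||` chain that a well-formed request passes when its path is public or the caller is logged in. Add `// isAllowed is the local policy: a well-formed request is allowed when its path is in the public allow-list or the caller presents a valid login; everything else is denied.` above the function. Short-circuiting means `isLoggedIn` is never evaluated for public paths, so keep that order if the login check logs or has other side effects. The bodies of `isPublic`, `isLoggedIn` and `validRequest` are outside this hunk, so their exact semantics are inferred from their names here.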
@@ -0,0 +1,28 @@ +package authz + +import ( + "context" + "errors" + + auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + "github.com/xlgmokha/x/pkg/x" +) + +type RemoteCheckService struct { + client auth.AuthorizationClient + auth.UnimplementedAuthorizationServer +} + +func NewRemoteCheckService(client auth.AuthorizationClient) auth.AuthorizationServer { + return &RemoteCheckService{ + client: client, + } +} + +func (svc *RemoteCheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) { + if x.IsZero(svc.client) { + return nil, errors.New("RPC client is not configured") + } + + return svc.client.Check(ctx, request) +} diff --git a/pkg/authz/server.go b/pkg/authz/server.go index 24d6b0c..434d233 100644 --- a/pkg/authz/server.go +++ b/pkg/authz/server.go @@ -30,7 +30,7 @@ func New(ctx context.Context, options ...grpc.ServerOption) *Server { connection := Connection.From(ctx) if x.IsZero(connection) { - auth.RegisterAuthorizationServer(server, NewCheckService(nil)) + auth.RegisterAuthorizationServer(server, NewCheckService()) } else { pls.LogNow(ctx, log.Fields{"authzd": map[string]string{ "target": connection.CanonicalTarget(), @@ -38,7 +38,7 @@ func New(ctx context.Context, options ...grpc.ServerOption) *Server { }}) auth.RegisterAuthorizationServer( server, - NewCheckService( + NewRemoteCheckService( auth.NewAuthorizationClient(connection), ), ) -- cgit v1.2.3
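Review bot: `return svc.client.Check(ctx, request)` forwards the upstream response verbatim and drops the defensive handling the removed `isAuthorized` had, where a nil `response.Status` was treated as deny. A `CheckResponse` whose `Status` is absent decodes to code 0, which, as far as I recall, Envoy's ext_authz client treats as OK, so a misbehaving or half-implemented upstream that returns an empty response would read as allow; the check below fails closed instead. Separately, the plain `errors.New("RPC client is not configured")` reaches Envoy as gRPC `Unknown` and is denied only while `failure_mode_allow` stays false; returning an explicit deny response (or `status.Error(codes.FailedPrecondition, …)`) would make the intent independent of proxy configuration. No test covers `RemoteCheckService`; a fake `AuthorizationClient` returning an empty response would pin this behaviour.
```go
	// … unchanged: nil-client guard …
	response, err := svc.client.Check(ctx, request)
	if err != nil {
		return nil, err
	}
	// A response with no Status decodes as code 0 (OK) on the Envoy side;
	// treat it as a failed check rather than forwarding an implicit allow.
	if response == nil || response.Status == nil {
		return nil, errors.New("upstream check returned no status")
	}
	return response, nil
```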
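Review bot: In the first server.go hunk, an unconfigured connection silently selects the local `CheckService`; the remote branch logs its target via `pls.LogNow`, but the `if` branch emits nothing visible here, so a deployment that intended to delegate to a remote authorizer and lost its connection config would quietly run under the local policy. Consider logging the mode there too, e.g. `pls.LogNow(ctx, log.Fields{"authzd": map[string]string{"mode": "local"}})`, or refusing to start when remote authz is expected. Whether local fallback is acceptable is a deployment decision the diff does not document; a comment on the `if x.IsZero(connection)` line stating that intent would help. `New` begins before these hunks and ends after them.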