From 4beee46dc6c7642316e118a4d3aa51e4b407256e Mon Sep 17 00:00:00 2001 From: mo khan Date: Tue, 20 May 2025 14:28:06 -0600 Subject: feat: add external authorization service (authzd) with JWT authentication - Add new authzd gRPC service implementing Envoy's external authorization API - Integrate JWT authentication filter in Envoy configuration with claim extraction - Update middleware to support both cookie-based and header-based user authentication - Add comprehensive test coverage for authorization service and server - Configure proper service orchestration with authzd, sparkled, and Envoy - Update build system and Docker configuration for multi-service deployment - Add grpcurl tool for gRPC service debugging and testing This enables fine-grained authorization control through Envoy's ext_authz filter while maintaining backward compatibility with existing cookie-based authentication. --- pkg/web/oidc_server.go | 23 +++++++++++++++++++---- pkg/web/oidc_server_test.go | 30 ++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 4 deletions(-) create mode 100644 pkg/web/oidc_server_test.go (limited to 'pkg/web') diff --git a/pkg/web/oidc_server.go b/pkg/web/oidc_server.go index 31ef572..86f4e7e 100644 --- a/pkg/web/oidc_server.go +++ b/pkg/web/oidc_server.go @@ -1,8 +1,10 @@ package web import ( + "net" "net/http" "strconv" + "strings" "testing" "time" @@ -20,15 +22,28 @@ type OIDCServer struct { } func NewOIDCServer(t *testing.T) *OIDCServer { - srv, err := mockoidc.Run() + srv, err := mockoidc.NewServer(nil) require.NoError(t, err) - srv.AddMiddleware(func(next http.Handler) http.Handler { + require.NoError(t, srv.AddMiddleware(func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - t.Logf("%v %v %v\n", r.Method, r.URL.Path, r.URL.Query()) + t.Logf("mockoidc: %v %v %v\n", r.Method, r.URL.Path, r.URL.Query()) next.ServeHTTP(w, r) }) - }) + })) + + ln, err := net.Listen("tcp", "127.0.0.1:0") + require.NoError(t, err) + require.NoError(t, srv.Start(ln, nil)) + if srv.Server != nil { + mux := srv.Server.Handler.(*http.ServeMux) + mux.Handle(strings.Replace(mockoidc.AuthorizationEndpoint, "/oidc", "/oidc/oauth", 1), http.HandlerFunc(srv.Authorize)) + mux.Handle(strings.Replace(mockoidc.TokenEndpoint, "/oidc", "/oidc/oauth", 1), http.HandlerFunc(srv.Token)) + mux.Handle(strings.Replace(mockoidc.UserinfoEndpoint, "/oidc", "/oidc/oauth", 1), http.HandlerFunc(srv.Userinfo)) + mux.Handle(strings.Replace(mockoidc.JWKSEndpoint, "/oidc", "/oidc/oauth", 1), http.HandlerFunc(srv.JWKS)) + mux.Handle(strings.Replace(mockoidc.DiscoveryEndpoint, "/oidc", "/oidc/oauth", 1), http.HandlerFunc(srv.Discovery)) + } + provider, err := oidc.NewProvider(t.Context(), srv.Issuer()) require.NoError(t, err) diff --git a/pkg/web/oidc_server_test.go b/pkg/web/oidc_server_test.go new file mode 100644 index 0000000..74d74d9 --- /dev/null +++ b/pkg/web/oidc_server_test.go @@ -0,0 +1,30 @@ +package web + +import ( + "net/http" + "strings" + "testing" + + "github.com/oauth2-proxy/mockoidc" + "github.com/stretchr/testify/require" +) + +func TestOIDCServer(t *testing.T) { + srv := NewOIDCServer(t) + defer srv.Close() + + t.Run("provides a working discover endpoints", func(t *testing.T) { + response, err := http.Get(srv.DiscoveryEndpoint()) + + require.NoError(t, err) + require.Equal(t, http.StatusOK, response.StatusCode) + }) + + t.Run("maps the gitlab oauth routes to the mockoidc ones", func(t *testing.T) { + url := srv.Addr() + strings.Replace(mockoidc.DiscoveryEndpoint, mockoidc.IssuerBase, mockoidc.IssuerBase+"/oauth", 1) + response, err := http.Get(url) + + require.NoError(t, err) + require.Equal(t, http.StatusOK, response.StatusCode) + }) +} -- cgit v1.2.3