From 06618131ff1de346b79df00dff2db8d449563714 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Fri, 11 Jul 2025 14:14:14 -0600
Subject: refactor: rename CheckService to LocalCheckService
---
pkg/authz/check_service.go | 152 ----------------------------------
pkg/authz/check_service_test.go | 95 ---------------------
pkg/authz/local_check_service.go | 152 ++++++++++++++++++++++++++++++++++
pkg/authz/local_check_service_test.go | 95 +++++++++++++++++++++
pkg/authz/server.go | 2 +-
5 files changed, 248 insertions(+), 248 deletions(-)
delete mode 100644 pkg/authz/check_service.go
delete mode 100644 pkg/authz/check_service_test.go
create mode 100644 pkg/authz/local_check_service.go
create mode 100644 pkg/authz/local_check_service_test.go
(limited to 'pkg')
diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
deleted file mode 100644
index 55560f5..0000000
--- a/pkg/authz/check_service.go
+++ /dev/null
@@ -1,152 +0,0 @@
-package authz
-
-import (
- "context"
- "net/http"
- "strings"
-
- core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
- auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
- types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
- "github.com/xlgmokha/x/pkg/log"
- "github.com/xlgmokha/x/pkg/x"
- "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
- status "google.golang.org/genproto/googleapis/rpc/status"
- "google.golang.org/grpc/codes"
-)
-
-var public map[string]bool = map[string]bool{
- "GET:/": true,
- "GET:/application.js": true,
- "GET:/callback": true,
- "GET:/dashboard/nav": true,
- "GET:/favicon.ico": true,
- "GET:/favicon.png": true,
- "GET:/health": true,
- "GET:/htmx.js": true,
- "GET:/index.html": true,
- "GET:/logo.png": true,
- "GET:/pico.min.css": true,
- "GET:/signout": true,
- "GET:/sparkle": true,
- "GET:/sparkles": true,
- "GET:/vue.global.js": true,
- "POST:/sparkles/restore": true,
-}
-
-type CheckService struct {
- auth.UnimplementedAuthorizationServer
-}
-
-func NewCheckService() auth.AuthorizationServer {
- return &CheckService{}
-}
-
-func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
- if svc.isAllowed(ctx, request) {
- return svc.OK(ctx), nil
- }
- return svc.Denied(ctx), nil
-}
-
-func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool {
- ok, _ := public[svc.keyFor(r.Attributes.Request.Http)]
- return ok
-}
-
-func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool {
- if !svc.validRequest(ctx, r) {
- return false
- }
-
- log.WithFields(ctx, svc.fieldsFor(r))
- return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
-}
-
-func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool {
- return x.IsPresent(r) &&
- x.IsPresent(r.Attributes) &&
- x.IsPresent(r.Attributes.Request) &&
- x.IsPresent(r.Attributes.Request.Http)
-}
-
-// TODO:: Replace this naive implementation
-func (svc *CheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) bool {
- rawCookie := r.Attributes.Request.Http.Headers["cookie"]
- if x.IsPresent(rawCookie) {
- cookies, err := http.ParseCookie(rawCookie)
- if err != nil {
- pls.LogError(ctx, err)
- return false
- }
- idTokenCookie := x.Find(cookies, func(cookie *http.Cookie) bool {
- return cookie.Name == "id_token"
- })
- if x.IsZero(idTokenCookie) {
- return false
- }
- segments := strings.SplitN(idTokenCookie.Value, ".", 3)
- if len(segments) != 3 {
- return false
- }
- idToken, err := NewIDToken(idTokenCookie.Value)
- if err != nil {
- pls.LogError(ctx, err)
- return false
- }
- if x.IsZero(idToken) {
- return false
- }
- return true
- }
- return false
-}
-
-func (svc *CheckService) OK(ctx context.Context) *auth.CheckResponse {
- log.WithFields(ctx, log.Fields{"authorized": true})
- return &auth.CheckResponse{
- Status: &status.Status{
- Code: int32(codes.OK),
- },
- HttpResponse: &auth.CheckResponse_OkResponse{
- OkResponse: &auth.OkHttpResponse{
- Headers: []*core.HeaderValueOption{},
- HeadersToRemove: []string{},
- ResponseHeadersToAdd: []*core.HeaderValueOption{},
- },
- },
- }
-}
-
-func (svc *CheckService) Denied(ctx context.Context) *auth.CheckResponse {
- log.WithFields(ctx, log.Fields{"authorized": false})
- return &auth.CheckResponse{
- Status: &status.Status{
- Code: int32(codes.PermissionDenied),
- },
- HttpResponse: &auth.CheckResponse_DeniedResponse{
- DeniedResponse: &auth.DeniedHttpResponse{
- Status: &types.HttpStatus{
- Code: types.StatusCode_Unauthorized,
- },
- Headers: []*core.HeaderValueOption{},
- },
- },
- }
-}
-
-func (svc *CheckService) fieldsFor(r *auth.CheckRequest) log.Fields {
- return log.Fields{
- "host": r.Attributes.Request.Http.Host,
- "id": r.Attributes.Request.Http.Id,
- "method": r.Attributes.Request.Http.Method,
- "path": r.Attributes.Request.Http.Path,
- "protocol": r.Attributes.Request.Http.Protocol,
- "request_id": r.Attributes.Request.Http.Headers["x-request-id"],
- "scheme": r.Attributes.Request.Http.Scheme,
- }
-}
-
-func (svc *CheckService) keyFor(r *auth.AttributeContext_HttpRequest) string {
- return strings.Join([]string{r.Method, r.Path}, ":")
-}
diff --git a/pkg/authz/check_service_test.go b/pkg/authz/check_service_test.go
deleted file mode 100644
index fc2da86..0000000
--- a/pkg/authz/check_service_test.go
+++ /dev/null
@@ -1,95 +0,0 @@ -package authz - -import ( - "strings" - "testing" - - core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" - auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - "google.golang.org/protobuf/types/known/timestamppb" -) - -func TestCheckService(t *testing.T) { - svc := NewCheckService() - - t.Run("allows access", func(t *testing.T) { - idToken := "eyJ0eXAiOiJKV1QiLCJraWQiOiJ0ZDBTbWRKUTRxUGg1cU5Lek0yNjBDWHgyVWgtd2hHLU1Eam9PS1dmdDhFIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwOi8vZ2RrLnRlc3Q6MzAwMCIsInN1YiI6IjEiLCJhdWQiOiJlMzFlMWRhMGI4ZjZiNmUzNWNhNzBjNzkwYjEzYzA0MDZlNDRhY2E2YjJiZjY3ZjU1ZGU3MzU1YTk3OWEyMjRmIiwiZXhwIjoxNzQ3OTM3OTgzLCJpYXQiOjE3NDc5Mzc4NjMsImF1dGhfdGltZSI6MTc0Nzc3NDA2Nywic3ViX2xlZ2FjeSI6IjI0NzRjZjBiMjIxMTY4OGE1NzI5N2FjZTBlMjYwYTE1OTQ0NzU0ZDE2YjFiZDQyYzlkNjc3OWM5MDAzNjc4MDciLCJuYW1lIjoiQWRtaW5pc3RyYXRvciIsIm5pY2tuYW1lIjoicm9vdCIsInByZWZlcnJlZF91c2VybmFtZSI6InJvb3QiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByb2ZpbGUiOiJodHRwOi8vZ2RrLnRlc3Q6MzAwMC9yb290IiwicGljdHVyZSI6Imh0dHBzOi8vd3d3LmdyYXZhdGFyLmNvbS9hdmF0YXIvMjU4ZDhkYzkxNmRiOGNlYTJjYWZiNmMzY2QwY2IwMjQ2ZWZlMDYxNDIxZGJkODNlYzNhMzUwNDI4Y2FiZGE0Zj9zPTgwJmQ9aWRlbnRpY29uIiwiZ3JvdXBzX2RpcmVjdCI6WyJnaXRsYWItb3JnIiwidG9vbGJveCIsIm1hc3NfaW5zZXJ0X2dyb3VwX18wXzEwMCIsImN1c3RvbS1yb2xlcy1yb290LWdyb3VwL2FhIiwiY3VzdG9tLXJvbGVzLXJvb3QtZ3JvdXAvYWEvYWFhIiwiZ251d2dldCIsIkNvbW1pdDQ1MSIsImphc2hrZW5hcyIsImZsaWdodGpzIiwidHdpdHRlciIsImdpdGxhYi1leGFtcGxlcyIsImdpdGxhYi1leGFtcGxlcy9zZWN1cml0eSIsIjQxMjcwOCIsImdpdGxhYi1leGFtcGxlcy9kZW1vLWdyb3VwIiwiY3VzdG9tLXJvbGVzLXJvb3QtZ3JvdXAiLCI0MzQwNDQtZ3JvdXAtMSIsIjQzNDA0NC1ncm91cC0yIiwiZ2l0bGFiLW9yZzEiLCJnaXRsYWItb3JnL3NlY3VyZSIsImdpdGxhYi1vcmcvc2VjdXJlL21hbmFnZXJzIiwiZ2l0bGFiLW9yZy9zZWN1cml0eS1wcm9kdWN0cyIsImdpdGxhYi1vcmcvc2VjdXJpdHktcHJvZHVjdHMvYW5hbHl6ZXJzIl19.TjTrGS5FjfPoY0HWkSLvgjogBxB27jX2beosOZAkwXi_gO3q9DTnL0csOgxjoF1UR8baPNfMFBqL1ipLxBdY9vvD
xZve-sOhoSptjzLGkCi7uQKeu7r8wNyFWNWhcLwmbinZyENGSZqIDSkHy0lGdo9oj7qqnH6sYqU46jtWACDGSHTFjNNuo1s_P2SZgkaq4c4v4jdlVV_C_Qlvtl7-eaWV1LzTpB4Mz0VWGsRx1pk3-KnS24crhBjxSE383z4Nar4ZhrsrTK-bOj33l6U32gRKNb4g6GxrPXaRQ268n37spQmbQn0aDwmUOABv-aBRy203bCCZca8BJ0XBur8t6w" - accessToken := "f88f60df11e458b594c80b299aee05f8e5805c65c3e779cc6fbc606c4ac36227" - refreshToken := "0847d325d6e4f021c4baaae0ddb425dbd8795807a4751cd2131bec8e8a9aee24" - - cookies := []string{ - "bearer_token=" + accessToken + ";", - "id_token=" + idToken + ";", - "refresh_token=" + refreshToken, - } - - response, err := svc.Check(t.Context(), &auth.CheckRequest{ - Attributes: &auth.AttributeContext{ - Source: &auth.AttributeContext_Peer{ - Address: &core.Address{ - Address: &core.Address_SocketAddress{ - SocketAddress: &core.SocketAddress{ - Address: "127.0.0.1", - PortSpecifier: &core.SocketAddress_PortValue{ - PortValue: 52358, - }, - }, - }, - }, - }, - Destination: &auth.AttributeContext_Peer{ - Address: &core.Address{ - Address: &core.Address_SocketAddress{ - SocketAddress: &core.SocketAddress{ - Address: "127.0.0.1", - PortSpecifier: &core.SocketAddress_PortValue{ - PortValue: 10000, - }, - }, - }, - }, - }, - Request: &auth.AttributeContext_Request{ - Time: ×tamppb.Timestamp{Seconds: 1747937928, Nanos: 476481000}, - Http: &auth.AttributeContext_HttpRequest{ - Id: "1248474133684962828", - Method: "GET", - Headers: map[string]string{ - ":authority": "localhost:10000", - ":method": "GET", - ":path": "/health", - ":scheme": "http", - "accept": "*/*", - "accept-encoding": "gzip, deflate, br, zstd", - "accept-language": "en-US,en;q=0.9", - "cache-control": "max-age=0", - "content-length": "64", - "content-type": "application/json", - "cookie": strings.Join(cookies, "; "), - "origin": "http://localhost:10000", - "referer": "http://localhost:10000/dashboard", - "sec-ch-ua-mobile": "?0", - "sec-ch-ua-platform": "Linux", - "sec-fetch-dest": "empty", - "sec-fetch-mode": "cors", - "sec-fetch-site": "same-origin", - 
"x-forwarded-proto": "http", - "x-request-id": "7e064610-9e19-4a38-8354-0de0b5fbd7c6", - }, - Path: "/health", - Host: "localhost:10000", - Scheme: "http", - Protocol: "HTTP/1.1", - }, - }, - MetadataContext: &core.Metadata{}, - RouteMetadataContext: &core.Metadata{}, - }, - }) - - require.NoError(t, err) - assert.NotNil(t, response.GetOkResponse()) - }) -} diff --git a/pkg/authz/local_check_service.go b/pkg/authz/local_check_service.go new file mode 100644 index 0000000..e165143 --- /dev/null +++ b/pkg/authz/local_check_service.go 
@@ -0,0 +1,152 @@
+package authz
+
+import (
+ "context"
+ "net/http"
+ "strings"
+
+ core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
+ "github.com/xlgmokha/x/pkg/log"
+ "github.com/xlgmokha/x/pkg/x"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+ status "google.golang.org/genproto/googleapis/rpc/status"
+ "google.golang.org/grpc/codes"
+)
+
+var public map[string]bool = map[string]bool{
+ "GET:/": true,
+ "GET:/application.js": true,
+ "GET:/callback": true,
+ "GET:/dashboard/nav": true,
+ "GET:/favicon.ico": true,
+ "GET:/favicon.png": true,
+ "GET:/health": true,
+ "GET:/htmx.js": true,
+ "GET:/index.html": true,
+ "GET:/logo.png": true,
+ "GET:/pico.min.css": true,
+ "GET:/signout": true,
+ "GET:/sparkle": true,
+ "GET:/sparkles": true,
+ "GET:/vue.global.js": true,
+ "POST:/sparkles/restore": true,
+}
+
+type LocalCheckService struct {
+ auth.UnimplementedAuthorizationServer
+}
+
+func NewLocalCheckService() auth.AuthorizationServer {
+ return &LocalCheckService{}
+}
+
+func (svc *LocalCheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
+ if svc.isAllowed(ctx, request) {
+ return svc.OK(ctx), nil
+ }
+ return svc.Denied(ctx), nil
+}
+
+func (svc *LocalCheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool {
+ ok, _ := public[svc.keyFor(r.Attributes.Request.Http)]
+ return ok
+}
+
+func (svc *LocalCheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool {
+ if !svc.validRequest(ctx, r) {
+ return false
+ }
+
+ log.WithFields(ctx, svc.fieldsFor(r))
+ return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
+}
+
+func (svc *LocalCheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool {
+ return x.IsPresent(r) &&
+ x.IsPresent(r.Attributes) &&
+ x.IsPresent(r.Attributes.Request) &&
+ x.IsPresent(r.Attributes.Request.Http)
+}
+
+// TODO:: Replace this naive implementation
+func (svc *LocalCheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) bool {
+ rawCookie := r.Attributes.Request.Http.Headers["cookie"]
+ if x.IsPresent(rawCookie) {
+ cookies, err := http.ParseCookie(rawCookie)
+ if err != nil {
+ pls.LogError(ctx, err)
+ return false
+ }
+ idTokenCookie := x.Find(cookies, func(cookie *http.Cookie) bool {
+ return cookie.Name == "id_token"
+ })
+ if x.IsZero(idTokenCookie) {
+ return false
+ }
+ segments := strings.SplitN(idTokenCookie.Value, ".", 3)
+ if len(segments) != 3 {
+ return false
+ }
+ idToken, err := NewIDToken(idTokenCookie.Value)
+ if err != nil {
+ pls.LogError(ctx, err)
+ return false
+ }
+ if x.IsZero(idToken) {
+ return false
+ }
+ return true
+ }
+ return false
+}
+
+func (svc *LocalCheckService) OK(ctx context.Context) *auth.CheckResponse {
+ log.WithFields(ctx, log.Fields{"authorized": true})
+ return &auth.CheckResponse{
+ Status: &status.Status{
+ Code: int32(codes.OK),
+ },
+ HttpResponse: &auth.CheckResponse_OkResponse{
+ OkResponse: &auth.OkHttpResponse{
+ Headers: []*core.HeaderValueOption{},
+ HeadersToRemove: []string{},
+ ResponseHeadersToAdd: []*core.HeaderValueOption{},
+ },
+ },
+ }
+}
+
+func (svc *LocalCheckService) Denied(ctx context.Context) *auth.CheckResponse {
+ log.WithFields(ctx, log.Fields{"authorized": false})
+ return &auth.CheckResponse{
+ Status: &status.Status{
+ Code: int32(codes.PermissionDenied),
+ },
+ HttpResponse: &auth.CheckResponse_DeniedResponse{
+ DeniedResponse: &auth.DeniedHttpResponse{
+ Status: &types.HttpStatus{
+ Code: types.StatusCode_Unauthorized,
+ },
+ Headers: []*core.HeaderValueOption{},
+ },
+ },
+ }
+}
+
+func (svc *LocalCheckService) fieldsFor(r *auth.CheckRequest) log.Fields {
+ return log.Fields{
+ "host": r.Attributes.Request.Http.Host,
+ "id": r.Attributes.Request.Http.Id,
+ "method": r.Attributes.Request.Http.Method,
+ "path": r.Attributes.Request.Http.Path,
+ "protocol": r.Attributes.Request.Http.Protocol,
+ "request_id": r.Attributes.Request.Http.Headers["x-request-id"],
+ "scheme": r.Attributes.Request.Http.Scheme,
+ }
+}
+
+func (svc *LocalCheckService) keyFor(r *auth.AttributeContext_HttpRequest) string {
+ return strings.Join([]string{r.Method, r.Path}, ":")
+}
diff --git a/pkg/authz/local_check_service_test.go b/pkg/authz/local_check_service_test.go
new file mode 100644
index 0000000..eb633d4
--- /dev/null
+++ b/pkg/authz/local_check_service_test.go
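Review bot: isLoggedIn treats a request as authenticated as soon as the id_token cookie splits into three segments and NewIDToken returns a non-zero value without an error; no signature, expiry, issuer or audience check is visible in this file. NewIDToken is defined outside this diff, so it may verify more than this, but if it only decodes the token then any well-formed value passes every route that is not in `public`. Since the server.go hunk registers this service whenever no authzd connection is configured, the limitation should be stated where readers will see it: replace the TODO with `// isLoggedIn only checks that the id_token cookie parses as a three-segment token; it does not verify signature, expiry, issuer or audience.` and add a doc comment on the exported LocalCheckService saying it is the fallback used when no connection is present.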
@@ -0,0 +1,95 @@
+package authz
+
+import (
+ "strings"
+ "testing"
+
+ core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/protobuf/types/known/timestamppb"
+)
+
+func TestLocalCheckService(t *testing.T) {
+ svc := NewLocalCheckService()
+
+ t.Run("allows access", func(t *testing.T) {
+ idToken := "eyJ0eXAiOiJKV1QiLCJraWQiOiJ0ZDBTbWRKUTRxUGg1cU5Lek0yNjBDWHgyVWgtd2hHLU1Eam9PS1dmdDhFIiwiYWxnIjoiUlMyNTYifQ.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.TjTrGS5FjfPoY0HWkSLvgjogBxB27jX2beosOZAkwXi_gO3q9DTnL0csOgxjoF1UR8baPNfMFBqL1ipLxBdY9vvDxZve-sOhoSptjzLGkCi7uQKeu7r8wNyFWNWhcLwmbinZyENGSZqIDSkHy0lGdo9oj7qqnH6sYqU46jtWACDGSHTFjNNuo1s_P2SZgkaq4c4v4jdlVV_C_Qlvtl7-eaWV1LzTpB4Mz0VWGsRx1pk3-KnS24crhBjxSE383z4Nar4ZhrsrTK-bOj33l6U32gRKNb4g6GxrPXaRQ268n37spQmbQn0aDwmUOABv-aBRy203bCCZca8BJ0XBur8t6w"
+ accessToken := "f88f60df11e458b594c80b299aee05f8e5805c65c3e779cc6fbc606c4ac36227"
+ refreshToken := "0847d325d6e4f021c4baaae0ddb425dbd8795807a4751cd2131bec8e8a9aee24"
+
+ cookies := []string{
+ "bearer_token=" + accessToken + ";",
+ "id_token=" + idToken + ";",
+ "refresh_token=" + refreshToken,
+ }
+
+ response, err := svc.Check(t.Context(), &auth.CheckRequest{
+ Attributes: &auth.AttributeContext{
+ Source: &auth.AttributeContext_Peer{
+ Address: &core.Address{
+ Address: &core.Address_SocketAddress{
+ SocketAddress: &core.SocketAddress{
+ Address: "127.0.0.1",
+ PortSpecifier: &core.SocketAddress_PortValue{
+ PortValue: 52358,
+ },
+ },
+ },
+ },
+ },
+ Destination: &auth.AttributeContext_Peer{
+ Address: &core.Address{
+ Address: &core.Address_SocketAddress{
+ SocketAddress: &core.SocketAddress{
+ Address: "127.0.0.1",
+ PortSpecifier: &core.SocketAddress_PortValue{
+ PortValue: 10000,
+ },
+ },
+ },
+ },
+ },
+ Request: &auth.AttributeContext_Request{
+ Time: ×tamppb.Timestamp{Seconds: 1747937928, Nanos: 476481000},
+ Http: &auth.AttributeContext_HttpRequest{
+ Id: "1248474133684962828",
+ Method: "GET",
+ Headers: map[string]string{
+ ":authority": "localhost:10000",
+ ":method": "GET",
+ ":path": "/health",
+ ":scheme": "http",
+ "accept": "*/*",
+ "accept-encoding": "gzip, deflate, br, zstd",
+ "accept-language": "en-US,en;q=0.9",
+ "cache-control": "max-age=0",
+ "content-length": "64",
+ "content-type": "application/json",
+ "cookie": strings.Join(cookies, "; "),
+ "origin": "http://localhost:10000",
+ "referer": "http://localhost:10000/dashboard",
+ "sec-ch-ua-mobile": "?0",
+ "sec-ch-ua-platform": "Linux",
+ "sec-fetch-dest": "empty",
+ "sec-fetch-mode": "cors",
+ "sec-fetch-site": "same-origin",
+ "x-forwarded-proto": "http",
+ "x-request-id": "7e064610-9e19-4a38-8354-0de0b5fbd7c6",
+ },
+ Path: "/health",
+ Host: "localhost:10000",
+ Scheme: "http",
+ Protocol: "HTTP/1.1",
+ },
+ },
+ MetadataContext: &core.Metadata{},
+ RouteMetadataContext: &core.Metadata{},
+ },
+ })
+
+ require.NoError(t, err)
+ assert.NotNil(t, response.GetOkResponse())
+ })
+}
diff --git a/pkg/authz/server.go b/pkg/authz/server.go
index 434d233..6eedcca 100644
--- a/pkg/authz/server.go
+++ b/pkg/authz/server.go
@@ -30,7 +30,7 @@ func New(ctx context.Context, options ...grpc.ServerOption) *Server {
 connection := Connection.From(ctx)
 if x.IsZero(connection) {
- auth.RegisterAuthorizationServer(server, NewCheckService())
+ auth.RegisterAuthorizationServer(server, NewLocalCheckService())
 } else {
 pls.LogNow(ctx, log.Fields{"authzd": map[string]string{
 "target": connection.CanonicalTarget(),
-- cgit v1.2.3
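Review bot: The only subtest requests `GET /health`, which is listed in `public`, so Check returns OK through isPublic and the cookie handling in isLoggedIn is never reached; the test would still pass with the cookie header removed. Add subtests for a path that is not in `public`: one with a valid id_token expecting an OK response, and a deny case for a missing cookie (sketched below) plus one for a malformed id_token. The idToken, accessToken and refreshToken literals also look like values captured from a running instance, so a fixture constructed inside the test would be easier to reason about and to rotate.

```go
// … unchanged: "allows access" subtest …

t.Run("denies a non-public path without an id_token cookie", func(t *testing.T) {
	response, err := svc.Check(t.Context(), &auth.CheckRequest{
		Attributes: &auth.AttributeContext{
			Request: &auth.AttributeContext_Request{
				Http: &auth.AttributeContext_HttpRequest{
					Method:  "GET",
					Path:    "/dashboard", // not present in the public map
					Headers: map[string]string{},
				},
			},
		},
	})

	require.NoError(t, err)
	assert.NotNil(t, response.GetDeniedResponse())
})
```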