authorize: add authorization (#59)

* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.
 * docs: updated `env.example` to include a `POLICY` setting example.
 * docs:  added `IDP_SERVICE_ACCOUNT` to  `env.example` .
 * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`.
 * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files.
 * proxy: `ROUTES` settings which has been replaced by `POLICY`.
* internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one.

Closes #54
Closes #41
Closes #61
Closes #58

internal/log/log.go

@@ -110,3 +110,19 @@ func Ctx(ctx context.Context) *zerolog.Logger {
 func FromRequest(r *http.Request) *zerolog.Logger {
 	return Ctx(r.Context())
 }
+
+// StdLogWrapper can be used to wrap logs originating from the from std
+// library's ErrorFunction argument in http.Serve and httputil.ReverseProxy.
+type StdLogWrapper struct {
+	*zerolog.Logger
+}
+
+func (l *StdLogWrapper) Write(p []byte) (n int, err error) {
+	n = len(p)
+	if n > 0 && p[n-1] == '\n' {
+		// Trim CR added by stdlog.
+		p = p[0 : n-1]
+	}
+	l.Error().Msg(string(p))
+	return len(p), nil
+}