pomerium/internal/grpc/authorize/client/authorize_client.go
Bobby DeSimone 8d1732582e
authorize: use jwt insead of state struct (#514)
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy:  move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-10 11:19:26 -07:00


// Package client implements a gRPC client for the authorization service.
package client
import (
	"context"
	"errors"
	"net/http"

	"github.com/pomerium/pomerium/internal/grpc/authorize"
	pb "github.com/pomerium/pomerium/internal/grpc/authorize"
	"github.com/pomerium/pomerium/internal/telemetry/trace"
	"google.golang.org/grpc"
)
// Authorizer provides the authorize service interface: the single decision
// point the proxy consults before forwarding a request.
type Authorizer interface {
	// Authorize takes a route and user session and returns whether the
	// request is valid per access policy. user is the raw session token
	// and r the inbound request being described to the policy engine;
	// the reply carries the decision, the error any transport failure.
	Authorize(ctx context.Context, user string, r *http.Request) (*pb.IsAuthorizedReply, error)
	// Close closes the auth connection if any.
	Close() error
}
// Client is a gRPC implementation of an authenticator (authorize client).
// The connection is dialed by the caller of New; this package only uses
// it and closes it in Close, so transport security (TLS, credentials) is
// whatever the caller configured on conn.
type Client struct {
	conn   *grpc.ClientConn    // connection handed to New; closed by Close
	client pb.AuthorizerClient // generated stub bound to conn
}
// New returns a new authorize service client whose Authorize calls are
// issued over conn. The returned error is always nil; the result shape is
// kept so callers can treat it like other fallible constructors.
func New(conn *grpc.ClientConn) (p *Client, err error) {
	p = &Client{conn: conn}
	p.client = pb.NewAuthorizerClient(conn)
	return p, nil
}
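// Authorize takes a route and user session and returns whether the
// request is valid per access policy.
//
// The whole request is described to the authorize service: host, method,
// remote address, request URI, full URL and a copy of every header (see
// cloneHeaders). user is sent verbatim as UserToken; it is neither parsed
// nor validated here, the authorize service does that.
//
// A trace span named "grpc.authorize.client.Authorize" wraps the RPC.
// A nil r, or an r whose URL is nil, yields an error rather than a panic;
// any error from the IsAuthorized RPC is returned unchanged.
func (c *Client) Authorize(ctx context.Context, user string, r *http.Request) (*pb.IsAuthorizedReply, error) {
	ctx, span := trace.StartSpan(ctx, "grpc.authorize.client.Authorize")
	defer span.End()

	// Guard before dereferencing: a bad caller must not take the proxy
	// down with a nil-pointer panic on the authorization path.
	if r == nil || r.URL == nil {
		return nil, errors.New("authorize: nil request")
	}

	// r.RemoteAddr is the immediate peer as seen by this server (a load
	// balancer's address if one sits in front), not necessarily the end
	// user; it is passed through as-is for the policy engine to interpret.
	in := &pb.IsAuthorizedRequest{
		UserToken:         user,
		RequestHost:       r.Host,
		RequestMethod:     r.Method,
		RequestHeaders:    cloneHeaders(r.Header),
		RequestRemoteAddr: r.RemoteAddr,
		RequestRequestUri: r.RequestURI,
		RequestUrl:        r.URL.String(),
	}
	return c.client.IsAuthorized(ctx, in)
}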
// Close tears down the ClientConn and all underlying connections.
func (c *Client) Close() error {
	err := c.conn.Close()
	return err
}
// protoHeader is the wire shape of request headers in IsAuthorizedRequest:
// header name to its list of values.
type protoHeader map[string]*authorize.IsAuthorizedRequest_Headers
// cloneHeaders converts an http.Header into the repeated-value header map
// carried by IsAuthorizedRequest. Every header is copied without
// filtering, so the complete header set (including any credential-bearing
// headers such as Cookie) crosses the gRPC connection to the authorize
// service; a caller that must keep a header inside the proxy has to strip
// it before Authorize is called. Value slices are copied, so the result
// never aliases in.
func cloneHeaders(in http.Header) protoHeader {
	out := make(protoHeader, len(in))
	for name, vals := range in {
		// Append onto a fresh, pre-sized slice: this detaches from in's
		// backing array and stays non-nil even for an empty value list.
		copied := append(make([]string, 0, len(vals)), vals...)
		out[name] = &pb.IsAuthorizedRequest_Headers{Value: copied}
	}
	return out
}