[Feature] add Access Token Authorization for gRPC Proxy Handler

Signed-off-by: kpango <kpango@vdaas.org>

Author: kpango

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23-alpine AS base
+FROM golang:1.25-alpine AS base
 
 RUN set -eux \
     && apk --no-cache add ca-certificates \
@@ -13,7 +13,7 @@ RUN GO111MODULE=on go mod download
 
 FROM base AS builder
 
-ENV APP_NAME authorization-proxy
+ENV APP_NAME=authorization-proxy
 ARG APP_VERSION='development version'
 
 COPY . .
@@ -39,9 +39,9 @@ RUN ldd "/usr/bin/${APP_NAME}"\
 # Start From Scratch For Running Environment
 FROM scratch
 # FROM alpine:latest
-LABEL maintainer "cncf-athenz-maintainers@lists.cncf.io"
+LABEL maintainer="cncf-athenz-maintainers@lists.cncf.io"
 
-ENV APP_NAME authorization-proxy
+ENV APP_NAME=authorization-proxy
 
 # Copy certificates for SSL/TLS
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

Makefile

@@ -3,6 +3,26 @@
 # .PHONY: all clean bench bench-all profile lint test contributors update install
 .PHONY: deps test coverage
 
+
+ROOTDIR = $(eval ROOTDIR := $(shell git rev-parse --show-toplevel))$(ROOTDIR)
+GITHUB_ACCESS_TOKEN = $(eval GITHUB_ACCESS_TOKEN := $(shell pass github.api.ro.token))$(GITHUB_ACCESS_TOKEN)
+GITHUB_SHA = $(eval GITHUB_SHA := $(shell git rev-parse HEAD))$(GITHUB_SHA)
+GITHUB_URL = https://github.com/AthenZ/authorization-proxy
+EMAIL = cncf-athenz-maintainers@lists.cncf.io
+
+DOCKERFILE = $(ROOTDIR)/Dockerfile
+DOCKER_EXTRA_OPTS = ""
+DOCKER_BUILDER_NAME = "athenz-builder"
+DOCKER_BUILDER_DRIVER = "docker-container"
+DOCKER_BUILDER_PLATFORM = "linux/amd64"
+DOCKER_IMAGE_REPO = AthenZ
+DOCKER_IMAGE_NAME = authorization-proxy
+
+VERSION = latest
+
+GOPATH := $(eval GOPATH := $(shell go env GOPATH))$(GOPATH)
+GOLINES_MAX_WIDTH     ?= 200
+
 # all: clean install lint test bench
 
 # clean:
@@ -51,3 +71,74 @@ check-license-header:
 	# go install github.com/apache/skywalking-eyes/cmd/license-eye@latest
 	license-eye -c .licenserc.yaml header check
 	# license-eye -c .licenserc.yaml header fix
+
+docker_build:
+	@make DOCKER_BUILDER_NAME=$(DOCKER_BUILDER_NAME) create_buildx
+	$(eval TMP_DIR := $(shell mktemp -d))
+	@echo $(GITHUB_ACCESS_TOKEN) > $(TMP_DIR)/gat
+	@chmod 600 $(TMP_DIR)/gat
+	DOCKER_BUILDKIT=1 docker buildx build \
+		--allow "network.host" \
+		--build-arg BUILDKIT_MULTI_PLATFORM=1 \
+		--build-arg EMAIL="$(EMAIL)" \
+		--builder "$(DOCKER_BUILDER_NAME)" \
+		--label org.opencontainers.image.revision="$(GITHUB_SHA)" \
+		--label org.opencontainers.image.source="$(GITHUB_URL)" \
+		--label org.opencontainers.image.title="$(DOCKER_IMAGE_REPO)/$(DOCKER_IMAGE_NAME)" \
+		--label org.opencontainers.image.url="$(GITHUB_URL)" \
+		--label org.opencontainers.image.version="$(VERSION)" \
+		--memory 32G \
+		--memory-swap 32G \
+		--network=host \
+		--output type=registry,oci-mediatypes=true,compression=zstd,compression-level=5,force-compression=true,push=true \
+		--platform $(DOCKER_BUILDER_PLATFORM) \
+		--attest type=sbom,generator=docker/buildkit-syft-scanner:edge \
+		--provenance=mode=max \
+		-t "$(DOCKER_IMAGE_REPO)/$(DOCKER_IMAGE_NAME):$(VERSION)" \
+		-f $(DOCKERFILE) .
+	docker buildx rm --force "$(DOCKER_BUILDER_NAME)"
+	@rm -rf $(TMP_DIR)
+
+
+init_buildx:
+	docker run \
+		--network=host \
+		--privileged \
+		--rm tonistiigi/binfmt:master \
+		--install $(DOCKER_BUILDER_PLATFORM)
+
+create_buildx:
+	-docker buildx rm --force $(DOCKER_BUILDER_NAME)
+	docker buildx create --use \
+		--name $(DOCKER_BUILDER_NAME) \
+		--driver $(DOCKER_BUILDER_DRIVER) \
+		--driver-opt=image=moby/buildkit:master \
+		--driver-opt=network=host \
+		--buildkitd-flags="--oci-worker-gc=false --oci-worker-snapshotter=stargz" \
+		--platform $(DOCKER_BUILDER_PLATFORM) \
+		--bootstrap
+	# make add_nodes
+	docker buildx ls
+	docker buildx inspect --bootstrap $(DOCKER_BUILDER_NAME)
+	sudo chown -R $(USER):$(GROUP_ID) "$(HOME)/.docker"
+
+remove_buildx:
+	-docker buildx rm --force --all-inactive
+	sudo rm -rf $(HOME)/.docker/buildx
+	docker buildx ls
+
+do_build:
+	@make DOCKERFILE="$(ROOTDIR)/Dockerfile" NAME="$(NAME)" DOCKER_BUILDER_NAME="$(DOCKER_BUILDER_NAME)-$(NAME)" docker_build
+
+build: \
+	remove_buildx \
+	init_buildx \
+	create_buildx
+	@make NAME="authorization-proxy" do_build
+	@make remove_buildx
+
+format:
+	find ./ -type d -name .git -prune -o -type f -regex '.*[^\.pb]\.go' -print | xargs $(GOPATH)/bin/golines -w -m $(GOLINES_MAX_WIDTH)
+	find ./ -type d -name .git -prune -o -type f -regex '.*[^\.pb]\.go' -print | xargs $(GOPATH)/bin/gofumpt -w
+	find ./ -type d -name .git -prune -o -type f -regex '.*[^\.pb]\.go' -print | xargs $(GOPATH)/bin/strictgoimports -w
+	find ./ -type d -name .git -prune -o -type f -regex '.*\.go' -print | xargs $(GOPATH)/bin/goimports -w

README.md

@@ -34,7 +34,7 @@ Client request can be authenticated and authorized by:
 1. Role token in the HTTP/HTTPS request header
 1. Role certificate on mTLS
 
-Requires go 1.23 or later.
+Requires go 1.25 or later.
 
 ## Use case
 

config/config.go

@@ -278,14 +278,17 @@ type AccessToken struct {
 
 	// CertOffsetDuration represents the certificate issue time offset when comparing with the issue time of the access token. (for usecase: new cert + old token)
 	CertOffsetDuration string `yaml:"certOffsetDuration"`
+
+	// AccessTokenAuthHeader represents the request header key for extracting the access token.
+	AccessTokenAuthHeader string `yaml:"accessTokenAuthHeader"`
 }
 
 // RoleToken represents the configuration to control role token verification.
 type RoleToken struct {
 	// Enable decides whether to verify role token.
 	Enable bool `yaml:"enable"`
 
-	// RoleAuthHeader represents the HTTP header for extracting the role token.
+	// RoleAuthHeader represents the request header key for extracting the role token.
 	RoleAuthHeader string `yaml:"roleAuthHeader"`
 }
 

go.mod

@@ -1,89 +1,99 @@
 module github.com/AthenZ/authorization-proxy/v4
 
-go 1.23.4
+go 1.25.1
 
 replace (
-	cloud.google.com/go => cloud.google.com/go v0.112.2
-	github.com/golang/mock => github.com/golang/mock v1.6.0
-	github.com/golang/protobuf => github.com/golang/protobuf v1.5.4
-	github.com/google/go-cmp => github.com/google/go-cmp v0.6.0
-	github.com/google/pprof => github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd
-	github.com/prometheus/common => github.com/prometheus/common v0.48.0
-	golang.org/x/exp => golang.org/x/exp v0.0.0-20240409090435-93d18d7e34b8
-	golang.org/x/image => golang.org/x/image v0.15.0
-	golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
-	golang.org/x/mobile => golang.org/x/mobile v0.0.0-20240404231514-09dbf07665ed
-	golang.org/x/mod => golang.org/x/mod v0.17.0
-	golang.org/x/oauth2 => golang.org/x/oauth2 v0.19.0
-	golang.org/x/term => golang.org/x/term v0.19.0
-	golang.org/x/text => golang.org/x/text v0.14.0
-	golang.org/x/time => golang.org/x/time v0.5.0
-	golang.org/x/tools => golang.org/x/tools v0.20.0
-	golang.org/x/xerrors => golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
-	google.golang.org/api => google.golang.org/api v0.172.0
-	google.golang.org/appengine => google.golang.org/appengine v1.6.8
-	google.golang.org/genproto => google.golang.org/genproto v0.0.0-20240412170617-26222e5d3d56
-	google.golang.org/grpc => google.golang.org/grpc v1.63.2
-	google.golang.org/protobuf => google.golang.org/protobuf v1.33.0
+	cloud.google.com/go => cloud.google.com/go v0.123.0
+	github.com/AthenZ/athenz-authorizer/v5 => github.com/AthenZ/athenz-authorizer/v5 v5.7.0
+	github.com/kpango/gache/v2 => github.com/kpango/gache/v2 v2.1.1
+	github.com/kpango/glg => github.com/kpango/glg v1.6.15
+	github.com/mwitkow/grpc-proxy => github.com/mwitkow/grpc-proxy v0.0.0-20250813121105-2866842de9a5
+	github.com/pkg/errors => github.com/pkg/errors v0.9.1
+	github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.23.2
+	github.com/prometheus/client_model => github.com/prometheus/client_model v0.6.2
+	golang.org/x/sync => golang.org/x/sync v0.17.0
+	google.golang.org/grpc => google.golang.org/grpc v1.75.1
+	google.golang.org/protobuf => google.golang.org/protobuf v1.36.9
+	gopkg.in/yaml.v2 => gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
-	github.com/AthenZ/athenz-authorizer/v5 v5.7.0
+	github.com/AthenZ/athenz-authorizer/v5 v5.0.0-00010101000000-000000000000
+	github.com/kpango/gache/v2 v2.1.0
 	github.com/kpango/glg v1.6.15
-	github.com/mwitkow/grpc-proxy v0.0.0-20181017164139-0f1106ef9c76
+	github.com/mwitkow/grpc-proxy v0.0.0-00010101000000-000000000000
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.19.1
-	github.com/prometheus/client_model v0.5.0
-	golang.org/x/sync v0.12.0
-	google.golang.org/grpc v1.71.0
-	google.golang.org/protobuf v1.36.5
+	github.com/prometheus/client_golang v1.20.4
+	github.com/prometheus/client_model v0.6.2
+	golang.org/x/sync v0.17.0
+	google.golang.org/grpc v1.75.1
+	google.golang.org/protobuf v1.36.9
 	gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
-	github.com/AthenZ/athenz v1.12.13 // indirect
+	github.com/AthenZ/athenz v1.12.26 // indirect
 	github.com/ardielle/ardielle-go v1.5.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
-	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
-	github.com/kpango/fastime v1.1.9 // indirect
-	github.com/kpango/gache/v2 v2.1.1 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/kpango/fastime v1.1.10 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/dsig v1.0.0 // indirect
+	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
-	github.com/lestrrat-go/httprc/v3 v3.0.0-beta1 // indirect
-	github.com/lestrrat-go/jwx/v3 v3.0.0 // indirect
+	github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect
+	github.com/lestrrat-go/jwx/v3 v3.0.11 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/prometheus/common v0.48.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
-	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
+	github.com/theparanoids/crypki v1.20.9 // indirect
+	github.com/valyala/fastjson v1.6.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250227231956-55c901821b1e // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/net v0.44.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apimachinery v0.32.3 // indirect
-	k8s.io/client-go v0.32.3 // indirect
+	k8s.io/apimachinery v0.34.1 // indirect
+	k8s.io/client-go v0.34.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )

go.mod.default

@@ -1,37 +1,18 @@
 module github.com/AthenZ/authorization-proxy/v4
 
-go 1.23.4
+go 1.25.1
 
 replace (
-	cloud.google.com/go => cloud.google.com/go latest
-	github.com/golang/mock => github.com/golang/mock latest
-	github.com/golang/protobuf => github.com/golang/protobuf latest
-	github.com/google/go-cmp => github.com/google/go-cmp latest
-	github.com/google/pprof => github.com/google/pprof latest
-	github.com/mwitkow/grpc-proxy => github.com/mwitkow/grpc-proxy 0f1106ef9c766333b9acb4b81e705da4bade7215
-	golang.org/x/crypto => golang.org/x/crypto latest
-	golang.org/x/exp => golang.org/x/exp latest
-	golang.org/x/image => golang.org/x/image latest
-	golang.org/x/lint => golang.org/x/lint latest
-	golang.org/x/mobile => golang.org/x/mobile latest
-	golang.org/x/mod => golang.org/x/mod latest
-	golang.org/x/net => golang.org/x/net latest
-	golang.org/x/oauth2 => golang.org/x/oauth2 latest
-	golang.org/x/sync => golang.org/x/sync latest
-	golang.org/x/sys => golang.org/x/sys latest
-	golang.org/x/term => golang.org/x/term latest
-	golang.org/x/text => golang.org/x/text latest
-	golang.org/x/time => golang.org/x/time latest
-	golang.org/x/tools => golang.org/x/tools latest
-	golang.org/x/xerrors => golang.org/x/xerrors latest
-	google.golang.org/api => google.golang.org/api latest
-	google.golang.org/appengine => google.golang.org/appengine latest
-	google.golang.org/genproto => google.golang.org/genproto latest
-	google.golang.org/grpc => google.golang.org/grpc latest
-	google.golang.org/protobuf => google.golang.org/protobuf latest
-)
-
-require (
-	github.com/AthenZ/athenz-authorizer/v5 latest
-	github.com/mwitkow/grpc-proxy v0.0.0-20181017164139-0f1106ef9c76
+	cloud.google.com/go => cloud.google.com/go upgrade
+	github.com/AthenZ/athenz-authorizer/v5 => github.com/AthenZ/athenz-authorizer/v5 upgrade
+	github.com/kpango/gache/v2 => github.com/kpango/gache/v2 upgrade
+	github.com/kpango/glg => github.com/kpango/glg upgrade
+	github.com/mwitkow/grpc-proxy => github.com/mwitkow/grpc-proxy master
+	github.com/pkg/errors => github.com/pkg/errors upgrade
+	github.com/prometheus/client_golang => github.com/prometheus/client_golang upgrade
+	github.com/prometheus/client_model => github.com/prometheus/client_model upgrade
+	golang.org/x/sync => golang.org/x/sync upgrade
+	google.golang.org/grpc => google.golang.org/grpc upgrade
+	google.golang.org/protobuf => google.golang.org/protobuf upgrade
+	gopkg.in/yaml.v2 => gopkg.in/yaml.v2 upgrade
 )