feat(xds): Implement response handling for external authorization

This commit introduces the `CheckResponseHandler` and `AuthzResponse` classes, which are responsible for processing responses from the external authorization service.

The `CheckResponseHandler` parses the `CheckResponse` protobuf, determines whether the request should be allowed or denied, and applies any header mutations specified in the response. It handles both `OkHttpResponse` and `DeniedHttpResponse` messages.

The `AuthzResponse` class is a value object that represents the outcome of the authorization check, encapsulating the decision (allow or deny), the status to be returned to the client (for deny decisions), and any header mutations.

This commit also includes unit tests for the new components.

Author: sauravzg

xds/src/main/java/io/grpc/xds/internal/extauthz/AuthzResponse.java

@@ -0,0 +1,91 @@
+/*
+ * Copyright 2025 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal.extauthz;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.collect.ImmutableList;
+import io.grpc.Metadata;
+import io.grpc.Status;
+import io.grpc.xds.internal.headermutations.HeaderMutations.ResponseHeaderMutations;
+import java.util.Optional;
+
+/**
+ * Represents the outcome of an authorization check, detailing whether the request is allowed or
+ * denied and including any associated headers or status information.
+ */
+@AutoValue
+public abstract class AuthzResponse {
+
+  /** Defines the authorization decision. */
+  public enum Decision {
+    /** The request is permitted. */
+    ALLOW,
+    /** The request is rejected. */
+    DENY,
+  }
+
+  /** Creates a builder for an ALLOW response, initializing with the specified headers. */
+  public static Builder allow(Metadata headers) {
+    return new AutoValue_AuthzResponse.Builder().setDecision(Decision.ALLOW)
+        .setResponseHeaderMutations(ResponseHeaderMutations.create(ImmutableList.of()))
+        .setHeaders(headers);
+  }
+
+  /** Creates a builder for a DENY response, initializing with the specified status. */
+  public static Builder deny(Status status) {
+    return new AutoValue_AuthzResponse.Builder().setDecision(Decision.DENY)
+        .setResponseHeaderMutations(ResponseHeaderMutations.create(ImmutableList.of()))
+        .setStatus(status);
+  }
+
+  /** Returns the authorization decision. */
+  public abstract Decision decision();
+
+  /**
+   * For DENY decisions, this provides the status to be returned to the calling client. It is empty
+   * for ALLOW decisions.
+   */
+  public abstract Optional<Status> status();
+
+  /**
+   * For ALLOW decisions, this provides the headers to be appended to the request headers for
+   * upstream. It is empty for DENY decisions.
+   */
+  public abstract Optional<Metadata> headers();
+
+  /**
+   * Returns mutations to be applied to the response headers. This is used for both ALLOW and DENY
+   * decisions.
+   */
+  public abstract ResponseHeaderMutations responseHeaderMutations();
+
+  /** Builder for creating {@link AuthzResponse} instances. */
+  @AutoValue.Builder
+  public abstract static class Builder {
+
+    abstract Builder setDecision(Decision decision);
+
+    abstract Builder setStatus(Status status);
+
+    abstract Builder setHeaders(Metadata headers);
+
+    public abstract Builder setResponseHeaderMutations(
+        ResponseHeaderMutations responseHeaderMutations);
+
+    public abstract AuthzResponse build();
+  }
+}

xds/src/main/java/io/grpc/xds/internal/extauthz/CheckResponseHandler.java

@@ -0,0 +1,148 @@
+/*
+ * Copyright 2025 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal.extauthz;
+
+import com.google.common.collect.ImmutableList;
+import io.envoyproxy.envoy.service.auth.v3.CheckResponse;
+import io.envoyproxy.envoy.service.auth.v3.DeniedHttpResponse;
+import io.envoyproxy.envoy.service.auth.v3.OkHttpResponse;
+import io.grpc.Metadata;
+import io.grpc.Status;
+import io.grpc.internal.GrpcUtil;
+import io.grpc.xds.internal.headermutations.HeaderMutationDisallowedException;
+import io.grpc.xds.internal.headermutations.HeaderMutationFilter;
+import io.grpc.xds.internal.headermutations.HeaderMutations;
+import io.grpc.xds.internal.headermutations.HeaderMutator;
+
+/**
+ * Handles the response from the external authorization service, processing it to determine the
+ * authorization decision and applying any necessary header mutations.
+ */
+public interface CheckResponseHandler {
+
+  /**
+   * A factory for creating {@link CheckResponseHandler} instances.
+   */
+  @FunctionalInterface
+  interface Factory {
+    /**
+     * Creates a new ResponseHandler.
+     *
+     * @param headerMutator Utility to apply header mutations.
+     * @param headerMutationFilter Filter to apply to header mutations.
+     * @param config The external authorization configuration.
+     */
+    CheckResponseHandler create(HeaderMutator headerMutator,
+        HeaderMutationFilter headerMutationFilter, ExtAuthzConfig config);
+  }
+
+  /**
+   * The default factory for creating {@link CheckResponseHandler} instances.
+   */
+  Factory INSTANCE = ResponseHandlerImpl::new;
+
+  /**
+   * Processes the CheckResponse from the external authorization service.
+   *
+   * @param response The response from the authorization service.
+   * @param headers The request headers, which may be mutated as part of handling the response.
+   * @return An {@link AuthzResponse} indicating the outcome of the authorization check.
+   */
+  AuthzResponse handleResponse(final CheckResponse response, Metadata headers);
+
+  /** Default implementation of {@link CheckResponseHandler}. */
+  static final class ResponseHandlerImpl implements CheckResponseHandler {
+    private final HeaderMutator headerMutator;
+    private final HeaderMutationFilter headerMutationFilter;
+    private final ExtAuthzConfig config;
+
+    ResponseHandlerImpl(HeaderMutator headerMutator, // NOPMD
+        HeaderMutationFilter headerMutationFilter, ExtAuthzConfig config) {
+      this.headerMutator = headerMutator;
+      this.headerMutationFilter = headerMutationFilter;
+      this.config = config;
+    }
+
+    @Override
+    public AuthzResponse handleResponse(final CheckResponse response, Metadata headers) {
+      try {
+        if (response.getStatus().getCode() == Status.Code.OK.value()) {
+          return handleOkResponse(response, headers);
+        } else {
+          return handleNotOkResponse(response);
+        }
+      } catch (HeaderMutationDisallowedException e) {
+        return AuthzResponse.deny(e.getStatus()).build();
+      }
+    }
+
+    private AuthzResponse handleOkResponse(final CheckResponse response, Metadata headers)
+        throws HeaderMutationDisallowedException {
+      if (!response.hasOkResponse()) {
+        return AuthzResponse.allow(headers).build();
+      }
+      OkHttpResponse okResponse = response.getOkResponse();
+      HeaderMutations requestedMutations = buildHeaderMutationsFromOkResponse(okResponse);
+      HeaderMutations allowedMutations = headerMutationFilter.filter(requestedMutations);
+
+      applyMutations(allowedMutations, headers);
+      return AuthzResponse.allow(headers)
+          .setResponseHeaderMutations(allowedMutations.responseMutations()).build();
+    }
+
+    private HeaderMutations buildHeaderMutationsFromOkResponse(OkHttpResponse okResponse) {
+      return HeaderMutations.create(
+          HeaderMutations.RequestHeaderMutations.create(
+              ImmutableList.copyOf(okResponse.getHeadersList()),
+              ImmutableList.copyOf(okResponse.getHeadersToRemoveList())),
+          HeaderMutations.ResponseHeaderMutations
+              .create(ImmutableList.copyOf(okResponse.getResponseHeadersToAddList())));
+    }
+
+    private AuthzResponse handleNotOkResponse(CheckResponse response)
+        throws HeaderMutationDisallowedException {
+      Status statusToReturn = config.statusOnError();
+      if (!response.hasDeniedResponse()) {
+        return AuthzResponse.deny(statusToReturn).build();
+      }
+      DeniedHttpResponse deniedResponse = response.getDeniedResponse();
+      HeaderMutations requestedMutations = buildHeaderMutationsFromDeniedResponse(deniedResponse);
+      HeaderMutations allowedMutations = headerMutationFilter.filter(requestedMutations);
+
+      Status status = statusToReturn;
+      if (deniedResponse.hasStatus()) {
+        status = GrpcUtil.httpStatusToGrpcStatus(deniedResponse.getStatus().getCodeValue())
+            .withDescription(deniedResponse.getBody());
+      }
+      return AuthzResponse.deny(status)
+          .setResponseHeaderMutations(allowedMutations.responseMutations()).build();
+    }
+
+    private HeaderMutations buildHeaderMutationsFromDeniedResponse(
+        DeniedHttpResponse deniedResponse) {
+      return HeaderMutations.create(
+          HeaderMutations.RequestHeaderMutations.create(ImmutableList.of(), ImmutableList.of()),
+          HeaderMutations.ResponseHeaderMutations
+              .create(ImmutableList.copyOf(deniedResponse.getHeadersList())));
+    }
+
+
+    private void applyMutations(final HeaderMutations mutations, Metadata headers) {
+      headerMutator.applyRequestMutations(mutations.requestMutations(), headers);
+    }
+  }
+}

xds/src/test/java/io/grpc/xds/internal/extauthz/AuthzResponseTest.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2025 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal.extauthz;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import com.google.common.collect.ImmutableList;
+import io.envoyproxy.envoy.config.core.v3.HeaderValue;
+import io.envoyproxy.envoy.config.core.v3.HeaderValueOption;
+import io.grpc.Metadata;
+import io.grpc.Status;
+import io.grpc.xds.internal.extauthz.AuthzResponse.Decision;
+import io.grpc.xds.internal.headermutations.HeaderMutations.ResponseHeaderMutations;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+@RunWith(JUnit4.class)
+public class AuthzResponseTest {
+  @Test
+  public void testAllow() {
+    Metadata headers = new Metadata();
+    headers.put(Metadata.Key.of("foo", Metadata.ASCII_STRING_MARSHALLER), "bar");
+    AuthzResponse response = AuthzResponse.allow(headers).build();
+    assertThat(response.decision()).isEqualTo(Decision.ALLOW);
+    assertThat(response.headers()).hasValue(headers);
+    assertThat(response.status()).isEmpty();
+    assertThat(response.responseHeaderMutations().headers()).isEmpty();
+  }
+
+  @Test
+  public void testAllowWithHeaderMutations() {
+    Metadata headers = new Metadata();
+    ResponseHeaderMutations mutations =
+        ResponseHeaderMutations.create(ImmutableList.of(HeaderValueOption.newBuilder()
+            .setHeader(HeaderValue.newBuilder().setKey("key").setValue("value")).build()));
+    AuthzResponse response =
+        AuthzResponse.allow(headers).setResponseHeaderMutations(mutations).build();
+    assertThat(response.decision()).isEqualTo(Decision.ALLOW);
+    assertThat(response.responseHeaderMutations()).isEqualTo(mutations);
+  }
+
+  @Test
+  public void testDeny() {
+    Status status = Status.PERMISSION_DENIED.withDescription("reason");
+    AuthzResponse response = AuthzResponse.deny(status).build();
+    assertThat(response.decision()).isEqualTo(Decision.DENY);
+    assertThat(response.status()).hasValue(status);
+    assertThat(response.headers()).isEmpty();
+    assertThat(response.responseHeaderMutations().headers()).isEmpty();
+  }
+}