feat(auth): add grpc proxy (#1155)

* feat(auth): add build configuration and protobuf definitions

* feat: add gRPC dependencies to workspace

- Add tokio-stream for async streaming support
- Add tonic and tonic-build for gRPC framework

* feat(auth): add gRPC dependencies and build configuration

- Add tonic dependencies for gRPC transport
- Add tokio-stream for streaming support
- Add tonic-build as build dependency for code generation
- Enable HTTP/2 support in axum

* feat(auth): add gRPC proxy test module

- Add grpc_proxy_tests module for testing gRPC proxy functionality

* docs: add gRPC proxy enablement plan

- Comprehensive plan for extending auth proxy to support gRPC
- Includes objectives, scope, deliverables, and testing strategy
- Documents work plan and review checklist

* chore: remove temporary PR review comments file

- Clean up temporary file containing PR review data

* feat: implement OAuth core with JWT assertion verification

- Add ServiceOAuthPolicy for per-service OAuth configuration
- Implement JWT assertion verifier with signature validation
- Add replay protection for JWT tokens
- Include rate limiting functionality for OAuth endpoints

* feat: add gRPC proxy support with streaming and header sanitization

- Implement unified proxy handler for HTTP and gRPC requests
- Add gRPC detection based on content-type and HTTP/2 headers
- Support unary and streaming gRPC forwarding
- Add transport-aware header sanitization for both protocols
- Implement binary metadata validation with size limits

* test: add comprehensive gRPC proxy integration tests

- Add tests for unary and streaming gRPC proxy forwarding
- Test security validations for headers and binary metadata
- Verify authentication requirements and header injection
- Include negative test cases for security violations
- Test content-type validation and HTTP/2 requirements

* docs: add gRPC proxy implementation plan and testing guide

- Document gRPC proxy enablement objectives and scope
- Include work plan with implementation steps
- Add testing strategy and verification criteria
- Provide developer documentation for configuration and usage
- Include review checklist for quality assurance

* feat: separate HTTP/1.1 and HTTP/2 clients for REST and gRPC support

- Add HTTP2Client type alias for gRPC requests
- Refactor AuthenticatedProxy to use separate http_client and http2_client
- Configure HTTP/1.1 client for REST requests with performance optimizations
- Configure HTTP/2 client for gRPC requests with adaptive window control
- Update proxy handlers to use appropriate client based on request type
- Fix duplicate grpc- header check in is_proxy_injected_header_allowed
- Improve header validation logic in apply_additional_headers

* docs: remove grpc-proxy-plan.md

* fix: remove trailing whitespace in proxy.rs

* docs: fix formatting in load_abi macro documentation

* lint: fix clippy

Author: shekohex

Cargo.lock

@@ -158,6 +158,7 @@ futures-core = { version = "0.3.31", default-features = false }
 tokio = { version = "^1", default-features = false }
 tokio-util = { version = "^0.7", default-features = false }
 tokio-cron-scheduler = { version = "0.13.0", default-features = false }
+tokio-stream = { version = "0.1.15", default-features = false, features = ["net"] }
 pin-project-lite = "0.2.7"
 tower = { version = "0.5.2", default-features = false }
 tower-http = { version = "0.6", default-features = false }

Cargo.toml

@@ -50,13 +50,18 @@ serde_json = { workspace = true, features = ["alloc"] }
 bytes = { workspace = true }
 tower = { workspace = true, features = ["util", "timeout", "limit", "load-shed", "steer", "filter", "make"] }
 tokio = { workspace = true, features = ["full"] }
-axum = { workspace = true, features = ["json", "multipart", "http1", "tokio"] }
+axum = { workspace = true, features = ["json", "multipart", "http1", "http2", "tokio"] }
 reqwest = { workspace = true, features = ["json", "multipart"] }
 futures-util = { workspace = true }
 http = { workspace = true }
 tempfile = { workspace = true }
 tracing-subscriber = { workspace = true, features = ["fmt", "env-filter", "registry"] }
 openssl = { version = "0.10", features = ["vendored"] }
+tokio-stream = { workspace = true }
+tonic = { workspace = true, features = ["codegen", "prost", "transport"] }
+
+[build-dependencies]
+tonic-build = { workspace = true, features = ["prost"] }
 
 [features]
 default = ["std", "tracing"]

crates/auth/Cargo.toml

@@ -0,0 +1,8 @@
+fn main() {
+    // Generate test gRPC service definitions for integration tests.
+    tonic_build::configure()
+        .build_client(true)
+        .build_server(true)
+        .compile_protos(&["proto/grpc_proxy_test.proto"], &["proto"])
+        .expect("failed to build gRPC test protos");
+}

crates/auth/build.rs

@@ -0,0 +1,16 @@
+syntax = "proto3";
+
+package blueprint.auth.grpcproxytest;
+
+service EchoService {
+  rpc Echo(EchoRequest) returns (EchoResponse);
+  rpc EchoStream(stream EchoRequest) returns (stream EchoResponse);
+}
+
+message EchoRequest {
+  string message = 1;
+}
+
+message EchoResponse {
+  string message = 1;
+}

crates/auth/proto/grpc_proxy_test.proto

@@ -21,13 +21,13 @@ pub fn rate_limit_check(
         .get(axum::http::header::FORWARDED)
         .and_then(|h| h.to_str().ok())
         .unwrap_or("unknown");
-    let key = format!("rl:{}:{}", service_id.to_string(), ip);
+    let key = format!("rl:{service_id}:{ip}");
 
     let cf = db
         .cf_handle(cf::OAUTH_RL_CF)
         .ok_or_else(|| "rl store unavailable".to_string())?;
 
-    let bucket_key = format!("{}:{}", key, window);
+    let bucket_key = format!("{key}:{window}");
 
     let current = db
         .get_cf(&cf, bucket_key.as_bytes())
@@ -143,7 +143,7 @@ impl<'a> AssertionVerifier<'a> {
 
         // Decode header to inspect alg/kid
         let header = jsonwebtoken::decode_header(jwt)
-            .map_err(|e| VerificationError::InvalidRequest(format!("invalid jwt header: {}", e)))?;
+            .map_err(|e| VerificationError::InvalidRequest(format!("invalid jwt header: {e}")))?;
         let alg = header.alg;
         if !matches!(
             alg,