chio-envoy-ext-authz 0.1.0

Envoy ext_authz gRPC adapter that bridges external authorization checks to the Chio kernel

Chio adapter for Envoy's ext_authz gRPC filter.

This crate implements envoy.service.auth.v3.Authorization/Check as a thin shim that translates each Envoy CheckRequest into a Chio [translate::ToolCallRequest], hands it to an [EnvoyKernel] implementation, and maps the returned [translate::Verdict] onto a compliant CheckResponse.

The crate deliberately keeps its dependency surface small so the adapter can be linked into any Envoy-fronted service without pulling in the rest of the Chio substrate. The [EnvoyKernel] trait exists precisely so real deployments can plug chio-kernel (or chio-http-core's HttpAuthority) into this service without this crate depending on them. A doc example is sketched below.

Example wiring

use chio_envoy_ext_authz::{
    proto::envoy::service::auth::v3::authorization_server::AuthorizationServer,
    translate::{ToolCallRequest, Verdict},
    ChioExtAuthzService, EnvoyKernel, KernelError,
};
use async_trait::async_trait;

struct MyKernel;

#[async_trait]
impl EnvoyKernel for MyKernel {
    async fn evaluate(
        &self,
        request: ToolCallRequest,
    ) -> Result<Verdict, KernelError> {
        // Placeholder: this stub allows every request it is given.
        // Delegate to chio-kernel / HttpAuthority / custom policy here.
        Ok(Verdict::Allow)
    }
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let svc = ChioExtAuthzService::new(MyKernel);
    tonic::transport::Server::builder()
        .add_service(AuthorizationServer::new(svc))
        .serve("0.0.0.0:9091".parse()?)
        .await?;
    Ok(())
}
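
The Envoy side of this wiring, as an added example that is not part of the crate's documentation: an ext_authz HTTP filter that calls the adapter over gRPC, with the fail-open setting called out next to the fail-closed one. The cluster name chio_ext_authz, the 127.0.0.1 sidecar address and the timeouts are assumptions; port 9091 matches the listener in the Rust example above.

```yaml
# Excerpt 1: goes in the HttpConnectionManager's http_filters list.
# ext_authz must come before the router so every request is checked first.
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    # The adapter implements envoy.service.auth.v3, so pin the v3 transport.
    transport_api_version: V3
    grpc_service:
      envoy_grpc:
        cluster_name: chio_ext_authz   # assumed name, defined in excerpt 2
      timeout: 0.25s                   # assumed budget for one Check call
    # Weak setting: `failure_mode_allow: true` forwards requests whenever the
    # adapter is down, slow or returns an error, bypassing the kernel's policy.
    # Fail-closed setting: reject the request if no verdict was obtained.
    failure_mode_allow: false
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# Excerpt 2: goes under static_resources.
clusters:
- name: chio_ext_authz
  type: STRICT_DNS
  connect_timeout: 0.25s
  # gRPC requires HTTP/2 to the upstream.
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http2_protocol_options: {}
  load_assignment:
    cluster_name: chio_ext_authz
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              # Assumes the adapter runs as a sidecar next to Envoy. The Rust
              # example binds 0.0.0.0 without TLS, so keep the port off
              # untrusted networks or bind it to loopback as well.
              address: 127.0.0.1
              port_value: 9091
```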