
SMQ - 2724 - Add Auth Callout #2731

Open: wants to merge 15 commits into base: main

Conversation

rodneyosodo (Member)

What type of PR is this?

This is a feature pull request that introduces external authorization callouts to the Auth service. It adds new configuration options, a callback mechanism, and integrates it into the authorization flow. The changes include modifications to the service logic, configuration, and testing infrastructure.

What does this do?

  • New Features
    • Introduced external callback support for enhanced authentication.
    • Added configurable options for callouts, including URLs, HTTP method, and TLS verification.
  • Documentation
    • Updated configuration instructions to cover new environment variables.
  • Tests
    • Expanded test coverage for the callback and callout mechanisms.
  • Chores
    • Upgraded various dependencies to their latest versions.

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Yes, I have included tests for my changes.

Did you document any new/modified feature?

Yes, I have updated the documentation for the new feature.

Notes

sequenceDiagram
    participant Client
    participant AuthService
    participant CallBack
    participant ExternalService

    Client->>AuthService: Request Authorization
    AuthService->>CallBack: Invoke Authorize(policy)
    CallBack->>ExternalService: Send HTTP request (GET/POST)
    ExternalService-->>CallBack: Return response
    CallBack-->>AuthService: Return authorization result
    AuthService-->>Client: Respond with result
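An added example in Go (not code from this PR or the SuperMQ repository) of the callout client the diagram above describes: one primary URL with the remaining URLs as fallbacks, a TLS-verification switch and a bounded request timeout. Policy, Callout, NewCallout and ErrAuthorization are assumed names; only transport failures (unreachable host, timeout) fall through to the next URL, while a reachable non-2xx answer is a final deny.

```go
package main

import (
	"bytes"
	"context"
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

type Policy struct{ Subject, Object, Action string } // constructed stand-in for the Auth policy
var ErrAuthorization = errors.New("authorization denied by callout")
// Callout keeps an ordered URL list (primary first, then fallbacks), the HTTP method and a bounded client.
type Callout struct{ urls []string; method string; client *http.Client }
// NewCallout: verifyTLS=false turns off certificate checks (local testing only); timeout bounds each attempt.
func NewCallout(urls []string, method string, timeout time.Duration, verifyTLS bool) *Callout {
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: !verifyTLS}}
	return &Callout{urls: urls, method: method, client: &http.Client{Timeout: timeout, Transport: tr}}
}

// Authorize returns nil when no callout is configured or the first reachable URL answers 2xx. A reachable
// non-2xx answer is a deny and is not retried on the fallbacks; only transport errors fall through.
func (c *Callout) Authorize(ctx context.Context, p Policy) error {
	if len(c.urls) == 0 {
		return nil
	}
	body, _ := json.Marshal(p) // a struct of plain strings cannot fail to marshal
	var last error
	for _, u := range c.urls {
		req, err := http.NewRequestWithContext(ctx, c.method, u, bytes.NewReader(body))
		if err != nil {
			return err // bad method or URL is a configuration error, not a transport failure
		}
		req.Header.Set("Content-Type", "application/json")
		resp, err := c.client.Do(req)
		if err != nil {
			last = err // unreachable or timed out: try the next URL
			continue
		}
		resp.Body.Close()
		if resp.StatusCode/100 == 2 {
			return nil
		}
		return fmt.Errorf("%w: %s returned %d", ErrAuthorization, u, resp.StatusCode)
	}
	return fmt.Errorf("callout: all URLs unreachable: %w", last)
}
```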

@rodneyosodo rodneyosodo requested a review from a team as a code owner February 24, 2025 10:36
@rodneyosodo rodneyosodo force-pushed the SMQ-2724 branch 3 times, most recently from 7119d7b to 910f660 on February 24, 2025 10:48
auth/callback.go (outdated), comment on lines 60 to 62:
if len(c.urls) == 0 {
return nil
}
Collaborator

Move this to the beginning of the function. Also, let's use a single URL at a time, with other URLs being a fallback, something like https://www.rabbitmq.com/docs/access-control#combined-backends.

@rodneyosodo rodneyosodo force-pushed the SMQ-2724 branch 3 times, most recently from 26e4b56 to c24229d on February 25, 2025 14:08
TraceRatio float64 `env:"SMQ_JAEGER_TRACE_RATIO" envDefault:"1.0"`
ESURL string `env:"SMQ_ES_URL" envDefault:"nats://localhost:4222"`
AuthCalloutURLs []string `env:"SMQ_AUTH_CALLOUT_URLS" envDefault:"" envSeparator:","`
AuthCalloutMethod string `env:"SMQ_AUTH_CALLOUT_METHOD" envDefault:"POST"`
Contributor

We can try them iteratively on failure: POST, then GET.

Contributor

I prefer not to add these mechanisms since we already have the flexibility to specify the HTTP method type in the environment configuration. This allows us to manage different request methods effectively without adding extra logic for retries. If the user mistakenly provides POST instead of GET, it would be their responsibility to correct this in the configuration.

@@ -146,6 +149,9 @@ SMQ_JAEGER_URL=http://localhost:14268/api/traces \
SMQ_JAEGER_TRACE_RATIO=1.0 \
SMQ_SEND_TELEMETRY=true \
SMQ_AUTH_ADAPTER_INSTANCE_ID="" \
SMQ_AUTH_CALLOUT_URLS="" \
SMQ_AUTH_CALLOUT_METHOD="POST" \
SMQ_AUTH_CALLOUT_TLS_VERIFICATION=true \
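Review bot: SMQ_AUTH_CALLOUT_TLS_VERIFICATION=true is added here without saying what the false setting does; state in this block that false disables server-certificate validation on the callout HTTP client and is meant for local testing only, so a development value is not copied into a production environment. The same block should list the values SMQ_AUTH_CALLOUT_METHOD accepts (the PR description names GET and POST) and say that the empty default for SMQ_AUTH_CALLOUT_URLS leaves the callout disabled, which matches the `if len(c.urls) == 0 { return nil }` check quoted from auth/callback.go.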
Contributor

What do you think about having an option for request timeout?

cmd/auth/main.go (outdated):
svc := auth.New(keysRepo, patsRepo, hasher, idProvider, t, pEvaluator, pService, cfg.AccessDuration, cfg.RefreshDuration, cfg.InvitationDuration)
httpClient := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
Contributor

Can we add support for custom certificates for the HTTPS request?


codecov bot commented Feb 26, 2025

Codecov Report

Attention: Patch coverage is 73.03371% with 24 lines in your changes missing coverage. Please review.

Project coverage is 34.76%. Comparing base (56829c1) to head (e6b0989).

Files with missing lines | Patch % | Lines
auth/mocks/callback.go   | 0.00%   | 18 Missing
auth/callback.go         | 90.90%  | 4 Missing and 2 partials
@@            Coverage Diff             @@
##             main    #2731      +/-   ##
==========================================
- Coverage   42.03%   34.76%   -7.28%     
==========================================
  Files         347      212     -135     
  Lines       47929    38165    -9764     
==========================================
- Hits        20146    13267    -6879     
+ Misses      25582    23821    -1761     
+ Partials     2201     1077    -1124     


Signed-off-by: Rodney Osodo <[email protected]>
…nt purposes for policy enforcement

Signed-off-by: Rodney Osodo <[email protected]>
@rodneyosodo rodneyosodo force-pushed the SMQ-2724 branch 2 times, most recently from 2e38c4b to 74532fb on February 28, 2025 07:24
Development

Successfully merging this pull request may close these issues.

Add Billing webhook
4 participants