go/grpcsp/authorization.go - buildbot - Git at Google

 // Package grpcsp implements grpc server interceptors to apply role-based
 // access control to a grpc service. It is intended to work with headers
 // set by [go.skia.org/infra/kube/go/authproxy] on incoming requests.
 package grpcsp

 import (
 	"context"
 	"fmt"
 	"strings"

 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"

 	"go.skia.org/infra/go/roles"
 	"go.skia.org/infra/kube/go/authproxy"
 )

 // ServerPolicy captures the set of authorization policies for
 // a given [grpc.Server] instance, including all individual services
 // registered to it.
 type ServerPolicy struct {
 	// maps ServiceName to authorization policy
 	servicePolicy map[string]*ServicePolicy
 }

 // ServicePolicy captures the authorization policy for an individual
 // grpc service.
 type ServicePolicy struct {
 	desc                 grpc.ServiceDesc
 	allowUnauthenticated bool
 	allowRoles           roles.Roles
 	rolesForMethod       map[string]roles.Roles
 }

 // Server returns a new ServerPolicy instance.
 func Server() *ServerPolicy {
 	ret := &ServerPolicy{
 		servicePolicy: map[string]*ServicePolicy{},
 	}
 	return ret
 }

 // Service returns a new configurable ServicePolicy.
 // The policy is conservative in that anything that isn't explicitly allowed
 // by the policy is denied. Calling this more than once with the same
 // [grpc.ServiceDesc] results in an error.
 func (sp *ServerPolicy) Service(desc grpc.ServiceDesc) (*ServicePolicy, error) {
 	if _, ok := sp.servicePolicy[desc.ServiceName]; ok {
 		return nil, fmt.Errorf("service policy already exists for %q", desc.ServiceName)
 	}
 	ret := &ServicePolicy{
 		desc:           desc,
 		allowRoles:     nil,
 		rolesForMethod: map[string]roles.Roles{},
 	}
 	for _, m := range desc.Methods {
 		fullPath := "/" + desc.ServiceName + "/" + m.MethodName
 		ret.rolesForMethod[fullPath] = nil
 	}
 	sp.servicePolicy[desc.ServiceName] = ret
 	return ret, nil
 }

 // AuthorizeUnauthenticated configures the service to allow any request, regardless
 // of authentication or roles attached to the request.
 func (p *ServicePolicy) AuthorizeUnauthenticated() error {
 	if p.allowRoles != nil {
 		return fmt.Errorf("allowed roles for %q have already been set", p.desc.ServiceName)
 	}
 	p.allowUnauthenticated = true
 	return nil
 }

 // AuthorizeRoles configures the policy to allow users with any of the given [role]
 // values to make calls to any method. Authorize multiple roles by passing multiple role
 // values. Calling this more than once results in an error.
 func (p *ServicePolicy) AuthorizeRoles(r roles.Roles) error {
 	if p.allowRoles != nil || p.allowUnauthenticated {
 		return fmt.Errorf("allowed roles for %q have already been set", p.desc.ServiceName)
 	}
 	p.allowRoles = r
 	return nil
 }

 // AuthorizeMethodForRoles configures the policy to allow users with any of the given [role]
 // values to make calls to [method]. Authorize multiple roles by passing multiple role
 // values. Calling this more than once with the same [method] results in an error. Calling
 // this with a method not included in the service description results in an error.
 func (p *ServicePolicy) AuthorizeMethodForRoles(method string, r roles.Roles) error {
 	if p.allowUnauthenticated {
 		return fmt.Errorf("allowed roles for %q have already been set to allow any", p.desc.ServiceName)
 	}

 	fullPath := "/" + p.desc.ServiceName + "/" + method
 	rfm, ok := p.rolesForMethod[fullPath]
 	if !ok {
 		return fmt.Errorf("unknown grpc method: %q for service %q", method, p.desc.ServiceName)
 	}
 	if rfm != nil {
 		return fmt.Errorf("already have roles set for method: %q", method)
 	}

 	p.rolesForMethod[fullPath] = r
 	return nil
 }

 // rolesFromContext is dependent on specific headers set by skia's auth-proxy implementation.
 func rolesFromContext(ctx context.Context) (roles.Roles, error) {
 	md, ok := metadata.FromIncomingContext(ctx)
 	if !ok {
 		return nil, status.Error(codes.PermissionDenied, "could not authorize without metadata from incoming context")
 	}
 	user := md.Get(authproxy.WebAuthHeaderName)
 	if len(user) == 0 {
 		return nil, status.Error(codes.PermissionDenied, "could not authorize without user identity from incoming context")
 	}
 	return roles.RolesFromStrings(md.Get(authproxy.WebAuthRoleHeaderName)...), nil
 }

 // UnaryInterceptor returns a [grpc.UnaryServerInterceptor] that applies role checks defined
 // by the policy to incoming requests. Requests that do not satisfy the policy result in
 // a [codes.PermissionDenied] response code returned to the caller.
 func (sp *ServerPolicy) UnaryInterceptor() grpc.UnaryServerInterceptor {
 	ret := func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
 		serviceName := strings.Split(info.FullMethod, "/")[1]
 		p, ok := sp.servicePolicy[serviceName]
 		if !ok {
 			return nil, status.Errorf(codes.PermissionDenied, "no policy for service: %q", serviceName)
 		}
 		if p.allowUnauthenticated {
 			return handler(ctx, req)
 		}
 		roleSet, err := rolesFromContext(ctx)
 		if err != nil {
 			return nil, status.Error(codes.PermissionDenied, err.Error())
 		}
 		if p.allowRoles.IsAuthorized(roleSet) {
 			return handler(ctx, req)
 		}

 		allowedRoleSet, ok := p.rolesForMethod[info.FullMethod]
 		if !ok {
 			return nil, status.Error(codes.PermissionDenied, "unrecognized method")
 		}
 		if !allowedRoleSet.IsAuthorized(roleSet) {
 			return nil, status.Error(codes.PermissionDenied, "user does not have required role(s)")
 		}
 		return handler(ctx, req)
 	}
 	return ret
 }
	// Package grpcsp implements grpc server interceptors to apply role-based
	// access control to a grpc service. It is intended to work with headers
	// set by [go.skia.org/infra/kube/go/authproxy] on incoming requests.
	package grpcsp

	import (
	"context"
	"fmt"
	"strings"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/status"

	"go.skia.org/infra/go/roles"
	"go.skia.org/infra/kube/go/authproxy"
	)

	// ServerPolicy captures the set of authorization policies for
	// a given [grpc.Server] instance, including all individual services
	// registered to it.
	type ServerPolicy struct {
	// maps ServiceName to authorization policy
	servicePolicy map[string]*ServicePolicy
	}

	// ServicePolicy captures the authorization policy for an individual
	// grpc service.
	type ServicePolicy struct {
	desc grpc.ServiceDesc
	allowUnauthenticated bool
	allowRoles roles.Roles
	rolesForMethod map[string]roles.Roles
	}

	// Server returns a new ServerPolicy instance.
	func Server() *ServerPolicy {
	ret := &ServerPolicy{
	servicePolicy: map[string]*ServicePolicy{},
	}
	return ret
	}

	// Service returns a new configurable ServicePolicy.
	// The policy is conservative in that anything that isn't explicitly allowed
	// by the policy is denied. Calling this more than once with the same
	// [grpc.ServiceDesc] results in an error.
	func (sp ServerPolicy) Service(desc grpc.ServiceDesc) (ServicePolicy, error) {
	if _, ok := sp.servicePolicy[desc.ServiceName]; ok {
	return nil, fmt.Errorf("service policy already exists for %q", desc.ServiceName)
	}
	ret := &ServicePolicy{
	desc: desc,
	allowRoles: nil,
	rolesForMethod: map[string]roles.Roles{},
	}
	for _, m := range desc.Methods {
	fullPath := "/" + desc.ServiceName + "/" + m.MethodName
	ret.rolesForMethod[fullPath] = nil
	}
	sp.servicePolicy[desc.ServiceName] = ret
	return ret, nil
	}

	// AuthorizeUnauthenticated configures the service to allow any request, regardless
	// of authentication or roles attached to the request.
	func (p *ServicePolicy) AuthorizeUnauthenticated() error {
	if p.allowRoles != nil {
	return fmt.Errorf("allowed roles for %q have already been set", p.desc.ServiceName)
	}
	p.allowUnauthenticated = true
	return nil
	}

	// AuthorizeRoles configures the policy to allow users with any of the given [role]
	// values to make calls to any method. Authorize multiple roles by passing multiple role
	// values. Calling this more than once results in an error.
	func (p *ServicePolicy) AuthorizeRoles(r roles.Roles) error {
	if p.allowRoles != nil \|\| p.allowUnauthenticated {
	return fmt.Errorf("allowed roles for %q have already been set", p.desc.ServiceName)
	}
	p.allowRoles = r
	return nil
	}

	// AuthorizeMethodForRoles configures the policy to allow users with any of the given [role]
	// values to make calls to [method]. Authorize multiple roles by passing multiple role
	// values. Calling this more than once with the same [method] results in an error. Calling
	// this with a method not included in the service description results in an error.
	func (p *ServicePolicy) AuthorizeMethodForRoles(method string, r roles.Roles) error {
	if p.allowUnauthenticated {
	return fmt.Errorf("allowed roles for %q have already been set to allow any", p.desc.ServiceName)
	}

	fullPath := "/" + p.desc.ServiceName + "/" + method
	rfm, ok := p.rolesForMethod[fullPath]
	if !ok {
	return fmt.Errorf("unknown grpc method: %q for service %q", method, p.desc.ServiceName)
	}
	if rfm != nil {
	return fmt.Errorf("already have roles set for method: %q", method)
	}

	p.rolesForMethod[fullPath] = r
	return nil
	}

	// rolesFromContext is dependent on specific headers set by skia's auth-proxy implementation.
	func rolesFromContext(ctx context.Context) (roles.Roles, error) {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
	return nil, status.Error(codes.PermissionDenied, "could not authorize without metadata from incoming context")
	}
	user := md.Get(authproxy.WebAuthHeaderName)
	if len(user) == 0 {
	return nil, status.Error(codes.PermissionDenied, "could not authorize without user identity from incoming context")
	}
	return roles.RolesFromStrings(md.Get(authproxy.WebAuthRoleHeaderName)...), nil
	}

	// UnaryInterceptor returns a [grpc.UnaryServerInterceptor] that applies role checks defined
	// by the policy to incoming requests. Requests that do not satisfy the policy result in
	// a [codes.PermissionDenied] response code returned to the caller.
	func (sp *ServerPolicy) UnaryInterceptor() grpc.UnaryServerInterceptor {
	ret := func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
	serviceName := strings.Split(info.FullMethod, "/")[1]
	p, ok := sp.servicePolicy[serviceName]
	if !ok {
	return nil, status.Errorf(codes.PermissionDenied, "no policy for service: %q", serviceName)
	}
	if p.allowUnauthenticated {
	return handler(ctx, req)
	}
	roleSet, err := rolesFromContext(ctx)
	if err != nil {
	return nil, status.Error(codes.PermissionDenied, err.Error())
	}
	if p.allowRoles.IsAuthorized(roleSet) {
	return handler(ctx, req)
	}

	allowedRoleSet, ok := p.rolesForMethod[info.FullMethod]
	if !ok {
	return nil, status.Error(codes.PermissionDenied, "unrecognized method")
	}
	if !allowedRoleSet.IsAuthorized(roleSet) {
	return nil, status.Error(codes.PermissionDenied, "user does not have required role(s)")
	}
	return handler(ctx, req)
	}
	return ret
	}