mirror of
https://github.com/siderolabs/talos.git
synced 2025-09-15 02:41:10 +02:00
ad047a7dee
* `talosctl config new` now sets endpoints in the generated config. * Avoid duplication of roles in metadata. * Remove method name prefix handling. All methods should be set explicitly. * Add tests. Closes #3421. Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
81 lines
2.5 KiB
Go
81 lines
2.5 KiB
Go
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
package authz
|
|
|
|
import (
|
|
"context"
|
|
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
|
|
"github.com/talos-systems/talos/pkg/machinery/role"
|
|
)
|
|
|
|
// ErrNotAuthorized should be returned to the client when they are not authorized.
|
|
var ErrNotAuthorized = status.Error(codes.PermissionDenied, "not authorized")
|
|
|
|
// Authorizer checks that the user is authorized (has a valid role) to call intercepted gRPC method.
|
|
// User roles should be set the Injector interceptor.
|
|
type Authorizer struct {
|
|
// Maps full gRPC method names to roles. The user should have at least one of them.
|
|
Rules map[string]role.Set
|
|
|
|
// Defines roles for gRPC methods not present in Rules.
|
|
FallbackRoles role.Set
|
|
|
|
// Logger.
|
|
Logger func(format string, v ...interface{})
|
|
}
|
|
|
|
func (a *Authorizer) logf(format string, v ...interface{}) {
|
|
if a.Logger != nil {
|
|
a.Logger(format, v...)
|
|
}
|
|
}
|
|
|
|
// authorize returns error if the user is not authorized (doesn't have a valid role) to call the given gRPC method.
|
|
// User roles should be previously set the Injector interceptor.
|
|
func (a *Authorizer) authorize(ctx context.Context, method string) error {
|
|
allowedRoles, found := a.Rules[method]
|
|
if !found {
|
|
a.logf("no explicit rule found for %q, falling back to %v", method, a.FallbackRoles.Strings())
|
|
allowedRoles = a.FallbackRoles
|
|
}
|
|
|
|
clientRoles := GetRoles(ctx)
|
|
if allowedRoles.IncludesAny(clientRoles) {
|
|
a.logf("authorized (%v includes %v)", allowedRoles.Strings(), clientRoles.Strings())
|
|
|
|
return nil
|
|
}
|
|
|
|
a.logf("not authorized (%v doesn't include %v)", allowedRoles.Strings(), clientRoles.Strings())
|
|
|
|
return ErrNotAuthorized
|
|
}
|
|
|
|
// UnaryInterceptor returns grpc UnaryServerInterceptor.
|
|
func (a *Authorizer) UnaryInterceptor() grpc.UnaryServerInterceptor {
|
|
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
|
|
if err := a.authorize(ctx, info.FullMethod); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return handler(ctx, req)
|
|
}
|
|
}
|
|
|
|
// StreamInterceptor returns grpc StreamServerInterceptor.
|
|
func (a *Authorizer) StreamInterceptor() grpc.StreamServerInterceptor {
|
|
return func(srv interface{}, stream grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
|
|
if err := a.authorize(stream.Context(), info.FullMethod); err != nil {
|
|
return err
|
|
}
|
|
|
|
return handler(srv, stream)
|
|
}
|
|
}
|