/
auth.go
executable file
·94 lines (84 loc) · 3.27 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
// Copyright 2016 Michal Witkowski. All Rights Reserved.
// See LICENSE for licensing terms.
/*
* Copyright (c) 2018, https://github.com/airwide-code/airwide.datacenter
* All rights reserved.
*
*
*
*/
// By @benqi 2017-11-17, we need check request
// Only a small portion of the API methods are available to unauthorized users:
//
// auth.sendCode
// auth.sendCall
// auth.checkPhone
// auth.signUp
// auth.signIn
// auth.importAuthorization
// help.getConfig
// help.getNearestDc
//
// Other methods will result in an error: 401 UNAUTHORIZED.
package grpc_auth2
import (
"github.com/grpc-ecosystem/go-grpc-middleware"
"golang.org/x/net/context"
"google.golang.org/grpc"
)
// AuthFunc is the pluggable function that performs authentication.
//
// The passed in `Context` will contain the gRPC metadata.MD object (for header-based authentication) and
// the peer.Peer information that can contain transport-based credentials (e.g. `credentials.AuthInfo`).
//
// The returned context will be propagated to handlers, allowing user changes to `Context`. However,
// please make sure that the `Context` returned is a child `Context` of the one passed in.
//
// If error is returned, its `grpc.Code()` will be returned to the user as well as the verbatim message.
// Please make sure you use `codes.Unauthenticated` (lacking auth) and `codes.PermissionDenied`
// (authed, but lacking perms) appropriately.
type AuthWithRequestFunc func(ctx context.Context, req interface{}) (context.Context, error)
// ServiceAuthFuncOverride allows a given gRPC service implementation to override the global `AuthFunc`.
//
// If a service implements the AuthFuncOverride method, it takes precedence over the `AuthFunc` method,
// and will be called instead of AuthFunc for all method invocations within that service.
type ServiceAuthFuncAttached interface {
AuthFuncAttached(ctx context.Context, fullMethodName string) (context.Context, error)
}
// UnaryServerInterceptor returns a new unary server interceptors that performs per-request auth.
func UnaryServerInterceptor(authFunc AuthWithRequestFunc) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
var newCtx context.Context
var err error
if overrideSrv, ok := info.Server.(ServiceAuthFuncAttached); ok {
newCtx, err = overrideSrv.AuthFuncAttached(ctx, info.FullMethod)
} else {
newCtx, err = authFunc(ctx, req)
}
if err != nil {
return nil, err
}
return handler(newCtx, req)
}
}
// StreamServerInterceptor returns a new unary server interceptors that performs per-request auth.
func StreamServerInterceptor(authFunc AuthWithRequestFunc) grpc.StreamServerInterceptor {
return func(srv interface{}, stream grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
var newCtx context.Context
var err error
if overrideSrv, ok := srv.(ServiceAuthFuncAttached); ok {
// TODO(@benqi): state machine???
newCtx, err = overrideSrv.AuthFuncAttached(stream.Context(), info.FullMethod)
if err != nil {
return err
}
}
newCtx, err = authFunc(stream.Context(), srv)
if err != nil {
return err
}
wrapped := grpc_middleware.WrapServerStream(stream)
wrapped.WrappedContext = newCtx
return handler(srv, wrapped)
}
}