package server
import (
"context"
"strings"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
grpc_status "google.golang.org/grpc/status"
auth "github.com/abbot/go-http-auth"
)
// Errors returned to callers that fail authentication. All three carry
// codes.Unauthenticated, so a client cannot distinguish them by status code
// alone; only the message text differs.
var (
	// errNoMetadata: the incoming context carried no gRPC metadata at all.
	errNoMetadata = grpc_status.Error(codes.Unauthenticated,
		"no metadata found")
	// errNoAuthMetadata: metadata was present, but no ":authority" entry of the
	// form "user:pass@address" could be parsed from it.
	errNoAuthMetadata = grpc_status.Error(codes.Unauthenticated,
		"no authentication metadata found")
	// errAccessDenied: credentials were present but empty, or were rejected by
	// the SecretProvider.
	errAccessDenied = grpc_status.Error(codes.Unauthenticated,
		"access denied")
)
// GrpcBasicAuth wraps an auth.SecretProvider, and provides gRPC interceptors
// that verify that requests can be authenticated using HTTP basic auth.
type GrpcBasicAuth struct {
	// secrets resolves a username to its stored secret; an empty result is
	// treated as "user does not exist" (see allowed).
	secrets auth.SecretProvider
	// allowUnauthenticatedReadOnly lets methods listed in readOnlyMethods
	// through without any credentials.
	allowUnauthenticatedReadOnly bool
}
// NewGrpcBasicAuth returns a GrpcBasicAuth that wraps the given
// auth.SecretProvider. When allowUnauthenticatedReadOnly is true, methods
// listed in readOnlyMethods bypass the credential check entirely.
func NewGrpcBasicAuth(secrets auth.SecretProvider, allowUnauthenticatedReadOnly bool) *GrpcBasicAuth {
	b := GrpcBasicAuth{secrets: secrets}
	b.allowUnauthenticatedReadOnly = allowUnauthenticatedReadOnly
	return &b
}
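// StreamServerInterceptor verifies that each request can be authenticated
// using HTTP basic auth, or is allowed without authentication.
func (b *GrpcBasicAuth) StreamServerInterceptor(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
	if err := b.authorize(ss.Context(), info.FullMethod); err != nil {
		return err
	}
	return handler(srv, ss)
}

// UnaryServerInterceptor verifies that each request can be authenticated
// using HTTP basic auth, or is allowed without authentication.
func (b *GrpcBasicAuth) UnaryServerInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
	if err := b.authorize(ctx, info.FullMethod); err != nil {
		return nil, err
	}
	return handler(ctx, req)
}

// authorize decides whether a call to fullMethod may proceed. It is the single
// policy shared by both interceptors, so the stream and unary paths cannot
// drift apart.
//
// The decision order is:
//  1. the health service is always allowed;
//  2. if allowUnauthenticatedReadOnly is set, methods in readOnlyMethods are
//     allowed without credentials;
//  3. otherwise credentials are read from the incoming metadata and checked
//     against the SecretProvider.
//
// It returns nil when the call may proceed, or one of the codes.Unauthenticated
// status errors (errNoMetadata, errNoAuthMetadata, errAccessDenied).
func (b *GrpcBasicAuth) authorize(ctx context.Context, fullMethod string) error {
	// Always allow health service requests.
	if fullMethod == grpcHealthServiceName {
		return nil
	}
	if b.allowUnauthenticatedReadOnly {
		if _, ro := readOnlyMethods[fullMethod]; ro {
			return nil
		}
	}
	username, password, err := getLogin(ctx)
	if err != nil {
		return err
	}
	// Reject empty credentials before consulting the SecretProvider.
	if username == "" || password == "" {
		return errAccessDenied
	}
	if !b.allowed(username, password) {
		return errAccessDenied
	}
	return nil
}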
// getLogin extracts basic-auth credentials from the ":authority" entry of the
// incoming gRPC metadata. When bazel is run with
// --remote_cache=grpc://user:pass@address the value looks like
// "user:pass@address".
//
// The username is everything before the first ':' and the password everything
// between that ':' and the first following '@'; a password containing '@' is
// therefore truncated and will fail to authenticate. It returns errNoMetadata
// when the context carries no metadata, and errNoAuthMetadata when no
// ":authority" value of that shape is present.
//
// NOTE(review): the credentials travel in the ":authority" pseudo-header, so
// they are only as confidential as the transport — confirm TLS is in use.
func getLogin(ctx context.Context) (username, password string, err error) {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return "", "", errNoMetadata
	}
	// Metadata keys are stored lowercase, so a direct lookup matches exactly
	// the key comparison a range loop would perform.
	authority := md[":authority"]
	if len(authority) == 0 {
		return "", "", errNoAuthMetadata
	}
	raw := authority[0]
	colon := strings.IndexByte(raw, ':')
	if colon < 0 {
		return "", "", errNoAuthMetadata
	}
	rest := raw[colon+1:]
	at := strings.IndexByte(rest, '@')
	if at < 0 {
		return "", "", errNoAuthMetadata
	}
	return raw[:colon], rest[:at], nil
}
// allowed reports whether password matches the secret the SecretProvider
// stores for username. The provider's realm argument is not used by this
// server and is passed as "".
//
// NOTE(review): unknown users are rejected before any secret comparison runs,
// so the response time differs between unknown and known usernames; whether
// that matters depends on the deployment.
func (b *GrpcBasicAuth) allowed(username, password string) bool {
	const noRealm = ""
	stored := b.secrets(username, noRealm)
	if stored == "" {
		// No entry for this user.
		return false
	}
	return auth.CheckSecret(password, stored)
}