cacheroach: Add email-domain grouping.

This change adds support for creating principals that represent an entire email domain's worth of principals. This is a quick way to add support for generalized principal grouping (#3), but is fairly coarse-grained.
bobvawter · Mar 19, 2021 · 3c8c2a8 · 3c8c2a8
1 parent e544447
commit 3c8c2a8
Show file tree

Hide file tree

Showing 13 changed files with 334 additions and 182 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -9,14 +9,38 @@ RUN apt-get update && \
     unzip protoc-$PROTOVER-$PROTOARCH.zip -d /usr/
 WORKDIR /tmp/compile
 COPY . .
-RUN go mod download && \
-    go get google.golang.org/protobuf/cmd/protoc-gen-go \
-           google.golang.org/grpc/cmd/protoc-gen-go-grpc && \
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go \
+               google.golang.org/grpc/cmd/protoc-gen-go-grpc && \
     go generate -v tools.go && \
     CGO_ENABLED=0 go build -v -ldflags="-s -w" -o /usr/bin/cacheroach .
 
-FROM scratch
+FROM scratch AS cacheroach
 WORKDIR /data/
 ENTRYPOINT ["/usr/bin/cacheroach"]
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /usr/bin/cacheroach /usr/bin/
+
+FROM cacheroach AS cloudrun
+# Expect $PORT from Cloud Run environment.
+ENV CACHE_MEMORY="128" \
+    CONNECT="@connect" \
+    GCLOUD_SECRET_NAME="" \
+    HMAC="@hmac" \
+    OIDC_CLIENT_ID="@oidc_client_id" \
+    OIDC_CLIENT_SECRET="@oidc_client_secret" \
+    OIDC_DOMAINS="cockroachlabs.com" \
+    OIDC_ISSUER="https://accounts.google.com"
+
+ENTRYPOINT [ \
+  "/usr/bin/cacheroach", \
+  "start", \
+  "--assumeSecure", \
+  "--bindAddr", ":$PORT", \
+  "--cacheMemory", "$CACHE_MEMORY", \
+  "--connect", "$CONNECT", \
+  "--oidcClientID", "$OIDC_CLIENT_ID", \
+  "--oidcClientSecret", "$OIDC_CLIENT_SECRET", \
+  "--oidcDomains", "$OIDC_DOMAINS", \
+  "--oidcIssuer", "$OIDC_ISSUER", \
+  "--signingKey", "$HMAC" \
+]
diff --git a/Dockerfile.gcr b/Dockerfile.gcr
diff --git a/api/principal.proto b/api/principal.proto
@@ -55,15 +55,28 @@ message Principal {
   bytes claims = 4 [
     (capabilities.field_rule) = {
       message: "must have pii access"
-      and: {
-        rule: {direction: RESPONSE}
-        rule: {may: {
-          capabilities: {pii: true}
-          scope: {on_principal: {field: 1}}
-        }}
+      or : {
+        rule: {
+          and: {
+            rule: {direction: REQUEST}
+            rule : {auth_status: SUPER}
+          }
+        }
+        rule: {
+          and: {
+            rule: {direction: RESPONSE}
+            rule: {may: {
+              capabilities: {pii: true}
+              scope: {on_principal: {field: 1}}
+            }}
+          }
+        }
       }
     }
   ];
+  // If present, indicates that the principal represents all users whose
+  // email address are in the given domain.
+  string email_domain = 5;
   string refresh_token = 66 [
     (capabilities.field_rule).never = true
   ];
@@ -81,6 +94,8 @@ message LoadRequest {
     ID ID = 1;
     // Load a Principal by email address.
     string email = 2;
+    // Load a domain-level Principal.
+    string email_domain = 3;
   }
 }