Add ability to specify allowed apis (#3129)

* add ability to specify allowed apis * fmt * added tests, jacked up existing tests, excluded healthchecks * linter * linter
dapr · May 7, 2021 · 2e3334b · 2e3334b
1 parent 09ca3ff
commit 2e3334b
Show file tree

Hide file tree

Showing 12 changed files with 5,471 additions and 4 deletions.
diff --git a/charts/dapr/crds/configuration.yaml b/charts/dapr/crds/configuration.yaml
@@ -68,6 +68,24 @@ spec:
                   trustDomain:
                     type: string
                 type: object
+              api:
+                description: APISpec describes the configuration for Dapr APIs
+                properties:
+                  allowed:
+                    items:
+                      description: APIAccessRule describes an access rule for allowing
+                        a Dapr API to be enabled and accessible by an app
+                      properties:
+                        name:
+                          type: string
+                        version:
+                          type: string
+                      required:
+                      - name
+                      - version
+                      type: object
+                    type: array
+                type: object
               features:
                 items:
                   description: FeatureSpec defines the features that are enabled/disabled

diff --git a/pkg/apis/configuration/v1alpha1/types.go b/pkg/apis/configuration/v1alpha1/types.go
@@ -43,6 +43,19 @@ type ConfigurationSpec struct {
 	NameResolutionSpec NameResolutionSpec `json:"nameResolution,omitempty"`
 	// +optional
 	Features []FeatureSpec `json:"features,omitempty"`
+	// +optional
+	APISpec APISpec `json:"api,omitempty"`
+}
+
+// APISpec describes the configuration for Dapr APIs
+type APISpec struct {
+	Allowed []APIAccessRule `json:"allowed,omitempty"`
+}
+
+// APIAccessRule describes an access rule for allowing a Dapr API to be enabled and accessible by an app
+type APIAccessRule struct {
+	Name    string `json:"name"`
+	Version string `json:"version"`
 }
 
 // NameResolutionSpec is the spec for name resolution configuration

diff --git a/pkg/apis/configuration/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/configuration/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/config/configuration.go b/pkg/config/configuration.go
@@ -89,6 +89,7 @@ type ConfigurationSpec struct {
 	AccessControlSpec  AccessControlSpec  `json:"accessControl,omitempty" yaml:"accessControl,omitempty"`
 	NameResolutionSpec NameResolutionSpec `json:"nameResolution,omitempty" yaml:"nameResolution,omitempty"`
 	Features           []FeatureSpec      `json:"features,omitempty" yaml:"features,omitempty"`
+	APISpec            APISpec            `json:"api,omitempty" yaml:"api,omitempty"`
 }
 
 type SecretsSpec struct {
@@ -107,6 +108,17 @@ type PipelineSpec struct {
 	Handlers []HandlerSpec `json:"handlers" yaml:"handlers"`
 }
 
+// APISpec describes the configuration for Dapr APIs
+type APISpec struct {
+	Allowed []APIAccessRule `json:"allowed,omitempty"`
+}
+
+// APIAccessRule describes an access rule for allowing a Dapr API to be enabled and accessible by an app
+type APIAccessRule struct {
+	Name    string `json:"name"`
+	Version string `json:"version"`
+}
+
 type HandlerSpec struct {
 	Name         string       `json:"name" yaml:"name"`
 	Type         string       `json:"type" yaml:"type"`

diff --git a/pkg/grpc/endpoints.go b/pkg/grpc/endpoints.go
@@ -0,0 +1,76 @@
+// ------------------------------------------------------------
+// Copyright (c) Microsoft Corporation and Dapr Contributors.
+// Licensed under the MIT License.
+// ------------------------------------------------------------
+
+package grpc
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/dapr/dapr/pkg/config"
+	v1 "github.com/dapr/dapr/pkg/messaging/v1"
+	"google.golang.org/grpc"
+)
+
+var endpoints = map[string][]string{
+	"invoke.v1": {
+		"/dapr.proto.runtime.v1.Dapr/InvokeService",
+	},
+	"state.v1": {
+		"/dapr.proto.runtime.v1.Dapr/GetState",
+		"/dapr.proto.runtime.v1.Dapr/GetBulkState",
+		"/dapr.proto.runtime.v1.Dapr/SaveState",
+		"/dapr.proto.runtime.v1.Dapr/DeleteState",
+		"/dapr.proto.runtime.v1.Dapr/DeleteBulkState",
+		"/dapr.proto.runtime.v1.Dapr/ExecuteStateTransaction",
+	},
+	"publish.v1": {
+		"/dapr.proto.runtime.v1.Dapr/PublishEvent",
+	},
+	"bindings.v1": {
+		"/dapr.proto.runtime.v1.Dapr/InvokeBinding",
+	},
+	"secrets.v1": {
+		"/dapr.proto.runtime.v1.Dapr/GetSecret",
+		"/dapr.proto.runtime.v1.Dapr/GetBulkSecret",
+	},
+	"actors.v1": {
+		"/dapr.proto.runtime.v1.Dapr/RegisterActorTimer",
+		"/dapr.proto.runtime.v1.Dapr/UnregisterActorTimer",
+		"/dapr.proto.runtime.v1.Dapr/RegisterActorReminder",
+		"/dapr.proto.runtime.v1.Dapr/UnregisterActorReminder",
+		"/dapr.proto.runtime.v1.Dapr/GetActorState",
+		"/dapr.proto.runtime.v1.Dapr/ExecuteActorStateTransaction",
+		"/dapr.proto.runtime.v1.Dapr/InvokeActor",
+	},
+	"metadata.v1": {
+		"/dapr.proto.runtime.v1.Dapr/GetMetadata",
+		"/dapr.proto.runtime.v1.Dapr/SetMetadata",
+	},
+	"shutdown.v1": {
+		"/dapr.proto.runtime.v1.Dapr/Shutdown",
+	},
+}
+
+func setAPIEndpointsMiddlewareUnary(rules []config.APIAccessRule) grpc.UnaryServerInterceptor {
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+		if len(rules) == 0 {
+			return handler(ctx, req)
+		}
+
+		for _, rule := range rules {
+			if list, ok := endpoints[rule.Name+"."+rule.Version]; ok {
+				for _, method := range list {
+					if method == info.FullMethod {
+						return handler(ctx, req)
+					}
+				}
+			}
+		}
+
+		err := v1.ErrorFromHTTPResponseCode(http.StatusNotImplemented, "requested endpoint is not available")
+		return nil, err
+	}
+}