Move AuthService (#3272)

* Move AuthService and Claims * Move interceptor and authorization wrappers * Add artifact * Address review comments
digital-asset · Oct 29, 2019 · e887318 · e887318
1 parent 8cfbd50
commit e887318
Show file tree

Hide file tree

Showing 34 changed files with 139 additions and 100 deletions.
diff --git a/ledger/api-server-damlonx/reference-v2/BUILD.bazel b/ledger/api-server-damlonx/reference-v2/BUILD.bazel
@@ -28,6 +28,7 @@ da_scala_binary(
         "//daml-lf/language",
         "//daml-lf/transaction",
         "//language-support/scala/bindings",
+        "//ledger/ledger-api-auth",
         "//ledger/ledger-api-client",
         "//ledger/ledger-api-common",
         "//ledger/ledger-api-domain",

diff --git a/...e-v2/src/main/scala/com/daml/ledger/api/server/damlonx/reference/v2/ReferenceServer.scala b/...e-v2/src/main/scala/com/daml/ledger/api/server/damlonx/reference/v2/ReferenceServer.scala
@@ -12,9 +12,9 @@ import com.daml.ledger.participant.state.kvutils.InMemoryKVParticipantState
 import com.daml.ledger.participant.state.v1.ParticipantId
 import com.digitalasset.daml.lf.archive.DarReader
 import com.digitalasset.daml_lf_dev.DamlLf.Archive
+import com.digitalasset.ledger.api.auth.AuthServiceWildcard
 import com.digitalasset.platform.common.logging.NamedLoggerFactory
 import com.digitalasset.platform.index.{StandaloneIndexServer, StandaloneIndexerServer}
-import com.digitalasset.platform.server.api.authorization.auth.AuthServiceWildcard
 import org.slf4j.LoggerFactory
 
 import scala.concurrent.{ExecutionContext, Future}

diff --git a/ledger/ledger-api-auth/BUILD.bazel b/ledger/ledger-api-auth/BUILD.bazel
@@ -0,0 +1,38 @@
+# Copyright (c) 2019 The DAML Authors. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+load(
+    "//bazel_tools:scala.bzl",
+    "da_scala_library",
+    "da_scala_test_suite",
+)
+
+da_scala_library(
+    name = "ledger-api-auth",
+    srcs = glob(["src/main/scala/com/digitalasset/ledger/api/auth/**/*.scala"]),
+    resources = glob(["src/main/resources/**/*"]),
+    tags = ["maven_coordinates=com.digitalasset.ledger:ledger-api-auth:__VERSION__"],
+    visibility = [
+        "//visibility:public",
+    ],
+    runtime_deps = [],
+    deps = [
+        "//daml-lf/data",
+        "//ledger-api/grpc-definitions:ledger-api-scalapb",
+        "//ledger-api/rs-grpc-akka",
+        "//ledger-api/rs-grpc-bridge",
+        "//ledger/ledger-api-akka",
+        "//ledger/ledger-api-client",
+        "//ledger/ledger-api-common",
+        "//ledger/ledger-api-domain",
+        "//ledger/ledger-api-scala-logging",
+        "@maven//:com_typesafe_akka_akka_actor_2_12",
+        "@maven//:com_typesafe_akka_akka_stream_2_12",
+        "@maven//:io_grpc_grpc_api",
+        "@maven//:io_grpc_grpc_context",
+        "@maven//:io_grpc_grpc_core",
+        "@maven//:io_grpc_grpc_services",
+        "@maven//:org_scala_lang_modules_scala_java8_compat_2_12",
+        "@maven//:org_slf4j_slf4j_api",
+    ],
+)
diff --git a/ledger/ledger-api-auth/README.md b/ledger/ledger-api-auth/README.md
@@ -0,0 +1,17 @@
+# Ledger API authorization
+
+## General authorization in gRPC
+
+An `Interceptor` reads HTTP headers, and stores relevant information (e.g., claims) in a `Context`.
+
+GRPC services read the stored data from the `Context` in order to validate the requests.
+
+## Authorization in the ledger API
+
+The `AuthService` defines an interface for decoding HTTP headers into `Claims`.
+
+The ledger API server takes an `AuthService` implementation as an argument.
+
+The ledger API server uses a call interceptor and the given `AuthService` implementation to to store decoded `Claims` in the gRPC `Context`.
+
+All ledger API services use the `Claims` to validate their requests.
diff --git a/...er/participant/state/v1/AuthService.scala → ...alasset/ledger/api/auth/AuthService.scala b/...er/participant/state/v1/AuthService.scala → ...alasset/ledger/api/auth/AuthService.scala
@@ -1,7 +1,7 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.daml.ledger.participant.state.v1
+package com.digitalasset.ledger.api.auth
 
 import java.util.concurrent.CompletionStage
 

diff --git a/.../authorization/auth/AuthServiceNone.scala → ...set/ledger/api/auth/AuthServiceNone.scala b/.../authorization/auth/AuthServiceNone.scala → ...set/ledger/api/auth/AuthServiceNone.scala
@@ -1,16 +1,15 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.auth
+package com.digitalasset.ledger.api.auth
 
 import java.util.concurrent.{CompletableFuture, CompletionStage}
 
-import com.daml.ledger.participant.state.v1.{AuthService, Claims}
 import io.grpc.Metadata
 
 /** An AuthService that rejects all calls by always returning an empty set of [[Claims]] */
 object AuthServiceNone extends AuthService {
   override def decodeMetadata(headers: Metadata): CompletionStage[Claims] = {
     CompletableFuture.completedFuture(Claims.empty)
   }
-}
+}
diff --git a/...uthorization/auth/AuthServiceStatic.scala → ...t/ledger/api/auth/AuthServiceStatic.scala b/...uthorization/auth/AuthServiceStatic.scala → ...t/ledger/api/auth/AuthServiceStatic.scala
@@ -1,11 +1,10 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.auth
+package com.digitalasset.ledger.api.auth
 
 import java.util.concurrent.{CompletableFuture, CompletionStage}
 
-import com.daml.ledger.participant.state.v1.{AuthService, Claims}
 import io.grpc.Metadata
 
 /** An AuthService that matches the value of the `Authorization` HTTP header against

diff --git a/...horization/auth/AuthServiceWildcard.scala → ...ledger/api/auth/AuthServiceWildcard.scala b/...horization/auth/AuthServiceWildcard.scala → ...ledger/api/auth/AuthServiceWildcard.scala
@@ -1,16 +1,15 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.auth
+package com.digitalasset.ledger.api.auth
 
 import java.util.concurrent.{CompletableFuture, CompletionStage}
 
-import com.daml.ledger.participant.state.v1.{AuthService, Claims}
 import io.grpc.Metadata
 
 /** An AuthService that authorizes all calls by always returning a wildcard [[Claims]] */
 object AuthServiceWildcard extends AuthService {
   override def decodeMetadata(headers: Metadata): CompletionStage[Claims] = {
     CompletableFuture.completedFuture(Claims.wildcard)
   }
-}
+}
diff --git a/.../ledger/participant/state/v1/Claims.scala → ...digitalasset/ledger/api/auth/Claims.scala b/.../ledger/participant/state/v1/Claims.scala → ...digitalasset/ledger/api/auth/Claims.scala
@@ -1,7 +1,7 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.daml.ledger.participant.state.v1
+package com.digitalasset.ledger.api.auth
 
 import com.digitalasset.daml.lf.data.Ref
 
@@ -88,8 +88,8 @@ case class Claims(claims: Seq[Claim]) {
 object Claims {
 
   /** A set of [[Claims]] that does not have any authorization */
-  def empty: Claims = Claims(List.empty[Claim])
+  val empty = Claims(List.empty[Claim])
 
   /** A set of [[Claims]] that has all possible authorizations */
-  def wildcard: Claims = Claims(List[Claim](ClaimPublic, ClaimAdmin, ClaimActAsAnyParty))
+  val wildcard = Claims(List[Claim](ClaimPublic, ClaimAdmin, ClaimActAsAnyParty))
 }
diff --git a/...thorization/AsyncForwardingListener.scala → ...interceptor/AsyncForwardingListener.scala b/...thorization/AsyncForwardingListener.scala → ...interceptor/AsyncForwardingListener.scala
@@ -1,7 +1,7 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization
+package com.digitalasset.ledger.api.auth.interceptor
 
 import io.grpc.ServerCall
 

diff --git a/...horization/AuthorizationInterceptor.scala → ...nterceptor/AuthorizationInterceptor.scala b/...horization/AuthorizationInterceptor.scala → ...nterceptor/AuthorizationInterceptor.scala
@@ -1,9 +1,9 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization
+package com.digitalasset.ledger.api.auth.interceptor
 
-import com.daml.ledger.participant.state.v1.{AuthService, Claims}
+import com.digitalasset.ledger.api.auth.{AuthService, Claims}
 import io.grpc.{
   Context,
   Contexts,
@@ -23,7 +23,7 @@ import scala.util.{Failure, Success}
   * This interceptor uses the given [[AuthService]] to get [[Claims]] for the current request,
   * and then stores them in the current [[Context]].
   *
-  * Use [[ApiServiceAuthorization]] to read the claims from the context.
+  * Use [[com.digitalasset.ledger.api.auth.services.ApiServiceAuthorization]] to read the claims from the context.
   * */
 class AuthorizationInterceptor(protected val authService: AuthService, ec: ExecutionContext)
     extends ServerInterceptor {

diff --git a/...ActiveContractsServiceAuthorization.scala → ...ActiveContractsServiceAuthorization.scala b/...ActiveContractsServiceAuthorization.scala → ...ActiveContractsServiceAuthorization.scala
@@ -1,10 +1,10 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.services
+package com.digitalasset.ledger.api.auth.services
 
-import com.daml.ledger.participant.state.v1.AuthService
 import com.digitalasset.grpc.adapter.utils.DirectExecutionContext
+import com.digitalasset.ledger.api.auth.AuthService
 import com.digitalasset.ledger.api.v1.active_contracts_service.ActiveContractsServiceGrpc.ActiveContractsService
 import com.digitalasset.ledger.api.v1.active_contracts_service.{
   ActiveContractsServiceGrpc,
@@ -13,7 +13,6 @@ import com.digitalasset.ledger.api.v1.active_contracts_service.{
 }
 import com.digitalasset.platform.api.grpc.GrpcApiService
 import com.digitalasset.platform.server.api.ProxyCloseable
-import com.digitalasset.platform.server.api.authorization.ApiServiceAuthorization
 import io.grpc.ServerServiceDefinition
 import io.grpc.stub.StreamObserver
 import org.slf4j.{Logger, LoggerFactory}

diff --git a/...thorization/ApiServiceAuthorization.scala → ...th/services/ApiServiceAuthorization.scala b/...thorization/ApiServiceAuthorization.scala → ...th/services/ApiServiceAuthorization.scala
@@ -1,9 +1,10 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization
+package com.digitalasset.ledger.api.auth.services
 
-import com.daml.ledger.participant.state.v1.Claims
+import com.digitalasset.ledger.api.auth.Claims
+import com.digitalasset.ledger.api.auth.interceptor.AuthorizationInterceptor
 import com.digitalasset.ledger.api.v1.transaction_filter.TransactionFilter
 import com.digitalasset.platform.server.api.validation.ErrorFactories._
 import io.grpc.{Context, StatusRuntimeException}

diff --git a/...mmandCompletionServiceAuthorization.scala → ...mmandCompletionServiceAuthorization.scala b/...mmandCompletionServiceAuthorization.scala → ...mmandCompletionServiceAuthorization.scala
@@ -1,16 +1,15 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.services
+package com.digitalasset.ledger.api.auth.services
 
 import akka.stream.scaladsl.Source
-import com.daml.ledger.participant.state.v1.AuthService
 import com.digitalasset.grpc.adapter.utils.DirectExecutionContext
+import com.digitalasset.ledger.api.auth.AuthService
 import com.digitalasset.ledger.api.v1.command_completion_service.CommandCompletionServiceGrpc.CommandCompletionService
 import com.digitalasset.ledger.api.v1.command_completion_service._
 import com.digitalasset.platform.api.grpc.GrpcApiService
 import com.digitalasset.platform.server.api.ProxyCloseable
-import com.digitalasset.platform.server.api.authorization.ApiServiceAuthorization
 import com.digitalasset.platform.server.api.services.grpc.GrpcCommandCompletionService
 import io.grpc.ServerServiceDefinition
 import io.grpc.stub.StreamObserver

diff --git a/...ervices/CommandServiceAuthorization.scala → ...ervices/CommandServiceAuthorization.scala b/...ervices/CommandServiceAuthorization.scala → ...ervices/CommandServiceAuthorization.scala
@@ -1,21 +1,14 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.services
+package com.digitalasset.ledger.api.auth.services
 
-import com.daml.ledger.participant.state.v1.AuthService
 import com.digitalasset.grpc.adapter.utils.DirectExecutionContext
+import com.digitalasset.ledger.api.auth.AuthService
 import com.digitalasset.ledger.api.v1.command_service.CommandServiceGrpc.CommandService
-import com.digitalasset.ledger.api.v1.command_service.{
-  CommandServiceGrpc,
-  SubmitAndWaitForTransactionIdResponse,
-  SubmitAndWaitForTransactionResponse,
-  SubmitAndWaitForTransactionTreeResponse,
-  SubmitAndWaitRequest
-}
+import com.digitalasset.ledger.api.v1.command_service._
 import com.digitalasset.platform.api.grpc.GrpcApiService
 import com.digitalasset.platform.server.api.ProxyCloseable
-import com.digitalasset.platform.server.api.authorization.ApiServiceAuthorization
 import com.google.protobuf.empty.Empty
 import io.grpc.ServerServiceDefinition
 import org.slf4j.{Logger, LoggerFactory}

diff --git a/...mmandSubmissionServiceAuthorization.scala → ...mmandSubmissionServiceAuthorization.scala b/...mmandSubmissionServiceAuthorization.scala → ...mmandSubmissionServiceAuthorization.scala
@@ -1,15 +1,14 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.services
+package com.digitalasset.ledger.api.auth.services
 
-import com.daml.ledger.participant.state.v1.AuthService
 import com.digitalasset.grpc.adapter.utils.DirectExecutionContext
+import com.digitalasset.ledger.api.auth.AuthService
 import com.digitalasset.ledger.api.v1.command_submission_service.CommandSubmissionServiceGrpc.CommandSubmissionService
 import com.digitalasset.ledger.api.v1.command_submission_service._
 import com.digitalasset.platform.api.grpc.GrpcApiService
 import com.digitalasset.platform.server.api.ProxyCloseable
-import com.digitalasset.platform.server.api.authorization.ApiServiceAuthorization
 import com.google.protobuf.empty.Empty
 import io.grpc.ServerServiceDefinition
 import org.slf4j.{Logger, LoggerFactory}

diff --git a/...erConfigurationServiceAuthorization.scala → ...erConfigurationServiceAuthorization.scala b/...erConfigurationServiceAuthorization.scala → ...erConfigurationServiceAuthorization.scala
@@ -1,15 +1,14 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.services
+package com.digitalasset.ledger.api.auth.services
 
-import com.daml.ledger.participant.state.v1.AuthService
 import com.digitalasset.grpc.adapter.utils.DirectExecutionContext
+import com.digitalasset.ledger.api.auth.AuthService
 import com.digitalasset.ledger.api.v1.ledger_configuration_service.LedgerConfigurationServiceGrpc.LedgerConfigurationService
 import com.digitalasset.ledger.api.v1.ledger_configuration_service._
 import com.digitalasset.platform.api.grpc.GrpcApiService
 import com.digitalasset.platform.server.api.ProxyCloseable
-import com.digitalasset.platform.server.api.authorization.ApiServiceAuthorization
 import io.grpc.ServerServiceDefinition
 import io.grpc.stub.StreamObserver
 import org.slf4j.{Logger, LoggerFactory}

diff --git a/.../LedgerIdentityServiceAuthorization.scala → .../LedgerIdentityServiceAuthorization.scala b/.../LedgerIdentityServiceAuthorization.scala → .../LedgerIdentityServiceAuthorization.scala
@@ -1,19 +1,18 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.services
+package com.digitalasset.ledger.api.auth.services
 
-import com.daml.ledger.participant.state.v1.AuthService
 import com.digitalasset.grpc.adapter.utils.DirectExecutionContext
+import com.digitalasset.ledger.api.auth.AuthService
+import com.digitalasset.ledger.api.v1.ledger_identity_service.LedgerIdentityServiceGrpc.LedgerIdentityService
 import com.digitalasset.ledger.api.v1.ledger_identity_service.{
   GetLedgerIdentityRequest,
   GetLedgerIdentityResponse,
   LedgerIdentityServiceGrpc
 }
-import com.digitalasset.ledger.api.v1.ledger_identity_service.LedgerIdentityServiceGrpc.LedgerIdentityService
 import com.digitalasset.platform.api.grpc.GrpcApiService
 import com.digitalasset.platform.server.api.ProxyCloseable
-import com.digitalasset.platform.server.api.authorization.ApiServiceAuthorization
 import io.grpc.ServerServiceDefinition
 import org.slf4j.{Logger, LoggerFactory}
 

diff --git a/...ckageManagementServiceAuthorization.scala → ...ckageManagementServiceAuthorization.scala b/...ckageManagementServiceAuthorization.scala → ...ckageManagementServiceAuthorization.scala
@@ -1,15 +1,14 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.services
+package com.digitalasset.ledger.api.auth.services
 
-import com.daml.ledger.participant.state.v1.AuthService
 import com.digitalasset.grpc.adapter.utils.DirectExecutionContext
+import com.digitalasset.ledger.api.auth.AuthService
 import com.digitalasset.ledger.api.v1.admin.package_management_service.PackageManagementServiceGrpc.PackageManagementService
 import com.digitalasset.ledger.api.v1.admin.package_management_service._
 import com.digitalasset.platform.api.grpc.GrpcApiService
 import com.digitalasset.platform.server.api.ProxyCloseable
-import com.digitalasset.platform.server.api.authorization.ApiServiceAuthorization
 import io.grpc.ServerServiceDefinition
 import org.slf4j.{Logger, LoggerFactory}
 

diff --git a/...ervices/PackageServiceAuthorization.scala → ...ervices/PackageServiceAuthorization.scala b/...ervices/PackageServiceAuthorization.scala → ...ervices/PackageServiceAuthorization.scala
@@ -1,15 +1,14 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.services
+package com.digitalasset.ledger.api.auth.services
 
-import com.daml.ledger.participant.state.v1.AuthService
 import com.digitalasset.grpc.adapter.utils.DirectExecutionContext
+import com.digitalasset.ledger.api.auth.AuthService
 import com.digitalasset.ledger.api.v1.package_service.PackageServiceGrpc.PackageService
 import com.digitalasset.ledger.api.v1.package_service._
 import com.digitalasset.platform.api.grpc.GrpcApiService
 import com.digitalasset.platform.server.api.ProxyCloseable
-import com.digitalasset.platform.server.api.authorization.ApiServiceAuthorization
 import io.grpc.ServerServiceDefinition
 import org.slf4j.{Logger, LoggerFactory}
 

diff --git a/...PartyManagementServiceAuthorization.scala → ...PartyManagementServiceAuthorization.scala b/...PartyManagementServiceAuthorization.scala → ...PartyManagementServiceAuthorization.scala
@@ -1,23 +1,14 @@
 // Copyright (c) 2019 The DAML Authors. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package com.digitalasset.platform.server.api.authorization.services
+package com.digitalasset.ledger.api.auth.services
 
-import com.daml.ledger.participant.state.v1.AuthService
 import com.digitalasset.grpc.adapter.utils.DirectExecutionContext
-import com.digitalasset.ledger.api.v1.admin.party_management_service.{
-  AllocatePartyRequest,
-  AllocatePartyResponse,
-  GetParticipantIdRequest,
-  GetParticipantIdResponse,
-  ListKnownPartiesRequest,
-  ListKnownPartiesResponse,
-  PartyManagementServiceGrpc
-}
+import com.digitalasset.ledger.api.auth.AuthService
 import com.digitalasset.ledger.api.v1.admin.party_management_service.PartyManagementServiceGrpc.PartyManagementService
+import com.digitalasset.ledger.api.v1.admin.party_management_service._
 import com.digitalasset.platform.api.grpc.GrpcApiService
 import com.digitalasset.platform.server.api.ProxyCloseable
-import com.digitalasset.platform.server.api.authorization.ApiServiceAuthorization
 import io.grpc.ServerServiceDefinition
 import org.slf4j.{Logger, LoggerFactory}