-
Notifications
You must be signed in to change notification settings - Fork 106
/
sentry.go
130 lines (104 loc) · 3.53 KB
/
sentry.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
// Package sentry implements the sentry backend.
package sentry
import (
"context"
"fmt"
"sync"
"github.com/oasisprotocol/oasis-core/go/common/crypto/signature"
cmnGrpc "github.com/oasisprotocol/oasis-core/go/common/grpc"
"github.com/oasisprotocol/oasis-core/go/common/grpc/policy"
"github.com/oasisprotocol/oasis-core/go/common/identity"
"github.com/oasisprotocol/oasis-core/go/common/logging"
"github.com/oasisprotocol/oasis-core/go/common/node"
consensus "github.com/oasisprotocol/oasis-core/go/consensus/api"
"github.com/oasisprotocol/oasis-core/go/sentry/api"
grpcSentry "github.com/oasisprotocol/oasis-core/go/worker/sentry/grpc"
)
var _ api.Backend = (*backend)(nil)
type backend struct {
sync.RWMutex
logger *logging.Logger
consensus consensus.Backend
identity *identity.Identity
upstreamTLSPubKeys []signature.PublicKey
grpcPolicyCheckers map[cmnGrpc.ServiceName]*policy.DynamicRuntimePolicyChecker
}
func (b *backend) GetAddresses(ctx context.Context) (*api.SentryAddresses, error) {
// Consensus addresses.
consensusAddrs, err := b.consensus.GetAddresses()
if err != nil {
return nil, fmt.Errorf("sentry: error obtaining consensus addresses: %w", err)
}
b.logger.Debug("successfully obtained consensus addresses",
"addresses", consensusAddrs,
)
// TLS addresses -- only available if gRPC sentry is enabled.
tlsAddrs, err := grpcSentry.GetNodeAddresses()
if err != nil {
return nil, fmt.Errorf("sentry: error obtaining sentry worker addresses: %w", err)
}
var tlsAddresses []node.TLSAddress
for _, addr := range tlsAddrs {
tlsAddresses = append(tlsAddresses, node.TLSAddress{
PubKey: b.identity.GetTLSSigner().Public(),
Address: addr,
})
// Make sure to also include the certificate that will be valid
// in the next epoch, so that the node remains reachable.
if nextSigner := b.identity.GetNextTLSSigner(); nextSigner != nil {
tlsAddresses = append(tlsAddresses, node.TLSAddress{
PubKey: nextSigner.Public(),
Address: addr,
})
}
}
return &api.SentryAddresses{
Consensus: consensusAddrs,
TLS: tlsAddresses,
}, nil
}
func (b *backend) SetUpstreamTLSPubKeys(ctx context.Context, pubKeys []signature.PublicKey) error {
b.Lock()
defer b.Unlock()
b.upstreamTLSPubKeys = pubKeys
return nil
}
func (b *backend) GetUpstreamTLSPubKeys(ctx context.Context) ([]signature.PublicKey, error) {
b.RLock()
defer b.RUnlock()
return b.upstreamTLSPubKeys, nil
}
func (b *backend) UpdatePolicies(ctx context.Context, p api.ServicePolicies) error {
b.Lock()
defer b.Unlock()
b.grpcPolicyCheckers[p.Service] = policy.NewDynamicRuntimePolicyChecker(p.Service, nil)
for namespace, policy := range p.AccessPolicies {
b.grpcPolicyCheckers[p.Service].SetAccessPolicy(policy, namespace)
}
return nil
}
func (b *backend) GetPolicyChecker(ctx context.Context, service cmnGrpc.ServiceName) (*policy.DynamicRuntimePolicyChecker, error) {
b.RLock()
defer b.RUnlock()
p, ok := b.grpcPolicyCheckers[service]
if !ok {
return nil, fmt.Errorf("no policy checker defined for given service")
}
return p, nil
}
// New constructs a new sentry Backend instance.
func New(
consensusBackend consensus.Backend,
identity *identity.Identity,
) (api.LocalBackend, error) {
if consensusBackend == nil {
return nil, fmt.Errorf("sentry: consensus backend is nil")
}
b := &backend{
logger: logging.GetLogger("sentry"),
consensus: consensusBackend,
identity: identity,
grpcPolicyCheckers: make(map[cmnGrpc.ServiceName]*policy.DynamicRuntimePolicyChecker),
}
return b, nil
}