Add protoc-gen-auth plugin to generate the service.pb.auth.go automatically #3623

Merged
merged 3 commits into from May 13, 2022

Conversation

knanao
Member

@knanao knanao commented May 12, 2022

What this PR does / why we need it:

How to generate auth file

Please add the method option in your proto file like this.

service WebService {
    // Piped
    rpc RegisterPiped(RegisterPipedRequest) returns (RegisterPipedResponse) {
        option (model.role).project_role = ADMIN;
    }
    rpc UpdatePiped(UpdatePipedRequest) returns (UpdatePipedResponse) {
        option (model.role).project_role = EDITOR;
    }
    rpc RecreatePipedKey(RecreatePipedKeyRequest) returns (RecreatePipedKeyResponse) {
        option (model.role).project_role = VIEWER;
    }
    ...
}

Run make gen/code

You can generate the .pb.auth.go file through the make command.

// Copyright 2022 The PipeCD Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Code generated by protoc-gen-auth. DO NOT EDIT.
// source: pkg/app/server/service/webservice/service.proto

package webservice

import (
	"github.com/pipe-cd/pipecd/pkg/model"
	"github.com/pipe-cd/pipecd/pkg/rpc/rpcauth"
)

type authorizer struct{}

// NewRBACAuthorizer returns an RBACAuthorizer object for checking requested method based on RBAC.
func NewRBACAuthorizer() rpcauth.RBACAuthorizer {
	return &authorizer{}
}

func isAdmin(r model.Role) bool {
	return r.ProjectRole == model.Role_ADMIN
}

func isEditor(r model.Role) bool {
	return r.ProjectRole == model.Role_EDITOR
}

func isViewer(r model.Role) bool {
	return r.ProjectRole == model.Role_VIEWER
}

// Authorize checks whether a role is enough for given gRPC method or not.
func (a *authorizer) Authorize(method string, r model.Role) bool {
	switch method {
	case "/grpc.service.webservice.WebService/RegisterPiped":
		return isAdmin(r)
	case "/grpc.service.webservice.WebService/UpdatePiped":
		return isAdmin(r)
	case "/grpc.service.webservice.WebService/RecreatePipedKey":
		return isAdmin(r)
	case "/grpc.service.webservice.WebService/DeleteOldPipedKeys":
		return isAdmin(r)
	...
	case "/grpc.service.webservice.WebService/AddApplication":
		return isAdmin(r) || isEditor(r)
	case "/grpc.service.webservice.WebService/UpdateApplication":
		return isAdmin(r) || isEditor(r)
	case "/grpc.service.webservice.WebService/EnableApplication":
		return isAdmin(r) || isEditor(r)
	case "/grpc.service.webservice.WebService/DisableApplication":
		return isAdmin(r) || isEditor(r)
	case "/grpc.service.webservice.WebService/DeleteApplication":
		return isAdmin(r) || isEditor(r)
	...
	case "/grpc.service.webservice.WebService/ListPipeds":
		return isAdmin(r) || isEditor(r) || isViewer(r)
	case "/grpc.service.webservice.WebService/GetPiped":
		return isAdmin(r) || isEditor(r) || isViewer(r)
	case "/grpc.service.webservice.WebService/ListApplications":
		return isAdmin(r) || isEditor(r) || isViewer(r)
	...
	}
	return false
}

Which issue(s) this PR fixes:

Fixes #

Does this PR introduce a user-facing change?:

NONE
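As an added example (not code from this PR or from the PipeCD code base), the following Go program sketches the authorization model that the generated service.pb.auth.go implements: a per-method policy derived from the (model.role).project_role option, a deny-by-default Authorize that returns false for any method without an entry (the same fail-closed behaviour as the trailing return false in the generated switch), a strict parser for the option value that rejects empty or unknown values instead of silently defaulting, and a CI-style check that every RPC of a service has a policy entry. The ProjectRole and Role types are stand-ins for model.Role, and BuildPolicy, MissingPolicies, FullMethod and the option table are assumptions constructed here; the real types live in pkg/model and pkg/rpc/rpcauth.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ProjectRole stands in for model.Role_ADMIN/EDITOR/VIEWER (an assumption of this
// example). The ordering encodes the hierarchy the generated switch spells out as
// isAdmin(r) || isEditor(r) || isViewer(r): a higher role satisfies a lower requirement.
type ProjectRole int

const (
	RoleViewer ProjectRole = iota + 1
	RoleEditor
	RoleAdmin
)

// Role stands in for model.Role; only ProjectRole matters here.
type Role struct {
	ProjectRole ProjectRole
}

// ParseProjectRole maps the value of the (model.role).project_role option to a role.
// An empty or unknown value is an error, never a silent default.
func ParseProjectRole(s string) (ProjectRole, error) {
	switch strings.ToUpper(strings.TrimSpace(s)) {
	case "VIEWER":
		return RoleViewer, nil
	case "EDITOR":
		return RoleEditor, nil
	case "ADMIN":
		return RoleAdmin, nil
	}
	return 0, fmt.Errorf("unknown project_role %q", s)
}

// FullMethod builds the full method name a gRPC server interceptor receives,
// e.g. /grpc.service.webservice.WebService/RegisterPiped.
func FullMethod(protoPackage, service, rpc string) string {
	return "/" + protoPackage + "." + service + "/" + rpc
}

// Policy records the minimum role required for each full method name.
type Policy map[string]ProjectRole

// BuildPolicy turns an rpc-name -> option-value table (what a generator reads from the
// descriptors) into a Policy, failing on the first unparseable option.
func BuildPolicy(protoPackage, service string, options map[string]string) (Policy, error) {
	p := Policy{}
	for rpc, opt := range options {
		role, err := ParseProjectRole(opt)
		if err != nil {
			return nil, fmt.Errorf("rpc %s: %w", rpc, err)
		}
		p[FullMethod(protoPackage, service, rpc)] = role
	}
	return p, nil
}

// Authorize is the runtime check. A method with no policy entry is denied, mirroring
// the trailing `return false` of the generated Authorize switch.
func (p Policy) Authorize(method string, r Role) bool {
	required, ok := p[method]
	if !ok {
		return false
	}
	return r.ProjectRole >= required
}

// MissingPolicies lists the RPCs of a service that have no policy entry, so an RPC
// added without the option is caught in CI rather than discovered as a runtime denial.
func MissingPolicies(p Policy, protoPackage, service string, rpcs []string) []string {
	missing := []string{}
	for _, rpc := range rpcs {
		if _, ok := p[FullMethod(protoPackage, service, rpc)]; !ok {
			missing = append(missing, rpc)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed option table, following the proto snippet in the PR description.
	pkg, svc := "grpc.service.webservice", "WebService"
	p, err := BuildPolicy(pkg, svc, map[string]string{
		"RegisterPiped": "ADMIN", "UpdatePiped": "EDITOR", "RecreatePipedKey": "VIEWER",
	})
	if err != nil {
		panic(err)
	}
	m := FullMethod(pkg, svc, "UpdatePiped")
	fmt.Println("editor may UpdatePiped:", p.Authorize(m, Role{RoleEditor}))
	fmt.Println("viewer may UpdatePiped:", p.Authorize(m, Role{RoleViewer}))
	// DeleteOldPipedKeys exists in the service but carries no option in this table.
	rpcs := []string{"RegisterPiped", "UpdatePiped", "RecreatePipedKey", "DeleteOldPipedKeys"}
	fmt.Println("rpcs without a policy:", MissingPolicies(p, pkg, svc, rpcs))
}
```

The two properties worth keeping when the real generator evolves are visible in the block: an RPC that is missing from the table is denied rather than granted, and an option value the generator cannot read is a build error rather than a fallback role.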

@knanao knanao changed the title Add protoc-gen-auth plugin to generate the service.pb.auth.go automat… Add protoc-gen-auth plugin to generate the service.pb.auth.go automatically May 12, 2022
@knanao knanao marked this pull request as ready for review May 12, 2022 04:51
@knanao knanao requested a review from a team as a code owner May 12, 2022 04:51
@nghialv
Member

nghialv commented May 12, 2022

I think we should not include the plugin binary to this GitHub repository.
tool/codegen/protoc-gen-auth/protoc-gen-auth

Instead of that, it should be built by using a multi-stage Dockerfile like this one:
https://github.com/pipe-cd/pipecd/blob/master/tool/static/Dockerfile#L1

@knanao
Member Author

knanao commented May 12, 2022

@nghialv
Right.
But if we do so, we need to build protoc-gen-auth every time before running make gen/code in the workflow, don't we?
Or is there another better way?

@nghialv
Member

nghialv commented May 12, 2022

No, I meant building it once when making the container image.
When running that make gen/code the pre-built container image will be downloaded to run. No need to rebuild.

@pipecd-bot
Collaborator

DOCKER

A Kapetanios build has just been triggered to run docker operations for the following 1 directory.
Their results will be reported back after the build is completed.

  1. tool/codegen

@pipecd-bot
Collaborator

DOCKER

The Kapetanios build to run docker operations for the following 1 directory has been completed.

1. tool/codegen - success

An image named codegen:0.7.0-ba4eb5f was produced for reviewing and testing.
By merging this PR, an image named codegen:0.7.0 will be pushed to the container registry.

There is no test to run inside this directory.

WARNING: Currently existing container image codegen:0.7.0 will be overridden after merging because this PR did not change the image version.

Member Author

@knanao knanao left a comment

Let me update tool/codegen version in another PR to avoid including generated file in this PR.

@pipecd-bot
Collaborator

DOCKER

A Kapetanios build has just been triggered to run docker operations for the following 1 directory.
Their results will be reported back after the build is completed.

  1. tool/codegen

@pipecd-bot
Collaborator

DOCKER

The Kapetanios build to run docker operations for the following 1 directory has been completed.

1. tool/codegen - success

An image named codegen:0.8.0-a65ddc3 was produced for reviewing and testing.
By merging this PR, an image named codegen:0.8.0 will be pushed to the container registry.

There is no test to run inside this directory.

@pipecd-bot
Collaborator

DOCKER

A Kapetanios build has just been triggered to run docker operations for the following 1 directory.
Their results will be reported back after the build is completed.

  1. tool/codegen

@pipecd-bot
Collaborator

TODO

The following ISSUES will be created once this PR gets merged. If you want me to skip creating the issue, you can use the /todo skip command.

Details

1. This way can not parse the first value of enum for some reasons hence

// FIXME: This way can not parse the first value of enum for some reasons hence
// set VIEWER for default value.
method.Role = "VIEWER"
if v.String() != "" {

This was created by todo plugin since "FIXME:" was found in 722b591 when #3623 was merged. cc: @knanao.

@pipecd-bot
Collaborator

DOCKER

The Kapetanios build to run docker operations for the following 1 directory has been completed.

1. tool/codegen - success

An image named codegen:0.8.0-722b591 was produced for reviewing and testing.
By merging this PR, an image named codegen:0.8.0 will be pushed to the container registry.

There is no test to run inside this directory.

Member

@nghialv nghialv left a comment

Great job!

Member

@khanhtc1202 khanhtc1202 left a comment

Cool 🙌
