//go:generate protoc -I ../proto/authorize --go_out=plugins=grpc:../proto/authorize ../proto/authorize/authorize.proto
package authorize // import "github.com/pomerium/pomerium/authorize"
import (
"context"
"github.com/pomerium/pomerium/internal/telemetry/trace"
pb "github.com/pomerium/pomerium/proto/authorize"
)
// Authorize validates the user identity, device, and context of a request for
// a given route. Currently only checks identity.
//
// The identity fields of the incoming request are copied into the package's
// Identity type and handed to ValidIdentity together with the requested route;
// the reply carries that verdict as IsValid. The error return is always nil.
func (a *Authorize) Authorize(ctx context.Context, in *pb.Identity) (*pb.AuthorizeReply, error) {
	_, span := trace.StartSpan(ctx, "authorize.grpc.Authorize")
	defer span.End()

	// Only identity-derived fields are evaluated; device and request context
	// named in the doc comment are not consulted here yet.
	id := &Identity{
		User:              in.User,
		Email:             in.Email,
		Groups:            in.Groups,
		ImpersonateEmail:  in.ImpersonateEmail,
		ImpersonateGroups: in.ImpersonateGroups,
	}
	valid := a.ValidIdentity(in.Route, id)

	return &pb.AuthorizeReply{IsValid: valid}, nil
}
// IsAdmin validates the user is an administrative user.
//
// Only Email and Groups from the request are forwarded to identityAccess; the
// impersonation fields are not passed through, so the decision is made on the
// identity as presented in those two fields. The error return is always nil.
func (a *Authorize) IsAdmin(ctx context.Context, in *pb.Identity) (*pb.IsAdminReply, error) {
	_, span := trace.StartSpan(ctx, "authorize.grpc.IsAdmin")
	defer span.End()

	id := &Identity{
		Email:  in.Email,
		Groups: in.Groups,
	}
	reply := &pb.IsAdminReply{
		IsAdmin: a.identityAccess.IsAdmin(id),
	}

	return reply, nil
}