-
Notifications
You must be signed in to change notification settings - Fork 390
/
endpoint.go
138 lines (112 loc) · 3.64 KB
/
endpoint.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
// Copyright (C) 2022 Storj Labs, Inc.
// See LICENSE for copying information.
package userinfo
import (
"context"
"github.com/spacemonkeygo/monkit/v3"
"github.com/zeebo/errs"
"go.uber.org/zap"
"storj.io/common/identity"
"storj.io/common/macaroon"
"storj.io/common/pb"
"storj.io/common/rpc/rpcpeer"
"storj.io/common/rpc/rpcstatus"
"storj.io/common/storj"
"storj.io/storj/satellite/console"
)
var (
mon = monkit.Package()
// Error is an error class for userinfo endpoint errors.
Error = errs.Class("userinfo_endpoint")
)
// Config holds Endpoint's configuration.
type Config struct {
Enabled bool `help:"Whether the private Userinfo rpc endpoint is enabled" default:"false"`
AllowedPeers storj.NodeURLs `help:"A comma delimited list of peers (IDs/addresses) allowed to use this endpoint."`
}
// Endpoint userinfo endpoint.
type Endpoint struct {
pb.DRPCUserInfoUnimplementedServer
log *zap.Logger
users console.Users
apiKeys console.APIKeys
projects console.Projects
config Config
allowedPeers map[storj.NodeID]storj.NodeURL
}
// NewEndpoint creates a new userinfo endpoint instance.
func NewEndpoint(log *zap.Logger, users console.Users, apiKeys console.APIKeys, projects console.Projects, config Config) (*Endpoint, error) {
if len(config.AllowedPeers) == 0 {
return nil, Error.New("allowed peer list parameter '--allowed-peer-list' is required")
}
// put peers into a map for faster retrieval by NodeID.
allowedPeers := make(map[storj.NodeID]storj.NodeURL)
for _, peer := range config.AllowedPeers {
allowedPeers[peer.ID] = peer
}
return &Endpoint{
log: log,
users: users,
apiKeys: apiKeys,
projects: projects,
config: config,
allowedPeers: allowedPeers,
}, nil
}
// Close closes resources.
func (e *Endpoint) Close() error { return nil }
// Get returns relevant info about the current user.
func (e *Endpoint) Get(ctx context.Context, req *pb.GetUserInfoRequest) (response *pb.GetUserInfoResponse, err error) {
defer mon.Task()(&ctx)(&err)
peer, err := rpcpeer.FromContext(ctx)
if err != nil {
return nil, rpcstatus.Error(rpcstatus.Internal, err.Error())
}
peerID, err := identity.PeerIdentityFromPeer(peer)
if err != nil {
return nil, rpcstatus.Error(rpcstatus.Unauthenticated, err.Error())
}
if err = e.verifyPeer(peerID.ID); err != nil {
return nil, rpcstatus.Error(rpcstatus.PermissionDenied, err.Error())
}
key, err := e.getAPIKey(ctx, req.Header)
if err != nil {
return nil, rpcstatus.Error(rpcstatus.InvalidArgument, err.Error())
}
info, err := e.apiKeys.GetByHead(ctx, key.Head())
if err != nil {
return nil, rpcstatus.Error(rpcstatus.InvalidArgument, Error.Wrap(err).Error())
}
project, err := e.projects.Get(ctx, info.ProjectID)
if err != nil {
return nil, rpcstatus.Error(rpcstatus.NotFound, Error.Wrap(err).Error())
}
user, err := e.users.Get(ctx, project.OwnerID)
if err != nil {
return nil, rpcstatus.Error(rpcstatus.NotFound, Error.Wrap(err).Error())
}
return &pb.GetUserInfoResponse{
PaidTier: user.PaidTier,
}, nil
}
// verifyPeer verifies that a peer is allowed.
func (e *Endpoint) verifyPeer(id storj.NodeID) error {
_, ok := e.allowedPeers[id]
if !ok {
return Error.New("peer %q is untrusted", id)
}
return nil
}
func (e *Endpoint) getAPIKey(ctx context.Context, header *pb.RequestHeader) (key *macaroon.APIKey, err error) {
defer mon.Task()(&ctx)(&err)
if header == nil {
return nil, Error.New("Missing API credentials")
}
key, err = macaroon.ParseRawAPIKey(header.ApiKey)
if err != nil {
err = Error.Wrap(err)
e.log.Debug("Invalid credentials", zap.Error(err))
return nil, err
}
return key, nil
}