Kyle Isom
59d51a1d38
- proto/mcias/v1/: AdminService, AuthService, TokenService, AccountService, CredentialService; generated Go stubs in gen/ - internal/grpcserver: full handler implementations sharing all business logic (auth, token, db, crypto) with REST server; interceptor chain: logging -> auth (JWT alg-first + revocation) -> rate-limit (token bucket, 10 req/s, burst 10, per-IP) - internal/config: optional grpc_addr field in [server] section - cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr when configured; graceful shutdown of both servers in 15s window - cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands (health, pubkey, account, role, token, pgcreds) using TLS with optional custom CA cert - internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering public RPCs, auth interceptor (no token, invalid, revoked -> 401), non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows, AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip, credential fields absent from all responses Security: JWT validation path identical to REST: alg header checked before signature, alg:none rejected, revocation table checked after sig. Authorization metadata value never logged by any interceptor. Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from all proto response messages — enforced by proto design and confirmed by test TestCredentialFieldsAbsentFromAccountResponse. Login dummy-Argon2 timing guard preserves timing uniformity for unknown users (same as REST handleLogin). TLS required at listener level; cmd/mciassrv uses credentials.NewServerTLSFromFile; no h2c offered. 137 tests pass, zero race conditions (go test -race ./...)
216 lines
8.5 KiB
Go
216 lines
8.5 KiB
Go
// TokenService: token validation, service-token issuance, and revocation.
|
|
|
|
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
|
|
// versions:
|
|
// - protoc-gen-go-grpc v1.6.1
|
|
// - protoc v6.33.4
|
|
// source: mcias/v1/token.proto
|
|
|
|
package mciasv1
|
|
|
|
import (
|
|
context "context"
|
|
grpc "google.golang.org/grpc"
|
|
codes "google.golang.org/grpc/codes"
|
|
status "google.golang.org/grpc/status"
|
|
)
|
|
|
|
// This is a compile-time assertion to ensure that this generated file
|
|
// is compatible with the grpc package it is being compiled against.
|
|
// Requires gRPC-Go v1.64.0 or later.
|
|
const _ = grpc.SupportPackageIsVersion9
|
|
|
|
const (
|
|
TokenService_ValidateToken_FullMethodName = "/mcias.v1.TokenService/ValidateToken"
|
|
TokenService_IssueServiceToken_FullMethodName = "/mcias.v1.TokenService/IssueServiceToken"
|
|
TokenService_RevokeToken_FullMethodName = "/mcias.v1.TokenService/RevokeToken"
|
|
)
|
|
|
|
// TokenServiceClient is the client API for TokenService service.
|
|
//
|
|
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
|
|
//
|
|
// TokenService manages token lifecycle.
|
|
type TokenServiceClient interface {
|
|
// ValidateToken checks whether a JWT is valid and returns its claims.
|
|
// Public RPC — no auth required.
|
|
ValidateToken(ctx context.Context, in *ValidateTokenRequest, opts ...grpc.CallOption) (*ValidateTokenResponse, error)
|
|
// IssueServiceToken issues a new service token for a system account.
|
|
// Requires: admin JWT in metadata.
|
|
IssueServiceToken(ctx context.Context, in *IssueServiceTokenRequest, opts ...grpc.CallOption) (*IssueServiceTokenResponse, error)
|
|
// RevokeToken revokes a token by JTI.
|
|
// Requires: admin JWT in metadata.
|
|
RevokeToken(ctx context.Context, in *RevokeTokenRequest, opts ...grpc.CallOption) (*RevokeTokenResponse, error)
|
|
}
|
|
|
|
type tokenServiceClient struct {
|
|
cc grpc.ClientConnInterface
|
|
}
|
|
|
|
func NewTokenServiceClient(cc grpc.ClientConnInterface) TokenServiceClient {
|
|
return &tokenServiceClient{cc}
|
|
}
|
|
|
|
func (c *tokenServiceClient) ValidateToken(ctx context.Context, in *ValidateTokenRequest, opts ...grpc.CallOption) (*ValidateTokenResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(ValidateTokenResponse)
|
|
err := c.cc.Invoke(ctx, TokenService_ValidateToken_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (c *tokenServiceClient) IssueServiceToken(ctx context.Context, in *IssueServiceTokenRequest, opts ...grpc.CallOption) (*IssueServiceTokenResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(IssueServiceTokenResponse)
|
|
err := c.cc.Invoke(ctx, TokenService_IssueServiceToken_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (c *tokenServiceClient) RevokeToken(ctx context.Context, in *RevokeTokenRequest, opts ...grpc.CallOption) (*RevokeTokenResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(RevokeTokenResponse)
|
|
err := c.cc.Invoke(ctx, TokenService_RevokeToken_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
// TokenServiceServer is the server API for TokenService service.
|
|
// All implementations must embed UnimplementedTokenServiceServer
|
|
// for forward compatibility.
|
|
//
|
|
// TokenService manages token lifecycle.
|
|
type TokenServiceServer interface {
|
|
// ValidateToken checks whether a JWT is valid and returns its claims.
|
|
// Public RPC — no auth required.
|
|
ValidateToken(context.Context, *ValidateTokenRequest) (*ValidateTokenResponse, error)
|
|
// IssueServiceToken issues a new service token for a system account.
|
|
// Requires: admin JWT in metadata.
|
|
IssueServiceToken(context.Context, *IssueServiceTokenRequest) (*IssueServiceTokenResponse, error)
|
|
// RevokeToken revokes a token by JTI.
|
|
// Requires: admin JWT in metadata.
|
|
RevokeToken(context.Context, *RevokeTokenRequest) (*RevokeTokenResponse, error)
|
|
mustEmbedUnimplementedTokenServiceServer()
|
|
}
|
|
|
|
// UnimplementedTokenServiceServer must be embedded to have
|
|
// forward compatible implementations.
|
|
//
|
|
// NOTE: this should be embedded by value instead of pointer to avoid a nil
|
|
// pointer dereference when methods are called.
|
|
type UnimplementedTokenServiceServer struct{}
|
|
|
|
func (UnimplementedTokenServiceServer) ValidateToken(context.Context, *ValidateTokenRequest) (*ValidateTokenResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method ValidateToken not implemented")
|
|
}
|
|
func (UnimplementedTokenServiceServer) IssueServiceToken(context.Context, *IssueServiceTokenRequest) (*IssueServiceTokenResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method IssueServiceToken not implemented")
|
|
}
|
|
func (UnimplementedTokenServiceServer) RevokeToken(context.Context, *RevokeTokenRequest) (*RevokeTokenResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method RevokeToken not implemented")
|
|
}
|
|
func (UnimplementedTokenServiceServer) mustEmbedUnimplementedTokenServiceServer() {}
|
|
func (UnimplementedTokenServiceServer) testEmbeddedByValue() {}
|
|
|
|
// UnsafeTokenServiceServer may be embedded to opt out of forward compatibility for this service.
|
|
// Use of this interface is not recommended, as added methods to TokenServiceServer will
|
|
// result in compilation errors.
|
|
type UnsafeTokenServiceServer interface {
|
|
mustEmbedUnimplementedTokenServiceServer()
|
|
}
|
|
|
|
func RegisterTokenServiceServer(s grpc.ServiceRegistrar, srv TokenServiceServer) {
|
|
// If the following call panics, it indicates UnimplementedTokenServiceServer was
|
|
// embedded by pointer and is nil. This will cause panics if an
|
|
// unimplemented method is ever invoked, so we test this at initialization
|
|
// time to prevent it from happening at runtime later due to I/O.
|
|
if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
|
|
t.testEmbeddedByValue()
|
|
}
|
|
s.RegisterService(&TokenService_ServiceDesc, srv)
|
|
}
|
|
|
|
func _TokenService_ValidateToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(ValidateTokenRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(TokenServiceServer).ValidateToken(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: TokenService_ValidateToken_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(TokenServiceServer).ValidateToken(ctx, req.(*ValidateTokenRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
func _TokenService_IssueServiceToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(IssueServiceTokenRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(TokenServiceServer).IssueServiceToken(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: TokenService_IssueServiceToken_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(TokenServiceServer).IssueServiceToken(ctx, req.(*IssueServiceTokenRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
func _TokenService_RevokeToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(RevokeTokenRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(TokenServiceServer).RevokeToken(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: TokenService_RevokeToken_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(TokenServiceServer).RevokeToken(ctx, req.(*RevokeTokenRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
// TokenService_ServiceDesc is the grpc.ServiceDesc for TokenService service.
|
|
// It's only intended for direct use with grpc.RegisterService,
|
|
// and not to be introspected or modified (even as a copy)
|
|
var TokenService_ServiceDesc = grpc.ServiceDesc{
|
|
ServiceName: "mcias.v1.TokenService",
|
|
HandlerType: (*TokenServiceServer)(nil),
|
|
Methods: []grpc.MethodDesc{
|
|
{
|
|
MethodName: "ValidateToken",
|
|
Handler: _TokenService_ValidateToken_Handler,
|
|
},
|
|
{
|
|
MethodName: "IssueServiceToken",
|
|
Handler: _TokenService_IssueServiceToken_Handler,
|
|
},
|
|
{
|
|
MethodName: "RevokeToken",
|
|
Handler: _TokenService_RevokeToken_Handler,
|
|
},
|
|
},
|
|
Streams: []grpc.StreamDesc{},
|
|
Metadata: "mcias/v1/token.proto",
|
|
}
|