Kyle Isom
d3d656a23f
- Add auth/login and auth/logout to mciasgrpcctl, calling the existing AuthService.Login/Logout RPCs; password is always prompted interactively (term.ReadPassword), never accepted as a flag, raw bytes zeroed after use - Add proto/mcias/v1/policy.proto with PolicyService (List, Create, Get, Update, Delete policy rules) - Regenerate gen/mcias/v1/ stubs to include policy - Implement internal/grpcserver/policyservice.go delegating to the same db layer as the REST policy handlers - Register PolicyService in grpcserver.go - Add policy list/create/get/update/delete to mciasgrpcctl - Update mciasgrpcctl man page with new commands Security: auth login uses the same interactive password prompt pattern as mciasctl; password never appears in process args, shell history, or logs; raw bytes zeroed after string conversion (same as REST CLI and REST server). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
342 lines
13 KiB
Go
342 lines
13 KiB
Go
// AuthService: login, logout, token renewal, and TOTP management.
|
|
|
|
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
|
|
// versions:
|
|
// - protoc-gen-go-grpc v1.6.1
|
|
// - protoc v3.20.3
|
|
// source: mcias/v1/auth.proto
|
|
|
|
package mciasv1
|
|
|
|
import (
|
|
context "context"
|
|
grpc "google.golang.org/grpc"
|
|
codes "google.golang.org/grpc/codes"
|
|
status "google.golang.org/grpc/status"
|
|
)
|
|
|
|
// This is a compile-time assertion to ensure that this generated file
|
|
// is compatible with the grpc package it is being compiled against.
|
|
// Requires gRPC-Go v1.64.0 or later.
|
|
const _ = grpc.SupportPackageIsVersion9
|
|
|
|
const (
|
|
AuthService_Login_FullMethodName = "/mcias.v1.AuthService/Login"
|
|
AuthService_Logout_FullMethodName = "/mcias.v1.AuthService/Logout"
|
|
AuthService_RenewToken_FullMethodName = "/mcias.v1.AuthService/RenewToken"
|
|
AuthService_EnrollTOTP_FullMethodName = "/mcias.v1.AuthService/EnrollTOTP"
|
|
AuthService_ConfirmTOTP_FullMethodName = "/mcias.v1.AuthService/ConfirmTOTP"
|
|
AuthService_RemoveTOTP_FullMethodName = "/mcias.v1.AuthService/RemoveTOTP"
|
|
)
|
|
|
|
// AuthServiceClient is the client API for AuthService service.
|
|
//
|
|
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
|
|
//
|
|
// AuthService handles all authentication flows.
|
|
type AuthServiceClient interface {
|
|
// Login authenticates with username+password (+optional TOTP) and returns a JWT.
|
|
// Public RPC — no auth required.
|
|
Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error)
|
|
// Logout revokes the caller's current token.
|
|
// Requires: valid JWT in metadata.
|
|
Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error)
|
|
// RenewToken exchanges the caller's token for a fresh one.
|
|
// Requires: valid JWT in metadata.
|
|
RenewToken(ctx context.Context, in *RenewTokenRequest, opts ...grpc.CallOption) (*RenewTokenResponse, error)
|
|
// EnrollTOTP begins TOTP enrollment for the calling account.
|
|
// Requires: valid JWT in metadata.
|
|
EnrollTOTP(ctx context.Context, in *EnrollTOTPRequest, opts ...grpc.CallOption) (*EnrollTOTPResponse, error)
|
|
// ConfirmTOTP confirms TOTP enrollment with a code from the authenticator app.
|
|
// Requires: valid JWT in metadata.
|
|
ConfirmTOTP(ctx context.Context, in *ConfirmTOTPRequest, opts ...grpc.CallOption) (*ConfirmTOTPResponse, error)
|
|
// RemoveTOTP removes TOTP from an account (admin only).
|
|
// Requires: admin JWT in metadata.
|
|
RemoveTOTP(ctx context.Context, in *RemoveTOTPRequest, opts ...grpc.CallOption) (*RemoveTOTPResponse, error)
|
|
}
|
|
|
|
type authServiceClient struct {
|
|
cc grpc.ClientConnInterface
|
|
}
|
|
|
|
func NewAuthServiceClient(cc grpc.ClientConnInterface) AuthServiceClient {
|
|
return &authServiceClient{cc}
|
|
}
|
|
|
|
func (c *authServiceClient) Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(LoginResponse)
|
|
err := c.cc.Invoke(ctx, AuthService_Login_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (c *authServiceClient) Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(LogoutResponse)
|
|
err := c.cc.Invoke(ctx, AuthService_Logout_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (c *authServiceClient) RenewToken(ctx context.Context, in *RenewTokenRequest, opts ...grpc.CallOption) (*RenewTokenResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(RenewTokenResponse)
|
|
err := c.cc.Invoke(ctx, AuthService_RenewToken_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (c *authServiceClient) EnrollTOTP(ctx context.Context, in *EnrollTOTPRequest, opts ...grpc.CallOption) (*EnrollTOTPResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(EnrollTOTPResponse)
|
|
err := c.cc.Invoke(ctx, AuthService_EnrollTOTP_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (c *authServiceClient) ConfirmTOTP(ctx context.Context, in *ConfirmTOTPRequest, opts ...grpc.CallOption) (*ConfirmTOTPResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(ConfirmTOTPResponse)
|
|
err := c.cc.Invoke(ctx, AuthService_ConfirmTOTP_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (c *authServiceClient) RemoveTOTP(ctx context.Context, in *RemoveTOTPRequest, opts ...grpc.CallOption) (*RemoveTOTPResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(RemoveTOTPResponse)
|
|
err := c.cc.Invoke(ctx, AuthService_RemoveTOTP_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
// AuthServiceServer is the server API for AuthService service.
|
|
// All implementations must embed UnimplementedAuthServiceServer
|
|
// for forward compatibility.
|
|
//
|
|
// AuthService handles all authentication flows.
|
|
type AuthServiceServer interface {
|
|
// Login authenticates with username+password (+optional TOTP) and returns a JWT.
|
|
// Public RPC — no auth required.
|
|
Login(context.Context, *LoginRequest) (*LoginResponse, error)
|
|
// Logout revokes the caller's current token.
|
|
// Requires: valid JWT in metadata.
|
|
Logout(context.Context, *LogoutRequest) (*LogoutResponse, error)
|
|
// RenewToken exchanges the caller's token for a fresh one.
|
|
// Requires: valid JWT in metadata.
|
|
RenewToken(context.Context, *RenewTokenRequest) (*RenewTokenResponse, error)
|
|
// EnrollTOTP begins TOTP enrollment for the calling account.
|
|
// Requires: valid JWT in metadata.
|
|
EnrollTOTP(context.Context, *EnrollTOTPRequest) (*EnrollTOTPResponse, error)
|
|
// ConfirmTOTP confirms TOTP enrollment with a code from the authenticator app.
|
|
// Requires: valid JWT in metadata.
|
|
ConfirmTOTP(context.Context, *ConfirmTOTPRequest) (*ConfirmTOTPResponse, error)
|
|
// RemoveTOTP removes TOTP from an account (admin only).
|
|
// Requires: admin JWT in metadata.
|
|
RemoveTOTP(context.Context, *RemoveTOTPRequest) (*RemoveTOTPResponse, error)
|
|
mustEmbedUnimplementedAuthServiceServer()
|
|
}
|
|
|
|
// UnimplementedAuthServiceServer must be embedded to have
|
|
// forward compatible implementations.
|
|
//
|
|
// NOTE: this should be embedded by value instead of pointer to avoid a nil
|
|
// pointer dereference when methods are called.
|
|
type UnimplementedAuthServiceServer struct{}
|
|
|
|
func (UnimplementedAuthServiceServer) Login(context.Context, *LoginRequest) (*LoginResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method Login not implemented")
|
|
}
|
|
func (UnimplementedAuthServiceServer) Logout(context.Context, *LogoutRequest) (*LogoutResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method Logout not implemented")
|
|
}
|
|
func (UnimplementedAuthServiceServer) RenewToken(context.Context, *RenewTokenRequest) (*RenewTokenResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method RenewToken not implemented")
|
|
}
|
|
func (UnimplementedAuthServiceServer) EnrollTOTP(context.Context, *EnrollTOTPRequest) (*EnrollTOTPResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method EnrollTOTP not implemented")
|
|
}
|
|
func (UnimplementedAuthServiceServer) ConfirmTOTP(context.Context, *ConfirmTOTPRequest) (*ConfirmTOTPResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method ConfirmTOTP not implemented")
|
|
}
|
|
func (UnimplementedAuthServiceServer) RemoveTOTP(context.Context, *RemoveTOTPRequest) (*RemoveTOTPResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method RemoveTOTP not implemented")
|
|
}
|
|
func (UnimplementedAuthServiceServer) mustEmbedUnimplementedAuthServiceServer() {}
|
|
func (UnimplementedAuthServiceServer) testEmbeddedByValue() {}
|
|
|
|
// UnsafeAuthServiceServer may be embedded to opt out of forward compatibility for this service.
|
|
// Use of this interface is not recommended, as added methods to AuthServiceServer will
|
|
// result in compilation errors.
|
|
type UnsafeAuthServiceServer interface {
|
|
mustEmbedUnimplementedAuthServiceServer()
|
|
}
|
|
|
|
func RegisterAuthServiceServer(s grpc.ServiceRegistrar, srv AuthServiceServer) {
|
|
// If the following call panics, it indicates UnimplementedAuthServiceServer was
|
|
// embedded by pointer and is nil. This will cause panics if an
|
|
// unimplemented method is ever invoked, so we test this at initialization
|
|
// time to prevent it from happening at runtime later due to I/O.
|
|
if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
|
|
t.testEmbeddedByValue()
|
|
}
|
|
s.RegisterService(&AuthService_ServiceDesc, srv)
|
|
}
|
|
|
|
func _AuthService_Login_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(LoginRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(AuthServiceServer).Login(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: AuthService_Login_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(AuthServiceServer).Login(ctx, req.(*LoginRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
func _AuthService_Logout_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(LogoutRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(AuthServiceServer).Logout(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: AuthService_Logout_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(AuthServiceServer).Logout(ctx, req.(*LogoutRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
func _AuthService_RenewToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(RenewTokenRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(AuthServiceServer).RenewToken(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: AuthService_RenewToken_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(AuthServiceServer).RenewToken(ctx, req.(*RenewTokenRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
func _AuthService_EnrollTOTP_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(EnrollTOTPRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(AuthServiceServer).EnrollTOTP(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: AuthService_EnrollTOTP_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(AuthServiceServer).EnrollTOTP(ctx, req.(*EnrollTOTPRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
func _AuthService_ConfirmTOTP_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(ConfirmTOTPRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(AuthServiceServer).ConfirmTOTP(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: AuthService_ConfirmTOTP_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(AuthServiceServer).ConfirmTOTP(ctx, req.(*ConfirmTOTPRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
func _AuthService_RemoveTOTP_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(RemoveTOTPRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(AuthServiceServer).RemoveTOTP(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: AuthService_RemoveTOTP_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(AuthServiceServer).RemoveTOTP(ctx, req.(*RemoveTOTPRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
// AuthService_ServiceDesc is the grpc.ServiceDesc for AuthService service.
|
|
// It's only intended for direct use with grpc.RegisterService,
|
|
// and not to be introspected or modified (even as a copy)
|
|
var AuthService_ServiceDesc = grpc.ServiceDesc{
|
|
ServiceName: "mcias.v1.AuthService",
|
|
HandlerType: (*AuthServiceServer)(nil),
|
|
Methods: []grpc.MethodDesc{
|
|
{
|
|
MethodName: "Login",
|
|
Handler: _AuthService_Login_Handler,
|
|
},
|
|
{
|
|
MethodName: "Logout",
|
|
Handler: _AuthService_Logout_Handler,
|
|
},
|
|
{
|
|
MethodName: "RenewToken",
|
|
Handler: _AuthService_RenewToken_Handler,
|
|
},
|
|
{
|
|
MethodName: "EnrollTOTP",
|
|
Handler: _AuthService_EnrollTOTP_Handler,
|
|
},
|
|
{
|
|
MethodName: "ConfirmTOTP",
|
|
Handler: _AuthService_ConfirmTOTP_Handler,
|
|
},
|
|
{
|
|
MethodName: "RemoveTOTP",
|
|
Handler: _AuthService_RemoveTOTP_Handler,
|
|
},
|
|
},
|
|
Streams: []grpc.StreamDesc{},
|
|
Metadata: "mcias/v1/auth.proto",
|
|
}
|