Migrate gRPC server to mcdsl grpcserver package
Replace MCR's custom auth, admin, and logging interceptors with the shared mcdsl grpcserver package. This eliminates ~110 lines of interceptor code and uses the same method-map auth pattern used by metacrypt. Key changes: - server.go: delegate to mcdslgrpc.New() for TLS, logging, and auth - interceptors.go: replaced with MethodMap definition (public, auth-required, admin-required) - Handler files: switch from auth.ClaimsFromContext to mcdslauth.TokenInfoFromContext - auth/client.go: add Authenticator() accessor for the underlying mcdsl authenticator - Tests: use mock MCIAS HTTP server instead of fakeValidator interface - Vendor: add mcdsl/grpcserver to vendor directory ListRepositories and GetRepository are now explicitly auth-required (not admin-required), matching the REST API. Previously they were implicitly auth-required by not being in the bypass or admin maps. Security: method map uses default-deny -- unmapped RPCs are rejected. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -9,8 +9,9 @@ import (
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/status"
|
||||
|
||||
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
||||
|
||||
pb "git.wntrmute.dev/kyle/mcr/gen/mcr/v1"
|
||||
"git.wntrmute.dev/kyle/mcr/internal/auth"
|
||||
"git.wntrmute.dev/kyle/mcr/internal/db"
|
||||
"git.wntrmute.dev/kyle/mcr/internal/policy"
|
||||
)
|
||||
@@ -74,10 +75,10 @@ func (s *policyService) CreatePolicyRule(ctx context.Context, req *pb.CreatePoli
|
||||
return nil, status.Errorf(codes.InvalidArgument, "%s", err.Error())
|
||||
}
|
||||
|
||||
claims := auth.ClaimsFromContext(ctx)
|
||||
info := mcdslauth.TokenInfoFromContext(ctx)
|
||||
createdBy := ""
|
||||
if claims != nil {
|
||||
createdBy = claims.Subject
|
||||
if info != nil {
|
||||
createdBy = info.Username
|
||||
}
|
||||
|
||||
row := db.PolicyRuleRow{
|
||||
@@ -207,10 +208,10 @@ func (s *policyService) UpdatePolicyRule(ctx context.Context, req *pb.UpdatePoli
|
||||
}
|
||||
|
||||
if s.auditFn != nil {
|
||||
claims := auth.ClaimsFromContext(ctx)
|
||||
info := mcdslauth.TokenInfoFromContext(ctx)
|
||||
actorID := ""
|
||||
if claims != nil {
|
||||
actorID = claims.Subject
|
||||
if info != nil {
|
||||
actorID = info.Username
|
||||
}
|
||||
s.auditFn("policy_rule_updated", actorID, "", "", "", map[string]string{
|
||||
"rule_id": strconv.FormatInt(req.Id, 10),
|
||||
@@ -243,10 +244,10 @@ func (s *policyService) DeletePolicyRule(ctx context.Context, req *pb.DeletePoli
|
||||
}
|
||||
|
||||
if s.auditFn != nil {
|
||||
claims := auth.ClaimsFromContext(ctx)
|
||||
info := mcdslauth.TokenInfoFromContext(ctx)
|
||||
actorID := ""
|
||||
if claims != nil {
|
||||
actorID = claims.Subject
|
||||
if info != nil {
|
||||
actorID = info.Username
|
||||
}
|
||||
s.auditFn("policy_rule_deleted", actorID, "", "", "", map[string]string{
|
||||
"rule_id": strconv.FormatInt(req.Id, 10),
|
||||
|
||||
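Review bot: The `createdBy` value in CreatePolicyRule and the `actorID` passed to `s.auditFn` in UpdatePolicyRule and DeletePolicyRule now record `info.Username` where the removed code recorded `claims.Subject`; a username is a display identifier that may be renamed or reused, so audit rows lose an unambiguous link to the principal — if the mcdsl `TokenInfo` exposes a stable subject or ID field (not visible here), record that instead, or alongside the username. On an RPC the method map marks auth-required, a nil `info` means the interceptor did not run or the map is misconfigured, yet all three handlers silently proceed with an empty actor; in CreatePolicyRule consider failing closed with `if info == nil { return nil, status.Error(codes.Unauthenticated, "missing token info") }`, and in the two audit branches at least log the empty actor rather than storing it quietly. The three-line extraction is copied verbatim in all three handlers; a small `func actorFromContext(ctx context.Context) string` helper would keep them in step when the identity field changes again. The enclosing functions start and end outside these hunks.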