Migrate gRPC server to mcdsl grpcserver package
Replace MCR's custom auth, admin, and logging interceptors with the shared mcdsl grpcserver package. This eliminates ~110 lines of interceptor code and uses the same method-map auth pattern used by metacrypt. Key changes: - server.go: delegate to mcdslgrpc.New() for TLS, logging, and auth - interceptors.go: replaced with MethodMap definition (public, auth-required, admin-required) - Handler files: switch from auth.ClaimsFromContext to mcdslauth.TokenInfoFromContext - auth/client.go: add Authenticator() accessor for the underlying mcdsl authenticator - Tests: use mock MCIAS HTTP server instead of fakeValidator interface - Vendor: add mcdsl/grpcserver to vendor directory ListRepositories and GetRepository are now explicitly auth-required (not admin-required), matching the REST API. Previously they were implicitly auth-required by not being in the bypass or admin maps. Security: method map uses default-deny -- unmapped RPCs are rejected. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,26 +1,23 @@
|
||||
// Package grpcserver implements the MCR gRPC admin API server.
|
||||
//
|
||||
// It provides the same business logic as the REST admin API in
|
||||
// internal/server/, using shared internal/db and internal/gc packages.
|
||||
// The server enforces TLS 1.3 minimum, auth via MCIAS token validation,
|
||||
// and admin role checks on privileged RPCs.
|
||||
// It delegates TLS, logging, and auth/admin interceptors to the mcdsl
|
||||
// grpcserver package. MCR-specific business logic lives in the service
|
||||
// handler files (registry.go, policy.go, audit.go, admin.go).
|
||||
package grpcserver
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"log"
|
||||
"log/slog"
|
||||
"net"
|
||||
"sync"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
||||
mcdslgrpc "git.wntrmute.dev/kyle/mcdsl/grpcserver"
|
||||
|
||||
pb "git.wntrmute.dev/kyle/mcr/gen/mcr/v1"
|
||||
"git.wntrmute.dev/kyle/mcr/internal/db"
|
||||
"git.wntrmute.dev/kyle/mcr/internal/gc"
|
||||
"git.wntrmute.dev/kyle/mcr/internal/policy"
|
||||
"git.wntrmute.dev/kyle/mcr/internal/server"
|
||||
)
|
||||
|
||||
// AuditFunc is a callback for recording audit events. It follows the same
|
||||
@@ -30,11 +27,11 @@ type AuditFunc func(eventType, actorID, repository, digest, ip string, details m
|
||||
|
||||
// Deps holds the dependencies injected into the gRPC server.
|
||||
type Deps struct {
|
||||
DB *db.DB
|
||||
Validator server.TokenValidator
|
||||
Engine PolicyReloader
|
||||
AuditFn AuditFunc
|
||||
Collector *gc.Collector
|
||||
DB *db.DB
|
||||
Authenticator *mcdslauth.Authenticator
|
||||
Engine PolicyReloader
|
||||
AuditFn AuditFunc
|
||||
Collector *gc.Collector
|
||||
}
|
||||
|
||||
// PolicyReloader can reload policy rules from a store.
|
||||
@@ -56,70 +53,47 @@ type gcLastRun struct {
|
||||
BytesFreed int64
|
||||
}
|
||||
|
||||
// Server wraps a grpc.Server with MCR-specific configuration.
|
||||
// Server wraps a mcdsl grpcserver.Server with MCR-specific configuration.
|
||||
type Server struct {
|
||||
gs *grpc.Server
|
||||
srv *mcdslgrpc.Server
|
||||
deps Deps
|
||||
gcStatus *GCStatus
|
||||
}
|
||||
|
||||
// New creates a configured gRPC server with the interceptor chain:
|
||||
// [Request Logger] -> [Auth Interceptor] -> [Admin Interceptor] -> [Handler]
|
||||
// New creates a configured gRPC server that delegates TLS setup, logging,
|
||||
// and auth/admin interceptors to the mcdsl grpcserver package.
|
||||
//
|
||||
// The TLS config enforces TLS 1.3 minimum. If certFile or keyFile is
|
||||
// empty, the server is created without TLS (for testing only).
|
||||
func New(certFile, keyFile string, deps Deps) (*Server, error) {
|
||||
authInt := newAuthInterceptor(deps.Validator)
|
||||
adminInt := newAdminInterceptor()
|
||||
|
||||
chain := grpc.ChainUnaryInterceptor(
|
||||
loggingInterceptor,
|
||||
authInt.unary,
|
||||
adminInt.unary,
|
||||
)
|
||||
|
||||
var opts []grpc.ServerOption
|
||||
opts = append(opts, chain)
|
||||
|
||||
// Configure TLS if cert and key are provided.
|
||||
if certFile != "" && keyFile != "" {
|
||||
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("grpcserver: load TLS cert: %w", err)
|
||||
}
|
||||
tlsCfg := &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
MinVersion: tls.VersionTLS13,
|
||||
}
|
||||
opts = append(opts, grpc.Creds(credentials.NewTLS(tlsCfg)))
|
||||
// If certFile or keyFile is empty, TLS is skipped (for testing only).
|
||||
func New(certFile, keyFile string, deps Deps, logger *slog.Logger) (*Server, error) {
|
||||
srv, err := mcdslgrpc.New(certFile, keyFile, deps.Authenticator, methodMap(), logger)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// The JSON codec is registered globally via init() in gen/mcr/v1/codec.go.
|
||||
// The client must use grpc.ForceCodecV2(mcrv1.JSONCodec{}) to match.
|
||||
_ = pb.JSONCodec{} // ensure the gen/mcr/v1 init() runs (codec registration)
|
||||
|
||||
gs := grpc.NewServer(opts...)
|
||||
|
||||
gcStatus := &GCStatus{}
|
||||
|
||||
s := &Server{gs: gs, deps: deps, gcStatus: gcStatus}
|
||||
s := &Server{srv: srv, deps: deps, gcStatus: gcStatus}
|
||||
|
||||
// Register all services.
|
||||
pb.RegisterRegistryServiceServer(gs, ®istryService{
|
||||
pb.RegisterRegistryServiceServer(srv.GRPCServer, ®istryService{
|
||||
db: deps.DB,
|
||||
collector: deps.Collector,
|
||||
gcStatus: gcStatus,
|
||||
auditFn: deps.AuditFn,
|
||||
})
|
||||
pb.RegisterPolicyServiceServer(gs, &policyService{
|
||||
pb.RegisterPolicyServiceServer(srv.GRPCServer, &policyService{
|
||||
db: deps.DB,
|
||||
engine: deps.Engine,
|
||||
auditFn: deps.AuditFn,
|
||||
})
|
||||
pb.RegisterAuditServiceServer(gs, &auditService{
|
||||
pb.RegisterAuditServiceServer(srv.GRPCServer, &auditService{
|
||||
db: deps.DB,
|
||||
})
|
||||
pb.RegisterAdminServiceServer(gs, &adminService{})
|
||||
pb.RegisterAdminServiceServer(srv.GRPCServer, &adminService{})
|
||||
|
||||
return s, nil
|
||||
}
|
||||
@@ -127,15 +101,15 @@ func New(certFile, keyFile string, deps Deps) (*Server, error) {
|
||||
// Serve starts the gRPC server on the given listener.
|
||||
func (s *Server) Serve(lis net.Listener) error {
|
||||
log.Printf("grpc server listening on %s", lis.Addr())
|
||||
return s.gs.Serve(lis)
|
||||
return s.srv.GRPCServer.Serve(lis)
|
||||
}
|
||||
|
||||
// GracefulStop gracefully stops the gRPC server.
|
||||
func (s *Server) GracefulStop() {
|
||||
s.gs.GracefulStop()
|
||||
s.srv.Stop()
|
||||
}
|
||||
|
||||
// GRPCServer returns the underlying grpc.Server for testing.
|
||||
func (s *Server) GRPCServer() *grpc.Server {
|
||||
return s.gs
|
||||
func (s *Server) GRPCServer() *mcdslgrpc.Server {
|
||||
return s.srv
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user