mcr/internal/grpcserver/interceptors.go

package grpcserver

import (
	mcdslgrpc "git.wntrmute.dev/mc/mcdsl/grpcserver"
)

// methodMap builds the mcdsl grpcserver.MethodMap for MCR.
//
// Adding a new RPC without adding it to the correct map is a security
// defect -- the mcdsl auth interceptor denies unmapped methods by default.
func methodMap() mcdslgrpc.MethodMap {
	return mcdslgrpc.MethodMap{
		Public:        publicMethods(),
		AuthRequired:  authRequiredMethods(),
		AdminRequired: adminRequiredMethods(),
	}
}

// publicMethods returns methods that require no authentication.
// Health is the only public RPC.
func publicMethods() map[string]bool {
	return map[string]bool{
		"/mcr.v1.AdminService/Health": true,
	}
}

// authRequiredMethods returns methods that require a valid MCIAS token
// but not the admin role.
func authRequiredMethods() map[string]bool {
	return map[string]bool{
		"/mcr.v1.RegistryService/ListRepositories": true,
		"/mcr.v1.RegistryService/GetRepository":    true,
	}
}

// adminRequiredMethods returns methods that require a valid MCIAS token
// with the admin role.
func adminRequiredMethods() map[string]bool {
	return map[string]bool{
		// Registry admin operations.
		"/mcr.v1.RegistryService/DeleteRepository": true,
		"/mcr.v1.RegistryService/GarbageCollect":   true,
		"/mcr.v1.RegistryService/GetGCStatus":      true,

		// Policy management -- all RPCs require admin.
		"/mcr.v1.PolicyService/ListPolicyRules":  true,
		"/mcr.v1.PolicyService/CreatePolicyRule": true,
		"/mcr.v1.PolicyService/GetPolicyRule":    true,
		"/mcr.v1.PolicyService/UpdatePolicyRule": true,
		"/mcr.v1.PolicyService/DeletePolicyRule": true,

		// Audit -- requires admin.
		"/mcr.v1.AuditService/ListAuditEvents": true,
	}
}