Replace MCR's custom auth, admin, and logging interceptors with the shared mcdsl grpcserver package. This eliminates ~110 lines of interceptor code and uses the same method-map auth pattern used by metacrypt. Key changes: - server.go: delegate to mcdslgrpc.New() for TLS, logging, and auth - interceptors.go: replaced with MethodMap definition (public, auth-required, admin-required) - Handler files: switch from auth.ClaimsFromContext to mcdslauth.TokenInfoFromContext - auth/client.go: add Authenticator() accessor for the underlying mcdsl authenticator - Tests: use mock MCIAS HTTP server instead of fakeValidator interface - Vendor: add mcdsl/grpcserver to vendor directory ListRepositories and GetRepository are now explicitly auth-required (not admin-required), matching the REST API. Previously they were implicitly auth-required by not being in the bypass or admin maps. Security: method map uses default-deny -- unmapped RPCs are rejected. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
package grpcserver
import (
mcdslgrpc "git.wntrmute.dev/kyle/mcdsl/grpcserver"
)
// methodMap assembles the mcdsl grpcserver.MethodMap that sorts MCR's RPCs
// into public, auth-required, and admin-required sets.
//
// Every new RPC must be added to exactly one of the three maps. The mcdsl
// auth interceptor denies unmapped methods by default, so a forgotten entry
// fails closed (the call is rejected). An entry placed in a less restrictive
// map than intended fails open, which is the case to check in review.
//
// NOTE(review): how the interceptor resolves a method listed in more than one
// map is not visible in this file -- keep the three maps disjoint.
func methodMap() mcdslgrpc.MethodMap {
	var mm mcdslgrpc.MethodMap
	mm.Public = publicMethods()
	mm.AuthRequired = authRequiredMethods()
	mm.AdminRequired = adminRequiredMethods()
	return mm
}
// publicMethods returns the full gRPC method names that are served without
// any authentication. Health is the only entry; anything added here becomes
// reachable without a token, so additions deserve explicit review.
func publicMethods() map[string]bool {
	public := make(map[string]bool, 1)
	public["/mcr.v1.AdminService/Health"] = true
	return public
}
// authRequiredMethods returns the full gRPC method names that need a valid
// MCIAS token but do not need the admin role. Only the read-only repository
// RPCs are listed here.
func authRequiredMethods() map[string]bool {
	names := []string{
		"/mcr.v1.RegistryService/ListRepositories",
		"/mcr.v1.RegistryService/GetRepository",
	}

	authed := make(map[string]bool, len(names))
	for _, name := range names {
		authed[name] = true
	}
	return authed
}
// adminRequiredMethods returns the full gRPC method names that need a valid
// MCIAS token carrying the admin role. The names are grouped by service so a
// reviewer can check each service's RPC list against its entries here.
func adminRequiredMethods() map[string]bool {
	// Registry admin operations.
	registry := []string{
		"/mcr.v1.RegistryService/DeleteRepository",
		"/mcr.v1.RegistryService/GarbageCollect",
		"/mcr.v1.RegistryService/GetGCStatus",
	}
	// Policy management -- every PolicyService RPC listed requires admin.
	policy := []string{
		"/mcr.v1.PolicyService/ListPolicyRules",
		"/mcr.v1.PolicyService/CreatePolicyRule",
		"/mcr.v1.PolicyService/GetPolicyRule",
		"/mcr.v1.PolicyService/UpdatePolicyRule",
		"/mcr.v1.PolicyService/DeletePolicyRule",
	}
	// Audit -- reading audit events requires admin.
	audit := []string{
		"/mcr.v1.AuditService/ListAuditEvents",
	}

	admin := make(map[string]bool, len(registry)+len(policy)+len(audit))
	for _, group := range [][]string{registry, policy, audit} {
		for _, method := range group {
			admin[method] = true
		}
	}
	return admin
}