Checkpoint: auth, engine, seal, server, grpc updates
Co-authored-by: Junie <junie@jetbrains.com>
This commit is contained in:
@@ -42,9 +42,11 @@ func (s *Server) requireUnseal(next http.HandlerFunc) http.HandlerFunc {
|
||||
state := s.seal.State()
|
||||
switch state {
|
||||
case seal.StateUninitialized:
|
||||
s.logger.Debug("request rejected: service uninitialized", "path", r.URL.Path)
|
||||
http.Error(w, `{"error":"not initialized"}`, http.StatusPreconditionFailed)
|
||||
return
|
||||
case seal.StateSealed, seal.StateInitializing:
|
||||
s.logger.Debug("request rejected: service sealed", "path", r.URL.Path)
|
||||
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
|
||||
return
|
||||
}
|
||||
@@ -57,16 +59,19 @@ func (s *Server) requireAuth(next http.HandlerFunc) http.HandlerFunc {
|
||||
return s.requireUnseal(func(w http.ResponseWriter, r *http.Request) {
|
||||
token := extractToken(r)
|
||||
if token == "" {
|
||||
s.logger.Debug("request rejected: missing token", "path", r.URL.Path)
|
||||
http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
info, err := s.auth.ValidateToken(token)
|
||||
if err != nil {
|
||||
s.logger.Debug("request rejected: invalid token", "path", r.URL.Path, "error", err)
|
||||
http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
s.logger.Debug("request authenticated", "path", r.URL.Path, "username", info.Username)
|
||||
ctx := context.WithValue(r.Context(), tokenInfoKey, info)
|
||||
next(w, r.WithContext(ctx))
|
||||
})
|
||||
@@ -77,9 +82,11 @@ func (s *Server) requireAdmin(next http.HandlerFunc) http.HandlerFunc {
|
||||
return s.requireAuth(func(w http.ResponseWriter, r *http.Request) {
|
||||
info := TokenInfoFromContext(r.Context())
|
||||
if info == nil || !info.IsAdmin {
|
||||
s.logger.Debug("request rejected: admin required", "path", r.URL.Path)
|
||||
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
s.logger.Debug("admin request authorized", "path", r.URL.Path, "username", info.Username)
|
||||
next(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
@@ -36,14 +36,14 @@ func setupTestServer(t *testing.T) (*Server, *seal.Manager, chi.Router) {
|
||||
db.Migrate(database)
|
||||
|
||||
b := barrier.NewAESGCMBarrier(database)
|
||||
sealMgr := seal.NewManager(database, b)
|
||||
sealMgr := seal.NewManager(database, b, slog.Default())
|
||||
sealMgr.CheckInitialized()
|
||||
|
||||
// Auth requires MCIAS client which we can't create in tests easily,
|
||||
// so we pass nil and avoid auth-dependent routes in these tests.
|
||||
authenticator := auth.NewAuthenticator(nil)
|
||||
authenticator := auth.NewAuthenticator(nil, slog.Default())
|
||||
policyEngine := policy.NewEngine(b)
|
||||
engineRegistry := engine.NewRegistry(b)
|
||||
engineRegistry := engine.NewRegistry(b, slog.Default())
|
||||
|
||||
cfg := &config.Config{
|
||||
Server: config.ServerConfig{
|
||||
|
||||
Reference in New Issue
Block a user