mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add grpcserver test coverage

Browse Source 
- Add comprehensive test file for internal/grpcserver package
- Cover interceptors, system, engine, policy, and auth handlers
- Cover pbToRule/ruleToPB conversion helpers
- 37 tests total; CA/PKI/ACME and Login/Logout skipped (require live deps)

Co-authored-by: Junie <junie@jetbrains.com>
This commit is contained in:
Kyle Isom
2026-03-15 13:07:42 -07:00
parent ad167aed9b
commit 8215aaccc5
40 changed files with 8865 additions and 519 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
internal/grpcserver/acme.go
View File

@@ -6,8 +6,9 @@ import (
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/timestamppb"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
internacme "git.wntrmute.dev/kyle/metacrypt/internal/acme"
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
)
@@ -46,7 +47,7 @@ func (as *acmeServer) SetConfig(ctx context.Context, req *pb.SetConfigRequest) (
as.s.logger.Error("grpc: acme set config", "error", err)
return nil, status.Error(codes.Internal, "failed to save config")
}
return &pb.SetConfigResponse{Ok: true}, nil
return &pb.SetConfigResponse{}, nil
}
func (as *acmeServer) ListAccounts(ctx context.Context, req *pb.ListAccountsRequest) (*pb.ListAccountsResponse, error) {
@@ -68,7 +69,7 @@ func (as *acmeServer) ListAccounts(ctx context.Context, req *pb.ListAccountsRequ
Status: a.Status,
Contact: contacts,
MciasUsername: a.MCIASUsername,
CreatedAt: a.CreatedAt.String(),
CreatedAt: timestamppb.New(a.CreatedAt),
})
}
return &pb.ListAccountsResponse{Accounts: pbAccounts}, nil
@@ -95,8 +96,8 @@ func (as *acmeServer) ListOrders(ctx context.Context, req *pb.ListOrdersRequest)
AccountId: o.AccountID,
Status: o.Status,
Identifiers: identifiers,
CreatedAt: o.CreatedAt.String(),
ExpiresAt: o.ExpiresAt.String(),
CreatedAt: timestamppb.New(o.CreatedAt),
ExpiresAt: timestamppb.New(o.ExpiresAt),
})
}
return &pb.ListOrdersResponse{Orders: pbOrders}, nil

10
internal/grpcserver/auth.go
View File

@@ -2,13 +2,15 @@ package grpcserver
import (
"context"
"time"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/timestamppb"
mcias "git.wntrmute.dev/kyle/mcias/clients/go"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
)
type authServer struct {
@@ -17,10 +19,14 @@ type authServer struct {
}
func (as *authServer) Login(_ context.Context, req *pb.LoginRequest) (*pb.LoginResponse, error) {
token, expiresAt, err := as.s.auth.Login(req.Username, req.Password, req.TotpCode)
token, expiresAtStr, err := as.s.auth.Login(req.Username, req.Password, req.TotpCode)
if err != nil {
return nil, status.Error(codes.Unauthenticated, "invalid credentials")
}
var expiresAt *timestamppb.Timestamp
if t, err := time.Parse(time.RFC3339, expiresAtStr); err == nil {
expiresAt = timestamppb.New(t)
}
return &pb.LoginResponse{Token: token, ExpiresAt: expiresAt}, nil
}

432
internal/grpcserver/ca.go Normal file
View File

@@ -0,0 +1,432 @@
package grpcserver
import (
"context"
"errors"
"strings"
"time"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/timestamppb"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
"git.wntrmute.dev/kyle/metacrypt/internal/engine/ca"
)
type caServer struct {
pb.UnimplementedCAServiceServer
s *GRPCServer
}
// caHandleRequest is a helper that dispatches a CA engine request and maps
// common errors to gRPC status codes.
func (cs *caServer) caHandleRequest(ctx context.Context, mount, operation string, req *engine.Request) (*engine.Response, error) {
resp, err := cs.s.engines.HandleRequest(ctx, mount, req)
if err != nil {
st := codes.Internal
switch {
case errors.Is(err, engine.ErrMountNotFound):
st = codes.NotFound
case errors.Is(err, ca.ErrIssuerNotFound):
st = codes.NotFound
case errors.Is(err, ca.ErrCertNotFound):
st = codes.NotFound
case errors.Is(err, ca.ErrIssuerExists):
st = codes.AlreadyExists
case errors.Is(err, ca.ErrUnauthorized):
st = codes.Unauthenticated
case errors.Is(err, ca.ErrForbidden):
st = codes.PermissionDenied
case strings.Contains(err.Error(), "not found"):
st = codes.NotFound
}
cs.s.logger.Error("grpc: ca "+operation, "mount", mount, "error", err)
return nil, status.Error(st, err.Error())
}
return resp, nil
}
func (cs *caServer) callerInfo(ctx context.Context) *engine.CallerInfo {
ti := tokenInfoFromContext(ctx)
if ti == nil {
return nil
}
return &engine.CallerInfo{
Username: ti.Username,
Roles: ti.Roles,
IsAdmin: ti.IsAdmin,
}
}
func (cs *caServer) ImportRoot(ctx context.Context, req *pb.ImportRootRequest) (*pb.ImportRootResponse, error) {
if req.Mount == "" {
return nil, status.Error(codes.InvalidArgument, "mount is required")
}
resp, err := cs.caHandleRequest(ctx, req.Mount, "import-root", &engine.Request{
Operation: "import-root",
CallerInfo: cs.callerInfo(ctx),
Data: map[string]interface{}{
"cert_pem": string(req.CertPem),
"key_pem": string(req.KeyPem),
},
})
if err != nil {
return nil, err
}
cn, _ := resp.Data["cn"].(string)
var expiresAt *timestamppb.Timestamp
if s, ok := resp.Data["expires_at"].(string); ok {
if t, err := time.Parse(time.RFC3339, s); err == nil {
expiresAt = timestamppb.New(t)
}
}
return &pb.ImportRootResponse{CommonName: cn, ExpiresAt: expiresAt}, nil
}
func (cs *caServer) GetRoot(ctx context.Context, req *pb.GetRootRequest) (*pb.GetRootResponse, error) {
if req.Mount == "" {
return nil, status.Error(codes.InvalidArgument, "mount is required")
}
resp, err := cs.caHandleRequest(ctx, req.Mount, "get-root", &engine.Request{
Operation: "get-root",
})
if err != nil {
return nil, err
}
certPEM, _ := resp.Data["cert_pem"].(string)
return &pb.GetRootResponse{CertPem: []byte(certPEM)}, nil
}
func (cs *caServer) CreateIssuer(ctx context.Context, req *pb.CreateIssuerRequest) (*pb.CreateIssuerResponse, error) {
if req.Mount == "" || req.Name == "" {
return nil, status.Error(codes.InvalidArgument, "mount and name are required")
}
data := map[string]interface{}{
"name": req.Name,
}
if req.KeyAlgorithm != "" {
data["key_algorithm"] = req.KeyAlgorithm
}
if req.KeySize != 0 {
data["key_size"] = float64(req.KeySize)
}
if req.Expiry != "" {
data["expiry"] = req.Expiry
}
if req.MaxTtl != "" {
data["max_ttl"] = req.MaxTtl
}
resp, err := cs.caHandleRequest(ctx, req.Mount, "create-issuer", &engine.Request{
Operation: "create-issuer",
CallerInfo: cs.callerInfo(ctx),
Data: data,
})
if err != nil {
return nil, err
}
name, _ := resp.Data["name"].(string)
certPEM, _ := resp.Data["cert_pem"].(string)
return &pb.CreateIssuerResponse{Name: name, CertPem: []byte(certPEM)}, nil
}
func (cs *caServer) DeleteIssuer(ctx context.Context, req *pb.DeleteIssuerRequest) (*pb.DeleteIssuerResponse, error) {
if req.Mount == "" || req.Name == "" {
return nil, status.Error(codes.InvalidArgument, "mount and name are required")
}
_, err := cs.caHandleRequest(ctx, req.Mount, "delete-issuer", &engine.Request{
Operation: "delete-issuer",
CallerInfo: cs.callerInfo(ctx),
Data: map[string]interface{}{"name": req.Name},
})
if err != nil {
return nil, err
}
return &pb.DeleteIssuerResponse{}, nil
}
func (cs *caServer) ListIssuers(ctx context.Context, req *pb.ListIssuersRequest) (*pb.ListIssuersResponse, error) {
if req.Mount == "" {
return nil, status.Error(codes.InvalidArgument, "mount is required")
}
resp, err := cs.caHandleRequest(ctx, req.Mount, "list-issuers", &engine.Request{
Operation: "list-issuers",
CallerInfo: cs.callerInfo(ctx),
})
if err != nil {
return nil, err
}
raw, _ := resp.Data["issuers"].([]interface{})
issuers := make([]string, 0, len(raw))
for _, v := range raw {
if s, ok := v.(string); ok {
issuers = append(issuers, s)
}
}
return &pb.ListIssuersResponse{Issuers: issuers}, nil
}
func (cs *caServer) GetIssuer(ctx context.Context, req *pb.GetIssuerRequest) (*pb.GetIssuerResponse, error) {
if req.Mount == "" || req.Name == "" {
return nil, status.Error(codes.InvalidArgument, "mount and name are required")
}
resp, err := cs.caHandleRequest(ctx, req.Mount, "get-issuer", &engine.Request{
Operation: "get-issuer",
Path: req.Name,
})
if err != nil {
return nil, err
}
certPEM, _ := resp.Data["cert_pem"].(string)
return &pb.GetIssuerResponse{CertPem: []byte(certPEM)}, nil
}
func (cs *caServer) GetChain(ctx context.Context, req *pb.CAServiceGetChainRequest) (*pb.CAServiceGetChainResponse, error) {
if req.Mount == "" || req.Issuer == "" {
return nil, status.Error(codes.InvalidArgument, "mount and issuer are required")
}
resp, err := cs.caHandleRequest(ctx, req.Mount, "get-chain", &engine.Request{
Operation: "get-chain",
Data: map[string]interface{}{"issuer": req.Issuer},
})
if err != nil {
return nil, err
}
chainPEM, _ := resp.Data["chain_pem"].(string)
return &pb.CAServiceGetChainResponse{ChainPem: []byte(chainPEM)}, nil
}
func (cs *caServer) IssueCert(ctx context.Context, req *pb.IssueCertRequest) (*pb.IssueCertResponse, error) {
if req.Mount == "" || req.Issuer == "" {
return nil, status.Error(codes.InvalidArgument, "mount and issuer are required")
}
data := map[string]interface{}{
"issuer": req.Issuer,
}
if req.Profile != "" {
data["profile"] = req.Profile
}
if req.CommonName != "" {
data["common_name"] = req.CommonName
}
if len(req.DnsNames) > 0 {
dns := make([]interface{}, len(req.DnsNames))
for i, v := range req.DnsNames {
dns[i] = v
}
data["dns_names"] = dns
}
if len(req.IpAddresses) > 0 {
ips := make([]interface{}, len(req.IpAddresses))
for i, v := range req.IpAddresses {
ips[i] = v
}
data["ip_addresses"] = ips
}
if req.Ttl != "" {
data["ttl"] = req.Ttl
}
if req.KeyAlgorithm != "" {
data["key_algorithm"] = req.KeyAlgorithm
}
if req.KeySize != 0 {
data["key_size"] = float64(req.KeySize)
}
if len(req.KeyUsages) > 0 {
ku := make([]interface{}, len(req.KeyUsages))
for i, v := range req.KeyUsages {
ku[i] = v
}
data["key_usages"] = ku
}
if len(req.ExtKeyUsages) > 0 {
eku := make([]interface{}, len(req.ExtKeyUsages))
for i, v := range req.ExtKeyUsages {
eku[i] = v
}
data["ext_key_usages"] = eku
}
resp, err := cs.caHandleRequest(ctx, req.Mount, "issue", &engine.Request{
Operation: "issue",
CallerInfo: cs.callerInfo(ctx),
Data: data,
})
if err != nil {
return nil, err
}
serial, _ := resp.Data["serial"].(string)
cn, _ := resp.Data["cn"].(string)
issuedBy, _ := resp.Data["issued_by"].(string)
certPEM, _ := resp.Data["cert_pem"].(string)
keyPEM, _ := resp.Data["key_pem"].(string)
chainPEM, _ := resp.Data["chain_pem"].(string)
sans := toStringSliceFromInterface(resp.Data["sans"])
var expiresAt *timestamppb.Timestamp
if s, ok := resp.Data["expires_at"].(string); ok {
if t, err := time.Parse(time.RFC3339, s); err == nil {
expiresAt = timestamppb.New(t)
}
}
return &pb.IssueCertResponse{
Serial: serial,
CommonName: cn,
Sans: sans,
IssuedBy: issuedBy,
ExpiresAt: expiresAt,
CertPem: []byte(certPEM),
KeyPem: []byte(keyPEM),
ChainPem: []byte(chainPEM),
}, nil
}
func (cs *caServer) GetCert(ctx context.Context, req *pb.GetCertRequest) (*pb.GetCertResponse, error) {
if req.Mount == "" || req.Serial == "" {
return nil, status.Error(codes.InvalidArgument, "mount and serial are required")
}
resp, err := cs.caHandleRequest(ctx, req.Mount, "get-cert", &engine.Request{
Operation: "get-cert",
CallerInfo: cs.callerInfo(ctx),
Data: map[string]interface{}{"serial": req.Serial},
})
if err != nil {
return nil, err
}
rec := certRecordFromData(resp.Data)
return &pb.GetCertResponse{Cert: rec}, nil
}
func (cs *caServer) ListCerts(ctx context.Context, req *pb.ListCertsRequest) (*pb.ListCertsResponse, error) {
if req.Mount == "" {
return nil, status.Error(codes.InvalidArgument, "mount is required")
}
resp, err := cs.caHandleRequest(ctx, req.Mount, "list-certs", &engine.Request{
Operation: "list-certs",
CallerInfo: cs.callerInfo(ctx),
})
if err != nil {
return nil, err
}
raw, _ := resp.Data["certs"].([]interface{})
summaries := make([]*pb.CertSummary, 0, len(raw))
for _, item := range raw {
m, ok := item.(map[string]interface{})
if !ok {
continue
}
summaries = append(summaries, certSummaryFromData(m))
}
return &pb.ListCertsResponse{Certs: summaries}, nil
}
func (cs *caServer) RenewCert(ctx context.Context, req *pb.RenewCertRequest) (*pb.RenewCertResponse, error) {
if req.Mount == "" || req.Serial == "" {
return nil, status.Error(codes.InvalidArgument, "mount and serial are required")
}
resp, err := cs.caHandleRequest(ctx, req.Mount, "renew", &engine.Request{
Operation: "renew",
CallerInfo: cs.callerInfo(ctx),
Data: map[string]interface{}{"serial": req.Serial},
})
if err != nil {
return nil, err
}
serial, _ := resp.Data["serial"].(string)
cn, _ := resp.Data["cn"].(string)
issuedBy, _ := resp.Data["issued_by"].(string)
certPEM, _ := resp.Data["cert_pem"].(string)
keyPEM, _ := resp.Data["key_pem"].(string)
chainPEM, _ := resp.Data["chain_pem"].(string)
sans := toStringSliceFromInterface(resp.Data["sans"])
var expiresAt *timestamppb.Timestamp
if s, ok := resp.Data["expires_at"].(string); ok {
if t, err := time.Parse(time.RFC3339, s); err == nil {
expiresAt = timestamppb.New(t)
}
}
return &pb.RenewCertResponse{
Serial: serial,
CommonName: cn,
Sans: sans,
IssuedBy: issuedBy,
ExpiresAt: expiresAt,
CertPem: []byte(certPEM),
KeyPem: []byte(keyPEM),
ChainPem: []byte(chainPEM),
}, nil
}
// --- helpers ---
func certRecordFromData(d map[string]interface{}) *pb.CertRecord {
serial, _ := d["serial"].(string)
issuer, _ := d["issuer"].(string)
cn, _ := d["cn"].(string)
profile, _ := d["profile"].(string)
issuedBy, _ := d["issued_by"].(string)
certPEM, _ := d["cert_pem"].(string)
sans := toStringSliceFromInterface(d["sans"])
var issuedAt, expiresAt *timestamppb.Timestamp
if s, ok := d["issued_at"].(string); ok {
if t, err := time.Parse(time.RFC3339, s); err == nil {
issuedAt = timestamppb.New(t)
}
}
if s, ok := d["expires_at"].(string); ok {
if t, err := time.Parse(time.RFC3339, s); err == nil {
expiresAt = timestamppb.New(t)
}
}
return &pb.CertRecord{
Serial: serial,
Issuer: issuer,
CommonName: cn,
Sans: sans,
Profile: profile,
IssuedBy: issuedBy,
IssuedAt: issuedAt,
ExpiresAt: expiresAt,
CertPem: []byte(certPEM),
}
}
func certSummaryFromData(d map[string]interface{}) *pb.CertSummary {
serial, _ := d["serial"].(string)
issuer, _ := d["issuer"].(string)
cn, _ := d["cn"].(string)
profile, _ := d["profile"].(string)
issuedBy, _ := d["issued_by"].(string)
var issuedAt, expiresAt *timestamppb.Timestamp
if s, ok := d["issued_at"].(string); ok {
if t, err := time.Parse(time.RFC3339, s); err == nil {
issuedAt = timestamppb.New(t)
}
}
if s, ok := d["expires_at"].(string); ok {
if t, err := time.Parse(time.RFC3339, s); err == nil {
expiresAt = timestamppb.New(t)
}
}
return &pb.CertSummary{
Serial: serial,
Issuer: issuer,
CommonName: cn,
Profile: profile,
IssuedBy: issuedBy,
IssuedAt: issuedAt,
ExpiresAt: expiresAt,
}
}
func toStringSliceFromInterface(v interface{}) []string {
raw, _ := v.([]interface{})
out := make([]string, 0, len(raw))
for _, item := range raw {
if s, ok := item.(string); ok {
out = append(out, s)
}
}
return out
}

61
internal/grpcserver/engine.go
View File

@@ -3,13 +3,11 @@ package grpcserver
import (
"context"
"errors"
"strings"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/structpb"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
)
@@ -24,8 +22,11 @@ func (es *engineServer) Mount(ctx context.Context, req *pb.MountRequest) (*pb.Mo
}
var config map[string]interface{}
if req.Config != nil {
config = req.Config.AsMap()
if len(req.Config) > 0 {
config = make(map[string]interface{}, len(req.Config))
for k, v := range req.Config {
config[k] = v
}
}
if err := es.s.engines.Mount(ctx, req.Name, engine.EngineType(req.Type), config); err != nil {
@@ -68,53 +69,3 @@ func (es *engineServer) ListMounts(_ context.Context, _ *pb.ListMountsRequest) (
return &pb.ListMountsResponse{Mounts: pbMounts}, nil
}
func (es *engineServer) Execute(ctx context.Context, req *pb.ExecuteRequest) (*pb.ExecuteResponse, error) {
if req.Mount == "" || req.Operation == "" {
return nil, status.Error(codes.InvalidArgument, "mount and operation are required")
}
ti := tokenInfoFromContext(ctx)
engReq := &engine.Request{
Operation: req.Operation,
Path: req.Path,
Data: nil,
}
if req.Data != nil {
engReq.Data = req.Data.AsMap()
}
if ti != nil {
engReq.CallerInfo = &engine.CallerInfo{
Username: ti.Username,
Roles: ti.Roles,
IsAdmin: ti.IsAdmin,
}
}
username := ""
if ti != nil {
username = ti.Username
}
es.s.logger.Info("grpc: engine execute", "mount", req.Mount, "operation", req.Operation, "username", username)
resp, err := es.s.engines.HandleRequest(ctx, req.Mount, engReq)
if err != nil {
st := codes.Internal
switch {
case errors.Is(err, engine.ErrMountNotFound):
st = codes.NotFound
case strings.Contains(err.Error(), "forbidden"):
st = codes.PermissionDenied
case strings.Contains(err.Error(), "not found"):
st = codes.NotFound
}
es.s.logger.Error("grpc: engine execute failed", "mount", req.Mount, "operation", req.Operation, "username", username, "error", err)
return nil, status.Error(st, err.Error())
}
es.s.logger.Info("grpc: engine execute ok", "mount", req.Mount, "operation", req.Operation, "username", username)
pbData, err := structpb.NewStruct(resp.Data)
if err != nil {
return nil, status.Error(codes.Internal, "failed to encode response")
}
return &pb.ExecuteResponse{Data: pbData}, nil
}

720
internal/grpcserver/grpcserver_test.go Normal file
View File

@@ -0,0 +1,720 @@
package grpcserver
import (
"context"
"log/slog"
"path/filepath"
"testing"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
"git.wntrmute.dev/kyle/metacrypt/internal/barrier"
"git.wntrmute.dev/kyle/metacrypt/internal/config"
"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
"git.wntrmute.dev/kyle/metacrypt/internal/db"
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
"git.wntrmute.dev/kyle/metacrypt/internal/policy"
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
)
// ---- test helpers ----
func fastArgon2Params() crypto.Argon2Params {
return crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
}
// mockBarrier is a no-op barrier for engine registry tests.
type mockBarrier struct{}
func (m *mockBarrier) Unseal(_ []byte) error { return nil }
func (m *mockBarrier) Seal() error { return nil }
func (m *mockBarrier) IsSealed() bool { return false }
func (m *mockBarrier) Get(_ context.Context, _ string) ([]byte, error) { return nil, barrier.ErrNotFound }
func (m *mockBarrier) Put(_ context.Context, _ string, _ []byte) error { return nil }
func (m *mockBarrier) Delete(_ context.Context, _ string) error { return nil }
func (m *mockBarrier) List(_ context.Context, _ string) ([]string, error) { return nil, nil }
// mockEngine is a minimal engine.Engine for registry tests.
type mockEngine struct{ t engine.EngineType }
func (m *mockEngine) Type() engine.EngineType { return m.t }
func (m *mockEngine) Initialize(_ context.Context, _ barrier.Barrier, _ string, _ map[string]interface{}) error {
return nil
}
func (m *mockEngine) Unseal(_ context.Context, _ barrier.Barrier, _ string) error { return nil }
func (m *mockEngine) Seal() error { return nil }
func (m *mockEngine) HandleRequest(_ context.Context, _ *engine.Request) (*engine.Response, error) {
return &engine.Response{Data: map[string]interface{}{"ok": true}}, nil
}
func newTestRegistry() *engine.Registry {
reg := engine.NewRegistry(&mockBarrier{}, slog.Default())
reg.RegisterFactory(engine.EngineTypeTransit, func() engine.Engine {
return &mockEngine{t: engine.EngineTypeTransit}
})
return reg
}
func newTestGRPCServer(t *testing.T) (*GRPCServer, func()) {
t.Helper()
dir := t.TempDir()
database, err := db.Open(filepath.Join(dir, "test.db"))
if err != nil {
t.Fatalf("open db: %v", err)
}
if err := db.Migrate(database); err != nil {
t.Fatalf("migrate: %v", err)
}
b := barrier.NewAESGCMBarrier(database)
sealMgr := seal.NewManager(database, b, slog.Default())
policyEngine := policy.NewEngine(b)
reg := newTestRegistry()
authenticator := auth.NewAuthenticator(nil, slog.Default())
cfg := &config.Config{
Seal: config.SealConfig{
Argon2Time: 1,
Argon2Memory: 64 * 1024,
Argon2Threads: 1,
},
}
srv := New(cfg, sealMgr, authenticator, policyEngine, reg, slog.Default())
return srv, func() { _ = database.Close() }
}
// okHandler is a grpc.UnaryHandler that always succeeds.
func okHandler(_ context.Context, _ interface{}) (interface{}, error) {
return "ok", nil
}
func methodInfo(name string) *grpc.UnaryServerInfo {
return &grpc.UnaryServerInfo{FullMethod: name}
}
// ---- interceptor tests ----
func TestSealInterceptor_Unsealed(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
// Initialize and unseal so state == StateUnsealed.
if err := srv.sealMgr.Initialize(context.Background(), []byte("pw"), fastArgon2Params()); err != nil {
t.Fatalf("initialize: %v", err)
}
methods := map[string]bool{"/test.Service/Method": true}
interceptor := sealInterceptor(srv.sealMgr, slog.Default(), methods)
resp, err := interceptor(context.Background(), nil, methodInfo("/test.Service/Method"), okHandler)
if err != nil {
t.Fatalf("expected success when unsealed, got: %v", err)
}
if resp != "ok" {
t.Errorf("expected 'ok', got %v", resp)
}
}
func TestSealInterceptor_Sealed(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
// Initialize then seal.
if err := srv.sealMgr.Initialize(context.Background(), []byte("pw"), fastArgon2Params()); err != nil {
t.Fatalf("initialize: %v", err)
}
if err := srv.sealMgr.Seal(); err != nil {
t.Fatalf("seal: %v", err)
}
methods := map[string]bool{"/test.Service/Method": true}
interceptor := sealInterceptor(srv.sealMgr, slog.Default(), methods)
_, err := interceptor(context.Background(), nil, methodInfo("/test.Service/Method"), okHandler)
if err == nil {
t.Fatal("expected error when sealed")
}
if code := status.Code(err); code != codes.FailedPrecondition {
t.Errorf("expected FailedPrecondition, got %v", code)
}
}
func TestSealInterceptor_SkipsUnlistedMethod(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
// State is uninitialized (sealed), but method is not in the list.
methods := map[string]bool{"/test.Service/Other": true}
interceptor := sealInterceptor(srv.sealMgr, slog.Default(), methods)
resp, err := interceptor(context.Background(), nil, methodInfo("/test.Service/Method"), okHandler)
if err != nil {
t.Fatalf("expected pass-through, got: %v", err)
}
if resp != "ok" {
t.Errorf("expected 'ok', got %v", resp)
}
}
func TestAuthInterceptor_MissingToken(t *testing.T) {
authenticator := auth.NewAuthenticator(nil, slog.Default())
methods := map[string]bool{"/test.Service/Method": true}
interceptor := authInterceptor(authenticator, slog.Default(), methods)
_, err := interceptor(context.Background(), nil, methodInfo("/test.Service/Method"), okHandler)
if err == nil {
t.Fatal("expected error for missing token")
}
if code := status.Code(err); code != codes.Unauthenticated {
t.Errorf("expected Unauthenticated, got %v", code)
}
}
func TestAuthInterceptor_SkipsUnlistedMethod(t *testing.T) {
authenticator := auth.NewAuthenticator(nil, slog.Default())
methods := map[string]bool{"/test.Service/Other": true}
interceptor := authInterceptor(authenticator, slog.Default(), methods)
resp, err := interceptor(context.Background(), nil, methodInfo("/test.Service/Method"), okHandler)
if err != nil {
t.Fatalf("expected pass-through, got: %v", err)
}
if resp != "ok" {
t.Errorf("expected 'ok', got %v", resp)
}
}
func TestAdminInterceptor_NoTokenInfo(t *testing.T) {
methods := map[string]bool{"/test.Service/Admin": true}
interceptor := adminInterceptor(slog.Default(), methods)
_, err := interceptor(context.Background(), nil, methodInfo("/test.Service/Admin"), okHandler)
if err == nil {
t.Fatal("expected error when no token info in context")
}
if code := status.Code(err); code != codes.PermissionDenied {
t.Errorf("expected PermissionDenied, got %v", code)
}
}
func TestAdminInterceptor_NonAdmin(t *testing.T) {
methods := map[string]bool{"/test.Service/Admin": true}
interceptor := adminInterceptor(slog.Default(), methods)
ctx := context.WithValue(context.Background(), tokenInfoKey, &auth.TokenInfo{
Username: "user",
IsAdmin: false,
})
_, err := interceptor(ctx, nil, methodInfo("/test.Service/Admin"), okHandler)
if err == nil {
t.Fatal("expected error for non-admin")
}
if code := status.Code(err); code != codes.PermissionDenied {
t.Errorf("expected PermissionDenied, got %v", code)
}
}
func TestAdminInterceptor_Admin(t *testing.T) {
methods := map[string]bool{"/test.Service/Admin": true}
interceptor := adminInterceptor(slog.Default(), methods)
ctx := context.WithValue(context.Background(), tokenInfoKey, &auth.TokenInfo{
Username: "admin",
IsAdmin: true,
})
resp, err := interceptor(ctx, nil, methodInfo("/test.Service/Admin"), okHandler)
if err != nil {
t.Fatalf("expected success for admin, got: %v", err)
}
if resp != "ok" {
t.Errorf("expected 'ok', got %v", resp)
}
}
func TestAdminInterceptor_SkipsUnlistedMethod(t *testing.T) {
methods := map[string]bool{"/test.Service/Other": true}
interceptor := adminInterceptor(slog.Default(), methods)
// No token info in context — but method not listed, so should pass through.
resp, err := interceptor(context.Background(), nil, methodInfo("/test.Service/Method"), okHandler)
if err != nil {
t.Fatalf("expected pass-through, got: %v", err)
}
if resp != "ok" {
t.Errorf("expected 'ok', got %v", resp)
}
}
func TestChainInterceptors(t *testing.T) {
var order []int
makeInterceptor := func(n int) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
order = append(order, n)
return handler(ctx, req)
}
}
chained := chainInterceptors(makeInterceptor(1), makeInterceptor(2), makeInterceptor(3))
_, err := chained(context.Background(), nil, methodInfo("/test/Method"), okHandler)
if err != nil {
t.Fatalf("chain: %v", err)
}
if len(order) != 3 || order[0] != 1 || order[1] != 2 || order[2] != 3 {
t.Errorf("expected execution order [1 2 3], got %v", order)
}
}
func TestExtractToken(t *testing.T) {
tests := []struct {
name string
md metadata.MD
expected string
}{
{"no metadata", nil, ""},
{"no authorization", metadata.Pairs("other", "val"), ""},
{"bearer token", metadata.Pairs("authorization", "Bearer mytoken"), "mytoken"},
{"raw token", metadata.Pairs("authorization", "mytoken"), "mytoken"},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
var ctx context.Context
if tc.md != nil {
ctx = metadata.NewIncomingContext(context.Background(), tc.md)
} else {
ctx = context.Background()
}
got := extractToken(ctx)
if got != tc.expected {
t.Errorf("extractToken: got %q, want %q", got, tc.expected)
}
})
}
}
// ---- systemServer tests ----
func TestSystemStatus(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ss := &systemServer{s: srv}
resp, err := ss.Status(context.Background(), &pb.StatusRequest{})
if err != nil {
t.Fatalf("Status: %v", err)
}
if resp.State != "uninitialized" {
t.Errorf("expected 'uninitialized', got %q", resp.State)
}
}
func TestSystemInit_EmptyPassword(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ss := &systemServer{s: srv}
_, err := ss.Init(context.Background(), &pb.InitRequest{Password: ""})
if err == nil {
t.Fatal("expected error for empty password")
}
if code := status.Code(err); code != codes.InvalidArgument {
t.Errorf("expected InvalidArgument, got %v", code)
}
}
func TestSystemInit_Success(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ss := &systemServer{s: srv}
resp, err := ss.Init(context.Background(), &pb.InitRequest{Password: "testpassword"})
if err != nil {
t.Fatalf("Init: %v", err)
}
if resp.State != "unsealed" {
t.Errorf("expected 'unsealed' after init, got %q", resp.State)
}
}
func TestSystemInit_AlreadyInitialized(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ss := &systemServer{s: srv}
if _, err := ss.Init(context.Background(), &pb.InitRequest{Password: "pw"}); err != nil {
t.Fatalf("first Init: %v", err)
}
_, err := ss.Init(context.Background(), &pb.InitRequest{Password: "pw"})
if err == nil {
t.Fatal("expected error on second Init")
}
if code := status.Code(err); code != codes.AlreadyExists {
t.Errorf("expected AlreadyExists, got %v", code)
}
}
func TestSystemUnseal_NotInitialized(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ss := &systemServer{s: srv}
_, err := ss.Unseal(context.Background(), &pb.UnsealRequest{Password: "pw"})
if err == nil {
t.Fatal("expected error when not initialized")
}
if code := status.Code(err); code != codes.FailedPrecondition {
t.Errorf("expected FailedPrecondition, got %v", code)
}
}
func TestSystemUnseal_InvalidPassword(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ss := &systemServer{s: srv}
if _, err := ss.Init(context.Background(), &pb.InitRequest{Password: "correct"}); err != nil {
t.Fatalf("Init: %v", err)
}
if err := srv.sealMgr.Seal(); err != nil {
t.Fatalf("Seal: %v", err)
}
_, err := ss.Unseal(context.Background(), &pb.UnsealRequest{Password: "wrong"})
if err == nil {
t.Fatal("expected error for wrong password")
}
if code := status.Code(err); code != codes.Unauthenticated {
t.Errorf("expected Unauthenticated, got %v", code)
}
}
func TestSystemUnseal_Success(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ss := &systemServer{s: srv}
if _, err := ss.Init(context.Background(), &pb.InitRequest{Password: "pw"}); err != nil {
t.Fatalf("Init: %v", err)
}
if err := srv.sealMgr.Seal(); err != nil {
t.Fatalf("Seal: %v", err)
}
resp, err := ss.Unseal(context.Background(), &pb.UnsealRequest{Password: "pw"})
if err != nil {
t.Fatalf("Unseal: %v", err)
}
if resp.State != "unsealed" {
t.Errorf("expected 'unsealed', got %q", resp.State)
}
}
func TestSystemSeal_Success(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ss := &systemServer{s: srv}
if _, err := ss.Init(context.Background(), &pb.InitRequest{Password: "pw"}); err != nil {
t.Fatalf("Init: %v", err)
}
resp, err := ss.Seal(context.Background(), &pb.SealRequest{})
if err != nil {
t.Fatalf("Seal: %v", err)
}
if resp.State != "sealed" {
t.Errorf("expected 'sealed', got %q", resp.State)
}
}
// ---- engineServer tests ----
func TestEngineMount_MissingFields(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
es := &engineServer{s: srv}
_, err := es.Mount(context.Background(), &pb.MountRequest{Name: "", Type: "transit"})
if code := status.Code(err); code != codes.InvalidArgument {
t.Errorf("empty name: expected InvalidArgument, got %v", code)
}
_, err = es.Mount(context.Background(), &pb.MountRequest{Name: "default", Type: ""})
if code := status.Code(err); code != codes.InvalidArgument {
t.Errorf("empty type: expected InvalidArgument, got %v", code)
}
}
func TestEngineMount_UnknownType(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
es := &engineServer{s: srv}
_, err := es.Mount(context.Background(), &pb.MountRequest{Name: "test", Type: "unknown"})
if err == nil {
t.Fatal("expected error for unknown engine type")
}
if code := status.Code(err); code != codes.InvalidArgument {
t.Errorf("expected InvalidArgument, got %v", code)
}
}
func TestEngineMount_Success(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
es := &engineServer{s: srv}
_, err := es.Mount(context.Background(), &pb.MountRequest{Name: "default", Type: "transit"})
if err != nil {
t.Fatalf("Mount: %v", err)
}
}
func TestEngineMount_Duplicate(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
es := &engineServer{s: srv}
if _, err := es.Mount(context.Background(), &pb.MountRequest{Name: "default", Type: "transit"}); err != nil {
t.Fatalf("first Mount: %v", err)
}
_, err := es.Mount(context.Background(), &pb.MountRequest{Name: "default", Type: "transit"})
if err == nil {
t.Fatal("expected error for duplicate mount")
}
if code := status.Code(err); code != codes.AlreadyExists {
t.Errorf("expected AlreadyExists, got %v", code)
}
}
func TestEngineUnmount_MissingName(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
es := &engineServer{s: srv}
_, err := es.Unmount(context.Background(), &pb.UnmountRequest{Name: ""})
if code := status.Code(err); code != codes.InvalidArgument {
t.Errorf("expected InvalidArgument, got %v", code)
}
}
func TestEngineUnmount_NotFound(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
es := &engineServer{s: srv}
_, err := es.Unmount(context.Background(), &pb.UnmountRequest{Name: "nonexistent"})
if code := status.Code(err); code != codes.NotFound {
t.Errorf("expected NotFound, got %v", code)
}
}
func TestEngineUnmount_Success(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
es := &engineServer{s: srv}
if _, err := es.Mount(context.Background(), &pb.MountRequest{Name: "default", Type: "transit"}); err != nil {
t.Fatalf("Mount: %v", err)
}
if _, err := es.Unmount(context.Background(), &pb.UnmountRequest{Name: "default"}); err != nil {
t.Fatalf("Unmount: %v", err)
}
}
func TestEngineListMounts(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
es := &engineServer{s: srv}
resp, err := es.ListMounts(context.Background(), &pb.ListMountsRequest{})
if err != nil {
t.Fatalf("ListMounts: %v", err)
}
if len(resp.Mounts) != 0 {
t.Errorf("expected 0 mounts, got %d", len(resp.Mounts))
}
if _, err := es.Mount(context.Background(), &pb.MountRequest{Name: "eng1", Type: "transit"}); err != nil {
t.Fatalf("Mount: %v", err)
}
resp, err = es.ListMounts(context.Background(), &pb.ListMountsRequest{})
if err != nil {
t.Fatalf("ListMounts after mount: %v", err)
}
if len(resp.Mounts) != 1 {
t.Errorf("expected 1 mount, got %d", len(resp.Mounts))
}
if resp.Mounts[0].Name != "eng1" {
t.Errorf("mount name: got %q, want %q", resp.Mounts[0].Name, "eng1")
}
}
// ---- policyServer tests ----
func TestPolicyCreate_MissingID(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ps := &policyServer{s: srv}
_, err := ps.CreatePolicy(context.Background(), &pb.CreatePolicyRequest{
Rule: &pb.PolicyRule{Id: ""},
})
if code := status.Code(err); code != codes.InvalidArgument {
t.Errorf("expected InvalidArgument, got %v", code)
}
}
func TestPolicyCreate_NilRule(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ps := &policyServer{s: srv}
_, err := ps.CreatePolicy(context.Background(), &pb.CreatePolicyRequest{Rule: nil})
if code := status.Code(err); code != codes.InvalidArgument {
t.Errorf("expected InvalidArgument, got %v", code)
}
}
func TestPolicyRoundtrip(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
// Policy engine needs an unsealed barrier; unseal it via the seal manager.
if err := srv.sealMgr.Initialize(context.Background(), []byte("pw"), fastArgon2Params()); err != nil {
t.Fatalf("initialize: %v", err)
}
ps := &policyServer{s: srv}
rule := &pb.PolicyRule{
Id: "rule-1",
Priority: 10,
Effect: "allow",
Usernames: []string{"alice"},
Resources: []string{"/ca/*"},
Actions: []string{"read"},
}
// Create.
createResp, err := ps.CreatePolicy(context.Background(), &pb.CreatePolicyRequest{Rule: rule})
if err != nil {
t.Fatalf("CreatePolicy: %v", err)
}
if createResp.Rule.Id != "rule-1" {
t.Errorf("created rule id: got %q, want %q", createResp.Rule.Id, "rule-1")
}
// Get.
getResp, err := ps.GetPolicy(context.Background(), &pb.GetPolicyRequest{Id: "rule-1"})
if err != nil {
t.Fatalf("GetPolicy: %v", err)
}
if getResp.Rule.Id != "rule-1" {
t.Errorf("get rule id: got %q, want %q", getResp.Rule.Id, "rule-1")
}
// List.
listResp, err := ps.ListPolicies(context.Background(), &pb.ListPoliciesRequest{})
if err != nil {
t.Fatalf("ListPolicies: %v", err)
}
if len(listResp.Rules) != 1 {
t.Errorf("expected 1 rule, got %d", len(listResp.Rules))
}
// Delete.
if _, err := ps.DeletePolicy(context.Background(), &pb.DeletePolicyRequest{Id: "rule-1"}); err != nil {
t.Fatalf("DeletePolicy: %v", err)
}
// Get after delete should fail.
_, err = ps.GetPolicy(context.Background(), &pb.GetPolicyRequest{Id: "rule-1"})
if code := status.Code(err); code != codes.NotFound {
t.Errorf("expected NotFound after delete, got %v", code)
}
}
func TestPolicyGet_MissingID(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ps := &policyServer{s: srv}
_, err := ps.GetPolicy(context.Background(), &pb.GetPolicyRequest{Id: ""})
if code := status.Code(err); code != codes.InvalidArgument {
t.Errorf("expected InvalidArgument, got %v", code)
}
}
func TestPolicyDelete_MissingID(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
ps := &policyServer{s: srv}
_, err := ps.DeletePolicy(context.Background(), &pb.DeletePolicyRequest{Id: ""})
if code := status.Code(err); code != codes.InvalidArgument {
t.Errorf("expected InvalidArgument, got %v", code)
}
}
// ---- authServer tests ----
func TestAuthTokenInfo_FromContext(t *testing.T) {
srv, cleanup := newTestGRPCServer(t)
defer cleanup()
as := &authServer{s: srv}
ti := &auth.TokenInfo{Username: "alice", Roles: []string{"user"}, IsAdmin: false}
ctx := context.WithValue(context.Background(), tokenInfoKey, ti)
resp, err := as.TokenInfo(ctx, &pb.TokenInfoRequest{})
if err != nil {
t.Fatalf("TokenInfo: %v", err)
}
if resp.Username != "alice" {
t.Errorf("username: got %q, want %q", resp.Username, "alice")
}
if resp.IsAdmin {
t.Error("expected IsAdmin=false")
}
}
// ---- pbToRule / ruleToPB conversion tests ----
func TestPbToRuleRoundtrip(t *testing.T) {
original := &pb.PolicyRule{
Id: "test-rule",
Priority: 5,
Effect: "deny",
Usernames: []string{"bob"},
Roles: []string{"operator"},
Resources: []string{"/pki/*"},
Actions: []string{"write", "delete"},
}
rule := pbToRule(original)
if rule.ID != original.Id {
t.Errorf("ID: got %q, want %q", rule.ID, original.Id)
}
if rule.Priority != int(original.Priority) {
t.Errorf("Priority: got %d, want %d", rule.Priority, original.Priority)
}
if string(rule.Effect) != original.Effect {
t.Errorf("Effect: got %q, want %q", rule.Effect, original.Effect)
}
back := ruleToPB(rule)
if back.Id != original.Id {
t.Errorf("roundtrip Id: got %q, want %q", back.Id, original.Id)
}
if back.Priority != original.Priority {
t.Errorf("roundtrip Priority: got %d, want %d", back.Priority, original.Priority)
}
if back.Effect != original.Effect {
t.Errorf("roundtrip Effect: got %q, want %q", back.Effect, original.Effect)
}
}

2
internal/grpcserver/pki.go
View File

@@ -7,7 +7,7 @@ import (
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
"git.wntrmute.dev/kyle/metacrypt/internal/engine/ca"
)

2
internal/grpcserver/policy.go
View File

@@ -6,7 +6,7 @@ import (
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
"git.wntrmute.dev/kyle/metacrypt/internal/policy"
)

103
internal/grpcserver/server.go
View File

@@ -11,7 +11,7 @@ import (
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
internacme "git.wntrmute.dev/kyle/metacrypt/internal/acme"
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
"git.wntrmute.dev/kyle/metacrypt/internal/config"
@@ -79,6 +79,7 @@ func (s *GRPCServer) Start() error {
pb.RegisterAuthServiceServer(s.srv, &authServer{s: s})
pb.RegisterEngineServiceServer(s.srv, &engineServer{s: s})
pb.RegisterPKIServiceServer(s.srv, &pkiServer{s: s})
pb.RegisterCAServiceServer(s.srv, &caServer{s: s})
pb.RegisterPolicyServiceServer(s.srv, &policyServer{s: s})
pb.RegisterACMEServiceServer(s.srv, &acmeServer{s: s})
@@ -105,57 +106,77 @@ func (s *GRPCServer) Shutdown() {
// to be unsealed.
func sealRequiredMethods() map[string]bool {
return map[string]bool{
"/metacrypt.v1.AuthService/Login": true,
"/metacrypt.v1.AuthService/Logout": true,
"/metacrypt.v1.AuthService/TokenInfo": true,
"/metacrypt.v1.EngineService/Mount": true,
"/metacrypt.v1.EngineService/Unmount": true,
"/metacrypt.v1.EngineService/ListMounts": true,
"/metacrypt.v1.EngineService/Execute": true,
"/metacrypt.v1.PKIService/GetRootCert": true,
"/metacrypt.v1.PKIService/GetChain": true,
"/metacrypt.v1.PKIService/GetIssuerCert": true,
"/metacrypt.v1.PolicyService/CreatePolicy": true,
"/metacrypt.v1.PolicyService/ListPolicies": true,
"/metacrypt.v1.PolicyService/GetPolicy": true,
"/metacrypt.v1.PolicyService/DeletePolicy": true,
"/metacrypt.v1.ACMEService/CreateEAB": true,
"/metacrypt.v1.ACMEService/SetConfig": true,
"/metacrypt.v1.ACMEService/ListAccounts": true,
"/metacrypt.v1.ACMEService/ListOrders": true,
"/metacrypt.v2.AuthService/Login": true,
"/metacrypt.v2.AuthService/Logout": true,
"/metacrypt.v2.AuthService/TokenInfo": true,
"/metacrypt.v2.EngineService/Mount": true,
"/metacrypt.v2.EngineService/Unmount": true,
"/metacrypt.v2.EngineService/ListMounts": true,
"/metacrypt.v2.PKIService/GetRootCert": true,
"/metacrypt.v2.PKIService/GetChain": true,
"/metacrypt.v2.PKIService/GetIssuerCert": true,
"/metacrypt.v2.CAService/ImportRoot": true,
"/metacrypt.v2.CAService/GetRoot": true,
"/metacrypt.v2.CAService/CreateIssuer": true,
"/metacrypt.v2.CAService/DeleteIssuer": true,
"/metacrypt.v2.CAService/ListIssuers": true,
"/metacrypt.v2.CAService/GetIssuer": true,
"/metacrypt.v2.CAService/GetChain": true,
"/metacrypt.v2.CAService/IssueCert": true,
"/metacrypt.v2.CAService/GetCert": true,
"/metacrypt.v2.CAService/ListCerts": true,
"/metacrypt.v2.CAService/RenewCert": true,
"/metacrypt.v2.PolicyService/CreatePolicy": true,
"/metacrypt.v2.PolicyService/ListPolicies": true,
"/metacrypt.v2.PolicyService/GetPolicy": true,
"/metacrypt.v2.PolicyService/DeletePolicy": true,
"/metacrypt.v2.ACMEService/CreateEAB": true,
"/metacrypt.v2.ACMEService/SetConfig": true,
"/metacrypt.v2.ACMEService/ListAccounts": true,
"/metacrypt.v2.ACMEService/ListOrders": true,
}
}
// authRequiredMethods returns the set of RPC full names that require a valid token.
func authRequiredMethods() map[string]bool {
return map[string]bool{
"/metacrypt.v1.AuthService/Logout": true,
"/metacrypt.v1.AuthService/TokenInfo": true,
"/metacrypt.v1.EngineService/Mount": true,
"/metacrypt.v1.EngineService/Unmount": true,
"/metacrypt.v1.EngineService/ListMounts": true,
"/metacrypt.v1.EngineService/Execute": true,
"/metacrypt.v1.PolicyService/CreatePolicy": true,
"/metacrypt.v1.PolicyService/ListPolicies": true,
"/metacrypt.v1.PolicyService/GetPolicy": true,
"/metacrypt.v1.PolicyService/DeletePolicy": true,
"/metacrypt.v1.ACMEService/CreateEAB": true,
"/metacrypt.v1.ACMEService/SetConfig": true,
"/metacrypt.v1.ACMEService/ListAccounts": true,
"/metacrypt.v1.ACMEService/ListOrders": true,
"/metacrypt.v2.AuthService/Logout": true,
"/metacrypt.v2.AuthService/TokenInfo": true,
"/metacrypt.v2.EngineService/Mount": true,
"/metacrypt.v2.EngineService/Unmount": true,
"/metacrypt.v2.EngineService/ListMounts": true,
"/metacrypt.v2.CAService/ImportRoot": true,
"/metacrypt.v2.CAService/CreateIssuer": true,
"/metacrypt.v2.CAService/DeleteIssuer": true,
"/metacrypt.v2.CAService/ListIssuers": true,
"/metacrypt.v2.CAService/IssueCert": true,
"/metacrypt.v2.CAService/GetCert": true,
"/metacrypt.v2.CAService/ListCerts": true,
"/metacrypt.v2.CAService/RenewCert": true,
"/metacrypt.v2.PolicyService/CreatePolicy": true,
"/metacrypt.v2.PolicyService/ListPolicies": true,
"/metacrypt.v2.PolicyService/GetPolicy": true,
"/metacrypt.v2.PolicyService/DeletePolicy": true,
"/metacrypt.v2.ACMEService/CreateEAB": true,
"/metacrypt.v2.ACMEService/SetConfig": true,
"/metacrypt.v2.ACMEService/ListAccounts": true,
"/metacrypt.v2.ACMEService/ListOrders": true,
}
}
// adminRequiredMethods returns the set of RPC full names that require admin.
func adminRequiredMethods() map[string]bool {
return map[string]bool{
"/metacrypt.v1.SystemService/Seal": true,
"/metacrypt.v1.EngineService/Mount": true,
"/metacrypt.v1.EngineService/Unmount": true,
"/metacrypt.v1.PolicyService/CreatePolicy": true,
"/metacrypt.v1.PolicyService/DeletePolicy": true,
"/metacrypt.v1.ACMEService/SetConfig": true,
"/metacrypt.v1.ACMEService/ListAccounts": true,
"/metacrypt.v1.ACMEService/ListOrders": true,
"/metacrypt.v2.SystemService/Seal": true,
"/metacrypt.v2.EngineService/Mount": true,
"/metacrypt.v2.EngineService/Unmount": true,
"/metacrypt.v2.CAService/ImportRoot": true,
"/metacrypt.v2.CAService/CreateIssuer": true,
"/metacrypt.v2.CAService/DeleteIssuer": true,
"/metacrypt.v2.PolicyService/CreatePolicy": true,
"/metacrypt.v2.PolicyService/DeletePolicy": true,
"/metacrypt.v2.ACMEService/SetConfig": true,
"/metacrypt.v2.ACMEService/ListAccounts": true,
"/metacrypt.v2.ACMEService/ListOrders": true,
}
}

2
internal/grpcserver/system.go
View File

@@ -7,7 +7,7 @@ import (
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
)