Checkpoint: grpc auth fix, issuer list/detail, v2 protos, architecture docs
Co-authored-by: Junie <junie@jetbrains.com>
This commit is contained in:
@@ -1,126 +0,0 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/credentials"
|
||||
grpcstatus "google.golang.org/grpc/status"
|
||||
|
||||
metacryptv1 "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
|
||||
"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
|
||||
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
|
||||
)
|
||||
|
||||
// systemServiceServer implements metacryptv1.SystemServiceServer.
|
||||
type systemServiceServer struct {
|
||||
metacryptv1.UnimplementedSystemServiceServer
|
||||
s *Server
|
||||
}
|
||||
|
||||
func (g *systemServiceServer) Status(_ context.Context, _ *metacryptv1.StatusRequest) (*metacryptv1.StatusResponse, error) {
|
||||
return &metacryptv1.StatusResponse{State: g.s.seal.State().String()}, nil
|
||||
}
|
||||
|
||||
func (g *systemServiceServer) Init(ctx context.Context, req *metacryptv1.InitRequest) (*metacryptv1.InitResponse, error) {
|
||||
params := crypto.Argon2Params{
|
||||
Time: g.s.cfg.Seal.Argon2Time,
|
||||
Memory: g.s.cfg.Seal.Argon2Memory,
|
||||
Threads: g.s.cfg.Seal.Argon2Threads,
|
||||
}
|
||||
if err := g.s.seal.Initialize(ctx, []byte(req.Password), params); err != nil {
|
||||
if errors.Is(err, seal.ErrAlreadyInitialized) {
|
||||
return nil, grpcstatus.Error(codes.AlreadyExists, "already initialized")
|
||||
}
|
||||
g.s.logger.Error("grpc init failed", "error", err)
|
||||
return nil, grpcstatus.Error(codes.Internal, "initialization failed")
|
||||
}
|
||||
return &metacryptv1.InitResponse{State: g.s.seal.State().String()}, nil
|
||||
}
|
||||
|
||||
func (g *systemServiceServer) Unseal(ctx context.Context, req *metacryptv1.UnsealRequest) (*metacryptv1.UnsealResponse, error) {
|
||||
if err := g.s.seal.Unseal([]byte(req.Password)); err != nil {
|
||||
switch {
|
||||
case errors.Is(err, seal.ErrNotInitialized):
|
||||
return nil, grpcstatus.Error(codes.FailedPrecondition, "not initialized")
|
||||
case errors.Is(err, seal.ErrInvalidPassword):
|
||||
return nil, grpcstatus.Error(codes.Unauthenticated, "invalid password")
|
||||
case errors.Is(err, seal.ErrRateLimited):
|
||||
return nil, grpcstatus.Error(codes.ResourceExhausted, "too many attempts, try again later")
|
||||
case errors.Is(err, seal.ErrNotSealed):
|
||||
return nil, grpcstatus.Error(codes.AlreadyExists, "already unsealed")
|
||||
default:
|
||||
g.s.logger.Error("grpc unseal failed", "error", err)
|
||||
return nil, grpcstatus.Error(codes.Internal, "unseal failed")
|
||||
}
|
||||
}
|
||||
|
||||
if err := g.s.engines.UnsealAll(ctx); err != nil {
|
||||
g.s.logger.Error("grpc engine unseal failed", "error", err)
|
||||
return nil, grpcstatus.Error(codes.Internal, "engine unseal failed")
|
||||
}
|
||||
|
||||
return &metacryptv1.UnsealResponse{State: g.s.seal.State().String()}, nil
|
||||
}
|
||||
|
||||
func (g *systemServiceServer) Seal(_ context.Context, _ *metacryptv1.SealRequest) (*metacryptv1.SealResponse, error) {
|
||||
if err := g.s.engines.SealAll(); err != nil {
|
||||
g.s.logger.Error("grpc seal engines failed", "error", err)
|
||||
}
|
||||
if err := g.s.seal.Seal(); err != nil {
|
||||
g.s.logger.Error("grpc seal failed", "error", err)
|
||||
return nil, grpcstatus.Error(codes.Internal, "seal failed")
|
||||
}
|
||||
g.s.auth.ClearCache()
|
||||
return &metacryptv1.SealResponse{State: g.s.seal.State().String()}, nil
|
||||
}
|
||||
|
||||
// StartGRPC starts the gRPC server on cfg.Server.GRPCAddr using the same TLS
|
||||
// certificate as the HTTP server. It blocks until the listener closes.
|
||||
func (s *Server) StartGRPC() error {
|
||||
if s.cfg.Server.GRPCAddr == "" {
|
||||
return nil
|
||||
}
|
||||
|
||||
cert, err := tls.LoadX509KeyPair(s.cfg.Server.TLSCert, s.cfg.Server.TLSKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("grpc: load TLS key pair: %w", err)
|
||||
}
|
||||
tlsCfg := &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
MinVersion: tls.VersionTLS12,
|
||||
CipherSuites: []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
},
|
||||
}
|
||||
|
||||
grpcSrv := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsCfg)))
|
||||
metacryptv1.RegisterSystemServiceServer(grpcSrv, &systemServiceServer{s: s})
|
||||
|
||||
lis, err := net.Listen("tcp", s.cfg.Server.GRPCAddr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("grpc: listen: %w", err)
|
||||
}
|
||||
|
||||
s.grpcSrv = grpcSrv
|
||||
s.logger.Info("starting gRPC server", "addr", s.cfg.Server.GRPCAddr)
|
||||
if err := grpcSrv.Serve(lis); err != nil {
|
||||
return fmt.Errorf("grpc: serve: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// ShutdownGRPC gracefully stops the gRPC server.
|
||||
func (s *Server) ShutdownGRPC() {
|
||||
if s.grpcSrv != nil {
|
||||
s.grpcSrv.GracefulStop()
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user