mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
310ed83f28f254e5b3f2c82de2f7ea53badbcf51
metacrypt/internal/grpcserver/interceptors.go
Kyle Isom 310ed83f28 Migrate gRPC server to mcdsl grpcserver package 
Replace metacrypt's hand-rolled gRPC interceptor chain with the mcdsl
grpcserver package, which provides TLS setup, logging, and method-map
auth (public/auth-required/admin-required) out of the box.

Metacrypt-specific interceptors are preserved as hooks:
- sealInterceptor runs as a PreInterceptor (before logging/auth)
- auditInterceptor runs as a PostInterceptor (after auth)

The three legacy method maps (seal/auth/admin) are restructured into
mcdsl's MethodMap (Public/AuthRequired/AdminRequired) plus a separate
seal-required map for the PreInterceptor. Token context is now stored
via mcdsl/auth.ContextWithTokenInfo instead of a package-local key.

Bumps mcdsl from v1.0.0 to v1.0.1 (adds PreInterceptors/PostInterceptors
to grpcserver.Options).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 14:42:41 -07:00

74 lines
2.2 KiB
Go
Raw Blame History

package grpcserver
import (
"context"
"log/slog"
"path"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"git.wntrmute.dev/kyle/metacrypt/internal/audit"
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
)
// sealInterceptor rejects calls with FailedPrecondition when the vault is
// sealed, for the listed methods. It is intended to run as a PreInterceptor
// in the mcdsl grpcserver chain, before logging and auth.
func sealInterceptor(sealMgr *seal.Manager, logger *slog.Logger, methods map[string]bool) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
if !methods[info.FullMethod] {
return handler(ctx, req)
}
if sealMgr.State() != seal.StateUnsealed {
logger.Debug("grpc request rejected: vault sealed", "method", info.FullMethod)
return nil, status.Error(codes.FailedPrecondition, "vault is sealed")
}
return handler(ctx, req)
}
}
// auditInterceptor logs an audit event after each RPC completes. It is
// intended to run as a PostInterceptor in the mcdsl grpcserver chain,
// after auth so that caller info is available in the context via
// auth.TokenInfoFromContext.
func auditInterceptor(auditLog *audit.Logger) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
resp, err := handler(ctx, req)
caller := "anonymous"
var roles []string
if ti := auth.TokenInfoFromContext(ctx); ti != nil {
caller = ti.Username
roles = ti.Roles
}
outcome := "success"
var errMsg string
if err != nil {
outcome = "error"
if st, ok := status.FromError(err); ok {
if st.Code() == codes.PermissionDenied || st.Code() == codes.Unauthenticated {
outcome = "denied"
}
errMsg = st.Message()
} else {
errMsg = err.Error()
}
}
auditLog.Log(ctx, audit.Event{
Caller: caller,
Roles: roles,
Operation: path.Base(info.FullMethod),
Resource: info.FullMethod,
Outcome: outcome,
Error: errMsg,
})
return resp, err
}
}
Reference in New Issue View Git Blame Copy Permalink