163 lines
5.4 KiB
Go
163 lines
5.4 KiB
Go
// Package grpcserver implements the gRPC server for Metacrypt.
|
|
package grpcserver
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"fmt"
|
|
"log/slog"
|
|
"net"
|
|
"sync"
|
|
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/credentials"
|
|
|
|
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
|
|
internacme "git.wntrmute.dev/kyle/metacrypt/internal/acme"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/config"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/policy"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
|
|
)
|
|
|
|
// GRPCServer wraps the gRPC server and all service implementations.
|
|
type GRPCServer struct {
|
|
cfg *config.Config
|
|
sealMgr *seal.Manager
|
|
auth *auth.Authenticator
|
|
policy *policy.Engine
|
|
engines *engine.Registry
|
|
logger *slog.Logger
|
|
|
|
srv *grpc.Server
|
|
mu sync.Mutex
|
|
acmeHandlers map[string]*internacme.Handler
|
|
}
|
|
|
|
// New creates a new GRPCServer.
|
|
func New(cfg *config.Config, sealMgr *seal.Manager, authenticator *auth.Authenticator,
|
|
policyEngine *policy.Engine, engineRegistry *engine.Registry, logger *slog.Logger) *GRPCServer {
|
|
return &GRPCServer{
|
|
cfg: cfg,
|
|
sealMgr: sealMgr,
|
|
auth: authenticator,
|
|
policy: policyEngine,
|
|
engines: engineRegistry,
|
|
logger: logger,
|
|
acmeHandlers: make(map[string]*internacme.Handler),
|
|
}
|
|
}
|
|
|
|
// Start starts the gRPC server on cfg.Server.GRPCAddr.
|
|
func (s *GRPCServer) Start() error {
|
|
if s.cfg.Server.GRPCAddr == "" {
|
|
s.logger.Info("grpc_addr not configured, gRPC server disabled")
|
|
return nil
|
|
}
|
|
|
|
tlsCert, err := tls.LoadX509KeyPair(s.cfg.Server.TLSCert, s.cfg.Server.TLSKey)
|
|
if err != nil {
|
|
return fmt.Errorf("grpc: load TLS cert: %w", err)
|
|
}
|
|
tlsCfg := &tls.Config{
|
|
Certificates: []tls.Certificate{tlsCert},
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
creds := credentials.NewTLS(tlsCfg)
|
|
|
|
interceptor := chainInterceptors(
|
|
sealInterceptor(s.sealMgr, s.logger, sealRequiredMethods()),
|
|
authInterceptor(s.auth, s.logger, authRequiredMethods()),
|
|
adminInterceptor(s.logger, adminRequiredMethods()),
|
|
)
|
|
|
|
s.srv = grpc.NewServer(
|
|
grpc.Creds(creds),
|
|
grpc.UnaryInterceptor(interceptor),
|
|
)
|
|
|
|
pb.RegisterSystemServiceServer(s.srv, &systemServer{s: s})
|
|
pb.RegisterAuthServiceServer(s.srv, &authServer{s: s})
|
|
pb.RegisterEngineServiceServer(s.srv, &engineServer{s: s})
|
|
pb.RegisterPKIServiceServer(s.srv, &pkiServer{s: s})
|
|
pb.RegisterPolicyServiceServer(s.srv, &policyServer{s: s})
|
|
pb.RegisterACMEServiceServer(s.srv, &acmeServer{s: s})
|
|
|
|
lis, err := net.Listen("tcp", s.cfg.Server.GRPCAddr)
|
|
if err != nil {
|
|
return fmt.Errorf("grpc: listen %s: %w", s.cfg.Server.GRPCAddr, err)
|
|
}
|
|
|
|
s.logger.Info("starting gRPC server", "addr", s.cfg.Server.GRPCAddr)
|
|
if err := s.srv.Serve(lis); err != nil {
|
|
return fmt.Errorf("grpc: serve: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Shutdown gracefully stops the gRPC server.
|
|
func (s *GRPCServer) Shutdown() {
|
|
if s.srv != nil {
|
|
s.srv.GracefulStop()
|
|
}
|
|
}
|
|
|
|
// sealRequiredMethods returns the set of RPC full names that require the vault
|
|
// to be unsealed.
|
|
func sealRequiredMethods() map[string]bool {
|
|
return map[string]bool{
|
|
"/metacrypt.v1.AuthService/Login": true,
|
|
"/metacrypt.v1.AuthService/Logout": true,
|
|
"/metacrypt.v1.AuthService/TokenInfo": true,
|
|
"/metacrypt.v1.EngineService/Mount": true,
|
|
"/metacrypt.v1.EngineService/Unmount": true,
|
|
"/metacrypt.v1.EngineService/ListMounts": true,
|
|
"/metacrypt.v1.EngineService/Request": true,
|
|
"/metacrypt.v1.PKIService/GetRootCert": true,
|
|
"/metacrypt.v1.PKIService/GetChain": true,
|
|
"/metacrypt.v1.PKIService/GetIssuerCert": true,
|
|
"/metacrypt.v1.PolicyService/CreatePolicy": true,
|
|
"/metacrypt.v1.PolicyService/ListPolicies": true,
|
|
"/metacrypt.v1.PolicyService/GetPolicy": true,
|
|
"/metacrypt.v1.PolicyService/DeletePolicy": true,
|
|
"/metacrypt.v1.ACMEService/CreateEAB": true,
|
|
"/metacrypt.v1.ACMEService/SetConfig": true,
|
|
"/metacrypt.v1.ACMEService/ListAccounts": true,
|
|
"/metacrypt.v1.ACMEService/ListOrders": true,
|
|
}
|
|
}
|
|
|
|
// authRequiredMethods returns the set of RPC full names that require a valid token.
|
|
func authRequiredMethods() map[string]bool {
|
|
return map[string]bool{
|
|
"/metacrypt.v1.AuthService/Logout": true,
|
|
"/metacrypt.v1.AuthService/TokenInfo": true,
|
|
"/metacrypt.v1.EngineService/Mount": true,
|
|
"/metacrypt.v1.EngineService/Unmount": true,
|
|
"/metacrypt.v1.EngineService/ListMounts": true,
|
|
"/metacrypt.v1.EngineService/Request": true,
|
|
"/metacrypt.v1.PolicyService/CreatePolicy": true,
|
|
"/metacrypt.v1.PolicyService/ListPolicies": true,
|
|
"/metacrypt.v1.PolicyService/GetPolicy": true,
|
|
"/metacrypt.v1.PolicyService/DeletePolicy": true,
|
|
"/metacrypt.v1.ACMEService/CreateEAB": true,
|
|
"/metacrypt.v1.ACMEService/SetConfig": true,
|
|
"/metacrypt.v1.ACMEService/ListAccounts": true,
|
|
"/metacrypt.v1.ACMEService/ListOrders": true,
|
|
}
|
|
}
|
|
|
|
// adminRequiredMethods returns the set of RPC full names that require admin.
|
|
func adminRequiredMethods() map[string]bool {
|
|
return map[string]bool{
|
|
"/metacrypt.v1.SystemService/Seal": true,
|
|
"/metacrypt.v1.EngineService/Mount": true,
|
|
"/metacrypt.v1.EngineService/Unmount": true,
|
|
"/metacrypt.v1.PolicyService/CreatePolicy": true,
|
|
"/metacrypt.v1.PolicyService/DeletePolicy": true,
|
|
"/metacrypt.v1.ACMEService/SetConfig": true,
|
|
"/metacrypt.v1.ACMEService/ListAccounts": true,
|
|
"/metacrypt.v1.ACMEService/ListOrders": true,
|
|
}
|
|
}
|