mirror of
https://github.com/rocky-linux/peridot.git
synced 2024-11-18 19:31:25 +00:00
69 lines
2.7 KiB
Go
69 lines
2.7 KiB
Go
|
// Copyright 2016 Michal Witkowski. All Rights Reserved.
|
||
|
// See LICENSE for licensing terms.
|
||
|
|
||
|
package grpc_auth
|
||
|
|
||
|
import (
|
||
|
"context"
|
||
|
|
||
|
"github.com/grpc-ecosystem/go-grpc-middleware"
|
||
|
"google.golang.org/grpc"
|
||
|
)
|
||
|
|
||
|
// AuthFunc is the pluggable function that performs authentication.
|
||
|
//
|
||
|
// The passed in `Context` will contain the gRPC metadata.MD object (for header-based authentication) and
|
||
|
// the peer.Peer information that can contain transport-based credentials (e.g. `credentials.AuthInfo`).
|
||
|
//
|
||
|
// The returned context will be propagated to handlers, allowing user changes to `Context`. However,
|
||
|
// please make sure that the `Context` returned is a child `Context` of the one passed in.
|
||
|
//
|
||
|
// If error is returned, its `grpc.Code()` will be returned to the user as well as the verbatim message.
|
||
|
// Please make sure you use `codes.Unauthenticated` (lacking auth) and `codes.PermissionDenied`
|
||
|
// (authed, but lacking perms) appropriately.
|
||
|
type AuthFunc func(ctx context.Context) (context.Context, error)
|
||
|
|
||
|
// ServiceAuthFuncOverride allows a given gRPC service implementation to override the global `AuthFunc`.
|
||
|
//
|
||
|
// If a service implements the AuthFuncOverride method, it takes precedence over the `AuthFunc` method,
|
||
|
// and will be called instead of AuthFunc for all method invocations within that service.
|
||
|
type ServiceAuthFuncOverride interface {
|
||
|
AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error)
|
||
|
}
|
||
|
|
||
|
// UnaryServerInterceptor returns a new unary server interceptors that performs per-request auth.
|
||
|
func UnaryServerInterceptor(authFunc AuthFunc) grpc.UnaryServerInterceptor {
|
||
|
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
|
||
|
var newCtx context.Context
|
||
|
var err error
|
||
|
if overrideSrv, ok := info.Server.(ServiceAuthFuncOverride); ok {
|
||
|
newCtx, err = overrideSrv.AuthFuncOverride(ctx, info.FullMethod)
|
||
|
} else {
|
||
|
newCtx, err = authFunc(ctx)
|
||
|
}
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
return handler(newCtx, req)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// StreamServerInterceptor returns a new unary server interceptors that performs per-request auth.
|
||
|
func StreamServerInterceptor(authFunc AuthFunc) grpc.StreamServerInterceptor {
|
||
|
return func(srv interface{}, stream grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
|
||
|
var newCtx context.Context
|
||
|
var err error
|
||
|
if overrideSrv, ok := srv.(ServiceAuthFuncOverride); ok {
|
||
|
newCtx, err = overrideSrv.AuthFuncOverride(stream.Context(), info.FullMethod)
|
||
|
} else {
|
||
|
newCtx, err = authFunc(stream.Context())
|
||
|
}
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
wrapped := grpc_middleware.WrapServerStream(stream)
|
||
|
wrapped.WrappedContext = newCtx
|
||
|
return handler(srv, wrapped)
|
||
|
}
|
||
|
}
|