Move remote auth code from pkg/grpc to pkg/auth

buildbarn · Jan 24, 2025 · 1423d66 · 1423d66
1 parent de70210
commit 1423d66
Show file tree

Hide file tree

Showing 16 changed files with 92 additions and 94 deletions.
diff --git a/internal/mock/BUILD.bazel b/internal/mock/BUILD.bazel
@@ -23,6 +23,7 @@ gomock(
     out = "auth.go",
     interfaces = [
         "Authorizer",
+        "RequestHeadersAuthenticator",
     ],
     library = "//pkg/auth",
     mockgen_model_library = "@org_uber_go_mock//mockgen/model",
@@ -233,7 +234,6 @@ gomock(
         "Authenticator",
         "ClientDialer",
         "ClientFactory",
-        "RequestHeadersAuthenticator",
     ],
     library = "//pkg/grpc",
     mock_names = {"Authenticator": "MockGRPCAuthenticator"},

diff --git a/pkg/auth/BUILD.bazel b/pkg/auth/BUILD.bazel
@@ -7,21 +7,28 @@ go_library(
         "authentication_metadata.go",
         "authorizer.go",
         "jmespath_expression_authorizer.go",
+        "remote_authenticator.go",
+        "remote_authorizer.go",
+        "request_headers_authenticator.go",
         "static_authorizer.go",
     ],
     importpath = "github.com/buildbarn/bb-storage/pkg/auth",
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/clock",
         "//pkg/digest",
+        "//pkg/eviction",
         "//pkg/otel",
         "//pkg/proto/auth",
         "//pkg/util",
         "@com_github_jmespath_go_jmespath//:go-jmespath",
         "@io_opentelemetry_go_otel//attribute",
+        "@org_golang_google_grpc//:grpc",
         "@org_golang_google_grpc//codes",
         "@org_golang_google_grpc//status",
         "@org_golang_google_protobuf//encoding/protojson",
         "@org_golang_google_protobuf//proto",
+        "@org_golang_google_protobuf//types/known/structpb",
     ],
 )
 
@@ -31,21 +38,28 @@ go_test(
         "any_authorizer_test.go",
         "authentication_metadata_test.go",
         "jmespath_expression_authorizer_test.go",
+        "remote_authenticator_test.go",
+        "remote_authorizer_test.go",
         "static_authorizer_test.go",
     ],
     deps = [
         ":auth",
         "//internal/mock",
         "//pkg/digest",
+        "//pkg/eviction",
         "//pkg/proto/auth",
         "//pkg/testutil",
         "@com_github_jmespath_go_jmespath//:go-jmespath",
         "@com_github_stretchr_testify//require",
         "@io_opentelemetry_go_otel//attribute",
         "@io_opentelemetry_go_proto_otlp//common/v1:common",
+        "@org_golang_google_grpc//:grpc",
         "@org_golang_google_grpc//codes",
         "@org_golang_google_grpc//status",
+        "@org_golang_google_protobuf//proto",
+        "@org_golang_google_protobuf//types/known/emptypb",
         "@org_golang_google_protobuf//types/known/structpb",
+        "@org_golang_google_protobuf//types/known/timestamppb",
         "@org_uber_go_mock//gomock",
     ],
 )
diff --git a/pkg/auth/configuration/authorizer_factory.go b/pkg/auth/configuration/authorizer_factory.go
@@ -63,11 +63,11 @@ func (f BaseAuthorizerFactory) NewAuthorizerFromConfiguration(config *pb.Authori
 		if err != nil {
 			return nil, util.StatusWrap(err, "Failed to create authorizer RPC client")
 		}
-		evictionSet, err := eviction.NewSetFromConfiguration[grpc.RemoteAuthorizerCacheKey](policy.Remote.CacheReplacementPolicy)
+		evictionSet, err := eviction.NewSetFromConfiguration[auth.RemoteAuthorizerCacheKey](policy.Remote.CacheReplacementPolicy)
 		if err != nil {
 			return nil, util.StatusWrap(err, "Cache replacement policy for remote authorization")
 		}
-		return grpc.NewRemoteAuthorizer(
+		return auth.NewRemoteAuthorizer(
 			grpcClient,
 			policy.Remote.Scope,
 			clock.SystemClock,

diff --git a/pkg/grpc/remote_authenticator.go → pkg/auth/remote_authenticator.go b/pkg/grpc/remote_authenticator.go → pkg/auth/remote_authenticator.go
@@ -1,12 +1,11 @@
-package grpc
+package auth
 
 import (
 	"context"
 	"crypto/sha256"
 	"sync"
 	"time"
 
-	"github.com/buildbarn/bb-storage/pkg/auth"
 	"github.com/buildbarn/bb-storage/pkg/clock"
 	"github.com/buildbarn/bb-storage/pkg/eviction"
 	auth_pb "github.com/buildbarn/bb-storage/pkg/proto/auth"
@@ -44,7 +43,7 @@ type remoteAuthCacheEntry struct {
 
 type remoteAuthResponse struct {
 	expirationTime time.Time
-	authMetadata   *auth.AuthenticationMetadata
+	authMetadata   *AuthenticationMetadata
 	err            error
 }
 
@@ -88,7 +87,7 @@ func NewRemoteAuthenticator(
 	}
 }
 
-func (a *remoteAuthenticator) Authenticate(ctx context.Context, headers map[string][]string) (*auth.AuthenticationMetadata, error) {
+func (a *remoteAuthenticator) Authenticate(ctx context.Context, headers map[string][]string) (*AuthenticationMetadata, error) {
 	request := &auth_pb.AuthenticateRequest{
 		RequestMetadata: make(map[string]*auth_pb.AuthenticateRequest_ValueList, len(headers)),
 		Scope:           a.scope,
@@ -184,7 +183,7 @@ func (a *remoteAuthenticator) authenticateRemotely(ctx context.Context, request
 
 	switch verdict := response.GetVerdict().(type) {
 	case *auth_pb.AuthenticateResponse_Allow:
-		ret.authMetadata, err = auth.NewAuthenticationMetadataFromProto(verdict.Allow)
+		ret.authMetadata, err = NewAuthenticationMetadataFromProto(verdict.Allow)
 		if err != nil {
 			ret.err = util.StatusWrapWithCode(err, codes.Unauthenticated, "Bad authentication response")
 		}

diff --git a/pkg/grpc/remote_authenticator_test.go → pkg/auth/remote_authenticator_test.go b/pkg/grpc/remote_authenticator_test.go → pkg/auth/remote_authenticator_test.go
@@ -1,4 +1,4 @@
-package grpc_test
+package auth_test
 
 import (
 	"context"
@@ -7,8 +7,8 @@ import (
 	"time"
 
 	"github.com/buildbarn/bb-storage/internal/mock"
+	"github.com/buildbarn/bb-storage/pkg/auth"
 	"github.com/buildbarn/bb-storage/pkg/eviction"
-	bb_grpc "github.com/buildbarn/bb-storage/pkg/grpc"
 	auth_pb "github.com/buildbarn/bb-storage/pkg/proto/auth"
 	"github.com/buildbarn/bb-storage/pkg/testutil"
 	"github.com/stretchr/testify/require"
@@ -33,11 +33,11 @@ func TestRemoteAuthenticatorFailure(t *testing.T) {
 		).Return(status.Error(codes.Unavailable, "Server offline"))
 		clock.EXPECT().Now().Return(time.Unix(1000, 0))
 
-		authenticator := bb_grpc.NewRemoteAuthenticator(
+		authenticator := auth.NewRemoteAuthenticator(
 			client,
 			structpb.NewStringValue("auth-scope"),
 			clock,
-			eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](),
+			eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](),
 			100,
 		)
 		// authMetadata, err := authenticator.Authenticate(ctx)
@@ -60,11 +60,11 @@ func TestRemoteAuthenticatorFailure(t *testing.T) {
 		})
 		clock.EXPECT().Now().Return(time.Unix(1000, 0))
 
-		authenticator := bb_grpc.NewRemoteAuthenticator(
+		authenticator := auth.NewRemoteAuthenticator(
 			client,
 			structpb.NewStringValue("auth-scope"),
 			clock,
-			eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](),
+			eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](),
 			100,
 		)
 		// authMetadata, err := authenticator.Authenticate(ctx)
@@ -101,14 +101,14 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) {
 		return nil
 	}
 
-	authenticateAllowFunc := func(authenticator bb_grpc.RequestHeadersAuthenticator, token string) {
+	authenticateAllowFunc := func(authenticator auth.RequestHeadersAuthenticator, token string) {
 		authMetadata, err := authenticator.Authenticate(ctx, map[string][]string{"Authorization": {token}})
 		require.NoError(t, err)
 		require.Equal(t, map[string]any{
 			"public": "You're totally who you say you are: " + token,
 		}, authMetadata.GetRaw())
 	}
-	authenticateDenyFunc := func(authenticator bb_grpc.RequestHeadersAuthenticator, token string) {
+	authenticateDenyFunc := func(authenticator auth.RequestHeadersAuthenticator, token string) {
 		_, err := authenticator.Authenticate(ctx, map[string][]string{"Authorization": {token}})
 		testutil.RequireEqualStatus(
 			t,
@@ -135,11 +135,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) {
 		).DoAndReturn(remoteService)
 		clock.EXPECT().Now().Return(time.Unix(1000, 0))
 
-		authenticator := bb_grpc.NewRemoteAuthenticator(
+		authenticator := auth.NewRemoteAuthenticator(
 			client,
 			structpb.NewStringValue("auth-scope"),
 			clock,
-			eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](),
+			eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](),
 			100,
 		)
 		authMetadata, err := authenticator.Authenticate(ctx, map[string][]string{"Authorization": {"allow1", "token2"}})
@@ -168,11 +168,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) {
 		).DoAndReturn(remoteService)
 		clock.EXPECT().Now().Return(time.Unix(1000, 0))
 
-		authenticator := bb_grpc.NewRemoteAuthenticator(
+		authenticator := auth.NewRemoteAuthenticator(
 			client,
 			structpb.NewStringValue("auth-scope"),
 			clock,
-			eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](),
+			eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](),
 			100,
 		)
 		_, err := authenticator.Authenticate(ctx, map[string][]string{"Authorization": {"deny3", "token4"}})
@@ -186,11 +186,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) {
 		client := mock.NewMockClientConnInterface(ctrl)
 		clock := mock.NewMockClock(ctrl)
 
-		authenticator := bb_grpc.NewRemoteAuthenticator(
+		authenticator := auth.NewRemoteAuthenticator(
 			client,
 			structpb.NewStringValue("auth-scope"),
 			clock,
-			eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](),
+			eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](),
 			100,
 		)
 
@@ -216,11 +216,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) {
 
 		clock.EXPECT().Now().Return(time.Unix(1000, 0)).AnyTimes()
 
-		authenticator := bb_grpc.NewRemoteAuthenticator(
+		authenticator := auth.NewRemoteAuthenticator(
 			client,
 			structpb.NewStringValue("auth-scope"),
 			clock,
-			eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](),
+			eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](),
 			2, // Only two spaces in this test.
 		)
 
@@ -261,11 +261,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) {
 
 		clock.EXPECT().Now().Return(time.Unix(1000, 0)).AnyTimes()
 
-		authenticator := bb_grpc.NewRemoteAuthenticator(
+		authenticator := auth.NewRemoteAuthenticator(
 			client,
 			structpb.NewStringValue("auth-scope"),
 			clock,
-			eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](),
+			eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](),
 			100,
 		)
 		doAuth := func(token string, done chan<- struct{}) {
@@ -356,11 +356,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) {
 
 		clock.EXPECT().Now().Return(time.Unix(1000, 0)).AnyTimes()
 
-		authenticator := bb_grpc.NewRemoteAuthenticator(
+		authenticator := auth.NewRemoteAuthenticator(
 			client,
 			structpb.NewStringValue("auth-scope"),
 			clock,
-			eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](),
+			eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](),
 			100,
 		)
 		doAuth := func(token string, done chan<- struct{}, verdict string) {

diff --git a/pkg/grpc/remote_authorizer.go → pkg/auth/remote_authorizer.go b/pkg/grpc/remote_authorizer.go → pkg/auth/remote_authorizer.go
@@ -1,12 +1,11 @@
-package grpc
+package auth
 
 import (
 	"context"
 	"crypto/sha256"
 	"sync"
 	"time"
 
-	"github.com/buildbarn/bb-storage/pkg/auth"
 	"github.com/buildbarn/bb-storage/pkg/clock"
 	"github.com/buildbarn/bb-storage/pkg/digest"
 	"github.com/buildbarn/bb-storage/pkg/eviction"
@@ -69,7 +68,7 @@ func NewRemoteAuthorizer(
 	clock clock.Clock,
 	evictionSet eviction.Set[RemoteAuthorizerCacheKey],
 	maximumCacheSize int,
-) auth.Authorizer {
+) Authorizer {
 	return &remoteAuthorizer{
 		remoteAuthClient: auth_pb.NewAuthorizerClient(client),
 		scope:            scope,
@@ -91,7 +90,7 @@ func (a *remoteAuthorizer) Authorize(ctx context.Context, instanceNames []digest
 }
 
 func (a *remoteAuthorizer) authorizeSingle(ctx context.Context, instanceName digest.InstanceName) error {
-	authenticationMetadata := auth.AuthenticationMetadataFromContext(ctx)
+	authenticationMetadata := AuthenticationMetadataFromContext(ctx)
 	request := &auth_pb.AuthorizeRequest{
 		AuthenticationMetadata: authenticationMetadata.GetFullProto(),
 		Scope:                  a.scope,