diff --git a/internal/mock/BUILD.bazel b/internal/mock/BUILD.bazel index 6267af89..057f0c94 100644 --- a/internal/mock/BUILD.bazel +++ b/internal/mock/BUILD.bazel @@ -23,6 +23,7 @@ gomock( out = "auth.go", interfaces = [ "Authorizer", + "RequestHeadersAuthenticator", ], library = "//pkg/auth", mockgen_model_library = "@org_uber_go_mock//mockgen/model", @@ -233,7 +234,6 @@ gomock( "Authenticator", "ClientDialer", "ClientFactory", - "RequestHeadersAuthenticator", ], library = "//pkg/grpc", mock_names = {"Authenticator": "MockGRPCAuthenticator"}, diff --git a/pkg/auth/BUILD.bazel b/pkg/auth/BUILD.bazel index 0e24d418..0e482495 100644 --- a/pkg/auth/BUILD.bazel +++ b/pkg/auth/BUILD.bazel @@ -7,21 +7,28 @@ go_library( "authentication_metadata.go", "authorizer.go", "jmespath_expression_authorizer.go", + "remote_authenticator.go", + "remote_authorizer.go", + "request_headers_authenticator.go", "static_authorizer.go", ], importpath = "github.com/buildbarn/bb-storage/pkg/auth", visibility = ["//visibility:public"], deps = [ + "//pkg/clock", "//pkg/digest", + "//pkg/eviction", "//pkg/otel", "//pkg/proto/auth", "//pkg/util", "@com_github_jmespath_go_jmespath//:go-jmespath", "@io_opentelemetry_go_otel//attribute", + "@org_golang_google_grpc//:grpc", "@org_golang_google_grpc//codes", "@org_golang_google_grpc//status", "@org_golang_google_protobuf//encoding/protojson", "@org_golang_google_protobuf//proto", + "@org_golang_google_protobuf//types/known/structpb", ], ) 
@@ -31,21 +38,28 @@ go_test( "any_authorizer_test.go", "authentication_metadata_test.go", "jmespath_expression_authorizer_test.go", + "remote_authenticator_test.go", + "remote_authorizer_test.go", "static_authorizer_test.go", ], deps = [ ":auth", "//internal/mock", "//pkg/digest", + "//pkg/eviction", "//pkg/proto/auth", "//pkg/testutil", "@com_github_jmespath_go_jmespath//:go-jmespath", "@com_github_stretchr_testify//require", "@io_opentelemetry_go_otel//attribute", "@io_opentelemetry_go_proto_otlp//common/v1:common", + "@org_golang_google_grpc//:grpc", "@org_golang_google_grpc//codes", "@org_golang_google_grpc//status", + "@org_golang_google_protobuf//proto", + "@org_golang_google_protobuf//types/known/emptypb", "@org_golang_google_protobuf//types/known/structpb", + "@org_golang_google_protobuf//types/known/timestamppb", "@org_uber_go_mock//gomock", ], ) diff --git a/pkg/auth/configuration/authorizer_factory.go b/pkg/auth/configuration/authorizer_factory.go index ce1207e0..96bb69b5 100644 --- a/pkg/auth/configuration/authorizer_factory.go +++ b/pkg/auth/configuration/authorizer_factory.go @@ -63,11 +63,11 @@ func (f BaseAuthorizerFactory) NewAuthorizerFromConfiguration(config *pb.Authori if err != nil { return nil, util.StatusWrap(err, "Failed to create authorizer RPC client") } - evictionSet, err := eviction.NewSetFromConfiguration[grpc.RemoteAuthorizerCacheKey](policy.Remote.CacheReplacementPolicy) + evictionSet, err := eviction.NewSetFromConfiguration[auth.RemoteAuthorizerCacheKey](policy.Remote.CacheReplacementPolicy) if err != nil { return nil, util.StatusWrap(err, "Cache replacement policy for remote authorization") } - return grpc.NewRemoteAuthorizer( + return auth.NewRemoteAuthorizer( grpcClient, policy.Remote.Scope, clock.SystemClock, diff --git a/pkg/grpc/remote_authenticator.go b/pkg/auth/remote_authenticator.go similarity index 95% rename from pkg/grpc/remote_authenticator.go rename to pkg/auth/remote_authenticator.go index b00e6ef4..f2b903e5 100644 
--- a/pkg/grpc/remote_authenticator.go +++ b/pkg/auth/remote_authenticator.go @@ -1,4 +1,4 @@ -package grpc +package auth import ( "context" @@ -6,7 +6,6 @@ import ( "sync" "time" - "github.com/buildbarn/bb-storage/pkg/auth" "github.com/buildbarn/bb-storage/pkg/clock" "github.com/buildbarn/bb-storage/pkg/eviction" auth_pb "github.com/buildbarn/bb-storage/pkg/proto/auth" @@ -44,7 +43,7 @@ type remoteAuthCacheEntry struct { type remoteAuthResponse struct { expirationTime time.Time - authMetadata *auth.AuthenticationMetadata + authMetadata *AuthenticationMetadata err error } @@ -88,7 +87,7 @@ func NewRemoteAuthenticator( } } -func (a *remoteAuthenticator) Authenticate(ctx context.Context, headers map[string][]string) (*auth.AuthenticationMetadata, error) { +func (a *remoteAuthenticator) Authenticate(ctx context.Context, headers map[string][]string) (*AuthenticationMetadata, error) { request := &auth_pb.AuthenticateRequest{ RequestMetadata: make(map[string]*auth_pb.AuthenticateRequest_ValueList, len(headers)), Scope: a.scope, @@ -184,7 +183,7 @@ func (a *remoteAuthenticator) authenticateRemotely(ctx context.Context, request switch verdict := response.GetVerdict().(type) { case *auth_pb.AuthenticateResponse_Allow: - ret.authMetadata, err = auth.NewAuthenticationMetadataFromProto(verdict.Allow) + ret.authMetadata, err = NewAuthenticationMetadataFromProto(verdict.Allow) if err != nil { ret.err = util.StatusWrapWithCode(err, codes.Unauthenticated, "Bad authentication response") } diff --git a/pkg/grpc/remote_authenticator_test.go b/pkg/auth/remote_authenticator_test.go similarity index 91% rename from pkg/grpc/remote_authenticator_test.go rename to pkg/auth/remote_authenticator_test.go index 55ca77c4..552bafa8 100644 --- a/pkg/grpc/remote_authenticator_test.go +++ b/pkg/auth/remote_authenticator_test.go @@ -1,4 +1,4 @@ -package grpc_test +package auth_test import ( "context" 
@@ -7,8 +7,8 @@ import ( "time" "github.com/buildbarn/bb-storage/internal/mock" + "github.com/buildbarn/bb-storage/pkg/auth" "github.com/buildbarn/bb-storage/pkg/eviction" - bb_grpc "github.com/buildbarn/bb-storage/pkg/grpc" auth_pb "github.com/buildbarn/bb-storage/pkg/proto/auth" "github.com/buildbarn/bb-storage/pkg/testutil" "github.com/stretchr/testify/require" @@ -33,11 +33,11 @@ func TestRemoteAuthenticatorFailure(t *testing.T) { ).Return(status.Error(codes.Unavailable, "Server offline")) clock.EXPECT().Now().Return(time.Unix(1000, 0)) - authenticator := bb_grpc.NewRemoteAuthenticator( + authenticator := auth.NewRemoteAuthenticator( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](), 100, ) // authMetadata, err := authenticator.Authenticate(ctx) @@ -60,11 +60,11 @@ func TestRemoteAuthenticatorFailure(t *testing.T) { }) clock.EXPECT().Now().Return(time.Unix(1000, 0)) - authenticator := bb_grpc.NewRemoteAuthenticator( + authenticator := auth.NewRemoteAuthenticator( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](), 100, ) // authMetadata, err := authenticator.Authenticate(ctx) 
@@ -101,14 +101,14 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) { return nil } - authenticateAllowFunc := func(authenticator bb_grpc.RequestHeadersAuthenticator, token string) { + authenticateAllowFunc := func(authenticator auth.RequestHeadersAuthenticator, token string) { authMetadata, err := authenticator.Authenticate(ctx, map[string][]string{"Authorization": {token}}) require.NoError(t, err) require.Equal(t, map[string]any{ "public": "You're totally who you say you are: " + token, }, authMetadata.GetRaw()) } - authenticateDenyFunc := func(authenticator bb_grpc.RequestHeadersAuthenticator, token string) { + authenticateDenyFunc := func(authenticator auth.RequestHeadersAuthenticator, token string) { _, err := authenticator.Authenticate(ctx, map[string][]string{"Authorization": {token}}) testutil.RequireEqualStatus( t, @@ -135,11 +135,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) { ).DoAndReturn(remoteService) clock.EXPECT().Now().Return(time.Unix(1000, 0)) - authenticator := bb_grpc.NewRemoteAuthenticator( + authenticator := auth.NewRemoteAuthenticator( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](), 100, ) authMetadata, err := authenticator.Authenticate(ctx, map[string][]string{"Authorization": {"allow1", "token2"}}) @@ -168,11 +168,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) { ).DoAndReturn(remoteService) clock.EXPECT().Now().Return(time.Unix(1000, 0)) - authenticator := bb_grpc.NewRemoteAuthenticator( + authenticator := auth.NewRemoteAuthenticator( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](), 100, ) _, err := authenticator.Authenticate(ctx, map[string][]string{"Authorization": {"deny3", "token4"}}) 
@@ -186,11 +186,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) { client := mock.NewMockClientConnInterface(ctrl) clock := mock.NewMockClock(ctrl) - authenticator := bb_grpc.NewRemoteAuthenticator( + authenticator := auth.NewRemoteAuthenticator( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](), 100, ) @@ -216,11 +216,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1000, 0)).AnyTimes() - authenticator := bb_grpc.NewRemoteAuthenticator( + authenticator := auth.NewRemoteAuthenticator( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](), 2, // Only two spaces in this test. ) @@ -261,11 +261,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1000, 0)).AnyTimes() - authenticator := bb_grpc.NewRemoteAuthenticator( + authenticator := auth.NewRemoteAuthenticator( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](), 100, ) doAuth := func(token string, done chan<- struct{}) { @@ -356,11 +356,11 @@ func TestRemoteAuthenticatorSuccess(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1000, 0)).AnyTimes() - authenticator := bb_grpc.NewRemoteAuthenticator( + authenticator := auth.NewRemoteAuthenticator( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthenticatorCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthenticatorCacheKey](), 100, ) doAuth := func(token string, done chan<- struct{}, verdict string) { 
diff --git a/pkg/grpc/remote_authorizer.go b/pkg/auth/remote_authorizer.go similarity index 97% rename from pkg/grpc/remote_authorizer.go rename to pkg/auth/remote_authorizer.go index a96219d1..a1cbeb9c 100644 --- a/pkg/grpc/remote_authorizer.go +++ b/pkg/auth/remote_authorizer.go @@ -1,4 +1,4 @@ -package grpc +package auth import ( "context" @@ -6,7 +6,6 @@ import ( "sync" "time" - "github.com/buildbarn/bb-storage/pkg/auth" "github.com/buildbarn/bb-storage/pkg/clock" "github.com/buildbarn/bb-storage/pkg/digest" "github.com/buildbarn/bb-storage/pkg/eviction" @@ -69,7 +68,7 @@ func NewRemoteAuthorizer( clock clock.Clock, evictionSet eviction.Set[RemoteAuthorizerCacheKey], maximumCacheSize int, -) auth.Authorizer { +) Authorizer { return &remoteAuthorizer{ remoteAuthClient: auth_pb.NewAuthorizerClient(client), scope: scope, @@ -91,7 +90,7 @@ func (a *remoteAuthorizer) Authorize(ctx context.Context, instanceNames []digest } func (a *remoteAuthorizer) authorizeSingle(ctx context.Context, instanceName digest.InstanceName) error { - authenticationMetadata := auth.AuthenticationMetadataFromContext(ctx) + authenticationMetadata := AuthenticationMetadataFromContext(ctx) request := &auth_pb.AuthorizeRequest{ AuthenticationMetadata: authenticationMetadata.GetFullProto(), Scope: a.scope, diff --git a/pkg/grpc/remote_authorizer_test.go b/pkg/auth/remote_authorizer_test.go similarity index 93% rename from pkg/grpc/remote_authorizer_test.go rename to pkg/auth/remote_authorizer_test.go index 23c00526..cacfe4fc 100644 --- a/pkg/grpc/remote_authorizer_test.go +++ b/pkg/auth/remote_authorizer_test.go @@ -1,4 +1,4 @@ -package grpc_test +package auth_test import ( "context" 
@@ -10,7 +10,6 @@ import ( "github.com/buildbarn/bb-storage/pkg/auth" "github.com/buildbarn/bb-storage/pkg/digest" "github.com/buildbarn/bb-storage/pkg/eviction" - bb_grpc "github.com/buildbarn/bb-storage/pkg/grpc" auth_pb "github.com/buildbarn/bb-storage/pkg/proto/auth" "github.com/buildbarn/bb-storage/pkg/testutil" "github.com/stretchr/testify/require" @@ -36,11 +35,11 @@ func TestRemoteAuthorizerFailure(t *testing.T) { ).Return(status.Error(codes.Unavailable, "Server offline")) clock.EXPECT().Now().Return(time.Unix(1000, 0)) - authorizer := bb_grpc.NewRemoteAuthorizer( + authorizer := auth.NewRemoteAuthorizer( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthorizerCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthorizerCacheKey](), 100, ) errs := authorizer.Authorize(ctx, []digest.InstanceName{digest.MustNewInstanceName("allowed")}) @@ -60,11 +59,11 @@ func TestRemoteAuthorizerFailure(t *testing.T) { }) clock.EXPECT().Now().Return(time.Unix(1000, 0)) - authorizer := bb_grpc.NewRemoteAuthorizer( + authorizer := auth.NewRemoteAuthorizer( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthorizerCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthorizerCacheKey](), 100, ) errs := authorizer.Authorize(ctx, []digest.InstanceName{digest.MustNewInstanceName("allowed")}) @@ -149,11 +148,11 @@ func TestRemoteAuthorizerSuccess(t *testing.T) { ).DoAndReturn(remoteService) clock.EXPECT().Now().Return(time.Unix(1000, 0)).Times(2) - authorizer := bb_grpc.NewRemoteAuthorizer( + authorizer := auth.NewRemoteAuthorizer( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthorizerCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthorizerCacheKey](), 100, ) errs := authorizer.Authorize(authCtx, []digest.InstanceName{ 
@@ -173,11 +172,11 @@ func TestRemoteAuthorizerSuccess(t *testing.T) { client := mock.NewMockClientConnInterface(ctrl) clock := mock.NewMockClock(ctrl) - authorizer := bb_grpc.NewRemoteAuthorizer( + authorizer := auth.NewRemoteAuthorizer( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthorizerCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthorizerCacheKey](), 100, ) @@ -203,11 +202,11 @@ func TestRemoteAuthorizerSuccess(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1000, 0)).AnyTimes() - authorizer := bb_grpc.NewRemoteAuthorizer( + authorizer := auth.NewRemoteAuthorizer( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthorizerCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthorizerCacheKey](), 100, ) @@ -239,11 +238,11 @@ func TestRemoteAuthorizerSuccess(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1000, 0)).AnyTimes() - authorizer := bb_grpc.NewRemoteAuthorizer( + authorizer := auth.NewRemoteAuthorizer( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthorizerCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthorizerCacheKey](), 2, // Only two spaces in this test. ) @@ -284,11 +283,11 @@ func TestRemoteAuthorizerSuccess(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1000, 0)).AnyTimes() - authorizer := bb_grpc.NewRemoteAuthorizer( + authorizer := auth.NewRemoteAuthorizer( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthorizerCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthorizerCacheKey](), 100, ) doAuth := func(name string, done chan<- struct{}) { 
@@ -382,11 +381,11 @@ func TestRemoteAuthorizerSuccess(t *testing.T) { clock.EXPECT().Now().Return(time.Unix(1000, 0)).AnyTimes() - authorizer := bb_grpc.NewRemoteAuthorizer( + authorizer := auth.NewRemoteAuthorizer( client, structpb.NewStringValue("auth-scope"), clock, - eviction.NewLRUSet[bb_grpc.RemoteAuthorizerCacheKey](), + eviction.NewLRUSet[auth.RemoteAuthorizerCacheKey](), 100, ) doAuth := func(name string, done chan<- struct{}, verdict string) { diff --git a/pkg/grpc/request_headers_authenticator.go b/pkg/auth/request_headers_authenticator.go similarity index 74% rename from pkg/grpc/request_headers_authenticator.go rename to pkg/auth/request_headers_authenticator.go index 6e09abef..263e8d98 100644 --- a/pkg/grpc/request_headers_authenticator.go +++ b/pkg/auth/request_headers_authenticator.go @@ -1,13 +1,11 @@ -package grpc +package auth import ( "context" - - "github.com/buildbarn/bb-storage/pkg/auth" ) // RequestHeadersAuthenticator can be used to grant or deny access to a server // based on request headers, typically from an HTTP or gRPC request. type RequestHeadersAuthenticator interface { - Authenticate(ctx context.Context, headers map[string][]string) (*auth.AuthenticationMetadata, error) + Authenticate(ctx context.Context, headers map[string][]string) (*AuthenticationMetadata, error) } diff --git a/pkg/grpc/BUILD.bazel b/pkg/grpc/BUILD.bazel index b039eebb..103b134b 100644 --- a/pkg/grpc/BUILD.bazel +++ b/pkg/grpc/BUILD.bazel @@ -27,10 +27,7 @@ go_library( "peer_transport_credentials_linux.go", "proto_trace_attributes_extractor.go", "proxy_dialer.go", - "remote_authenticator.go", - "remote_authorizer.go", - "remote_grpc_request_authenticator.go", - "request_headers_authenticator.go", + "remote_request_authenticator.go", "request_metadata_tracing_interceptor.go", "server.go", "tls_client_certificate_authenticator.go", @@ -40,7 +37,6 @@ go_library( deps = [ "//pkg/auth", "//pkg/clock", - "//pkg/digest", "//pkg/eviction", "//pkg/jwt", "//pkg/program", 
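Review bot: The RequestHeadersAuthenticator doc comment does not say in which form header keys are passed, and now that the interface is shared by the gRPC and HTTP servers that matters: the HTTP caller later in this diff rejects non-canonical keys and forwards canonical form, whereas gRPC metadata keys are conventionally lowercase, so the same header could reach a remote service (and anything keyed on the forwarded headers) as both `Authorization` and `authorization` unless the gRPC caller normalises — which this diff does not show. I would pin the contract in the interface comment, e.g. `// Header keys are passed in canonical HTTP form (e.g. "Authorization"), and implementations are called concurrently from request handlers.`, adjusting the casing statement to whatever the gRPC caller actually does. The interface is complete within the hunk.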
@@ -69,7 +65,6 @@ go_library( "@org_golang_google_protobuf//encoding/prototext", "@org_golang_google_protobuf//proto", "@org_golang_google_protobuf//reflect/protoreflect", - "@org_golang_google_protobuf//types/known/structpb", "@org_golang_x_sync//semaphore", ] + select({ "@rules_go//go/platform:android": [ @@ -107,9 +102,7 @@ go_test( "metadata_forwarding_and_reusing_interceptor_test.go", "peer_credentials_authenticator_test.go", "proto_trace_attributes_extractor_test.go", - "remote_authenticator_test.go", - "remote_authorizer_test.go", - "remote_grpc_request_authenticator_test.go", + "remote_request_authenticator_test.go", "request_metadata_tracing_interceptor_test.go", "tls_client_certificate_authenticator_test.go", ] + select({ @@ -134,8 +127,6 @@ go_test( ":grpc", "//internal/mock", "//pkg/auth", - "//pkg/digest", - "//pkg/eviction", "//pkg/proto/auth", "//pkg/proto/configuration/grpc", "//pkg/testutil", @@ -154,7 +145,6 @@ go_test( "@org_golang_google_protobuf//proto", "@org_golang_google_protobuf//types/known/emptypb", "@org_golang_google_protobuf//types/known/structpb", - "@org_golang_google_protobuf//types/known/timestamppb", "@org_uber_go_mock//gomock", ], ) diff --git a/pkg/grpc/authenticator.go b/pkg/grpc/authenticator.go index 40908e5e..dbf2f6ef 100644 --- a/pkg/grpc/authenticator.go +++ b/pkg/grpc/authenticator.go @@ -103,7 +103,7 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic if err != nil { return nil, false, false, err } - return NewRemoteGrpcRequestAuthenticator(authenticator, policyKind.Remote.Headers), false, false, nil + return NewRemoteRequestAuthenticator(authenticator, policyKind.Remote.Headers), false, false, nil default: return nil, false, false, status.Error(codes.InvalidArgument, "Configuration did not contain an authentication policy type") } 
@@ -112,16 +112,16 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic // NewRequestHeadersAuthenticatorFromConfiguration creates an Authenticator that // forwards authentication requests to a remote gRPC service. This is a // convenient way to integrate custom authentication processes. -func NewRequestHeadersAuthenticatorFromConfiguration(configuration *configuration.RemoteAuthenticationPolicy, grpcClientFactory ClientFactory) (RequestHeadersAuthenticator, error) { +func NewRequestHeadersAuthenticatorFromConfiguration(configuration *configuration.RemoteAuthenticationPolicy, grpcClientFactory ClientFactory) (auth.RequestHeadersAuthenticator, error) { grpcClient, err := grpcClientFactory.NewClientFromConfiguration(configuration.Endpoint) if err != nil { return nil, util.StatusWrap(err, "Failed to create authenticator RPC client") } - evictionSet, err := eviction.NewSetFromConfiguration[RemoteAuthenticatorCacheKey](configuration.CacheReplacementPolicy) + evictionSet, err := eviction.NewSetFromConfiguration[auth.RemoteAuthenticatorCacheKey](configuration.CacheReplacementPolicy) if err != nil { return nil, util.StatusWrap(err, "Cache replacement policy for remote authentication") } - return NewRemoteAuthenticator( + return auth.NewRemoteAuthenticator( grpcClient, configuration.Scope, clock.SystemClock, diff --git a/pkg/grpc/remote_grpc_request_authenticator.go b/pkg/grpc/remote_request_authenticator.go similarity index 67% rename from pkg/grpc/remote_grpc_request_authenticator.go rename to pkg/grpc/remote_request_authenticator.go index 0c50946f..1a522eb7 100644 --- a/pkg/grpc/remote_grpc_request_authenticator.go +++ b/pkg/grpc/remote_request_authenticator.go 
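Review bot: NewRequestHeadersAuthenticatorFromConfiguration now returns an auth.RequestHeadersAuthenticator assembled entirely from pkg/auth and pkg/eviction types, with pkg/grpc contributing only the ClientFactory; since the authorizer counterpart already lives in pkg/auth/configuration (authorizer_factory.go, earlier in this diff), this factory would sit more naturally beside it, and that would spare pkg/http an import of pkg/grpc if that is how it obtains its backend, which the diff does not show. The doc comment also still says it "creates an Authenticator" although the return type is now the auth interface; `// NewRequestHeadersAuthenticatorFromConfiguration creates an auth.RequestHeadersAuthenticator that forwards authentication requests to a remote gRPC service.` The function body continues outside the hunk.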
@@ -9,25 +9,25 @@ import ( "google.golang.org/grpc/status" ) -type remoteGrpcRequestAuthenticator struct { - remoteAuthenticator RequestHeadersAuthenticator +type remoteRequestAuthenticator struct { + remoteAuthenticator auth.RequestHeadersAuthenticator headerKeys []string } -// NewRemoteGrpcRequestAuthenticator creates a new Authenticator for incoming gRPC +// NewRemoteRequestAuthenticator creates a new Authenticator for incoming gRPC // requests that forwards configured headers to a remote service for // authentication. The result from the remote service is cached. -func NewRemoteGrpcRequestAuthenticator( - remoteAuthenticator RequestHeadersAuthenticator, +func NewRemoteRequestAuthenticator( + remoteAuthenticator auth.RequestHeadersAuthenticator, headerKeys []string, ) Authenticator { - return &remoteGrpcRequestAuthenticator{ + return &remoteRequestAuthenticator{ remoteAuthenticator: remoteAuthenticator, headerKeys: headerKeys, } } -func (a *remoteGrpcRequestAuthenticator) Authenticate(ctx context.Context) (*auth.AuthenticationMetadata, error) { +func (a *remoteRequestAuthenticator) Authenticate(ctx context.Context) (*auth.AuthenticationMetadata, error) { metadata, ok := metadata.FromIncomingContext(ctx) if !ok { return nil, status.Error(codes.Unauthenticated, "Not called from within an incoming gRPC context") diff --git a/pkg/grpc/remote_grpc_request_authenticator_test.go b/pkg/grpc/remote_request_authenticator_test.go similarity index 91% rename from pkg/grpc/remote_grpc_request_authenticator_test.go rename to pkg/grpc/remote_request_authenticator_test.go index 5793ecee..0f5e9973 100644 --- a/pkg/grpc/remote_grpc_request_authenticator_test.go +++ b/pkg/grpc/remote_request_authenticator_test.go 
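Review bot: In remoteRequestAuthenticator.Authenticate the local `metadata, ok := metadata.FromIncomingContext(ctx)` shadows the imported metadata package for the rest of the method, which is easy to trip over when the body (which continues outside this hunk) is later extended; `md, ok := metadata.FromIncomingContext(ctx)` avoids that, though the remaining uses outside the hunk would need the same rename. The constructor comment also asserts "The result from the remote service is cached", but this type only forwards headers to whatever auth.RequestHeadersAuthenticator it is handed; caching is a property of the backend (auth.NewRemoteAuthenticator, judging by its eviction set), so I would reword it to `// Whether verdicts are cached depends on the remoteAuthenticator implementation.`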
@@ -17,7 +17,7 @@ import ( "google.golang.org/protobuf/types/known/structpb" ) -func TestRemoteGrpcRequestAuthenticator(t *testing.T) { +func TestRemoteRequestAuthenticator(t *testing.T) { ctrl, ctx := gomock.WithContext(context.Background(), t) md := metadata.New( map[string]string{ @@ -42,7 +42,7 @@ func TestRemoteGrpcRequestAuthenticator(t *testing.T) { Public: structpb.NewStringValue("You're totally who you say you are"), }), nil) - authenticator := bb_grpc.NewRemoteGrpcRequestAuthenticator( + authenticator := bb_grpc.NewRemoteRequestAuthenticator( backend, []string{ "Authorization", @@ -63,7 +63,7 @@ func TestRemoteGrpcRequestAuthenticator(t *testing.T) { grpcCtx, map[string][]string{}, ).Return(nil, status.Error(codes.Unavailable, "Server offline")) - authenticator := bb_grpc.NewRemoteGrpcRequestAuthenticator( + authenticator := bb_grpc.NewRemoteRequestAuthenticator( backend, headerKeys, ) diff --git a/pkg/http/BUILD.bazel b/pkg/http/BUILD.bazel index 68e0dd78..ebd41e83 100644 --- a/pkg/http/BUILD.bazel +++ b/pkg/http/BUILD.bazel @@ -15,7 +15,7 @@ go_library( "metrics_handler.go", "metrics_round_tripper.go", "oidc_authenticator.go", - "remote_http_request_authenticator.go", + "remote_request_authenticator.go", "server.go", "status_code.go", ], @@ -51,7 +51,7 @@ go_test( "allow_authenticator_test.go", "deny_authenticator_test.go", "oidc_authenticator_test.go", - "remote_http_request_authenticator_test.go", + "remote_request_authenticator_test.go", ], deps = [ ":http", diff --git a/pkg/http/authenticator.go b/pkg/http/authenticator.go index d6681fe9..e7c99f98 100644 --- a/pkg/http/authenticator.go +++ b/pkg/http/authenticator.go 
@@ -130,7 +130,7 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic if err != nil { return nil, err } - return NewRemoteHTTPRequestAuthenticator(backend, policyKind.Remote.Headers) + return NewRemoteRequestAuthenticator(backend, policyKind.Remote.Headers) default: return nil, status.Error(codes.InvalidArgument, "Configuration did not contain an authentication policy type") } diff --git a/pkg/http/remote_http_request_authenticator.go b/pkg/http/remote_request_authenticator.go similarity index 65% rename from pkg/http/remote_http_request_authenticator.go rename to pkg/http/remote_request_authenticator.go index 0285f9b6..dbfc5466 100644 --- a/pkg/http/remote_http_request_authenticator.go +++ b/pkg/http/remote_request_authenticator.go @@ -4,21 +4,20 @@ import ( "net/http" "github.com/buildbarn/bb-storage/pkg/auth" - bb_grpc "github.com/buildbarn/bb-storage/pkg/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) -type remoteHTTPRequestAuthenticator struct { - remoteAuthenticator bb_grpc.RequestHeadersAuthenticator +type remoteRequestAuthenticator struct { + remoteAuthenticator auth.RequestHeadersAuthenticator headerKeys []string } -// NewRemoteHTTPRequestAuthenticator creates a new Authenticator for incoming gRPC +// NewRemoteRequestAuthenticator creates a new Authenticator for incoming gRPC // requests that forwards configured headers to a remote service for // authentication. The result from the remote service is cached. -func NewRemoteHTTPRequestAuthenticator( - remoteAuthenticator bb_grpc.RequestHeadersAuthenticator, +func NewRemoteRequestAuthenticator( + remoteAuthenticator auth.RequestHeadersAuthenticator, headerKeys []string, ) (Authenticator, error) { for _, key := range headerKeys { 
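Review bot: The doc comment on NewRemoteRequestAuthenticator in pkg/http still says "for incoming gRPC requests", copied from the gRPC variant, which is wrong for a type whose Authenticate takes an *http.Request, and its "result ... is cached" claim describes the backend rather than this wrapper. I would replace the three comment lines with `// NewRemoteRequestAuthenticator creates an Authenticator for incoming HTTP requests that forwards the configured headers (canonical form only) to a remote service for authentication; caching, if any, is done by remoteAuthenticator.` The constructor body continues in the next hunk.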
@@ -26,13 +25,13 @@ func NewRemoteHTTPRequestAuthenticator( return nil, status.Errorf(codes.InvalidArgument, "Header key %#v is not canonical, did you mean %#v?", key, canonicalHeaderKey) } } - return &remoteHTTPRequestAuthenticator{ + return &remoteRequestAuthenticator{ remoteAuthenticator: remoteAuthenticator, headerKeys: headerKeys, }, nil } -func (a *remoteHTTPRequestAuthenticator) Authenticate(w http.ResponseWriter, r *http.Request) (*auth.AuthenticationMetadata, error) { +func (a *remoteRequestAuthenticator) Authenticate(w http.ResponseWriter, r *http.Request) (*auth.AuthenticationMetadata, error) { requestHeaders := make(map[string][]string, len(a.headerKeys)) for _, key := range a.headerKeys { if values, ok := r.Header[key]; ok { diff --git a/pkg/http/remote_http_request_authenticator_test.go b/pkg/http/remote_request_authenticator_test.go similarity index 93% rename from pkg/http/remote_http_request_authenticator_test.go rename to pkg/http/remote_request_authenticator_test.go index 275c50fe..1de15539 100644 --- a/pkg/http/remote_http_request_authenticator_test.go +++ b/pkg/http/remote_request_authenticator_test.go @@ -40,7 +40,7 @@ func TestRemoteHttpRequestAuthenticator(t *testing.T) { Public: structpb.NewStringValue("You're totally who you say you are"), }), nil) - authenticator, err := bb_http.NewRemoteHTTPRequestAuthenticator( + authenticator, err := bb_http.NewRemoteRequestAuthenticator( backend, []string{ "Authorization", @@ -64,7 +64,7 @@ func TestRemoteHttpRequestAuthenticator(t *testing.T) { ctx, map[string][]string{}, ).Return(nil, status.Error(codes.Unauthenticated, "Server offline")) - authenticator, err := bb_http.NewRemoteHTTPRequestAuthenticator( + authenticator, err := bb_http.NewRemoteRequestAuthenticator( backend, []string{}, ) 
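Review bot: remoteRequestAuthenticator.Authenticate has no doc comment, and the behaviour worth stating is visible in the loop: only the configured header keys are copied out of r.Header, and a header absent from the request is omitted from the map rather than forwarded as an empty list, so the remote service cannot tell "not configured" from "not sent". I would add `// Authenticate forwards only the configured headers to the remote authenticator; headers missing from the request are omitted and nothing else in r.Header is ever sent.` Note that `values` aliases the slice inside r.Header, so a backend that retains the map should copy it — whether it does is not visible here. The method body, including the handling of the backend's error, continues outside the hunk.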
@@ -80,7 +80,7 @@ func TestRemoteHttpRequestAuthenticator(t *testing.T) { // The current implementation forwards headers in canonical form, so don't // allow configuring headers in other forms as that may confuse the users. t.Run("OnlyAcceptCanonicalHeaders", func(t *testing.T) { - _, err := bb_http.NewRemoteHTTPRequestAuthenticator( + _, err := bb_http.NewRemoteRequestAuthenticator( backend, []string{"Non-CANONICAL-Header"}, )
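Review bot: The test function keeps the old name TestRemoteHttpRequestAuthenticator even though the file, type and constructor were renamed to remote_request_authenticator / NewRemoteRequestAuthenticator, while the gRPC counterpart was renamed to TestRemoteRequestAuthenticator in the same commit; `func TestRemoteRequestAuthenticator(t *testing.T) {` keeps the two packages' tests parallel. The enclosing test function begins outside the hunk; only the t.Run body is visible here.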