rpcauth

package
v1.38.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 20, 2024 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Overview

Package rpcauth provides OPA policy authorization for Sansshell RPCs.

Index

Constants

View Source
const (
	// ReqJustKey is the key name that must exist in the incoming
	// context metadata if client side provided justification is required.
	ReqJustKey = "sansshell-justification"
)

Variables

View Source
var (
	// ErrJustification is the error returned for missing justification.
	ErrJustification = status.Error(codes.FailedPrecondition, "missing justification")
)

Functions

func AddPeerToContext added in v1.25.0

func AddPeerToContext(ctx context.Context, p *PeerAuthInput) context.Context

AddPeerToContext adds a PeerAuthInput to the context. This is typically added by the rpcauth grpc interceptors.

Types

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

An Authorizer performs authorization of Sanshsell RPCs based on an OPA/Rego policy.

It can be used as both a unary and stream interceptor, or manually invoked to perform policy checks using `Eval`

func New

func New(policy *opa.AuthzPolicy, authzHooks ...RPCAuthzHook) *Authorizer

New creates a new Authorizer from an opa.AuthzPolicy. Any supplied authorization hooks will be executed, in the order provided, on each policy evauluation. NOTE: The policy is used for both client and server hooks below. If you need

distinct policy for client vs server, create 2 Authorizer's.

func NewWithPolicy

func NewWithPolicy(ctx context.Context, policy string, authzHooks ...RPCAuthzHook) (*Authorizer, error)

NewWithPolicy creates a new Authorizer from a policy string. Any supplied authorization hooks will be executed, in the order provided, on each policy evaluation. NOTE: The policy is used for both client and server hooks below. If you need

distinct policy for client vs server, create 2 Authorizer's.

func (*Authorizer) Authorize

func (g *Authorizer) Authorize(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)

Authorize implements grpc.UnaryServerInterceptor

func (*Authorizer) AuthorizeClient added in v1.0.9

func (g *Authorizer) AuthorizeClient(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error

AuthorizeClient implements grpc.UnaryClientInterceptor

func (*Authorizer) AuthorizeClientStream added in v1.0.9

func (g *Authorizer) AuthorizeClientStream(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, streamer grpc.Streamer, opts ...grpc.CallOption) (grpc.ClientStream, error)

AuthorizeClientStream implements grpc.StreamClientInterceptor and applies policy checks on any SendMsg calls.

func (*Authorizer) AuthorizeStream

func (g *Authorizer) AuthorizeStream(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error

AuthorizeStream implements grpc.StreamServerInterceptor and applies policy checks on any RecvMsg calls.

func (*Authorizer) Eval

func (g *Authorizer) Eval(ctx context.Context, input *RPCAuthInput) error

Eval will evalulate the supplied input against the authorization policy, returning nil iff policy evaulation was successful, and the request is permitted, or an appropriate status.Error otherwise. Any input hooks will be executed prior to policy evaluation, and may mutate `input`, regardless of the the success or failure of policy.

type CertAuthInput

type CertAuthInput struct {
	// The certificate subject
	Subject pkix.Name `json:"subject"`

	// The certificate issuer
	Issuer pkix.Name `json:"issuer"`

	// DNS names, from SubjectAlternativeName
	DNSNames []string `json:"dnsnames"`

	// The raw SPIFFE identifier, if present
	SPIFFEID string `json:"spiffeid"`
}

CertAuthInput contains policy-relevant information derived from a certificate

func CertInputFrom

func CertInputFrom(authInfo credentials.AuthInfo) *CertAuthInput

CertInputFrom populates certificate information from the supplied credentials, if available.

type EnvironmentInput added in v1.10.0

type EnvironmentInput struct {
	// True if the policy evaluation is being performed by some entity other than the host
	// (for example, policy checks performed by an authorizing proxy or other agent)
	NonHostPolicyCheck bool `json:"non_host_policy_check"`
}

EnvironmentInput contains information about the environment in which the policy evaluation is happening.

type HookPredicate

type HookPredicate func(*RPCAuthInput) bool

A HookPredicate returns true if a conditional hook should run

type HostAuthInput

type HostAuthInput struct {
	// The host address
	Net *NetAuthInput `json:"net"`

	// Information about the certificate served by the host, if any
	Cert *CertAuthInput `json:"cert"`

	// Information about the principal associated with the host, if any
	Principal *PrincipalAuthInput `json:"principal"`
}

HostAuthInput contains policy-relevant information about the system receiving an RPC

type NetAuthInput

type NetAuthInput struct {
	// The 'network' as returned by net.Addr.Network() (e.g. "tcp", "udp")
	Network string `json:"network"`

	// The address string, as returned by net.Addr.String(), with port (if any) removed
	Address string `json:"address"`

	// The port, as parsed from net.Addr.String(), if present
	Port string `json:"port"`
}

NetAuthInput contains policy-relevant information related to a network endpoint

func NetInputFromAddr

func NetInputFromAddr(addr net.Addr) *NetAuthInput

NetInputFromAddr returns NetAuthInput from the supplied net.Addr

type PeerAuthInput

type PeerAuthInput struct {
	// Network information about the peer
	Net *NetAuthInput `json:"net"`

	// Unix peer credentials if peer connects via Unix socket, nil otherwise
	Unix *UnixAuthInput `json:"unix"`

	// Information about the certificate presented by the peer, if any
	Cert *CertAuthInput `json:"cert"`

	// Information about the principal associated with the peer, if any
	Principal *PrincipalAuthInput `json:"principal"`
}

PeerAuthInput contains policy-relevant information about an RPC peer.

func PeerInputFromContext

func PeerInputFromContext(ctx context.Context) *PeerAuthInput

PeerInputFromContext populates peer information from the supplied context, if available.

type PrincipalAuthInput

type PrincipalAuthInput struct {
	// The principal identifier (e.g. a username or service role)
	ID string `json:"id"`

	// Auxilliary groups associated with this principal.
	Groups []string `json:"groups"`
}

PrincipalAuthInput contains policy-relevant information about the principal associated with an operation.

type RPCAuthInput

type RPCAuthInput struct {
	// The GRPC method name, as '/Package.Service/Method'
	Method string `json:"method"`

	// The request protocol buffer, serialized as JSON.
	Message json.RawMessage `json:"message"`

	// The message type as 'Package.Message'
	MessageType string `json:"type"`

	// Raw grpc metdata associated with this call.
	Metadata metadata.MD `json:"metadata"`

	// Information about the calling peer, if available.
	Peer *PeerAuthInput `json:"peer"`

	// Information about the host serving the RPC.
	Host *HostAuthInput `json:"host"`

	// Information about approvers when using multi-party authentication.
	Approvers []*PrincipalAuthInput `json:"approvers"`

	// Information about the environment in which the policy evaluation is
	// happening.
	Environment *EnvironmentInput `json:"environment"`

	// Implementation specific extensions.
	Extensions json.RawMessage `json:"extensions"`

	// TargetConn is a connection to the target under evaluation. It is only non-nil when
	// the policy evaluation is being performed by some entity other than the host and
	// can be used in rpcauth hooks to gather information by making RPC calls to the
	// host.
	// TargetConn is not exposed to policy evaluation.
	TargetConn grpc.ClientConnInterface `json:"-"`
}

RPCAuthInput is used as policy input to validate Sansshell RPCs

func NewRPCAuthInput

func NewRPCAuthInput(ctx context.Context, method string, req proto.Message) (*RPCAuthInput, error)

NewRPCAuthInput creates RpcAuthInput for the supplied method and request, deriving other information (if available) from the context.

type RPCAuthzHook

type RPCAuthzHook interface {
	Hook(context.Context, *RPCAuthInput) error
}

A RPCAuthzHook is invoked on populated RpcAuthInput prior to policy evaluation, and may augment / mutate the input, or pre-emptively reject a request.

func HookIf

func HookIf(hook RPCAuthzHook, condition HookPredicate) RPCAuthzHook

HookIf wraps an existing hook, and only executes it when the provided condition returns true

func HostNetHook

func HostNetHook(addr net.Addr) RPCAuthzHook

HostNetHook returns an RPCAuthzHook that sets host networking information.

func JustificationHook added in v1.0.3

func JustificationHook(justificationFunc func(string) error) RPCAuthzHook

JustificationHook takes the given optional justification function and returns an RPCAuthzHook that validates if justification was included. If it is required and passes the optional validation function it will return nil, otherwise an error.

func PeerPrincipalFromCertHook added in v1.24.8

func PeerPrincipalFromCertHook() RPCAuthzHook

PeerPrincipalFromCertHook returns an RPCAuthzHook that sets principal information based on the peer's certificate, using the common name as the id and the organizational units as the groups.

type RPCAuthzHookFunc

type RPCAuthzHookFunc func(context.Context, *RPCAuthInput) error

RPCAuthzHookFunc implements RpcAuthzHook for a simple function

func (RPCAuthzHookFunc) Hook

func (r RPCAuthzHookFunc) Hook(ctx context.Context, input *RPCAuthInput) error

Hook runs the hook function on the given input

type UnixAuthInput added in v1.38.0

type UnixAuthInput struct {
	// The user ID of the peer.
	Uid int `json:"uid"`

	// The username of the peer, or the stringified UID if user is not known.
	UserName string `json:"username"`

	// The group IDs (primary and supplementary) of the peer.
	Gids []int `json:"gids"`

	// The group names of the peer. If not available, the stringified IDs is used.
	GroupNames []string `json:"groupnames"`
}

UnixAuthInput contains information about a Unix socket peer.

func UnixInputFrom added in v1.38.0

func UnixInputFrom(authInfo credentials.AuthInfo) *UnixAuthInput

UnixInputFrom returns UnixAuthInput from the supplied credentials, if available.

type UnixPeerAuthInfo added in v1.38.0

type UnixPeerAuthInfo struct {
	credentials.CommonAuthInfo
	Credentials UnixPeerCredentials
}

UnixPeerAuthInfo contains the authentication information for a Unix peer, in a form suitable for authentication info returned by gRPC transport credentials.

func (UnixPeerAuthInfo) AuthType added in v1.38.0

func (UnixPeerAuthInfo) AuthType() string

type UnixPeerCredentials added in v1.38.0

type UnixPeerCredentials struct {
	Uid        int
	Gids       []int // Primary and supplementary group IDs.
	UserName   string
	GroupNames []string
}

UnixPeerCreds represents the credentials of a Unix peer.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL