

Add a "shared reader" auth mode for accessing caches without a project or admin token
airhorns authored and angelini committed May 8, 2024
1 parent 50e15c9 commit e5fa9bf
Showing 2 changed files with 32 additions and 6 deletions.
18 changes: 13 additions & 5 deletions internal/auth/auth.go
Expand Up @@ -18,9 +18,10 @@ const (
type Role int

const (
None Role = iota
Project
Admin
None Role = iota
Project // read and write to one project
Admin // read and write to any project
SharedReader // read the shared caches, but no specific project data
)

type Auth struct {
Expand All @@ -36,14 +37,17 @@ func (a Auth) String() string {
return fmt.Sprintf("project[%d]", *a.Project)
case Admin:
return "admin"
case SharedReader:
return "sharedReader"
default:
return "unknown"
}
}

var (
noAuth = Auth{Role: None}
adminAuth = Auth{Role: Admin}
noAuth = Auth{Role: None}
adminAuth = Auth{Role: Admin}
sharedReaderAuth = Auth{Role: SharedReader}
)

type AuthValidator struct {
Expand Down Expand Up @@ -71,6 +75,10 @@ func (av *AuthValidator) Validate(ctx context.Context, token string) (Auth, erro
return adminAuth, nil
}

if payload.Subject == "shared-reader" {
return sharedReaderAuth, nil
}

project, err := strconv.ParseInt(payload.Subject, 10, 64)
if err != nil {
return noAuth, fmt.Errorf("parse Paseto subject %v: %w", payload.Subject, err)
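Review bot: The subject comparison `if payload.Subject == "shared-reader" {` in Validate introduces a bare string literal that both the token issuer and this validator must agree on; hoisting it to a package constant, `const sharedReaderSubject = "shared-reader"`, and comparing against that makes the contract explicit and greppable. The admin branch immediately above is only partly visible, so if it uses the same pattern the constant should cover both. The new exported `SharedReader` value would also benefit from a doc comment in the Go style (`// SharedReader grants read access to the shared caches but to no specific project's data.`) rather than the trailing comment, since tools surface leading doc comments on exported constants. Validate's body starts before and ends after the hunk.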
20 changes: 19 additions & 1 deletion pkg/api/fs.go
Expand Up @@ -46,6 +46,24 @@ func requireProjectAuth(ctx context.Context) (int64, error) {
return -1, status.Errorf(codes.PermissionDenied, "FS endpoint requires project access")
}

func requireSharedReaderAuth(ctx context.Context) error {
ctxAuth := ctx.Value(auth.AuthCtxKey).(auth.Auth)

if ctxAuth.Role == auth.Admin {
return nil
}

if ctxAuth.Role == auth.Project {
return nil
}

if ctxAuth.Role == auth.SharedReader {
return nil
}

return status.Errorf(codes.PermissionDenied, "FS endpoint requires shared reader access")
}

type Fs struct {
pb.UnimplementedFsServer

Expand Down Expand Up @@ -948,7 +966,7 @@ func (f *Fs) GetCache(req *pb.GetCacheRequest, stream pb.Fs_GetCacheServer) erro
ctx := stream.Context()
trace.SpanFromContext(ctx)

_, err := requireProjectAuth(ctx)
err := requireSharedReaderAuth(ctx)
if err != nil {
return err
}
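Review bot: The unchecked assertion `ctxAuth := ctx.Value(auth.AuthCtxKey).(auth.Auth)` in requireSharedReaderAuth panics when the context carries no auth value instead of returning a denial; requireProjectAuth's body begins outside the hunk, so it may share that assumption, but the new helper can use the two-value form: `ctxAuth, ok := ctx.Value(auth.AuthCtxKey).(auth.Auth)` followed by `if !ok { return status.Errorf(codes.Unauthenticated, "FS endpoint requires authentication") }`. The three consecutive role checks read more clearly as one `switch ctxAuth.Role { case auth.Admin, auth.Project, auth.SharedReader: return nil }`. Because the denial message names only shared reader access while Admin and Project are also accepted, a doc comment would help callers and auditors: `// requireSharedReaderAuth permits the Admin, Project and SharedReader roles to read the shared caches; any other role is denied.`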
