@@ -84,6 +84,7 @@ func newRpcProxy(cfg *Config, validator macaroons.MacaroonValidator,
8484 p := & rpcProxy {
8585 cfg : cfg ,
8686 basicAuth : basicAuth ,
87+ permissionMap : permissionMap ,
8788 macValidator : validator ,
8889 superMacValidator : superMacValidator ,
8990 bufListener : bufListener ,
@@ -92,12 +93,8 @@ func newRpcProxy(cfg *Config, validator macaroons.MacaroonValidator,
9293 // From the grpxProxy doc: This codec is *crucial* to the
9394 // functioning of the proxy.
9495 grpc .CustomCodec (grpcProxy .Codec ()), // nolint:staticcheck
95- grpc .ChainStreamInterceptor (p .StreamServerInterceptor (
96- permissionMap ,
97- )),
98- grpc .ChainUnaryInterceptor (p .UnaryServerInterceptor (
99- permissionMap ,
100- )),
96+ grpc .ChainStreamInterceptor (p .StreamServerInterceptor ),
97+ grpc .ChainUnaryInterceptor (p .UnaryServerInterceptor ),
10198 grpc .UnknownServiceHandler (
10299 grpcProxy .TransparentHandler (p .director ),
103100 ),
@@ -156,8 +153,9 @@ func newRpcProxy(cfg *Config, validator macaroons.MacaroonValidator,
156153// +---------------------+
157154//
158155type rpcProxy struct {
159- cfg * Config
160- basicAuth string
156+ cfg * Config
157+ basicAuth string
158+ permissionMap map [string ][]bakery.Op
161159
162160 macValidator macaroons.MacaroonValidator
163161 superMacValidator session.SuperMacaroonValidator
@@ -346,93 +344,86 @@ func (p *rpcProxy) director(ctx context.Context,
346344
347345// UnaryServerInterceptor is a gRPC interceptor that checks whether the
348346// request is authorized by the included macaroons.
349- func (p * rpcProxy ) UnaryServerInterceptor (
350- permissionMap map [string ][]bakery.Op ) grpc.UnaryServerInterceptor {
347+ func (p * rpcProxy ) UnaryServerInterceptor (ctx context.Context , req interface {},
348+ info * grpc.UnaryServerInfo , handler grpc.UnaryHandler ) (interface {},
349+ error ) {
351350
352- return func (ctx context.Context , req interface {},
353- info * grpc.UnaryServerInfo ,
354- handler grpc.UnaryHandler ) (interface {}, error ) {
355-
356- uriPermissions , ok := permissionMap [info .FullMethod ]
357- if ! ok {
358- return nil , fmt .Errorf ("%s: unknown permissions " +
359- "required for method" , info .FullMethod )
360- }
351+ uriPermissions , ok := p .permissionMap [info .FullMethod ]
352+ if ! ok {
353+ return nil , fmt .Errorf ("%s: unknown permissions " +
354+ "required for method" , info .FullMethod )
355+ }
361356
362- // For now, basic authentication is just a quick fix until we
363- // have proper macaroon support implemented in the UI. We allow
364- // gRPC web requests to have it and "convert" the auth into a
365- // proper macaroon now.
366- newCtx , err := p .convertBasicAuth (ctx , info .FullMethod , nil )
367- if err != nil {
368- // Make sure we handle the case where the super macaroon
369- // is still empty on startup.
370- if pErr , ok := err .(* proxyErr ); ok &&
371- pErr .proxyContext == "supermacaroon" {
357+ // For now, basic authentication is just a quick fix until we
358+ // have proper macaroon support implemented in the UI. We allow
359+ // gRPC web requests to have it and "convert" the auth into a
360+ // proper macaroon now.
361+ newCtx , err := p .convertBasicAuth (ctx , info .FullMethod , nil )
362+ if err != nil {
363+ // Make sure we handle the case where the super macaroon
364+ // is still empty on startup.
365+ if pErr , ok := err .(* proxyErr ); ok &&
366+ pErr .proxyContext == "supermacaroon" {
372367
373- return nil , fmt .Errorf ("super macaroon error: " +
374- "%v" , pErr )
375- }
376- return nil , err
377- }
378-
379- // With the basic auth converted to a macaroon if necessary,
380- // let's now validate the macaroon.
381- err = p .macValidator .ValidateMacaroon (
382- newCtx , uriPermissions , info .FullMethod ,
383- )
384- if err != nil {
385- return nil , err
368+ return nil , fmt .Errorf ("super macaroon error: " +
369+ "%v" , pErr )
386370 }
371+ return nil , err
372+ }
387373
388- return handler (ctx , req )
374+ // With the basic auth converted to a macaroon if necessary,
375+ // let's now validate the macaroon.
376+ err = p .macValidator .ValidateMacaroon (
377+ newCtx , uriPermissions , info .FullMethod ,
378+ )
379+ if err != nil {
380+ return nil , err
389381 }
382+
383+ return handler (ctx , req )
390384}
391385
392386// StreamServerInterceptor is a GRPC interceptor that checks whether the
393387// request is authorized by the included macaroons.
394- func (p * rpcProxy ) StreamServerInterceptor (
395- permissionMap map [string ][]bakery.Op ) grpc.StreamServerInterceptor {
396-
397- return func (srv interface {}, ss grpc.ServerStream ,
398- info * grpc.StreamServerInfo , handler grpc.StreamHandler ) error {
399-
400- uriPermissions , ok := permissionMap [info .FullMethod ]
401- if ! ok {
402- return fmt .Errorf ("%s: unknown permissions required " +
403- "for method" , info .FullMethod )
404- }
388+ func (p * rpcProxy ) StreamServerInterceptor (srv interface {},
389+ ss grpc.ServerStream , info * grpc.StreamServerInfo ,
390+ handler grpc.StreamHandler ) error {
405391
406- // For now, basic authentication is just a quick fix until we
407- // have proper macaroon support implemented in the UI. We allow
408- // gRPC web requests to have it and "convert" the auth into a
409- // proper macaroon now.
410- ctx , err := p .convertBasicAuth (
411- ss .Context (), info .FullMethod , nil ,
412- )
413- if err != nil {
414- // Make sure we handle the case where the super macaroon
415- // is still empty on startup.
416- if pErr , ok := err .(* proxyErr ); ok &&
417- pErr .proxyContext == "supermacaroon" {
392+ uriPermissions , ok := p .permissionMap [info .FullMethod ]
393+ if ! ok {
394+ return fmt .Errorf ("%s: unknown permissions required " +
395+ "for method" , info .FullMethod )
396+ }
418397
419- return fmt .Errorf ("super macaroon error: " +
420- "%v" , pErr )
421- }
422- return err
423- }
398+ // For now, basic authentication is just a quick fix until we
399+ // have proper macaroon support implemented in the UI. We allow
400+ // gRPC web requests to have it and "convert" the auth into a
401+ // proper macaroon now.
402+ ctx , err := p .convertBasicAuth (
403+ ss .Context (), info .FullMethod , nil ,
404+ )
405+ if err != nil {
406+ // Make sure we handle the case where the super macaroon
407+ // is still empty on startup.
408+ if pErr , ok := err .(* proxyErr ); ok &&
409+ pErr .proxyContext == "supermacaroon" {
424410
425- // With the basic auth converted to a macaroon if necessary,
426- // let's now validate the macaroon.
427- err = p .macValidator .ValidateMacaroon (
428- ctx , uriPermissions , info .FullMethod ,
429- )
430- if err != nil {
431- return err
411+ return fmt .Errorf ("super macaroon error: " +
412+ "%v" , pErr )
432413 }
414+ return err
415+ }
433416
434- return handler (srv , ss )
417+ // With the basic auth converted to a macaroon if necessary,
418+ // let's now validate the macaroon.
419+ err = p .macValidator .ValidateMacaroon (
420+ ctx , uriPermissions , info .FullMethod ,
421+ )
422+ if err != nil {
423+ return err
435424 }
425+
426+ return handler (srv , ss )
436427}
437428
438429// convertBasicAuth tries to convert the HTTP authorization header into a
0 commit comments