quickwit-oss
diff --git a/‎quickwit/Cargo.lock
Lines changed: 17 additions & 0 deletions b/‎quickwit/Cargo.lock
Lines changed: 17 additions & 0 deletions
diff --git a/‎quickwit/Cargo.toml
Lines changed: 6 additions & 2 deletions b/‎quickwit/Cargo.toml
Lines changed: 6 additions & 2 deletions
diff --git a/‎quickwit/quickwit-codegen/example/Cargo.toml
Lines changed: 1 addition & 0 deletions b/‎quickwit/quickwit-codegen/example/Cargo.toml
Lines changed: 1 addition & 0 deletions
diff --git a/‎quickwit/quickwit-codegen/example/src/authorization.rs
Lines changed: 26 additions & 0 deletions b/‎quickwit/quickwit-codegen/example/src/authorization.rs
Lines changed: 26 additions & 0 deletions
diff --git a/‎quickwit/quickwit-codegen/example/src/codegen/hello.rs
Lines changed: 24 additions & 12 deletions b/‎quickwit/quickwit-codegen/example/src/codegen/hello.rs
Lines changed: 24 additions & 12 deletions
diff --git a/‎quickwit/quickwit-codegen/example/src/lib.rs
Lines changed: 1 addition & 0 deletions b/‎quickwit/quickwit-codegen/example/src/lib.rs
Lines changed: 1 addition & 0 deletions
diff --git a/‎quickwit/quickwit-codegen/src/codegen.rs
Lines changed: 23 additions & 5 deletions b/‎quickwit/quickwit-codegen/src/codegen.rs
Lines changed: 23 additions & 5 deletions
diff --git a/‎quickwit/quickwit-ingest/Cargo.toml
Lines changed: 1 addition & 0 deletions b/‎quickwit/quickwit-ingest/Cargo.toml
Lines changed: 1 addition & 0 deletions
diff --git a/‎quickwit/quickwit-ingest/src/authorize.rs
Lines changed: 25 additions & 0 deletions b/‎quickwit/quickwit-ingest/src/authorize.rs
Lines changed: 25 additions & 0 deletions
diff --git a/‎quickwit/quickwit-ingest/src/codegen/ingest_service.rs
Lines changed: 24 additions & 9 deletions b/‎quickwit/quickwit-ingest/src/codegen/ingest_service.rs
Lines changed: 24 additions & 9 deletions
@@ -2,6 +2,7 @@
 resolver = "2"
 members = [
   "quickwit-actors",
+  "quickwit-auth",
   "quickwit-aws",
   "quickwit-cli",
   "quickwit-cluster",
@@ -20,6 +21,7 @@ members = [
   "quickwit-jaeger",
   "quickwit-janitor",
   "quickwit-lambda",
+  "quickwit-license",
   "quickwit-macros",
   "quickwit-metastore",
 
@@ -34,13 +36,14 @@ members = [
   "quickwit-serve",
   "quickwit-storage",
   "quickwit-telemetry",
-  "quickwit-license",
+  "quickwit-telemetry",
 ]
 
 # The following list excludes `quickwit-metastore-utils` and `quickwit-lambda`
 # from the default member to ease build/deps.
 default-members = [
   "quickwit-actors",
+  "quickwit-auth",
   "quickwit-aws",
   "quickwit-cli",
   "quickwit-cluster",
@@ -52,6 +55,7 @@ default-members = [
   "quickwit-datetime",
   "quickwit-directories",
   "quickwit-doc-mapper",
+  "quickwit-license",
   "quickwit-index-management",
   "quickwit-indexing",
   "quickwit-ingest",
@@ -89,7 +93,6 @@ async-trait = "0.1"
 base64 = "0.22"
 binggan = { version = "0.14" }
 biscuit-auth = "5.0.0"
-
 bytes = { version = "1", features = ["serde"] }
 bytesize = { version = "1.3.0", features = ["serde"] }
 bytestring = "1.3.0"
@@ -303,6 +306,7 @@ opendal = { version = "0.44", default-features = false }
 reqsign = { version = "0.14", default-features = false }
 
 quickwit-actors = { path = "quickwit-actors" }
+quickwit-auth = { path = "quickwit-auth" }
 quickwit-aws = { path = "quickwit-aws" }
 quickwit-cli = { path = "quickwit-cli" }
 quickwit-cluster = { path = "quickwit-cluster" }
 
@@ -27,6 +27,7 @@ tower = { workspace = true }
 utoipa = { workspace = true }
 
 quickwit-actors = { workspace = true }
+quickwit-auth = { workspace = true }
 quickwit-common = { workspace = true }
 quickwit-proto = { workspace = true }
 
 
@@ -0,0 +1,26 @@
+use quickwit_auth::Authorization;
+use quickwit_auth::AuthorizationError;
+use quickwit_auth::AuthorizationToken;
+use quickwit_auth::StreamAuthorization;
+
+use crate::GoodbyeRequest;
+use crate::HelloRequest;
+use crate::PingRequest;
+
+impl Authorization for HelloRequest {
+    fn attenuate(&self, auth_token: quickwit_auth::AuthorizationToken) -> Result<quickwit_auth::AuthorizationToken, AuthorizationError> {
+        Ok(auth_token)
+    }
+}
+
+impl Authorization for GoodbyeRequest {
+    fn attenuate(&self, auth_token: quickwit_auth::AuthorizationToken) -> Result<AuthorizationToken, AuthorizationError> {
+        Ok(auth_token)
+    }
+}
+
+impl StreamAuthorization for PingRequest {
+    fn attenuate(auth_token: quickwit_auth::AuthorizationToken) -> Result<AuthorizationToken, AuthorizationError> {
+        Ok(auth_token)
+    }
+}
@@ -21,6 +21,7 @@ mod error;
 
 #[path = "codegen/hello.rs"]
 mod hello;
+mod authorization;
 
 use std::sync::atomic::{AtomicUsize, Ordering};
 use std::sync::Arc;
 
@@ -1231,7 +1231,12 @@ fn generate_grpc_server_adapter_methods(context: &CodegenContext) -> TokenStream
                 }
             }
         } else {
-            quote! { request.into_inner() }
+            quote! {
+                {
+                    let req = request.into_inner();
+                    req
+                }
+            }
         };
         let response_type = if syn_method.server_streaming {
             let associated_type_name = quote::format_ident!("{}Stream", syn_method.proto_name);
@@ -1253,14 +1258,25 @@ fn generate_grpc_server_adapter_methods(context: &CodegenContext) -> TokenStream
         } else {
             quote! { tonic::Response::new }
         };
+
+        let authorize_block = if syn_method.client_streaming {
+            let stream_item = &syn_method.request_type;
+            quote! {
+                quickwit_auth::authorize_stream::<#stream_item>(&auth_token)?;
+            }
+        } else {
+            quote! {
+                quickwit_auth::authorize(&req, &auth_token)?;
+            }
+        };
         let method = quote! {
             #associated_type
 
             async fn #method_name(&self, request: tonic::Request<#request_type>) -> Result<tonic::Response<#response_type>, tonic::Status> {
-                self.inner
-                    .0
-                    .#method_name(#method_arg)
-                    .await
+                let auth_token = quickwit_auth::get_auth_token(request.metadata())?;
+                let req = #method_arg;
+                #authorize_block;
+                quickwit_auth::AUTHORIZATION_TOKEN.scope(auth_token, self.inner.0.#method_name(req)).await
                     .map(#into_response_type)
                     .map_err(crate::error::grpc_error_to_grpc_status)
             }
@@ -1270,6 +1286,8 @@ fn generate_grpc_server_adapter_methods(context: &CodegenContext) -> TokenStream
     stream
 }
 
+
+
 /// A [`ServiceGenerator`] wrapper that appends a suffix to the name of the wrapped service. It is
 /// used to add a `Grpc` suffix to the service, client, and server generated by tonic.
 struct WithSuffixServiceGenerator {
 
@@ -36,6 +36,7 @@ ulid = { workspace = true }
 utoipa = { workspace = true }
 
 quickwit-actors = { workspace = true }
+quickwit-auth = { workspace = true }
 quickwit-cluster = { workspace = true }
 quickwit-common = { workspace = true, features = ["testsuite"] }
 quickwit-config = { workspace = true }
 
@@ -0,0 +1,25 @@
+use quickwit_auth::Authorization;
+use quickwit_auth::AuthorizationError;
+use quickwit_auth::AuthorizationToken;
+
+use crate::FetchRequest;
+use crate::IngestRequest;
+use crate::TailRequest;
+
+impl Authorization for TailRequest {
+    fn attenuate(&self, auth_token: AuthorizationToken) -> Result<AuthorizationToken, AuthorizationError> {
+        Ok(auth_token)
+    }
+}
+
+impl Authorization for IngestRequest {
+    fn attenuate(&self, auth_token: AuthorizationToken) -> Result<AuthorizationToken, AuthorizationError> {
+        Ok(auth_token)
+    }
+}
+
+impl Authorization for FetchRequest {
+    fn attenuate(&self, auth_token: AuthorizationToken) -> Result<AuthorizationToken, AuthorizationError> {
+        Ok(auth_token)
+    }
+}