diff --git a/auth/interceptor.go b/auth/interceptor.go deleted file mode 100644 index ee3a58c6f..000000000 --- a/auth/interceptor.go +++ /dev/null @@ -1,23 +0,0 @@ -package auth - -import ( - "context" - - "google.golang.org/grpc" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" -) - -func BlanketAuthorization(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) ( - resp interface{}, err error) { - identityContext := IdentityContextFromContext(ctx) - if identityContext.IsEmpty() { - return handler(ctx, req) - } - - if !identityContext.Scopes().Has(ScopeAll) { - return nil, status.Errorf(codes.Unauthenticated, "authenticated user doesn't have required scope") - } - - return handler(ctx, req) -} diff --git a/auth/interceptor_test.go b/auth/interceptor_test.go deleted file mode 100644 index 862f76a13..000000000 --- a/auth/interceptor_test.go +++ /dev/null @@ -1,61 +0,0 @@ -package auth - -import ( - "context" - "testing" - - "github.com/stretchr/testify/assert" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - "k8s.io/apimachinery/pkg/util/sets" -) - -func TestBlanketAuthorization(t *testing.T) { - t.Run("authenticated and authorized", func(t *testing.T) { - allScopes := sets.NewString(ScopeAll) - identityCtx := IdentityContext{ - audience: "aud", - userID: "uid", - appID: "appid", - scopes: &allScopes, - } - handlerCalled := false - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - handlerCalled = true - return nil, nil - } - ctx := context.WithValue(context.TODO(), ContextKeyIdentityContext, identityCtx) - _, err := BlanketAuthorization(ctx, nil, nil, handler) - assert.NoError(t, err) - assert.True(t, handlerCalled) - }) - t.Run("unauthenticated", func(t *testing.T) { - handlerCalled := false - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - handlerCalled = true - return nil, nil - } - ctx := context.TODO() - _, err := BlanketAuthorization(ctx, nil, nil, handler) - assert.NoError(t, err) - assert.True(t, handlerCalled) - }) - t.Run("authenticated and not authorized", func(t *testing.T) { - identityCtx := IdentityContext{ - audience: "aud", - userID: "uid", - appID: "appid", - } - handlerCalled := false - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - handlerCalled = true - return nil, nil - } - ctx := context.WithValue(context.TODO(), ContextKeyIdentityContext, identityCtx) - _, err := BlanketAuthorization(ctx, nil, nil, handler) - asStatus, ok := status.FromError(err) - assert.True(t, ok) - assert.Equal(t, asStatus.Code(), codes.Unauthenticated) - assert.False(t, handlerCalled) - }) -} diff --git a/pkg/rpc/adminservice/base.go b/pkg/rpc/adminservice/base.go index d3fada1be..8a515ee41 100644 --- a/pkg/rpc/adminservice/base.go +++ b/pkg/rpc/adminservice/base.go @@ -5,10 +5,6 @@ import ( "fmt" "runtime/debug" - grpcmiddleware "github.com/grpc-ecosystem/go-grpc-middleware" - - "github.com/flyteorg/flyteadmin/auth" - "github.com/flyteorg/flyteadmin/plugins" "github.com/flyteorg/flyteadmin/pkg/async/cloudevent" @@ -100,9 +96,6 @@ func NewAdminServer(ctx context.Context, pluginRegistry *plugins.Registry, confi logger.Info(ctx, "Successfully created a workflow executor engine") pluginRegistry.RegisterDefault(plugins.PluginIDWorkflowExecutor, workflowExecutor) - logger.Infof(ctx, "Registering default middleware with blanket auth validation") - pluginRegistry.RegisterDefault(plugins.PluginIDUnaryServiceMiddleware, grpcmiddleware.ChainUnaryServer(auth.BlanketAuthorization)) - publisher := notifications.NewNotificationsPublisher(*configuration.ApplicationConfiguration().GetNotificationsConfig(), adminScope) processor := notifications.NewNotificationsProcessor(*configuration.ApplicationConfiguration().GetNotificationsConfig(), adminScope) eventPublisher := notifications.NewEventsPublisher(*configuration.ApplicationConfiguration().GetExternalEventsConfig(), adminScope) diff --git a/pkg/server/service.go b/pkg/server/service.go index df80dfdf5..77dc460cf 100644 --- a/pkg/server/service.go +++ b/pkg/server/service.go @@ -32,10 +32,12 @@ import ( "github.com/grpc-ecosystem/grpc-gateway/runtime" "github.com/pkg/errors" "google.golang.org/grpc" + "google.golang.org/grpc/codes" "google.golang.org/grpc/credentials" "google.golang.org/grpc/health" "google.golang.org/grpc/health/grpc_health_v1" "google.golang.org/grpc/reflection" + "google.golang.org/grpc/status" ) var defaultCorsHeaders = []string{"Content-Type"} @@ -53,6 +55,21 @@ func Serve(ctx context.Context, pluginRegistry *plugins.Registry, additionalHand return serveGatewayInsecure(ctx, pluginRegistry, serverConfig, authConfig.GetConfig(), storage.GetConfig(), additionalHandlers, adminScope) } +func blanketAuthorization(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) ( + resp interface{}, err error) { + + identityContext := auth.IdentityContextFromContext(ctx) + if identityContext.IsEmpty() { + return handler(ctx, req) + } + + if !identityContext.Scopes().Has(auth.ScopeAll) { + return nil, status.Errorf(codes.Unauthenticated, "authenticated user doesn't have required scope") + } + + return handler(ctx, req) +} + // Creates a new gRPC Server with all the configuration func newGRPCServer(ctx context.Context, pluginRegistry *plugins.Registry, cfg *config.ServerConfig, storageCfg *storage.Config, authCtx interfaces.AuthenticationContext, @@ -61,12 +78,11 @@ func newGRPCServer(ctx context.Context, pluginRegistry *plugins.Registry, cfg *c var chainedUnaryInterceptors grpc.UnaryServerInterceptor if cfg.Security.UseAuth { logger.Infof(ctx, "Creating gRPC server with authentication") - middlewareInterceptors := plugins.Get[grpc.UnaryServerInterceptor](pluginRegistry, plugins.PluginIDUnaryServiceMiddleware) chainedUnaryInterceptors = grpcmiddleware.ChainUnaryServer(grpcprometheus.UnaryServerInterceptor, auth.GetAuthenticationCustomMetadataInterceptor(authCtx), grpcauth.UnaryServerInterceptor(auth.GetAuthenticationInterceptor(authCtx)), auth.AuthenticationLoggingInterceptor, - middlewareInterceptors, + blanketAuthorization, ) } else { logger.Infof(ctx, "Creating gRPC server without authentication") diff --git a/plugins/registry.go b/plugins/registry.go index 3c2186326..1ab0def69 100644 --- a/plugins/registry.go +++ b/plugins/registry.go @@ -9,9 +9,8 @@ import ( type PluginID = string const ( - PluginIDWorkflowExecutor PluginID = "WorkflowExecutor" - PluginIDDataProxy PluginID = "DataProxy" - PluginIDUnaryServiceMiddleware PluginID = "UnaryServiceMiddleware" + PluginIDWorkflowExecutor PluginID = "WorkflowExecutor" + PluginIDDataProxy PluginID = "DataProxy" ) type AtomicRegistry struct { diff --git a/tests/bootstrap.go b/tests/bootstrap.go index 3a798e2c3..54160b637 100644 --- a/tests/bootstrap.go +++ b/tests/bootstrap.go @@ -6,7 +6,6 @@ package tests import ( "context" "fmt" - "github.com/flyteorg/flytestdlib/database" "github.com/flyteorg/flyteadmin/pkg/repositories"