lumjjb · July 9, 2021 18:34
diff --git a/diff for policy registrations SPIRE API b/diff for policy registrations SPIRE API
 diff --git a/pkg/server/endpoints/config.go b/pkg/server/endpoints/config.go
 index 1263d1c3..dfab306f 100644
 --- a/pkg/server/endpoints/config.go
 +++ b/pkg/server/endpoints/config.go
 @@ -74,12 +74,11 @@ type Config struct {
 
 func (c *Config) makeOldAPIServers() OldAPIServers {
 	registrationHandler := &registration.Handler{
 -		Log:          c.Log.WithField(telemetry.SubsystemName, telemetry.RegistrationAPI),
 -		Metrics:      c.Metrics,
 -		Catalog:      c.Catalog,
 -		TrustDomain:  c.TrustDomain,
 -		ServerCA:     c.ServerCA,
 -		PolicyEngine: c.PolicyEngine,
 +		Log:         c.Log.WithField(telemetry.SubsystemName, telemetry.RegistrationAPI),
 +		Metrics:     c.Metrics,
 +		Catalog:     c.Catalog,
 +		TrustDomain: c.TrustDomain,
 +		ServerCA:    c.ServerCA,
 	}
 
 	return OldAPIServers{
 diff --git a/pkg/server/endpoints/registration/handler.go b/pkg/server/endpoints/registration/handler.go
 index 8d95d4d8..a61ca97a 100644
 --- a/pkg/server/endpoints/registration/handler.go
 +++ b/pkg/server/endpoints/registration/handler.go
 @@ -13,7 +13,6 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/common/auth"
 	"github.com/spiffe/spire/pkg/common/idutil"
 -	"github.com/spiffe/spire/pkg/common/policy"
 	"github.com/spiffe/spire/pkg/common/selector"
 	"github.com/spiffe/spire/pkg/common/telemetry"
 	telemetry_common "github.com/spiffe/spire/pkg/common/telemetry/common"
 @@ -41,12 +40,11 @@ const defaultListEntriesPageSize = 50
 type Handler struct {
 	registration.UnsafeRegistrationServer
 
 -	Log          logrus.FieldLogger
 -	Metrics      telemetry.Metrics
 -	Catalog      catalog.Catalog
 -	TrustDomain  spiffeid.TrustDomain
 -	ServerCA     ca.ServerCA
 -	PolicyEngine *policy.Engine
 +	Log         logrus.FieldLogger
 +	Metrics     telemetry.Metrics
 +	Catalog     catalog.Catalog
 +	TrustDomain spiffeid.TrustDomain
 +	ServerCA    ca.ServerCA
 }
 
 // CreateEntry creates an entry in the Registration table,
 @@ -830,14 +828,13 @@ func (h *Handler) prepareRegistrationEntry(entry *common.RegistrationEntry, forU
 	return entry, nil
 }
 
 -func (h *Handler) AuthorizeCall(ctx context.Context, req interface{}, fullMethod string) (_ context.Context, err error) {
 +func (h *Handler) AuthorizeCall(ctx context.Context, fullMethod string) (_ context.Context, err error) {
 	// For the time being, authorization is not per-method. In other words, all or nothing.
 -	fmt.Println("In AuthorizeCall")
 	counter := telemetry_registrationapi.StartAuthorizeCall(h.Metrics, fullMethod)
 	defer counter.Done(&err)
 	log := h.Log.WithField(telemetry.Method, fullMethod)
 
 -	callerID, err := authorizeCaller(ctx, h.getDataStore(), h.PolicyEngine, req, fullMethod)
 +	callerID, err := authorizeCaller(ctx, h.getDataStore())
 	if err != nil {
 		log.WithError(err).Error("Failed to authorize caller")
 		return nil, err
 @@ -878,9 +875,7 @@ func getSpiffeIDFromCert(cert *x509.Certificate) (string, error) {
 	return spiffeID.String(), nil
 }
 
 -func authorizeCaller(ctx context.Context, ds datastore.DataStore, policyEngine *policy.Engine, req interface{}, fullMethod string) (spiffeID string, err error) {
 -	fmt.Println("authorizeCaller")
 -
 +func authorizeCaller(ctx context.Context, ds datastore.DataStore) (spiffeID string, err error) {
 	ctxPeer, ok := peer.FromContext(ctx)
 	if !ok {
 		return "", status.Error(codes.PermissionDenied, "no peer information for caller")
 @@ -907,31 +902,21 @@ func authorizeCaller(ctx context.Context, ds datastore.DataStore, policyEngine *
 		// The caller came over UDS and is therefore authorized but does not
 		// provide a spiffeID. The file permissions on the UDS are restricted to
 		// processes belonging to the same user or group as the server.
 -		fmt.Println("in UDS auth")
 -
 +		return "", nil
 	default:
 		// The caller came over an unknown transport
 		return "", status.Errorf(codes.PermissionDenied, "unsupported peer auth info type (%T)", authInfo)
 	}
 
 -	if spiffeID == "" {
 -		if err := allowRequest(ctx, policyEngine, "UDS", req, fullMethod); err != nil {
 -			return "", nil
 -		}
 -	} else {
 -		resp, err := ds.ListRegistrationEntries(ctx, &datastore.ListRegistrationEntriesRequest{
 -			BySpiffeID: spiffeID,
 -		})
 -		if err != nil {
 -			return "", err
 -		}
 +	resp, err := ds.ListRegistrationEntries(ctx, &datastore.ListRegistrationEntriesRequest{
 +		BySpiffeID: spiffeID,
 +	})
 +	if err != nil {
 +		return "", err
 +	}
 
 -		for _, entry := range resp.Entries {
 -			if entry.Admin {
 -				return spiffeID, nil
 -			}
 -		}
 -		if err := allowRequest(ctx, policyEngine, spiffeID, req, fullMethod); err != nil {
 +	for _, entry := range resp.Entries {
 +		if entry.Admin {
 			return spiffeID, nil
 		}
 	}
 @@ -939,28 +924,6 @@ func authorizeCaller(ctx context.Context, ds datastore.DataStore, policyEngine *
 	return "", status.Errorf(codes.PermissionDenied, "SPIFFE ID %q is not authorized", spiffeID)
 }
 
 -func allowRequest(ctx context.Context, policyEngine *policy.Engine, caller string, req interface{}, fullMethod string) error {
 -	fmt.Println("allowRequest")
 -	// TODO: remove this
 -	if policyEngine == nil {
 -		return nil
 -	}
 -	input := policy.Input{
 -		Caller:     caller,
 -		FullMethod: fullMethod,
 -		Req:        req,
 -	}
 -	result, err := policyEngine.Eval(ctx, input)
 -	if err != nil {
 -		return err
 -	}
 -	if !result.Allow {
 -		return errors.New("not authorized")
 -	}
 -
 -	return nil
 -}
 -
 type callerIDKey struct{}
 
 func withCallerID(ctx context.Context, callerID string) context.Context {
 diff --git a/pkg/server/endpoints/registration/handler_test.go b/pkg/server/endpoints/registration/handler_test.go
 index 14b5bf8f..bd82c9df 100644
 --- a/pkg/server/endpoints/registration/handler_test.go
 +++ b/pkg/server/endpoints/registration/handler_test.go
 @@ -1403,7 +1403,7 @@ func (s *HandlerSuite) TestAuthorizeCall() {
 		if testCase.Peer != nil {
 			ctx = peer.NewContext(ctx, testCase.Peer)
 		}
 -		ctx, err := handler.AuthorizeCall(ctx, nil, "SOMEMETHOD")
 +		ctx, err := handler.AuthorizeCall(ctx, "SOMEMETHOD")
 		if testCase.Err != "" {
 			s.requireErrorContains(err, testCase.Err)
 			s.requireGRPCStatusCode(err, codes.PermissionDenied)
	diff --git a/pkg/server/endpoints/config.go b/pkg/server/endpoints/config.go
	index 1263d1c3..dfab306f 100644
	--- a/pkg/server/endpoints/config.go
	+++ b/pkg/server/endpoints/config.go
	@@ -74,12 +74,11 @@ type Config struct {

	func (c *Config) makeOldAPIServers() OldAPIServers {
	registrationHandler := &registration.Handler{
	- Log: c.Log.WithField(telemetry.SubsystemName, telemetry.RegistrationAPI),
	- Metrics: c.Metrics,
	- Catalog: c.Catalog,
	- TrustDomain: c.TrustDomain,
	- ServerCA: c.ServerCA,
	- PolicyEngine: c.PolicyEngine,
	+ Log: c.Log.WithField(telemetry.SubsystemName, telemetry.RegistrationAPI),
	+ Metrics: c.Metrics,
	+ Catalog: c.Catalog,
	+ TrustDomain: c.TrustDomain,
	+ ServerCA: c.ServerCA,
	}

	return OldAPIServers{
	diff --git a/pkg/server/endpoints/registration/handler.go b/pkg/server/endpoints/registration/handler.go
	index 8d95d4d8..a61ca97a 100644
	--- a/pkg/server/endpoints/registration/handler.go
	+++ b/pkg/server/endpoints/registration/handler.go
	@@ -13,7 +13,6 @@ import (
	"github.com/spiffe/go-spiffe/v2/spiffeid"
	"github.com/spiffe/spire/pkg/common/auth"
	"github.com/spiffe/spire/pkg/common/idutil"
	- "github.com/spiffe/spire/pkg/common/policy"
	"github.com/spiffe/spire/pkg/common/selector"
	"github.com/spiffe/spire/pkg/common/telemetry"
	telemetry_common "github.com/spiffe/spire/pkg/common/telemetry/common"
	@@ -41,12 +40,11 @@ const defaultListEntriesPageSize = 50
	type Handler struct {
	registration.UnsafeRegistrationServer

	- Log logrus.FieldLogger
	- Metrics telemetry.Metrics
	- Catalog catalog.Catalog
	- TrustDomain spiffeid.TrustDomain
	- ServerCA ca.ServerCA
	- PolicyEngine *policy.Engine
	+ Log logrus.FieldLogger
	+ Metrics telemetry.Metrics
	+ Catalog catalog.Catalog
	+ TrustDomain spiffeid.TrustDomain
	+ ServerCA ca.ServerCA
	}

	// CreateEntry creates an entry in the Registration table,
	@@ -830,14 +828,13 @@ func (h Handler) prepareRegistrationEntry(entry common.RegistrationEntry, forU
	return entry, nil
	}

	-func (h *Handler) AuthorizeCall(ctx context.Context, req interface{}, fullMethod string) (_ context.Context, err error) {
	+func (h *Handler) AuthorizeCall(ctx context.Context, fullMethod string) (_ context.Context, err error) {
	// For the time being, authorization is not per-method. In other words, all or nothing.
	- fmt.Println("In AuthorizeCall")
	counter := telemetry_registrationapi.StartAuthorizeCall(h.Metrics, fullMethod)
	defer counter.Done(&err)
	log := h.Log.WithField(telemetry.Method, fullMethod)

	- callerID, err := authorizeCaller(ctx, h.getDataStore(), h.PolicyEngine, req, fullMethod)
	+ callerID, err := authorizeCaller(ctx, h.getDataStore())
	if err != nil {
	log.WithError(err).Error("Failed to authorize caller")
	return nil, err
	@@ -878,9 +875,7 @@ func getSpiffeIDFromCert(cert *x509.Certificate) (string, error) {
	return spiffeID.String(), nil
	}

	-func authorizeCaller(ctx context.Context, ds datastore.DataStore, policyEngine *policy.Engine, req interface{}, fullMethod string) (spiffeID string, err error) {
	- fmt.Println("authorizeCaller")
	-
	+func authorizeCaller(ctx context.Context, ds datastore.DataStore) (spiffeID string, err error) {
	ctxPeer, ok := peer.FromContext(ctx)
	if !ok {
	return "", status.Error(codes.PermissionDenied, "no peer information for caller")
	@@ -907,31 +902,21 @@ func authorizeCaller(ctx context.Context, ds datastore.DataStore, policyEngine *
	// The caller came over UDS and is therefore authorized but does not
	// provide a spiffeID. The file permissions on the UDS are restricted to
	// processes belonging to the same user or group as the server.
	- fmt.Println("in UDS auth")
	-
	+ return "", nil
	default:
	// The caller came over an unknown transport
	return "", status.Errorf(codes.PermissionDenied, "unsupported peer auth info type (%T)", authInfo)
	}

	- if spiffeID == "" {
	- if err := allowRequest(ctx, policyEngine, "UDS", req, fullMethod); err != nil {
	- return "", nil
	- }
	- } else {
	- resp, err := ds.ListRegistrationEntries(ctx, &datastore.ListRegistrationEntriesRequest{
	- BySpiffeID: spiffeID,
	- })
	- if err != nil {
	- return "", err
	- }
	+ resp, err := ds.ListRegistrationEntries(ctx, &datastore.ListRegistrationEntriesRequest{
	+ BySpiffeID: spiffeID,
	+ })
	+ if err != nil {
	+ return "", err
	+ }

	- for _, entry := range resp.Entries {
	- if entry.Admin {
	- return spiffeID, nil
	- }
	- }
	- if err := allowRequest(ctx, policyEngine, spiffeID, req, fullMethod); err != nil {
	+ for _, entry := range resp.Entries {
	+ if entry.Admin {
	return spiffeID, nil
	}
	}
	@@ -939,28 +924,6 @@ func authorizeCaller(ctx context.Context, ds datastore.DataStore, policyEngine *
	return "", status.Errorf(codes.PermissionDenied, "SPIFFE ID %q is not authorized", spiffeID)
	}

	-func allowRequest(ctx context.Context, policyEngine *policy.Engine, caller string, req interface{}, fullMethod string) error {
	- fmt.Println("allowRequest")
	- // TODO: remove this
	- if policyEngine == nil {
	- return nil
	- }
	- input := policy.Input{
	- Caller: caller,
	- FullMethod: fullMethod,
	- Req: req,
	- }
	- result, err := policyEngine.Eval(ctx, input)
	- if err != nil {
	- return err
	- }
	- if !result.Allow {
	- return errors.New("not authorized")
	- }
	-
	- return nil
	-}
	-
	type callerIDKey struct{}

	func withCallerID(ctx context.Context, callerID string) context.Context {
	diff --git a/pkg/server/endpoints/registration/handler_test.go b/pkg/server/endpoints/registration/handler_test.go
	index 14b5bf8f..bd82c9df 100644
	--- a/pkg/server/endpoints/registration/handler_test.go
	+++ b/pkg/server/endpoints/registration/handler_test.go
	@@ -1403,7 +1403,7 @@ func (s *HandlerSuite) TestAuthorizeCall() {
	if testCase.Peer != nil {
	ctx = peer.NewContext(ctx, testCase.Peer)
	}
	- ctx, err := handler.AuthorizeCall(ctx, nil, "SOMEMETHOD")
	+ ctx, err := handler.AuthorizeCall(ctx, "SOMEMETHOD")
	if testCase.Err != "" {
	s.requireErrorContains(err, testCase.Err)
	s.requireGRPCStatusCode(err, codes.PermissionDenied)