server

package
v0.0.3 Latest
Warning

This package is not in the latest version of its module.

Published: Mar 16, 2026 License: CC0-1.0 Imports: 71 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func RegisterAll

func RegisterAll(s grpc.ServiceRegistrar, ctx *app.Context, handles *handlestore.HandleStore)

RegisterAll registers all generated gRPC service servers. The handles parameter provides the shared object handle store for services that pass JNI object references over gRPC.

func StreamAuthInterceptor

func StreamAuthInterceptor(auth Authorizer) grpc.StreamServerInterceptor

StreamAuthInterceptor returns a gRPC stream interceptor that checks authorization before handling each stream.

func UnaryAuthInterceptor

func UnaryAuthInterceptor(auth Authorizer) grpc.UnaryServerInterceptor

UnaryAuthInterceptor returns a gRPC unary interceptor that checks authorization before handling each request.

Types

type ACLAuth

type ACLAuth struct {
	Store *acl.Store
}

ACLAuth takes the client identity from the mTLS peer certificate and verifies method permissions against the ACL store.

func (ACLAuth) Authorize

func (a ACLAuth) Authorize(ctx context.Context, fullMethod string) error

Authorize extracts the client CN from the TLS peer certificate and checks the ACL store for a matching method grant. The Register RPC is always allowed (unauthenticated enrollment), and all AuthService RPCs are allowed for any authenticated client.
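The decision order described for Authorize can be sketched with the standard library alone. This is an added example, not the package's own code: the method names under `/example.`, the `grants` map standing in for `acl.Store`, glob matching with `path.Match`, and taking a `tls.ConnectionState` instead of a gRPC context are all assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"path"
)

// Hypothetical method names; the real proto package is not shown on this page.
const registerMethod, authPattern = "/example.AuthService/Register", "/example.AuthService/*"
var errDenied = errors.New("permission denied")

// authorize: Register is open, AuthService needs any verified client cert,
// everything else needs a grant for the CN (path.Match globs are an assumption).
func authorize(cs tls.ConnectionState, method string, grants map[string][]string) error {
	if method == registerMethod { // exact match, never a suffix test
		return nil
	}
	// VerifiedChains is set only after chain validation; PeerCertificates alone
	// can hold an unverified cert when the server merely requests one.
	if len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
		return errDenied
	}
	cn := cs.VerifiedChains[0][0].Subject.CommonName
	for _, p := range append([]string{authPattern}, grants[cn]...) { // AuthService is implicit
		if ok, _ := path.Match(p, method); ok {
			return nil
		}
	}
	return errDenied
}

// stateWithCN builds a constructed ConnectionState; verified=false means no validated chain.
func stateWithCN(cn string, verified bool) (cs tls.ConnectionState) {
	c := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	cs.PeerCertificates = []*x509.Certificate{c}
	if verified {
		cs.VerifiedChains = [][]*x509.Certificate{{c}}
	}
	return cs
}

func main() {
	g := map[string][]string{"client-a": {"/example.Camera/*"}} // constructed ACL
	fmt.Println(authorize(stateWithCN("client-a", true), "/example.Camera/Open", g))
}
```

Because enrollment is unauthenticated, the TLS listener cannot require a client certificate outright, which is why the sketch trusts the CN only when a verified chain is present.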

type AuthServiceServer

type AuthServiceServer struct {
	pb.UnimplementedAuthServiceServer
	CA                  *certauth.CA
	Store               *acl.Store
	OnPermissionRequest PermissionRequestNotifier
}

AuthServiceServer implements pb.AuthServiceServer.

func (*AuthServiceServer) ListMyPermissions

ListMyPermissions returns all granted method patterns for the calling client (identified via mTLS peer certificate CN).

func (*AuthServiceServer) Register

Register handles unauthenticated registration: it signs the submitted CSR and registers the resulting client in the ACL store.

func (*AuthServiceServer) RequestPermission

RequestPermission creates a pending permission request for the calling client (identified via mTLS peer certificate CN).

type Authorizer

type Authorizer interface {
	Authorize(ctx context.Context, fullMethod string) error
}

Authorizer checks whether a gRPC call is allowed.

type PermissionRequestNotifier

type PermissionRequestNotifier func(requestID int64, clientID string, methods []string)

PermissionRequestNotifier is called when a new permission request is created. The implementation should notify the device user (e.g. launch a dialog Activity or push a notification).

Directories

Path Synopsis
Package jni_raw implements a gRPC server that exposes the raw JNI Env surface over gRPC.
