[databroker] Refactor authorization

eclipse · Sep 5, 2023 · cb3b5d1 · cb3b5d1
1 parent 90b10ec
commit cb3b5d1
Show file tree

Hide file tree

Showing 10 changed files with 76 additions and 33 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/kuksa_databroker/databroker/Cargo.toml b/kuksa_databroker/databroker/Cargo.toml
@@ -53,6 +53,7 @@ regex = "1.7.1"
 
 jemallocator = { version = "0.5.0", optional = true }
 lazy_static = "1.4.0"
+thiserror = "1.0.47"
 
 [features]
 default = ["tls"]

diff --git a/..._databroker/databroker/src/jwt/decoder.rs → ...tabroker/src/authorization/jwt/decoder.rs b/..._databroker/databroker/src/jwt/decoder.rs → ...tabroker/src/authorization/jwt/decoder.rs
diff --git a/kuksa_databroker/databroker/src/jwt/mod.rs → ...r/databroker/src/authorization/jwt/mod.rs b/kuksa_databroker/databroker/src/jwt/mod.rs → ...r/databroker/src/authorization/jwt/mod.rs
diff --git a/kuksa_databroker/databroker/src/jwt/scope.rs → ...databroker/src/authorization/jwt/scope.rs b/kuksa_databroker/databroker/src/jwt/scope.rs → ...databroker/src/authorization/jwt/scope.rs
@@ -35,7 +35,7 @@ pub fn parse_whitespace_separated(scope: &str) -> Result<Vec<Scope>, Error> {
         r"(?x)
         ^
         (?P<action>([^:]*)) # match action
-        
+
         (?::
             (?P<path>
                 (
@@ -49,7 +49,7 @@ pub fn parse_whitespace_separated(scope: &str) -> Result<Vec<Scope>, Error> {
                         (
                             [A-Z][a-zA-Z0-1]*
                             |
-                            \*    
+                            \*
                         )
                     )*
                 )

diff --git a/kuksa_databroker/databroker/src/authorization/mod.rs b/kuksa_databroker/databroker/src/authorization/mod.rs
@@ -0,0 +1,37 @@
+/********************************************************************************
+* Copyright (c) 2023 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License 2.0 which is available at
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* SPDX-License-Identifier: Apache-2.0
+********************************************************************************/
+
+use thiserror::Error;
+
+pub mod jwt;
+
+#[derive(Clone)]
+#[allow(clippy::large_enum_variant)]
+pub enum Authorization {
+    Disabled,
+    Enabled { token_decoder: jwt::Decoder },
+}
+
+#[derive(Error, Debug)]
+pub enum Error {
+    #[error("Invalid public key")]
+    InvalidPublicKey,
+}
+
+impl Authorization {
+    pub fn new(public_key: String) -> Result<Authorization, Error> {
+        Ok(Authorization::Enabled {
+            token_decoder: jwt::Decoder::new(public_key).map_err(|_| Error::InvalidPublicKey)?,
+        })
+    }
+}
diff --git a/kuksa_databroker/databroker/src/grpc/server.rs b/kuksa_databroker/databroker/src/grpc/server.rs
@@ -17,22 +17,16 @@ use tokio_stream::wrappers::TcpListenerStream;
 use tonic::transport::Server;
 #[cfg(feature = "tls")]
 use tonic::transport::ServerTlsConfig;
-use tracing::{debug, info, warn};
+use tracing::{debug, info};
 
 use databroker_proto::{kuksa, sdv};
 
 use crate::{
-    broker, jwt,
+    authorization::Authorization,
+    broker,
     permissions::{self, Permissions},
 };
 
-#[derive(Clone)]
-#[allow(clippy::large_enum_variant)]
-pub enum Authorization {
-    Disabled,
-    Enabled { token_decoder: jwt::Decoder },
-}
-
 #[cfg(feature = "tls")]
 pub enum ServerTLS {
     Disabled,
@@ -119,12 +113,12 @@ where
             builder = builder.tls_config(tls_config)?;
         }
         ServerTLS::Disabled => {
-            warn!("TLS is not enabled")
+            info!("TLS is not enabled")
         }
     }
 
     if let Authorization::Disabled = &authorization {
-        warn!("Authorization is not enabled");
+        info!("Authorization is not enabled.");
     }
 
     let router = builder

diff --git a/kuksa_databroker/databroker/src/lib.rs b/kuksa_databroker/databroker/src/lib.rs
@@ -11,10 +11,10 @@
 * SPDX-License-Identifier: Apache-2.0
 ********************************************************************************/
 
+pub mod authorization;
 pub mod broker;
 pub mod glob;
 pub mod grpc;
-pub mod jwt;
 pub mod permissions;
 pub mod query;
 pub mod types;

diff --git a/kuksa_databroker/databroker/src/main.rs b/kuksa_databroker/databroker/src/main.rs
@@ -15,8 +15,9 @@
 #[global_allocator]
 static ALLOC: jemallocator::Jemalloc = jemallocator::Jemalloc;
 
+use databroker::authorization::Authorization;
 use databroker::broker::RegistrationError;
-use databroker::grpc::server::Authorization;
+
 #[cfg(feature = "tls")]
 use databroker::grpc::server::ServerTLS;
 
@@ -28,7 +29,7 @@ use tracing::{debug, error, info};
 
 use clap::{Arg, ArgAction, Command};
 
-use databroker::{broker, grpc, jwt, permissions, vss};
+use databroker::{broker, grpc, permissions, vss};
 
 // Hardcoded datapoints
 const DATAPOINTS: &[(
@@ -257,6 +258,13 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
                 .value_name("FILE")
                 .required(false),
         )
+        .arg(
+            Arg::new("disable-authorization")
+                .display_order(6)
+                .long("disable-authorization")
+                .help("Disable authorization")
+                .action(ArgAction::SetTrue),
+        )
         .arg(
             Arg::new("dummy-metadata")
                 .display_order(10)
@@ -391,35 +399,37 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
             }
             (None, None) => {
                 warn!(
-                    "Default behavior of accepting insecure connections \
-                        when TLS is not configured may change in the future! \
-                        Please use --insecure to explicitly enable this behavior."
+                    "TLS is not enabled. Default behavior of accepting insecure connections \
+                     when TLS is not configured may change in the future! \
+                     Please use --insecure to explicitly enable this behavior."
                 );
                 ServerTLS::Disabled
             }
         }
     };
 
+    let enable_authorization = !args.get_flag("disable-authorization");
     let jwt_public_key = match args.get_one::<String>("jwt-public-key") {
         Some(pub_key_filename) => match std::fs::read_to_string(pub_key_filename) {
             Ok(pub_key) => {
                 info!("Using '{pub_key_filename}' to authenticate access tokens");
-                Some(pub_key)
+                Ok(Some(pub_key))
             }
             Err(err) => {
                 error!("Failed to open file {:?}: {}", pub_key_filename, err);
-                None
+                Err(err)
             }
         },
-        None => None,
-    };
+        None => Ok(None),
+    }?;
 
-    let authorization = match jwt_public_key {
-        Some(pub_key) => {
-            let token_decoder = jwt::Decoder::new(pub_key)?;
-            Authorization::Enabled { token_decoder }
+    let authorization = match (enable_authorization, jwt_public_key) {
+        (true, Some(pub_key)) => Authorization::new(pub_key)?,
+        (true, None) => {
+            warn!("Authorization is not enabled.");
+            Authorization::Disabled
         }
-        None => Authorization::Disabled,
+        (false, _) => Authorization::Disabled,
     };
 
     grpc::server::serve(

diff --git a/kuksa_databroker/databroker/tests/world/mod.rs b/kuksa_databroker/databroker/tests/world/mod.rs
@@ -195,7 +195,7 @@ impl DataBrokerWorld {
             grpc::server::serve_with_incoming_shutdown(
                 tokio_stream::wrappers::TcpListenerStream::new(listener),
                 data_broker,
-                grpc::server::Authorization::Disabled,
+                databroker::authorization::Authorization::Disabled,
                 poll_fn(|cx| {
                     let mut state = owned_state
                         .lock()