authorization layer
fulmicoton committed Nov 1, 2024
1 parent 33b8e7d commit 5a924f6
Showing 21 changed files with 894 additions and 187 deletions.
17 changes: 17 additions & 0 deletions quickwit/Cargo.lock


8 changes: 6 additions & 2 deletions quickwit/Cargo.toml
Expand Up @@ -2,6 +2,7 @@
resolver = "2"
members = [
"quickwit-actors",
"quickwit-auth",
"quickwit-aws",
"quickwit-cli",
"quickwit-cluster",
Expand All @@ -20,6 +21,7 @@ members = [
"quickwit-jaeger",
"quickwit-janitor",
"quickwit-lambda",
"quickwit-license",
"quickwit-macros",
"quickwit-metastore",

Expand All @@ -34,13 +36,14 @@ members = [
"quickwit-serve",
"quickwit-storage",
"quickwit-telemetry",
"quickwit-license",
"quickwit-telemetry",
]

# The following list excludes `quickwit-metastore-utils` and `quickwit-lambda`
# from the default member to ease build/deps.
default-members = [
"quickwit-actors",
"quickwit-auth",
"quickwit-aws",
"quickwit-cli",
"quickwit-cluster",
Expand All @@ -52,6 +55,7 @@ default-members = [
"quickwit-datetime",
"quickwit-directories",
"quickwit-doc-mapper",
"quickwit-license",
"quickwit-index-management",
"quickwit-indexing",
"quickwit-ingest",
Expand Down Expand Up @@ -89,7 +93,6 @@ async-trait = "0.1"
base64 = "0.22"
binggan = { version = "0.14" }
biscuit-auth = "5.0.0"

bytes = { version = "1", features = ["serde"] }
bytesize = { version = "1.3.0", features = ["serde"] }
bytestring = "1.3.0"
Expand Down Expand Up @@ -303,6 +306,7 @@ opendal = { version = "0.44", default-features = false }
reqsign = { version = "0.14", default-features = false }

quickwit-actors = { path = "quickwit-actors" }
quickwit-auth = { path = "quickwit-auth" }
quickwit-aws = { path = "quickwit-aws" }
quickwit-cli = { path = "quickwit-cli" }
quickwit-cluster = { path = "quickwit-cluster" }
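Review bot: `quickwit-license` appears to be added to `members` twice in this section — once in the hunk `-20,6 +21,7` after `quickwit-lambda` and again in the hunk `-34,13 +36,14` after `quickwit-telemetry`; the rendered view does not mark which of the latter lines are old or new, so this is inferred, but if both are new one entry should be dropped so the list stays alphabetical and free of duplicates. The `default-members` entry in the hunk `-52,6 +55,7` sits after `quickwit-doc-mapper` rather than in alphabetical position, unlike the `quickwit-auth` entries in the same file.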
1 change: 1 addition & 0 deletions quickwit/quickwit-codegen/example/Cargo.toml
Expand Up @@ -27,6 +27,7 @@ tower = { workspace = true }
utoipa = { workspace = true }

quickwit-actors = { workspace = true }
quickwit-auth = { workspace = true }
quickwit-common = { workspace = true }
quickwit-proto = { workspace = true }

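--- /dev/null
+++ b/quickwit/quickwit-codegen/example/src/authorization.rs
@@ -0,0 +1,26 @@
+use quickwit_auth::Authorization;
+use quickwit_auth::AuthorizationError;
+use quickwit_auth::AuthorizationToken;
+use quickwit_auth::StreamAuthorization;
+
+use crate::GoodbyeRequest;
+use crate::HelloRequest;
+use crate::PingRequest;
+
+impl Authorization for HelloRequest {
+fn attenuate(&self, auth_token: quickwit_auth::AuthorizationToken) -> Result<quickwit_auth::AuthorizationToken, AuthorizationError> {
+Ok(auth_token)
+}
+}
+
+impl Authorization for GoodbyeRequest {
+fn attenuate(&self, auth_token: quickwit_auth::AuthorizationToken) -> Result<AuthorizationToken, AuthorizationError> {
+Ok(auth_token)
+}
+}
+
+impl StreamAuthorization for PingRequest {
+fn attenuate(auth_token: quickwit_auth::AuthorizationToken) -> Result<AuthorizationToken, AuthorizationError> {
+Ok(auth_token)
+}
+}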
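Review bot: The three `attenuate` impls return `auth_token` unchanged without saying why, and in an example crate that is meant to be copied this reads as the recommended pattern rather than a placeholder; a one-line comment on each impl such as `// Example service: no per-request restriction, the token is passed through unattenuated.` would make the intent explicit. The parameter types spell out `quickwit_auth::AuthorizationToken` even though the type is imported on the `use quickwit_auth::AuthorizationToken;` line, while the `GoodbyeRequest` and `PingRequest` return types use the short name; using the imported name throughout would keep the file consistent.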
36 changes: 24 additions & 12 deletions quickwit/quickwit-codegen/example/src/codegen/hello.rs


1 change: 1 addition & 0 deletions quickwit/quickwit-codegen/example/src/lib.rs
Expand Up @@ -21,6 +21,7 @@ mod error;

#[path = "codegen/hello.rs"]
mod hello;
mod authorization;

use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
28 changes: 23 additions & 5 deletions quickwit/quickwit-codegen/src/codegen.rs
Expand Up @@ -1231,7 +1231,12 @@ fn generate_grpc_server_adapter_methods(context: &CodegenContext) -> TokenStream
}
}
} else {
quote! { request.into_inner() }
quote! {
{
let req = request.into_inner();
req
}
}
};
let response_type = if syn_method.server_streaming {
let associated_type_name = quote::format_ident!("{}Stream", syn_method.proto_name);
Expand All @@ -1253,14 +1258,25 @@ fn generate_grpc_server_adapter_methods(context: &CodegenContext) -> TokenStream
} else {
quote! { tonic::Response::new }
};

let authorize_block = if syn_method.client_streaming {
let stream_item = &syn_method.request_type;
quote! {
quickwit_auth::authorize_stream::<#stream_item>(&auth_token)?;
}
} else {
quote! {
quickwit_auth::authorize(&req, &auth_token)?;
}
};
let method = quote! {
#associated_type

async fn #method_name(&self, request: tonic::Request<#request_type>) -> Result<tonic::Response<#response_type>, tonic::Status> {
self.inner
.0
.#method_name(#method_arg)
.await
let auth_token = quickwit_auth::get_auth_token(request.metadata())?;
let req = #method_arg;
#authorize_block;
quickwit_auth::AUTHORIZATION_TOKEN.scope(auth_token, self.inner.0.#method_name(req)).await
.map(#into_response_type)
.map_err(crate::error::grpc_error_to_grpc_status)
}
Expand All @@ -1270,6 +1286,8 @@ fn generate_grpc_server_adapter_methods(context: &CodegenContext) -> TokenStream
stream
}



/// A [`ServiceGenerator`] wrapper that appends a suffix to the name of the wrapped service. It is
/// used to add a `Grpc` suffix to the service, client, and server generated by tonic.
struct WithSuffixServiceGenerator {
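Review bot: In the generated method body, `#authorize_block;` emits a doubled semicolon because both arms of `authorize_block` already end in `;`, and the non-streaming `#method_arg` is now a block `{ let req = request.into_inner(); req }` that only rebinds what `let req = #method_arg;` binds again; `quote! { request.into_inner() }` and `#authorize_block` without the trailing semicolon generate the same code without the redundant statements. The `?` after `get_auth_token` and inside `authorize_block` relies on the error type converting into `tonic::Status`, and that conversion is not visible in this commit, so a comment at the `let auth_token` line stating which status a missing or rejected token maps to would help implementers of the adapter. For client-streaming methods the check `quickwit_auth::authorize_stream::<#stream_item>(&auth_token)?;` runs once per call on the request type and never sees an individual message, so a comment there (`// stream items are not authorized individually`) would keep that limit explicit for `StreamAuthorization` implementers. `generate_grpc_server_adapter_methods` starts and ends outside the hunk.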
1 change: 1 addition & 0 deletions quickwit/quickwit-ingest/Cargo.toml
Expand Up @@ -36,6 +36,7 @@ ulid = { workspace = true }
utoipa = { workspace = true }

quickwit-actors = { workspace = true }
quickwit-auth = { workspace = true }
quickwit-cluster = { workspace = true }
quickwit-common = { workspace = true, features = ["testsuite"] }
quickwit-config = { workspace = true }
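--- /dev/null
+++ b/quickwit/quickwit-ingest/src/authorize.rs
@@ -0,0 +1,25 @@
+use quickwit_auth::Authorization;
+use quickwit_auth::AuthorizationError;
+use quickwit_auth::AuthorizationToken;
+
+use crate::FetchRequest;
+use crate::IngestRequest;
+use crate::TailRequest;
+
+impl Authorization for TailRequest {
+fn attenuate(&self, auth_token: AuthorizationToken) -> Result<AuthorizationToken, AuthorizationError> {
+Ok(auth_token)
+}
+}
+
+impl Authorization for IngestRequest {
+fn attenuate(&self, auth_token: AuthorizationToken) -> Result<AuthorizationToken, AuthorizationError> {
+Ok(auth_token)
+}
+}
+
+impl Authorization for FetchRequest {
+fn attenuate(&self, auth_token: AuthorizationToken) -> Result<AuthorizationToken, AuthorizationError> {
+Ok(auth_token)
+}
+}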
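Review bot: Each `attenuate` impl returns the token unchanged, so the contents of an `IngestRequest`, `FetchRequest` or `TailRequest` contribute nothing to the authorization decision and any narrowing to the request's target has to happen elsewhere; if that is the intended first step, the impls should say so, e.g. `// TODO: attenuate the token to the request's target index once index-scoped tokens are supported.` on each. Whether these request types carry an index identifier that could be used for attenuation is not visible in this commit, so the comment is also the place to record that decision for whoever adds it.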
33 changes: 24 additions & 9 deletions quickwit/quickwit-ingest/src/codegen/ingest_service.rs


1 change: 1 addition & 0 deletions quickwit/quickwit-ingest/src/lib.rs
Expand Up @@ -31,6 +31,7 @@ mod mrecordlog_async;
mod notifications;
mod position;
mod queue;
mod authorize;

use std::collections::HashMap;
use std::path::{Path, PathBuf};
2 changes: 2 additions & 0 deletions quickwit/quickwit-proto/Cargo.toml
Expand Up @@ -12,6 +12,7 @@ license.workspace = true
[dependencies]
anyhow = { workspace = true }
async-trait = { workspace = true }
biscuit-auth = { workspace = true }
bytes = { workspace = true }
bytesize = { workspace = true }
bytestring = { workspace = true }
Expand All @@ -36,6 +37,7 @@ utoipa = { workspace = true }
zstd = { workspace = true }

quickwit-actors = { workspace = true }
quickwit-auth = { workspace = true }
quickwit-common = { workspace = true }

[dev-dependencies]

0 comments on commit 5a924f6
