Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use GRPC interceptors for bearer token #6063

Open
wants to merge 15 commits into
base: main
Choose a base branch
from
+365 −9
Open

Use GRPC interceptors for bearer token #6063

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
5dd58d5
grpc implementation for bearer token
chahatsagarmain Oct 6, 2024
fd0e021
interceptor for bearer token
chahatsagarmain Oct 8, 2024
6462183
interceptor usage in server creation
chahatsagarmain Oct 9, 2024
770a74e
minor changes in implementation
chahatsagarmain Oct 10, 2024
64ebf86
minor changes
chahatsagarmain Oct 15, 2024
ede3568
decoupled interceptors
chahatsagarmain Oct 16, 2024
1d9c54b
linting fix
chahatsagarmain Oct 16, 2024
4611214
minor changes
chahatsagarmain Oct 16, 2024
05d95d4
linting fix
chahatsagarmain Oct 16, 2024
2a30902
changes and tests
chahatsagarmain Oct 17, 2024
65a64fd
refactoring code
chahatsagarmain Oct 20, 2024
fd728bb
minor changes and test
chahatsagarmain Oct 23, 2024
17827f9
Merge branch 'main' into bearertokenmain
chahatsagarmain Oct 24, 2024
c813cc6
no lint context check
chahatsagarmain Oct 24, 2024
b73817e
minor changes
chahatsagarmain Oct 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 14 additions & 5 deletions cmd/query/app/server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,14 +124,23 @@

grpcOpts = append(grpcOpts, grpc.Creds(creds))
}

unaryInterceptors := []grpc.UnaryServerInterceptor{
bearertoken.NewUnaryServerInterceptor(),
}
streamInterceptors := []grpc.StreamServerInterceptor{
bearertoken.NewStreamServerInterceptor(),
}
if tm.Enabled {
//nolint:contextcheck
grpcOpts = append(grpcOpts,
grpc.StreamInterceptor(tenancy.NewGuardingStreamInterceptor(tm)),
grpc.UnaryInterceptor(tenancy.NewGuardingUnaryInterceptor(tm)),
)
unaryInterceptors = append(unaryInterceptors, tenancy.NewGuardingUnaryInterceptor(tm))
streamInterceptors = append(streamInterceptors, tenancy.NewGuardingStreamInterceptor(tm))

Check failure on line 136 in cmd/query/app/server.go

View workflow job for this annotation

GitHub Actions / lint 

Function `NewGuardingStreamInterceptor->NewGuardingStreamInterceptor$1` should pass the context parameter (contextcheck)

Check warning on line 136 in cmd/query/app/server.go

View check run for this annotation

Codecov / codecov/patch

cmd/query/app/server.go#L135-L136 

Added lines #L135 - L136 were not covered by tests
}

grpcOpts = append(grpcOpts,
grpc.ChainUnaryInterceptor(unaryInterceptors...),
grpc.ChainStreamInterceptor(streamInterceptors...),
)

server := grpc.NewServer(grpcOpts...)
return server, nil
}
Expand Down
19 changes: 15 additions & 4 deletions cmd/remote-storage/app/server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import (
"google.golang.org/grpc/reflection"

"github.com/jaegertracing/jaeger/cmd/query/app/querysvc"
"github.com/jaegertracing/jaeger/pkg/bearertoken"
"github.com/jaegertracing/jaeger/pkg/telemetery"
"github.com/jaegertracing/jaeger/pkg/tenancy"
"github.com/jaegertracing/jaeger/plugin/storage/grpc/shared"
Expand Down Expand Up @@ -96,13 +97,23 @@ func createGRPCServer(opts *Options, tm *tenancy.Manager, handler *shared.GRPCHa
creds := credentials.NewTLS(tlsCfg)
grpcOpts = append(grpcOpts, grpc.Creds(creds))
}

unaryInterceptors := []grpc.UnaryServerInterceptor{
bearertoken.NewUnaryServerInterceptor(),
}
streamInterceptors := []grpc.StreamServerInterceptor{
bearertoken.NewStreamServerInterceptor(),
}
if tm.Enabled {
grpcOpts = append(grpcOpts,
grpc.StreamInterceptor(tenancy.NewGuardingStreamInterceptor(tm)),
grpc.UnaryInterceptor(tenancy.NewGuardingUnaryInterceptor(tm)),
)
unaryInterceptors = append(unaryInterceptors, tenancy.NewGuardingUnaryInterceptor(tm))
streamInterceptors = append(streamInterceptors, tenancy.NewGuardingStreamInterceptor(tm))
}

grpcOpts = append(grpcOpts,
grpc.ChainUnaryInterceptor(unaryInterceptors...),
grpc.ChainStreamInterceptor(streamInterceptors...),
)

server := grpc.NewServer(grpcOpts...)
yurishkuro marked this conversation as resolved.
Show resolved Hide resolved
healthServer := health.NewServer()
reflection.Register(server)
Expand Down
154 changes: 154 additions & 0 deletions pkg/bearertoken/grpc.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,154 @@
// Copyright (c) 2024 The Jaeger Authors.
// SPDX-License-Identifier: Apache-2.0

package bearertoken

import (
"context"
"fmt"

"google.golang.org/grpc"
"google.golang.org/grpc/metadata"
)

const Key = "bearer.token"

type tokenatedServerStream struct {
grpc.ServerStream
context context.Context
yurishkuro marked this conversation as resolved.
Show resolved Hide resolved
}

func (tss *tokenatedServerStream) Context() context.Context {
chahatsagarmain marked this conversation as resolved.
Show resolved Hide resolved
return tss.context
}

// getValidBearerToken attempts to retrieve the bearer token from the context.
// It does not return an error if the token is missing.
func getValidBearerToken(ctx context.Context, bearerHeader string) (string, error) {
chahatsagarmain marked this conversation as resolved.
Show resolved Hide resolved
bearerToken, ok := GetBearerToken(ctx)
if ok && bearerToken != "" {
return bearerToken, nil
}

md, ok := metadata.FromIncomingContext(ctx)
if !ok {
return "", nil
}

tokens := md.Get(bearerHeader)
if len(tokens) < 1 {
return "", nil
}
if len(tokens) > 1 {
return "", fmt.Errorf("malformed token: multiple tokens found")
}
return tokens[0], nil
}

// NewStreamServerInterceptor creates a new stream interceptor that injects the bearer token into the context if available.
func NewStreamServerInterceptor() grpc.StreamServerInterceptor {
return streamServerInterceptor
chahatsagarmain marked this conversation as resolved.
Show resolved Hide resolved
}

func streamServerInterceptor(srv any, ss grpc.ServerStream, _ *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
bearerToken, err := getValidBearerToken(ss.Context(), Key)
if err != nil {
return err
}
// Upgrade the bearer token to be part of the context.

if token, _ := GetBearerToken(ss.Context()); token != "" {
return handler(srv, ss)
}

return handler(srv, &tokenatedServerStream{
ServerStream: ss,
context: ContextWithBearerToken(ss.Context(), bearerToken),
})
}

// NewUnaryServerInterceptor creates a new unary interceptor that injects the bearer token into the context if available.
func NewUnaryServerInterceptor() grpc.UnaryServerInterceptor {
return func(ctx context.Context, req any, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
bearerToken, err := getValidBearerToken(ctx, Key)
if err != nil {
return nil, err
}

if token, _ := GetBearerToken(ctx); token != "" {
return handler(ctx, req)
}
yurishkuro marked this conversation as resolved.
Show resolved Hide resolved

return handler(ContextWithBearerToken(ctx, bearerToken), req)
}
}

// NewUnaryClientInterceptor injects the bearer token header into gRPC request metadata.
func NewUnaryClientInterceptor() grpc.UnaryClientInterceptor {
return grpc.UnaryClientInterceptor(func(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unnecessary wrapping

Suggested change
return grpc.UnaryClientInterceptor(func(
return func(

ctx context.Context,
method string,
req, reply any,
cc *grpc.ClientConn,
invoker grpc.UnaryInvoker,
opts ...grpc.CallOption,
) error {
var token string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var token string

if md, ok := metadata.FromIncomingContext(ctx); ok {
chahatsagarmain marked this conversation as resolved.
Show resolved Hide resolved
tokens := md.Get(Key)
if len(tokens) > 1 {
return fmt.Errorf("malformed token: multiple tokens found")
}
if len(tokens) == 1 && tokens[0] != "" {
token = tokens[0]
}
}

if token == "" {
bearerToken, ok := GetBearerToken(ctx)
if ok && bearerToken != "" {
token = bearerToken
}
}

if token != "" {
ctx = metadata.AppendToOutgoingContext(ctx, Key, token)
}
return invoker(ctx, method, req, reply, cc, opts...)
})
}

// NewStreamClientInterceptor injects the bearer token header into gRPC request metadata.
func NewStreamClientInterceptor() grpc.StreamClientInterceptor {
return grpc.StreamClientInterceptor(func(
ctx context.Context,
desc *grpc.StreamDesc,
cc *grpc.ClientConn,
method string,
streamer grpc.Streamer,
opts ...grpc.CallOption,
) (grpc.ClientStream, error) {
var token string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var token string

if md, ok := metadata.FromIncomingContext(ctx); ok {
chahatsagarmain marked this conversation as resolved.
Show resolved Hide resolved
tokens := md.Get(Key)
if len(tokens) > 1 {
return nil, fmt.Errorf("malformed token: multiple tokens found")
}
if len(tokens) == 1 && tokens[0] != "" {
token = tokens[0]
}
}

if token == "" {
bearerToken, ok := GetBearerToken(ctx)
if ok && bearerToken != "" {
token = bearerToken
}
}

if token != "" {
ctx = metadata.AppendToOutgoingContext(ctx, Key, token)
}
return streamer(ctx, desc, cc, method, opts...)
})
}
Loading
Loading