
     1  // Copyright 2021 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package impl
    16  
    17  import (
    18  	"go.chromium.org/luci/server/auth/authdb"
    19  	"go.chromium.org/luci/server/auth/rpcacl"
    20  
    21  	"go.chromium.org/luci/auth_service/impl/model"
    22  )
    23  
// AuthorizeRPCAccess is a gRPC server interceptor that checks the caller is
// in the group that grants access to the auth service API.
//
// Keys are either a full method name ("/<service>/<method>") or a service
// wildcard ("/<service>/*"); the value is the group a caller must belong to.
// NOTE(review): the CreateGroup entry below only tightens access if rpcacl.Map
// resolves an exact method key before the service wildcard — otherwise
// CreateGroup would fall back to the broader AuthServiceAccessGroup. Confirm
// against rpcacl's lookup order before relying on per-method overrides.
// rpcacl.All is presumed to admit every caller, including unauthenticated
// ones, so entries using it must not reach any data that needs protection.
var AuthorizeRPCAccess = rpcacl.Interceptor(rpcacl.Map{
	// Discovery API is used by the RPC Explorer to show the list of APIs. It just
	// returns the proto descriptors already available through the public source
	// code.
	"/discovery.Discovery/*": rpcacl.All,

	// GetSelf just checks credentials and doesn't access any data.
	"/auth.service.Accounts/GetSelf": rpcacl.All,

	// All methods to work with groups require authorization.
	"/auth.service.Groups/*": authdb.AuthServiceAccessGroup,

	// Only administrators can create groups. This is a per-method override of
	// the Groups wildcard entry above (see the NOTE on the declaration).
	"/auth.service.Groups/CreateGroup": model.AdminGroup,

	// All methods to work with allowlists require authorization.
	"/auth.service.Allowlists/*": authdb.AuthServiceAccessGroup,

	// All methods to work with AuthDB require authorization.
	"/auth.service.AuthDB/*": authdb.AuthServiceAccessGroup,

	// All methods to work with ChangeLogs require authorization.
	"/auth.service.ChangeLogs/*": authdb.AuthServiceAccessGroup,

	// Internals are used by the UI which is accessible only to authorized users.
	"/auth.internals.Internals/*": authdb.AuthServiceAccessGroup,

	// All methods that LUCI Config interacts to perform config validation.
	//
	// Allow all callers as the service itself will check whether the request
	// is from LUCI Config service. The interceptor does no caller check here,
	// so the handlers for this service are the only enforcement point.
	"/config.Consumer/*": rpcacl.All,
})