
     1  // Copyright 2022 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package main contains the main LUCI Deploy service binary.
    16  package main
    17  
    18  import (
    19  	"go.chromium.org/luci/server"
    20  	"go.chromium.org/luci/server/auth"
    21  	"go.chromium.org/luci/server/auth/openid"
    22  	"go.chromium.org/luci/server/auth/rpcacl"
    23  	"go.chromium.org/luci/server/cron"
    24  	"go.chromium.org/luci/server/encryptedcookies"
    25  	"go.chromium.org/luci/server/gaeemulation"
    26  	"go.chromium.org/luci/server/module"
    27  	"go.chromium.org/luci/server/secrets"
    28  	"go.chromium.org/luci/server/tq"
    29  
    30  	"go.chromium.org/luci/deploy/api/rpcpb"
    31  	"go.chromium.org/luci/deploy/service/model"
    32  	"go.chromium.org/luci/deploy/service/rpcs"
    33  	"go.chromium.org/luci/deploy/service/ui"
    34  
    35  	// Using datastore for user sessions.
    36  	_ "go.chromium.org/luci/server/encryptedcookies/session/datastore"
    37  	// Using datastore for transactional tasks.
    38  	_ "go.chromium.org/luci/server/tq/txn/datastore"
    39  )
    40  
// Group names that gate access to the service. Both are referenced by the
// RPC ACL map below and (accessGroup) by the web UI routes, so changing
// either value changes who can reach the service.
const (
	// actuatorsGroup: members are actuation agents that run the actual
	// deployments; it guards the Actuations RPC service.
	actuatorsGroup = "luci-deploy-actuators"

	// accessGroup: members get read-only access to the UI and the Assets API.
	accessGroup = "luci-deploy-access"
)
    47  
// rpcACL maps gRPC service prefixes to the group allowed to call them.
//
// It is enforced by rpcacl.Interceptor in main, which is the only per-RPC
// authorization layer for these services. Note that the discovery service
// is granted rpcacl.All, i.e. it is reachable by every caller (per rpcacl's
// semantics this includes anonymous callers — confirm against the rpcacl
// package docs if that matters for this deployment).
var rpcACL = rpcacl.Map{
	// Read-only asset API: restricted to the access group.
	"/deploy.service.Assets/*": accessGroup,
	// Actuation API: only actuation agents may call it.
	"/deploy.service.Actuations/*": actuatorsGroup,
	// Service discovery: open to all callers.
	"/discovery.Discovery/*": rpcacl.All,
}
    54  
// main wires up the LUCI Deploy service: server modules, the RPC services,
// their authentication and authorization, the web UI routes and cron jobs.
//
// Authorization for RPCs is entirely the rpcacl interceptor over rpcACL;
// the web UI is gated by accessGroup through ui.RegisterRoutes.
func main() {
	// Init callback run by server.Main once the modules are initialized.
	initServer := func(srv *server.Server) error {
		actuations := &rpcs.Actuations{}
		assets := &rpcs.Assets{}

		// Expose the RPC services.
		rpcpb.RegisterActuationsServer(srv, actuations)
		rpcpb.RegisterAssetsServer(srv, assets)

		// How RPC callers are authenticated. Methods are tried in order:
		// ID tokens first; SkipNonJWT lets non-JWT credentials (OAuth2
		// access tokens) fall through to the legacy OAuth2 method, kept
		// for the RPC Explorer and old clients.
		authMethods := []auth.Method{
			&openid.GoogleIDTokenAuthMethod{
				AudienceCheck: openid.AudienceMatchesHost,
				SkipNonJWT:    true,
			},
			&auth.GoogleOAuth2Method{
				Scopes: []string{"https://www.googleapis.com/auth/userinfo.email"},
			},
		}
		srv.SetRPCAuthMethods(authMethods)

		// Authorization: every RPC is checked against rpcACL before it
		// reaches a handler.
		srv.RegisterUnifiedServerInterceptors(rpcacl.Interceptor(rpcACL))

		// Web UI, readable by members of accessGroup only.
		ui.RegisterRoutes(srv, accessGroup, assets)

		// Periodic maintenance handlers.
		cron.RegisterHandler("expire-actuations", model.ExpireActuations)
		cron.RegisterHandler("cleanup-old-entities", model.CleanupOldEntities)

		return nil
	}

	server.Main(nil, []module.Module{
		cron.NewModuleFromFlags(),
		encryptedcookies.NewModuleFromFlags(),
		gaeemulation.NewModuleFromFlags(),
		secrets.NewModuleFromFlags(),
		tq.NewModuleFromFlags(),
	}, initServer)
}
    96  	})
    97  }