go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/tokenserver/appengine/frontend/main.go (about)

     1  // Copyright 2016 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Binary frontend implements HTTP server that handles requests to 'default'
    16  // module.
    17  package main
    18  
    19  import (
    20  	"context"
    21  	"net/http"
    22  	"strings"
    23  
    24  	"google.golang.org/grpc"
    25  	"google.golang.org/grpc/codes"
    26  	"google.golang.org/grpc/status"
    27  
    28  	"go.chromium.org/luci/common/logging"
    29  	"go.chromium.org/luci/server"
    30  	"go.chromium.org/luci/server/auth"
    31  	"go.chromium.org/luci/server/router"
    32  
    33  	"go.chromium.org/luci/tokenserver/api/admin/v1"
    34  	"go.chromium.org/luci/tokenserver/api/minter/v1"
    35  
    36  	"go.chromium.org/luci/tokenserver/appengine/impl"
    37  )
    38  
// main starts the token server frontend through impl.Main. The callback
// registers the exposed RPC services, installs the admin-only authorization
// interceptor and adds a redirect from "/" to the RPC Explorer.
func main() {
	impl.Main(func(srv *server.Server, services *impl.Services) error {
		// Exposed RPC services.
		admin.RegisterCertificateAuthoritiesServer(srv, services.Certs)
		admin.RegisterAdminServer(srv, services.Admin)
		minter.RegisterTokenMinterServer(srv, services.Minter)

		// adminOnly gates every unary RPC whose full method name starts with
		// "/tokenserver.admin." on membership in the "administrators" group.
		// Methods outside that prefix (e.g. the minter service) pass through
		// untouched here; presumably they authorize callers themselves.
		//
		// NOTE(review): only a unary interceptor is registered in this block.
		// A streaming method added under the admin package would not pass
		// through this check and would need an equivalent stream interceptor.
		adminOnly := func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
			if !strings.HasPrefix(info.FullMethod, "/tokenserver.admin.") {
				return handler(ctx, req)
			}

			// Logged before the ACL decision, so denied attempts leave an
			// audit trail as well as successful ones.
			logging.Warningf(ctx, "%q is calling %q", auth.CurrentIdentity(ctx), info.FullMethod)

			isAdmin, aclErr := auth.IsMember(ctx, "administrators")
			if aclErr != nil {
				// Fail closed: if group membership cannot be determined, the
				// handler is never invoked.
				// NOTE(review): the underlying error text is returned to the
				// caller in the status message; confirm it cannot carry
				// internal details worth withholding.
				return nil, status.Errorf(codes.Internal, "can't check ACL - %s", aclErr)
			}
			if !isAdmin {
				return nil, status.Errorf(codes.PermissionDenied, "not an admin")
			}
			return handler(ctx, req)
		}
		srv.RegisterUnaryServerInterceptors(adminOnly)

		// The service has no UI, so just redirect to the RPC Explorer. The
		// redirect target is a fixed path and does not depend on the request.
		redirectToExplorer := func(c *router.Context) {
			http.Redirect(c.Writer, c.Request, "/rpcexplorer/", http.StatusFound)
		}
		srv.Routes.GET("/", nil, redirectToExplorer)

		return nil
	})
}