diff --git a/internal/authtoken/authtoken_test.go b/internal/authtoken/authtoken_test.go index bb2cd23b46..fad118a0fe 100644 --- a/internal/authtoken/authtoken_test.go +++ b/internal/authtoken/authtoken_test.go @@ -94,7 +94,7 @@ func TestAuthToken_DbUpdate(t *testing.T) { assert := assert.New(t) w := db.New(conn) - authTok := testAuthToken(t, conn, wrapper) + authTok := TestAuthToken(t, conn, wrapper) proto.Merge(authTok.AuthToken, tt.args.authTok) err := authTok.encrypt(context.Background(), wrapper) @@ -119,7 +119,7 @@ func TestAuthToken_DbCreate(t *testing.T) { u := iam.TestUser(t, conn, org.GetPublicId()) amId := setupAuthMethod(t, conn, org.GetPublicId()) acct := setupAuthAccount(t, conn, org.GetPublicId(), amId, u.GetPublicId()) - createdAuthToken := testAuthToken(t, conn, wrapper) + createdAuthToken := TestAuthToken(t, conn, wrapper) testAuthTokenId := func() string { id, err := newAuthTokenId() @@ -177,7 +177,7 @@ func TestAuthToken_DbDelete(t *testing.T) { } wrapper := db.TestWrapper(t) - existingAuthTok := testAuthToken(t, conn, wrapper) + existingAuthTok := TestAuthToken(t, conn, wrapper) var tests = []struct { name string diff --git a/internal/authtoken/repository_test.go b/internal/authtoken/repository_test.go index 8a51cc0567..fd4d292939 100644 --- a/internal/authtoken/repository_test.go +++ b/internal/authtoken/repository_test.go @@ -196,7 +196,7 @@ func TestRepository_LookupAuthToken(t *testing.T) { rw := db.New(conn) wrapper := db.TestWrapper(t) - at := testAuthToken(t, conn, wrapper) + at := TestAuthToken(t, conn, wrapper) at.Token = "" at.CtToken = nil @@ -262,7 +262,7 @@ func TestRepository_ValidateToken(t *testing.T) { require.NoError(t, err) require.NotNil(t, repo) - at := testAuthToken(t, conn, wrapper) + at := TestAuthToken(t, conn, wrapper) atToken := at.GetToken() at.Token = "" at.CtToken = nil 
@@ -362,7 +362,7 @@ func TestRepository_ValidateToken_expired(t *testing.T) { require.NoError(t, err) require.NotNil(t, repo) - baseAT := testAuthToken(t, conn, wrapper) + baseAT := TestAuthToken(t, conn, wrapper) baseAT.GetAuthAccountId() aAcct := &iam.AuthAccount{AuthAccount: &iamStore.AuthAccount{PublicId: baseAT.GetAuthAccountId()}} require.NoError(t, rw.LookupByPublicId(context.Background(), aAcct)) @@ -430,7 +430,7 @@ func TestRepository_DeleteAuthToken(t *testing.T) { rw := db.New(conn) wrapper := db.TestWrapper(t) - at := testAuthToken(t, conn, wrapper) + at := TestAuthToken(t, conn, wrapper) badId, err := newAuthTokenId() require.NoError(t, err) require.NotNil(t, badId) diff --git a/internal/authtoken/testing.go b/internal/authtoken/testing.go index 0b97575009..7c83d77d07 100644 --- a/internal/authtoken/testing.go +++ b/internal/authtoken/testing.go @@ -12,7 +12,7 @@ import ( "github.com/stretchr/testify/require" ) -func testAuthToken(t *testing.T, conn *gorm.DB, wrapper wrapping.Wrapper) *AuthToken { +func TestAuthToken(t *testing.T, conn *gorm.DB, wrapper wrapping.Wrapper) *AuthToken { t.Helper() require := require.New(t) org, _ := iam.TestScopes(t, conn) diff --git a/internal/servers/controller/common/common.go b/internal/servers/controller/common/common.go index 42347230dc..32b7265d14 100644 --- a/internal/servers/controller/common/common.go +++ b/internal/servers/controller/common/common.go @@ -1,11 +1,13 @@ package common import ( + "github.com/hashicorp/watchtower/internal/authtoken" "github.com/hashicorp/watchtower/internal/host/static" "github.com/hashicorp/watchtower/internal/iam" ) type ( - IamRepoFactory func() (*iam.Repository, error) - StaticRepoFactory func() (*static.Repository, error) + IamRepoFactory func() (*iam.Repository, error) + StaticRepoFactory func() (*static.Repository, error) + AuthTokenRepoFactory func() (*authtoken.Repository, error) ) 
diff --git a/internal/servers/controller/controller.go b/internal/servers/controller/controller.go index 0e3707cb8d..b98de7d3c7 100644 --- a/internal/servers/controller/controller.go +++ b/internal/servers/controller/controller.go @@ -7,6 +7,7 @@ import ( "github.com/hashicorp/go-hclog" "github.com/hashicorp/vault/sdk/helper/mlock" + "github.com/hashicorp/watchtower/internal/authtoken" "github.com/hashicorp/watchtower/internal/db" "github.com/hashicorp/watchtower/internal/host/static" "github.com/hashicorp/watchtower/internal/iam" @@ -23,6 +24,7 @@ type Controller struct { // Repo factory methods IamRepoFn common.IamRepoFactory StaticHostRepoFn common.StaticRepoFactory + AuthTokenRepoFn common.AuthTokenRepoFactory } func New(conf *Config) (*Controller, error) { @@ -61,6 +63,9 @@ func New(conf *Config) (*Controller, error) { c.StaticHostRepoFn = func() (*static.Repository, error) { return static.NewRepository(dbase, dbase, c.conf.ControllerKMS) } + c.AuthTokenRepoFn = func() (*authtoken.Repository, error) { + return authtoken.NewRepository(dbase, dbase, c.conf.ControllerKMS) + } return c, nil } diff --git a/internal/servers/controller/handler.go b/internal/servers/controller/handler.go index 2d26a4440d..9ba2daf53e 100644 --- a/internal/servers/controller/handler.go +++ b/internal/servers/controller/handler.go 
@@ -112,7 +112,8 @@ func handleGrpcGateway(c *Controller) (http.Handler, error) { // Register*ServiceHandlerServer methods ignore the passed in ctx. Using the baseContext now just in case this changes // in the future, at which point we'll want to be using the baseContext. ctx := c.baseContext - mux := runtime.NewServeMux(runtime.WithProtoErrorHandler(handlers.ErrorHandler(c.logger))) + mux := runtime.NewServeMux(runtime.WithMetadata(handlers.TokenAuthenticator(c.logger, c.AuthTokenRepoFn)), + runtime.WithProtoErrorHandler(handlers.ErrorHandler(c.logger))) hcs, err := host_catalogs.NewService(c.StaticHostRepoFn) if err != nil { return nil, fmt.Errorf("failed to create host catalog handler service: %w", err) diff --git a/internal/servers/controller/handlers/authtoken_intercept.go b/internal/servers/controller/handlers/authtoken_intercept.go new file mode 100644 index 0000000000..833f6d2cb0 --- /dev/null +++ b/internal/servers/controller/handlers/authtoken_intercept.go 
@@ -0,0 +1,182 @@ +package handlers + +import ( + "context" + "fmt" + "net/http" + "strconv" + "strings" + + "github.com/hashicorp/go-hclog" + "github.com/hashicorp/watchtower/internal/servers/controller/common" + "google.golang.org/grpc/metadata" +) + +const ( + headerAuthMethod = "Authorization" + httpOnlyCookieName = "wt-http-token-cookie" + jsVisibleCookieName = "wt-js-token-cookie" +) + +// TokenAuthenticator returns a function that can be used in grpc-gateway's runtime.WithMetadata ServerOption. +// It looks at the cookies and headers of the incoming request and returns metadata that can later be +// used by handlers to build a TokenMetadata using the ToTokenMetadata function. +func TokenAuthenticator(l hclog.Logger, tokenRepo common.AuthTokenRepoFactory) func(context.Context, *http.Request) metadata.MD { + return func(ctx context.Context, req *http.Request) metadata.MD { + tMD := TokenMetadata{} + if authHeader := req.Header.Get(headerAuthMethod); authHeader != "" { + headerSplit := strings.SplitN(strings.TrimSpace(authHeader), " ", 2) + if len(headerSplit) == 2 && strings.EqualFold(strings.TrimSpace(headerSplit[0]), "bearer") { + tMD.recievedTokenType = authTokenTypeBearer + tMD.bearerPayload = strings.TrimSpace(headerSplit[1]) + } + } + if tMD.recievedTokenType != authTokenTypeBearer { + if hc, err := req.Cookie(httpOnlyCookieName); err == nil { + tMD.httpCookiePayload = hc.Value + } + if jc, err := req.Cookie(jsVisibleCookieName); err == nil { + tMD.jsCookiePayload = jc.Value + } + if tMD.httpCookiePayload != "" && tMD.jsCookiePayload != "" { + tMD.recievedTokenType = authTokenTypeSplitCookie + } + } + + repo, err := tokenRepo() + if err != nil { + l.Error("failed to get authtoken repo", "error", err) + return tMD.toMetadata() + } + at, err := repo.ValidateToken(ctx, tMD.publicId(), tMD.token()) + if err != nil { + l.Error("failed to validate token", "error", err) + } + if at != nil { + tMD.UserId = at.GetIamUserId() + } + + return tMD.toMetadata() + } +} 
+ +type tokenFormat int + +const ( + authTokenTypeUnknown tokenFormat = iota + authTokenTypeBearer + authTokenTypeSplitCookie +) + +// TokenMetadata allows easy writing/reading of tokens to clients and authenticating the provided token. +// Expected usage for authorization is +// func (s *Service) GetResource(ctx context.Context, req GetResourceRequest) (GetResourceResponse, error) { +// amd := handlers.ToTokenMetadata(ctx) +// if !authorizer.isAuthorized(amd.UserId, "ReadResource", req.GetId()) { return nil, UnauthorizedError } +// ... +// +// A new token will be created by the Authenticate method on an Organization. The token value will be returned +// through json and not be intercepted by these tools. +// TODO: Intercept the outgoing Authenticate/Deauthenticate response and manipulate +// the response if the token type was cookie. +type TokenMetadata struct { + // Only set the UserId if the token was found and was not expired. + UserId string + + recievedTokenType tokenFormat + bearerPayload string + + jsCookiePayload string + httpCookiePayload string +} + +const ( + mdAuthTokenUserKey = "wt-authtoken-user-key" + mdAuthTokenBearerTokenKey = "wt-authtoken-bearer-token-key" + mdAuthTokenHttpTokenKey = "wt-authtoken-http-token-key" + mdAuthTokenJsTokenKey = "wt-authtoken-js-token-key" + mdAuthTokenTypeKey = "wt-authtoken-type-key" +) + +// ToTokenMetadata takes an incoming context and builds a TokenMetadata based on the metadata attached to it. +// If the context has no TokenMetadata attached to it an empty TokenMetadata is returned. 
+func ToTokenMetadata(ctx context.Context) TokenMetadata { + md, ok := metadata.FromIncomingContext(ctx) + if !ok { + return TokenMetadata{} + } + tMD := TokenMetadata{} + if uid := md.Get(mdAuthTokenUserKey); len(uid) > 0 { + tMD.UserId = uid[0] + } + if token := md.Get(mdAuthTokenBearerTokenKey); len(token) > 0 { + tMD.bearerPayload = token[0] + } + if token := md.Get(mdAuthTokenHttpTokenKey); len(token) > 0 { + tMD.httpCookiePayload = token[0] + } + if token := md.Get(mdAuthTokenJsTokenKey); len(token) > 0 { + tMD.jsCookiePayload = token[0] + } + if sType := md.Get(mdAuthTokenTypeKey); len(sType) > 0 { + if st, err := strconv.Atoi(sType[0]); err == nil { + tMD.recievedTokenType = tokenFormat(st) + } + } + + return tMD +} + +func (s TokenMetadata) toMetadata() metadata.MD { + md := metadata.MD{} + if s.UserId != "" { + md.Set(mdAuthTokenUserKey, s.UserId) + } + if s.bearerPayload != "" { + md.Set(mdAuthTokenBearerTokenKey, s.bearerPayload) + } + if s.httpCookiePayload != "" { + md.Set(mdAuthTokenHttpTokenKey, s.httpCookiePayload) + } + if s.jsCookiePayload != "" { + md.Set(mdAuthTokenJsTokenKey, s.jsCookiePayload) + } + if s.recievedTokenType != authTokenTypeUnknown { + md.Set(mdAuthTokenTypeKey, fmt.Sprint(s.recievedTokenType)) + } + return md +} + +// publicId returns the public id parsed out of the provided auth token. If the provided auth token +// is malformed then this returns an empty string. +func (s TokenMetadata) publicId() string { + tok := "" + switch s.recievedTokenType { + case authTokenTypeBearer: + tok = s.bearerPayload + case authTokenTypeSplitCookie: + tok = s.jsCookiePayload + s.httpCookiePayload + } + l := strings.Split(tok, "_")[:strings.Count(tok, "_")] + if len(l) != 2 { + return "" + } + return strings.Join(l, "_") +} + +// token returns the token value parsed out of the provided auth token. If the provided auth token +// is malformed then this returns an empty string. 
+func (s TokenMetadata) token() string { + var tok string + switch s.recievedTokenType { + case authTokenTypeBearer: + tok = s.bearerPayload + case authTokenTypeSplitCookie: + tok = s.jsCookiePayload + s.httpCookiePayload + } + l := strings.Split(tok, "_") + if len(l) != 3 { + return "" + } + return l[2] +} diff --git a/internal/servers/controller/handlers/authtoken_intercept_test.go b/internal/servers/controller/handlers/authtoken_intercept_test.go new file mode 100644 index 0000000000..9e8834f33a --- /dev/null +++ b/internal/servers/controller/handlers/authtoken_intercept_test.go 
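Review bot: ToTokenMetadata takes `uid[0]` from whatever the incoming metadata carries under mdAuthTokenUserKey, but nothing ties that key to TokenAuthenticator: with the mux built by a plain `runtime.NewServeMux` in handler.go (no `WithIncomingHeaderMatcher`), grpc-gateway's default matcher also copies client-supplied `Grpc-Metadata-*` headers into the same metadata, and `metadata.Join` orders those before the annotator's values, so a caller could present a user id that ValidateToken never produced — please confirm against the grpc-gateway version pinned in go.mod. A safer design carries the authenticated identity in a context value that only the annotator can set, or at least has the annotator always emit the key (even when empty) and the reader take the last element; the same reasoning applies to the three token-payload keys, which additionally expose the raw secret to every handler through metadata. Also, TokenAuthenticator still calls `tokenRepo()` and `repo.ValidateToken(ctx, "", "")` when no credential was presented (`recievedTokenType == authTokenTypeUnknown`), costing a DB round trip plus an Error-level log line per anonymous request; returning `tMD.toMetadata()` early in that case avoids both. Finally, `tMD.UserId` is assigned whenever `at != nil` even if `err != nil`; if ValidateToken can return a token together with an error (e.g. on expiry — not visible here) that contradicts the "not expired" comment on the UserId field, so prefer `if err == nil && at != nil { tMD.UserId = at.GetIamUserId() }`.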
@@ -0,0 +1,194 @@ +package handlers + +import ( + "context" + "errors" + "fmt" + "net/http" + "net/http/httptest" + "testing" + + "github.com/grpc-ecosystem/grpc-gateway/runtime" + "github.com/hashicorp/go-hclog" + "github.com/hashicorp/watchtower/internal/authtoken" + "github.com/hashicorp/watchtower/internal/db" + "github.com/hashicorp/watchtower/internal/gen/controller/api/services" + pbs "github.com/hashicorp/watchtower/internal/gen/controller/api/services" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +// Any generated service would do, but using organization since the path is the shortest for testing. +type fakeHandler struct { + pbs.UnimplementedOrganizationServiceServer + validateFn func(context.Context) +} + +func (s *fakeHandler) GetOrganization(ctx context.Context, _ *pbs.GetOrganizationRequest) (*pbs.GetOrganizationResponse, error) { + s.validateFn(ctx) + return nil, errors.New("Doesn't matter this is just for testing input.") +} + +func TestAuthTokenPublicIdTokenValue(t *testing.T) { + cases := []struct { + name string + in TokenMetadata + wantId string + wantToken string + }{ + { + name: "no delimeter", + in: TokenMetadata{ + recievedTokenType: authTokenTypeBearer, + bearerPayload: "prefix_publicid_token", + jsCookiePayload: "this_is_just_junk", + httpCookiePayload: "this_can_be_ignored", + }, + wantId: "prefix_publicid", + wantToken: "token", + }, + { + name: "no delimeter", + in: TokenMetadata{ + recievedTokenType: authTokenTypeSplitCookie, + bearerPayload: "this_is_just_junk_that_should_be_ignored", + jsCookiePayload: "prefix_publicid_token", + httpCookiePayload: "cookiepayload", + }, + wantId: "prefix_publicid", + wantToken: "tokencookiepayload", + }, + { + name: "no delimeter", + in: TokenMetadata{ + recievedTokenType: authTokenTypeBearer, + bearerPayload: "this-doesnt-have-the-expected-delimiter", + }, + wantId: "", + wantToken: "", + }, + { + name: "to many delimeters", + in: TokenMetadata{ + 
recievedTokenType: authTokenTypeBearer, + bearerPayload: "this_has_to_many_delimiters", + }, + wantId: "", + wantToken: "", + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + assert.Equal(t, tc.wantId, tc.in.publicId(), "got wrong public id") + assert.Equal(t, tc.wantToken, tc.in.token(), "got wrong token value") + }) + } +} + +func TestAuthTokenAuthenticator(t *testing.T) { + conn, _ := db.TestSetup(t, "postgres") + rw := db.New(conn) + wrapper := db.TestWrapper(t) + repo, err := authtoken.NewRepository(rw, rw, wrapper) + require.NoError(t, err) + repoFn := func() (*authtoken.Repository, error) { + return repo, nil + } + + at := authtoken.TestAuthToken(t, conn, wrapper) + + tokValue := at.GetPublicId() + "_" + at.GetToken() + jsCookieVal, httpCookieVal := tokValue[:len(tokValue)/2], tokValue[len(tokValue)/2:] + + cases := []struct { + name string + headers map[string]string + cookies []http.Cookie + wantAuthTokMd TokenMetadata + }{ + { + name: "Empty headers", + headers: map[string]string{}, + wantAuthTokMd: TokenMetadata{recievedTokenType: authTokenTypeUnknown}, + }, + { + name: "Bear token", + headers: map[string]string{"Authorization": fmt.Sprintf("Bearer %s", tokValue)}, + wantAuthTokMd: TokenMetadata{ + recievedTokenType: authTokenTypeBearer, + bearerPayload: tokValue, + UserId: at.GetIamUserId(), + }, + }, + { + name: "Split cookie token", + cookies: []http.Cookie{ + {Name: httpOnlyCookieName, Value: httpCookieVal}, + {Name: jsVisibleCookieName, Value: jsCookieVal}, + }, + wantAuthTokMd: TokenMetadata{ + recievedTokenType: authTokenTypeSplitCookie, + httpCookiePayload: httpCookieVal, + jsCookiePayload: jsCookieVal, + UserId: at.GetIamUserId(), + }, + }, + { + name: "Split cookie token only http cookie", + cookies: []http.Cookie{ + {Name: httpOnlyCookieName, Value: httpCookieVal}, + }, + wantAuthTokMd: TokenMetadata{ + recievedTokenType: authTokenTypeUnknown, + httpCookiePayload: httpCookieVal, + }, + }, + { + name: "Split cookie 
token only js cookie", + cookies: []http.Cookie{ + {Name: jsVisibleCookieName, Value: jsCookieVal}, + }, + wantAuthTokMd: TokenMetadata{ + recievedTokenType: authTokenTypeUnknown, + jsCookiePayload: jsCookieVal, + }, + }, + { + name: "Cookie and auth header", + headers: map[string]string{"Authorization": fmt.Sprintf("Bearer %s", tokValue)}, + cookies: []http.Cookie{ + {Name: httpOnlyCookieName, Value: httpCookieVal}, + {Name: jsVisibleCookieName, Value: jsCookieVal}, + }, + // We prioritize the auth header over the cookie and if the header is set we ignore the cookies completely. + wantAuthTokMd: TokenMetadata{ + recievedTokenType: authTokenTypeBearer, + bearerPayload: tokValue, + UserId: at.GetIamUserId(), + }, + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + hook := &fakeHandler{validateFn: func(ctx context.Context) { + tMD := ToTokenMetadata(ctx) + assert.Equal(t, tc.wantAuthTokMd, tMD) + }} + mux := runtime.NewServeMux(runtime.WithMetadata(TokenAuthenticator(hclog.L(), repoFn))) + require.NoError(t, services.RegisterOrganizationServiceHandlerServer(context.Background(), mux, hook)) + + req := httptest.NewRequest("GET", "http://127.0.0.1/v1/orgs/1", nil) + for k, v := range tc.headers { + req.Header.Set(k, v) + } + for _, c := range tc.cookies { + req.AddCookie(&c) + } + + resp := httptest.NewRecorder() + mux.ServeHTTP(resp, req) + }) + } +} diff --git a/internal/servers/controller/handlers/groups/group_service.go b/internal/servers/controller/handlers/groups/group_service.go index 7cc509ab67..def366d9ca 100644 --- a/internal/servers/controller/handlers/groups/group_service.go +++ b/internal/servers/controller/handlers/groups/group_service.go 
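Review bot: TestAuthTokenAuthenticator never checks that fakeHandler.validateFn actually ran, so if the gateway routes `/v1/orgs/1` elsewhere or rejects the request before GetOrganization is reached, every `assert.Equal` inside the hook is skipped and the test passes vacuously; record a `called` flag in validateFn and `require.True(t, called)` after `mux.ServeHTTP(resp, req)`, or additionally assert on `resp.Code`. In TestAuthTokenPublicIdTokenValue three cases share the name "no delimeter" (spelled "delimiter"), so t.Run reports them as `no_delimeter`, `no_delimeter#01`, … and a failure is hard to attribute; give them distinct names such as `bearer`, `split cookie`, `no delimiter`. The "Bear token" case name looks like a typo for "Bearer token". A table case with an invalid or expired token — one where ValidateToken fails — would also pin the intended behaviour that UserId stays empty on the error-log path.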
@@ -49,6 +49,8 @@ var _ pbs.GroupServiceServer = Service{} // ListGroups implements the interface pbs.GroupServiceServer. func (s Service) ListGroups(ctx context.Context, req *pbs.ListGroupsRequest) (*pbs.ListGroupsResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateListRequest(req); err != nil { return nil, err } @@ -61,6 +63,8 @@ func (s Service) ListGroups(ctx context.Context, req *pbs.ListGroupsRequest) (*p // GetGroups implements the interface pbs.GroupServiceServer. func (s Service) GetGroup(ctx context.Context, req *pbs.GetGroupRequest) (*pbs.GetGroupResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateGetRequest(req); err != nil { return nil, err } @@ -73,6 +77,8 @@ func (s Service) GetGroup(ctx context.Context, req *pbs.GetGroupRequest) (*pbs.G // CreateGroup implements the interface pbs.GroupServiceServer. func (s Service) CreateGroup(ctx context.Context, req *pbs.CreateGroupRequest) (*pbs.CreateGroupResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateCreateRequest(req); err != nil { return nil, err } @@ -89,6 +95,8 @@ func (s Service) CreateGroup(ctx context.Context, req *pbs.CreateGroupRequest) ( // UpdateGroup implements the interface pbs.GroupServiceServer. func (s Service) UpdateGroup(ctx context.Context, req *pbs.UpdateGroupRequest) (*pbs.UpdateGroupResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateUpdateRequest(req); err != nil { return nil, err } @@ -101,6 +109,8 @@ func (s Service) UpdateGroup(ctx context.Context, req *pbs.UpdateGroupRequest) ( // DeleteGroup implements the interface pbs.GroupServiceServer. func (s Service) DeleteGroup(ctx context.Context, req *pbs.DeleteGroupRequest) (*pbs.DeleteGroupResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateDeleteRequest(req); err != nil { return nil, err } 
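Review bot: Each handler here now computes `auth := handlers.ToTokenMetadata(ctx)` and immediately discards it with `_ = auth`, so requests with no token or an invalid one (UserId empty) are still served exactly as before; if this is intentional scaffolding, a comment such as `// TODO: authorize the request from auth.UserId once authorization lands` would make that explicit, and `_ = handlers.ToTokenMetadata(ctx)` avoids the dead local. The same pattern repeats in host_catalog_service.go, organization_service.go, project_service.go, role_service.go and user_service.go, so one decision should be applied to all of them. If the intent is to begin enforcing authentication now, the minimal gate is `if auth.UserId == "" { return nil, <unauthenticated error from handlers> }` (placeholder — use whichever error helper handlers already provides). Note that in the visible hunks ListHostCatalogs and ListUsers do not receive the call while every other method does, so coverage appears uneven.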
diff --git a/internal/servers/controller/handlers/host_catalogs/host_catalog_service.go b/internal/servers/controller/handlers/host_catalogs/host_catalog_service.go index 41ffb9cdd3..cfc827d55c 100644 --- a/internal/servers/controller/handlers/host_catalogs/host_catalog_service.go +++ b/internal/servers/controller/handlers/host_catalogs/host_catalog_service.go @@ -91,6 +91,8 @@ func (s Service) ListHostCatalogs(ctx context.Context, req *pbs.ListHostCatalogs // GetHostCatalog implements the interface pbs.HostCatalogServiceServer. func (s Service) GetHostCatalog(ctx context.Context, req *pbs.GetHostCatalogRequest) (*pbs.GetHostCatalogResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth ct := typeFromId(req.GetId()) if ct == unknownType { return nil, handlers.InvalidArgumentErrorf("Invalid argument provided.", map[string]string{"id": "Improperly formatted identifier used."}) @@ -107,6 +109,8 @@ func (s Service) GetHostCatalog(ctx context.Context, req *pbs.GetHostCatalogRequ // CreateHostCatalog implements the interface pbs.HostCatalogServiceServer. func (s Service) CreateHostCatalog(ctx context.Context, req *pbs.CreateHostCatalogRequest) (*pbs.CreateHostCatalogResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateCreateRequest(req); err != nil { return nil, err } @@ -122,6 +126,8 @@ func (s Service) CreateHostCatalog(ctx context.Context, req *pbs.CreateHostCatal // UpdateHostCatalog implements the interface pbs.HostCatalogServiceServer. func (s Service) UpdateHostCatalog(ctx context.Context, req *pbs.UpdateHostCatalogRequest) (*pbs.UpdateHostCatalogResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth ct := typeFromId(req.GetId()) if ct == unknownType { return nil, handlers.InvalidArgumentErrorf("Invalid argument provided.", map[string]string{"id": "Improperly formatted identifier used."}) 
@@ -138,6 +144,8 @@ func (s Service) UpdateHostCatalog(ctx context.Context, req *pbs.UpdateHostCatal // DeleteHostCatalog implements the interface pbs.HostCatalogServiceServer. func (s Service) DeleteHostCatalog(ctx context.Context, req *pbs.DeleteHostCatalogRequest) (*pbs.DeleteHostCatalogResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth ct := typeFromId(req.GetId()) if ct == unknownType { return nil, handlers.InvalidArgumentErrorf("Invalid argument provided.", map[string]string{"id": "Improperly formatted identifier used."}) diff --git a/internal/servers/controller/handlers/organizations/organization_service.go b/internal/servers/controller/handlers/organizations/organization_service.go index bddbcfa67d..9154c473a3 100644 --- a/internal/servers/controller/handlers/organizations/organization_service.go +++ b/internal/servers/controller/handlers/organizations/organization_service.go @@ -40,6 +40,8 @@ var _ pbs.OrganizationServiceServer = Service{} // ListOrganizations is not yet implemented but will implement the interface pbs.OrganizationServiceServer. func (s Service) ListOrganizations(ctx context.Context, req *pbs.ListOrganizationsRequest) (*pbs.ListOrganizationsResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth ol, err := s.listFromRepo(ctx) if err != nil { return nil, err @@ -49,6 +51,8 @@ func (s Service) ListOrganizations(ctx context.Context, req *pbs.ListOrganizatio // GetOrganizations implements the interface pbs.OrganizationServiceServer. func (s Service) GetOrganization(ctx context.Context, req *pbs.GetOrganizationRequest) (*pbs.GetOrganizationResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateGetRequest(req); err != nil { return nil, err } diff --git a/internal/servers/controller/handlers/projects/project_service.go b/internal/servers/controller/handlers/projects/project_service.go index abbcdcdd5e..019ab48f19 100644 
--- a/internal/servers/controller/handlers/projects/project_service.go +++ b/internal/servers/controller/handlers/projects/project_service.go @@ -45,6 +45,8 @@ var _ pbs.ProjectServiceServer = Service{} // ListProjects implements the interface pbs.ProjectServiceServer. func (s Service) ListProjects(ctx context.Context, req *pbs.ListProjectsRequest) (*pbs.ListProjectsResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateListRequest(req); err != nil { return nil, err } @@ -57,6 +59,8 @@ func (s Service) ListProjects(ctx context.Context, req *pbs.ListProjectsRequest) // GetProjects implements the interface pbs.ProjectServiceServer. func (s Service) GetProject(ctx context.Context, req *pbs.GetProjectRequest) (*pbs.GetProjectResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateGetRequest(req); err != nil { return nil, err } @@ -69,6 +73,8 @@ func (s Service) GetProject(ctx context.Context, req *pbs.GetProjectRequest) (*p // CreateProject implements the interface pbs.ProjectServiceServer. func (s Service) CreateProject(ctx context.Context, req *pbs.CreateProjectRequest) (*pbs.CreateProjectResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateCreateRequest(req); err != nil { return nil, err } @@ -81,6 +87,8 @@ func (s Service) CreateProject(ctx context.Context, req *pbs.CreateProjectReques // UpdateProject implements the interface pbs.ProjectServiceServer. func (s Service) UpdateProject(ctx context.Context, req *pbs.UpdateProjectRequest) (*pbs.UpdateProjectResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateUpdateRequest(req); err != nil { return nil, err } 
@@ -93,6 +101,8 @@ func (s Service) UpdateProject(ctx context.Context, req *pbs.UpdateProjectReques // DeleteProject implements the interface pbs.ProjectServiceServer. func (s Service) DeleteProject(ctx context.Context, req *pbs.DeleteProjectRequest) (*pbs.DeleteProjectResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateDeleteRequest(req); err != nil { return nil, err } diff --git a/internal/servers/controller/handlers/roles/role_service.go b/internal/servers/controller/handlers/roles/role_service.go index b393d938d3..47599d2e3d 100644 --- a/internal/servers/controller/handlers/roles/role_service.go +++ b/internal/servers/controller/handlers/roles/role_service.go @@ -49,6 +49,8 @@ var _ pbs.RoleServiceServer = Service{} // ListRoles implements the interface pbs.RoleServiceServer. func (s Service) ListRoles(ctx context.Context, req *pbs.ListRolesRequest) (*pbs.ListRolesResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateListRequest(req); err != nil { return nil, err } @@ -61,6 +63,8 @@ func (s Service) ListRoles(ctx context.Context, req *pbs.ListRolesRequest) (*pbs // GetRoles implements the interface pbs.RoleServiceServer. func (s Service) GetRole(ctx context.Context, req *pbs.GetRoleRequest) (*pbs.GetRoleResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateGetRequest(req); err != nil { return nil, err } @@ -73,6 +77,8 @@ func (s Service) GetRole(ctx context.Context, req *pbs.GetRoleRequest) (*pbs.Get // CreateRole implements the interface pbs.RoleServiceServer. func (s Service) CreateRole(ctx context.Context, req *pbs.CreateRoleRequest) (*pbs.CreateRoleResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateCreateRequest(req); err != nil { return nil, err } 
@@ -89,6 +95,8 @@ func (s Service) CreateRole(ctx context.Context, req *pbs.CreateRoleRequest) (*p // UpdateRole implements the interface pbs.RoleServiceServer. func (s Service) UpdateRole(ctx context.Context, req *pbs.UpdateRoleRequest) (*pbs.UpdateRoleResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateUpdateRequest(req); err != nil { return nil, err } @@ -101,6 +109,8 @@ func (s Service) UpdateRole(ctx context.Context, req *pbs.UpdateRoleRequest) (*p // DeleteRole implements the interface pbs.RoleServiceServer. func (s Service) DeleteRole(ctx context.Context, req *pbs.DeleteRoleRequest) (*pbs.DeleteRoleResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateDeleteRequest(req); err != nil { return nil, err } diff --git a/internal/servers/controller/handlers/users/user_service.go b/internal/servers/controller/handlers/users/user_service.go index f0a2c1415c..e22592dabd 100644 --- a/internal/servers/controller/handlers/users/user_service.go +++ b/internal/servers/controller/handlers/users/user_service.go @@ -58,6 +58,8 @@ func (s Service) ListUsers(ctx context.Context, req *pbs.ListUsersRequest) (*pbs // GetUsers implements the interface pbs.UserServiceServer. func (s Service) GetUser(ctx context.Context, req *pbs.GetUserRequest) (*pbs.GetUserResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateGetRequest(req); err != nil { return nil, err } @@ -70,6 +72,8 @@ func (s Service) GetUser(ctx context.Context, req *pbs.GetUserRequest) (*pbs.Get // CreateUser implements the interface pbs.UserServiceServer. func (s Service) CreateUser(ctx context.Context, req *pbs.CreateUserRequest) (*pbs.CreateUserResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateCreateRequest(req); err != nil { return nil, err } 
@@ -82,6 +86,8 @@ func (s Service) CreateUser(ctx context.Context, req *pbs.CreateUserRequest) (*p // UpdateUser implements the interface pbs.UserServiceServer. func (s Service) UpdateUser(ctx context.Context, req *pbs.UpdateUserRequest) (*pbs.UpdateUserResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateUpdateRequest(req); err != nil { return nil, err } @@ -94,6 +100,8 @@ func (s Service) UpdateUser(ctx context.Context, req *pbs.UpdateUserRequest) (*p // DeleteUser implements the interface pbs.UserServiceServer. func (s Service) DeleteUser(ctx context.Context, req *pbs.DeleteUserRequest) (*pbs.DeleteUserResponse, error) { + auth := handlers.ToTokenMetadata(ctx) + _ = auth if err := validateDeleteRequest(req); err != nil { return nil, err }