From cce3e0f170dfacb6b626a8777255c3183c5c5eb3 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Fri, 27 Jun 2025 16:45:17 -0600
Subject: refactor: extract authorization::Server type
---
 src/authorization/server.rs | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 src/authorization/server.rs
(limited to 'src/authorization/server.rs')
diff --git a/src/authorization/server.rs b/src/authorization/server.rs
new file mode 100644
index 00000000..f11d0465
--- /dev/null
+++ b/src/authorization/server.rs
@@ -0,0 +1,41 @@
+use super::cedar_authorizer::CedarAuthorizer;
+use super::check_service::CheckService;
+use envoy_types::ext_authz::v3::pb::AuthorizationServer;
+use std::sync::Arc;
+
+pub fn create_router() -> Result> {
+ let (_health_reporter, health_service) = tonic_health::server::health_reporter();
+ let authorizer = Arc::new(CedarAuthorizer::default());
+ let check_service = CheckService::new(authorizer);
+ let server = tonic::transport::Server::builder()
+ .add_service(AuthorizationServer::new(check_service))
+ .add_service(health_service)
+ .add_service(
+ tonic_reflection::server::Builder::configure()
+ .register_encoded_file_descriptor_set(tonic_health::pb::FILE_DESCRIPTOR_SET)
+ .build_v1()
+ .unwrap(),
+ );
+ Ok(server)
+}
+
+pub struct Server {
+ router: tonic::transport::server::Router,
+}
+
+impl Server {
+ pub fn new() -> Result> {
+ let router = create_router()?;
+ Ok(Server { router: router })
+ }
+
+ pub async fn serve(self, addr: std::net::SocketAddr) -> Result<(), tonic::transport::Error> {
+ self.router.serve(addr).await
+ }
+}
+
+impl Default for Server {
+ fn default() -> Self {
+ Self::new().unwrap()
+ }
+}
-- cgit v1.2.3
From 9d950395315cef169fcb5e99d7109ea34af5b542 Mon Sep 17 00:00:00 2001
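Review bot: `create_router` already returns a `Result`, yet the reflection service is built with `.build_v1().unwrap()`, so a bad descriptor set panics at startup instead of reaching the caller; `.build_v1()?` keeps that failure on the returned error path (the generic parameters of the return type are lost in this rendering, so an error conversion may be needed). `impl Default for Server` likewise hides the fallible `Self::new()` behind `unwrap()`; a panicking `Default` surprises callers and needs at least a `/// # Panics` doc line saying it panics when the router cannot be built. Minor style: `Ok(Server { router: router })` can use field-init shorthand, `Ok(Server { router })`. Registering gRPC reflection also makes the full service catalogue discoverable to any peer that can reach this listener, which is convenient in development but should be gated behind configuration if the port is reachable by anything other than the Envoy sidecar.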
From: mo khan
Date: Fri, 27 Jun 2025 17:26:37 -0600
Subject: refactor: attempt to create constructor that allows passing in services
---
 src/authorization/server.rs | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)
(limited to 'src/authorization/server.rs')
diff --git a/src/authorization/server.rs b/src/authorization/server.rs
index f11d0465..7c39b51c 100644
--- a/src/authorization/server.rs
+++ b/src/authorization/server.rs
@@ -3,30 +3,34 @@ use super::check_service::CheckService;
 use envoy_types::ext_authz::v3::pb::AuthorizationServer;
 use std::sync::Arc;
-pub fn create_router() -> Result> {
- let (_health_reporter, health_service) = tonic_health::server::health_reporter();
- let authorizer = Arc::new(CedarAuthorizer::default());
- let check_service = CheckService::new(authorizer);
- let server = tonic::transport::Server::builder()
- .add_service(AuthorizationServer::new(check_service))
- .add_service(health_service)
- .add_service(
- tonic_reflection::server::Builder::configure()
- .register_encoded_file_descriptor_set(tonic_health::pb::FILE_DESCRIPTOR_SET)
- .build_v1()
- .unwrap(),
- );
- Ok(server)
-}
-
 pub struct Server {
 router: tonic::transport::server::Router,
 }
 impl Server {
 pub fn new() -> Result> {
- let router = create_router()?;
- Ok(Server { router: router })
+ Ok(Self::new_with(|mut builder| {
+ let (_health_reporter, health_service) = tonic_health::server::health_reporter();
+ let authorizer = Arc::new(CedarAuthorizer::default());
+ let check_service = CheckService::new(authorizer);
+ builder
+ .add_service(AuthorizationServer::new(check_service))
+ .add_service(health_service)
+ .add_service(
+ tonic_reflection::server::Builder::configure()
+ .register_encoded_file_descriptor_set(tonic_health::pb::FILE_DESCRIPTOR_SET)
+ .build_v1()
+ .unwrap(),
+ )
+ }))
+ }
+
+ pub fn new_with(f: F) -> Server
+ where
+ F: FnOnce(tonic::transport::Server) -> tonic::transport::server::Router,
+ {
+ let router = f(tonic::transport::Server::builder());
+ Server { router }
 }
 pub async fn serve(self, addr: std::net::SocketAddr) -> Result<(), tonic::transport::Error> {
-- cgit v1.2.3
From f86aa3653c5b88586aa51e218865e62b030c045b Mon Sep 17 00:00:00 2001
From: mo khan
Date: Fri, 27 Jun 2025 18:01:59 -0600
Subject: refactor: remove the reflection service
---
 Makefile | 3 ---
 src/authorization/server.rs | 6 ------
 2 files changed, 9 deletions(-)
(limited to 'src/authorization/server.rs')
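Review bot: After this change `new()` can no longer return `Err`: its only fallible step, `.build_v1()`, is `unwrap()`ed inside the closure handed to `new_with`, so a broken descriptor set panics while the signature still promises a `Result`. Build the reflection service before entering the closure, `let reflection = tonic_reflection::server::Builder::configure().register_encoded_file_descriptor_set(tonic_health::pb::FILE_DESCRIPTOR_SET).build_v1()?;`, and move `reflection` into the closure so the error reaches the caller (the exact conversion depends on the return type's generic parameters, which are lost in this rendering). `new_with` is a new public constructor and needs a `///` doc comment stating that the closure receives a fresh `tonic::transport::Server` builder and must return the fully assembled `Router`. The enclosing `impl Server` block continues past the end of the hunk.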
diff --git a/Makefile b/Makefile
index decb9a05..a134ae64 100644
--- a/Makefile
+++ b/Makefile
@@ -40,6 +40,3 @@ run-image: build-image
 # gRPC testing targets
 health-check:
 @grpcurl -plaintext localhost:50051 grpc.health.v1.Health/Check
-
-list-services:
- @grpcurl -plaintext localhost:50051 list
diff --git a/src/authorization/server.rs b/src/authorization/server.rs
index 7c39b51c..2605bd54 100644
--- a/src/authorization/server.rs
+++ b/src/authorization/server.rs
@@ -16,12 +16,6 @@ impl Server {
 builder
 .add_service(AuthorizationServer::new(check_service))
 .add_service(health_service)
- .add_service(
- tonic_reflection::server::Builder::configure()
- .register_encoded_file_descriptor_set(tonic_health::pb::FILE_DESCRIPTOR_SET)
- .build_v1()
- .unwrap(),
- )
 }))
 }
-- cgit v1.2.3
From 12550869b5f9c50a6ce6c9ab54eee456b32057da Mon Sep 17 00:00:00 2001
From: mo khan
Date: Fri, 27 Jun 2025 18:08:42 -0600
Subject: chore: add a logging interceptor to log request
---
 src/authorization/server.rs | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
(limited to 'src/authorization/server.rs')
diff --git a/src/authorization/server.rs b/src/authorization/server.rs
index 2605bd54..de7df580 100644
--- a/src/authorization/server.rs
+++ b/src/authorization/server.rs
@@ -9,12 +9,15 @@ pub struct Server {
 impl Server {
 pub fn new() -> Result> {
+ let (_health_reporter, health_service) = tonic_health::server::health_reporter();
+ let authorization_service = AuthorizationServer::with_interceptor(
+ CheckService::new(Arc::new(CedarAuthorizer::default())),
+ logging_interceptor,
+ );
+
 Ok(Self::new_with(|mut builder| {
- let (_health_reporter, health_service) = tonic_health::server::health_reporter();
- let authorizer = Arc::new(CedarAuthorizer::default());
- let check_service = CheckService::new(authorizer);
 builder
- .add_service(AuthorizationServer::new(check_service))
+ .add_service(authorization_service)
 .add_service(health_service)
 }))
 }
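Review bot: The moved line `let (_health_reporter, health_service) = tonic_health::server::health_reporter();` still discards the reporter at the end of `new()`, so nothing in this process can ever change the status the health service reports; if I read tonic_health correctly that means the listener keeps answering with its initial status even while draining or when the authorizer is unable to evaluate policy, which defeats the purpose of exposing the health check to Envoy. Consider keeping the reporter as a field on `Server` (or returning it alongside) so a shutdown or policy-load failure can flip the service to NOT_SERVING. At minimum add a comment on that line stating that the reporter is intentionally dropped and the health status is therefore static. `new()` is fully inside the hunk; the surrounding `impl Server` block extends past it.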
@@ -37,3 +40,8 @@ impl Default for Server {
 Self::new().unwrap()
 }
 }
+
+fn logging_interceptor(request: tonic::Request) -> Result, tonic::Status> {
+ log::info!("gRPC request received");
+ Ok(request)
+}
-- cgit v1.2.3
From dbb213d385314e1f135d57e174ae8e41ff4b5329 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 2 Jul 2025 11:05:04 -0600
Subject: chore: remove logging interceptor
---
 src/authorization/check_service.rs | 6 +-----
 src/authorization/server.rs | 11 ++---------
 2 files changed, 3 insertions(+), 14 deletions(-)
(limited to 'src/authorization/server.rs')
diff --git a/src/authorization/check_service.rs b/src/authorization/check_service.rs
index e66a0e7b..f8c7577f 100644
--- a/src/authorization/check_service.rs
+++ b/src/authorization/check_service.rs
@@ -22,13 +22,9 @@ impl envoy_types::ext_authz::v3::pb::Authorization for CheckService {
 &self,
 request: Request,
 ) -> Result, Status> {
- let request = request.into_inner();
-
- if self.authorizer.authorize(request) {
- log::info!("OK");
+ if self.authorizer.authorize(request.into_inner()) {
 Ok(Response::new(CheckResponse::with_status(Status::ok("OK"))))
 } else {
- log::info!("Unauthorized");
 Ok(Response::new(CheckResponse::with_status(
 Status::unauthenticated("Unauthorized"),
 )))
diff --git a/src/authorization/server.rs b/src/authorization/server.rs
index de7df580..57712848 100644
--- a/src/authorization/server.rs
+++ b/src/authorization/server.rs
@@ -10,10 +10,8 @@ pub struct Server {
 impl Server {
 pub fn new() -> Result> {
 let (_health_reporter, health_service) = tonic_health::server::health_reporter();
- let authorization_service = AuthorizationServer::with_interceptor(
- CheckService::new(Arc::new(CedarAuthorizer::default())),
- logging_interceptor,
- );
+ let authorization_service =
+ AuthorizationServer::new(CheckService::new(Arc::new(CedarAuthorizer::default())));
 Ok(Self::new_with(|mut builder| {
 builder
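Review bot: In the check_service.rs hunk, removing both `log::info!` calls leaves the deny branch with no record at all, so an ext_authz denial now produces no server-side event and a misconfigured policy or a burst of rejected requests is invisible in this service's logs. If the per-request `log::info!("OK")` was the noise problem, keep a decision event on the `else` branch only, e.g. `log::warn!("authorization denied");` (no request payload), or emit a counter that a dashboard can alert on. Separately, the unchanged context line returns `Status::unauthenticated("Unauthorized")` for what the code treats as a failed policy check; in gRPC terms UNAUTHENTICATED means missing or invalid credentials while PERMISSION_DENIED means the caller is known but not allowed, so it is worth confirming which the Envoy side is meant to see. The enclosing `check` method starts and ends outside the hunk.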
@@ -40,8 +38,3 @@ impl Default for Server {
 Self::new().unwrap()
 }
 }
-
-fn logging_interceptor(request: tonic::Request) -> Result, tonic::Status> {
- log::info!("gRPC request received");
- Ok(request)
-}
-- cgit v1.2.3
From 105b4b2c4af3716e128af84142f2ff0a3442855d Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 2 Jul 2025 11:11:45 -0600
Subject: chore: add requst timeout of 30 seconds
---
 src/authorization/server.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'src/authorization/server.rs')
diff --git a/src/authorization/server.rs b/src/authorization/server.rs
index 57712848..6ae9361f 100644
--- a/src/authorization/server.rs
+++ b/src/authorization/server.rs
@@ -24,7 +24,9 @@ impl Server {
 where
 F: FnOnce(tonic::transport::Server) -> tonic::transport::server::Router,
 {
- let router = f(tonic::transport::Server::builder());
+ let builder =
+ tonic::transport::Server::builder().timeout(std::time::Duration::from_secs(30));
+ let router = f(builder);
 Server { router }
 }
-- cgit v1.2.3
From bc673b0de36342ef4fca8d0ae4f8bd029b4054b8 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 2 Jul 2025 12:16:29 -0600
Subject: chore: request method, path and headers in tracing
---
 src/authorization/server.rs | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'src/authorization/server.rs')
diff --git a/src/authorization/server.rs b/src/authorization/server.rs
index 6ae9361f..da686350 100644
--- a/src/authorization/server.rs
+++ b/src/authorization/server.rs
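Review bot: The 30-second request timeout is an unexplained literal inside `new_with`, and because `.timeout(...)` is applied before the caller's closure runs, every `Server` built through `new_with` inherits it without the closure being able to see or change it. Lift it to a documented constant, `const REQUEST_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(30);`, and state in `new_with`'s doc comment that the closure receives a builder with this timeout already set. For an ext_authz check, Envoy enforces its own per-call deadline on the caller side; the two should be chosen together so the authorizer gives up before Envoy does, rather than holding the request slot open after Envoy has already failed the check (the Envoy configuration is not on this page, so this is inferred). The enclosing `new_with` starts outside the hunk.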
@@ -24,8 +24,16 @@ impl Server {
 where
 F: FnOnce(tonic::transport::Server) -> tonic::transport::server::Router,
 {
- let builder =
- tonic::transport::Server::builder().timeout(std::time::Duration::from_secs(30));
+ let builder = tonic::transport::Server::builder()
+ .trace_fn(|req| {
+ tracing::info_span!(
+ "grpc_request",
+ method = %req.method(),
+ path = %req.uri().path(),
+ headers = ?req.headers(),
+ )
+ })
+ .timeout(std::time::Duration::from_secs(30));
 let router = f(builder);
 Server { router }
 }
-- cgit v1.2.3
From 0b610d061e45811130d8cf3919037fdc9513e340 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 2 Jul 2025 12:17:31 -0600
Subject: chore: rename log message
---
 src/authorization/server.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/authorization/server.rs')
diff --git a/src/authorization/server.rs b/src/authorization/server.rs
index da686350..2ad270df 100644
--- a/src/authorization/server.rs
+++ b/src/authorization/server.rs
@@ -27,7 +27,7 @@ impl Server {
 let builder = tonic::transport::Server::builder()
 .trace_fn(|req| {
 tracing::info_span!(
- "grpc_request",
+ "request",
 method = %req.method(),
 path = %req.uri().path(),
 headers = ?req.headers(),
-- cgit v1.2.3
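Review bot: `headers = ?req.headers(),` records every inbound gRPC header on an info-level span, so any credential carried in request metadata (an `authorization` header, cookies, or tokens Envoy is configured to forward to this service) lands in plaintext in the logs and in whatever system collects them. Record the header names only, `headers = ?req.headers().keys().collect::<Vec<_>>(),`, and add the few values you actually need (`content-type`, `user-agent`, a request-id) as explicit fields, so the span cannot leak a value you did not choose to log. This also keeps the per-request span small, since `Debug`-formatting a full `HeaderMap` on every call is not free on the hot path. The enclosing `new_with` starts outside the hunk.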