Ilia Denisov
81 lines
2.6 KiB
Go
81 lines
2.6 KiB
Go
package grpcapi
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"galaxy/gateway/authn"
|
|
gatewayv1 "galaxy/gateway/proto/galaxy/gateway/v1"
|
|
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
// signatureVerifyingService applies client-signature verification after
|
|
// payload integrity checks and before later auth or routing steps run.
|
|
type signatureVerifyingService struct {
|
|
gatewayv1.UnimplementedEdgeGatewayServer
|
|
|
|
delegate gatewayv1.EdgeGatewayServer
|
|
}
|
|
|
|
// ExecuteCommand verifies req client signature before delegating to the
|
|
// configured service implementation.
|
|
func (s signatureVerifyingService) ExecuteCommand(ctx context.Context, req *gatewayv1.ExecuteCommandRequest) (*gatewayv1.ExecuteCommandResponse, error) {
|
|
if err := verifyRequestSignature(ctx); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return s.delegate.ExecuteCommand(ctx, req)
|
|
}
|
|
|
|
// SubscribeEvents verifies req client signature before delegating to the
|
|
// configured service implementation.
|
|
func (s signatureVerifyingService) SubscribeEvents(req *gatewayv1.SubscribeEventsRequest, stream grpc.ServerStreamingServer[gatewayv1.GatewayEvent]) error {
|
|
if err := verifyRequestSignature(stream.Context()); err != nil {
|
|
return err
|
|
}
|
|
|
|
return s.delegate.SubscribeEvents(req, stream)
|
|
}
|
|
|
|
// newSignatureVerifyingService wraps delegate with the client-signature
|
|
// verification gate.
|
|
func newSignatureVerifyingService(delegate gatewayv1.EdgeGatewayServer) gatewayv1.EdgeGatewayServer {
|
|
return signatureVerifyingService{delegate: delegate}
|
|
}
|
|
|
|
func verifyRequestSignature(ctx context.Context) error {
|
|
envelope, ok := parsedEnvelopeFromContext(ctx)
|
|
if !ok {
|
|
return status.Error(codes.Internal, "authenticated request context is incomplete")
|
|
}
|
|
|
|
record, ok := resolvedSessionFromContext(ctx)
|
|
if !ok {
|
|
return status.Error(codes.Internal, "authenticated request context is incomplete")
|
|
}
|
|
|
|
err := authn.VerifyRequestSignature(record.ClientPublicKey, envelope.Signature, authn.RequestSigningFields{
|
|
ProtocolVersion: envelope.ProtocolVersion,
|
|
DeviceSessionID: envelope.DeviceSessionID,
|
|
MessageType: envelope.MessageType,
|
|
TimestampMS: envelope.TimestampMS,
|
|
RequestID: envelope.RequestID,
|
|
PayloadHash: envelope.PayloadHash,
|
|
})
|
|
switch {
|
|
case err == nil:
|
|
return nil
|
|
case errors.Is(err, authn.ErrInvalidClientPublicKey):
|
|
return status.Error(codes.Unavailable, "session cache is unavailable")
|
|
case errors.Is(err, authn.ErrInvalidRequestSignature):
|
|
return status.Error(codes.Unauthenticated, "invalid request signature")
|
|
default:
|
|
return status.Error(codes.Internal, "request signature verification failed")
|
|
}
|
|
}
|
|
|
|
var _ gatewayv1.EdgeGatewayServer = signatureVerifyingService{}
|