khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 1 | // Copyright 2016 The etcd Authors |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
| 15 | package clientv3 |
| 16 | |
| 17 | import ( |
| 18 | "context" |
| 19 | "fmt" |
| 20 | "strings" |
| 21 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 22 | "github.com/coreos/etcd/auth/authpb" |
| 23 | pb "github.com/coreos/etcd/etcdserver/etcdserverpb" |
| 24 | |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 25 | "google.golang.org/grpc" |
| 26 | ) |
| 27 | |
| 28 | type ( |
| 29 | AuthEnableResponse pb.AuthEnableResponse |
| 30 | AuthDisableResponse pb.AuthDisableResponse |
| 31 | AuthenticateResponse pb.AuthenticateResponse |
| 32 | AuthUserAddResponse pb.AuthUserAddResponse |
| 33 | AuthUserDeleteResponse pb.AuthUserDeleteResponse |
| 34 | AuthUserChangePasswordResponse pb.AuthUserChangePasswordResponse |
| 35 | AuthUserGrantRoleResponse pb.AuthUserGrantRoleResponse |
| 36 | AuthUserGetResponse pb.AuthUserGetResponse |
| 37 | AuthUserRevokeRoleResponse pb.AuthUserRevokeRoleResponse |
| 38 | AuthRoleAddResponse pb.AuthRoleAddResponse |
| 39 | AuthRoleGrantPermissionResponse pb.AuthRoleGrantPermissionResponse |
| 40 | AuthRoleGetResponse pb.AuthRoleGetResponse |
| 41 | AuthRoleRevokePermissionResponse pb.AuthRoleRevokePermissionResponse |
| 42 | AuthRoleDeleteResponse pb.AuthRoleDeleteResponse |
| 43 | AuthUserListResponse pb.AuthUserListResponse |
| 44 | AuthRoleListResponse pb.AuthRoleListResponse |
| 45 | |
| 46 | PermissionType authpb.Permission_Type |
| 47 | Permission authpb.Permission |
| 48 | ) |
| 49 | |
| 50 | const ( |
| 51 | PermRead = authpb.READ |
| 52 | PermWrite = authpb.WRITE |
| 53 | PermReadWrite = authpb.READWRITE |
| 54 | ) |
| 55 | |
| 56 | type Auth interface { |
| 57 | // AuthEnable enables auth of an etcd cluster. |
| 58 | AuthEnable(ctx context.Context) (*AuthEnableResponse, error) |
| 59 | |
| 60 | // AuthDisable disables auth of an etcd cluster. |
| 61 | AuthDisable(ctx context.Context) (*AuthDisableResponse, error) |
| 62 | |
| 63 | // UserAdd adds a new user to an etcd cluster. |
| 64 | UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error) |
| 65 | |
| 66 | // UserDelete deletes a user from an etcd cluster. |
| 67 | UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error) |
| 68 | |
| 69 | // UserChangePassword changes a password of a user. |
| 70 | UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error) |
| 71 | |
| 72 | // UserGrantRole grants a role to a user. |
| 73 | UserGrantRole(ctx context.Context, user string, role string) (*AuthUserGrantRoleResponse, error) |
| 74 | |
| 75 | // UserGet gets a detailed information of a user. |
| 76 | UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error) |
| 77 | |
| 78 | // UserList gets a list of all users. |
| 79 | UserList(ctx context.Context) (*AuthUserListResponse, error) |
| 80 | |
| 81 | // UserRevokeRole revokes a role of a user. |
| 82 | UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error) |
| 83 | |
| 84 | // RoleAdd adds a new role to an etcd cluster. |
| 85 | RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error) |
| 86 | |
| 87 | // RoleGrantPermission grants a permission to a role. |
| 88 | RoleGrantPermission(ctx context.Context, name string, key, rangeEnd string, permType PermissionType) (*AuthRoleGrantPermissionResponse, error) |
| 89 | |
| 90 | // RoleGet gets a detailed information of a role. |
| 91 | RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error) |
| 92 | |
| 93 | // RoleList gets a list of all roles. |
| 94 | RoleList(ctx context.Context) (*AuthRoleListResponse, error) |
| 95 | |
| 96 | // RoleRevokePermission revokes a permission from a role. |
| 97 | RoleRevokePermission(ctx context.Context, role string, key, rangeEnd string) (*AuthRoleRevokePermissionResponse, error) |
| 98 | |
| 99 | // RoleDelete deletes a role. |
| 100 | RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error) |
| 101 | } |
| 102 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 103 | type auth struct { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 104 | remote pb.AuthClient |
| 105 | callOpts []grpc.CallOption |
| 106 | } |
| 107 | |
| 108 | func NewAuth(c *Client) Auth { |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 109 | api := &auth{remote: RetryAuthClient(c)} |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 110 | if c != nil { |
| 111 | api.callOpts = c.callOpts |
| 112 | } |
| 113 | return api |
| 114 | } |
| 115 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 116 | func (auth *auth) AuthEnable(ctx context.Context) (*AuthEnableResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 117 | resp, err := auth.remote.AuthEnable(ctx, &pb.AuthEnableRequest{}, auth.callOpts...) |
| 118 | return (*AuthEnableResponse)(resp), toErr(ctx, err) |
| 119 | } |
| 120 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 121 | func (auth *auth) AuthDisable(ctx context.Context) (*AuthDisableResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 122 | resp, err := auth.remote.AuthDisable(ctx, &pb.AuthDisableRequest{}, auth.callOpts...) |
| 123 | return (*AuthDisableResponse)(resp), toErr(ctx, err) |
| 124 | } |
| 125 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 126 | func (auth *auth) UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error) { |
| 127 | resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password}, auth.callOpts...) |
Scott Baker | 8461e15 | 2019-10-01 14:44:30 -0700 | [diff] [blame] | 128 | return (*AuthUserAddResponse)(resp), toErr(ctx, err) |
| 129 | } |
| 130 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 131 | func (auth *auth) UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 132 | resp, err := auth.remote.UserDelete(ctx, &pb.AuthUserDeleteRequest{Name: name}, auth.callOpts...) |
| 133 | return (*AuthUserDeleteResponse)(resp), toErr(ctx, err) |
| 134 | } |
| 135 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 136 | func (auth *auth) UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 137 | resp, err := auth.remote.UserChangePassword(ctx, &pb.AuthUserChangePasswordRequest{Name: name, Password: password}, auth.callOpts...) |
| 138 | return (*AuthUserChangePasswordResponse)(resp), toErr(ctx, err) |
| 139 | } |
| 140 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 141 | func (auth *auth) UserGrantRole(ctx context.Context, user string, role string) (*AuthUserGrantRoleResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 142 | resp, err := auth.remote.UserGrantRole(ctx, &pb.AuthUserGrantRoleRequest{User: user, Role: role}, auth.callOpts...) |
| 143 | return (*AuthUserGrantRoleResponse)(resp), toErr(ctx, err) |
| 144 | } |
| 145 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 146 | func (auth *auth) UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 147 | resp, err := auth.remote.UserGet(ctx, &pb.AuthUserGetRequest{Name: name}, auth.callOpts...) |
| 148 | return (*AuthUserGetResponse)(resp), toErr(ctx, err) |
| 149 | } |
| 150 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 151 | func (auth *auth) UserList(ctx context.Context) (*AuthUserListResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 152 | resp, err := auth.remote.UserList(ctx, &pb.AuthUserListRequest{}, auth.callOpts...) |
| 153 | return (*AuthUserListResponse)(resp), toErr(ctx, err) |
| 154 | } |
| 155 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 156 | func (auth *auth) UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 157 | resp, err := auth.remote.UserRevokeRole(ctx, &pb.AuthUserRevokeRoleRequest{Name: name, Role: role}, auth.callOpts...) |
| 158 | return (*AuthUserRevokeRoleResponse)(resp), toErr(ctx, err) |
| 159 | } |
| 160 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 161 | func (auth *auth) RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 162 | resp, err := auth.remote.RoleAdd(ctx, &pb.AuthRoleAddRequest{Name: name}, auth.callOpts...) |
| 163 | return (*AuthRoleAddResponse)(resp), toErr(ctx, err) |
| 164 | } |
| 165 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 166 | func (auth *auth) RoleGrantPermission(ctx context.Context, name string, key, rangeEnd string, permType PermissionType) (*AuthRoleGrantPermissionResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 167 | perm := &authpb.Permission{ |
| 168 | Key: []byte(key), |
| 169 | RangeEnd: []byte(rangeEnd), |
| 170 | PermType: authpb.Permission_Type(permType), |
| 171 | } |
| 172 | resp, err := auth.remote.RoleGrantPermission(ctx, &pb.AuthRoleGrantPermissionRequest{Name: name, Perm: perm}, auth.callOpts...) |
| 173 | return (*AuthRoleGrantPermissionResponse)(resp), toErr(ctx, err) |
| 174 | } |
| 175 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 176 | func (auth *auth) RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 177 | resp, err := auth.remote.RoleGet(ctx, &pb.AuthRoleGetRequest{Role: role}, auth.callOpts...) |
| 178 | return (*AuthRoleGetResponse)(resp), toErr(ctx, err) |
| 179 | } |
| 180 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 181 | func (auth *auth) RoleList(ctx context.Context) (*AuthRoleListResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 182 | resp, err := auth.remote.RoleList(ctx, &pb.AuthRoleListRequest{}, auth.callOpts...) |
| 183 | return (*AuthRoleListResponse)(resp), toErr(ctx, err) |
| 184 | } |
| 185 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 186 | func (auth *auth) RoleRevokePermission(ctx context.Context, role string, key, rangeEnd string) (*AuthRoleRevokePermissionResponse, error) { |
| 187 | resp, err := auth.remote.RoleRevokePermission(ctx, &pb.AuthRoleRevokePermissionRequest{Role: role, Key: key, RangeEnd: rangeEnd}, auth.callOpts...) |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 188 | return (*AuthRoleRevokePermissionResponse)(resp), toErr(ctx, err) |
| 189 | } |
| 190 | |
khenaidoo | d948f77 | 2021-08-11 17:49:24 -0400 | [diff] [blame^] | 191 | func (auth *auth) RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error) { |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 192 | resp, err := auth.remote.RoleDelete(ctx, &pb.AuthRoleDeleteRequest{Role: role}, auth.callOpts...) |
| 193 | return (*AuthRoleDeleteResponse)(resp), toErr(ctx, err) |
| 194 | } |
| 195 | |
| 196 | func StrToPermissionType(s string) (PermissionType, error) { |
| 197 | val, ok := authpb.Permission_Type_value[strings.ToUpper(s)] |
| 198 | if ok { |
| 199 | return PermissionType(val), nil |
| 200 | } |
| 201 | return PermissionType(-1), fmt.Errorf("invalid permission type: %s", s) |
| 202 | } |
| 203 | |
| 204 | type authenticator struct { |
| 205 | conn *grpc.ClientConn // conn in-use |
| 206 | remote pb.AuthClient |
| 207 | callOpts []grpc.CallOption |
| 208 | } |
| 209 | |
| 210 | func (auth *authenticator) authenticate(ctx context.Context, name string, password string) (*AuthenticateResponse, error) { |
| 211 | resp, err := auth.remote.Authenticate(ctx, &pb.AuthenticateRequest{Name: name, Password: password}, auth.callOpts...) |
| 212 | return (*AuthenticateResponse)(resp), toErr(ctx, err) |
| 213 | } |
| 214 | |
| 215 | func (auth *authenticator) close() { |
| 216 | auth.conn.Close() |
| 217 | } |
| 218 | |
Stephane Barbarie | 260a563 | 2019-02-26 16:12:49 -0500 | [diff] [blame] | 219 | func newAuthenticator(ctx context.Context, target string, opts []grpc.DialOption, c *Client) (*authenticator, error) { |
| 220 | conn, err := grpc.DialContext(ctx, target, opts...) |
khenaidoo | ac63710 | 2019-01-14 15:44:34 -0500 | [diff] [blame] | 221 | if err != nil { |
| 222 | return nil, err |
| 223 | } |
| 224 | |
| 225 | api := &authenticator{ |
| 226 | conn: conn, |
| 227 | remote: pb.NewAuthClient(conn), |
| 228 | } |
| 229 | if c != nil { |
| 230 | api.callOpts = c.callOpts |
| 231 | } |
| 232 | return api, nil |
| 233 | } |