m/n/core/curator: authenticated RPC
This adds authentication middleware (server interceptors) for gRPC
services running on the public curator listener.
Most of this code is test harness that starts up just the curator
listener, with enough of a copy of a real Metropolis cluster's PKI
infrastructure to be able to start running tests against GetRegisterTicket.
Change-Id: I429ff29e3c1233d74e8da619ddb543d56bc051b9
Reviewed-on: https://review.monogon.dev/c/monogon/+/311
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/proto/api/aaa.proto b/metropolis/proto/api/aaa.proto
index e469d0d..faf6dda 100644
--- a/metropolis/proto/api/aaa.proto
+++ b/metropolis/proto/api/aaa.proto
@@ -18,6 +18,8 @@
package metropolis.proto.api;
option go_package = "source.monogon.dev/metropolis/proto/api";
+import "metropolis/proto/ext/authorization.proto";
+
// Authentication, authorization and accounting.
service AAA {
// Escrow is an endpoint used to retrieve short-lived access credentials to
@@ -144,7 +146,13 @@
// will lead to retrieving identities from with the same namespace of
// entities.
//
- rpc Escrow(stream EscrowFromClient) returns (stream EscrowFromServer);
+ rpc Escrow(stream EscrowFromClient) returns (stream EscrowFromServer) {
+ option (metropolis.proto.ext.authorization) = {
+ // The AAA implementation performs its own checks as needed, so the
+ // RPC middleware should allow everything through.
+ allow_unauthenticated: true
+ };
+ }
}
message EscrowFromClient {
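Review bot: The comment on the new option explains why Escrow bypasses the interceptor but not what the handler must then guarantee, which is the security-relevant consequence of `allow_unauthenticated: true`: once the middleware no longer gates this stream, every credential carried in EscrowFromClient is checked by the Escrow implementation alone. I would extend the comment with `// Consequently the Escrow handler must treat every incoming message as unauthenticated and verify any presented credential itself before issuing anything via EscrowFromServer.` The comment also leaves implicit what the interceptor does for RPCs that carry no authorization option; if, as the option name suggests, the default is to require an authenticated caller, saying so here tells a reader adding RPCs to AAA that this opt-out is the exception rather than the pattern to copy. The enclosing service definition and the Escrow doc comment begin before the hunk.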