tokenserver/appengine/frontend/main.go - infra/luci/luci-go - Git at Google

 // Copyright 2016 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 // Package frontend implements HTTP server that handles requests to 'default'
 // module.
 package frontend

 import (
 	"context"
 	"net/http"

 	"github.com/golang/protobuf/proto"

 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"

 	"go.chromium.org/luci/appengine/gaemiddleware/standard"
 	"go.chromium.org/luci/common/logging"
 	"go.chromium.org/luci/config/validation"
 	"go.chromium.org/luci/grpc/discovery"
 	"go.chromium.org/luci/grpc/grpcmon"
 	"go.chromium.org/luci/grpc/grpcutil"
 	"go.chromium.org/luci/grpc/prpc"
 	"go.chromium.org/luci/server/auth"
 	"go.chromium.org/luci/server/router"

 	"go.chromium.org/luci/tokenserver/api/admin/v1"
 	"go.chromium.org/luci/tokenserver/api/minter/v1"

 	"go.chromium.org/luci/tokenserver/appengine/impl/services/admin/adminsrv"
 	"go.chromium.org/luci/tokenserver/appengine/impl/services/admin/certauthorities"
 	"go.chromium.org/luci/tokenserver/appengine/impl/services/minter/tokenminter"
 )

 // adminPrelude returns a prelude that authorizes only administrators.
 func adminPrelude(serviceName string) func(context.Context, string, proto.Message) (context.Context, error) {
 	return func(c context.Context, method string, _ proto.Message) (context.Context, error) {
 		logging.Infof(c, "%s: %q is calling %q", serviceName, auth.CurrentIdentity(c), method)
 		switch admin, err := auth.IsMember(c, "administrators"); {
 		case err != nil:
 			return nil, status.Errorf(codes.Internal, "can't check ACL - %s", err)
 		case !admin:
 			return nil, status.Errorf(codes.PermissionDenied, "not an admin")
 		}
 		return c, nil
 	}
 }

 func init() {
 	r := router.New()
 	base := standard.Base()

 	// Register config validation rules.
 	adminSrv := adminsrv.NewServer()
 	tokenminter := tokenminter.NewServer()
 	adminSrv.ImportCAConfigsRPC.SetupConfigValidation(&validation.Rules)
 	adminSrv.ImportDelegationConfigsRPC.SetupConfigValidation(&validation.Rules)
 	adminSrv.ImportServiceAccountsConfigsRPC.SetupConfigValidation(&validation.Rules)
 	adminSrv.ImportProjectIdentityConfigsRPC.SetupConfigValidation(&validation.Rules)

 	// Install auth, config and tsmon handlers.
 	standard.InstallHandlers(r)

 	// The service has no UI, so just redirect to stock RPC explorer.
 	r.GET("/", router.MiddlewareChain{}, func(c *router.Context) {
 		http.Redirect(c.Writer, c.Request, "/rpcexplorer/", http.StatusFound)
 	})

 	// Install all RPC servers. Catch panics, report metrics to tsmon (including
 	// panics themselves, as Internal errors).
 	api := prpc.Server{
 		UnaryServerInterceptor: grpcmon.NewUnaryServerInterceptor(grpcutil.NewUnaryServerPanicCatcher(nil)),
 	}
 	admin.RegisterCertificateAuthoritiesServer(&api, &admin.DecoratedCertificateAuthorities{
 		Service: certauthorities.NewServer(),
 		Prelude: adminPrelude("admin.CertificateAuthorities"),
 	})
 	admin.RegisterAdminServer(&api, &admin.DecoratedAdmin{
 		Service: adminSrv,
 		Prelude: adminPrelude("admin.Admin"),
 	})
 	minter.RegisterTokenMinterServer(&api, tokenminter) // auth inside
 	discovery.Enable(&api)
 	api.InstallHandlers(r, base)

 	// Expose all this stuff.
 	http.DefaultServeMux.Handle("/", r)
 }
	// Copyright 2016 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	// Package frontend implements HTTP server that handles requests to 'default'
	// module.
	package frontend

	import (
	"context"
	"net/http"

	"github.com/golang/protobuf/proto"

	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"go.chromium.org/luci/appengine/gaemiddleware/standard"
	"go.chromium.org/luci/common/logging"
	"go.chromium.org/luci/config/validation"
	"go.chromium.org/luci/grpc/discovery"
	"go.chromium.org/luci/grpc/grpcmon"
	"go.chromium.org/luci/grpc/grpcutil"
	"go.chromium.org/luci/grpc/prpc"
	"go.chromium.org/luci/server/auth"
	"go.chromium.org/luci/server/router"

	"go.chromium.org/luci/tokenserver/api/admin/v1"
	"go.chromium.org/luci/tokenserver/api/minter/v1"

	"go.chromium.org/luci/tokenserver/appengine/impl/services/admin/adminsrv"
	"go.chromium.org/luci/tokenserver/appengine/impl/services/admin/certauthorities"
	"go.chromium.org/luci/tokenserver/appengine/impl/services/minter/tokenminter"
	)

	// adminPrelude returns a prelude that authorizes only administrators.
	func adminPrelude(serviceName string) func(context.Context, string, proto.Message) (context.Context, error) {
	return func(c context.Context, method string, _ proto.Message) (context.Context, error) {
	logging.Infof(c, "%s: %q is calling %q", serviceName, auth.CurrentIdentity(c), method)
	switch admin, err := auth.IsMember(c, "administrators"); {
	case err != nil:
	return nil, status.Errorf(codes.Internal, "can't check ACL - %s", err)
	case !admin:
	return nil, status.Errorf(codes.PermissionDenied, "not an admin")
	}
	return c, nil
	}
	}

	func init() {
	r := router.New()
	base := standard.Base()

	// Register config validation rules.
	adminSrv := adminsrv.NewServer()
	tokenminter := tokenminter.NewServer()
	adminSrv.ImportCAConfigsRPC.SetupConfigValidation(&validation.Rules)
	adminSrv.ImportDelegationConfigsRPC.SetupConfigValidation(&validation.Rules)
	adminSrv.ImportServiceAccountsConfigsRPC.SetupConfigValidation(&validation.Rules)
	adminSrv.ImportProjectIdentityConfigsRPC.SetupConfigValidation(&validation.Rules)

	// Install auth, config and tsmon handlers.
	standard.InstallHandlers(r)

	// The service has no UI, so just redirect to stock RPC explorer.
	r.GET("/", router.MiddlewareChain{}, func(c *router.Context) {
	http.Redirect(c.Writer, c.Request, "/rpcexplorer/", http.StatusFound)
	})

	// Install all RPC servers. Catch panics, report metrics to tsmon (including
	// panics themselves, as Internal errors).
	api := prpc.Server{
	UnaryServerInterceptor: grpcmon.NewUnaryServerInterceptor(grpcutil.NewUnaryServerPanicCatcher(nil)),
	}
	admin.RegisterCertificateAuthoritiesServer(&api, &admin.DecoratedCertificateAuthorities{
	Service: certauthorities.NewServer(),
	Prelude: adminPrelude("admin.CertificateAuthorities"),
	})
	admin.RegisterAdminServer(&api, &admin.DecoratedAdmin{
	Service: adminSrv,
	Prelude: adminPrelude("admin.Admin"),
	})
	minter.RegisterTokenMinterServer(&api, tokenminter) // auth inside
	discovery.Enable(&api)
	api.InstallHandlers(r, base)

	// Expose all this stuff.
	http.DefaultServeMux.Handle("/", r)
	}