From d8f2a944d412e272eb803952f1771ad55376a45d Mon Sep 17 00:00:00 2001
From: Nikita Skrynnik
Date: Wed, 7 Dec 2022 16:19:13 +1100
Subject: [PATCH] add client registry authorization to registry-k8s
Signed-off-by: Nikita Skrynnik
---
 .../chains/registryk8s/registry-k8s.go | 32 +++++++++++++++++--
 .../chains/registryk8s/registry-k8s_test.go | 2 +-
 2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/pkg/registry/chains/registryk8s/registry-k8s.go b/pkg/registry/chains/registryk8s/registry-k8s.go
index ccbb74f..c0c20c6 100644
--- a/pkg/registry/chains/registryk8s/registry-k8s.go
+++ b/pkg/registry/chains/registryk8s/registry-k8s.go
@@ -59,7 +59,9 @@ type Config struct {
 type serverOptions struct {
 authorizeNSRegistryServer registry.NetworkServiceRegistryServer
+ authorizeNSRegistryClient registry.NetworkServiceRegistryClient
 authorizeNSERegistryServer registry.NetworkServiceEndpointRegistryServer
+ authorizeNSERegistryClient registry.NetworkServiceEndpointRegistryClient
 dialOptions []grpc.DialOption
 }
@@ -73,7 +75,7 @@ func WithDialOptions(dialOptions ...grpc.DialOption) Option {
 }
 }
-// WithAuthorizeNSRegistryServer sets authorization NetworkServiceRegistry chain element
+// WithAuthorizeNSRegistryServer sets server authorization NetworkServiceRegistry chain element
 func WithAuthorizeNSRegistryServer(authorizeNSRegistryServer registry.NetworkServiceRegistryServer) Option {
 if authorizeNSRegistryServer == nil {
 panic("authorizeNSRegistryServer cannot be nil")
@@ -83,7 +85,7 @@ func WithAuthorizeNSRegistryServer(authorizeNSRegistryServer registry.NetworkSer
 }
 }
-// WithAuthorizeNSERegistryServer sets authorization NetworkServiceEndpointRegistry chain element
+// WithAuthorizeNSERegistryServer sets server authorization NetworkServiceEndpointRegistry chain element
 func WithAuthorizeNSERegistryServer(authorizeNSERegistryServer registry.NetworkServiceEndpointRegistryServer) Option {
 if authorizeNSERegistryServer == nil {
 panic("authorizeNSERegistryServer cannot be nil")
@@ -93,11 +95,33 @@ func WithAuthorizeNSERegistryServer(authorizeNSERegistryServer registry.NetworkS
 }
 }
+// WithAuthorizeNSRegistryClient sets client authorization NetworkServiceRegistry chain element
+func WithAuthorizeNSRegistryClient(authorizeNSRegistryClient registry.NetworkServiceRegistryClient) Option {
+ if authorizeNSRegistryClient == nil {
+ panic("authorizeNSRegistryClient cannot be nil")
+ }
+ return func(o *serverOptions) {
+ o.authorizeNSRegistryClient = authorizeNSRegistryClient
+ }
+}
+
+// WithAuthorizeNSERegistryClient sets client authorization NetworkServiceEndpointRegistry chain element
+func WithAuthorizeNSERegistryClient(authorizeNSERegistryClient registry.NetworkServiceEndpointRegistryClient) Option {
+ if authorizeNSERegistryClient == nil {
+ panic("authorizeNSERegistryClient cannot be nil")
+ }
+ return func(o *serverOptions) {
+ o.authorizeNSERegistryClient = authorizeNSERegistryClient
+ }
+}
+
 // NewServer creates new registry server based on k8s etcd db storage
 func NewServer(config *Config, tokenGenerator token.GeneratorFunc, options ...Option) registryserver.Registry {
 opts := &serverOptions{
 authorizeNSRegistryServer: registryauthorize.NewNetworkServiceRegistryServer(registryauthorize.Any()),
 authorizeNSERegistryServer: registryauthorize.NewNetworkServiceEndpointRegistryServer(registryauthorize.Any()),
+ authorizeNSRegistryClient: registryauthorize.NewNetworkServiceRegistryClient(registryauthorize.Any()),
+ authorizeNSERegistryClient: registryauthorize.NewNetworkServiceEndpointRegistryClient(registryauthorize.Any()),
 }
 for _, opt := range options {
 opt(opts)
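Review bot: The two new defaults in `NewServer` are built with `registryauthorize.Any()`, so a caller that does not pass `WithAuthorizeNSRegistryClient` / `WithAuthorizeNSERegistryClient` gets a client authorization element that, going by the policy's name, accepts every response. This matches the existing server defaults, but it makes client authorization opt-in, and neither option's doc comment says what happens when the option is omitted. I would extend both comments, e.g. `// WithAuthorizeNSRegistryClient sets client authorization NetworkServiceRegistry chain element. If it is not set, NewServer falls back to registryauthorize.Any().` and the same wording for the NSE variant. The body of `NewServer` continues outside this hunk.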
@@ -105,8 +129,8 @@ func NewServer(config *Config, tokenGenerator token.GeneratorFunc, options ...Op
 nseChain := chain.NewNetworkServiceEndpointRegistryServer(
 grpcmetadata.NewNetworkServiceEndpointRegistryServer(),
- updatepath.NewNetworkServiceEndpointRegistryServer(tokenGenerator),
 begin.NewNetworkServiceEndpointRegistryServer(),
+ updatepath.NewNetworkServiceEndpointRegistryServer(tokenGenerator),
 opts.authorizeNSERegistryServer,
 switchcase.NewNetworkServiceEndpointRegistryServer(switchcase.NSEServerCase{
 Condition: func(c context.Context, nse *registry.NetworkServiceEndpoint) bool {
@@ -126,6 +150,7 @@ func NewServer(config *Config, tokenGenerator token.GeneratorFunc, options ...Op
 begin.NewNetworkServiceEndpointRegistryClient(),
 clienturl.NewNetworkServiceEndpointRegistryClient(config.ProxyRegistryURL),
 clientconn.NewNetworkServiceEndpointRegistryClient(),
+ opts.authorizeNSERegistryClient,
 grpcmetadata.NewNetworkServiceEndpointRegistryClient(),
 dial.NewNetworkServiceEndpointRegistryClient(config.ChainCtx,
 dial.WithDialOptions(opts.dialOptions...),
@@ -160,6 +185,7 @@ func NewServer(config *Config, tokenGenerator token.GeneratorFunc, options ...Op
 clienturl.NewNetworkServiceRegistryClient(config.ProxyRegistryURL),
 begin.NewNetworkServiceRegistryClient(),
 clientconn.NewNetworkServiceRegistryClient(),
+ opts.authorizeNSRegistryClient,
 grpcmetadata.NewNetworkServiceRegistryClient(),
 dial.NewNetworkServiceRegistryClient(config.ChainCtx,
 dial.WithDialOptions(opts.dialOptions...),
diff --git a/pkg/registry/chains/registryk8s/registry-k8s_test.go b/pkg/registry/chains/registryk8s/registry-k8s_test.go
index 1bb14a9..6860058 100644
--- a/pkg/registry/chains/registryk8s/registry-k8s_test.go
+++ b/pkg/registry/chains/registryk8s/registry-k8s_test.go
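Review bot: In the `@@ -105,8 +129,8 @@` hunk, `begin` and `updatepath` swap places in `nseChain`, a behaviour change that the commit subject does not mention and the code does not explain. Both elements run before `opts.authorizeNSERegistryServer`, so their order decides what state the server-side authorization sees. A short comment above the list, e.g. `// order matters: begin, then updatepath, then authorize`, would stop a later cleanup from reverting it. The NetworkServiceRegistry server chain is outside the visible hunks, so it is worth confirming that it uses the same order.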
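Review bot: In the `@@ -126,6 +150,7 @@` hunk, `opts.authorizeNSERegistryClient` is placed between `clientconn` and `grpcmetadata` without a comment, although the check presumably depends on that position. If the authorize element validates the path that `grpcmetadata` restores from the response, it must stay ahead of `grpcmetadata` in the list; a line such as `// keep before grpcmetadata: the response path must be populated when authorization runs` would make that explicit. The same applies to `opts.authorizeNSRegistryClient` in the `@@ -160,6 +185,7 @@` hunk. Nothing visible in this patch tests a client policy that rejects, so a misplaced element would go unnoticed while the defaults accept everything.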
@@ -166,7 +166,7 @@ func TestNSMGR_RemoteUsecase(t *testing.T) {
 func TestNSMGR_InterdomainUseCase(t *testing.T) {
 t.Cleanup(func() { goleak.VerifyNone(t, ignoreKLogDaemon) })
- ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+ ctx, cancel := context.WithTimeout(context.Background(), time.Second*5000)
 defer cancel()
 var dnsServer = sandbox.NewFakeResolver()
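Review bot: `time.Second*5000` raises the context timeout of `TestNSMGR_InterdomainUseCase` from 5 seconds to roughly 83 minutes, which looks like a debugging leftover and is unrelated to the commit subject. With this value a hang in the newly added client authorization path would not fail the test until the global `go test` timeout fires, so the per-test deadline no longer guards against regressions. Unless the interdomain flow is known to need more time, restore `ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)` or choose a small value with a comment giving the reason. The test body continues outside the hunk.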