translator to agency

Makefile

@@ -4,6 +4,8 @@ API_BRANCH=$(shell ./scripts/branch.sh ../findy-agent-api/)
 SRC_ROOT=$(PWD)/../../..
 IDL_PATH=../findy-agent-api/idl/v1
 
+check: lint test
+
 protoc:	protoc_protocol protoc_agency protoc_agent protoc_authn
 
 protoc_protocol:
@@ -81,8 +83,6 @@ test_cov_out:
 test_cov: test_cov_out
 	go tool cover -html=coverage.txt
 
-check: check_fmt vet shadow
-
 release:
 	gh workflow run do-release.yml
 

agency/client/client.go

@@ -46,6 +46,8 @@ func BuildConnBase(tlsPath, fullAddr string, opts []grpc.DialOption) *rpc.Client
 	return cfg
 }
 
+// BuildClientConnBase builds the rpc.ClientCfg from tls path, address, port and
+// opts.g. localhost:50051.
 func BuildClientConnBase(
 	tlsPath, addr string,
 	port int,
@@ -61,6 +63,7 @@ func BuildClientConnBase(
 	return cfg
 }
 
+// BuildInsecureClientConnBase is helper to create rpc.ClientCfg easily.
 func BuildInsecureClientConnBase(
 	addr string,
 	port int,

client/main.go

@@ -18,6 +18,7 @@ import (
 )
 
 var (
+	cert       = flag.String("cert", "../cert", "pki cert path")
 	user       = flag.String("user", "", "test user name")
 	serverAddr = flag.String("addr", "localhost", "agency host gRPC address")
 	port       = flag.Int("port", 50051, "agency host gRPC port")
@@ -55,7 +56,7 @@ func newClient(user, addr string) (conn *grpc.ClientConn, err error) {
 	var pki *rpc.PKI
 	jwtStr := ""
 	if !*noTLS {
-		pki = rpc.LoadPKIWithServerName("./cert", addr)
+		pki = rpc.LoadPKIWithServerName(*cert, addr)
 		jwtStr = jwt.BuildJWT(user)
 	}
 	glog.V(5).Infoln("client with user:", user)

jwt/jwt.go

@@ -32,8 +32,12 @@
 
 // UserCtxKey is type for key to access user value from context. It's currently
 // exported for possible outside use.
+// NOTE: Must be own type and cannot be type alias because linter warnings with
+// context!
 type UserCtxKey string
 
+const userKey = "UserKey"
+
 type customClaims struct {
 	Username string `json:"un"`
 	Label    string `json:"label,omitempty"`
@@ -48,7 +52,11 @@
 
 // User is a helper function to get user from the current ctx as a string.
 func User(ctx context.Context) string {
-	return ctx.Value(UserCtxKey("UserKey")).(string)
+	return ctx.Value(UserCtxKey(userKey)).(string)
+}
+
+func NewContextWithUser(ctx context.Context, user string) context.Context {
+	return context.WithValue(ctx, UserCtxKey(userKey), user)
 }
 
 // BuildJWT builds a signed JWT token from user string. User string can be user
@@ -93,7 +101,7 @@
 		return ctx, false
 	}
 	if claims, ok := token.Claims.(*customClaims); ok && token.Valid {
-		ctx = context.WithValue(ctx, UserCtxKey("UserKey"), claims.Username)
+		ctx = context.WithValue(ctx, UserCtxKey(userKey), claims.Username)
 	} else {
 		glog.Error("no claims in token")
 		return ctx, false

rpc/client.go

@@ -9,6 +9,7 @@
 	"github.com/findy-network/findy-common-go/jwt"
 	"github.com/golang/glog"
 	"github.com/lainio/err2"
+	"github.com/lainio/err2/assert"
 	"github.com/lainio/err2/try"
 	"golang.org/x/oauth2"
 	"google.golang.org/grpc"
@@ -72,6 +73,7 @@
 		glog.V(3).Infoln("insecure gRPC call")
 	default:
 		glog.Warning("PKI nor Insecure not set")
+		assert.NotImplemented()
 	}
 
 	if cfg.Opts != nil {

rpc/server.go

@@ -43,11 +43,18 @@ func Server(cfg *ServerCfg) (s *grpc.Server, err error) {
 	glog.V(2).Infof("cfg.PKI: %v", cfg.PKI)
 	opts := make([]grpc.ServerOption, 0, 4)
 	if cfg.PKI != nil {
-		creds := try.To1(loadTLSCredentials(cfg.PKI))
+		creds := try.To1(mTLSCredentials(cfg.PKI))
 		opts = append(opts, grpc.Creds(creds))
 	}
 
-	errHandler := func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+	errHandler := func(ctx context.Context,
+		req interface{},
+		info *grpc.UnaryServerInfo,
+		handler grpc.UnaryHandler,
+	) (
+		interface{},
+		error,
+	) {
 		glog.V(1).Infoln("-agent gRPC call:", info.FullMethod)
 		resp, err := handler(ctx, req)
 		if err != nil {
@@ -119,7 +126,7 @@ func PrepareServe(cfg *ServerCfg) (s *grpc.Server, lis net.Listener, err error)
 	return s, lis, nil
 }
 
-func loadTLSCredentials(pw *PKI) (creds credentials.TransportCredentials, err error) {
+func mTLSCredentials(pw *PKI) (creds credentials.TransportCredentials, err error) {
 	defer err2.Handle(&err)
 
 	caCert := try.To1(os.ReadFile(pw.Client.CertFile))
@@ -129,13 +136,13 @@ func loadTLSCredentials(pw *PKI) (creds credentials.TransportCredentials, err er
 	// Load server's certificate and private key
 	serverCert := try.To1(tls.LoadX509KeyPair(pw.Server.CertFile, pw.Server.KeyFile))
 
-	// Create the credentials and return it
+	// Create the mTLS credentials and return it
 	config := &tls.Config{
 		Certificates: []tls.Certificate{serverCert},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 		ClientCAs:    rootCAs,
 	}
 
-	glog.V(3).Infoln("cert files loaded")
+	glog.V(1).Infoln("mTLS cert files loaded")
 	return credentials.NewTLS(config), nil
 }

server/main.go

@@ -17,6 +17,7 @@ import (
 )
 
 var (
+	cert       = flag.String("cert", "../cert", "pki cert path")
 	user       = flag.String("user", "findy-root", "test user name")
 	serverAddr = flag.String("addr", "localhost", "agency host gRPC address")
 	port       = flag.Int("port", 50051, "agency host gRPC port")
@@ -35,7 +36,7 @@ func main() {
 
 	var pki *rpc.PKI
 	if !*noTLS {
-		pki = rpc.LoadPKI("./cert")
+		pki = rpc.LoadPKI(*cert)
 		glog.V(3).Infof("starting gRPC server with\ncrt:\t%s\nkey:\t%s\nclient:\t%s",
 			pki.Server.CertFile, pki.Server.KeyFile, pki.Client.CertFile)
 	}
@@ -57,6 +58,17 @@ type devOpsServer struct {
 	Root string
 }
 
+func (d devOpsServer) AuthFuncOverride(
+	ctx context.Context,
+	fullMethodName string,
+) (
+	context.Context,
+	error, //nolint: unparam
+) {
+	glog.V(1).Infoln("======== AuthFuncOverride", fullMethodName)
+	return jwt.NewContextWithUser(ctx, d.Root), nil
+}
+
 func (d devOpsServer) Enter(ctx context.Context, cmd *ops.Cmd) (cr *ops.CmdReturn, err error) {
 	defer err2.Handle(&err)