authz client cfg changes

- removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud - reusing settings from "grpc_client_authentication", instead of duplicating in "authorization" section Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2024-09-03 10:38:19 +03:00 · 2024-09-03 10:38:19 +03:00 · 84866a8a51
commit 84866a8a51
parent 14a1021605
2 changed files with 23 additions and 20 deletions
--- a/pkg/services/authz/client.go
+++ b/pkg/services/authz/client.go
@ -57,14 +57,16 @@ func ProvideAuthZClient(
 			return nil, err
 		}
 	case ModeGRPC:
-		client, err = newGrpcLegacyClient(authCfg)
-		if err != nil {
-			return nil, err
-		}
-	case ModeCloud:
-		client, err = newCloudLegacyClient(authCfg)
-		if err != nil {
-			return nil, err
+		if cfg.StackID == "" {
+			client, err = newGrpcLegacyClient(authCfg)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			client, err = newCloudLegacyClient(authCfg)
+			if err != nil {
+				return nil, err
+			}
 		}
 	}

--- a/pkg/services/authz/config.go
+++ b/pkg/services/authz/config.go
@ -10,7 +10,7 @@ type Mode string

 func (s Mode) IsValid() bool {
 	switch s {
-	case ModeGRPC, ModeInProc, ModeCloud:
+	case ModeGRPC, ModeInProc:
 		return true
 	}
 	return false
@ -19,7 +19,6 @@ func (s Mode) IsValid() bool {
 const (
 	ModeGRPC   Mode = "grpc"
 	ModeInProc Mode = "inproc"
-	ModeCloud  Mode = "cloud"
 )

 type Cfg struct {
@ -35,28 +34,30 @@ type Cfg struct {
 }

 func ReadCfg(cfg *setting.Cfg) (*Cfg, error) {
-	section := cfg.SectionWithEnvOverrides("authorization")
+	authorizationSection := cfg.SectionWithEnvOverrides("authorization")
+	grpcClientAuthSection := cfg.SectionWithEnvOverrides("grpc_client_authentication")

-	mode := Mode(section.Key("mode").MustString(string(ModeInProc)))
+	mode := Mode(authorizationSection.Key("mode").MustString(string(ModeInProc)))
 	if !mode.IsValid() {
 		return nil, fmt.Errorf("authorization: invalid mode %q", mode)
 	}

-	token := section.Key("token").MustString("")
-	tokenExchangeURL := section.Key("token_exchange_url").MustString("")
-	tokenNamespace := section.Key("token_namespace").MustString("stack-" + cfg.StackID)
+	token := grpcClientAuthSection.Key("token").MustString("")
+	tokenExchangeURL := grpcClientAuthSection.Key("token_exchange_url").MustString("")
+	tokenNamespace := grpcClientAuthSection.Key("token_namespace").MustString("stack-" + cfg.StackID)

-	if mode == ModeCloud && token == "" && tokenExchangeURL == "" {
-		return nil, fmt.Errorf("authorization:  missing token or tokenExchangeUrl")
+	// When running in cloud mode, the token and tokenExchangeURL are required.
+	if cfg.StackID != "" && token == "" && tokenExchangeURL == "" {
+		return nil, fmt.Errorf("authorization: missing token or tokenExchangeUrl")
 	}

 	return &Cfg{
-		remoteAddress:    section.Key("remote_address").MustString(""),
-		listen:           section.Key("listen").MustBool(false),
+		remoteAddress:    authorizationSection.Key("remote_address").MustString(""),
+		listen:           authorizationSection.Key("listen").MustBool(false),
 		mode:             mode,
 		token:            token,
 		tokenExchangeURL: tokenExchangeURL,
 		tokenNamespace:   tokenNamespace,
-		allowInsecure:    cfg.Env == "development",
+		allowInsecure:    cfg.Env == setting.Dev,
 	}, nil
 }