authz client cfg changes

- removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud
- reusing settings from "grpc_client_authentication", instead of duplicating in "authorization" section

Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>
This commit is contained in:
Claudiu Dragalina-Paraipan 2024-09-03 10:38:19 +03:00
parent 14a1021605
commit 84866a8a51
2 changed files with 23 additions and 20 deletions

View File

@ -57,14 +57,16 @@ func ProvideAuthZClient(
return nil, err
}
case ModeGRPC:
client, err = newGrpcLegacyClient(authCfg)
if err != nil {
return nil, err
}
case ModeCloud:
client, err = newCloudLegacyClient(authCfg)
if err != nil {
return nil, err
if cfg.StackID == "" {
client, err = newGrpcLegacyClient(authCfg)
if err != nil {
return nil, err
}
} else {
client, err = newCloudLegacyClient(authCfg)
if err != nil {
return nil, err
}
}
}

View File

@ -10,7 +10,7 @@ type Mode string
func (s Mode) IsValid() bool {
switch s {
case ModeGRPC, ModeInProc, ModeCloud:
case ModeGRPC, ModeInProc:
return true
}
return false
@ -19,7 +19,6 @@ func (s Mode) IsValid() bool {
const (
ModeGRPC Mode = "grpc"
ModeInProc Mode = "inproc"
ModeCloud Mode = "cloud"
)
type Cfg struct {
@ -35,28 +34,30 @@ type Cfg struct {
}
func ReadCfg(cfg *setting.Cfg) (*Cfg, error) {
section := cfg.SectionWithEnvOverrides("authorization")
authorizationSection := cfg.SectionWithEnvOverrides("authorization")
grpcClientAuthSection := cfg.SectionWithEnvOverrides("grpc_client_authentication")
mode := Mode(section.Key("mode").MustString(string(ModeInProc)))
mode := Mode(authorizationSection.Key("mode").MustString(string(ModeInProc)))
if !mode.IsValid() {
return nil, fmt.Errorf("authorization: invalid mode %q", mode)
}
token := section.Key("token").MustString("")
tokenExchangeURL := section.Key("token_exchange_url").MustString("")
tokenNamespace := section.Key("token_namespace").MustString("stack-" + cfg.StackID)
token := grpcClientAuthSection.Key("token").MustString("")
tokenExchangeURL := grpcClientAuthSection.Key("token_exchange_url").MustString("")
tokenNamespace := grpcClientAuthSection.Key("token_namespace").MustString("stack-" + cfg.StackID)
if mode == ModeCloud && token == "" && tokenExchangeURL == "" {
return nil, fmt.Errorf("authorization: missing token or tokenExchangeUrl")
// When running in cloud mode, the token and tokenExchangeURL are required.
if cfg.StackID != "" && token == "" && tokenExchangeURL == "" {
return nil, fmt.Errorf("authorization: missing token or tokenExchangeUrl")
}
return &Cfg{
remoteAddress: section.Key("remote_address").MustString(""),
listen: section.Key("listen").MustBool(false),
remoteAddress: authorizationSection.Key("remote_address").MustString(""),
listen: authorizationSection.Key("listen").MustBool(false),
mode: mode,
token: token,
tokenExchangeURL: tokenExchangeURL,
tokenNamespace: tokenNamespace,
allowInsecure: cfg.Env == "development",
allowInsecure: cfg.Env == setting.Dev,
}, nil
}