authorDevtools Arcadia <arcadia-devtools@yandex-team.ru>2022-02-07 18:08:42 +0300
committerDevtools Arcadia <arcadia-devtools@mous.vla.yp-c.yandex.net>2022-02-07 18:08:42 +0300
commit1110808a9d39d4b808aef724c861a2e1a38d2a69 (patch)
treee26c9fed0de5d9873cce7e00bc214573dc2195b7 /library/cpp/monlib/service/auth
intermediate changes
ref:cde9a383711a11544ce7e107a78147fb96cc4029
Diffstat (limited to 'library/cpp/monlib/service/auth')
-rw-r--r--library/cpp/monlib/service/auth/tvm/auth.cpp93
-rw-r--r--library/cpp/monlib/service/auth/tvm/auth.h33
-rw-r--r--library/cpp/monlib/service/auth/tvm/ya.make14
3 files changed, 140 insertions, 0 deletions
diff --git a/library/cpp/monlib/service/auth/tvm/auth.cpp b/library/cpp/monlib/service/auth/tvm/auth.cpp
new file mode 100644
index 0000000000..e071c11ebc
--- /dev/null
+++ b/library/cpp/monlib/service/auth/tvm/auth.cpp
@@ -0,0 +1,93 @@
+#include "auth.h"
+
+#include <util/generic/hash_set.h>
+
+
+using namespace NTvmAuth;
+
+
+namespace NMonitoring {
+namespace {
+ template <class TTvmClientPtr = THolder<TTvmClient>>
+ class TTvmManager final: public ITvmManager {
+ public:
+ TTvmManager(NTvmApi::TClientSettings settings, TVector<TTvmId> clients, TLoggerPtr logger)
+ : AllowedClients_{clients.begin(), clients.end()}
+ , Tvm_(new TTvmClient{std::move(settings), std::move(logger)})
+ {
+ }
+
+ TTvmManager(NTvmTool::TClientSettings settings, TVector<TTvmId> clients, TLoggerPtr logger)
+ : AllowedClients_{clients.begin(), clients.end()}
+ , Tvm_(new TTvmClient{std::move(settings), std::move(logger)})
+ {
+ }
+
+ TTvmManager(TTvmClientPtr tvm, TVector<TTvmId> clients)
+ : AllowedClients_{clients.begin(), clients.end()}
+ , Tvm_(std::move(tvm))
+ {
+ }
+
+ bool IsAllowedClient(TTvmId clientId) override {
+ return AllowedClients_.contains(clientId);
+ }
+
+ TCheckedServiceTicket CheckServiceTicket(TStringBuf ticket) override {
+ return Tvm_->CheckServiceTicket(ticket);
+ }
+
+ private:
+ THashSet<TTvmId> AllowedClients_;
+ TTvmClientPtr Tvm_;
+ };
+
+ class TTvmAuthProvider final: public IAuthProvider {
+ public:
+ TTvmAuthProvider(THolder<ITvmManager> manager)
+ : TvmManager_{std::move(manager)}
+ {
+ }
+
+ TAuthResult Check(const IHttpRequest& req) override {
+ auto ticketHeader = req.GetHeaders().FindHeader("X-Ya-Service-Ticket");
+ if (!ticketHeader) {
+ return TAuthResult::NoCredentials();
+ }
+
+ const auto ticket = TvmManager_->CheckServiceTicket(ticketHeader->Value());
+ if (!ticket) {
+ return TAuthResult::Denied();
+ }
+
+ return TvmManager_->IsAllowedClient(ticket.GetSrc())
+ ? TAuthResult::Ok()
+ : TAuthResult::Denied();
+ }
+
+ private:
+ THolder<ITvmManager> TvmManager_;
+ };
+} // namespace
+
+THolder<ITvmManager> CreateDefaultTvmManager(NTvmApi::TClientSettings settings, TVector<TTvmId> allowedClients, TLoggerPtr logger) {
+ return MakeHolder<TTvmManager<>>(std::move(settings), std::move(allowedClients), std::move(logger));
+}
+
+THolder<ITvmManager> CreateDefaultTvmManager(NTvmTool::TClientSettings settings, TVector<TTvmId> allowedClients, TLoggerPtr logger) {
+ return MakeHolder<TTvmManager<>>(std::move(settings), std::move(allowedClients), std::move(logger));
+}
+
+THolder<ITvmManager> CreateDefaultTvmManager(TAtomicSharedPtr<NTvmAuth::TTvmClient> client, TVector<TTvmId> allowedClients) {
+ return MakeHolder<TTvmManager<TAtomicSharedPtr<NTvmAuth::TTvmClient>>>(std::move(client), std::move(allowedClients));
+}
+
+THolder<ITvmManager> CreateDefaultTvmManager(std::shared_ptr<NTvmAuth::TTvmClient> client, TVector<TTvmId> allowedClients) {
+ return MakeHolder<TTvmManager<std::shared_ptr<NTvmAuth::TTvmClient>>>(std::move(client), std::move(allowedClients));
+}
+
+THolder<IAuthProvider> CreateTvmAuth(THolder<ITvmManager> manager) {
+ return MakeHolder<TTvmAuthProvider>(std::move(manager));
+}
+
+} // namespace NMonitoring
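Review bot: `TTvmAuthProvider::Check` collapses two distinct outcomes into `TAuthResult::Denied()` — a ticket that fails verification at line 83 and a valid ticket whose source is outside the allow-list at line 87 — and nothing on this path records which one occurred, since the `TLoggerPtr` is handed only to the `TTvmClient` at lines 40 and 46; a comment above the second branch such as `// An invalid ticket and a valid ticket from a non-allow-listed source are both reported as Denied; only the TVM client's own logger sees the verification failure` would at least make that trade-off visible to the next maintainer. Related, `IsAllowedClient` at line 57 returns false for every id when `AllowedClients_` is empty, so an empty `allowedClients` argument to any `CreateDefaultTvmManager` overload denies all callers — worth stating where the factories are declared. The single-argument constructor at line 71 should be `explicit TTvmAuthProvider(THolder<ITvmManager> manager)` so a `THolder<ITvmManager>` cannot silently convert into a provider. If `Tvm_->CheckServiceTicket` can throw for a misconfigured client (I believe the tvmauth facade does when service-ticket checking is not enabled in the settings, but that is outside this hunk), the exception propagates out of `Check` unhandled, which the HTTP layer invoking this provider needs to be prepared for.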
diff --git a/library/cpp/monlib/service/auth/tvm/auth.h b/library/cpp/monlib/service/auth/tvm/auth.h
new file mode 100644
index 0000000000..432beff9d6
--- /dev/null
+++ b/library/cpp/monlib/service/auth/tvm/auth.h
@@ -0,0 +1,33 @@
+#pragma once
+
+#include <library/cpp/monlib/service/mon_service_http_request.h>
+#include <library/cpp/monlib/service/auth.h>
+#include <library/cpp/tvmauth/client/facade.h>
+
+namespace NMonitoring {
+ struct ITvmManager {
+ virtual ~ITvmManager() = default;
+ virtual bool IsAllowedClient(NTvmAuth::TTvmId clientId) = 0;
+ virtual NTvmAuth::TCheckedServiceTicket CheckServiceTicket(TStringBuf ticket) = 0;
+ };
+
+ THolder<ITvmManager> CreateDefaultTvmManager(
+ NTvmAuth::NTvmApi::TClientSettings settings,
+ TVector<NTvmAuth::TTvmId> allowedClients,
+ NTvmAuth::TLoggerPtr logger = NTvmAuth::TDevNullLogger::IAmBrave());
+
+ THolder<ITvmManager> CreateDefaultTvmManager(
+ NTvmAuth::NTvmTool::TClientSettings settings,
+ TVector<NTvmAuth::TTvmId> allowedClients,
+ NTvmAuth::TLoggerPtr logger = NTvmAuth::TDevNullLogger::IAmBrave());
+
+ THolder<ITvmManager> CreateDefaultTvmManager(
+ TAtomicSharedPtr<NTvmAuth::TTvmClient> client,
+ TVector<NTvmAuth::TTvmId> allowedClients);
+
+ THolder<ITvmManager> CreateDefaultTvmManager(
+ std::shared_ptr<NTvmAuth::TTvmClient> client,
+ TVector<NTvmAuth::TTvmId> allowedClients);
+
+ THolder<IAuthProvider> CreateTvmAuth(THolder<ITvmManager> tvmManager);
+} // namespace NMonitoring
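Review bot: The `ITvmManager` interface and the `CreateDefaultTvmManager` overloads carry no documentation, and the defaulted `logger = NTvmAuth::TDevNullLogger::IAmBrave()` at lines 140 and 145 means that, unless a caller passes a logger explicitly, whatever the TVM client would report about ticket rejections or its own failures is discarded. I would add `/// Returns true when the TVM source id of a checked ticket is permitted to call this service.` above line 133, `/// Verifies a raw service-ticket value; the returned object converts to false when the ticket is invalid.` above line 134, and above the first factory a note along the lines of `/// The default logger discards all TVM client output; pass a real TLoggerPtr in production so ticket-check failures are observable.` A one-line remark that an empty `allowedClients` list admits no caller would also belong here, since that is what the default manager's allow-list lookup implies for callers of this header.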
diff --git a/library/cpp/monlib/service/auth/tvm/ya.make b/library/cpp/monlib/service/auth/tvm/ya.make
new file mode 100644
index 0000000000..4437a65b62
--- /dev/null
+++ b/library/cpp/monlib/service/auth/tvm/ya.make
@@ -0,0 +1,14 @@
+LIBRARY()
+
+OWNER(g:solomon)
+
+SRCS(
+ auth.cpp
+)
+
+PEERDIR(
+ library/cpp/tvmauth/client
+ library/cpp/monlib/service
+)
+
+END()