#include "auth.h"

#include <util/generic/hash_set.h>


using namespace NTvmAuth;


namespace NMonitoring {
namespace {
    // Allowlist-based ITvmManager: pairs a TVM client (owned or shared, depending on
    // TClientPtr) with the set of source service ids that may call this service.
    // Ticket validation itself is delegated to the TVM client; this class only
    // answers "is this source id on the allowlist" for an already-checked ticket.
    template <class TClientPtr = THolder<TTvmClient>>
    class TTvmManager final: public ITvmManager {
    public:
        // Creates an own TVM client from TVM API settings.
        // `clients` is the allowlist of source service ids.
        TTvmManager(NTvmApi::TClientSettings settings, TVector<TTvmId> clients, TLoggerPtr logger)
            : AllowedClients_(ToSet(clients))
            , Tvm_(new TTvmClient{std::move(settings), std::move(logger)})
        {
        }

        // Creates an own TVM client from tvmtool settings.
        // `clients` is the allowlist of source service ids.
        TTvmManager(NTvmTool::TClientSettings settings, TVector<TTvmId> clients, TLoggerPtr logger)
            : AllowedClients_(ToSet(clients))
            , Tvm_(new TTvmClient{std::move(settings), std::move(logger)})
        {
        }

        // Adopts an already-constructed client. The pointer is dereferenced without a
        // null check in CheckServiceTicket, so the caller must pass a non-null one.
        TTvmManager(TClientPtr tvm, TVector<TTvmId> clients)
            : AllowedClients_(ToSet(clients))
            , Tvm_(std::move(tvm))
        {
        }

        // True iff `clientId` was in the allowlist given at construction time.
        bool IsAllowedClient(TTvmId clientId) override {
            const auto found = AllowedClients_.find(clientId);
            return found != AllowedClients_.end();
        }

        // Validates the raw service ticket through the TVM client; the result's
        // validity and source id are interpreted by the caller.
        TCheckedServiceTicket CheckServiceTicket(TStringBuf ticket) override {
            auto& client = *Tvm_;
            return client.CheckServiceTicket(ticket);
        }

    private:
        // Copies the allowlist into a hash set so that IsAllowedClient is a lookup, not a scan.
        static THashSet<TTvmId> ToSet(const TVector<TTvmId>& ids) {
            return THashSet<TTvmId>(ids.begin(), ids.end());
        }

        THashSet<TTvmId> AllowedClients_;
        TClientPtr Tvm_;
    };

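    // IAuthProvider that authenticates HTTP requests by their TVM service ticket.
    // Decision order in Check():
    //   no X-Ya-Service-Ticket header      -> NoCredentials
    //   ticket fails TVM validation         -> Denied
    //   ticket valid, source not allowlisted -> Denied
    //   ticket valid, source allowlisted     -> Ok
    class TTvmAuthProvider final: public IAuthProvider {
    public:
        // `explicit` so a THolder<ITvmManager> cannot silently convert into a provider.
        explicit TTvmAuthProvider(THolder<ITvmManager> manager)
            : TvmManager_{std::move(manager)}
        {
        }

        // Returns the auth verdict for `req` as described on the class.
        TAuthResult Check(const IHttpRequest& req) override {
            auto ticketHeader = req.GetHeaders().FindHeader("X-Ya-Service-Ticket");
            if (!ticketHeader) {
                return TAuthResult::NoCredentials();
            }

            // The header value is untrusted input; TVM validates signature/expiry and
            // the result is only consulted after its validity check below.
            const auto ticket = TvmManager_->CheckServiceTicket(ticketHeader->Value());
            if (!ticket) {
                return TAuthResult::Denied();
            }

            // A valid ticket from a non-allowlisted source is still rejected.
            return TvmManager_->IsAllowedClient(ticket.GetSrc())
                ? TAuthResult::Ok()
                : TAuthResult::Denied();
        }

    private:
        THolder<ITvmManager> TvmManager_;
    };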
} // namespace

// Creates an ITvmManager that owns a TVM client built from TVM API settings.
// IsAllowedClient on the result reports membership in `allowedClients`.
THolder<ITvmManager> CreateDefaultTvmManager(NTvmApi::TClientSettings settings, TVector<TTvmId> allowedClients, TLoggerPtr logger) {
    using TManager = TTvmManager<>;
    return MakeHolder<TManager>(std::move(settings), std::move(allowedClients), std::move(logger));
}

// Creates an ITvmManager that owns a TVM client built from tvmtool settings.
// IsAllowedClient on the result reports membership in `allowedClients`.
THolder<ITvmManager> CreateDefaultTvmManager(NTvmTool::TClientSettings settings, TVector<TTvmId> allowedClients, TLoggerPtr logger) {
    using TManager = TTvmManager<>;
    return MakeHolder<TManager>(std::move(settings), std::move(allowedClients), std::move(logger));
}

// Creates an ITvmManager over a shared (TAtomicSharedPtr) TVM client; `client`
// must be non-null because the manager dereferences it on every ticket check.
THolder<ITvmManager> CreateDefaultTvmManager(TAtomicSharedPtr<NTvmAuth::TTvmClient> client, TVector<TTvmId> allowedClients) {
    using TClientPtr = TAtomicSharedPtr<NTvmAuth::TTvmClient>;
    return MakeHolder<TTvmManager<TClientPtr>>(std::move(client), std::move(allowedClients));
}

// Creates an ITvmManager over a shared (std::shared_ptr) TVM client; `client`
// must be non-null because the manager dereferences it on every ticket check.
THolder<ITvmManager> CreateDefaultTvmManager(std::shared_ptr<NTvmAuth::TTvmClient> client, TVector<TTvmId> allowedClients) {
    using TClientPtr = std::shared_ptr<NTvmAuth::TTvmClient>;
    return MakeHolder<TTvmManager<TClientPtr>>(std::move(client), std::move(allowedClients));
}

// Wraps `manager` into an IAuthProvider that authenticates requests by the
// X-Ya-Service-Ticket header; ownership of the manager moves into the provider.
THolder<IAuthProvider> CreateTvmAuth(THolder<ITvmManager> manager) {
    auto provider = MakeHolder<TTvmAuthProvider>(std::move(manager));
    return provider;
}

} // namespace NMonitoring