#include "auth.h" 
 
#include <util/generic/hash_set.h> 
 
 
using namespace NTvmAuth; 
 
 
namespace NMonitoring { 
namespace { 
    // ITvmManager backed by one TVM client and an allowlist of caller ids.
    //
    // TTvmClientPtr is the pointer type that keeps the TTvmClient alive
    // (defaults to THolder<TTvmClient>). The two settings-based constructors
    // allocate the client themselves, so TTvmClientPtr must be constructible
    // from a raw TTvmClient*; the third constructor adopts an existing pointer.
    template <class TTvmClientPtr = THolder<TTvmClient>>
    class TTvmManager final: public ITvmManager {
    public:
        // Builds the client from NTvmApi settings; `clients` becomes the allowlist.
        TTvmManager(NTvmApi::TClientSettings settings, TVector<TTvmId> clients, TLoggerPtr logger)
            : TTvmManager(TTvmClientPtr(new TTvmClient{std::move(settings), std::move(logger)}), std::move(clients))
        {
        }

        // Builds the client from NTvmTool settings; `clients` becomes the allowlist.
        TTvmManager(NTvmTool::TClientSettings settings, TVector<TTvmId> clients, TLoggerPtr logger)
            : TTvmManager(TTvmClientPtr(new TTvmClient{std::move(settings), std::move(logger)}), std::move(clients))
        {
        }

        // Adopts an already-constructed client; `clients` becomes the allowlist.
        TTvmManager(TTvmClientPtr tvm, TVector<TTvmId> clients)
            : AllowedClients_(clients.begin(), clients.end())
            , Tvm_(std::move(tvm))
        {
        }

        // True iff clientId was in the `clients` list given at construction.
        bool IsAllowedClient(TTvmId clientId) override {
            const bool allowed = AllowedClients_.contains(clientId);
            return allowed;
        }

        // Forwards the raw ticket to the TVM client for verification.
        TCheckedServiceTicket CheckServiceTicket(TStringBuf ticket) override {
            return Tvm_->CheckServiceTicket(ticket);
        }

    private:
        THashSet<TTvmId> AllowedClients_;  // allowlist of ticket source ids
        TTvmClientPtr Tvm_;                // the TVM client doing the ticket checks
    };
 
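    // IAuthProvider that authenticates HTTP requests by a TVM service ticket
    // and then authorizes the ticket's source against the manager's allowlist.
    class TTvmAuthProvider final: public IAuthProvider {
    public:
        // explicit: a THolder<ITvmManager> should never silently convert into a
        // provider; the only construction site uses direct-initialization.
        explicit TTvmAuthProvider(THolder<ITvmManager> manager)
            : TvmManager_{std::move(manager)}
        {
        }

        // Checks `req` for a TVM service ticket. Outcomes, in evaluation order:
        //  - no "X-Ya-Service-Ticket" header        -> NoCredentials
        //  - ticket rejected by CheckServiceTicket  -> Denied
        //  - ticket accepted, source not allowlisted -> Denied
        //  - ticket accepted, source allowlisted     -> Ok
        TAuthResult Check(const IHttpRequest& req) override {
            auto header = req.GetHeaders().FindHeader("X-Ya-Service-Ticket");
            if (!header) {
                // A missing header is reported separately from a rejected
                // ticket, so callers can distinguish "no credentials" from
                // "bad credentials".
                return TAuthResult::NoCredentials();
            }

            const auto checked = TvmManager_->CheckServiceTicket(header->Value());
            if (!checked) {
                return TAuthResult::Denied();
            }

            // A valid ticket only proves who the caller is; it still has to be
            // on the allowlist to be authorized.
            if (!TvmManager_->IsAllowedClient(checked.GetSrc())) {
                return TAuthResult::Denied();
            }
            return TAuthResult::Ok();
        }

    private:
        THolder<ITvmManager> TvmManager_;  // verifies tickets and holds the allowlist
    };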
} // namespace 
 
// Default ITvmManager: a THolder-owned TTvmClient built from NTvmApi settings,
// with `allowedClients` as the set of accepted ticket sources.
THolder<ITvmManager> CreateDefaultTvmManager(NTvmApi::TClientSettings settings, TVector<TTvmId> allowedClients, TLoggerPtr logger) {
    using TManager = TTvmManager<>;
    return MakeHolder<TManager>(std::move(settings), std::move(allowedClients), std::move(logger));
}
 
// Default ITvmManager: a THolder-owned TTvmClient built from NTvmTool settings,
// with `allowedClients` as the set of accepted ticket sources.
THolder<ITvmManager> CreateDefaultTvmManager(NTvmTool::TClientSettings settings, TVector<TTvmId> allowedClients, TLoggerPtr logger) {
    using TManager = TTvmManager<>;
    return MakeHolder<TManager>(std::move(settings), std::move(allowedClients), std::move(logger));
}
 
// Default ITvmManager over a caller-supplied, shared TTvmClient (TAtomicSharedPtr),
// with `allowedClients` as the set of accepted ticket sources.
THolder<ITvmManager> CreateDefaultTvmManager(TAtomicSharedPtr<NTvmAuth::TTvmClient> client, TVector<TTvmId> allowedClients) {
    using TManager = TTvmManager<TAtomicSharedPtr<NTvmAuth::TTvmClient>>;
    return MakeHolder<TManager>(std::move(client), std::move(allowedClients));
}
 
// Default ITvmManager over a caller-supplied, shared TTvmClient (std::shared_ptr),
// with `allowedClients` as the set of accepted ticket sources.
THolder<ITvmManager> CreateDefaultTvmManager(std::shared_ptr<NTvmAuth::TTvmClient> client, TVector<TTvmId> allowedClients) {
    using TManager = TTvmManager<std::shared_ptr<NTvmAuth::TTvmClient>>;
    return MakeHolder<TManager>(std::move(client), std::move(allowedClients));
}
 
// Wraps `manager` in the TVM-ticket IAuthProvider; ownership of the manager
// moves into the returned provider.
THolder<IAuthProvider> CreateTvmAuth(THolder<ITvmManager> manager) {
    THolder<IAuthProvider> provider = MakeHolder<TTvmAuthProvider>(std::move(manager));
    return provider;
}
 
} // namespace NMonitoring