mirror of
https://github.com/cloudflare/cloudflared.git
synced 2025-07-28 11:09:58 +00:00
TUN-6772: Add a JWT Validator as an ingress verifier
This adds a new verifier interface that can be attached to ingress.Rule. This would act as a middleware layer that gets executed at the start of proxy.ProxyHTTP. A jwt validator implementation for this verifier is also provided. The validator downloads the public key from the access teams endpoint and uses it to verify the JWT sent to cloudflared with the audtag (clientID) information provided in the config.
This commit is contained in:
Sudarsan Reddy
81
vendor/google.golang.org/grpc/server.go
generated
vendored
81
vendor/google.golang.org/grpc/server.go
generated
vendored
@@ -134,7 +134,7 @@ type Server struct {
|
||||
channelzRemoveOnce sync.Once
|
||||
serveWG sync.WaitGroup // counts active Serve goroutines for GracefulStop
|
||||
|
||||
channelzID int64 // channelz unique identification number
|
||||
channelzID *channelz.Identifier
|
||||
czData *channelzData
|
||||
|
||||
serverWorkerChannels []chan *serverWorkerData
|
||||
@@ -584,9 +584,8 @@ func NewServer(opt ...ServerOption) *Server {
|
||||
s.initServerWorkers()
|
||||
}
|
||||
|
||||
if channelz.IsOn() {
|
||||
s.channelzID = channelz.RegisterServer(&channelzServer{s}, "")
|
||||
}
|
||||
s.channelzID = channelz.RegisterServer(&channelzServer{s}, "")
|
||||
channelz.Info(logger, s.channelzID, "Server created")
|
||||
return s
|
||||
}
|
||||
|
||||
@@ -712,7 +711,7 @@ var ErrServerStopped = errors.New("grpc: the server has been stopped")
|
||||
|
||||
type listenSocket struct {
|
||||
net.Listener
|
||||
channelzID int64
|
||||
channelzID *channelz.Identifier
|
||||
}
|
||||
|
||||
func (l *listenSocket) ChannelzMetric() *channelz.SocketInternalMetric {
|
||||
@@ -724,9 +723,8 @@ func (l *listenSocket) ChannelzMetric() *channelz.SocketInternalMetric {
|
||||
|
||||
func (l *listenSocket) Close() error {
|
||||
err := l.Listener.Close()
|
||||
if channelz.IsOn() {
|
||||
channelz.RemoveEntry(l.channelzID)
|
||||
}
|
||||
channelz.RemoveEntry(l.channelzID)
|
||||
channelz.Info(logger, l.channelzID, "ListenSocket deleted")
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -759,11 +757,6 @@ func (s *Server) Serve(lis net.Listener) error {
|
||||
ls := &listenSocket{Listener: lis}
|
||||
s.lis[ls] = true
|
||||
|
||||
if channelz.IsOn() {
|
||||
ls.channelzID = channelz.RegisterListenSocket(ls, s.channelzID, lis.Addr().String())
|
||||
}
|
||||
s.mu.Unlock()
|
||||
|
||||
defer func() {
|
||||
s.mu.Lock()
|
||||
if s.lis != nil && s.lis[ls] {
|
||||
@@ -773,8 +766,16 @@ func (s *Server) Serve(lis net.Listener) error {
|
||||
s.mu.Unlock()
|
||||
}()
|
||||
|
||||
var tempDelay time.Duration // how long to sleep on accept failure
|
||||
var err error
|
||||
ls.channelzID, err = channelz.RegisterListenSocket(ls, s.channelzID, lis.Addr().String())
|
||||
if err != nil {
|
||||
s.mu.Unlock()
|
||||
return err
|
||||
}
|
||||
s.mu.Unlock()
|
||||
channelz.Info(logger, ls.channelzID, "ListenSocket created")
|
||||
|
||||
var tempDelay time.Duration // how long to sleep on accept failure
|
||||
for {
|
||||
rawConn, err := lis.Accept()
|
||||
if err != nil {
|
||||
@@ -1709,11 +1710,7 @@ func (s *Server) Stop() {
|
||||
s.done.Fire()
|
||||
}()
|
||||
|
||||
s.channelzRemoveOnce.Do(func() {
|
||||
if channelz.IsOn() {
|
||||
channelz.RemoveEntry(s.channelzID)
|
||||
}
|
||||
})
|
||||
s.channelzRemoveOnce.Do(func() { channelz.RemoveEntry(s.channelzID) })
|
||||
|
||||
s.mu.Lock()
|
||||
listeners := s.lis
|
||||
@@ -1751,11 +1748,7 @@ func (s *Server) GracefulStop() {
|
||||
s.quit.Fire()
|
||||
defer s.done.Fire()
|
||||
|
||||
s.channelzRemoveOnce.Do(func() {
|
||||
if channelz.IsOn() {
|
||||
channelz.RemoveEntry(s.channelzID)
|
||||
}
|
||||
})
|
||||
s.channelzRemoveOnce.Do(func() { channelz.RemoveEntry(s.channelzID) })
|
||||
s.mu.Lock()
|
||||
if s.conns == nil {
|
||||
s.mu.Unlock()
|
||||
@@ -1808,12 +1801,26 @@ func (s *Server) getCodec(contentSubtype string) baseCodec {
|
||||
return codec
|
||||
}
|
||||
|
||||
// SetHeader sets the header metadata.
|
||||
// When called multiple times, all the provided metadata will be merged.
|
||||
// All the metadata will be sent out when one of the following happens:
|
||||
// - grpc.SendHeader() is called;
|
||||
// - The first response is sent out;
|
||||
// - An RPC status is sent out (error or success).
|
||||
// SetHeader sets the header metadata to be sent from the server to the client.
|
||||
// The context provided must be the context passed to the server's handler.
|
||||
//
|
||||
// Streaming RPCs should prefer the SetHeader method of the ServerStream.
|
||||
//
|
||||
// When called multiple times, all the provided metadata will be merged. All
|
||||
// the metadata will be sent out when one of the following happens:
|
||||
//
|
||||
// - grpc.SendHeader is called, or for streaming handlers, stream.SendHeader.
|
||||
// - The first response message is sent. For unary handlers, this occurs when
|
||||
// the handler returns; for streaming handlers, this can happen when stream's
|
||||
// SendMsg method is called.
|
||||
// - An RPC status is sent out (error or success). This occurs when the handler
|
||||
// returns.
|
||||
//
|
||||
// SetHeader will fail if called after any of the events above.
|
||||
//
|
||||
// The error returned is compatible with the status package. However, the
|
||||
// status code will often not match the RPC status as seen by the client
|
||||
// application, and therefore, should not be relied upon for this purpose.
|
||||
func SetHeader(ctx context.Context, md metadata.MD) error {
|
||||
if md.Len() == 0 {
|
||||
return nil
|
||||
@@ -1825,8 +1832,14 @@ func SetHeader(ctx context.Context, md metadata.MD) error {
|
||||
return stream.SetHeader(md)
|
||||
}
|
||||
|
||||
// SendHeader sends header metadata. It may be called at most once.
|
||||
// The provided md and headers set by SetHeader() will be sent.
|
||||
// SendHeader sends header metadata. It may be called at most once, and may not
|
||||
// be called after any event that causes headers to be sent (see SetHeader for
|
||||
// a complete list). The provided md and headers set by SetHeader() will be
|
||||
// sent.
|
||||
//
|
||||
// The error returned is compatible with the status package. However, the
|
||||
// status code will often not match the RPC status as seen by the client
|
||||
// application, and therefore, should not be relied upon for this purpose.
|
||||
func SendHeader(ctx context.Context, md metadata.MD) error {
|
||||
stream := ServerTransportStreamFromContext(ctx)
|
||||
if stream == nil {
|
||||
@@ -1840,6 +1853,10 @@ func SendHeader(ctx context.Context, md metadata.MD) error {
|
||||
|
||||
// SetTrailer sets the trailer metadata that will be sent when an RPC returns.
|
||||
// When called more than once, all the provided metadata will be merged.
|
||||
//
|
||||
// The error returned is compatible with the status package. However, the
|
||||
// status code will often not match the RPC status as seen by the client
|
||||
// application, and therefore, should not be relied upon for this purpose.
|
||||
func SetTrailer(ctx context.Context, md metadata.MD) error {
|
||||
if md.Len() == 0 {
|
||||
return nil
|
||||
|
||||
Reference in New Issue
Block a user