The latest articles on DEV Community by Nguyễn Văn Cao Nguyên (@nvcnvn). https://dev.to/nvcnvn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F425730%2F5822722d-8214-4a17-a37c-7af66bd54b93.jpeg https://dev.to/nvcnvn en Nguyễn Văn Cao Nguyên Tue, 15 Oct 2024 16:10:46 +0000 https://dev.to/nvcnvn/grpc-and-rbac-right-on-your-proto-file-pnc https://dev.to/nvcnvn/grpc-and-rbac-right-on-your-proto-file-pnc <p>We have a simple gRPC service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight protobuf"><code><span class="kd">message</span> <span class="nc">GetUserRequest</span> <span class="p">{</span> <span class="kt">string</span> <span class="na">id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="kd">message</span> <span class="nc">GetUserResponse</span> <span class="p">{</span> <span class="kt">string</span> <span class="na">id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="kt">string</span> <span class="na">name</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="kt">string</span> <span class="na">email</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="p">}</span> <span class="kd">service</span> <span class="n">UsersService</span> <span class="p">{</span> <span class="k">rpc</span> <span class="n">GetUser</span><span class="p">(</span><span class="n">GetUserRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">GetUserResponse</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>gRPC is great in many ways, its performance is great, its ecosystem cannot be compared.<br><br> But imho, top over all of that is a typed contract its provide.<br><br> I'm a backend engineer, I and my mobile and web friends can sit down, discuss, come up with an agreement then we generate the stub client code in flutter and es for mock implementation, regroup after 3 days.<br><br> A good and performance day! </p> <p>But wait, we're missing something!</p> <h3> What exactly user role can call this API? </h3> <div class="highlight js-code-highlight"> <pre class="highlight protobuf"><code><span class="kd">service</span> <span class="n">UsersService</span> <span class="p">{</span> <span class="k">rpc</span> <span class="n">GetUser</span><span class="p">(</span><span class="n">GetUserRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">GetUserResponse</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><code>GetUser</code> method almost have everything, but still not enough for describing the authorization requirement.</p> <ul> <li> <code>Get</code>: this is the verb, the action</li> <li> <code>User</code>: this is the resource</li> </ul> <p>And we only missing the <code>Role</code> part to describe a <strong>RBAC</strong> rule. </p> <p>Tooooo bad, we come so close, just if we can do something, something type-safe, something generic... 😢</p> <p>Your wish will come true, with the help of proto descriptor</p> <h4> First, extend the <code>google.protobuf.MethodOptions</code> to describe your policy </h4> <div class="highlight js-code-highlight"> <pre class="highlight protobuf"><code><span class="kd">enum</span> <span class="n">Role</span> <span class="p">{</span> <span class="na">ROLE_UNSPECIFIED</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="na">ROLE_CUSTOMER</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="na">ROLE_ADMIN</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="p">}</span> <span class="kd">message</span> <span class="nc">RoleBasedAccessControl</span> <span class="p">{</span> <span class="k">repeated</span> <span class="n">Role</span> <span class="na">allowed_roles</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="kt">bool</span> <span class="na">allow_unauthenticated</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="p">}</span> <span class="kd">extend</span> <span class="nc">google</span><span class="o">.</span><span class="n">protobuf.MethodOptions</span> <span class="p">{</span> <span class="k">optional</span> <span class="n">RoleBasedAccessControl</span> <span class="na">access_control</span> <span class="o">=</span> <span class="mi">90000</span><span class="p">;</span> <span class="c1">// I don't know about this 90000, seem as long as it's unique</span> <span class="p">}</span> </code></pre> </div> <h4> Then, use the new <code>MethodOptions</code> in your Methods definition (mind the import path) </h4> <div class="highlight js-code-highlight"> <pre class="highlight protobuf"><code><span class="kd">service</span> <span class="n">UsersService</span> <span class="p">{</span> <span class="k">rpc</span> <span class="n">GetUser</span><span class="p">(</span><span class="n">GetUserRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">GetUserResponse</span><span class="p">)</span> <span class="p">{</span> <span class="k">option</span> <span class="p">(</span><span class="n">components.rbac.v1.access_control</span><span class="p">)</span> <span class="o">=</span> <span class="p">{</span> <span class="n">allowed_roles</span><span class="o">:</span> <span class="p">[</span> <span class="n">ROLE_CUSTOMER</span><span class="p">,</span> <span class="n">ROLE_ADMIN</span> <span class="p">]</span> <span class="n">allow_unauthenticated</span><span class="o">:</span> <span class="kc">false</span> <span class="p">};</span> <span class="p">}</span> <span class="k">rpc</span> <span class="n">DeleteUser</span><span class="p">(</span><span class="n">DeleteUserRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">DeleteUserResponse</span><span class="p">)</span> <span class="p">{</span> <span class="k">option</span> <span class="p">(</span><span class="n">components.rbac.v1.access_control</span><span class="p">)</span> <span class="o">=</span> <span class="p">{</span> <span class="n">allowed_roles</span><span class="o">:</span> <span class="p">[</span><span class="n">ROLE_ADMIN</span><span class="p">]</span> <span class="n">allow_unauthenticated</span><span class="o">:</span> <span class="kc">false</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Then fork and modify the grpc-go proto generator command </h4> <p>Just kidding, the night is late and I need to be in the office before 08:00 AM 😢</p> <h4> Solution: write an interceptor and use it with your server </h4> <p>Load the methods descriptor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">RBACUnaryInterceptor</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">any</span><span class="p">,</span> <span class="n">info</span> <span class="o">*</span><span class="n">grpc</span><span class="o">.</span><span class="n">UnaryServerInfo</span><span class="p">,</span> <span class="n">handler</span> <span class="n">grpc</span><span class="o">.</span><span class="n">UnaryHandler</span><span class="p">)</span> <span class="p">(</span><span class="n">any</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="c">// the info give us: /components.users.v1.UsersService/GetUser</span> <span class="c">// we need to convert it to components.users.v1.UsersService.GetUser</span> <span class="n">methodName</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">Replace</span><span class="p">(</span><span class="n">strings</span><span class="o">.</span><span class="n">TrimPrefix</span><span class="p">(</span><span class="n">info</span><span class="o">.</span><span class="n">FullMethod</span><span class="p">,</span> <span class="s">"/"</span><span class="p">),</span> <span class="s">"/"</span><span class="p">,</span> <span class="s">"."</span><span class="p">,</span> <span class="o">-</span><span class="m">1</span><span class="p">)</span> <span class="n">desc</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">protoregistry</span><span class="o">.</span><span class="n">GlobalFiles</span><span class="o">.</span><span class="n">FindDescriptorByName</span><span class="p">(</span><span class="n">protoreflect</span><span class="o">.</span><span class="n">FullName</span><span class="p">(</span><span class="n">methodName</span><span class="p">))</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">status</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="n">codes</span><span class="o">.</span><span class="n">Internal</span><span class="p">,</span> <span class="s">"method not found descriptor"</span><span class="p">)</span> <span class="p">}</span> <span class="n">method</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">desc</span><span class="o">.</span><span class="p">(</span><span class="n">protoreflect</span><span class="o">.</span><span class="n">MethodDescriptor</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">status</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="n">codes</span><span class="o">.</span><span class="n">Internal</span><span class="p">,</span> <span class="s">"some hoe this is not a method"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Find our <code>access_control</code> option:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="k">var</span> <span class="n">policy</span> <span class="o">*</span><span class="n">rbacv1</span><span class="o">.</span><span class="n">RoleBasedAccessControl</span> <span class="n">method</span><span class="o">.</span><span class="n">Options</span><span class="p">()</span><span class="o">.</span><span class="n">ProtoReflect</span><span class="p">()</span><span class="o">.</span><span class="n">Range</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">fd</span> <span class="n">protoreflect</span><span class="o">.</span><span class="n">FieldDescriptor</span><span class="p">,</span> <span class="n">v</span> <span class="n">protoreflect</span><span class="o">.</span><span class="n">Value</span><span class="p">)</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">if</span> <span class="n">fd</span><span class="o">.</span><span class="n">FullName</span><span class="p">()</span> <span class="o">!=</span> <span class="n">rbacv1</span><span class="o">.</span><span class="n">E_AccessControl</span><span class="o">.</span><span class="n">TypeDescriptor</span><span class="p">()</span><span class="o">.</span><span class="n">FullName</span><span class="p">()</span> <span class="p">{</span> <span class="c">// continue finding the AccessControl field</span> <span class="k">return</span> <span class="no">true</span> <span class="p">}</span> <span class="n">b</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">proto</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="n">v</span><span class="o">.</span><span class="n">Message</span><span class="p">()</span><span class="o">.</span><span class="n">Interface</span><span class="p">())</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// TODO: better handle this as an Internal error</span> <span class="c">// but for now, just return PermissionDenied</span> <span class="k">return</span> <span class="no">false</span> <span class="p">}</span> <span class="n">policy</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">rbacv1</span><span class="o">.</span><span class="n">RoleBasedAccessControl</span><span class="p">{}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">proto</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">b</span><span class="p">,</span> <span class="n">policy</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// same as above, better handle this as an Internal error</span> <span class="k">return</span> <span class="no">false</span> <span class="p">}</span> <span class="c">// btw I think this policy can be cached</span> <span class="k">return</span> <span class="no">false</span> <span class="p">})</span> <span class="k">if</span> <span class="n">policy</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// secure by default, DENY_ALL if no control policy is found</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">status</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="n">codes</span><span class="o">.</span><span class="n">PermissionDenied</span><span class="p">,</span> <span class="s">"permission denied"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h4> Example: </h4> <p>Add or append the newly created interceptor to your backend<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">newUsersServer</span><span class="p">()</span> <span class="o">*</span><span class="n">grpc</span><span class="o">.</span><span class="n">Server</span> <span class="p">{</span> <span class="n">svc</span> <span class="o">:=</span> <span class="n">grpc</span><span class="o">.</span><span class="n">NewServer</span><span class="p">(</span><span class="n">grpc</span><span class="o">.</span><span class="n">UnaryInterceptor</span><span class="p">(</span><span class="n">interceptors</span><span class="o">.</span><span class="n">RBACUnaryInterceptor</span><span class="p">))</span> <span class="n">usersv1</span><span class="o">.</span><span class="n">RegisterUsersServiceServer</span><span class="p">(</span><span class="n">svc</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">usersServer</span><span class="p">{})</span> <span class="k">return</span> <span class="n">svc</span> <span class="p">}</span> </code></pre> </div> <p>Then test it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="n">peasantCtx</span> <span class="o">:=</span> <span class="n">metadata</span><span class="o">.</span><span class="n">NewOutgoingContext</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="n">metadata</span><span class="o">.</span><span class="n">Pairs</span><span class="p">(</span><span class="s">"role"</span><span class="p">,</span> <span class="s">"ROLE_CUSTOMER"</span><span class="p">))</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="n">GetUser</span><span class="p">(</span><span class="n">peasantCtx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">usersv1</span><span class="o">.</span><span class="n">GetUserRequest</span><span class="p">{})</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">status</span><span class="o">.</span><span class="n">Code</span><span class="p">(</span><span class="n">err</span><span class="p">))</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="n">DeleteUser</span><span class="p">(</span><span class="n">peasantCtx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">usersv1</span><span class="o">.</span><span class="n">DeleteUserRequest</span><span class="p">{})</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">status</span><span class="o">.</span><span class="n">Code</span><span class="p">(</span><span class="n">err</span><span class="p">))</span> <span class="n">knightlyAdminCtx</span> <span class="o">:=</span> <span class="n">metadata</span><span class="o">.</span><span class="n">NewOutgoingContext</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="n">metadata</span><span class="o">.</span><span class="n">Pairs</span><span class="p">(</span><span class="s">"role"</span><span class="p">,</span> <span class="s">"ROLE_ADMIN"</span><span class="p">))</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="n">GetUser</span><span class="p">(</span><span class="n">knightlyAdminCtx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">usersv1</span><span class="o">.</span><span class="n">GetUserRequest</span><span class="p">{})</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">status</span><span class="o">.</span><span class="n">Code</span><span class="p">(</span><span class="n">err</span><span class="p">))</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="n">DeleteUser</span><span class="p">(</span><span class="n">knightlyAdminCtx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">usersv1</span><span class="o">.</span><span class="n">DeleteUserRequest</span><span class="p">{})</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">status</span><span class="o">.</span><span class="n">Code</span><span class="p">(</span><span class="n">err</span><span class="p">))</span> <span class="c">// Output:</span> <span class="c">// OK</span> <span class="c">// PermissionDenied</span> <span class="c">// OK</span> <span class="c">// OK</span> </code></pre> </div> <p>Finally, example code with testable Example published here <a href="https://github.com/nvcnvn/grpc-methods-descriptor-example" rel="noopener noreferrer">https://github.com/nvcnvn/grpc-methods-descriptor-example</a> </p> grpc protobuf go