From b6f27821f148927102a35476d5babc810dd40243 Mon Sep 17 00:00:00 2001 From: Yuri Shkuro Date: Sat, 2 Nov 2024 13:09:08 -0400 Subject: [PATCH] Revert "Use GRPC interceptors for bearer token (#6063)" This reverts commit f5575e27db8e31f36e60691b6b043da40c4b2998. --- cmd/query/app/server.go | 20 +--- cmd/remote-storage/app/server.go | 19 +-- pkg/bearertoken/grpc.go | 135 --------------------- pkg/bearertoken/grpc_test.go | 196 ------------------------------- plugin/storage/grpc/factory.go | 4 - 5 files changed, 9 insertions(+), 365 deletions(-) delete mode 100644 pkg/bearertoken/grpc.go delete mode 100644 pkg/bearertoken/grpc_test.go diff --git a/cmd/query/app/server.go b/cmd/query/app/server.go index db5c141c703..a2c916149e0 100644 --- a/cmd/query/app/server.go +++ b/cmd/query/app/server.go @@ -124,24 +124,14 @@ func createGRPCServerLegacy( grpcOpts = append(grpcOpts, grpc.Creds(creds)) } - - unaryInterceptors := []grpc.UnaryServerInterceptor{ - bearertoken.NewUnaryServerInterceptor(), - } - streamInterceptors := []grpc.StreamServerInterceptor{ - bearertoken.NewStreamServerInterceptor(), - } - //nolint:contextcheck if tm.Enabled { - unaryInterceptors = append(unaryInterceptors, tenancy.NewGuardingUnaryInterceptor(tm)) - streamInterceptors = append(streamInterceptors, tenancy.NewGuardingStreamInterceptor(tm)) + //nolint:contextcheck + grpcOpts = append(grpcOpts, + grpc.StreamInterceptor(tenancy.NewGuardingStreamInterceptor(tm)), + grpc.UnaryInterceptor(tenancy.NewGuardingUnaryInterceptor(tm)), + ) } - grpcOpts = append(grpcOpts, - grpc.ChainUnaryInterceptor(unaryInterceptors...), - grpc.ChainStreamInterceptor(streamInterceptors...), - ) - server := grpc.NewServer(grpcOpts...) return server, nil } diff --git a/cmd/remote-storage/app/server.go b/cmd/remote-storage/app/server.go index 51f88a16699..934175eb9c0 100644 --- a/cmd/remote-storage/app/server.go +++ b/cmd/remote-storage/app/server.go @@ -16,7 +16,6 @@ import ( "google.golang.org/grpc/reflection" "github.com/jaegertracing/jaeger/cmd/query/app/querysvc" - "github.com/jaegertracing/jaeger/pkg/bearertoken" "github.com/jaegertracing/jaeger/pkg/telemetery" "github.com/jaegertracing/jaeger/pkg/tenancy" "github.com/jaegertracing/jaeger/plugin/storage/grpc/shared" @@ -97,23 +96,13 @@ func createGRPCServer(opts *Options, tm *tenancy.Manager, handler *shared.GRPCHa creds := credentials.NewTLS(tlsCfg) grpcOpts = append(grpcOpts, grpc.Creds(creds)) } - - unaryInterceptors := []grpc.UnaryServerInterceptor{ - bearertoken.NewUnaryServerInterceptor(), - } - streamInterceptors := []grpc.StreamServerInterceptor{ - bearertoken.NewStreamServerInterceptor(), - } if tm.Enabled { - unaryInterceptors = append(unaryInterceptors, tenancy.NewGuardingUnaryInterceptor(tm)) - streamInterceptors = append(streamInterceptors, tenancy.NewGuardingStreamInterceptor(tm)) + grpcOpts = append(grpcOpts, + grpc.StreamInterceptor(tenancy.NewGuardingStreamInterceptor(tm)), + grpc.UnaryInterceptor(tenancy.NewGuardingUnaryInterceptor(tm)), + ) } - grpcOpts = append(grpcOpts, - grpc.ChainUnaryInterceptor(unaryInterceptors...), - grpc.ChainStreamInterceptor(streamInterceptors...), - ) - server := grpc.NewServer(grpcOpts...) healthServer := health.NewServer() reflection.Register(server) diff --git a/pkg/bearertoken/grpc.go b/pkg/bearertoken/grpc.go deleted file mode 100644 index 2be9c7c3860..00000000000 --- a/pkg/bearertoken/grpc.go +++ /dev/null @@ -1,135 +0,0 @@ -// Copyright (c) 2024 The Jaeger Authors. -// SPDX-License-Identifier: Apache-2.0 - -package bearertoken - -import ( - "context" - "fmt" - - "google.golang.org/grpc" - "google.golang.org/grpc/metadata" -) - -const Key = "bearer.token" - -type tokenatedServerStream struct { - grpc.ServerStream - context context.Context -} - -func (tss *tokenatedServerStream) Context() context.Context { - return tss.context -} - -// extract bearer token from the metadata -func ValidTokenFromGRPCMetadata(ctx context.Context, bearerHeader string) (string, error) { - md, ok := metadata.FromIncomingContext(ctx) - if !ok { - return "", nil - } - - tokens := md.Get(bearerHeader) - if len(tokens) < 1 { - return "", nil - } - if len(tokens) > 1 { - return "", fmt.Errorf("malformed token: multiple tokens found") - } - return tokens[0], nil -} - -// NewStreamServerInterceptor creates a new stream interceptor that injects the bearer token into the context if available. -func NewStreamServerInterceptor() grpc.StreamServerInterceptor { - return func(srv any, ss grpc.ServerStream, _ *grpc.StreamServerInfo, handler grpc.StreamHandler) error { - if token, _ := GetBearerToken(ss.Context()); token != "" { - return handler(srv, ss) - } - - bearerToken, err := ValidTokenFromGRPCMetadata(ss.Context(), Key) - if err != nil { - return err - } - - return handler(srv, &tokenatedServerStream{ - ServerStream: ss, - context: ContextWithBearerToken(ss.Context(), bearerToken), - }) - } -} - -// NewUnaryServerInterceptor creates a new unary interceptor that injects the bearer token into the context if available. -func NewUnaryServerInterceptor() grpc.UnaryServerInterceptor { - return func(ctx context.Context, req any, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) { - if token, _ := GetBearerToken(ctx); token != "" { - return handler(ctx, req) - } - - bearerToken, err := ValidTokenFromGRPCMetadata(ctx, Key) - if err != nil { - return nil, err - } - - return handler(ContextWithBearerToken(ctx, bearerToken), req) - } -} - -// NewUnaryClientInterceptor injects the bearer token header into gRPC request metadata. -func NewUnaryClientInterceptor() grpc.UnaryClientInterceptor { - return grpc.UnaryClientInterceptor(func( - ctx context.Context, - method string, - req, reply any, - cc *grpc.ClientConn, - invoker grpc.UnaryInvoker, - opts ...grpc.CallOption, - ) error { - var token string - token, err := ValidTokenFromGRPCMetadata(ctx, Key) - if err != nil { - return err - } - - if token == "" { - bearerToken, ok := GetBearerToken(ctx) - if ok && bearerToken != "" { - token = bearerToken - } - } - - if token != "" { - ctx = metadata.AppendToOutgoingContext(ctx, Key, token) - } - return invoker(ctx, method, req, reply, cc, opts...) - }) -} - -// NewStreamClientInterceptor injects the bearer token header into gRPC request metadata. -func NewStreamClientInterceptor() grpc.StreamClientInterceptor { - return grpc.StreamClientInterceptor(func( - ctx context.Context, - desc *grpc.StreamDesc, - cc *grpc.ClientConn, - method string, - streamer grpc.Streamer, - opts ...grpc.CallOption, - ) (grpc.ClientStream, error) { - var token string - token, err := ValidTokenFromGRPCMetadata(ctx, Key) - if err != nil { - return nil, err - } - - if token == "" { - bearerToken, ok := GetBearerToken(ctx) - if ok && bearerToken != "" { - token = bearerToken - } - } - - if token != "" { - ctx = metadata.AppendToOutgoingContext(ctx, Key, token) - } - return streamer(ctx, desc, cc, method, opts...) - }) -} diff --git a/pkg/bearertoken/grpc_test.go b/pkg/bearertoken/grpc_test.go deleted file mode 100644 index 9b4a87ecbaf..00000000000 --- a/pkg/bearertoken/grpc_test.go +++ /dev/null @@ -1,196 +0,0 @@ -// Copyright (c) 2024 The Jaeger Authors. -// SPDX-License-Identifier: Apache-2.0 - -package bearertoken - -import ( - "context" - "testing" - - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - "google.golang.org/grpc" - "google.golang.org/grpc/metadata" -) - -type mockServerStream struct { - ctx context.Context - grpc.ServerStream -} - -func (s *mockServerStream) Context() context.Context { - return s.ctx -} - -func TestClientInterceptors(t *testing.T) { - tests := []struct { - name string - ctx context.Context - expectedErr string - expectedMD metadata.MD - }{ - { - name: "no token in context", - ctx: context.Background(), - expectedErr: "", - expectedMD: nil, // Expecting no metadata - }, - { - name: "token in context", - ctx: ContextWithBearerToken(context.Background(), "test-token"), - expectedErr: "", - expectedMD: metadata.MD{Key: []string{"test-token"}}, - }, - { - name: "multiple tokens in metadata", - ctx: metadata.NewIncomingContext(context.Background(), metadata.MD{Key: []string{"token1", "token2"}}), - expectedErr: "malformed token: multiple tokens found", - }, - { - name: "valid token in metadata", - ctx: metadata.NewIncomingContext(context.Background(), metadata.MD{Key: []string{"valid-token"}}), - expectedErr: "", - expectedMD: metadata.MD{Key: []string{"valid-token"}}, // Valid token setup - }, - } - - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - // Unary interceptor test - verifyMetadata := func(ctx context.Context) error { - md, ok := metadata.FromOutgoingContext(ctx) - if test.expectedMD == nil { - require.False(t, ok, "metadata should not be present") - } else { - require.True(t, ok, "metadata should be present") - assert.Equal(t, test.expectedMD, md) - } - return nil - } - unaryInterceptor := NewUnaryClientInterceptor() - unaryInvoker := func(ctx context.Context, _ string, _, _ any, _ *grpc.ClientConn, _ ...grpc.CallOption) error { - return verifyMetadata(ctx) - } - err := unaryInterceptor(test.ctx, "method", nil, nil, nil, unaryInvoker) - if test.expectedErr == "" { - require.NoError(t, err) - } else { - require.Error(t, err) - require.ErrorContains(t, err, test.expectedErr) - } - - // Stream interceptor test - streamInterceptor := NewStreamClientInterceptor() - streamInvoker := func(ctx context.Context, _ *grpc.StreamDesc, _ *grpc.ClientConn, _ string, _ ...grpc.CallOption) (grpc.ClientStream, error) { - if err := verifyMetadata(ctx); err != nil { - return nil, err - } - return nil, nil - } - _, err = streamInterceptor(test.ctx, &grpc.StreamDesc{}, nil, "method", streamInvoker) - if test.expectedErr == "" { - require.NoError(t, err) - } else { - require.Error(t, err) - assert.ErrorContains(t, err, test.expectedErr) - } - }) - } -} - -func TestServerInterceptors(t *testing.T) { - tests := []struct { - name string - ctx context.Context - expectedErr string - wantToken string - }{ - { - name: "no token in context", - ctx: context.Background(), - expectedErr: "", - wantToken: "", - }, - { - name: "token in context", - ctx: ContextWithBearerToken(context.Background(), "test-token"), - expectedErr: "", - wantToken: "test-token", - }, - { - name: "multiple tokens in metadata", - ctx: metadata.NewIncomingContext(context.Background(), metadata.MD{ - Key: []string{"token1", "token2"}, - }), - expectedErr: "malformed token: multiple tokens found", - wantToken: "", - }, - { - name: "valid token in metadata", - ctx: metadata.NewIncomingContext(context.Background(), metadata.MD{ - Key: []string{"valid-token"}, - }), - expectedErr: "", - wantToken: "valid-token", - }, - } - - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - verifyToken := func(ctx context.Context) error { - token, ok := GetBearerToken(ctx) - if test.wantToken == "" { - assert.False(t, ok, "expected no token") - } else { - assert.True(t, ok, "expected token to be present") - assert.Equal(t, test.wantToken, token) - } - return nil - } - // Test unary server interceptor - unaryInterceptor := NewUnaryServerInterceptor() - unaryHandler := func(ctx context.Context, _ any) (any, error) { - return nil, verifyToken(ctx) - } - - _, err := unaryInterceptor(test.ctx, nil, &grpc.UnaryServerInfo{}, unaryHandler) - if test.expectedErr == "" { - require.NoError(t, err) - } else { - require.Error(t, err) - require.ErrorContains(t, err, test.expectedErr) - } - - // Test stream server interceptor - streamInterceptor := NewStreamServerInterceptor() - mockStream := &mockServerStream{ctx: test.ctx} - streamHandler := func(_ any, stream grpc.ServerStream) error { - return verifyToken(stream.Context()) - } - - err = streamInterceptor(nil, mockStream, &grpc.StreamServerInfo{}, streamHandler) - if test.expectedErr == "" { - require.NoError(t, err) - } else { - require.Error(t, err) - assert.ErrorContains(t, err, test.expectedErr) - } - }) - } -} - -func TestTokenatedServerStream(t *testing.T) { - originalCtx := context.Background() - testToken := "test-token" - newCtx := ContextWithBearerToken(originalCtx, testToken) - - stream := &tokenatedServerStream{ - ServerStream: &mockServerStream{ctx: originalCtx}, - context: newCtx, - } - - // Verify that Context() returns the modified context - token, ok := GetBearerToken(stream.Context()) - require.True(t, ok) - assert.Equal(t, testToken, token) -} diff --git a/plugin/storage/grpc/factory.go b/plugin/storage/grpc/factory.go index 12ec6e5ceb5..c0d3de2b9f2 100644 --- a/plugin/storage/grpc/factory.go +++ b/plugin/storage/grpc/factory.go @@ -23,7 +23,6 @@ import ( "go.uber.org/zap" "google.golang.org/grpc" - "github.com/jaegertracing/jaeger/pkg/bearertoken" "github.com/jaegertracing/jaeger/pkg/metrics" "github.com/jaegertracing/jaeger/pkg/tenancy" "github.com/jaegertracing/jaeger/plugin" @@ -133,9 +132,6 @@ func (f *Factory) newRemoteStorage(telset component.TelemetrySettings, newClient opts = append(opts, grpc.WithStreamInterceptor(tenancy.NewClientStreamInterceptor(tenancyMgr))) } - opts = append(opts, grpc.WithUnaryInterceptor(bearertoken.NewUnaryClientInterceptor())) - opts = append(opts, grpc.WithStreamInterceptor(bearertoken.NewStreamClientInterceptor())) - remoteConn, err := newClient(opts...) if err != nil { return nil, fmt.Errorf("error creating remote storage client: %w", err)