status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-01-12 14:55:02 +00:00
Code Issues Projects Releases Wiki Activity
consul/agent/grpc/public/services/acl/logout.go
Dan Upton a668c36930
acl: gRPC login and logout endpoints (#12935) 
Introduces two new public gRPC endpoints (`Login` and `Logout`) and
includes refactoring of the equivalent net/rpc endpoints to enable the
majority of logic to be reused (i.e. by extracting the `Binder` and
`TokenWriter` types).

This contains the OSS portions of the following enterprise commits:

- 75fcdbfcfa6af21d7128cb2544829ead0b1df603
- bce14b714151af74a7f0110843d640204082630a
- cc508b70fbf58eda144d9af3d71bd0f483985893
2022-05-04 17:38:45 +01:00

70 lines
2.0 KiB
Go
Raw Blame History

package acl
import (
"context"
"errors"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/emptypb"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/consul/auth"
"github.com/hashicorp/consul/agent/grpc/public"
"github.com/hashicorp/consul/proto-public/pbacl"
)
// Logout destroys the given ACL token once the caller is done with it.
func (s *Server) Logout(ctx context.Context, req *pbacl.LogoutRequest) (*emptypb.Empty, error) {
logger := s.Logger.Named("logout").With("request_id", public.TraceID())
logger.Trace("request received")
if err := s.requireACLsEnabled(logger); err != nil {
return nil, err
}
if req.Token == "" {
return nil, status.Error(codes.InvalidArgument, "token is required")
}
// Forward request to leader in the requested datacenter.
var rsp *emptypb.Empty
handled, err := s.forwardWriteDC(req.Datacenter, func(conn *grpc.ClientConn) error {
var err error
rsp, err = pbacl.NewACLServiceClient(conn).Logout(ctx, req)
return err
}, logger)
if handled || err != nil {
return rsp, err
}
if err := s.requireLocalTokens(logger); err != nil {
return nil, err
}
err = s.NewTokenWriter().Delete(req.Token, true)
switch {
case errors.Is(err, auth.ErrCannotWriteGlobalToken):
// Writes to global tokens must be forwarded to the primary DC.
req.Datacenter = s.PrimaryDatacenter
_, err = s.forwardWriteDC(s.PrimaryDatacenter, func(conn *grpc.ClientConn) error {
var err error
rsp, err = pbacl.NewACLServiceClient(conn).Logout(ctx, req)
return err
}, logger)
return rsp, err
case errors.Is(err, acl.ErrNotFound):
// No token? Pretend the delete was successful (for idempotency).
return &emptypb.Empty{}, nil
case errors.Is(err, acl.ErrPermissionDenied):
return nil, status.Error(codes.PermissionDenied, err.Error())
case err != nil:
logger.Error("failed to delete token", "error", err.Error())
return nil, status.Error(codes.Internal, "failed to delete token")
}
return &emptypb.Empty{}, nil
}
Reference in New Issue View Git Blame Copy Permalink