mirror of
https://github.com/signalapp/Signal-Server
synced 2026-04-18 20:05:18 +01:00
Make GrpcAllowListInterceptor dynamically configurable
This commit is contained in:
Ravi Khadiwala
committed by
ravi-signal
ravi-signal
parent
f17a39386b
commit
c8d4ea97e4
@@ -31,7 +31,7 @@ import org.whispersystems.textsecuregcm.configuration.DeviceCheckConfiguration;
|
||||
import org.whispersystems.textsecuregcm.configuration.DirectoryV2Configuration;
|
||||
import org.whispersystems.textsecuregcm.configuration.DynamoDbClientFactory;
|
||||
import org.whispersystems.textsecuregcm.configuration.DynamoDbTables;
|
||||
import org.whispersystems.textsecuregcm.configuration.GrpcAllowListConfiguration;
|
||||
import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicGrpcAllowListConfiguration;
|
||||
import org.whispersystems.textsecuregcm.configuration.ExternalRequestFilterConfiguration;
|
||||
import org.whispersystems.textsecuregcm.configuration.FaultTolerantRedisClientFactory;
|
||||
import org.whispersystems.textsecuregcm.configuration.FaultTolerantRedisClusterFactory;
|
||||
@@ -352,7 +352,7 @@ public class WhisperServerConfiguration extends Configuration {
|
||||
@NotNull
|
||||
@Valid
|
||||
@JsonProperty
|
||||
private GrpcAllowListConfiguration grpcAllowList = new GrpcAllowListConfiguration();
|
||||
private DynamicGrpcAllowListConfiguration grpcAllowList = new DynamicGrpcAllowListConfiguration();
|
||||
|
||||
@Valid
|
||||
@NotNull
|
||||
@@ -595,7 +595,7 @@ public class WhisperServerConfiguration extends Configuration {
|
||||
return grpc;
|
||||
}
|
||||
|
||||
public GrpcAllowListConfiguration getGrpcAllowList() {
|
||||
public DynamicGrpcAllowListConfiguration getGrpcAllowList() {
|
||||
return grpcAllowList;
|
||||
}
|
||||
|
||||
|
||||
@@ -882,8 +882,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
|
||||
|
||||
final ErrorMappingInterceptor errorMappingInterceptor = new ErrorMappingInterceptor();
|
||||
final ErrorConformanceInterceptor errorConformanceInterceptor = new ErrorConformanceInterceptor();
|
||||
final GrpcAllowListInterceptor grpcAllowListInterceptor =
|
||||
new GrpcAllowListInterceptor(config.getGrpcAllowList().enableAll(), config.getGrpcAllowList().enabledServices(), config.getGrpcAllowList().enabledMethods());
|
||||
final GrpcAllowListInterceptor grpcAllowListInterceptor = new GrpcAllowListInterceptor(dynamicConfigurationManager);
|
||||
final RequestAttributesInterceptor requestAttributesInterceptor = new RequestAttributesInterceptor();
|
||||
|
||||
final ValidatingInterceptor validatingInterceptor = new ValidatingInterceptor();
|
||||
|
||||
@@ -72,6 +72,10 @@ public class DynamicConfiguration {
|
||||
@Valid
|
||||
private DynamicCarrierDataLookupConfiguration carrierDataLookup = new DynamicCarrierDataLookupConfiguration();
|
||||
|
||||
@JsonProperty
|
||||
@Valid
|
||||
private DynamicGrpcAllowListConfiguration grpcAllowList = new DynamicGrpcAllowListConfiguration();
|
||||
|
||||
public Optional<DynamicExperimentEnrollmentConfiguration> getExperimentEnrollmentConfiguration(
|
||||
final String experimentName) {
|
||||
return Optional.ofNullable(experiments.get(experimentName));
|
||||
@@ -129,4 +133,8 @@ public class DynamicConfiguration {
|
||||
public DynamicCarrierDataLookupConfiguration getCarrierDataLookupConfiguration() {
|
||||
return carrierDataLookup;
|
||||
}
|
||||
|
||||
public DynamicGrpcAllowListConfiguration getGrpcAllowList() {
|
||||
return grpcAllowList;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,10 +2,11 @@
|
||||
* Copyright 2026 Signal Messenger, LLC
|
||||
* SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
package org.whispersystems.textsecuregcm.configuration;
|
||||
package org.whispersystems.textsecuregcm.configuration.dynamic;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
/// Configure which gRPC methods are enabled
|
||||
///
|
||||
@@ -16,22 +17,22 @@ import java.util.List;
|
||||
/// @param enabledMethods A list of fully qualified method names of RPCs that should be enabled. For example,
|
||||
/// `org.signal.chat.account.AccountsAnonymous/LookupUsernameHash` would enable the
|
||||
/// `LookupUsernameHash` RPC method
|
||||
public record GrpcAllowListConfiguration(
|
||||
public record DynamicGrpcAllowListConfiguration(
|
||||
boolean enableAll,
|
||||
List<String> enabledServices,
|
||||
List<String> enabledMethods) {
|
||||
Set<String> enabledServices,
|
||||
Set<String> enabledMethods) {
|
||||
|
||||
public GrpcAllowListConfiguration {
|
||||
public DynamicGrpcAllowListConfiguration {
|
||||
if (enabledServices == null) {
|
||||
enabledServices = Collections.emptyList();
|
||||
enabledServices = Collections.emptySet();
|
||||
}
|
||||
if (enabledMethods == null) {
|
||||
enabledMethods = Collections.emptyList();
|
||||
enabledMethods = Collections.emptySet();
|
||||
}
|
||||
}
|
||||
|
||||
public GrpcAllowListConfiguration() {
|
||||
public DynamicGrpcAllowListConfiguration() {
|
||||
// By default, no GRPC methods are accessible
|
||||
this(false, Collections.emptyList(), Collections.emptyList());
|
||||
this(false, Collections.emptySet(), Collections.emptySet());
|
||||
}
|
||||
}
|
||||
@@ -10,31 +10,28 @@ import io.grpc.ServerCall;
|
||||
import io.grpc.ServerCallHandler;
|
||||
import io.grpc.ServerInterceptor;
|
||||
import io.grpc.Status;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicGrpcAllowListConfiguration;
|
||||
import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
|
||||
import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
|
||||
|
||||
public class GrpcAllowListInterceptor implements ServerInterceptor {
|
||||
|
||||
private final boolean enableAll;
|
||||
private final Set<String> enabledServices;
|
||||
private final Set<String> enabledMethods;
|
||||
private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;
|
||||
|
||||
|
||||
public GrpcAllowListInterceptor(
|
||||
final boolean enableAll,
|
||||
final List<String> enabledServices,
|
||||
final List<String> enabledMethods) {
|
||||
this.enableAll = enableAll;
|
||||
this.enabledServices = new HashSet<>(enabledServices);
|
||||
this.enabledMethods = new HashSet<>(enabledMethods);
|
||||
final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager) {
|
||||
this.dynamicConfigurationManager = dynamicConfigurationManager;
|
||||
}
|
||||
|
||||
@Override
|
||||
public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(final ServerCall<ReqT, RespT> serverCall,
|
||||
final Metadata metadata, final ServerCallHandler<ReqT, RespT> next) {
|
||||
final DynamicGrpcAllowListConfiguration allowList = this.dynamicConfigurationManager.getConfiguration().getGrpcAllowList();
|
||||
final MethodDescriptor<ReqT, RespT> methodDescriptor = serverCall.getMethodDescriptor();
|
||||
if (!enableAll && !enabledServices.contains(methodDescriptor.getServiceName()) && !enabledMethods.contains(methodDescriptor.getFullMethodName())) {
|
||||
if (!allowList.enableAll() &&
|
||||
!allowList.enabledServices().contains(methodDescriptor.getServiceName()) &&
|
||||
!allowList.enabledMethods().contains(methodDescriptor.getFullMethodName())) {
|
||||
return ServerInterceptorUtil.closeWithStatus(serverCall, Status.UNIMPLEMENTED);
|
||||
}
|
||||
return next.startCall(serverCall, metadata);
|
||||
|
||||
Reference in New Issue
Block a user