authorize: use query instead of sync for databroker data (#3377)

2025-08-03 16:59:22 +02:00 · 2022-06-01 15:40:07 -06:00 · 2022-06-01 15:40:07 -06:00 · f61e7efe73
commit f61e7efe73
parent fd82cc7870
24 changed files with 661 additions and 1008 deletions
--- a/pkg/grpc/audit/audit.pb.go
+++ b/pkg/grpc/audit/audit.pb.go
@ -26,10 +26,8 @@ type Record struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Request                 *v3.CheckRequest  `protobuf:"bytes,1,opt,name=request,proto3" json:"request,omitempty"`
-	Response                *v3.CheckResponse `protobuf:"bytes,2,opt,name=response,proto3" json:"response,omitempty"`
-	DatabrokerServerVersion uint64            `protobuf:"varint,3,opt,name=databroker_server_version,json=databrokerServerVersion,proto3" json:"databroker_server_version,omitempty"`
-	DatabrokerRecordVersion uint64            `protobuf:"varint,4,opt,name=databroker_record_version,json=databrokerRecordVersion,proto3" json:"databroker_record_version,omitempty"`
+	Request  *v3.CheckRequest  `protobuf:"bytes,1,opt,name=request,proto3" json:"request,omitempty"`
+	Response *v3.CheckResponse `protobuf:"bytes,2,opt,name=response,proto3" json:"response,omitempty"`
 }

 func (x *Record) Reset() {
@ -78,20 +76,6 @@ func (x *Record) GetResponse() *v3.CheckResponse {
 	return nil
 }

-func (x *Record) GetDatabrokerServerVersion() uint64 {
-	if x != nil {
-		return x.DatabrokerServerVersion
-	}
-	return 0
-}
-
-func (x *Record) GetDatabrokerRecordVersion() uint64 {
-	if x != nil {
-		return x.DatabrokerRecordVersion
-	}
-	return 0
-}
-
 var File_audit_proto protoreflect.FileDescriptor

 var file_audit_proto_rawDesc = []byte{
@ -99,7 +83,7 @@ var file_audit_proto_rawDesc = []byte{
 	0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x61, 0x75, 0x64, 0x69, 0x74, 0x1a, 0x29, 0x65,
 	0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x61, 0x75, 0x74,
 	0x68, 0x2f, 0x76, 0x33, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x61, 0x75,
-	0x74, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x81, 0x02, 0x0a, 0x06, 0x52, 0x65, 0x63,
+	0x74, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x89, 0x01, 0x0a, 0x06, 0x52, 0x65, 0x63,
 	0x6f, 0x72, 0x64, 0x12, 0x3d, 0x0a, 0x07, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x18, 0x01,
 	0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x73, 0x65, 0x72,
 	0x76, 0x69, 0x63, 0x65, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x33, 0x2e, 0x43, 0x68, 0x65,
@ -108,18 +92,10 @@ var file_audit_proto_rawDesc = []byte{
 	0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x73, 0x65, 0x72,
 	0x76, 0x69, 0x63, 0x65, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x33, 0x2e, 0x43, 0x68, 0x65,
 	0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x08, 0x72, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a, 0x19, 0x64, 0x61, 0x74, 0x61, 0x62, 0x72, 0x6f, 0x6b,
-	0x65, 0x72, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f,
-	0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x04, 0x52, 0x17, 0x64, 0x61, 0x74, 0x61, 0x62, 0x72, 0x6f,
-	0x6b, 0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e,
-	0x12, 0x3a, 0x0a, 0x19, 0x64, 0x61, 0x74, 0x61, 0x62, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x5f, 0x72,
-	0x65, 0x63, 0x6f, 0x72, 0x64, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20,
-	0x01, 0x28, 0x04, 0x52, 0x17, 0x64, 0x61, 0x74, 0x61, 0x62, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x52,
-	0x65, 0x63, 0x6f, 0x72, 0x64, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x42, 0x2d, 0x5a, 0x2b,
-	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72,
-	0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67,
-	0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x61, 0x75, 0x64, 0x69, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x33,
+	0x6f, 0x6e, 0x73, 0x65, 0x42, 0x2d, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
+	0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65,
+	0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x61, 0x75,
+	0x64, 0x69, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
--- a/pkg/grpc/audit/audit.proto
+++ b/pkg/grpc/audit/audit.proto
@ -8,6 +8,4 @@ import "envoy/service/auth/v3/external_auth.proto";
 message Record {
  envoy.service.auth.v3.CheckRequest request = 1;
  envoy.service.auth.v3.CheckResponse response = 2;
-  uint64 databroker_server_version = 3;
-  uint64 databroker_record_version = 4;
 }
--- a/pkg/grpc/databroker/databroker.go
+++ b/pkg/grpc/databroker/databroker.go
@ -7,6 +7,7 @@ import (
 	"io"

 	"google.golang.org/protobuf/proto"
+	structpb "google.golang.org/protobuf/types/known/structpb"

 	"github.com/pomerium/pomerium/pkg/grpcutil"
 	"github.com/pomerium/pomerium/pkg/protoutil"
@ -118,6 +119,27 @@ func (x *PutResponse) GetRecord() *Record {
 	return records[0]
 }

+// SetFilterByID sets the filter to an id.
+func (x *QueryRequest) SetFilterByID(id string) {
+	x.Filter = &structpb.Struct{Fields: map[string]*structpb.Value{
+		"id": structpb.NewStringValue(id),
+	}}
+}
+
+// SetFilterByIDOrIndex sets the filter to an id or an index.
+func (x *QueryRequest) SetFilterByIDOrIndex(idOrIndex string) {
+	x.Filter = &structpb.Struct{Fields: map[string]*structpb.Value{
+		"$or": structpb.NewListValue(&structpb.ListValue{Values: []*structpb.Value{
+			structpb.NewStructValue(&structpb.Struct{Fields: map[string]*structpb.Value{
+				"id": structpb.NewStringValue(idOrIndex),
+			}}),
+			structpb.NewStructValue(&structpb.Struct{Fields: map[string]*structpb.Value{
+				"$index": structpb.NewStringValue(idOrIndex),
+			}}),
+		}}),
+	}}
+}
+
 // default is 4MB, but we'll do 1MB
 const maxMessageSize = 1024 * 1024 * 1