Merge #150225

150225: server: add drpc server authentication interceptors r=shubhamdhama a=shubhamdhama

Port existing authorization/authentication interceptors from gRPC to DRPC.

There is currently some code duplication between the gRPC and DRPC
implementations, which will be refactored in a future commit to extract
common functionality.

Corresponding PR with the DRPC framework changes: cockroachdb/drpc#11

Epic: CRDB-49359
Release note: none

Co-authored-by: Shubham Dhama <[email protected]>

Author: craig[bot]

DEPS.bzl

@@ -11146,10 +11146,10 @@ def go_deps():
         name = "io_storj_drpc",
         build_file_proto_mode = "disable_global",
         importpath = "storj.io/drpc",
-        sha256 = "612016b7a145f386a2163d788e3376cb0f63410b8423f2ef3f723f7aa24c1971",
-        strip_prefix = "github.com/cockroachdb/[email protected]20250618091105-e79a954a2193",
+        sha256 = "ebb4b3ca9a6c5944255506b4cf5091b86b76851e52211940b609c98e8bcc7aab",
+        strip_prefix = "github.com/cockroachdb/[email protected]20250807091527-65dcebaa113e",
         urls = [
-            "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/cockroachdb/drpc/com_github_cockroachdb_drpc-v0.0.0-20250618091105-e79a954a2193.zip",
+            "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/cockroachdb/drpc/com_github_cockroachdb_drpc-v0.0.0-20250807091527-65dcebaa113e.zip",
         ],
     )
     go_repository(

build/bazelutil/distdir_files.bzl

@@ -351,7 +351,7 @@ DISTDIR_FILES = {
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/cockroachdb/crlfmt/com_github_cockroachdb_crlfmt-v0.0.0-20221214225007-b2fc5c302548.zip": "fedc01bdd6d964da0425d5eaac8efadc951e78e13f102292cc0774197f09ab63",
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/cockroachdb/crlib/com_github_cockroachdb_crlib-v0.0.0-20250718215705-7ff5051265b9.zip": "4fb4d32f15fb3c63decb9625406f291874f975518d5937493a7a9d1f3a644f18",
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/cockroachdb/datadriven/com_github_cockroachdb_datadriven-v1.0.3-0.20250407164829-2945557346d5.zip": "251593cd9c040fe84a99a3919de7ce6f85030d522159a37d625dc2dea7a4d17f",
-    "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/cockroachdb/drpc/com_github_cockroachdb_drpc-v0.0.0-20250618091105-e79a954a2193.zip": "612016b7a145f386a2163d788e3376cb0f63410b8423f2ef3f723f7aa24c1971",
+    "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/cockroachdb/drpc/com_github_cockroachdb_drpc-v0.0.0-20250807091527-65dcebaa113e.zip": "ebb4b3ca9a6c5944255506b4cf5091b86b76851e52211940b609c98e8bcc7aab",
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/cockroachdb/errors/com_github_cockroachdb_errors-v1.12.0.zip": "f73d8a5f4d8fcbc4ed61db2b47f17e2601d8b32e9a49c0665667489d9d9d6e7c",
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/cockroachdb/go-test-teamcity/com_github_cockroachdb_go_test_teamcity-v0.0.0-20191211140407-cff980ad0a55.zip": "bac30148e525b79d004da84d16453ddd2d5cd20528e9187f1d7dac708335674b",
     "https://storage.googleapis.com/cockroach-godeps/gomod/github.com/cockroachdb/gogoproto/com_github_cockroachdb_gogoproto-v1.3.3-0.20241216150617-2358cdb156a1.zip": "bf052c9a7f9e23fb3ec7e9f3b7201cfc264c18ed6da0d662952d276dbc339003",

go.mod

@@ -524,7 +524,7 @@ replace golang.org/x/time => github.com/cockroachdb/x-time v0.3.1-0.202305251236
 
 replace github.com/gogo/protobuf => github.com/cockroachdb/gogoproto v1.3.3-0.20241216150617-2358cdb156a1
 
-replace storj.io/drpc => github.com/cockroachdb/drpc v0.0.0-20250618091105-e79a954a2193
+replace storj.io/drpc => github.com/cockroachdb/drpc v0.0.0-20250807091527-65dcebaa113e
 
 // Note: This forked dependency adds a commit that opens up some
 // private APIs to enable us to make some perf improvements to

go.sum

@@ -565,8 +565,8 @@ github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:z
 github.com/cockroachdb/datadriven v1.0.2/go.mod h1:a9RdTaap04u637JoCzcUoIcDmvwSUtcUFtT/C3kJlTU=
 github.com/cockroachdb/datadriven v1.0.3-0.20250407164829-2945557346d5 h1:UycK/E0TkisVrQbSoxvU827FwgBBcZ95nRRmpj/12QI=
 github.com/cockroachdb/datadriven v1.0.3-0.20250407164829-2945557346d5/go.mod h1:jsaKMvD3RBCATk1/jbUZM8C9idWBJME9+VRZ5+Liq1g=
-github.com/cockroachdb/drpc v0.0.0-20250618091105-e79a954a2193 h1:c/lx52g2cnFUVPkHqYX+6Nyh+3L/l5ae0SSrkvrUM4M=
-github.com/cockroachdb/drpc v0.0.0-20250618091105-e79a954a2193/go.mod h1:UWP+upGv1Z+4nWxcdwhv3/wQXSOgCZteytaRVez5PDc=
+github.com/cockroachdb/drpc v0.0.0-20250807091527-65dcebaa113e h1:Fzex8ZwZ/Exh7ZJf9bTS8BELh93bVFvdzqqKc9jaWUo=
+github.com/cockroachdb/drpc v0.0.0-20250807091527-65dcebaa113e/go.mod h1:UWP+upGv1Z+4nWxcdwhv3/wQXSOgCZteytaRVez5PDc=
 github.com/cockroachdb/errors v1.9.1/go.mod h1:2sxOtL2WIc096WSZqZ5h8fa17rdDq9HZOZLBCor4mBk=
 github.com/cockroachdb/errors v1.12.0 h1:d7oCs6vuIMUQRVbi6jWWWEJZahLCfJpnJSVobd1/sUo=
 github.com/cockroachdb/errors v1.12.0/go.mod h1:SvzfYNNBshAVbZ8wzNc/UPK3w1vf0dKDUP41ucAIf7g=

pkg/rpc/BUILD.bazel

@@ -80,7 +80,9 @@ go_library(
         "@io_storj_drpc//:drpc",
         "@io_storj_drpc//drpcclient",
         "@io_storj_drpc//drpcconn",
+        "@io_storj_drpc//drpcctx",
         "@io_storj_drpc//drpcmanager",
+        "@io_storj_drpc//drpcmetadata",
         "@io_storj_drpc//drpcmigrate",
         "@io_storj_drpc//drpcmux",
         "@io_storj_drpc//drpcpool",
@@ -177,6 +179,8 @@ go_test(
         "@com_github_prometheus_client_model//go",
         "@com_github_stretchr_testify//assert",
         "@com_github_stretchr_testify//require",
+        "@io_storj_drpc//drpcctx",
+        "@io_storj_drpc//drpcmetadata",
         "@org_golang_google_grpc//:grpc",
         "@org_golang_google_grpc//codes",
         "@org_golang_google_grpc//credentials",

pkg/rpc/auth.go

@@ -23,6 +23,10 @@ import (
 	"google.golang.org/grpc/credentials"
 	grpcpeer "google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
+	"storj.io/drpc"
+	"storj.io/drpc/drpcctx"
+	"storj.io/drpc/drpcmetadata"
+	"storj.io/drpc/drpcmux"
 )
 
 var errTLSInfoMissing = authError("TLSInfo is not available in request context")
@@ -41,11 +45,14 @@ func authErrorf(format string, a ...interface{}) error {
 type kvAuth struct {
 	sv     *settings.Values
 	tenant tenantAuthorizer
+	isDRPC bool
 }
 
 // kvAuth implements the auth interface.
-func (a kvAuth) AuthUnary() grpc.UnaryServerInterceptor   { return a.unaryInterceptor }
-func (a kvAuth) AuthStream() grpc.StreamServerInterceptor { return a.streamInterceptor }
+func (a kvAuth) AuthUnary() grpc.UnaryServerInterceptor          { return a.unaryInterceptor }
+func (a kvAuth) AuthDRPCUnary() drpcmux.UnaryServerInterceptor   { return a.unaryDRPCInterceptor }
+func (a kvAuth) AuthDRPCStream() drpcmux.StreamServerInterceptor { return a.streamDRPCInterceptor }
+func (a kvAuth) AuthStream() grpc.StreamServerInterceptor        { return a.streamInterceptor }
 
 func (a kvAuth) unaryInterceptor(
 	ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler,
@@ -81,7 +88,41 @@ func (a kvAuth) unaryInterceptor(
 			return nil, err
 		}
 	case authzTenantServerToTenantServer:
-	// Tenant servers can see all of each other's RPCs.
+		// Tenant servers can see all of each other's RPCs.
+	case authzPrivilegedPeerToServer:
+		// Privileged clients (root/node) can see all RPCs.
+	default:
+		return nil, errors.AssertionFailedf("unhandled case: %T", err)
+	}
+	return handler(ctx, req)
+}
+
+func (a kvAuth) unaryDRPCInterceptor(
+	ctx context.Context, req interface{}, rpc string, handler drpcmux.UnaryHandler,
+) (out interface{}, err error) {
+	// Perform authentication and authz selection.
+	authnRes, authz, err := a.authenticateAndSelectAuthzRule(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	// Enhance the context to ensure the API handler only sees a client tenant ID
+	// via roachpb.ClientTenantFromContext when relevant.
+	ctx = contextForRequest(ctx, authnRes)
+
+	// Handle authorization according to the selected authz method.
+	switch ar := authz.(type) {
+	case authzTenantServerToKVServer:
+		// Clear any leftover incoming DRPC metadata, if this call is
+		// originating from a RPC handler function called as a result of a
+		// tenant call. See unaryInterceptor for more details.
+		ctx = drpcmetadata.ClearContext(ctx)
+
+		if err := a.tenant.authorize(ctx, a.sv, roachpb.TenantID(ar), rpc, req); err != nil {
+			return nil, err
+		}
+	case authzTenantServerToTenantServer:
+		// Tenant servers can see all of each other's RPCs.
 	case authzPrivilegedPeerToServer:
 		// Privileged clients (root/node) can see all RPCs.
 	default:
@@ -143,7 +184,7 @@ func (a kvAuth) streamInterceptor(
 			},
 		}
 	case authzTenantServerToTenantServer:
-	// Tenant servers can see all of each other's RPCs.
+		// Tenant servers can see all of each other's RPCs.
 	case authzPrivilegedPeerToServer:
 		// Privileged clients (root/node) can see all RPCs.
 	default:
@@ -152,6 +193,55 @@ func (a kvAuth) streamInterceptor(
 	return handler(srv, ss)
 }
 
+func (a kvAuth) streamDRPCInterceptor(
+	stream drpc.Stream, rpc string, handler drpcmux.StreamHandler,
+) (out interface{}, err error) {
+	ctx := stream.Context()
+	// Perform authentication and authz selection.
+	authnRes, authz, err := a.authenticateAndSelectAuthzRule(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	// Enhance the context to ensure the API handler only sees a client tenant ID
+	// via roachpb.ClientTenantFromContext when relevant.
+	ctx = contextForRequest(ctx, authnRes)
+
+	// Handle authorization according to the selected authz method.
+	switch ar := authz.(type) {
+	case authzTenantServerToKVServer:
+		// Clear any leftover incoming DRPC metadata, if this call is
+		// originating from a RPC handler function called as a result of a
+		// tenant call. See streamInterceptor for more details.
+
+		if rpc == "/cockroach.blobs.Blob/PutStream" {
+			ctx = drpcmetadata.ClearContextExcept(ctx, "filename")
+		} else {
+			ctx = drpcmetadata.ClearContext(ctx)
+		}
+
+		originalStream := stream
+		stream = &wrappedDRPCServerStream{
+			Stream: originalStream,
+			ctx:    ctx,
+			recv: func(m drpc.Message, enc drpc.Encoding) error {
+				if err := originalStream.MsgRecv(m, enc); err != nil {
+					return err
+				}
+				// 'm' is now populated and contains the request from the client.
+				return a.tenant.authorize(ctx, a.sv, roachpb.TenantID(ar), rpc, m)
+			},
+		}
+	case authzTenantServerToTenantServer:
+		// Tenant servers can see all of each other's RPCs.
+	case authzPrivilegedPeerToServer:
+		// Privileged clients (root/node) can see all RPCs.
+	default:
+		return nil, errors.AssertionFailedf("unhandled case: %T", err)
+	}
+	return handler(stream)
+}
+
 func (a kvAuth) authenticateAndSelectAuthzRule(
 	ctx context.Context,
 ) (authnResult, requiredAuthzMethod, error) {
@@ -162,7 +252,7 @@ func (a kvAuth) authenticateAndSelectAuthzRule(
 	}
 
 	// Select authorization rules suitable for the peer.
-	authz, err := a.selectAuthzMethod(ctx, authnRes)
+	authz, err := a.selectAuthzMethod(authnRes)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -176,19 +266,30 @@ type authnResult interface {
 	authnResult()
 }
 
-func getClientCert(ctx context.Context) (*x509.Certificate, error) {
-	p, ok := grpcpeer.FromContext(ctx)
-	if !ok {
-		return nil, errTLSInfoMissing
+func (a kvAuth) getClientCert(ctx context.Context) (*x509.Certificate, error) {
+	var certs []*x509.Certificate
+	if a.isDRPC {
+		info, ok := drpcctx.GetPeerConnectionInfo(ctx)
+		if !ok {
+			return nil, errTLSInfoMissing
+		}
+		certs = info.Certificates
+	} else {
+		p, ok := grpcpeer.FromContext(ctx)
+		if !ok {
+			return nil, errTLSInfoMissing
+		}
+		tlsInfo, ok := p.AuthInfo.(credentials.TLSInfo)
+		if !ok {
+			return nil, errTLSInfoMissing
+		}
+		certs = tlsInfo.State.PeerCertificates
 	}
 
-	tlsInfo, ok := p.AuthInfo.(credentials.TLSInfo)
-	if !ok || len(tlsInfo.State.PeerCertificates) == 0 {
+	if len(certs) == 0 {
 		return nil, errTLSInfoMissing
 	}
-
-	clientCert := tlsInfo.State.PeerCertificates[0]
-	return clientCert, nil
+	return certs[0], nil
 }
 
 // authnSuccessPeerIsTenantServer indicates authentication has
@@ -247,7 +348,7 @@ func (a kvAuth) authenticateLocalRequest(
 ) (authnResult, error) {
 	// Sanity check: verify that we do not also have gRPC network credentials
 	// in the context. This would indicate that metadata was improperly propagated.
-	maybeTid, err := tenantIDFromRPCMetadata(ctx)
+	maybeTid, err := a.tenantIDFromRPCMetadata(ctx)
 	if err != nil || maybeTid.IsSet() {
 		logcrash.ReportOrPanic(ctx, a.sv, "programming error: network credentials in internal adapter request (%v, %v)", maybeTid, err)
 		return nil, authErrorf("programming error")
@@ -268,12 +369,12 @@ func (a kvAuth) authenticateLocalRequest(
 func (a kvAuth) authenticateNetworkRequest(ctx context.Context) (authnResult, error) {
 	// We will need to look at the TLS cert in any case, so extract it
 	// first.
-	clientCert, err := getClientCert(ctx)
+	clientCert, err := a.getClientCert(ctx)
 	if err != nil {
 		return nil, err
 	}
 
-	tenantIDFromMetadata, err := tenantIDFromRPCMetadata(ctx)
+	tenantIDFromMetadata, err := a.tenantIDFromRPCMetadata(ctx)
 	if err != nil {
 		return nil, authErrorf("client provided invalid tenant ID: %v", err)
 	}
@@ -357,9 +458,7 @@ func (authzPrivilegedPeerToServer) rpcAuthzMethod()     {}
 
 // selectAuthzMethod selects the authorization rule to use for the
 // given authentication event.
-func (a kvAuth) selectAuthzMethod(
-	ctx context.Context, ar authnResult,
-) (requiredAuthzMethod, error) {
+func (a kvAuth) selectAuthzMethod(ar authnResult) (requiredAuthzMethod, error) {
 	switch res := ar.(type) {
 	case authnSuccessPeerIsTenantServer:
 		// The client is a tenant server. We have two possible cases:
@@ -488,9 +587,20 @@ func newTenantClientCreds(tid roachpb.TenantID) credentials.PerRPCCredentials {
 	}
 }
 
+func newPerRPCTIDMetdata(tid roachpb.TenantID) (string, string) {
+	return clientTIDMetadataHeaderKey, fmt.Sprint(tid)
+}
+
 // tenantIDFromRPCMetadata checks if there is a tenant ID in
 // the incoming gRPC metadata.
-func tenantIDFromRPCMetadata(ctx context.Context) (roachpb.TenantID, error) {
+func (a kvAuth) tenantIDFromRPCMetadata(ctx context.Context) (roachpb.TenantID, error) {
+	if a.isDRPC {
+		val, ok := drpcmetadata.GetValue(ctx, clientTIDMetadataHeaderKey)
+		if !ok {
+			return roachpb.TenantID{}, nil
+		}
+		return tenantIDFromString(val, "drpc metadata")
+	}
 	val, ok := grpcutil.FastFirstValueFromIncomingContext(ctx, clientTIDMetadataHeaderKey)
 	if !ok {
 		return roachpb.TenantID{}, nil

pkg/rpc/auth_tenant.go

@@ -19,6 +19,7 @@ import (
 	"github.com/cockroachdb/errors"
 	"github.com/cockroachdb/logtags"
 	"google.golang.org/grpc"
+	"storj.io/drpc"
 )
 
 // tenantAuthorizer authorizes RPCs sent by tenants to a node's tenant RPC
@@ -573,3 +574,19 @@ func (ss *wrappedServerStream) Context() context.Context {
 func (ss *wrappedServerStream) RecvMsg(m interface{}) error {
 	return ss.recv(m)
 }
+
+type wrappedDRPCServerStream struct {
+	drpc.Stream
+	ctx  context.Context
+	recv func(m drpc.Message, enc drpc.Encoding) error
+}
+
+// Context overrides the nested stream.Context().
+func (s *wrappedDRPCServerStream) Context() context.Context {
+	return s.ctx
+}
+
+// MsgRecv overrides the nested stream.MsgRecv().
+func (s *wrappedDRPCServerStream) MsgRecv(m drpc.Message, enc drpc.Encoding) error {
+	return s.recv(m, enc)
+}