|
| 1 | +// Copyright 2026 Hyperscale. All rights reserved. |
| 2 | +// Use of this source code is governed by a MIT |
| 3 | +// license that can be found in the LICENSE file. |
| 4 | + |
| 5 | +// Command connectrpc-bearer is a runnable ConnectRPC Bearer-token demo. |
| 6 | +// |
| 7 | +// It exposes the gRPC-style health service behind two ConnectRPC interceptors: |
| 8 | +// one authenticates every RPC against a JWT, the other authorizes it against |
| 9 | +// an OAuth2 scope. The process also mints a demo token at start-up. |
| 10 | +// |
| 11 | +// Run: |
| 12 | +// |
| 13 | +// go run ./connectrpc-bearer |
| 14 | +// |
| 15 | +// The server logs a ready-to-use token. Probe it with curl over the Connect |
| 16 | +// protocol: |
| 17 | +// |
| 18 | +// curl -H "Authorization: Bearer <TOKEN>" \ |
| 19 | +// -H "Content-Type: application/json" \ |
| 20 | +// -d '{}' http://localhost:9091/grpc.health.v1.Health/Check |
| 21 | +// |
| 22 | +// Without the token the call fails with connect.CodeUnauthenticated (HTTP |
| 23 | +// 401); with a token that lacks the "health:read" scope it fails with |
| 24 | +// connect.CodePermissionDenied (HTTP 403). |
| 25 | +package main |
| 26 | + |
| 27 | +import ( |
| 28 | + "context" |
| 29 | + "crypto/ed25519" |
| 30 | + "crypto/rand" |
| 31 | + "fmt" |
| 32 | + "log" |
| 33 | + "net" |
| 34 | + "net/http" |
| 35 | + "time" |
| 36 | + |
| 37 | + "connectrpc.com/connect" |
| 38 | + "connectrpc.com/grpchealth" |
| 39 | + "github.com/hyperscale-stack/security" |
| 40 | + "github.com/hyperscale-stack/security/bearer" |
| 41 | + connectrpcsec "github.com/hyperscale-stack/security/connectrpc" |
| 42 | + jwtsec "github.com/hyperscale-stack/security/jwt" |
| 43 | + "github.com/hyperscale-stack/security/voter" |
| 44 | +) |
| 45 | + |
| 46 | +const ( |
| 47 | + issuer = "https://issuer.example" |
| 48 | + audience = "https://connect.example" |
| 49 | + keyID = "demo-key" |
| 50 | + scope = "health:read" |
| 51 | + addr = ":9091" |
| 52 | +) |
| 53 | + |
| 54 | +// minter signs a demo JWT carrying the requested scope. |
| 55 | +type minter func(scope string) (string, error) |
| 56 | + |
| 57 | +// newServer builds the ConnectRPC handler with the security interceptors and |
| 58 | +// returns a token minter sharing the server's signing key. It is separate |
| 59 | +// from main so the end-to-end test can serve it over httptest. |
| 60 | +func newServer() (http.Handler, minter, error) { |
| 61 | + pub, priv, err := ed25519.GenerateKey(rand.Reader) |
| 62 | + if err != nil { |
| 63 | + return nil, nil, fmt.Errorf("generate key: %w", err) |
| 64 | + } |
| 65 | + |
| 66 | + signer := jwtsec.NewSigner(jwtsec.PrivateKey{ |
| 67 | + KeyID: keyID, |
| 68 | + Algorithm: jwtsec.EdDSA, |
| 69 | + Key: priv, |
| 70 | + }) |
| 71 | + |
| 72 | + jwks := jwtsec.NewStaticJWKS([]jwtsec.PublicKey{{ |
| 73 | + KeyID: keyID, |
| 74 | + Algorithm: jwtsec.EdDSA, |
| 75 | + Key: pub, |
| 76 | + }}) |
| 77 | + |
| 78 | + verifier := jwtsec.NewVerifier(jwks, |
| 79 | + jwtsec.WithIssuer(issuer), |
| 80 | + jwtsec.WithAudience(audience), |
| 81 | + ) |
| 82 | + |
| 83 | + engine := security.NewEngine( |
| 84 | + security.NewManager(bearer.NewAuthenticator(jwtsec.BearerVerifier(verifier, nil))), |
| 85 | + bearer.NewExtractor(), |
| 86 | + ) |
| 87 | + |
| 88 | + adm := security.NewAffirmativeDecisionManager(voter.HasScope(scope)) |
| 89 | + |
| 90 | + path, handler := grpchealth.NewHandler( |
| 91 | + grpchealth.NewStaticChecker(grpchealth.HealthV1ServiceName), |
| 92 | + connect.WithInterceptors( |
| 93 | + connectrpcsec.NewAuthenticationInterceptor(engine), |
| 94 | + connectrpcsec.NewAuthorizationInterceptor(adm, []security.Attribute{security.Scope(scope)}), |
| 95 | + ), |
| 96 | + ) |
| 97 | + |
| 98 | + mux := http.NewServeMux() |
| 99 | + mux.Handle(path, handler) |
| 100 | + |
| 101 | + mint := func(grant string) (string, error) { |
| 102 | + now := time.Now() |
| 103 | + |
| 104 | + token, err := signer.Sign(context.Background(), &jwtsec.StandardClaims{ |
| 105 | + Issuer: issuer, |
| 106 | + Subject: "demo-user", |
| 107 | + Audience: jwtsec.Audience{audience}, |
| 108 | + IssuedAt: jwtsec.NewNumericDate(now), |
| 109 | + ExpiresAt: jwtsec.NewNumericDate(now.Add(time.Hour)), |
| 110 | + Scope: grant, |
| 111 | + }) |
| 112 | + if err != nil { |
| 113 | + return "", fmt.Errorf("mint token: %w", err) |
| 114 | + } |
| 115 | + |
| 116 | + return token, nil |
| 117 | + } |
| 118 | + |
| 119 | + return mux, mint, nil |
| 120 | +} |
| 121 | + |
| 122 | +func main() { |
| 123 | + handler, mint, err := newServer() |
| 124 | + if err != nil { |
| 125 | + log.Fatalf("connectrpc-bearer: %v", err) |
| 126 | + } |
| 127 | + |
| 128 | + token, err := mint(scope) |
| 129 | + if err != nil { |
| 130 | + log.Fatalf("connectrpc-bearer: %v", err) |
| 131 | + } |
| 132 | + |
| 133 | + var lc net.ListenConfig |
| 134 | + |
| 135 | + lis, err := lc.Listen(context.Background(), "tcp", addr) //nolint:gosec // G102: demo server, binding to all interfaces is intentional |
| 136 | + if err != nil { |
| 137 | + log.Fatalf("connectrpc-bearer: listen: %v", err) |
| 138 | + } |
| 139 | + |
| 140 | + srv := &http.Server{ |
| 141 | + Handler: handler, |
| 142 | + ReadHeaderTimeout: 5 * time.Second, |
| 143 | + } |
| 144 | + |
| 145 | + log.Printf("connectrpc-bearer: listening on %s", addr) |
| 146 | + log.Printf("connectrpc-bearer: demo token: %s", token) |
| 147 | + log.Fatal(srv.Serve(lis)) |
| 148 | +} |
0 commit comments