zitadel/internal/api/grpc/server/connect_middleware/access_interceptor.go

package connect_middleware

import (
	"context"
	"net/http"
	"time"

	"connectrpc.com/connect"

	"github.com/zitadel/zitadel/internal/api/authz"
	http_util "github.com/zitadel/zitadel/internal/api/http"
	"github.com/zitadel/zitadel/internal/logstore"
	"github.com/zitadel/zitadel/internal/logstore/record"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
)

func AccessStorageInterceptor(svc *logstore.Service[*record.AccessLog]) connect.UnaryInterceptorFunc {
	return func(handler connect.UnaryFunc) connect.UnaryFunc {
		return func(ctx context.Context, req connect.AnyRequest) (_ connect.AnyResponse, err error) {
			if !svc.Enabled() {
				return handler(ctx, req)
			}
			resp, handlerErr := handler(ctx, req)

			interceptorCtx, span := tracing.NewServerInterceptorSpan(ctx)
			defer func() { span.EndWithError(err) }()

			var respStatus uint32
			if code := connect.CodeOf(handlerErr); code != connect.CodeUnknown {
				respStatus = uint32(code)
			}

			respHeader := http.Header{}
			if resp != nil {
				respHeader = resp.Header()
			}
			instance := authz.GetInstance(ctx)
			domainCtx := http_util.DomainContext(ctx)

			r := &record.AccessLog{
				LogDate:         time.Now(),
				Protocol:        record.GRPC,
				RequestURL:      req.Spec().Procedure,
				ResponseStatus:  respStatus,
				RequestHeaders:  req.Header(),
				ResponseHeaders: respHeader,
				InstanceID:      instance.InstanceID(),
				ProjectID:       instance.ProjectID(),
				RequestedDomain: domainCtx.RequestedDomain(),
				RequestedHost:   domainCtx.RequestedHost(),
			}

			svc.Handle(interceptorCtx, r)
			return resp, handlerErr
		}
	}
}
feat: exchange gRPC server implementation to connectRPC (#10145) # Which Problems Are Solved The current maintained gRPC server in combination with a REST (grpc) gateway is getting harder and harder to maintain. Additionally, there have been and still are issues with supporting / displaying `oneOf`s correctly. We therefore decided to exchange the server implementation to connectRPC, which apart from supporting connect as protocol, also also "standard" gRCP clients as well as HTTP/1.1 / rest like clients, e.g. curl directly call the server without any additional gateway. # How the Problems Are Solved - All v2 services are moved to connectRPC implementation. (v1 services are still served as pure grpc servers) - All gRPC server interceptors were migrated / copied to a corresponding connectRPC interceptor. - API.ListGrpcServices and API. ListGrpcMethods were changed to include the connect services and endpoints. - gRPC server reflection was changed to a `StaticReflector` using the `ListGrpcServices` list. - The `grpc.Server` interfaces was split into different combinations to be able to handle the different cases (grpc server and prefixed gateway, connect server with grpc gateway, connect server only, ...) - Docs of services serving connectRPC only with no additional gateway (instance, webkey, project, app, org v2 beta) are changed to expose that - since the plugin is not yet available on buf, we download it using `postinstall` hook of the docs # Additional Changes - WebKey service is added as v2 service (in addition to the current v2beta) # Additional Context closes #9483 --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2025-07-04 10:06:20 -04:00			`package connect_middleware`

			`import (`
			`"context"`
			`"net/http"`
			`"time"`

			`"connectrpc.com/connect"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
			`http_util "github.com/zitadel/zitadel/internal/api/http"`
			`"github.com/zitadel/zitadel/internal/logstore"`
			`"github.com/zitadel/zitadel/internal/logstore/record"`
			`"github.com/zitadel/zitadel/internal/telemetry/tracing"`
			`)`

			`func AccessStorageInterceptor(svc logstore.Service[record.AccessLog]) connect.UnaryInterceptorFunc {`
			`return func(handler connect.UnaryFunc) connect.UnaryFunc {`
			`return func(ctx context.Context, req connect.AnyRequest) (_ connect.AnyResponse, err error) {`
			`if !svc.Enabled() {`
			`return handler(ctx, req)`
			`}`
			`resp, handlerErr := handler(ctx, req)`

			`interceptorCtx, span := tracing.NewServerInterceptorSpan(ctx)`
			`defer func() { span.EndWithError(err) }()`

			`var respStatus uint32`
			`if code := connect.CodeOf(handlerErr); code != connect.CodeUnknown {`
			`respStatus = uint32(code)`
			`}`

			`respHeader := http.Header{}`
			`if resp != nil {`
			`respHeader = resp.Header()`
			`}`
			`instance := authz.GetInstance(ctx)`
			`domainCtx := http_util.DomainContext(ctx)`

			`r := &record.AccessLog{`
			`LogDate: time.Now(),`
			`Protocol: record.GRPC,`
			`RequestURL: req.Spec().Procedure,`
			`ResponseStatus: respStatus,`
			`RequestHeaders: req.Header(),`
			`ResponseHeaders: respHeader,`
			`InstanceID: instance.InstanceID(),`
			`ProjectID: instance.ProjectID(),`
			`RequestedDomain: domainCtx.RequestedDomain(),`
			`RequestedHost: domainCtx.RequestedHost(),`
			`}`

			`svc.Handle(interceptorCtx, r)`
			`return resp, handlerErr`
			`}`
			`}`
			`}`