mirror of
https://github.com/zitadel/zitadel.git
synced 2025-07-11 22:38:31 +00:00
9ebf2316c6
# Which Problems Are Solved The current maintained gRPC server in combination with a REST (grpc) gateway is getting harder and harder to maintain. Additionally, there have been and still are issues with supporting / displaying `oneOf`s correctly. We therefore decided to exchange the server implementation to connectRPC, which apart from supporting connect as protocol, also also "standard" gRCP clients as well as HTTP/1.1 / rest like clients, e.g. curl directly call the server without any additional gateway. # How the Problems Are Solved - All v2 services are moved to connectRPC implementation. (v1 services are still served as pure grpc servers) - All gRPC server interceptors were migrated / copied to a corresponding connectRPC interceptor. - API.ListGrpcServices and API. ListGrpcMethods were changed to include the connect services and endpoints. - gRPC server reflection was changed to a `StaticReflector` using the `ListGrpcServices` list. - The `grpc.Server` interfaces was split into different combinations to be able to handle the different cases (grpc server and prefixed gateway, connect server with grpc gateway, connect server only, ...) - Docs of services serving connectRPC only with no additional gateway (instance, webkey, project, app, org v2 beta) are changed to expose that - since the plugin is not yet available on buf, we download it using `postinstall` hook of the docs # Additional Changes - WebKey service is added as v2 service (in addition to the current v2beta) # Additional Context closes #9483 --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
54 lines
1.7 KiB
Go
54 lines
1.7 KiB
Go
package connect_middleware
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
|
|
"connectrpc.com/connect"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/logstore"
|
|
"github.com/zitadel/zitadel/internal/logstore/record"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
func QuotaExhaustedInterceptor(svc *logstore.Service[*record.AccessLog], ignoreService ...string) connect.UnaryInterceptorFunc {
|
|
for idx, service := range ignoreService {
|
|
if !strings.HasPrefix(service, "/") {
|
|
ignoreService[idx] = "/" + service
|
|
}
|
|
}
|
|
return func(handler connect.UnaryFunc) connect.UnaryFunc {
|
|
return func(ctx context.Context, req connect.AnyRequest) (_ connect.AnyResponse, err error) {
|
|
if !svc.Enabled() {
|
|
return handler(ctx, req)
|
|
}
|
|
interceptorCtx, span := tracing.NewServerInterceptorSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
// The auth interceptor will ensure that only authorized or public requests are allowed.
|
|
// So if there's no authorization context, we don't need to check for limitation
|
|
// Also, we don't limit calls with system user tokens
|
|
ctxData := authz.GetCtxData(ctx)
|
|
if ctxData.IsZero() || ctxData.SystemMemberships != nil {
|
|
return handler(ctx, req)
|
|
}
|
|
|
|
for _, service := range ignoreService {
|
|
if strings.HasPrefix(req.Spec().Procedure, service) {
|
|
return handler(ctx, req)
|
|
}
|
|
}
|
|
|
|
instance := authz.GetInstance(ctx)
|
|
remaining := svc.Limit(interceptorCtx, instance.InstanceID())
|
|
if remaining != nil && *remaining == 0 {
|
|
return nil, zerrors.ThrowResourceExhausted(nil, "QUOTA-vjAy8", "Quota.Access.Exhausted")
|
|
}
|
|
span.End()
|
|
return handler(ctx, req)
|
|
}
|
|
}
|
|
}
|