DCS-gRPC · rurounijones · Sep 28, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `GetClients` to `SrsService`, which retrieves a list of units that are connected to SRS and the frequencies they are connected to.
 - Added `SrsConnectEvent` and `SrsDisconnectEvent` events 
 - Added `GetDrawArgumentValue` API for units, which returns the value for drawing. (useful for "hook down", "doors open" checks)
+- Added Authentication Interceptor. This enables authentication on a per client basis.
 
 ### Fixed
 - Fixed `MarkAddEvent`, `MarkChangeEvent` and `MarkRemoveEvent` position

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -65,6 +65,7 @@ time = { version = "0.3", features = ["formatting", "parsing"] }
 tokio.workspace = true
 tokio-stream.workspace = true
 tonic.workspace = true
+tonic-middleware = "0.1.4"
 
 [build-dependencies]
 walkdir = "2.3"

diff --git a/README.md b/README.md
@@ -81,6 +81,15 @@ throughputLimit = 600
 -- Whether the integrity check, meant to spot installation issues, is disabled.
 integrityCheckDisabled = false
 
+-- Whether or not authentication is required
+auth.enabled = false 
+-- Authentication tokens table with client names and their tokens for split tokens. 
+auth.tokens = {
+  -- client => clientName, token => Any token. Advice to use UTF-8 only. Length not limited explicitly 
+  { client = "SomeClient", token = "SomeToken" }, 
+  { client = "SomeClient2", token = "SomeOtherToken" }
+}
+
 -- The default TTS provider to use if a TTS request does not explicitly specify another one.
 tts.defaultProvider = "win"
 

diff --git a/lua/DCS-gRPC/grpc-mission.lua b/lua/DCS-gRPC/grpc-mission.lua
@@ -3,6 +3,7 @@ if not GRPC then
     -- scaffold nested tables to allow direct assignment in config file
     tts = { provider = { gcloud = {}, aws = {}, azure = {}, win = {} } },
     srs = {},
+    auth = {}
   }
 end
 

diff --git a/lua/DCS-gRPC/grpc.lua b/lua/DCS-gRPC/grpc.lua
@@ -21,6 +21,7 @@ if isMissionEnv then
     integrityCheckDisabled = GRPC.integrityCheckDisabled,
     tts = GRPC.tts,
     srs = GRPC.srs,
+    auth = GRPC.auth
   }))
 end
 

diff --git a/lua/Hooks/DCS-gRPC.lua b/lua/Hooks/DCS-gRPC.lua
@@ -9,6 +9,7 @@ local function init()
       -- scaffold nested tables to allow direct assignment in config file
       tts = { provider = { gcloud = {}, aws = {}, azure = {}, win = {} } },
       srs = {},
+      auth = {}
     }
   end
 

diff --git a/src/authentication.rs b/src/authentication.rs
@@ -0,0 +1,39 @@
+use crate::config::AuthConfig;
+use tonic::codegen::http::Request;
+use tonic::transport::Body;
+use tonic::{async_trait, Status};
+use tonic_middleware::RequestInterceptor;
+
+#[derive(Clone)]
+pub struct AuthInterceptor {
+    pub auth_config: AuthConfig,
+}
+
+#[async_trait]
+impl RequestInterceptor for AuthInterceptor {
+    async fn intercept(&self, req: Request<Body>) -> Result<Request<Body>, Status> {
+        if !self.auth_config.enabled {
+            Ok(req)
+        } else {
+            match req.headers().get("X-API-Key").map(|v| v.to_str()) {
+                Some(Ok(token)) => {
+                    let mut client: Option<&String> = None;
+                    for key in &self.auth_config.tokens {
+                        if key.token == token {
+                            client = Some(&key.client);
+                            break;
+                        }
+                    }
+
+                    if client.is_some() {
+                        log::debug!("Authenticated client: {}", client.unwrap());
+                        Ok(req)
+                    } else {
+                        Err(Status::unauthenticated("Unauthenticated"))
+                    }
+                }
+                _ => Err(Status::unauthenticated("Unauthenticated")),
+            }
+        }
+    }
+}
diff --git a/src/config.rs b/src/config.rs
@@ -21,6 +21,7 @@ pub struct Config {
     pub integrity_check_disabled: bool,
     pub tts: Option<TtsConfig>,
     pub srs: Option<SrsConfig>,
+    pub auth: Option<AuthConfig>,
 }
 
 #[derive(Debug, Clone, Default, Deserialize, Serialize)]
@@ -87,6 +88,22 @@ pub struct SrsConfig {
     pub addr: Option<SocketAddr>,
 }
 
+#[derive(Debug, Clone, Default, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct AuthConfig {
+    #[serde(default)]
+    pub enabled: bool,
+    pub tokens: Vec<ApiKey>,
+}
+
+#[derive(Debug, Clone, Default, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ApiKey {
+    #[serde(default)]
+    pub client: String,
+    pub token: String,
+}
+
 fn default_host() -> String {
     String::from("127.0.0.1")
 }

diff --git a/src/lib.rs b/src/lib.rs
@@ -1,6 +1,7 @@
 #![allow(dead_code)]
 #![recursion_limit = "256"]
 
+mod authentication;
 mod config;
 mod fps;
 #[cfg(feature = "hot-reload")]

diff --git a/src/server.rs b/src/server.rs
@@ -3,6 +3,12 @@ use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
 
+use crate::authentication::AuthInterceptor;
+use crate::config::{AuthConfig, Config, SrsConfig, TtsConfig};
+use crate::rpc::{HookRpc, MissionRpc, Srs};
+use crate::shutdown::{Shutdown, ShutdownHandle};
+use crate::srs::SrsClients;
+use crate::stats::Stats;
 use dcs_module_ipc::IPC;
 use futures_util::FutureExt;
 use stubs::atmosphere::v0::atmosphere_service_server::AtmosphereServiceServer;
@@ -25,12 +31,7 @@ use tokio::sync::oneshot::{self, Receiver};
 use tokio::sync::{mpsc, Mutex};
 use tokio::time::sleep;
 use tonic::transport;
-
-use crate::config::{Config, SrsConfig, TtsConfig};
-use crate::rpc::{HookRpc, MissionRpc, Srs};
-use crate::shutdown::{Shutdown, ShutdownHandle};
-use crate::srs::SrsClients;
-use crate::stats::Stats;
+use tonic_middleware::RequestInterceptorLayer;
 
 pub struct Server {
     runtime: Runtime,
@@ -50,6 +51,7 @@ struct ServerState {
     tts_config: TtsConfig,
     srs_config: SrsConfig,
     srs_transmit: Arc<Mutex<mpsc::Receiver<TransmitRequest>>>,
+    auth_config: AuthConfig,
 }
 
 impl Server {
@@ -71,6 +73,7 @@ impl Server {
                 tts_config: config.tts.clone().unwrap_or_default(),
                 srs_config: config.srs.clone().unwrap_or_default(),
                 srs_transmit: Arc::new(Mutex::new(rx)),
+                auth_config: config.auth.clone().unwrap_or_default(),
             },
             srs_transmit: tx,
             shutdown,
@@ -203,6 +206,7 @@ async fn try_run(
         tts_config,
         srs_config,
         srs_transmit,
+        auth_config,
     } = state;
 
     let mut mission_rpc =
@@ -242,7 +246,14 @@ async fn try_run(
         }
     });
 
+    let auth_interceptor = AuthInterceptor {
+        auth_config: auth_config.clone(),
+    };
+
+    log::info!("Authentication enabled: {}", auth_config.enabled);
+
     transport::Server::builder()
+        .layer(RequestInterceptorLayer::new(auth_interceptor.clone()))
         .add_service(AtmosphereServiceServer::new(mission_rpc.clone()))
         .add_service(CoalitionServiceServer::new(mission_rpc.clone()))
         .add_service(ControllerServiceServer::new(mission_rpc.clone()))