@lumjjb
Last active July 9, 2021 18:34
diff --git a/pkg/server/endpoints/config.go b/pkg/server/endpoints/config.go
index 1263d1c3..dfab306f 100644
--- a/pkg/server/endpoints/config.go
+++ b/pkg/server/endpoints/config.go
@@ -74,12 +74,11 @@ type Config struct {
func (c *Config) makeOldAPIServers() OldAPIServers {
registrationHandler := &registration.Handler{
- Log: c.Log.WithField(telemetry.SubsystemName, telemetry.RegistrationAPI),
- Metrics: c.Metrics,
- Catalog: c.Catalog,
- TrustDomain: c.TrustDomain,
- ServerCA: c.ServerCA,
- PolicyEngine: c.PolicyEngine,
+ Log: c.Log.WithField(telemetry.SubsystemName, telemetry.RegistrationAPI),
+ Metrics: c.Metrics,
+ Catalog: c.Catalog,
+ TrustDomain: c.TrustDomain,
+ ServerCA: c.ServerCA,
}
return OldAPIServers{
diff --git a/pkg/server/endpoints/registration/handler.go b/pkg/server/endpoints/registration/handler.go
index 8d95d4d8..a61ca97a 100644
--- a/pkg/server/endpoints/registration/handler.go
+++ b/pkg/server/endpoints/registration/handler.go
@@ -13,7 +13,6 @@ import (
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/pkg/common/auth"
"github.com/spiffe/spire/pkg/common/idutil"
- "github.com/spiffe/spire/pkg/common/policy"
"github.com/spiffe/spire/pkg/common/selector"
"github.com/spiffe/spire/pkg/common/telemetry"
telemetry_common "github.com/spiffe/spire/pkg/common/telemetry/common"
@@ -41,12 +40,11 @@ const defaultListEntriesPageSize = 50
type Handler struct {
registration.UnsafeRegistrationServer
- Log logrus.FieldLogger
- Metrics telemetry.Metrics
- Catalog catalog.Catalog
- TrustDomain spiffeid.TrustDomain
- ServerCA ca.ServerCA
- PolicyEngine *policy.Engine
+ Log logrus.FieldLogger
+ Metrics telemetry.Metrics
+ Catalog catalog.Catalog
+ TrustDomain spiffeid.TrustDomain
+ ServerCA ca.ServerCA
}
// CreateEntry creates an entry in the Registration table,
@@ -830,14 +828,13 @@ func (h *Handler) prepareRegistrationEntry(entry *common.RegistrationEntry, forU
return entry, nil
}
-func (h *Handler) AuthorizeCall(ctx context.Context, req interface{}, fullMethod string) (_ context.Context, err error) {
+func (h *Handler) AuthorizeCall(ctx context.Context, fullMethod string) (_ context.Context, err error) {
// For the time being, authorization is not per-method. In other words, all or nothing.
- fmt.Println("In AuthorizeCall")
counter := telemetry_registrationapi.StartAuthorizeCall(h.Metrics, fullMethod)
defer counter.Done(&err)
log := h.Log.WithField(telemetry.Method, fullMethod)
- callerID, err := authorizeCaller(ctx, h.getDataStore(), h.PolicyEngine, req, fullMethod)
+ callerID, err := authorizeCaller(ctx, h.getDataStore())
if err != nil {
log.WithError(err).Error("Failed to authorize caller")
return nil, err
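Review bot: AuthorizeCall is exported and has no doc comment, and the signature change is a good moment to add one; something like `// AuthorizeCall authorizes the peer found in ctx for fullMethod; fullMethod is used only for metrics and logging, since authorization is currently all-or-nothing.` would document what the in-body comment already says. The body continues outside the hunk, so what the returned context carries cannot be confirmed here, but from withCallerID later in the file it presumably wraps the caller ID. Separately, this hunk and the later ones drop every `fmt.Println` and the `errors.New` call in allowRequest while the import hunk removes only `policy`; if handler.go has no remaining uses of `fmt` or `errors`, the file will not build, so worth confirming the import block.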
@@ -878,9 +875,7 @@ func getSpiffeIDFromCert(cert *x509.Certificate) (string, error) {
return spiffeID.String(), nil
}
-func authorizeCaller(ctx context.Context, ds datastore.DataStore, policyEngine *policy.Engine, req interface{}, fullMethod string) (spiffeID string, err error) {
- fmt.Println("authorizeCaller")
-
+func authorizeCaller(ctx context.Context, ds datastore.DataStore) (spiffeID string, err error) {
ctxPeer, ok := peer.FromContext(ctx)
if !ok {
return "", status.Error(codes.PermissionDenied, "no peer information for caller")
@@ -907,31 +902,21 @@ func authorizeCaller(ctx context.Context, ds datastore.DataStore, policyEngine *
// The caller came over UDS and is therefore authorized but does not
// provide a spiffeID. The file permissions on the UDS are restricted to
// processes belonging to the same user or group as the server.
- fmt.Println("in UDS auth")
-
+ return "", nil
default:
// The caller came over an unknown transport
return "", status.Errorf(codes.PermissionDenied, "unsupported peer auth info type (%T)", authInfo)
}
- if spiffeID == "" {
- if err := allowRequest(ctx, policyEngine, "UDS", req, fullMethod); err != nil {
- return "", nil
- }
- } else {
- resp, err := ds.ListRegistrationEntries(ctx, &datastore.ListRegistrationEntriesRequest{
- BySpiffeID: spiffeID,
- })
- if err != nil {
- return "", err
- }
+ resp, err := ds.ListRegistrationEntries(ctx, &datastore.ListRegistrationEntriesRequest{
+ BySpiffeID: spiffeID,
+ })
+ if err != nil {
+ return "", err
+ }
- for _, entry := range resp.Entries {
- if entry.Admin {
- return spiffeID, nil
- }
- }
- if err := allowRequest(ctx, policyEngine, spiffeID, req, fullMethod); err != nil {
+ for _, entry := range resp.Entries {
+ if entry.Admin {
return spiffeID, nil
}
}
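Review bot: The UDS branch now returns an empty spiffeID with a nil error, and that empty string is the only signal to callers that the peer was accepted on socket file permissions rather than on an admin registration entry; authorizeCaller should state that contract. Suggested doc comment on the function (its signature is in the previous hunk): `// authorizeCaller authorizes the peer in ctx. UDS peers are trusted on the socket's file permissions and yield an empty spiffeID; TLS peers must hold at least one registration entry with Admin set.` With the policy-engine path gone, a TLS caller without an Admin entry falls through to the PermissionDenied return below the hunk, which is the fail-closed behavior one would want after this revert; the handler_test.go hunk only adapts the call signature, so it is worth confirming the test table still covers a non-admin TLS caller being denied.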
@@ -939,28 +924,6 @@ func authorizeCaller(ctx context.Context, ds datastore.DataStore, policyEngine *
return "", status.Errorf(codes.PermissionDenied, "SPIFFE ID %q is not authorized", spiffeID)
}
-func allowRequest(ctx context.Context, policyEngine *policy.Engine, caller string, req interface{}, fullMethod string) error {
- fmt.Println("allowRequest")
- // TODO: remove this
- if policyEngine == nil {
- return nil
- }
- input := policy.Input{
- Caller: caller,
- FullMethod: fullMethod,
- Req: req,
- }
- result, err := policyEngine.Eval(ctx, input)
- if err != nil {
- return err
- }
- if !result.Allow {
- return errors.New("not authorized")
- }
-
- return nil
-}
-
type callerIDKey struct{}
func withCallerID(ctx context.Context, callerID string) context.Context {
diff --git a/pkg/server/endpoints/registration/handler_test.go b/pkg/server/endpoints/registration/handler_test.go
index 14b5bf8f..bd82c9df 100644
--- a/pkg/server/endpoints/registration/handler_test.go
+++ b/pkg/server/endpoints/registration/handler_test.go
@@ -1403,7 +1403,7 @@ func (s *HandlerSuite) TestAuthorizeCall() {
if testCase.Peer != nil {
ctx = peer.NewContext(ctx, testCase.Peer)
}
- ctx, err := handler.AuthorizeCall(ctx, nil, "SOMEMETHOD")
+ ctx, err := handler.AuthorizeCall(ctx, "SOMEMETHOD")
if testCase.Err != "" {
s.requireErrorContains(err, testCase.Err)
s.requireGRPCStatusCode(err, codes.PermissionDenied)