diff --git a/.env b/.env index 8984b2f..7341fdb 100644 --- a/.env +++ b/.env @@ -5,3 +5,4 @@ DB_NAMESPACE = "brain" DB_NAME = "migration" CERT_PATH = "./tmp/brain-crt.pem" CERT_KEY_PATH = "./tmp/brain-key.pem" +# ADMIN_PUB_KEYS = "admin_key01, admin_key02, admin_key03" diff --git a/src/constants.rs b/src/constants.rs index c1a3ca1..bc95da8 100644 --- a/src/constants.rs +++ b/src/constants.rs @@ -1,3 +1,5 @@ +use std::sync::LazyLock; + pub const BRAIN_GRPC_ADDR: &str = "0.0.0.0:31337"; pub const CERT_PATH: &str = "/etc/detee/brain/brain-crt.pem"; pub const CERT_KEY_PATH: &str = "/etc/detee/brain/brain-key.pem"; @@ -5,11 +7,18 @@ pub const CONFIG_PATH: &str = "/etc/detee/brain/config.ini"; pub const DB_SCHEMA_FILE: &str = "interim_tables.surql"; -pub const ADMIN_ACCOUNTS: &[&str] = &[ - "x52w7jARC5erhWWK65VZmjdGXzBK6ZDgfv1A283d8XK", - "FHuecMbeC1PfjkW2JKyoicJAuiU7khgQT16QUB3Q1XdL", - "H21Shi4iE7vgfjWEQNvzmpmBMJSaiZ17PYUcdNoAoKNc", -]; +pub static ADMIN_ACCOUNTS: LazyLock> = LazyLock::new(|| { + let default_admin_keys = vec![ + "x52w7jARC5erhWWK65VZmjdGXzBK6ZDgfv1A283d8XK".to_string(), + "FHuecMbeC1PfjkW2JKyoicJAuiU7khgQT16QUB3Q1XdL".to_string(), + "H21Shi4iE7vgfjWEQNvzmpmBMJSaiZ17PYUcdNoAoKNc".to_string(), + ]; + + std::env::var("ADMIN_PUB_KEYS") + .ok() + .map(|keys| keys.split(',').map(|key| key.trim().to_string()).collect::>()) + .unwrap_or(default_admin_keys) +}); pub const OLD_BRAIN_DATA_PATH: &str = "./saved_data.yaml"; diff --git a/src/grpc/mod.rs b/src/grpc/mod.rs index 7833c5b..07bb334 100644 --- a/src/grpc/mod.rs +++ b/src/grpc/mod.rs @@ -166,7 +166,8 @@ pub fn check_admin_key(req: &Request) -> Result<(), Status> { }; let pubkey = pubkey .to_str() - .map_err(|_| Status::unauthenticated("could not parse pubkey metadata to str"))?; + .map_err(|_| Status::unauthenticated("could not parse pubkey metadata to str"))? + .to_owned(); if !ADMIN_ACCOUNTS.contains(&pubkey) { return Err(Status::unauthenticated("This operation is reserved to admin accounts"));