admin keys from env

2025-05-06 19:01:29 +05:30 · 2025-05-06 19:01:29 +05:30 · e335cc1b51
commit e335cc1b51
parent 4dfaa3f465
4 changed files with 22 additions and 8 deletions
--- a/.env
+++ b/.env
@ -3,3 +3,5 @@ DB_USER = "root"
 DB_PASS = "root"
 DB_NAMESPACE = "brain"
 DB_NAME = "migration"
+
+# ADMIN_PUB_KEYS = "admin_key01, admin_key02, admin_key03"
--- a/src/constants.rs
+++ b/src/constants.rs
@ -1,14 +1,23 @@
+use std::sync::LazyLock;
+
 pub const BRAIN_GRPC_ADDR: &str = "0.0.0.0:31337";
 pub const CERT_PATH: &str = "./tmp/brain-crt.pem";
 pub const CERT_KEY_PATH: &str = "./tmp/brain-key.pem";

 pub const DB_SCHEMA_FILE: &str = "interim_tables.surql";

-pub const ADMIN_ACCOUNTS: &[&str] = &[
-    "x52w7jARC5erhWWK65VZmjdGXzBK6ZDgfv1A283d8XK",
-    "FHuecMbeC1PfjkW2JKyoicJAuiU7khgQT16QUB3Q1XdL",
-    "H21Shi4iE7vgfjWEQNvzmpmBMJSaiZ17PYUcdNoAoKNc",
-];
+pub static ADMIN_ACCOUNTS: LazyLock<Vec<String>> = LazyLock::new(|| {
+    let default_admin_keys = vec![
+        "x52w7jARC5erhWWK65VZmjdGXzBK6ZDgfv1A283d8XK".to_string(),
+        "FHuecMbeC1PfjkW2JKyoicJAuiU7khgQT16QUB3Q1XdL".to_string(),
+        "H21Shi4iE7vgfjWEQNvzmpmBMJSaiZ17PYUcdNoAoKNc".to_string(),
+    ];
+
+    std::env::var("ADMIN_PUB_KEYS")
+        .ok()
+        .map(|keys| keys.split(',').map(|key| key.trim().to_string()).collect::<Vec<String>>())
+        .unwrap_or(default_admin_keys)
+});

 pub const OLD_BRAIN_DATA_PATH: &str = "./saved_data.yaml";

--- a/src/grpc/mod.rs
+++ b/src/grpc/mod.rs
@ -166,7 +166,8 @@ pub fn check_admin_key<T>(req: &Request<T>) -> Result<(), Status> {
    };
    let pubkey = pubkey
        .to_str()
-        .map_err(|_| Status::unauthenticated("could not parse pubkey metadata to str"))?;
+        .map_err(|_| Status::unauthenticated("could not parse pubkey metadata to str"))?
+        .to_owned();

    if !ADMIN_ACCOUNTS.contains(&pubkey) {
        return Err(Status::unauthenticated("This operation is reserved to admin accounts"));
--- a/src/grpc/vm.rs
+++ b/src/grpc/vm.rs
@ -207,7 +207,9 @@ impl BrainVmCli for VmCliServer {
    async fn new_vm(&self, req: Request<NewVmReq>) -> Result<Response<NewVmResp>, Status> {
        let req = check_sig_from_req(req)?;
        info!("New VM requested via CLI: {req:?}");
-        if db::general::Account::is_banned_by_node(&self.db, &req.admin_pubkey, &req.node_pubkey).await? {
+        if db::general::Account::is_banned_by_node(&self.db, &req.admin_pubkey, &req.node_pubkey)
+            .await?
+        {
            return Err(Status::permission_denied("This operator banned you. What did you do?"));
        }