fix(rpc/flipt): implement Requester for evaluation data snapshot

internal/server/authz/middleware/grpc/middleware.go

@@ -90,21 +90,21 @@ func AuthorizationRequiredInterceptor(logger *zap.Logger, policyVerifier authz.V
 			return ctx, errUnauthorized
 		}
 
-		request := requester.Request()
-
-		allowed, err := policyVerifier.IsAllowed(ctx, map[string]interface{}{
-			"request":        request,
-			"authentication": auth,
-		})
-
-		if err != nil {
-			logger.Error("unauthorized", zap.Error(err))
-			return ctx, errUnauthorized
-		}
-
-		if !allowed {
-			logger.Error("unauthorized", zap.String("reason", "permission denied"))
-			return ctx, errUnauthorized
+		for _, request := range requester.Request() {
+			allowed, err := policyVerifier.IsAllowed(ctx, map[string]interface{}{
+				"request":        request,
+				"authentication": auth,
+			})
+
+			if err != nil {
+				logger.Error("unauthorized", zap.Error(err))
+				return ctx, errUnauthorized
+			}
+
+			if !allowed {
+				logger.Error("unauthorized", zap.String("reason", "permission denied"))
+				return ctx, errUnauthorized
+			}
 		}
 
 		return handler(ctx, req)

internal/server/evaluation/data/server.go

@@ -360,7 +360,3 @@ func (srv *Server) EvaluationSnapshotNamespace(ctx context.Context, r *evaluatio
 
 	return resp, nil
 }
-
-func (srv *Server) SkipsAuthorization(ctx context.Context) bool {
-	return true
-}

internal/server/evaluation/data/server_test.go

@@ -34,8 +34,3 @@ func TestEvaluationSnapshotNamespace(t *testing.T) {
 		store.AssertExpectations(t)
 	})
 }
-
-func Test_Server_SkipsAuthorization(t *testing.T) {
-	server := &Server{}
-	assert.True(t, server.SkipsAuthorization(context.Background()))
-}

internal/server/middleware/grpc/middleware.go

@@ -239,77 +239,78 @@
 // AuditEventUnaryInterceptor captures events and adds them to the trace span to be consumed downstream.
 func AuditEventUnaryInterceptor(logger *zap.Logger, eventPairChecker audit.EventPairChecker) grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-		var request flipt.Request
+		var requests []flipt.Request
 		r, ok := req.(flipt.Requester)
 
 		if !ok {
 			return handler(ctx, req)
 		}
 
-		request = r.Request()
+		requests = r.Request()
 
-		var event *audit.Event
+		var events []*audit.Event
 
 		actor := authn.ActorFromContext(ctx)
 
 		defer func() {
-			if event != nil {
-				eventPair := fmt.Sprintf("%s:%s", event.Type, event.Action)
-
-				exists := eventPairChecker.Check(eventPair)
-				if exists {
-					span := trace.SpanFromContext(ctx)
-					span.AddEvent("event", trace.WithAttributes(event.DecodeToAttributes()...))
+			if events != nil {
+				for _, event := range events {
+					eventPair := fmt.Sprintf("%s:%s", event.Type, event.Action)
+
+					exists := eventPairChecker.Check(eventPair)
+					if exists {
+						span := trace.SpanFromContext(ctx)
+						span.AddEvent("event", trace.WithAttributes(event.DecodeToAttributes()...))
+					}
 				}
 			}
 		}()
 
 		resp, err := handler(ctx, req)
-		if err != nil {
-			var uerr errs.ErrUnauthorized
-			if errors.As(err, &uerr) {
-				request.Status = flipt.StatusDenied
-				event = audit.NewEvent(request, actor, nil)
+		for _, request := range requests {
+			if err != nil {
+				var uerr errs.ErrUnauthorized
+				if errors.As(err, &uerr) {
+					request.Status = flipt.StatusDenied
+					events = append(events, audit.NewEvent(request, actor, nil))
+				}
+
+				continue
+			}
+
+			// Delete and Order request(s) have to be handled separately because they do not
+			// return the concrete type but rather an *empty.Empty response.
+			if request.Action == flipt.ActionDelete {
+				events = append(events, audit.NewEvent(request, actor, r))
+				continue
 			}
-			return resp, err
-		}
 
-		// Delete and Order request(s) have to be handled separately because they do not
-		// return the concrete type but rather an *empty.Empty response.
-		if request.Action == flipt.ActionDelete {
-			event = audit.NewEvent(request, actor, r)
-		} else {
 			switch r := req.(type) {
 			case *flipt.OrderRulesRequest, *flipt.OrderRolloutsRequest:
-				event = audit.NewEvent(request, actor, r)
+				events = append(events, audit.NewEvent(request, actor, r))
+				continue
 			}
-		}
 
-		// Short circuiting the middleware here since we have a non-nil event from
-		// detecting a delete.
-		if event != nil {
-			return resp, err
-		}
-
-		switch r := resp.(type) {
-		case *flipt.Flag:
-			event = audit.NewEvent(request, actor, audit.NewFlag(r))
-		case *flipt.Variant:
-			event = audit.NewEvent(request, actor, audit.NewVariant(r))
-		case *flipt.Segment:
-			event = audit.NewEvent(request, actor, audit.NewSegment(r))
-		case *flipt.Distribution:
-			event = audit.NewEvent(request, actor, audit.NewDistribution(r))
-		case *flipt.Constraint:
-			event = audit.NewEvent(request, actor, audit.NewConstraint(r))
-		case *flipt.Namespace:
-			event = audit.NewEvent(request, actor, audit.NewNamespace(r))
-		case *flipt.Rollout:
-			event = audit.NewEvent(request, actor, audit.NewRollout(r))
-		case *flipt.Rule:
-			event = audit.NewEvent(request, actor, audit.NewRule(r))
-		case *auth.CreateTokenResponse:
-			event = audit.NewEvent(request, actor, r.Authentication.Metadata)
+			switch r := resp.(type) {
+			case *flipt.Flag:
+				events = append(events, audit.NewEvent(request, actor, audit.NewFlag(r)))
+			case *flipt.Variant:
+				events = append(events, audit.NewEvent(request, actor, audit.NewVariant(r)))
+			case *flipt.Segment:
+				events = append(events, audit.NewEvent(request, actor, audit.NewSegment(r)))
+			case *flipt.Distribution:
+				events = append(events, audit.NewEvent(request, actor, audit.NewDistribution(r)))
+			case *flipt.Constraint:
+				events = append(events, audit.NewEvent(request, actor, audit.NewConstraint(r)))
+			case *flipt.Namespace:
+				events = append(events, audit.NewEvent(request, actor, audit.NewNamespace(r)))
+			case *flipt.Rollout:
+				events = append(events, audit.NewEvent(request, actor, audit.NewRollout(r)))
+			case *flipt.Rule:
+				events = append(events, audit.NewEvent(request, actor, audit.NewRule(r)))
+			case *auth.CreateTokenResponse:
+				events = append(events, audit.NewEvent(request, actor, r.Authentication.Metadata))
+			}
 		}
 
 		return resp, err

rpc/flipt/auth/request.go

@@ -4,18 +4,18 @@ import (
 	"go.flipt.io/flipt/rpc/flipt"
 )
 
-func (req *CreateTokenRequest) Request() flipt.Request {
-	return flipt.NewRequest(flipt.ResourceAuthentication, flipt.ActionCreate, flipt.WithSubject(flipt.SubjectToken))
+func (req *CreateTokenRequest) Request() []flipt.Request {
+	return []flipt.Request{flipt.NewRequest(flipt.ResourceAuthentication, flipt.ActionCreate, flipt.WithSubject(flipt.SubjectToken))}
 }
 
-func (req *ListAuthenticationsRequest) Request() flipt.Request {
-	return flipt.NewRequest(flipt.ResourceAuthentication, flipt.ActionRead)
+func (req *ListAuthenticationsRequest) Request() []flipt.Request {
+	return []flipt.Request{flipt.NewRequest(flipt.ResourceAuthentication, flipt.ActionRead)}
 }
 
-func (req *GetAuthenticationRequest) Request() flipt.Request {
-	return flipt.NewRequest(flipt.ResourceAuthentication, flipt.ActionRead)
+func (req *GetAuthenticationRequest) Request() []flipt.Request {
+	return []flipt.Request{flipt.NewRequest(flipt.ResourceAuthentication, flipt.ActionRead)}
 }
 
-func (req *DeleteAuthenticationRequest) Request() flipt.Request {
-	return flipt.NewRequest(flipt.ResourceAuthentication, flipt.ActionDelete)
+func (req *DeleteAuthenticationRequest) Request() []flipt.Request {
+	return []flipt.Request{flipt.NewRequest(flipt.ResourceAuthentication, flipt.ActionDelete)}
 }

rpc/flipt/evaluation/request.go

@@ -0,0 +1,10 @@
+package evaluation
+
+import "go.flipt.io/flipt/rpc/flipt"
+
+func (r *EvaluationNamespaceSnapshotRequest) Request() []flipt.Request {
+	return []flipt.Request{
+		flipt.NewRequest(flipt.ResourceFlag, flipt.ActionRead, flipt.WithNamespace(r.Key)),
+		flipt.NewRequest(flipt.ResourceSegment, flipt.ActionRead, flipt.WithNamespace(r.Key)),
+	}
+}