turul-a2a 0.1.17

A2A Protocol v1.0 server framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139

//! Tower layer that runs the shared `MiddlewareStack` against a tonic
//! server (ADR-007 §3, ADR-014 §2.4).
//!
//! This is a transport adapter only — the authentication *business logic*
//! lives in `crate::middleware::stack::MiddlewareStack` and is shared
//! verbatim with the HTTP path. The two transports differ only in:
//!   * request body type (`tonic::body::Body` vs. `axum::body::Body`)
//!   * error encoding (gRPC status codes with `ErrorInfo` vs. HTTP JSON
//!     error body)
//!
//! On auth success the layer injects a [`RequestContext`] into the HTTP
//! request's extensions; tonic surfaces those same extensions to the
//! service impl via `tonic::Request::extensions()`, so the gRPC adapter
//! reads the authenticated owner through `RequestContext::identity` —
//! exactly like the HTTP handlers do.
//!
//! On auth failure the layer produces a gRPC-formatted response carrying
//! the correct `tonic::Status` code. No `A2aError`, no JSON error body —
//! transport-level auth failures bypass the A2A error model.

use std::sync::Arc;
use std::task::{Context, Poll};

use http::{Request, Response};
use tonic::body::Body;
use tower::{Layer, Service};

use crate::middleware::bearer::extract_bearer_token;
use crate::middleware::context::{AuthIdentity, RequestContext};
use crate::middleware::error::MiddlewareError;
use crate::middleware::stack::MiddlewareStack;

/// Tower layer that wraps a tonic service with the shared middleware stack.
#[derive(Clone)]
pub struct GrpcAuthLayer {
    stack: Arc<MiddlewareStack>,
}

impl GrpcAuthLayer {
    pub fn new(stack: Arc<MiddlewareStack>) -> Self {
        Self { stack }
    }
}

impl<S> Layer<S> for GrpcAuthLayer {
    type Service = GrpcAuthService<S>;

    fn layer(&self, inner: S) -> Self::Service {
        GrpcAuthService {
            inner,
            stack: self.stack.clone(),
        }
    }
}

/// Tower service produced by [`GrpcAuthLayer`].
#[derive(Clone)]
pub struct GrpcAuthService<S> {
    inner: S,
    stack: Arc<MiddlewareStack>,
}

impl<S> Service<Request<Body>> for GrpcAuthService<S>
where
    S: Service<Request<Body>, Response = Response<Body>> + Clone + Send + 'static,
    S::Future: Send,
{
    type Response = Response<Body>;
    type Error = S::Error;
    type Future = std::pin::Pin<
        Box<dyn std::future::Future<Output = Result<Self::Response, Self::Error>> + Send>,
    >;

    fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
        self.inner.poll_ready(cx)
    }

    fn call(&mut self, mut req: Request<Body>) -> Self::Future {
        let stack = self.stack.clone();
        let mut inner = self.inner.clone();

        Box::pin(async move {
            let headers = req.headers().clone();

            // Matches the HTTP layer's "no middleware configured" short
            // circuit — still inject a default RequestContext so handlers
            // can read `identity.owner()` without conditional access.
            if stack.is_empty() {
                req.extensions_mut().insert(RequestContext {
                    bearer_token: None,
                    headers,
                    identity: AuthIdentity::Anonymous,
                    extensions: Default::default(),
                });
                return inner.call(req).await;
            }

            // Same header extraction as the HTTP AuthLayer — tonic
            // metadata surfaces as `http::HeaderMap`, so `authorization`
            // + `x-api-key` arrive at the same keys.
            let bearer_token = headers
                .get(http::header::AUTHORIZATION)
                .and_then(|v| v.to_str().ok())
                .and_then(extract_bearer_token);

            let mut ctx = RequestContext {
                bearer_token,
                headers: headers.clone(),
                identity: AuthIdentity::Anonymous,
                extensions: Default::default(),
            };

            match stack.before_request(&mut ctx).await {
                Ok(()) => {
                    req.extensions_mut().insert(ctx);
                    inner.call(req).await
                }
                Err(err) => Ok(middleware_error_to_grpc_response(&err)),
            }
        })
    }
}

/// Map a `MiddlewareError` to a gRPC-formatted HTTP response.
///
/// Uses `tonic::Status::into_http()` so the response carries proper
/// gRPC trailers (`grpc-status`, `grpc-message`) — `tonic::Status` is
/// the canonical encoding for transport-level auth failure.
fn middleware_error_to_grpc_response(err: &MiddlewareError) -> Response<Body> {
    let message = format!("{err:?}");
    let status = match err {
        MiddlewareError::Unauthenticated(_) | MiddlewareError::HttpChallenge { .. } => {
            tonic::Status::unauthenticated(message)
        }
        MiddlewareError::Forbidden(_) => tonic::Status::permission_denied(message),
        MiddlewareError::Internal(_) => tonic::Status::internal(message),
    };
    status.into_http()
}