MPA method-wide mode for sansshell

auth/rpcauth/input.go

@@ -56,6 +56,9 @@ type RPCAuthInput struct {
 	// Information about approvers when using multi-party authentication.
 	Approvers []*PrincipalAuthInput `json:"approvers"`
 
+	// TODO: commentary.
+	ApprovedMethodWideMpa bool `json:"approved-method-wide-mpa"`
+
 	// Information about the environment in which the policy evaluation is
 	// happening.
 	Environment *EnvironmentInput `json:"environment"`

cmd/sanssh/client/client.go

@@ -23,12 +23,13 @@ import (
 	"context"
 	"flag"
 	"fmt"
-	"google.golang.org/grpc/credentials"
 	"io"
 	"os"
 	"path/filepath"
 	"time"
 
+	"google.golang.org/grpc/credentials"
+
 	"github.com/google/subcommands"
 	"google.golang.org/grpc"
 
@@ -78,6 +79,8 @@ type RunState struct {
 	BatchSize int
 	// If true, add an interceptor that performs the multi-party auth flow
 	EnableMPA bool
+	// If true, configure MPA interceptor to request approval method-wide.
+	EnableMethodWideMPA bool
 	// If true, the command is authz dry run and real action should not be executed
 	AuthzDryRun bool
 
@@ -284,8 +287,8 @@ func Run(ctx context.Context, rs RunState) {
 		unaryInterceptors = append(unaryInterceptors, clientAuthz.AuthorizeClient)
 	}
 	if rs.EnableMPA {
-		unaryInterceptors = append(unaryInterceptors, mpahooks.UnaryClientIntercepter())
-		streamInterceptors = append(streamInterceptors, mpahooks.StreamClientIntercepter())
+		unaryInterceptors = append(unaryInterceptors, mpahooks.UnaryClientIntercepter(rs.EnableMethodWideMPA))
+		streamInterceptors = append(streamInterceptors, mpahooks.StreamClientIntercepter(rs.EnableMethodWideMPA))
 	}
 	// timeout interceptor should be the last item in ops so that it's executed first.
 	streamInterceptors = append(streamInterceptors, StreamClientTimeoutInterceptor(rs.IdleTimeout))
@@ -366,8 +369,8 @@ func Run(ctx context.Context, rs RunState) {
 		conn.AuthzDryRun = rs.AuthzDryRun
 
 		if rs.EnableMPA {
-			conn.UnaryInterceptors = []proxy.UnaryInterceptor{mpahooks.ProxyClientUnaryInterceptor(state)}
-			conn.StreamInterceptors = []proxy.StreamInterceptor{mpahooks.ProxyClientStreamInterceptor(state)}
+			conn.UnaryInterceptors = []proxy.UnaryInterceptor{mpahooks.ProxyClientUnaryInterceptor(state, rs.EnableMethodWideMPA)}
+			conn.StreamInterceptors = []proxy.StreamInterceptor{mpahooks.ProxyClientStreamInterceptor(state, rs.EnableMethodWideMPA)}
 		}
 		state.Conn = conn
 		state.Out = output[start:end]

cmd/sanssh/main.go

@@ -89,6 +89,7 @@ If port is blank the default of %d will be used`, proxyEnv, defaultProxyPort))
 	prefixHeader     = flag.Bool("h", false, "If true prefix each line of output with '<index>-<target>: '")
 	batchSize        = flag.Int("batch-size", 0, "If non-zero will perform the proxy->target work in batches of this size (with any remainder done at the end).")
 	mpa              = flag.Bool("mpa", false, "Request multi-party approval for commands. This will create an MPA request, wait for approval, and then execute the command.")
+	methodWideMpa    = flag.Bool("method-wide-mpa", false, "Request multi-party approval for entire method, regardless of the payload.")
 	authzDryRun      = flag.Bool("authz-dry-run", false, "If true, the client will send a request to the server to check if the user has the permission to run the command. The server will respond with a success or failure message.")
 
 	// targets will be bound to --targets for sending a single request to N nodes.
@@ -200,17 +201,18 @@ func main() {
 	}
 
 	rs := client.RunState{
-		Proxy:             *proxyAddr,
-		Targets:           *targetsFlag.Target,
-		Outputs:           *outputsFlag.Target,
-		AuthzDryRun:       *authzDryRun,
-		OutputsDir:        *outputsDir,
-		CredSource:        *credSource,
-		IdleTimeout:       *idleTimeout,
-		ClientAuthzPolicy: clientPolicy,
-		PrefixOutput:      *prefixHeader,
-		BatchSize:         *batchSize,
-		EnableMPA:         *mpa,
+		Proxy:               *proxyAddr,
+		Targets:             *targetsFlag.Target,
+		Outputs:             *outputsFlag.Target,
+		AuthzDryRun:         *authzDryRun,
+		OutputsDir:          *outputsDir,
+		CredSource:          *credSource,
+		IdleTimeout:         *idleTimeout,
+		ClientAuthzPolicy:   clientPolicy,
+		PrefixOutput:        *prefixHeader,
+		BatchSize:           *batchSize,
+		EnableMPA:           *mpa,
+		EnableMethodWideMPA: *methodWideMpa,
 	}
 
 	if *justification != "" {

services/mpa/mpa.proto

@@ -61,6 +61,9 @@ message Action {
   string method = 3;
   // The request protocol buffer.
   google.protobuf.Any message = 4;
+  // Method-wide MPA requested, will ignore `message` and only match request on
+  // `method`.
+  bool method_wide_mpa = 5;
 }
 
 message Principal {
@@ -76,6 +79,9 @@ message StoreRequest {
   string method = 1;
   // The request protocol buffer. 
   google.protobuf.Any message = 2;
+    // Method-wide MPA requested, will ignore `message` and only match request on
+  // `method`.
+  bool method_wide_mpa = 5;
 }
 
 message StoreResponse {