Validate kt-query config has authorized-headers set

cmd/internal/config/config.go

@@ -188,6 +188,9 @@ func Read(filename string) (*Config, error) {
 		if parsed.KtQueryServiceConfig.ServerAddr == "" {
 			return nil, fmt.Errorf("field not provided for service kt-query: server-addr")
 		}
+		if parsed.KtQueryServiceConfig.AuthorizedHeaders == nil || len(parsed.KtQueryServiceConfig.AuthorizedHeaders) == 0 {
+			return nil, fmt.Errorf("field not provided for service kt-query: authorized-headers")
+		}
 		if parsed.APIConfig.MinimumSearchDelay == 0 {
 			return nil, fmt.Errorf("field not provided for service kt-query: min-search-delay")
 		}

cmd/kt-server/main.go

@@ -146,9 +146,11 @@ func main() {
 		})
 
 		// Register kt query server
-		ktQueryServer := grpc.NewServer(getServerOptions(config.KtQueryServiceConfig, []grpc.UnaryServerInterceptor{
-			grpc_recovery.UnaryServerInterceptor(logPanicOpt),
-		})...)
+		ktQueryServer := grpc.NewServer(
+			grpc.ChainUnaryInterceptor(
+				validateAuthorizedHeadersInterceptor(config.KtQueryServiceConfig),
+				grpc_recovery.UnaryServerInterceptor(logPanicOpt)),
+		)
 		pb.RegisterKeyTransparencyQueryServiceServer(ktQueryServer, ktQueryHandler)
 
 		util.Log().Infof("Starting kt-query server at: %v", config.KtQueryServiceConfig.ServerAddr)
@@ -243,11 +245,12 @@ func main() {
 			util.Log().Fatalf("Failed to create listener for kt server: %v", err)
 		}
 
-		ktServer := grpc.NewServer(getServerOptions(config.KtServiceConfig, []grpc.UnaryServerInterceptor{
-			// Downstream interceptors expect the auditor name to be stored in the context, so this interceptor must
-			// be listed first.
+		ktServer := grpc.NewServer(grpc.ChainUnaryInterceptor(
+			// storeAuditorNameInterceptor depends on the matched header value set by
+			// validateAuthorizedHeadersInterceptor, so order is important here.
+			validateAuthorizedHeadersInterceptor(ktServiceConfig),
 			storeAuditorNameInterceptor(config.KtServiceConfig),
-			grpcServiceNameMetricsInterceptor()})...)
+			grpcServiceNameMetricsInterceptor()))
 		pb.RegisterKeyTransparencyServiceServer(ktServer, ktHandler)
 		pb.RegisterKeyTransparencyAuditorServiceServer(ktServer, ktHandler)
 
@@ -274,7 +277,8 @@ func main() {
 			util.Log().Fatalf("Failed to create listener for kt test server: %v", err)
 		}
 
-		ktTestServer := grpc.NewServer(getServerOptions(config.KtTestServiceConfig, nil)...)
+		ktTestServer := grpc.NewServer(grpc.ChainUnaryInterceptor(
+			validateAuthorizedHeadersInterceptor(ktTestServiceConfig)))
 		pb.RegisterKeyTransparencyTestServiceServer(ktTestServer, updateHandler)
 		util.Log().Infof("Starting kt test server at: %v", ktTestServiceConfig.ServerAddr)
 		healthCheck.SetServingStatus(readiness, healthpb.HealthCheckResponse_SERVING)

cmd/kt-server/test_config.yaml

@@ -10,6 +10,10 @@ kt:
 
 kt-query:
   server-addr: localhost:8080
+  authorized-headers:
+    ExampleHeader1:
+      - example value one
+      - example value two
 
 kt-test:
   server-addr: localhost:8081

cmd/kt-server/util.go

@@ -50,12 +50,11 @@ func createDistinctValue(value []byte) []byte {
 	return distinctValue
 }
 
-func getServerOptions(config *config.ServiceConfig, additionalInterceptors []grpc.UnaryServerInterceptor) []grpc.ServerOption {
-	if config.AuthorizedHeaders == nil || len(config.AuthorizedHeaders) == 0 {
-		return nil
-	}
-
-	interceptors := []grpc.UnaryServerInterceptor{func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp any, err error) {
+func validateAuthorizedHeadersInterceptor(config *config.ServiceConfig) func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp any, err error) {
+	return func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp any, err error) {
+		if config.AuthorizedHeaders == nil || len(config.AuthorizedHeaders) == 0 {
+			return handler(ctx, req)
+		}
 		md, ok := metadata.FromIncomingContext(ctx)
 		if !ok {
 			return nil, status.Error(codes.Unavailable, "metadata read error")
@@ -70,14 +69,6 @@ func getServerOptions(config *config.ServiceConfig, additionalInterceptors []grp
 		ctx = context.WithValue(ctx, HeaderValueContextKey, matchedHeaderValue)
 
 		return handler(ctx, req)
-	}}
-
-	if len(additionalInterceptors) > 0 {
-		interceptors = append(interceptors, additionalInterceptors...)
-	}
-
-	return []grpc.ServerOption{
-		grpc.ChainUnaryInterceptor(interceptors...),
 	}
 }