cmd/server/server.go - gomodules/twpt-server - Gitiles

 package main

 import (
 	"context"
 	"database/sql"
 	"flag"
 	"fmt"
 	"log"
 	"net"
 	"net/http"
 	"time"

 	"github.com/ReneKroon/ttlcache/v2"
 	_ "github.com/go-sql-driver/mysql"
 	"google.golang.org/api/idtoken"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/reflection"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/proto"

 	pb "gomodules.avm99963.com/twpt-server/api_proto"
 	db "gomodules.avm99963.com/twpt-server/internal/db"
 )

 var (
 	authorizedUsersCacheTime = 15 * time.Minute
 )

 var (
 	port              = flag.Int("port", 10000, "The server port")
 	dbDsn             = flag.String("db", "", "MySQL/MariaDB database data source name (DSN)") // https://github.com/go-sql-driver/mysql#dsn-data-source-name
 	dbConnMaxLifetime = flag.Int("dbConnMaxLifetime", 3*60, "Maximum amount of time a connection to the database may be reused in seconds.")
 	dbMaxOpenConns    = flag.Int("dbMaxOpenConns", 5, "Maximum number of open connections to the database.")
 	dbMaxIdleConns    = flag.Int("dbMaxIdleConns", *dbMaxOpenConns, "Maximum number of connections to the database in the idle connection pool.")
 	jwtAudience       = flag.String("jwtAudience", "", "JWT audience string.")
 )

 type killSwitchServiceServer struct {
 	pb.UnimplementedKillSwitchServiceServer
 	dbPool       *sql.DB
 	jwtValidator *idtoken.Validator
 	cache        ttlcache.SimpleCache
 }

 func newKillSwitchServiceServer() *killSwitchServiceServer {
 	s := &killSwitchServiceServer{}
 	db, err := sql.Open("mysql", *dbDsn)
 	if err != nil {
 		log.Fatalf("unable to open database connection: %v", err)
 	}
 	db.SetConnMaxLifetime(time.Duration(*dbConnMaxLifetime) * time.Second)
 	db.SetMaxOpenConns(*dbMaxOpenConns)
 	db.SetMaxIdleConns(*dbMaxIdleConns)

 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
 	defer cancel()

 	if err := db.PingContext(ctx); err != nil {
 		log.Fatalf("unable to connect to database: %v", err)
 	}

 	s.dbPool = db

 	client := &http.Client{}
 	validator, err := idtoken.NewValidator(context.Background(), idtoken.WithHTTPClient(client))
 	if err != nil {
 		log.Fatalf("unable to start idtoken validator: %v", err)
 	}
 	s.jwtValidator = validator

 	s.cache = ttlcache.NewCache()

 	return s
 }

 func getAuthenticatedUser(s *killSwitchServiceServer, ctx context.Context) (*pb.KillSwitchAuthorizedUser, error) {
 	md, ok := metadata.FromIncomingContext(ctx)
 	if !ok {
 		return nil, status.Errorf(codes.Internal, "getAuthenticatedUser: can't retrieve metadata from incoming request")
 	}

 	authorization := md.Get("authorization")
 	if len(authorization) < 1 {
 		return nil, status.Errorf(codes.Unauthenticated, "Unauthenticated")
 	}

 	token := authorization[0]
 	payload, err := s.jwtValidator.Validate(ctx, token, *jwtAudience)
 	if err != nil {
 		return nil, status.Errorf(codes.Unauthenticated, "getAuthenticatedUser: can't parse or validate idtoken")
 	}

 	var authorizedUsers []*pb.KillSwitchAuthorizedUser
 	var okAssertion bool

 	authorizedUsersInterface, err := s.cache.Get("AuthorizedUsers")
 	if err == nil {
 		authorizedUsers, okAssertion = authorizedUsersInterface.([]*pb.KillSwitchAuthorizedUser)
 	}
 	if err != nil || !okAssertion {
 		freshAuthorizedUsers, err := db.ListAuthorizedUsers(s.dbPool, ctx)
 		if err != nil {
 			log.Printf("getAuthenticatedUser: error while getting authorized users: %v", err)
 			return nil, status.Errorf(codes.Internal, "getAuthenticatedUser: can't get list of authorized users")
 		}
 		s.cache.SetWithTTL("AuthorizedUsers", freshAuthorizedUsers, authorizedUsersCacheTime)
 		authorizedUsers = freshAuthorizedUsers
 	}

 	// Check if the current user is one of the authorized users, and if so return it.
 	for _, u := range authorizedUsers {
 		if u.GetGoogleUid() != "" && u.GetGoogleUid() == payload.Subject {
 			return u, nil
 		}

 		email, emailExists := payload.Claims["email"]
 		emailVerified, emailVerifiedExists := payload.Claims["email_verified"]

 		if u.GetEmail() != "" && emailVerifiedExists && emailExists && emailVerified == true && email == u.GetEmail() {
 			return u, nil
 		}
 	}

 	return nil, status.Errorf(codes.PermissionDenied, "User is not part of the authorized users list.")
 }

 func userHasAccessLevel(requiredLevel pb.KillSwitchAuthorizedUser_AccessLevel, user *pb.KillSwitchAuthorizedUser) bool {
 	return requiredLevel <= user.GetAccessLevel()
 }

 func errorWhenMissingAccess(requiredLevel pb.KillSwitchAuthorizedUser_AccessLevel, user *pb.KillSwitchAuthorizedUser) error {
 	if userHasAccessLevel(requiredLevel, user) {
 		return nil
 	}

 	return status.Errorf(codes.PermissionDenied, "User has lower access level than the action that they are trying to perform.")
 }

 func (s *killSwitchServiceServer) GetKillSwitchStatus(ctx context.Context, req *pb.GetKillSwitchStatusRequest) (*pb.GetKillSwitchStatusResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "Unimplemented method.")
 }

 func (s *killSwitchServiceServer) GetKillSwitchOverview(ctx context.Context, req *pb.GetKillSwitchOverviewRequest) (*pb.GetKillSwitchOverviewResponse, error) {
 	killSwitches, err := db.ListKillSwitches(s.dbPool, ctx)
 	if err != nil {
 		return nil, status.Errorf(codes.Unavailable, err.Error())
 	}
 	res := &pb.GetKillSwitchOverviewResponse{
 		KillSwitches: killSwitches,
 	}
 	return res, nil
 }

 func (s *killSwitchServiceServer) SyncFeatures(ctx context.Context, req *pb.SyncFeaturesRequest) (*pb.SyncFeaturesResponse, error) {
 	// This method requires authentication
 	authenticatedUser, err := getAuthenticatedUser(s, ctx)
 	if err != nil {
 		return nil, err
 	}
 	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser)
 	if err != nil {
 		return nil, err
 	}

 	log.Println("Syncing features...")

 	for _, feature := range req.Features {
 		existingFeature, err := db.GetFeatureByCodename(s.dbPool, ctx, feature.Codename)
 		if err != nil {
 			return nil, status.Errorf(codes.Unavailable, err.Error())
 		}
 		// If the feature didn't exist in the db, add it. Otherwise, update it if applicable.
 		if existingFeature == nil {
 			if err := db.AddFeature(s.dbPool, ctx, feature); err != nil {
 				return nil, status.Error(codes.Unavailable, err.Error())
 			}
 		} else {
 			canonicalExistingFeature := *existingFeature
 			canonicalExistingFeature.Id = 0
 			if !proto.Equal(&canonicalExistingFeature, feature) {
 				if err := db.UpdateFeature(s.dbPool, ctx, existingFeature.Id, feature); err != nil {
 					return nil, status.Error(codes.Unavailable, err.Error())
 				}
 			}
 		}
 	}

 	res := &pb.SyncFeaturesResponse{}
 	return res, nil
 }

 func (s *killSwitchServiceServer) ListFeatures(ctx context.Context, req *pb.ListFeaturesRequest) (*pb.ListFeaturesResponse, error) {
 	features, err := db.ListFeatures(s.dbPool, ctx, req.WithDeprecatedFeatures)
 	if err != nil {
 		return nil, status.Errorf(codes.Unavailable, err.Error())
 	}
 	res := &pb.ListFeaturesResponse{
 		Features: features,
 	}
 	return res, nil
 }

 func (s *killSwitchServiceServer) EnableKillSwitch(ctx context.Context, req *pb.EnableKillSwitchRequest) (*pb.EnableKillSwitchResponse, error) {
 	// This method requires authentication
 	authenticatedUser, err := getAuthenticatedUser(s, ctx)
 	if err != nil {
 		return nil, err
 	}
 	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ACTIVATOR, authenticatedUser)
 	if err != nil {
 		return nil, err
 	}

 	if req.GetKillSwitch().GetFeature().GetId() == 0 {
 		return nil, status.Errorf(codes.InvalidArgument, "feature.id must be set.")
 	}

 	err = db.EnableKillSwitch(s.dbPool, ctx, req.KillSwitch, authenticatedUser)
 	if err != nil {
 		return nil, status.Errorf(codes.Unavailable, err.Error())
 	}
 	res := &pb.EnableKillSwitchResponse{}
 	return res, nil
 }

 func (s *killSwitchServiceServer) DisableKillSwitch(ctx context.Context, req *pb.DisableKillSwitchRequest) (*pb.DisableKillSwitchResponse, error) {
 	// This method requires authentication
 	authenticatedUser, err := getAuthenticatedUser(s, ctx)
 	if err != nil {
 		return nil, err
 	}
 	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ACTIVATOR, authenticatedUser)
 	if err != nil {
 		return nil, err
 	}

 	if req.GetKillSwitchId() == 0 {
 		return nil, status.Errorf(codes.InvalidArgument, "kill_switch_id must be set.")
 	}

 	err = db.DisableKillSwitch(s.dbPool, ctx, req.KillSwitchId, authenticatedUser)
 	if err != nil {
 		return nil, status.Errorf(codes.Unavailable, err.Error())
 	}
 	res := &pb.DisableKillSwitchResponse{}
 	return res, nil
 }

 func (s *killSwitchServiceServer) ListAuthorizedUsers(ctx context.Context, req *pb.ListAuthorizedUsersRequest) (*pb.ListAuthorizedUsersResponse, error) {
 	// This method requires authentication
 	authenticatedUser, err := getAuthenticatedUser(s, ctx)
 	if err != nil {
 		return nil, err
 	}
 	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ACTIVATOR, authenticatedUser)
 	if err != nil {
 		return nil, err
 	}

 	users, err := db.ListAuthorizedUsers(s.dbPool, ctx)
 	if err != nil {
 		return nil, status.Errorf(codes.Unavailable, err.Error())
 	}
 	res := &pb.ListAuthorizedUsersResponse{
 		Users: users,
 	}
 	return res, nil
 }

 func (s *killSwitchServiceServer) AddAuthorizedUser(ctx context.Context, req *pb.AddAuthorizedUserRequest) (*pb.AddAuthorizedUserResponse, error) {
 	// This method requires authentication
 	authenticatedUser, err := getAuthenticatedUser(s, ctx)
 	if err != nil {
 		return nil, err
 	}
 	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser)
 	if err != nil {
 		return nil, err
 	}

 	if req.GetUser().GetGoogleUid() == "" && req.GetUser().GetEmail() == "" {
 		return nil, status.Errorf(codes.InvalidArgument, "At least one of google_uid or email must be set.")
 	}

 	err = db.AddAuthorizedUser(s.dbPool, ctx, req.User, authenticatedUser)
 	if err != nil {
 		return nil, status.Errorf(codes.Unavailable, err.Error())
 	}
 	res := &pb.AddAuthorizedUserResponse{}
 	return res, nil
 }

 func (s *killSwitchServiceServer) UpdateAuthorizedUser(ctx context.Context, req *pb.UpdateAuthorizedUserRequest) (*pb.UpdateAuthorizedUserResponse, error) {
 	// This method requires authentication
 	authenticatedUser, err := getAuthenticatedUser(s, ctx)
 	if err != nil {
 		return nil, err
 	}
 	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser)
 	if err != nil {
 		return nil, err
 	}

 	if req.GetUserId() == 0 {
 		return nil, status.Errorf(codes.InvalidArgument, "user_id must be greater than 0.")
 	}

 	if req.GetUser().GetGoogleUid() == "" && req.GetUser().GetEmail() == "" {
 		return nil, status.Errorf(codes.InvalidArgument, "At least one of google_uid or email must be set.")
 	}

 	err = db.UpdateAuthorizedUser(s.dbPool, ctx, req.UserId, req.User, authenticatedUser)
 	if err != nil {
 		return nil, status.Errorf(codes.Unavailable, err.Error())
 	}
 	res := &pb.UpdateAuthorizedUserResponse{}
 	return res, nil
 }

 func (s *killSwitchServiceServer) DeleteAuthorizedUser(ctx context.Context, req *pb.DeleteAuthorizedUserRequest) (*pb.DeleteAuthorizedUserResponse, error) {
 	// This method requires authentication
 	authenticatedUser, err := getAuthenticatedUser(s, ctx)
 	if err != nil {
 		return nil, err
 	}
 	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser)
 	if err != nil {
 		return nil, err
 	}

 	if req.GetUserId() == 0 {
 		return nil, status.Errorf(codes.InvalidArgument, "user_id must be greater than 0.")
 	}

 	err = db.DeleteAuthorizedUser(s.dbPool, ctx, req.UserId, authenticatedUser)
 	if err != nil {
 		return nil, status.Errorf(codes.Unavailable, err.Error())
 	}
 	res := &pb.DeleteAuthorizedUserResponse{}
 	return res, nil
 }

 func main() {
 	flag.Parse()

 	lis, err := net.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", *port))
 	if err != nil {
 		log.Fatalf("Failed to listen: %v", err)
 	}

 	grpcServer := grpc.NewServer()
 	pb.RegisterKillSwitchServiceServer(grpcServer, newKillSwitchServiceServer())
 	// Register reflection service on gRPC server.
 	reflection.Register(grpcServer)
 	grpcServer.Serve(lis)
 }
	package main

	import (
	"context"
	"database/sql"
	"flag"
	"fmt"
	"log"
	"net"
	"net/http"
	"time"

	"github.com/ReneKroon/ttlcache/v2"
	_ "github.com/go-sql-driver/mysql"
	"google.golang.org/api/idtoken"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/reflection"
	"google.golang.org/grpc/status"
	"google.golang.org/protobuf/proto"

	pb "gomodules.avm99963.com/twpt-server/api_proto"
	db "gomodules.avm99963.com/twpt-server/internal/db"
	)

	var (
	authorizedUsersCacheTime = 15 * time.Minute
	)

	var (
	port = flag.Int("port", 10000, "The server port")
	dbDsn = flag.String("db", "", "MySQL/MariaDB database data source name (DSN)") // https://github.com/go-sql-driver/mysql#dsn-data-source-name
	dbConnMaxLifetime = flag.Int("dbConnMaxLifetime", 3*60, "Maximum amount of time a connection to the database may be reused in seconds.")
	dbMaxOpenConns = flag.Int("dbMaxOpenConns", 5, "Maximum number of open connections to the database.")
	dbMaxIdleConns = flag.Int("dbMaxIdleConns", *dbMaxOpenConns, "Maximum number of connections to the database in the idle connection pool.")
	jwtAudience = flag.String("jwtAudience", "", "JWT audience string.")
	)

	type killSwitchServiceServer struct {
	pb.UnimplementedKillSwitchServiceServer
	dbPool *sql.DB
	jwtValidator *idtoken.Validator
	cache ttlcache.SimpleCache
	}

	func newKillSwitchServiceServer() *killSwitchServiceServer {
	s := &killSwitchServiceServer{}
	db, err := sql.Open("mysql", *dbDsn)
	if err != nil {
	log.Fatalf("unable to open database connection: %v", err)
	}
	db.SetConnMaxLifetime(time.Duration(dbConnMaxLifetime) time.Second)
	db.SetMaxOpenConns(*dbMaxOpenConns)
	db.SetMaxIdleConns(*dbMaxIdleConns)

	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
	defer cancel()

	if err := db.PingContext(ctx); err != nil {
	log.Fatalf("unable to connect to database: %v", err)
	}

	s.dbPool = db

	client := &http.Client{}
	validator, err := idtoken.NewValidator(context.Background(), idtoken.WithHTTPClient(client))
	if err != nil {
	log.Fatalf("unable to start idtoken validator: %v", err)
	}
	s.jwtValidator = validator

	s.cache = ttlcache.NewCache()

	return s
	}

	func getAuthenticatedUser(s killSwitchServiceServer, ctx context.Context) (pb.KillSwitchAuthorizedUser, error) {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
	return nil, status.Errorf(codes.Internal, "getAuthenticatedUser: can't retrieve metadata from incoming request")
	}

	authorization := md.Get("authorization")
	if len(authorization) < 1 {
	return nil, status.Errorf(codes.Unauthenticated, "Unauthenticated")
	}

	token := authorization[0]
	payload, err := s.jwtValidator.Validate(ctx, token, *jwtAudience)
	if err != nil {
	return nil, status.Errorf(codes.Unauthenticated, "getAuthenticatedUser: can't parse or validate idtoken")
	}

	var authorizedUsers []*pb.KillSwitchAuthorizedUser
	var okAssertion bool

	authorizedUsersInterface, err := s.cache.Get("AuthorizedUsers")
	if err == nil {
	authorizedUsers, okAssertion = authorizedUsersInterface.([]*pb.KillSwitchAuthorizedUser)
	}
	if err != nil \|\| !okAssertion {
	freshAuthorizedUsers, err := db.ListAuthorizedUsers(s.dbPool, ctx)
	if err != nil {
	log.Printf("getAuthenticatedUser: error while getting authorized users: %v", err)
	return nil, status.Errorf(codes.Internal, "getAuthenticatedUser: can't get list of authorized users")
	}
	s.cache.SetWithTTL("AuthorizedUsers", freshAuthorizedUsers, authorizedUsersCacheTime)
	authorizedUsers = freshAuthorizedUsers
	}

	// Check if the current user is one of the authorized users, and if so return it.
	for _, u := range authorizedUsers {
	if u.GetGoogleUid() != "" && u.GetGoogleUid() == payload.Subject {
	return u, nil
	}

	email, emailExists := payload.Claims["email"]
	emailVerified, emailVerifiedExists := payload.Claims["email_verified"]

	if u.GetEmail() != "" && emailVerifiedExists && emailExists && emailVerified == true && email == u.GetEmail() {
	return u, nil
	}
	}

	return nil, status.Errorf(codes.PermissionDenied, "User is not part of the authorized users list.")
	}

	func userHasAccessLevel(requiredLevel pb.KillSwitchAuthorizedUser_AccessLevel, user *pb.KillSwitchAuthorizedUser) bool {
	return requiredLevel <= user.GetAccessLevel()
	}

	func errorWhenMissingAccess(requiredLevel pb.KillSwitchAuthorizedUser_AccessLevel, user *pb.KillSwitchAuthorizedUser) error {
	if userHasAccessLevel(requiredLevel, user) {
	return nil
	}

	return status.Errorf(codes.PermissionDenied, "User has lower access level than the action that they are trying to perform.")
	}

	func (s killSwitchServiceServer) GetKillSwitchStatus(ctx context.Context, req pb.GetKillSwitchStatusRequest) (*pb.GetKillSwitchStatusResponse, error) {
	return nil, status.Errorf(codes.Unimplemented, "Unimplemented method.")
	}

	func (s killSwitchServiceServer) GetKillSwitchOverview(ctx context.Context, req pb.GetKillSwitchOverviewRequest) (*pb.GetKillSwitchOverviewResponse, error) {
	killSwitches, err := db.ListKillSwitches(s.dbPool, ctx)
	if err != nil {
	return nil, status.Errorf(codes.Unavailable, err.Error())
	}
	res := &pb.GetKillSwitchOverviewResponse{
	KillSwitches: killSwitches,
	}
	return res, nil
	}

	func (s killSwitchServiceServer) SyncFeatures(ctx context.Context, req pb.SyncFeaturesRequest) (*pb.SyncFeaturesResponse, error) {
	// This method requires authentication
	authenticatedUser, err := getAuthenticatedUser(s, ctx)
	if err != nil {
	return nil, err
	}
	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser)
	if err != nil {
	return nil, err
	}

	log.Println("Syncing features...")

	for _, feature := range req.Features {
	existingFeature, err := db.GetFeatureByCodename(s.dbPool, ctx, feature.Codename)
	if err != nil {
	return nil, status.Errorf(codes.Unavailable, err.Error())
	}
	// If the feature didn't exist in the db, add it. Otherwise, update it if applicable.
	if existingFeature == nil {
	if err := db.AddFeature(s.dbPool, ctx, feature); err != nil {
	return nil, status.Error(codes.Unavailable, err.Error())
	}
	} else {
	canonicalExistingFeature := *existingFeature
	canonicalExistingFeature.Id = 0
	if !proto.Equal(&canonicalExistingFeature, feature) {
	if err := db.UpdateFeature(s.dbPool, ctx, existingFeature.Id, feature); err != nil {
	return nil, status.Error(codes.Unavailable, err.Error())
	}
	}
	}
	}

	res := &pb.SyncFeaturesResponse{}
	return res, nil
	}

	func (s killSwitchServiceServer) ListFeatures(ctx context.Context, req pb.ListFeaturesRequest) (*pb.ListFeaturesResponse, error) {
	features, err := db.ListFeatures(s.dbPool, ctx, req.WithDeprecatedFeatures)
	if err != nil {
	return nil, status.Errorf(codes.Unavailable, err.Error())
	}
	res := &pb.ListFeaturesResponse{
	Features: features,
	}
	return res, nil
	}

	func (s killSwitchServiceServer) EnableKillSwitch(ctx context.Context, req pb.EnableKillSwitchRequest) (*pb.EnableKillSwitchResponse, error) {
	// This method requires authentication
	authenticatedUser, err := getAuthenticatedUser(s, ctx)
	if err != nil {
	return nil, err
	}
	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ACTIVATOR, authenticatedUser)
	if err != nil {
	return nil, err
	}

	if req.GetKillSwitch().GetFeature().GetId() == 0 {
	return nil, status.Errorf(codes.InvalidArgument, "feature.id must be set.")
	}

	err = db.EnableKillSwitch(s.dbPool, ctx, req.KillSwitch, authenticatedUser)
	if err != nil {
	return nil, status.Errorf(codes.Unavailable, err.Error())
	}
	res := &pb.EnableKillSwitchResponse{}
	return res, nil
	}

	func (s killSwitchServiceServer) DisableKillSwitch(ctx context.Context, req pb.DisableKillSwitchRequest) (*pb.DisableKillSwitchResponse, error) {
	// This method requires authentication
	authenticatedUser, err := getAuthenticatedUser(s, ctx)
	if err != nil {
	return nil, err
	}
	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ACTIVATOR, authenticatedUser)
	if err != nil {
	return nil, err
	}

	if req.GetKillSwitchId() == 0 {
	return nil, status.Errorf(codes.InvalidArgument, "kill_switch_id must be set.")
	}

	err = db.DisableKillSwitch(s.dbPool, ctx, req.KillSwitchId, authenticatedUser)
	if err != nil {
	return nil, status.Errorf(codes.Unavailable, err.Error())
	}
	res := &pb.DisableKillSwitchResponse{}
	return res, nil
	}

	func (s killSwitchServiceServer) ListAuthorizedUsers(ctx context.Context, req pb.ListAuthorizedUsersRequest) (*pb.ListAuthorizedUsersResponse, error) {
	// This method requires authentication
	authenticatedUser, err := getAuthenticatedUser(s, ctx)
	if err != nil {
	return nil, err
	}
	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ACTIVATOR, authenticatedUser)
	if err != nil {
	return nil, err
	}

	users, err := db.ListAuthorizedUsers(s.dbPool, ctx)
	if err != nil {
	return nil, status.Errorf(codes.Unavailable, err.Error())
	}
	res := &pb.ListAuthorizedUsersResponse{
	Users: users,
	}
	return res, nil
	}

	func (s killSwitchServiceServer) AddAuthorizedUser(ctx context.Context, req pb.AddAuthorizedUserRequest) (*pb.AddAuthorizedUserResponse, error) {
	// This method requires authentication
	authenticatedUser, err := getAuthenticatedUser(s, ctx)
	if err != nil {
	return nil, err
	}
	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser)
	if err != nil {
	return nil, err
	}

	if req.GetUser().GetGoogleUid() == "" && req.GetUser().GetEmail() == "" {
	return nil, status.Errorf(codes.InvalidArgument, "At least one of google_uid or email must be set.")
	}

	err = db.AddAuthorizedUser(s.dbPool, ctx, req.User, authenticatedUser)
	if err != nil {
	return nil, status.Errorf(codes.Unavailable, err.Error())
	}
	res := &pb.AddAuthorizedUserResponse{}
	return res, nil
	}

	func (s killSwitchServiceServer) UpdateAuthorizedUser(ctx context.Context, req pb.UpdateAuthorizedUserRequest) (*pb.UpdateAuthorizedUserResponse, error) {
	// This method requires authentication
	authenticatedUser, err := getAuthenticatedUser(s, ctx)
	if err != nil {
	return nil, err
	}
	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser)
	if err != nil {
	return nil, err
	}

	if req.GetUserId() == 0 {
	return nil, status.Errorf(codes.InvalidArgument, "user_id must be greater than 0.")
	}

	if req.GetUser().GetGoogleUid() == "" && req.GetUser().GetEmail() == "" {
	return nil, status.Errorf(codes.InvalidArgument, "At least one of google_uid or email must be set.")
	}

	err = db.UpdateAuthorizedUser(s.dbPool, ctx, req.UserId, req.User, authenticatedUser)
	if err != nil {
	return nil, status.Errorf(codes.Unavailable, err.Error())
	}
	res := &pb.UpdateAuthorizedUserResponse{}
	return res, nil
	}

	func (s killSwitchServiceServer) DeleteAuthorizedUser(ctx context.Context, req pb.DeleteAuthorizedUserRequest) (*pb.DeleteAuthorizedUserResponse, error) {
	// This method requires authentication
	authenticatedUser, err := getAuthenticatedUser(s, ctx)
	if err != nil {
	return nil, err
	}
	err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser)
	if err != nil {
	return nil, err
	}

	if req.GetUserId() == 0 {
	return nil, status.Errorf(codes.InvalidArgument, "user_id must be greater than 0.")
	}

	err = db.DeleteAuthorizedUser(s.dbPool, ctx, req.UserId, authenticatedUser)
	if err != nil {
	return nil, status.Errorf(codes.Unavailable, err.Error())
	}
	res := &pb.DeleteAuthorizedUserResponse{}
	return res, nil
	}

	func main() {
	flag.Parse()

	lis, err := net.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", *port))
	if err != nil {
	log.Fatalf("Failed to listen: %v", err)
	}

	grpcServer := grpc.NewServer()
	pb.RegisterKillSwitchServiceServer(grpcServer, newKillSwitchServiceServer())
	// Register reflection service on gRPC server.
	reflection.Register(grpcServer)
	grpcServer.Serve(lis)
	}