specify admin-only api auth better where needed

iot_config/src/admin_service.rs

@@ -49,7 +49,11 @@ impl AdminService {
         })
     }
 
-    fn verify_request_signature<R>(&self, signer: &PublicKey, request: &R) -> Result<(), Status>
+    fn verify_admin_request_signature<R>(
+        &self,
+        signer: &PublicKey,
+        request: &R,
+    ) -> Result<(), Status>
     where
         R: MsgVerify,
     {
@@ -59,6 +63,16 @@ impl AdminService {
         Ok(())
     }
 
+    fn verify_request_signature<R>(&self, signer: &PublicKey, request: &R) -> Result<(), Status>
+    where
+        R: MsgVerify,
+    {
+        self.auth_cache
+            .verify_signature(signer, request)
+            .map_err(|_| Status::permission_denied("invalid request signature"))?;
+        Ok(())
+    }
+
     fn verify_network(&self, public_key: PublicKey) -> Result<PublicKey, Status> {
         if self.required_network == public_key.network {
             Ok(public_key)
@@ -91,7 +105,7 @@ impl iot_config::Admin for AdminService {
         let request = request.into_inner();
 
         let signer = self.verify_public_key(&request.signer)?;
-        self.verify_request_signature(&signer, &request)?;
+        self.verify_admin_request_signature(&signer, &request)?;
 
         let key_type = request.key_type().into();
         let pubkey = self
@@ -137,7 +151,7 @@ impl iot_config::Admin for AdminService {
         let request = request.into_inner();
 
         let signer = self.verify_public_key(&request.signer)?;
-        self.verify_request_signature(&signer, &request)?;
+        self.verify_admin_request_signature(&signer, &request)?;
 
         admin::remove_key(request.pubkey.clone().into(), &self.pool)
             .and_then(|deleted| async move {
@@ -177,7 +191,7 @@ impl iot_config::Admin for AdminService {
         let request = request.into_inner();
 
         let signer = self.verify_public_key(&request.signer)?;
-        self.verify_request_signature(&signer, &request)?;
+        self.verify_admin_request_signature(&signer, &request)?;
 
         let region = request.region();
 

iot_config/src/org_service.rs

@@ -60,7 +60,7 @@ impl OrgService {
             .map_err(|_| Status::invalid_argument(format!("invalid public key: {bytes:?}")))
     }
 
-    async fn verify_request_signature<R>(
+    fn verify_admin_request_signature<R>(
         &self,
         signer: &PublicKey,
         request: &R,
@@ -74,6 +74,16 @@ impl OrgService {
         Ok(())
     }
 
+    fn verify_request_signature<R>(&self, signer: &PublicKey, request: &R) -> Result<(), Status>
+    where
+        R: MsgVerify,
+    {
+        self.auth_cache
+            .verify_signature(signer, request)
+            .map_err(|_| Status::permission_denied("invalid request signature"))?;
+        Ok(())
+    }
+
     fn sign_response<R>(&self, response: &R) -> Result<Vec<u8>, Status>
     where
         R: Message,
@@ -147,7 +157,7 @@ impl iot_config::Org for OrgService {
         let request = request.into_inner();
 
         let signer = self.verify_public_key(&request.signer)?;
-        self.verify_request_signature(&signer, &request).await?;
+        self.verify_admin_request_signature(&signer, &request)?;
 
         let mut verify_keys: Vec<&[u8]> = vec![request.owner.as_ref(), request.payer.as_ref()];
         let mut verify_delegates: Vec<&[u8]> = request
@@ -219,7 +229,7 @@ impl iot_config::Org for OrgService {
         let request = request.into_inner();
 
         let signer = self.verify_public_key(&request.signer)?;
-        self.verify_request_signature(&signer, &request).await?;
+        self.verify_admin_request_signature(&signer, &request)?;
 
         let mut verify_keys: Vec<&[u8]> = vec![request.owner.as_ref(), request.payer.as_ref()];
         let mut verify_delegates: Vec<&[u8]> = request
@@ -286,7 +296,7 @@ impl iot_config::Org for OrgService {
         let request = request.into_inner();
 
         let signer = self.verify_public_key(&request.signer)?;
-        self.verify_request_signature(&signer, &request).await?;
+        self.verify_request_signature(&signer, &request)?;
 
         if !org::is_locked(request.oui, &self.pool)
             .await
@@ -351,7 +361,7 @@ impl iot_config::Org for OrgService {
         let request = request.into_inner();
 
         let signer = self.verify_public_key(&request.signer)?;
-        self.verify_request_signature(&signer, &request).await?;
+        self.verify_request_signature(&signer, &request)?;
 
         if org::is_locked(request.oui, &self.pool)
             .await