From e5d308aacdc2456994a443e92a0aa3ca4a05c7b6 Mon Sep 17 00:00:00 2001
From: Dan Fuhry
Date: Sat, 14 Mar 2026 19:37:01 -0400
Subject: [PATCH] [grpc/server] support loading ACLs from ephs

---
 grpc/imports.go | 1 +
 grpc/internal/acl/acl_yaml.go | 14 ++++++++------
 grpc/internal/server/server.go | 26 +++++++++++++++++++-------
 3 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/grpc/imports.go b/grpc/imports.go
index 59a11b5..498fedb 100644
--- a/grpc/imports.go
+++ b/grpc/imports.go
@@ -43,3 +43,4 @@ var PeerIdentity = server.PeerIdentity
 var NewHealthCheckServicer = server.NewHealthCheckServicer
 var SessionFromContext = server.SessionFromContext
 var WithTransport = server.WithTransport
+var WithoutEphsAcl = server.WithoutEphsAcl
diff --git a/grpc/internal/acl/acl_yaml.go b/grpc/internal/acl/acl_yaml.go
index 9fc0591..797c570 100644
--- a/grpc/internal/acl/acl_yaml.go
+++ b/grpc/internal/acl/acl_yaml.go
@@ -52,7 +52,7 @@ var aclSearchPaths = []string{
 	path.Join(constants.SystemConfDir, "grpc"),
 }
 
-func TryLoadAcl(serverId mtls.Identity) ACLChecker {
+func TryLoadAcl(serverId mtls.Identity, enableEphs bool) ACLChecker {
 	logger := log.WithPrefix("ACLChecker")
 	var (
 		fsErr, ephsErr error
@@ -67,11 +67,13 @@ func TryLoadAcl(serverId mtls.Identity) ACLChecker {
 		}
 	}
 
-	if ay, err := loadAclFromEphs(serverId); err == nil {
-		logger.V(1).Infof("loaded ACLs for service %q from ephs", serverId.Name())
-		return ay
-	} else {
-		ephsErr = err
+	if enableEphs {
+		if ay, err := loadAclFromEphs(serverId); err == nil {
+			logger.V(1).Infof("loaded ACLs for service %q from ephs", serverId.Name())
+			return ay
+		} else {
+			ephsErr = err
+		}
 	}
 
 	logger.V(1).Infof(
diff --git a/grpc/internal/server/server.go b/grpc/internal/server/server.go
index 49b273a..726e4e2 100644
--- a/grpc/internal/server/server.go
+++ b/grpc/internal/server/server.go
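Review bot: In the second acl_yaml.go hunk, disabling ephs leaves `ephsErr` nil, so the fall-through log that starts at `logger.V(1).Infof(` and continues past the hunk will presumably report a nil ephs error instead of saying the source was skipped; an `} else { ephsErr = errors.New("ephs ACL loading disabled") }` branch on the new `if enableEphs` block (adding the `errors` import if the file lacks it) keeps that log useful when neither source supplies an ACL. The moved `if ... err == nil { return ay } else { ephsErr = err }` now sits two levels deep; `ay, err := loadAclFromEphs(serverId)` followed by `if err == nil { ...; return ay }` and a plain `ephsErr = err` keeps the happy path flat. TryLoadAcl is exported and now takes a bare bool yet has no doc comment; `// TryLoadAcl returns an ACL checker for serverId, trying the filesystem search paths first and, when enableEphs is set, ephs as a fallback.` would tell callers what `true` means (the filesystem-first order is inferred from the context lines). The rest of TryLoadAcl, including what it returns when no source loads, is outside these hunks.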
@@ -12,6 +12,13 @@ import (
 	lru "github.com/hashicorp/golang-lru/v2"
 	grpc_quic "go.fuhry.dev/grpc-quic"
 
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/health/grpc_health_v1"
+	"google.golang.org/grpc/peer"
+	"google.golang.org/grpc/status"
+
 	"go.fuhry.dev/runtime/grpc/internal/acl"
 	"go.fuhry.dev/runtime/grpc/internal/common"
 	"go.fuhry.dev/runtime/mtls"
@@ -20,12 +27,6 @@ import (
 	"go.fuhry.dev/runtime/utils/hostname"
 	"go.fuhry.dev/runtime/utils/log"
 	"go.fuhry.dev/runtime/utils/option"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/health/grpc_health_v1"
-	"google.golang.org/grpc/peer"
-	"google.golang.org/grpc/status"
 )
 
 type Server struct {
@@ -35,6 +36,7 @@ type Server struct {
 	port      uint16
 	verifier  mtls.MTLSPeerVerifier
 	acl       acl.ACLChecker
+	aclEphs   bool
 	log       log.Logger
 	sessions  *lru.Cache[string, *session]
 	connFac   common.ConnectionFactory
@@ -50,6 +52,13 @@ func WithTransport(cf common.ConnectionFactory) ServerOption {
 	})
 }
 
+func WithoutEphsAcl() ServerOption {
+	return option.NewOption(func(s *Server) error {
+		s.aclEphs = false
+		return nil
+	})
+}
+
 var defaultPort *uint
 
 func RandomPort() uint {
@@ -95,7 +104,8 @@ func NewGrpcServerWithPort(id mtls.Identity, port uint16, opts ...ServerOption)
 		identity:  id,
 		publisher: pub,
 		port:      port,
-		acl:       acl.TryLoadAcl(id),
+		acl:       nil,
+		aclEphs:   true,
 		verifier:  cv,
 		log:       log.WithPrefix(fmt.Sprintf("grpcServer:%s", id.Name())),
 		sessions:  sessionsLru,
@@ -108,6 +118,8 @@ func NewGrpcServerWithPort(id mtls.Identity, port uint16, opts ...ServerOption)
 		}
 	}
 
+	server.acl = acl.TryLoadAcl(id, server.aclEphs)
+
 	if server.connFac == nil {
 		server.connFac = common.NewDefaultConnectionFactory()
 	}
-- 
2.52.0
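Review bot: In the last server.go hunk, `server.acl = acl.TryLoadAcl(id, server.aclEphs)` is assigned without checking the result, and the literal now seeds `acl: nil`, so if TryLoadAcl can yield a nil checker when neither the filesystem nor ephs supplies one (its tail is outside this patch), the server is built with no ACL and whatever reads `server.acl` at request time (also outside the patch) needs a nil guard, or NewGrpcServerWithPort should fail closed with an error instead of returning such a server. The explicit `acl: nil,` is the zero value anyway and can be dropped, leaving the later assignment as the single place the checker is set. `WithoutEphsAcl` is exported (and re-exported from grpc/imports.go) with no doc comment; `// WithoutEphsAcl disables loading ACLs from ephs, leaving only the filesystem ACL sources.` matches what the acl_yaml.go change does with the flag. The two import hunks (at lines 12 and 20) move the google.golang.org/grpc block into its own group between the third-party and go.fuhry.dev/runtime groups, which is unrelated to ACL loading and would be clearer as a separate commit so the goimports grouping convention stays visible.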