Add capability request access filter to internal StorageAPI RPC method

This should always succeed today, as authz rules by default grant
all capabilities. But since this is a very hot call path, we'll
learn very quickly if the capability check incurs a measurable
overhead; it is not expected to do so in practice (really just a
virtual function call and a few bitwise ops).

1 files changed, 4 insertions, 0 deletions

diff --git a/storage/src/vespa/storage/storageserver/rpc/storage_api_rpc_service.cpp b/storage/src/vespa/storage/storageserver/rpc/storage_api_rpc_service.cpp
index 006193f0c37..41dcafc055a 100644
--- a/storage/src/vespa/storage/storageserver/rpc/storage_api_rpc_service.cpp
+++ b/storage/src/vespa/storage/storageserver/rpc/storage_api_rpc_service.cpp
@@ -5,6 +5,7 @@
 #include "rpc_envelope_proto.h"
 #include "shared_rpc_resources.h"
 #include "storage_api_rpc_service.h"
+#include <vespa/fnet/frt/require_capabilities.h>
 #include <vespa/fnet/frt/supervisor.h>
 #include <vespa/fnet/frt/target.h>
 #include <vespa/slobrok/sbmirror.h>
@@ -54,6 +55,9 @@ StorageApiRpcService::Params::~Params() = default;
 void StorageApiRpcService::register_server_methods(SharedRpcResources& rpc_resources) {
     FRT_ReflectionBuilder rb(&rpc_resources.supervisor());
     rb.DefineMethod(rpc_v1_method_name(), "bixbix", "bixbix", FRT_METHOD(StorageApiRpcService::RPC_rpc_v1_send), this);
+    rb.RequestAccessFilter(std::make_unique<FRT_RequireCapabilities>(vespalib::net::tls::CapabilitySet::of({
+        vespalib::net::tls::Capability::content_storage_api()
+    })));
     rb.MethodDesc("V1 of StorageAPI direct RPC protocol");
     rb.ParamDesc("header_encoding", "0=raw, 6=lz4");
     rb.ParamDesc("header_decoded_size", "Uncompressed header blob size");