RubyGems - grpc - Versions diffs - 1.31.0.pre1 → 1.33.0.pre1 - Mend

grpc 1.31.0.pre1 → 1.33.0.pre1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (614) hide show

data/src/core/lib/json/json_util.cc ADDED

@@ -0,0 +1,58 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+#include <grpc/support/port_platform.h>
+#include "src/core/lib/json/json_util.h"
+#include <grpc/support/string_util.h>
+#include "src/core/lib/gpr/string.h"
+namespace grpc_core {
+bool ParseDurationFromJson(const Json& field, grpc_millis* duration) {
+  if (field.type() != Json::Type::STRING) return false;
+  size_t len = field.string_value().size();
+  if (field.string_value()[len - 1] != 's') return false;
+  grpc_core::UniquePtr<char> buf(gpr_strdup(field.string_value().c_str()));
+  *(buf.get() + len - 1) = '\0';  // Remove trailing 's'.
+  char* decimal_point = strchr(buf.get(), '.');
+  int nanos = 0;
+  if (decimal_point != nullptr) {
+    *decimal_point = '\0';
+    nanos = gpr_parse_nonnegative_int(decimal_point + 1);
+    if (nanos == -1) {
+      return false;
+    }
+    int num_digits = static_cast<int>(strlen(decimal_point + 1));
+    if (num_digits > 9) {  // We don't accept greater precision than nanos.
+      return false;
+    }
+    for (int i = 0; i < (9 - num_digits); ++i) {
+      nanos *= 10;
+    }
+  }
+  int seconds =
+      decimal_point == buf.get() ? 0 : gpr_parse_nonnegative_int(buf.get());
+  if (seconds == -1) return false;
+  *duration = seconds * GPR_MS_PER_SEC + nanos / GPR_NS_PER_MS;
+  return true;
+}
+}  // namespace grpc_core

data/src/core/lib/json/json_util.h ADDED

@@ -0,0 +1,37 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+#ifndef GRPC_CORE_LIB_JSON_JSON_UTIL_H
+#define GRPC_CORE_LIB_JSON_JSON_UTIL_H
+#include <grpc/support/port_platform.h>
+#include "src/core/lib/iomgr/exec_ctx.h"
+#include "src/core/lib/json/json.h"
+namespace grpc_core {
+// Parses a JSON field of the form generated for a google.proto.Duration
+// proto message, as per:
+//   https://developers.google.com/protocol-buffers/docs/proto3#json
+// Returns true on success, false otherwise.
+bool ParseDurationFromJson(const Json& field, grpc_millis* duration);
+}  // namespace grpc_core
+#endif  // GRPC_CORE_LIB_JSON_JSON_UTIL_H

data/src/core/lib/security/authorization/authorization_engine.cc ADDED

@@ -0,0 +1,177 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#include <grpc/support/port_platform.h>
+#include "absl/memory/memory.h"
+#include "src/core/lib/security/authorization/authorization_engine.h"
+namespace grpc_core {
+namespace {
+// Symbols for traversing Envoy Attributes
+constexpr char kUrlPath[] = "url_path";
+constexpr char kHost[] = "host";
+constexpr char kMethod[] = "method";
+constexpr char kHeaders[] = "headers";
+constexpr char kSourceAddress[] = "source_address";
+constexpr char kSourcePort[] = "source_port";
+constexpr char kDestinationAddress[] = "destination_address";
+constexpr char kDestinationPort[] = "destination_port";
+constexpr char kSpiffeId[] = "spiffe_id";
+constexpr char kCertServerName[] = "cert_server_name";
+}  // namespace
+std::unique_ptr<AuthorizationEngine>
+AuthorizationEngine::CreateAuthorizationEngine(
+    const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies) {
+  if (rbac_policies.empty() || rbac_policies.size() > 2) {
+    gpr_log(GPR_ERROR,
+            "Invalid rbac policies vector. Must contain either one or two rbac "
+            "policies.");
+    return nullptr;
+  } else if (rbac_policies.size() == 2 &&
+             (envoy_config_rbac_v3_RBAC_action(rbac_policies[0]) != kDeny ||
+              envoy_config_rbac_v3_RBAC_action(rbac_policies[1]) != kAllow)) {
+    gpr_log(GPR_ERROR,
+            "Invalid rbac policies vector. Must contain one deny \
+                         policy and one allow policy, in that order.");
+    return nullptr;
+  } else {
+    return absl::make_unique<AuthorizationEngine>(rbac_policies);
+  }
+}
+AuthorizationEngine::AuthorizationEngine(
+    const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies) {
+  for (const auto& rbac_policy : rbac_policies) {
+    // Extract array of policies and store their condition fields in either
+    // allow_if_matched_ or deny_if_matched_, depending on the policy action.
+    upb::Arena temp_arena;
+    size_t policy_num = UPB_MAP_BEGIN;
+    const envoy_config_rbac_v3_RBAC_PoliciesEntry* policy_entry;
+    while ((policy_entry = envoy_config_rbac_v3_RBAC_policies_next(
+                rbac_policy, &policy_num)) != nullptr) {
+      const upb_strview policy_name_strview =
+          envoy_config_rbac_v3_RBAC_PoliciesEntry_key(policy_entry);
+      const std::string policy_name(policy_name_strview.data,
+                                    policy_name_strview.size);
+      const envoy_config_rbac_v3_Policy* policy =
+          envoy_config_rbac_v3_RBAC_PoliciesEntry_value(policy_entry);
+      const google_api_expr_v1alpha1_Expr* condition =
+          envoy_config_rbac_v3_Policy_condition(policy);
+      // Parse condition to make a pointer tied to the lifetime of arena_.
+      size_t serial_len;
+      const char* serialized = google_api_expr_v1alpha1_Expr_serialize(
+          condition, temp_arena.ptr(), &serial_len);
+      const google_api_expr_v1alpha1_Expr* parsed_condition =
+          google_api_expr_v1alpha1_Expr_parse(serialized, serial_len,
+                                              arena_.ptr());
+      if (envoy_config_rbac_v3_RBAC_action(rbac_policy) == kAllow) {
+        allow_if_matched_.insert(std::make_pair(policy_name, parsed_condition));
+      } else {
+        deny_if_matched_.insert(std::make_pair(policy_name, parsed_condition));
+      }
+    }
+  }
+}
+std::unique_ptr<mock_cel::Activation> AuthorizationEngine::CreateActivation(
+    const EvaluateArgs& args) {
+  std::unique_ptr<mock_cel::Activation> activation;
+  for (const auto& elem : envoy_attributes_) {
+    if (elem == kUrlPath) {
+      absl::string_view url_path(args.GetPath());
+      if (!url_path.empty()) {
+        activation->InsertValue(kUrlPath,
+                                mock_cel::CelValue::CreateStringView(url_path));
+      }
+    } else if (elem == kHost) {
+      absl::string_view host(args.GetHost());
+      if (!host.empty()) {
+        activation->InsertValue(kHost,
+                                mock_cel::CelValue::CreateStringView(host));
+      }
+    } else if (elem == kMethod) {
+      absl::string_view method(args.GetMethod());
+      if (!method.empty()) {
+        activation->InsertValue(kMethod,
+                                mock_cel::CelValue::CreateStringView(method));
+      }
+    } else if (elem == kHeaders) {
+      std::multimap<absl::string_view, absl::string_view> headers =
+          args.GetHeaders();
+      std::vector<std::pair<mock_cel::CelValue, mock_cel::CelValue>>
+          header_items;
+      for (const auto& header_key : header_keys_) {
+        auto header_item = headers.find(header_key);
+        if (header_item != headers.end()) {
+          header_items.push_back(
+              std::pair<mock_cel::CelValue, mock_cel::CelValue>(
+                  mock_cel::CelValue::CreateStringView(header_key),
+                  mock_cel::CelValue::CreateStringView(header_item->second)));
+        }
+      }
+      headers_ = mock_cel::ContainerBackedMapImpl::Create(
+          absl::Span<std::pair<mock_cel::CelValue, mock_cel::CelValue>>(
+              header_items));
+      activation->InsertValue(kHeaders,
+                              mock_cel::CelValue::CreateMap(headers_.get()));
+    } else if (elem == kSourceAddress) {
+      absl::string_view source_address(args.GetPeerAddress());
+      if (!source_address.empty()) {
+        activation->InsertValue(
+            kSourceAddress,
+            mock_cel::CelValue::CreateStringView(source_address));
+      }
+    } else if (elem == kSourcePort) {
+      activation->InsertValue(
+          kSourcePort, mock_cel::CelValue::CreateInt64(args.GetPeerPort()));
+    } else if (elem == kDestinationAddress) {
+      absl::string_view destination_address(args.GetLocalAddress());
+      if (!destination_address.empty()) {
+        activation->InsertValue(
+            kDestinationAddress,
+            mock_cel::CelValue::CreateStringView(destination_address));
+      }
+    } else if (elem == kDestinationPort) {
+      activation->InsertValue(kDestinationPort, mock_cel::CelValue::CreateInt64(
+                                                    args.GetLocalPort()));
+    } else if (elem == kSpiffeId) {
+      absl::string_view spiffe_id(args.GetSpiffeId());
+      if (!spiffe_id.empty()) {
+        activation->InsertValue(
+            kSpiffeId, mock_cel::CelValue::CreateStringView(spiffe_id));
+      }
+    } else if (elem == kCertServerName) {
+      absl::string_view cert_server_name(args.GetCertServerName());
+      if (!cert_server_name.empty()) {
+        activation->InsertValue(
+            kCertServerName,
+            mock_cel::CelValue::CreateStringView(cert_server_name));
+      }
+    } else {
+      gpr_log(GPR_ERROR,
+              "Error: Authorization engine does not support evaluating "
+              "attribute %s.",
+              elem.c_str());
+    }
+  }
+  return activation;
+}
+}  // namespace grpc_core

data/src/core/lib/security/authorization/authorization_engine.h ADDED

@@ -0,0 +1,84 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_AUTHORIZATION_ENGINE_H
+#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_AUTHORIZATION_ENGINE_H
+#include <grpc/support/port_platform.h>
+#include <grpc/support/log.h>
+#include <map>
+#include <memory>
+#include <string>
+#include <vector>
+#include "absl/container/flat_hash_set.h"
+#include "envoy/config/rbac/v3/rbac.upb.h"
+#include "google/api/expr/v1alpha1/syntax.upb.h"
+#include "upb/upb.hpp"
+#include "src/core/lib/security/authorization/evaluate_args.h"
+#include "src/core/lib/security/authorization/mock_cel/activation.h"
+namespace grpc_core {
+// AuthorizationEngine makes an AuthorizationDecision to ALLOW or DENY the
+// current action based on the condition fields in provided RBAC policies.
+// The engine may be constructed with one or two policies. If two polcies,
+// the first policy is deny-if-matched and the second is allow-if-matched.
+// The engine returns UNDECIDED decision if it fails to find a match in any
+// policy. This engine ignores the principal and permission fields in RBAC
+// policies. It is the caller's responsibility to provide RBAC policies that
+// are compatible with this engine.
+//
+// Example:
+// AuthorizationEngine*
+// auth_engine = AuthorizationEngine::CreateAuthorizationEngine(rbac_policies);
+// auth_engine->Evaluate(evaluate_args); // returns authorization decision.
+class AuthorizationEngine {
+ public:
+  // rbac_policies must be a vector containing either a single policy of any
+  // kind, or one deny policy and one allow policy, in that order.
+  static std::unique_ptr<AuthorizationEngine> CreateAuthorizationEngine(
+      const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies);
+  // Users should use the CreateAuthorizationEngine factory function
+  // instead of calling the AuthorizationEngine constructor directly.
+  explicit AuthorizationEngine(
+      const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies);
+  // TODO(mywang@google.com): add an Evaluate member function.
+ private:
+  enum Action {
+    kAllow,
+    kDeny,
+  };
+  std::unique_ptr<mock_cel::Activation> CreateActivation(
+      const EvaluateArgs& args);
+  std::map<const std::string, const google_api_expr_v1alpha1_Expr*>
+      deny_if_matched_;
+  std::map<const std::string, const google_api_expr_v1alpha1_Expr*>
+      allow_if_matched_;
+  upb::Arena arena_;
+  absl::flat_hash_set<std::string> envoy_attributes_;
+  absl::flat_hash_set<std::string> header_keys_;
+  std::unique_ptr<mock_cel::CelMap> headers_;
+};
+}  // namespace grpc_core
+#endif /* GRPC_CORE_LIB_SECURITY_AUTHORIZATION_AUTHORIZATION_ENGINE_H */

data/src/core/lib/security/authorization/evaluate_args.cc ADDED

@@ -0,0 +1,153 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+#include <grpc/support/port_platform.h>
+#include "src/core/lib/security/authorization/evaluate_args.h"
+#include "src/core/lib/iomgr/parse_address.h"
+#include "src/core/lib/iomgr/resolve_address.h"
+#include "src/core/lib/iomgr/sockaddr_utils.h"
+#include "src/core/lib/slice/slice_utils.h"
+namespace grpc_core {
+absl::string_view EvaluateArgs::GetPath() const {
+  absl::string_view path;
+  if (metadata_ != nullptr && metadata_->idx.named.path != nullptr) {
+    grpc_linked_mdelem* elem = metadata_->idx.named.path;
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    path = StringViewFromSlice(val);
+  }
+  return path;
+}
+absl::string_view EvaluateArgs::GetHost() const {
+  absl::string_view host;
+  if (metadata_ != nullptr && metadata_->idx.named.host != nullptr) {
+    grpc_linked_mdelem* elem = metadata_->idx.named.host;
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    host = StringViewFromSlice(val);
+  }
+  return host;
+}
+absl::string_view EvaluateArgs::GetMethod() const {
+  absl::string_view method;
+  if (metadata_ != nullptr && metadata_->idx.named.method != nullptr) {
+    grpc_linked_mdelem* elem = metadata_->idx.named.method;
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    method = StringViewFromSlice(val);
+  }
+  return method;
+}
+std::multimap<absl::string_view, absl::string_view> EvaluateArgs::GetHeaders()
+    const {
+  std::multimap<absl::string_view, absl::string_view> headers;
+  if (metadata_ == nullptr) {
+    return headers;
+  }
+  for (grpc_linked_mdelem* elem = metadata_->list.head; elem != nullptr;
+       elem = elem->next) {
+    const grpc_slice& key = GRPC_MDKEY(elem->md);
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    headers.emplace(StringViewFromSlice(key), StringViewFromSlice(val));
+  }
+  return headers;
+}
+absl::string_view EvaluateArgs::GetLocalAddress() const {
+  absl::string_view addr = grpc_endpoint_get_local_address(endpoint_);
+  size_t first_colon = addr.find(":");
+  size_t last_colon = addr.rfind(":");
+  if (first_colon == std::string::npos || last_colon == std::string::npos) {
+    return "";
+  } else {
+    return addr.substr(first_colon + 1, last_colon - first_colon - 1);
+  }
+}
+int EvaluateArgs::GetLocalPort() const {
+  if (endpoint_ == nullptr) {
+    return 0;
+  }
+  grpc_uri* uri = grpc_uri_parse(
+      std::string(grpc_endpoint_get_local_address(endpoint_)).c_str(), true);
+  grpc_resolved_address resolved_addr;
+  if (uri == nullptr || !grpc_parse_uri(uri, &resolved_addr)) {
+    grpc_uri_destroy(uri);
+    return 0;
+  }
+  grpc_uri_destroy(uri);
+  return grpc_sockaddr_get_port(&resolved_addr);
+}
+absl::string_view EvaluateArgs::GetPeerAddress() const {
+  absl::string_view addr = grpc_endpoint_get_peer(endpoint_);
+  size_t first_colon = addr.find(":");
+  size_t last_colon = addr.rfind(":");
+  if (first_colon == std::string::npos || last_colon == std::string::npos) {
+    return "";
+  } else {
+    return addr.substr(first_colon + 1, last_colon - first_colon - 1);
+  }
+}
+int EvaluateArgs::GetPeerPort() const {
+  if (endpoint_ == nullptr) {
+    return 0;
+  }
+  grpc_uri* uri = grpc_uri_parse(
+      std::string(grpc_endpoint_get_peer(endpoint_)).c_str(), true);
+  grpc_resolved_address resolved_addr;
+  if (uri == nullptr || !grpc_parse_uri(uri, &resolved_addr)) {
+    grpc_uri_destroy(uri);
+    return 0;
+  }
+  grpc_uri_destroy(uri);
+  return grpc_sockaddr_get_port(&resolved_addr);
+}
+absl::string_view EvaluateArgs::GetSpiffeId() const {
+  if (auth_context_ == nullptr) {
+    return "";
+  }
+  grpc_auth_property_iterator it = grpc_auth_context_find_properties_by_name(
+      auth_context_, GRPC_PEER_SPIFFE_ID_PROPERTY_NAME);
+  const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
+  if (prop == nullptr || grpc_auth_property_iterator_next(&it) != nullptr) {
+    return "";
+  }
+  return absl::string_view(prop->value, prop->value_length);
+}
+absl::string_view EvaluateArgs::GetCertServerName() const {
+  if (auth_context_ == nullptr) {
+    return "";
+  }
+  grpc_auth_property_iterator it = grpc_auth_context_find_properties_by_name(
+      auth_context_, GRPC_X509_CN_PROPERTY_NAME);
+  const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
+  if (prop == nullptr || grpc_auth_property_iterator_next(&it) != nullptr) {
+    return "";
+  }
+  return absl::string_view(prop->value, prop->value_length);
+}
+}  // namespace grpc_core