grpc 1.31.1 → 1.32.0.pre1

data/src/core/lib/security/authorization/authorization_engine.h

@@ -0,0 +1,84 @@
+
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_AUTHORIZATION_ENGINE_H
+#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_AUTHORIZATION_ENGINE_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/support/log.h>
+#include <map>
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "absl/container/flat_hash_set.h"
+#include "envoy/config/rbac/v3/rbac.upb.h"
+#include "google/api/expr/v1alpha1/syntax.upb.h"
+#include "upb/upb.hpp"
+
+#include "src/core/lib/security/authorization/evaluate_args.h"
+#include "src/core/lib/security/authorization/mock_cel/activation.h"
+
+namespace grpc_core {
+
+// AuthorizationEngine makes an AuthorizationDecision to ALLOW or DENY the
+// current action based on the condition fields in provided RBAC policies.
+// The engine may be constructed with one or two policies. If two polcies,
+// the first policy is deny-if-matched and the second is allow-if-matched.
+// The engine returns UNDECIDED decision if it fails to find a match in any
+// policy. This engine ignores the principal and permission fields in RBAC
+// policies. It is the caller's responsibility to provide RBAC policies that
+// are compatible with this engine.
+//
+// Example:
+// AuthorizationEngine*
+// auth_engine = AuthorizationEngine::CreateAuthorizationEngine(rbac_policies);
+// auth_engine->Evaluate(evaluate_args); // returns authorization decision.
+class AuthorizationEngine {
+ public:
+  // rbac_policies must be a vector containing either a single policy of any
+  // kind, or one deny policy and one allow policy, in that order.
+  static std::unique_ptr<AuthorizationEngine> CreateAuthorizationEngine(
+      const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies);
+
+  // Users should use the CreateAuthorizationEngine factory function
+  // instead of calling the AuthorizationEngine constructor directly.
+  explicit AuthorizationEngine(
+      const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies);
+  // TODO(mywang@google.com): add an Evaluate member function.
+
+ private:
+  enum Action {
+    kAllow,
+    kDeny,
+  };
+
+  std::unique_ptr<mock_cel::Activation> CreateActivation(
+      const EvaluateArgs& args);
+
+  std::map<const std::string, const google_api_expr_v1alpha1_Expr*>
+      deny_if_matched_;
+  std::map<const std::string, const google_api_expr_v1alpha1_Expr*>
+      allow_if_matched_;
+  upb::Arena arena_;
+  absl::flat_hash_set<std::string> envoy_attributes_;
+  absl::flat_hash_set<std::string> header_keys_;
+  std::unique_ptr<mock_cel::CelMap> headers_;
+};
+
+}  // namespace grpc_core
+
+#endif /* GRPC_CORE_LIB_SECURITY_AUTHORIZATION_AUTHORIZATION_ENGINE_H */

data/src/core/lib/security/authorization/evaluate_args.cc

@@ -0,0 +1,153 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/authorization/evaluate_args.h"
+
+#include "src/core/lib/iomgr/parse_address.h"
+#include "src/core/lib/iomgr/resolve_address.h"
+#include "src/core/lib/iomgr/sockaddr_utils.h"
+#include "src/core/lib/slice/slice_utils.h"
+
+namespace grpc_core {
+
+absl::string_view EvaluateArgs::GetPath() const {
+  absl::string_view path;
+  if (metadata_ != nullptr && metadata_->idx.named.path != nullptr) {
+    grpc_linked_mdelem* elem = metadata_->idx.named.path;
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    path = StringViewFromSlice(val);
+  }
+  return path;
+}
+
+absl::string_view EvaluateArgs::GetHost() const {
+  absl::string_view host;
+  if (metadata_ != nullptr && metadata_->idx.named.host != nullptr) {
+    grpc_linked_mdelem* elem = metadata_->idx.named.host;
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    host = StringViewFromSlice(val);
+  }
+  return host;
+}
+
+absl::string_view EvaluateArgs::GetMethod() const {
+  absl::string_view method;
+  if (metadata_ != nullptr && metadata_->idx.named.method != nullptr) {
+    grpc_linked_mdelem* elem = metadata_->idx.named.method;
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    method = StringViewFromSlice(val);
+  }
+  return method;
+}
+
+std::multimap<absl::string_view, absl::string_view> EvaluateArgs::GetHeaders()
+    const {
+  std::multimap<absl::string_view, absl::string_view> headers;
+  if (metadata_ == nullptr) {
+    return headers;
+  }
+  for (grpc_linked_mdelem* elem = metadata_->list.head; elem != nullptr;
+       elem = elem->next) {
+    const grpc_slice& key = GRPC_MDKEY(elem->md);
+    const grpc_slice& val = GRPC_MDVALUE(elem->md);
+    headers.emplace(StringViewFromSlice(key), StringViewFromSlice(val));
+  }
+  return headers;
+}
+
+absl::string_view EvaluateArgs::GetLocalAddress() const {
+  absl::string_view addr = grpc_endpoint_get_local_address(endpoint_);
+  size_t first_colon = addr.find(":");
+  size_t last_colon = addr.rfind(":");
+  if (first_colon == std::string::npos || last_colon == std::string::npos) {
+    return "";
+  } else {
+    return addr.substr(first_colon + 1, last_colon - first_colon - 1);
+  }
+}
+
+int EvaluateArgs::GetLocalPort() const {
+  if (endpoint_ == nullptr) {
+    return 0;
+  }
+  grpc_uri* uri = grpc_uri_parse(
+      std::string(grpc_endpoint_get_local_address(endpoint_)).c_str(), true);
+  grpc_resolved_address resolved_addr;
+  if (uri == nullptr || !grpc_parse_uri(uri, &resolved_addr)) {
+    grpc_uri_destroy(uri);
+    return 0;
+  }
+  grpc_uri_destroy(uri);
+  return grpc_sockaddr_get_port(&resolved_addr);
+}
+
+absl::string_view EvaluateArgs::GetPeerAddress() const {
+  absl::string_view addr = grpc_endpoint_get_peer(endpoint_);
+  size_t first_colon = addr.find(":");
+  size_t last_colon = addr.rfind(":");
+  if (first_colon == std::string::npos || last_colon == std::string::npos) {
+    return "";
+  } else {
+    return addr.substr(first_colon + 1, last_colon - first_colon - 1);
+  }
+}
+
+int EvaluateArgs::GetPeerPort() const {
+  if (endpoint_ == nullptr) {
+    return 0;
+  }
+  grpc_uri* uri = grpc_uri_parse(
+      std::string(grpc_endpoint_get_peer(endpoint_)).c_str(), true);
+  grpc_resolved_address resolved_addr;
+  if (uri == nullptr || !grpc_parse_uri(uri, &resolved_addr)) {
+    grpc_uri_destroy(uri);
+    return 0;
+  }
+  grpc_uri_destroy(uri);
+  return grpc_sockaddr_get_port(&resolved_addr);
+}
+
+absl::string_view EvaluateArgs::GetSpiffeId() const {
+  if (auth_context_ == nullptr) {
+    return "";
+  }
+  grpc_auth_property_iterator it = grpc_auth_context_find_properties_by_name(
+      auth_context_, GRPC_PEER_SPIFFE_ID_PROPERTY_NAME);
+  const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
+  if (prop == nullptr || grpc_auth_property_iterator_next(&it) != nullptr) {
+    return "";
+  }
+  return absl::string_view(prop->value, prop->value_length);
+}
+
+absl::string_view EvaluateArgs::GetCertServerName() const {
+  if (auth_context_ == nullptr) {
+    return "";
+  }
+  grpc_auth_property_iterator it = grpc_auth_context_find_properties_by_name(
+      auth_context_, GRPC_X509_CN_PROPERTY_NAME);
+  const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
+  if (prop == nullptr || grpc_auth_property_iterator_next(&it) != nullptr) {
+    return "";
+  }
+  return absl::string_view(prop->value, prop->value_length);
+}
+
+}  // namespace grpc_core

data/src/core/lib/security/authorization/evaluate_args.h

@@ -0,0 +1,59 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_EVALUATE_ARGS_H
+#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_EVALUATE_ARGS_H
+
+#include <grpc/support/port_platform.h>
+
+#include <map>
+
+#include "src/core/lib/iomgr/endpoint.h"
+#include "src/core/lib/security/context/security_context.h"
+#include "src/core/lib/transport/metadata_batch.h"
+
+namespace grpc_core {
+
+class EvaluateArgs {
+ public:
+  EvaluateArgs(grpc_metadata_batch* metadata, grpc_auth_context* auth_context,
+               grpc_endpoint* endpoint)
+      : metadata_(metadata), auth_context_(auth_context), endpoint_(endpoint) {}
+
+  absl::string_view GetPath() const;
+  absl::string_view GetHost() const;
+  absl::string_view GetMethod() const;
+  std::multimap<absl::string_view, absl::string_view> GetHeaders() const;
+  absl::string_view GetLocalAddress() const;
+  int GetLocalPort() const;
+  absl::string_view GetPeerAddress() const;
+  int GetPeerPort() const;
+  absl::string_view GetSpiffeId() const;
+  absl::string_view GetCertServerName() const;
+
+  // TODO: Add a getter function for source.principal
+
+ private:
+  grpc_metadata_batch* metadata_;
+  grpc_auth_context* auth_context_;
+  grpc_endpoint* endpoint_;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_EVALUATE_ARGS_H

data/src/core/lib/security/authorization/mock_cel/activation.h

@@ -0,0 +1,57 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_MOCK_CEL_ACTIVATION_H
+#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_MOCK_CEL_ACTIVATION_H
+
+#include <grpc/support/port_platform.h>
+
+#include "absl/strings/string_view.h"
+
+#include "src/core/lib/security/authorization/mock_cel/cel_value.h"
+
+namespace grpc_core {
+namespace mock_cel {
+
+// Base class for an activation. This is a temporary stub implementation of CEL
+// APIs. Once gRPC imports the CEL library, this class will be removed.
+class BaseActivation {
+ public:
+  BaseActivation() = default;
+
+  // Non-copyable/non-assignable
+  BaseActivation(const BaseActivation&) = delete;
+  BaseActivation& operator=(const BaseActivation&) = delete;
+};
+
+// Instance of Activation class is used by evaluator.
+// It provides binding between references used in expressions
+// and actual values. This is a temporary stub implementation of CEL APIs.
+// Once gRPC imports the CEL library, this class will be removed.
+class Activation : public BaseActivation {
+ public:
+  Activation() = default;
+
+  // Non-copyable/non-assignable
+  Activation(const Activation&) = delete;
+  Activation& operator=(const Activation&) = delete;
+
+  // Insert value into Activation.
+  void InsertValue(absl::string_view name, const CelValue& value) {}
+};
+
+}  // namespace mock_cel
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_MOCK_CEL_ACTIVATION_H

data/src/core/lib/security/authorization/mock_cel/cel_expr_builder_factory.h

@@ -0,0 +1,42 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_MOCK_CEL_CEL_EXPR_BUILDER_FACTORY_H
+#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_MOCK_CEL_CEL_EXPR_BUILDER_FACTORY_H
+
+#include <grpc/support/port_platform.h>
+
+#include <memory>
+
+#include "src/core/lib/security/authorization/mock_cel/flat_expr_builder.h"
+
+namespace grpc_core {
+namespace mock_cel {
+
+// This is a temporary stub implementation of CEL APIs.
+// Once gRPC imports the CEL library, this file will be removed.
+
+struct InterpreterOptions {
+  bool short_circuiting = true;
+};
+
+std::unique_ptr<CelExpressionBuilder> CreateCelExpressionBuilder(
+    const InterpreterOptions& options) {
+  return absl::make_unique<FlatExprBuilder>();
+}
+
+}  // namespace mock_cel
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_MOCK_CEL_CEL_EXPR_BUILDER_FACTORY_H

data/src/core/lib/security/authorization/mock_cel/cel_expression.h

@@ -0,0 +1,68 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_MOCK_CEL_CEL_EXPRESSION_H
+#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_MOCK_CEL_CEL_EXPRESSION_H
+
+#include <grpc/support/port_platform.h>
+
+#include <memory>
+#include <vector>
+
+#include "google/api/expr/v1alpha1/syntax.upb.h"
+#include "src/core/lib/security/authorization/mock_cel/activation.h"
+#include "src/core/lib/security/authorization/mock_cel/cel_value.h"
+#include "src/core/lib/security/authorization/mock_cel/statusor.h"
+
+namespace grpc_core {
+namespace mock_cel {
+
+// This is a temporary stub implementation of CEL APIs.
+// Once gRPC imports the CEL library, this file will be removed.
+
+// Base interface for expression evaluating objects.
+class CelExpression {
+ public:
+  virtual ~CelExpression() = default;
+
+  // Evaluates expression and returns value.
+  // activation contains bindings from parameter names to values
+  virtual StatusOr<CelValue> Evaluate(
+      const BaseActivation& activation) const = 0;
+};
+
+// Base class for Expression Builder implementations
+// Provides user with factory to register extension functions.
+// ExpressionBuilder MUST NOT be destroyed before CelExpression objects
+// it built.
+class CelExpressionBuilder {
+ public:
+  virtual ~CelExpressionBuilder() = default;
+
+  // Creates CelExpression object from AST tree.
+  // expr specifies root of AST tree
+  virtual StatusOr<std::unique_ptr<CelExpression>> CreateExpression(
+      const google_api_expr_v1alpha1_Expr* expr,
+      const google_api_expr_v1alpha1_SourceInfo* source_info) const = 0;
+
+  virtual StatusOr<std::unique_ptr<CelExpression>> CreateExpression(
+      const google_api_expr_v1alpha1_Expr* expr,
+      const google_api_expr_v1alpha1_SourceInfo* source_info,
+      std::vector<absl::Status>* warnings) const = 0;
+};
+
+}  // namespace mock_cel
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_MOCK_CEL_CEL_EXPRESSION_H