grpc 1.43.1 → 1.44.0.pre2

data/src/core/lib/{gprpp → resource_quota}/arena.h

@@ -22,8 +22,8 @@
 // Tracks the total memory allocated against it, so that future arenas can
 // pre-allocate the right amount of memory
 
-#ifndef GRPC_CORE_LIB_GPRPP_ARENA_H
-#define GRPC_CORE_LIB_GPRPP_ARENA_H
+#ifndef GRPC_CORE_LIB_RESOURCE_QUOTA_ARENA_H
+#define GRPC_CORE_LIB_RESOURCE_QUOTA_ARENA_H
 
 #include <grpc/support/port_platform.h>
 
@@ -38,20 +38,22 @@
 #include <grpc/support/sync.h>
 
 #include "src/core/lib/gpr/alloc.h"
-#include "src/core/lib/gpr/spinlock.h"
+#include "src/core/lib/promise/context.h"
+#include "src/core/lib/resource_quota/memory_quota.h"
 
 namespace grpc_core {
 
 class Arena {
  public:
   // Create an arena, with \a initial_size bytes in the first allocated buffer.
-  static Arena* Create(size_t initial_size);
+  static Arena* Create(size_t initial_size, MemoryAllocator* memory_allocator);
 
   // Create an arena, with \a initial_size bytes in the first allocated buffer,
   // and return both a void pointer to the returned arena and a void* with the
   // first allocation.
-  static std::pair<Arena*, void*> CreateWithAlloc(size_t initial_size,
-                                                  size_t alloc_size);
+  static std::pair<Arena*, void*> CreateWithAlloc(
+      size_t initial_size, size_t alloc_size,
+      MemoryAllocator* memory_allocator);
 
   // Destroy an arena, returning the total number of bytes allocated.
   size_t Destroy();
@@ -96,9 +98,11 @@ class Arena {
   //   quick optimization (avoiding an atomic fetch-add) for the common case
   //   where we wish to create an arena and then perform an immediate
   //   allocation.
-  explicit Arena(size_t initial_size, size_t initial_alloc = 0)
+  explicit Arena(size_t initial_size, size_t initial_alloc,
+                 MemoryAllocator* memory_allocator)
       : total_used_(GPR_ROUND_UP_TO_ALIGNMENT_SIZE(initial_alloc)),
-        initial_zone_size_(initial_size) {}
+        initial_zone_size_(initial_size),
+        memory_allocator_(memory_allocator) {}
 
   ~Arena();
 
@@ -107,14 +111,16 @@ class Arena {
   // Keep track of the total used size. We use this in our call sizing
   // hysteresis.
   std::atomic<size_t> total_used_{0};
+  std::atomic<size_t> total_allocated_{0};
   const size_t initial_zone_size_;
-  gpr_spinlock arena_growth_spinlock_ = GPR_SPINLOCK_STATIC_INITIALIZER;
   // If the initial arena allocation wasn't enough, we allocate additional zones
   // in a reverse linked list. Each additional zone consists of (1) a pointer to
   // the zone added before this zone (null if this is the first additional zone)
   // and (2) the allocated memory. The arena itself maintains a pointer to the
   // last zone; the zone list is reverse-walked during arena destruction only.
-  Zone* last_zone_ = nullptr;
+  std::atomic<Zone*> last_zone_{nullptr};
+  // The backing memory quota
+  MemoryAllocator* const memory_allocator_;
 };
 
 // Smart pointer for arenas when the final size is not required.
@@ -122,10 +128,15 @@ struct ScopedArenaDeleter {
   void operator()(Arena* arena) { arena->Destroy(); }
 };
 using ScopedArenaPtr = std::unique_ptr<Arena, ScopedArenaDeleter>;
-inline ScopedArenaPtr MakeScopedArena(size_t initial_size) {
-  return ScopedArenaPtr(Arena::Create(initial_size));
+inline ScopedArenaPtr MakeScopedArena(size_t initial_size,
+                                      MemoryAllocator* memory_allocator) {
+  return ScopedArenaPtr(Arena::Create(initial_size, memory_allocator));
 }
 
+// Arenas form a context for activities
+template <>
+struct ContextType<Arena> {};
+
 }  // namespace grpc_core
 
-#endif /* GRPC_CORE_LIB_GPRPP_ARENA_H */
+#endif /* GRPC_CORE_LIB_RESOURCE_QUOTA_ARENA_H */

data/src/core/lib/security/authorization/evaluate_args.cc

@@ -81,14 +81,13 @@ EvaluateArgs::PerChannelArgs::PerChannelArgs(grpc_auth_context* auth_context,
 }
 
 absl::string_view EvaluateArgs::GetPath() const {
-  absl::string_view path;
-  if (metadata_ != nullptr &&
-      metadata_->legacy_index()->named.path != nullptr) {
-    grpc_linked_mdelem* elem = metadata_->legacy_index()->named.path;
-    const grpc_slice& val = GRPC_MDVALUE(elem->md);
-    path = StringViewFromSlice(val);
+  if (metadata_ != nullptr) {
+    const auto* path = metadata_->get_pointer(HttpPathMetadata());
+    if (path != nullptr) {
+      return path->as_string_view();
+    }
   }
-  return path;
+  return absl::string_view();
 }
 
 absl::string_view EvaluateArgs::GetHost() const {
@@ -101,15 +100,24 @@ absl::string_view EvaluateArgs::GetHost() const {
   return host;
 }
 
+absl::string_view EvaluateArgs::GetAuthority() const {
+  absl::string_view authority;
+  if (metadata_ != nullptr) {
+    if (auto* authority_md = metadata_->get_pointer(HttpAuthorityMetadata())) {
+      authority = authority_md->as_string_view();
+    }
+  }
+  return authority;
+}
+
 absl::string_view EvaluateArgs::GetMethod() const {
-  absl::string_view method;
-  if (metadata_ != nullptr &&
-      metadata_->legacy_index()->named.method != nullptr) {
-    grpc_linked_mdelem* elem = metadata_->legacy_index()->named.method;
-    const grpc_slice& val = GRPC_MDVALUE(elem->md);
-    method = StringViewFromSlice(val);
+  if (metadata_ != nullptr) {
+    auto method_md = metadata_->get(HttpMethodMetadata());
+    if (method_md.has_value()) {
+      return HttpMethodMetadata::Encode(*method_md).as_string_view();
+    }
   }
-  return method;
+  return absl::string_view();
 }
 
 absl::optional<absl::string_view> EvaluateArgs::GetHeaderValue(
@@ -117,7 +125,14 @@ absl::optional<absl::string_view> EvaluateArgs::GetHeaderValue(
   if (metadata_ == nullptr) {
     return absl::nullopt;
   }
-  return metadata_->GetValue(key, concatenated_value);
+  if (absl::EqualsIgnoreCase(key, "te")) {
+    return absl::nullopt;
+  }
+  if (absl::EqualsIgnoreCase(key, "host")) {
+    // Maps legacy host header to :authority.
+    return GetAuthority();
+  }
+  return metadata_->GetStringValue(key, concatenated_value);
 }
 
 grpc_resolved_address EvaluateArgs::GetLocalAddress() const {

data/src/core/lib/security/authorization/evaluate_args.h

@@ -58,6 +58,7 @@ class EvaluateArgs {
 
   absl::string_view GetPath() const;
   absl::string_view GetHost() const;
+  absl::string_view GetAuthority() const;
   absl::string_view GetMethod() const;
   // Returns metadata value(s) for the specified key.
   // If the key is not present in the batch, returns absl::nullopt.

data/src/core/lib/security/authorization/grpc_authorization_engine.cc

@@ -0,0 +1,60 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/authorization/grpc_authorization_engine.h"
+
+namespace grpc_core {
+
+GrpcAuthorizationEngine::GrpcAuthorizationEngine(Rbac policy)
+    : action_(policy.action) {
+  for (auto& sub_policy : policy.policies) {
+    Policy policy;
+    policy.name = sub_policy.first;
+    policy.matcher = absl::make_unique<PolicyAuthorizationMatcher>(
+        std::move(sub_policy.second));
+    policies_.push_back(std::move(policy));
+  }
+}
+
+GrpcAuthorizationEngine::GrpcAuthorizationEngine(
+    GrpcAuthorizationEngine&& other) noexcept
+    : action_(other.action_), policies_(std::move(other.policies_)) {}
+
+GrpcAuthorizationEngine& GrpcAuthorizationEngine::operator=(
+    GrpcAuthorizationEngine&& other) noexcept {
+  action_ = other.action_;
+  policies_ = std::move(other.policies_);
+  return *this;
+}
+
+AuthorizationEngine::Decision GrpcAuthorizationEngine::Evaluate(
+    const EvaluateArgs& args) const {
+  Decision decision;
+  bool matches = false;
+  for (const auto& policy : policies_) {
+    if (policy.matcher->Matches(args)) {
+      matches = true;
+      decision.matching_policy_name = policy.name;
+      break;
+    }
+  }
+  decision.type = (matches == (action_ == Rbac::Action::kAllow))
+                      ? Decision::Type::kAllow
+                      : Decision::Type::kDeny;
+  return decision;
+}
+
+}  // namespace grpc_core

data/src/core/lib/security/authorization/grpc_authorization_engine.h

@@ -0,0 +1,62 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_ENGINE_H
+#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_ENGINE_H
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/authorization/authorization_engine.h"
+#include "src/core/lib/security/authorization/matchers.h"
+#include "src/core/lib/security/authorization/rbac_policy.h"
+
+namespace grpc_core {
+
+// GrpcAuthorizationEngine can be either an Allow engine or Deny engine. This
+// engine makes authorization decisions to Allow or Deny incoming RPC request
+// based on permission and principal configs in the provided RBAC policy and the
+// engine type. This engine ignores condition field in RBAC config. It is the
+// caller's responsibility to provide RBAC policies that are compatible with
+// this engine.
+class GrpcAuthorizationEngine : public AuthorizationEngine {
+ public:
+  // Builds GrpcAuthorizationEngine without any policies.
+  explicit GrpcAuthorizationEngine(Rbac::Action action) : action_(action) {}
+  // Builds GrpcAuthorizationEngine with allow/deny RBAC policy.
+  explicit GrpcAuthorizationEngine(Rbac policy);
+
+  GrpcAuthorizationEngine(GrpcAuthorizationEngine&& other) noexcept;
+  GrpcAuthorizationEngine& operator=(GrpcAuthorizationEngine&& other) noexcept;
+
+  Rbac::Action action() const { return action_; }
+
+  // Required only for testing purpose.
+  size_t num_policies() const { return policies_.size(); }
+
+  // Evaluates incoming request against RBAC policy and makes a decision to
+  // whether allow/deny this request.
+  Decision Evaluate(const EvaluateArgs& args) const override;
+
+ private:
+  struct Policy {
+    std::string name;
+    std::unique_ptr<AuthorizationMatcher> matcher;
+  };
+  Rbac::Action action_;
+  std::vector<Policy> policies_;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_ENGINE_H

data/src/core/lib/security/authorization/matchers.cc

@@ -0,0 +1,227 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/authorization/matchers.h"
+
+#include <grpc/grpc_security_constants.h>
+
+#include "src/core/lib/address_utils/parse_address.h"
+#include "src/core/lib/address_utils/sockaddr_utils.h"
+
+namespace grpc_core {
+
+std::unique_ptr<AuthorizationMatcher> AuthorizationMatcher::Create(
+    Rbac::Permission permission) {
+  switch (permission.type) {
+    case Rbac::Permission::RuleType::kAnd: {
+      std::vector<std::unique_ptr<AuthorizationMatcher>> matchers;
+      for (const auto& rule : permission.permissions) {
+        matchers.push_back(AuthorizationMatcher::Create(std::move(*rule)));
+      }
+      return absl::make_unique<AndAuthorizationMatcher>(std::move(matchers));
+    }
+    case Rbac::Permission::RuleType::kOr: {
+      std::vector<std::unique_ptr<AuthorizationMatcher>> matchers;
+      for (const auto& rule : permission.permissions) {
+        matchers.push_back(AuthorizationMatcher::Create(std::move(*rule)));
+      }
+      return absl::make_unique<OrAuthorizationMatcher>(std::move(matchers));
+    }
+    case Rbac::Permission::RuleType::kNot:
+      return absl::make_unique<NotAuthorizationMatcher>(
+          AuthorizationMatcher::Create(std::move(*permission.permissions[0])));
+    case Rbac::Permission::RuleType::kAny:
+      return absl::make_unique<AlwaysAuthorizationMatcher>();
+    case Rbac::Permission::RuleType::kHeader:
+      return absl::make_unique<HeaderAuthorizationMatcher>(
+          std::move(permission.header_matcher));
+    case Rbac::Permission::RuleType::kPath:
+      return absl::make_unique<PathAuthorizationMatcher>(
+          std::move(permission.string_matcher));
+    case Rbac::Permission::RuleType::kDestIp:
+      return absl::make_unique<IpAuthorizationMatcher>(
+          IpAuthorizationMatcher::Type::kDestIp, std::move(permission.ip));
+    case Rbac::Permission::RuleType::kDestPort:
+      return absl::make_unique<PortAuthorizationMatcher>(permission.port);
+    case Rbac::Permission::RuleType::kMetadata:
+      return absl::make_unique<MetadataAuthorizationMatcher>(permission.invert);
+    case Rbac::Permission::RuleType::kReqServerName:
+      return absl::make_unique<ReqServerNameAuthorizationMatcher>(
+          std::move(permission.string_matcher));
+  }
+  return nullptr;
+}
+
+std::unique_ptr<AuthorizationMatcher> AuthorizationMatcher::Create(
+    Rbac::Principal principal) {
+  switch (principal.type) {
+    case Rbac::Principal::RuleType::kAnd: {
+      std::vector<std::unique_ptr<AuthorizationMatcher>> matchers;
+      for (const auto& id : principal.principals) {
+        matchers.push_back(AuthorizationMatcher::Create(std::move(*id)));
+      }
+      return absl::make_unique<AndAuthorizationMatcher>(std::move(matchers));
+    }
+    case Rbac::Principal::RuleType::kOr: {
+      std::vector<std::unique_ptr<AuthorizationMatcher>> matchers;
+      for (const auto& id : principal.principals) {
+        matchers.push_back(AuthorizationMatcher::Create(std::move(*id)));
+      }
+      return absl::make_unique<OrAuthorizationMatcher>(std::move(matchers));
+    }
+    case Rbac::Principal::RuleType::kNot:
+      return absl::make_unique<NotAuthorizationMatcher>(
+          AuthorizationMatcher::Create(std::move(*principal.principals[0])));
+    case Rbac::Principal::RuleType::kAny:
+      return absl::make_unique<AlwaysAuthorizationMatcher>();
+    case Rbac::Principal::RuleType::kPrincipalName:
+      return absl::make_unique<AuthenticatedAuthorizationMatcher>(
+          std::move(principal.string_matcher));
+    case Rbac::Principal::RuleType::kSourceIp:
+      return absl::make_unique<IpAuthorizationMatcher>(
+          IpAuthorizationMatcher::Type::kSourceIp, std::move(principal.ip));
+    case Rbac::Principal::RuleType::kDirectRemoteIp:
+      return absl::make_unique<IpAuthorizationMatcher>(
+          IpAuthorizationMatcher::Type::kDirectRemoteIp,
+          std::move(principal.ip));
+    case Rbac::Principal::RuleType::kRemoteIp:
+      return absl::make_unique<IpAuthorizationMatcher>(
+          IpAuthorizationMatcher::Type::kRemoteIp, std::move(principal.ip));
+    case Rbac::Principal::RuleType::kHeader:
+      return absl::make_unique<HeaderAuthorizationMatcher>(
+          std::move(principal.header_matcher));
+    case Rbac::Principal::RuleType::kPath:
+      return absl::make_unique<PathAuthorizationMatcher>(
+          std::move(principal.string_matcher));
+    case Rbac::Principal::RuleType::kMetadata:
+      return absl::make_unique<MetadataAuthorizationMatcher>(principal.invert);
+  }
+  return nullptr;
+}
+
+bool AndAuthorizationMatcher::Matches(const EvaluateArgs& args) const {
+  for (const auto& matcher : matchers_) {
+    if (!matcher->Matches(args)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+bool OrAuthorizationMatcher::Matches(const EvaluateArgs& args) const {
+  for (const auto& matcher : matchers_) {
+    if (matcher->Matches(args)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+bool NotAuthorizationMatcher::Matches(const EvaluateArgs& args) const {
+  return !matcher_->Matches(args);
+}
+
+bool HeaderAuthorizationMatcher::Matches(const EvaluateArgs& args) const {
+  std::string concatenated_value;
+  return matcher_.Match(
+      args.GetHeaderValue(matcher_.name(), &concatenated_value));
+}
+
+IpAuthorizationMatcher::IpAuthorizationMatcher(Type type, Rbac::CidrRange range)
+    : type_(type), prefix_len_(range.prefix_len) {
+  grpc_error_handle error =
+      grpc_string_to_sockaddr(&subnet_address_, range.address_prefix.c_str(),
+                              /*port does not matter here*/ 0);
+  if (error == GRPC_ERROR_NONE) {
+    grpc_sockaddr_mask_bits(&subnet_address_, prefix_len_);
+  } else {
+    gpr_log(GPR_DEBUG, "CidrRange address %s is not IPv4/IPv6. Error: %s",
+            range.address_prefix.c_str(), grpc_error_std_string(error).c_str());
+  }
+  GRPC_ERROR_UNREF(error);
+}
+
+bool IpAuthorizationMatcher::Matches(const EvaluateArgs& args) const {
+  grpc_resolved_address address;
+  switch (type_) {
+    case Type::kDestIp: {
+      address = args.GetLocalAddress();
+      break;
+    }
+    case Type::kSourceIp:
+    case Type::kDirectRemoteIp:
+    case Type::kRemoteIp: {
+      address = args.GetPeerAddress();
+      break;
+    }
+    default:
+      return false;
+  }
+  return grpc_sockaddr_match_subnet(&address, &subnet_address_, prefix_len_);
+}
+
+bool PortAuthorizationMatcher::Matches(const EvaluateArgs& args) const {
+  return port_ == args.GetLocalPort();
+}
+
+bool AuthenticatedAuthorizationMatcher::Matches(
+    const EvaluateArgs& args) const {
+  if (args.GetTransportSecurityType() != GRPC_SSL_TRANSPORT_SECURITY_TYPE &&
+      args.GetTransportSecurityType() != GRPC_TLS_TRANSPORT_SECURITY_TYPE) {
+    // Connection is not authenticated.
+    return false;
+  }
+  if (matcher_.string_matcher().empty()) {
+    // Allows any authenticated user.
+    return true;
+  }
+  std::vector<absl::string_view> uri_sans = args.GetUriSans();
+  if (!uri_sans.empty()) {
+    for (const auto& uri : uri_sans) {
+      if (matcher_.Match(uri)) {
+        return true;
+      }
+    }
+  }
+  std::vector<absl::string_view> dns_sans = args.GetDnsSans();
+  if (!dns_sans.empty()) {
+    for (const auto& dns : dns_sans) {
+      if (matcher_.Match(dns)) {
+        return true;
+      }
+    }
+  }
+  return matcher_.Match(args.GetSubject());
+}
+
+bool ReqServerNameAuthorizationMatcher::Matches(const EvaluateArgs&) const {
+  // Currently we only support matching against an empty string.
+  return matcher_.Match("");
+}
+
+bool PathAuthorizationMatcher::Matches(const EvaluateArgs& args) const {
+  absl::string_view path = args.GetPath();
+  if (!path.empty()) {
+    return matcher_.Match(path);
+  }
+  return false;
+}
+
+bool PolicyAuthorizationMatcher::Matches(const EvaluateArgs& args) const {
+  return permissions_->Matches(args) && principals_->Matches(args);
+}
+
+}  // namespace grpc_core