grpc 1.50.0-x86_64-linux → 1.51.0-x86_64-linux
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +131 -42
- data/include/grpc/event_engine/event_engine.h +10 -3
- data/include/grpc/event_engine/slice_buffer.h +17 -0
- data/include/grpc/grpc.h +0 -10
- data/include/grpc/impl/codegen/grpc_types.h +1 -5
- data/include/grpc/impl/codegen/port_platform.h +0 -3
- data/src/core/ext/filters/channel_idle/channel_idle_filter.cc +19 -13
- data/src/core/ext/filters/channel_idle/channel_idle_filter.h +1 -0
- data/src/core/ext/filters/client_channel/backup_poller.cc +3 -3
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +7 -5
- data/src/core/ext/filters/client_channel/client_channel.cc +120 -140
- data/src/core/ext/filters/client_channel/client_channel.h +3 -4
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +0 -2
- data/src/core/ext/filters/client_channel/client_channel_plugin.cc +1 -1
- data/src/core/ext/filters/client_channel/client_channel_service_config.cc +153 -0
- data/src/core/ext/filters/client_channel/{resolver_result_parsing.h → client_channel_service_config.h} +26 -23
- data/src/core/ext/filters/client_channel/connector.h +1 -1
- data/src/core/ext/filters/client_channel/dynamic_filters.cc +20 -47
- data/src/core/ext/filters/client_channel/dynamic_filters.h +7 -8
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +3 -4
- data/src/core/ext/filters/client_channel/http_proxy.cc +0 -1
- data/src/core/ext/filters/client_channel/lb_policy/address_filtering.cc +3 -4
- data/src/core/ext/filters/client_channel/lb_policy/child_policy_handler.cc +5 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +8 -7
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +35 -44
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_balancer_addresses.cc +0 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb_client_stats.cc +1 -3
- data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric.cc +3 -4
- data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric.h +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.cc +41 -29
- data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.h +2 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +9 -11
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +15 -12
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +8 -10
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +26 -27
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +7 -9
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +44 -26
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +17 -27
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_attributes.cc +42 -0
- data/src/core/ext/filters/client_channel/lb_policy/xds/{xds.h → xds_attributes.h} +15 -17
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +13 -7
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +48 -47
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +40 -126
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_wrr_locality.cc +364 -0
- data/src/core/ext/filters/client_channel/resolver/binder/binder_resolver.cc +9 -9
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +23 -32
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +22 -23
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +50 -52
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +2 -4
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +1 -3
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +34 -26
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +3 -4
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +4 -7
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +63 -46
- data/src/core/ext/filters/client_channel/retry_filter.cc +80 -102
- data/src/core/ext/filters/client_channel/retry_service_config.cc +192 -234
- data/src/core/ext/filters/client_channel/retry_service_config.h +20 -23
- data/src/core/ext/filters/client_channel/retry_throttle.cc +8 -8
- data/src/core/ext/filters/client_channel/retry_throttle.h +8 -7
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +2 -2
- data/src/core/ext/filters/client_channel/subchannel.cc +21 -25
- data/src/core/ext/filters/client_channel/subchannel.h +2 -2
- data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +11 -12
- data/src/core/ext/filters/deadline/deadline_filter.cc +13 -14
- data/src/core/ext/filters/fault_injection/fault_injection_filter.cc +1 -1
- data/src/core/ext/filters/fault_injection/fault_injection_filter.h +0 -4
- data/src/core/ext/filters/fault_injection/fault_injection_service_config_parser.cc +118 -0
- data/src/core/ext/filters/fault_injection/{service_config_parser.h → fault_injection_service_config_parser.h} +20 -12
- data/src/core/ext/filters/http/client/http_client_filter.cc +16 -16
- data/src/core/ext/filters/http/client_authority_filter.cc +1 -1
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +13 -13
- data/src/core/ext/filters/http/message_compress/message_decompress_filter.cc +34 -34
- data/src/core/ext/filters/http/server/http_server_filter.cc +26 -25
- data/src/core/ext/filters/message_size/message_size_filter.cc +86 -117
- data/src/core/ext/filters/message_size/message_size_filter.h +22 -15
- data/src/core/ext/filters/rbac/rbac_filter.cc +12 -12
- data/src/core/ext/filters/rbac/rbac_service_config_parser.cc +728 -530
- data/src/core/ext/filters/rbac/rbac_service_config_parser.h +4 -3
- data/src/core/ext/filters/server_config_selector/server_config_selector.h +1 -1
- data/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc +6 -7
- data/src/core/ext/transport/chttp2/client/chttp2_connector.cc +17 -21
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +57 -72
- data/src/core/ext/transport/chttp2/transport/bin_decoder.cc +5 -5
- data/src/core/ext/transport/chttp2/transport/bin_encoder.h +1 -1
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +212 -253
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +42 -11
- data/src/core/ext/transport/chttp2/transport/flow_control.h +4 -3
- data/src/core/ext/transport/chttp2/transport/frame_data.cc +16 -15
- data/src/core/ext/transport/chttp2/transport/frame_data.h +1 -1
- data/src/core/ext/transport/chttp2/transport/frame_goaway.cc +13 -13
- data/src/core/ext/transport/chttp2/transport/frame_ping.cc +4 -3
- data/src/core/ext/transport/chttp2/transport/frame_rst_stream.cc +10 -7
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +15 -17
- data/src/core/ext/transport/chttp2/transport/frame_window_update.cc +5 -4
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +5 -6
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +1 -1
- data/src/core/ext/transport/chttp2/transport/hpack_encoder_table.cc +2 -1
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +31 -39
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +7 -6
- data/src/core/ext/transport/chttp2/transport/internal.h +24 -8
- data/src/core/ext/transport/chttp2/transport/parsing.cc +51 -52
- data/src/core/ext/transport/chttp2/transport/varint.cc +2 -3
- data/src/core/ext/transport/chttp2/transport/varint.h +11 -8
- data/src/core/ext/transport/chttp2/transport/writing.cc +16 -16
- data/src/core/ext/transport/inproc/inproc_transport.cc +97 -115
- data/src/core/ext/xds/certificate_provider_store.cc +4 -4
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +4 -7
- data/src/core/ext/xds/xds_api.cc +15 -68
- data/src/core/ext/xds/xds_api.h +3 -7
- data/src/core/ext/xds/xds_bootstrap.h +0 -1
- data/src/core/ext/xds/xds_bootstrap_grpc.cc +3 -12
- data/src/core/ext/xds/xds_bootstrap_grpc.h +16 -1
- data/src/core/ext/xds/xds_certificate_provider.cc +22 -25
- data/src/core/ext/xds/xds_channel_stack_modifier.cc +0 -1
- data/src/core/ext/xds/xds_client.cc +122 -90
- data/src/core/ext/xds/xds_client.h +7 -2
- data/src/core/ext/xds/xds_client_grpc.cc +5 -24
- data/src/core/ext/xds/xds_cluster.cc +291 -183
- data/src/core/ext/xds/xds_cluster.h +11 -15
- data/src/core/ext/xds/xds_cluster_specifier_plugin.cc +32 -29
- data/src/core/ext/xds/xds_cluster_specifier_plugin.h +35 -16
- data/src/core/ext/xds/xds_common_types.cc +208 -141
- data/src/core/ext/xds/xds_common_types.h +19 -13
- data/src/core/ext/xds/xds_endpoint.cc +214 -129
- data/src/core/ext/xds/xds_endpoint.h +4 -7
- data/src/core/ext/xds/xds_http_fault_filter.cc +56 -43
- data/src/core/ext/xds/xds_http_fault_filter.h +13 -21
- data/src/core/ext/xds/xds_http_filters.cc +60 -73
- data/src/core/ext/xds/xds_http_filters.h +67 -19
- data/src/core/ext/xds/xds_http_rbac_filter.cc +152 -207
- data/src/core/ext/xds/xds_http_rbac_filter.h +12 -15
- data/src/core/ext/xds/xds_lb_policy_registry.cc +122 -169
- data/src/core/ext/xds/xds_lb_policy_registry.h +10 -11
- data/src/core/ext/xds/xds_listener.cc +459 -417
- data/src/core/ext/xds/xds_listener.h +43 -47
- data/src/core/ext/xds/xds_resource_type.h +3 -11
- data/src/core/ext/xds/xds_resource_type_impl.h +8 -13
- data/src/core/ext/xds/xds_route_config.cc +94 -80
- data/src/core/ext/xds/xds_route_config.h +10 -10
- data/src/core/ext/xds/xds_routing.cc +2 -1
- data/src/core/ext/xds/xds_routing.h +2 -0
- data/src/core/ext/xds/xds_server_config_fetcher.cc +109 -94
- data/src/core/ext/xds/xds_transport_grpc.cc +4 -5
- data/src/core/lib/address_utils/parse_address.cc +11 -10
- data/src/core/lib/channel/channel_args.h +16 -1
- data/src/core/lib/channel/channel_stack.cc +23 -20
- data/src/core/lib/channel/channel_stack.h +17 -4
- data/src/core/lib/channel/channel_stack_builder.cc +4 -7
- data/src/core/lib/channel/channel_stack_builder.h +14 -6
- data/src/core/lib/channel/channel_stack_builder_impl.cc +25 -7
- data/src/core/lib/channel/channel_stack_builder_impl.h +2 -0
- data/src/core/lib/channel/channel_trace.cc +4 -5
- data/src/core/lib/channel/channelz.cc +1 -1
- data/src/core/lib/channel/connected_channel.cc +695 -35
- data/src/core/lib/channel/connected_channel.h +0 -4
- data/src/core/lib/channel/promise_based_filter.cc +1004 -140
- data/src/core/lib/channel/promise_based_filter.h +364 -87
- data/src/core/lib/compression/message_compress.cc +5 -5
- data/src/core/lib/debug/event_log.cc +88 -0
- data/src/core/lib/debug/event_log.h +81 -0
- data/src/core/lib/debug/histogram_view.cc +69 -0
- data/src/core/lib/{slice/slice_refcount.cc → debug/histogram_view.h} +15 -13
- data/src/core/lib/debug/stats.cc +22 -119
- data/src/core/lib/debug/stats.h +29 -35
- data/src/core/lib/debug/stats_data.cc +224 -73
- data/src/core/lib/debug/stats_data.h +263 -122
- data/src/core/lib/event_engine/common_closures.h +71 -0
- data/src/core/lib/event_engine/default_event_engine.cc +38 -15
- data/src/core/lib/event_engine/default_event_engine.h +15 -3
- data/src/core/lib/event_engine/default_event_engine_factory.cc +2 -4
- data/src/core/lib/event_engine/memory_allocator.cc +1 -1
- data/src/core/lib/event_engine/poller.h +10 -4
- data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +618 -0
- data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.h +129 -0
- data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +901 -0
- data/src/core/lib/event_engine/posix_engine/ev_poll_posix.h +97 -0
- data/src/core/lib/event_engine/posix_engine/event_poller.h +111 -0
- data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +74 -0
- data/src/core/lib/event_engine/{executor/threaded_executor.cc → posix_engine/event_poller_posix_default.h} +13 -16
- data/src/core/lib/event_engine/posix_engine/internal_errqueue.cc +77 -0
- data/src/core/lib/event_engine/posix_engine/internal_errqueue.h +179 -0
- data/src/core/lib/event_engine/posix_engine/lockfree_event.cc +267 -0
- data/src/core/lib/event_engine/posix_engine/lockfree_event.h +73 -0
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +1270 -0
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +682 -0
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +453 -18
- data/src/core/lib/event_engine/posix_engine/posix_engine.h +148 -24
- data/src/core/lib/event_engine/posix_engine/posix_engine_closure.h +80 -0
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +1081 -0
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +361 -0
- data/src/core/lib/event_engine/posix_engine/timer.h +9 -8
- data/src/core/lib/event_engine/posix_engine/timer_manager.cc +57 -194
- data/src/core/lib/event_engine/posix_engine/timer_manager.h +21 -49
- data/src/core/lib/event_engine/posix_engine/traced_buffer_list.cc +301 -0
- data/src/core/lib/event_engine/posix_engine/traced_buffer_list.h +179 -0
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_eventfd.cc +126 -0
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_eventfd.h +45 -0
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_pipe.cc +151 -0
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_pipe.h +45 -0
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_posix.h +76 -0
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_posix_default.cc +67 -0
- data/src/core/lib/event_engine/posix_engine/wakeup_fd_posix_default.h +37 -0
- data/src/core/lib/event_engine/slice.cc +7 -6
- data/src/core/lib/event_engine/slice_buffer.cc +2 -2
- data/src/core/lib/event_engine/thread_pool.cc +106 -25
- data/src/core/lib/event_engine/thread_pool.h +32 -9
- data/src/core/lib/event_engine/windows/win_socket.cc +7 -7
- data/src/core/lib/event_engine/windows/windows_engine.cc +18 -12
- data/src/core/lib/event_engine/windows/windows_engine.h +8 -4
- data/src/core/lib/experiments/config.cc +1 -1
- data/src/core/lib/experiments/experiments.cc +13 -2
- data/src/core/lib/experiments/experiments.h +8 -1
- data/src/core/lib/gpr/cpu_linux.cc +6 -2
- data/src/core/lib/gpr/log_linux.cc +3 -4
- data/src/core/lib/gpr/string.h +1 -1
- data/src/core/lib/gpr/tmpfile_posix.cc +3 -2
- data/src/core/lib/gprpp/load_file.cc +75 -0
- data/src/core/lib/gprpp/load_file.h +33 -0
- data/src/core/lib/gprpp/per_cpu.h +46 -0
- data/src/core/lib/gprpp/stat_posix.cc +5 -4
- data/src/core/lib/gprpp/stat_windows.cc +3 -2
- data/src/core/lib/gprpp/status_helper.h +1 -3
- data/src/core/lib/gprpp/strerror.cc +41 -0
- data/src/core/{ext/xds/xds_resource_type.cc → lib/gprpp/strerror.h} +9 -13
- data/src/core/lib/gprpp/thd_windows.cc +1 -2
- data/src/core/lib/gprpp/time.cc +3 -4
- data/src/core/lib/gprpp/time.h +13 -2
- data/src/core/lib/gprpp/validation_errors.h +18 -1
- data/src/core/lib/http/httpcli.cc +40 -44
- data/src/core/lib/http/httpcli.h +6 -5
- data/src/core/lib/http/httpcli_security_connector.cc +4 -6
- data/src/core/lib/http/parser.cc +54 -65
- data/src/core/lib/iomgr/buffer_list.cc +105 -116
- data/src/core/lib/iomgr/buffer_list.h +60 -44
- data/src/core/lib/iomgr/call_combiner.cc +11 -10
- data/src/core/lib/iomgr/call_combiner.h +3 -4
- data/src/core/lib/iomgr/cfstream_handle.cc +13 -16
- data/src/core/lib/iomgr/closure.h +49 -5
- data/src/core/lib/iomgr/combiner.cc +2 -2
- data/src/core/lib/iomgr/endpoint.h +1 -1
- data/src/core/lib/iomgr/endpoint_cfstream.cc +26 -25
- data/src/core/lib/iomgr/endpoint_pair_posix.cc +2 -2
- data/src/core/lib/iomgr/error.cc +27 -42
- data/src/core/lib/iomgr/error.h +22 -152
- data/src/core/lib/iomgr/ev_apple.cc +4 -4
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +26 -25
- data/src/core/lib/iomgr/ev_poll_posix.cc +27 -31
- data/src/core/lib/iomgr/exec_ctx.cc +3 -4
- data/src/core/lib/iomgr/exec_ctx.h +2 -3
- data/src/core/lib/iomgr/executor.cc +1 -2
- data/src/core/lib/iomgr/internal_errqueue.cc +3 -1
- data/src/core/lib/iomgr/iocp_windows.cc +1 -0
- data/src/core/lib/iomgr/iomgr_posix.cc +2 -2
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +2 -1
- data/src/core/lib/iomgr/iomgr_windows.cc +2 -1
- data/src/core/lib/iomgr/load_file.cc +5 -9
- data/src/core/lib/iomgr/lockfree_event.cc +10 -10
- data/src/core/lib/iomgr/pollset_windows.cc +4 -4
- data/src/core/lib/iomgr/python_util.h +2 -2
- data/src/core/lib/iomgr/resolve_address.cc +8 -3
- data/src/core/lib/iomgr/resolve_address.h +3 -4
- data/src/core/lib/iomgr/resolve_address_impl.h +1 -1
- data/src/core/lib/iomgr/resolve_address_posix.cc +14 -25
- data/src/core/lib/iomgr/resolve_address_posix.h +1 -2
- data/src/core/lib/iomgr/resolve_address_windows.cc +14 -17
- data/src/core/lib/iomgr/resolve_address_windows.h +1 -2
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +30 -29
- data/src/core/lib/iomgr/socket_utils_posix.cc +1 -0
- data/src/core/lib/iomgr/socket_utils_posix.h +2 -2
- data/src/core/lib/iomgr/socket_windows.cc +2 -2
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +6 -10
- data/src/core/lib/iomgr/tcp_client_posix.cc +31 -35
- data/src/core/lib/iomgr/tcp_client_windows.cc +8 -12
- data/src/core/lib/iomgr/tcp_posix.cc +92 -108
- data/src/core/lib/iomgr/tcp_server_posix.cc +34 -34
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +1 -1
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +18 -21
- data/src/core/lib/iomgr/tcp_server_utils_posix_ifaddrs.cc +12 -13
- data/src/core/lib/iomgr/tcp_server_utils_posix_noifaddrs.cc +1 -1
- data/src/core/lib/iomgr/tcp_server_windows.cc +26 -29
- data/src/core/lib/iomgr/tcp_windows.cc +27 -34
- data/src/core/lib/iomgr/timer.h +8 -8
- data/src/core/lib/iomgr/timer_generic.cc +9 -15
- data/src/core/lib/iomgr/unix_sockets_posix.cc +2 -4
- data/src/core/lib/iomgr/wakeup_fd_eventfd.cc +4 -3
- data/src/core/lib/iomgr/wakeup_fd_pipe.cc +10 -8
- data/src/core/lib/json/json_channel_args.h +42 -0
- data/src/core/lib/json/json_object_loader.cc +7 -2
- data/src/core/lib/json/json_object_loader.h +22 -0
- data/src/core/lib/json/json_util.cc +5 -5
- data/src/core/lib/json/json_util.h +4 -4
- data/src/core/lib/load_balancing/lb_policy.cc +1 -1
- data/src/core/lib/load_balancing/lb_policy.h +4 -0
- data/src/core/lib/load_balancing/subchannel_interface.h +0 -7
- data/src/core/lib/matchers/matchers.cc +3 -4
- data/src/core/lib/promise/activity.cc +16 -2
- data/src/core/lib/promise/activity.h +38 -15
- data/src/core/lib/promise/arena_promise.h +80 -51
- data/src/core/lib/promise/context.h +13 -6
- data/src/core/lib/promise/detail/basic_seq.h +9 -28
- data/src/core/lib/promise/detail/promise_factory.h +58 -10
- data/src/core/lib/promise/detail/status.h +28 -0
- data/src/core/lib/promise/detail/switch.h +1455 -0
- data/src/core/lib/promise/exec_ctx_wakeup_scheduler.h +3 -1
- data/src/core/lib/promise/for_each.h +129 -0
- data/src/core/lib/promise/loop.h +7 -5
- data/src/core/lib/promise/map_pipe.h +87 -0
- data/src/core/lib/promise/pipe.cc +19 -0
- data/src/core/lib/promise/pipe.h +505 -0
- data/src/core/lib/promise/poll.h +13 -0
- data/src/core/lib/promise/seq.h +3 -5
- data/src/core/lib/promise/sleep.cc +5 -4
- data/src/core/lib/promise/sleep.h +1 -2
- data/src/core/lib/promise/try_concurrently.h +341 -0
- data/src/core/lib/promise/try_seq.h +10 -13
- data/src/core/lib/resolver/server_address.cc +1 -0
- data/src/core/lib/resolver/server_address.h +1 -3
- data/src/core/lib/resource_quota/api.cc +0 -1
- data/src/core/lib/resource_quota/arena.cc +19 -0
- data/src/core/lib/resource_quota/arena.h +89 -0
- data/src/core/lib/resource_quota/memory_quota.cc +1 -0
- data/src/core/lib/security/authorization/grpc_authorization_engine.cc +1 -3
- data/src/core/lib/security/authorization/grpc_server_authz_filter.cc +4 -2
- data/src/core/lib/security/authorization/matchers.cc +25 -22
- data/src/core/lib/security/authorization/rbac_policy.cc +2 -3
- data/src/core/lib/security/context/security_context.h +10 -0
- data/src/core/lib/security/credentials/channel_creds_registry_init.cc +3 -4
- data/src/core/lib/security/credentials/composite/composite_credentials.cc +1 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +77 -55
- data/src/core/lib/security/credentials/external/aws_request_signer.cc +4 -3
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +40 -51
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +17 -21
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +21 -25
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +27 -24
- data/src/core/lib/security/credentials/iam/iam_credentials.cc +1 -0
- data/src/core/lib/security/credentials/jwt/json_token.cc +1 -2
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +1 -1
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +5 -5
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +24 -30
- data/src/core/lib/security/credentials/plugin/plugin_credentials.cc +6 -5
- data/src/core/lib/security/credentials/plugin/plugin_credentials.h +3 -3
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc +19 -27
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h +4 -11
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +29 -41
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc +1 -1
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +6 -11
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +8 -15
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc +2 -2
- data/src/core/lib/security/security_connector/insecure/insecure_security_connector.h +2 -6
- data/src/core/lib/security/security_connector/load_system_roots_supported.cc +1 -4
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +7 -11
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +9 -14
- data/src/core/lib/security/security_connector/ssl_utils.cc +5 -7
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +21 -27
- data/src/core/lib/security/transport/client_auth_filter.cc +1 -1
- data/src/core/lib/security/transport/secure_endpoint.cc +26 -28
- data/src/core/lib/security/transport/security_handshaker.cc +53 -53
- data/src/core/lib/security/transport/server_auth_filter.cc +21 -21
- data/src/core/lib/security/transport/tsi_error.cc +6 -3
- data/src/core/lib/security/util/json_util.cc +4 -5
- data/src/core/lib/service_config/service_config.h +1 -1
- data/src/core/lib/service_config/service_config_impl.cc +111 -158
- data/src/core/lib/service_config/service_config_impl.h +14 -17
- data/src/core/lib/service_config/service_config_parser.cc +14 -31
- data/src/core/lib/service_config/service_config_parser.h +14 -10
- data/src/core/lib/slice/b64.cc +2 -2
- data/src/core/lib/slice/slice.cc +7 -1
- data/src/core/lib/slice/slice.h +19 -6
- data/src/core/lib/slice/slice_buffer.cc +13 -14
- data/src/core/lib/slice/slice_internal.h +13 -21
- data/src/core/lib/slice/slice_refcount.h +34 -19
- data/src/core/lib/surface/byte_buffer.cc +3 -4
- data/src/core/lib/surface/byte_buffer_reader.cc +4 -4
- data/src/core/lib/surface/call.cc +1366 -239
- data/src/core/lib/surface/call.h +44 -0
- data/src/core/lib/surface/call_details.cc +3 -3
- data/src/core/lib/surface/call_trace.cc +113 -0
- data/src/core/lib/surface/call_trace.h +30 -0
- data/src/core/lib/surface/channel.cc +44 -49
- data/src/core/lib/surface/channel.h +9 -1
- data/src/core/lib/surface/channel_ping.cc +1 -1
- data/src/core/lib/surface/channel_stack_type.cc +4 -0
- data/src/core/lib/surface/channel_stack_type.h +2 -0
- data/src/core/lib/surface/completion_queue.cc +38 -52
- data/src/core/lib/surface/init.cc +8 -39
- data/src/core/lib/surface/init_internally.h +8 -0
- data/src/core/lib/surface/lame_client.cc +10 -8
- data/src/core/lib/surface/server.cc +48 -70
- data/src/core/lib/surface/server.h +3 -4
- data/src/core/lib/surface/validate_metadata.cc +11 -12
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/connectivity_state.cc +2 -2
- data/src/core/lib/transport/error_utils.cc +34 -28
- data/src/core/lib/transport/error_utils.h +3 -3
- data/src/core/lib/transport/handshaker.cc +14 -14
- data/src/core/lib/transport/handshaker.h +1 -1
- data/src/core/lib/transport/handshaker_factory.h +26 -0
- data/src/core/lib/transport/handshaker_registry.cc +8 -2
- data/src/core/lib/transport/handshaker_registry.h +3 -4
- data/src/core/lib/transport/http_connect_handshaker.cc +23 -24
- data/src/core/lib/transport/metadata_batch.h +17 -1
- data/src/core/lib/transport/parsed_metadata.cc +2 -6
- data/src/core/lib/transport/tcp_connect_handshaker.cc +15 -20
- data/src/core/lib/transport/transport.cc +63 -17
- data/src/core/lib/transport/transport.h +64 -68
- data/src/core/lib/transport/transport_impl.h +1 -1
- data/src/core/lib/transport/transport_op_string.cc +7 -6
- data/src/core/plugin_registry/grpc_plugin_registry.cc +6 -10
- data/src/core/plugin_registry/grpc_plugin_registry_extra.cc +2 -14
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +10 -10
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +8 -8
- data/src/core/tsi/alts/handshaker/alts_tsi_utils.cc +2 -1
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_integrity_only_record_protocol.cc +7 -7
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_privacy_integrity_record_protocol.cc +7 -6
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.cc +1 -1
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +5 -5
- data/src/core/tsi/fake_transport_security.cc +3 -3
- data/src/core/tsi/ssl/key_logging/ssl_key_logging.cc +7 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +1 -1
- data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +6 -2
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +0 -2
- data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +0 -3
- data/src/ruby/lib/grpc/2.6/grpc_c.so +0 -0
- data/src/ruby/lib/grpc/2.7/grpc_c.so +0 -0
- data/src/ruby/lib/grpc/3.0/grpc_c.so +0 -0
- data/src/ruby/lib/grpc/3.1/grpc_c.so +0 -0
- data/src/ruby/lib/grpc/grpc_c.so +0 -0
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/spec/channel_spec.rb +0 -43
- data/src/ruby/spec/generic/active_call_spec.rb +12 -3
- data/third_party/abseil-cpp/absl/cleanup/cleanup.h +140 -0
- data/third_party/abseil-cpp/absl/cleanup/internal/cleanup.h +100 -0
- data/third_party/zlib/compress.c +3 -3
- data/third_party/zlib/crc32.c +21 -12
- data/third_party/zlib/deflate.c +112 -106
- data/third_party/zlib/deflate.h +2 -2
- data/third_party/zlib/gzlib.c +1 -1
- data/third_party/zlib/gzread.c +3 -5
- data/third_party/zlib/gzwrite.c +1 -1
- data/third_party/zlib/infback.c +10 -7
- data/third_party/zlib/inflate.c +5 -2
- data/third_party/zlib/inftrees.c +2 -2
- data/third_party/zlib/inftrees.h +1 -1
- data/third_party/zlib/trees.c +61 -62
- data/third_party/zlib/uncompr.c +2 -2
- data/third_party/zlib/zconf.h +16 -3
- data/third_party/zlib/zlib.h +10 -10
- data/third_party/zlib/zutil.c +9 -7
- data/third_party/zlib/zutil.h +1 -0
- metadata +55 -18
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +0 -188
- data/src/core/ext/filters/fault_injection/service_config_parser.cc +0 -187
- data/src/core/lib/event_engine/executor/threaded_executor.h +0 -44
- data/src/core/lib/gpr/murmur_hash.cc +0 -82
- data/src/core/lib/gpr/murmur_hash.h +0 -29
- data/src/core/lib/gpr/tls.h +0 -156
- data/src/core/lib/promise/call_push_pull.h +0 -148
- data/src/core/lib/slice/slice_api.cc +0 -39
- data/src/core/lib/slice/slice_buffer_api.cc +0 -35
- data/src/core/lib/slice/slice_refcount_base.h +0 -60
|
@@ -18,599 +18,797 @@
|
|
|
18
18
|
|
|
19
19
|
#include "src/core/ext/filters/rbac/rbac_service_config_parser.h"
|
|
20
20
|
|
|
21
|
-
#include <
|
|
22
|
-
|
|
21
|
+
#include <cstdint>
|
|
23
22
|
#include <map>
|
|
24
23
|
#include <string>
|
|
25
24
|
|
|
26
|
-
#include "absl/memory/memory.h"
|
|
27
25
|
#include "absl/status/status.h"
|
|
28
26
|
#include "absl/status/statusor.h"
|
|
29
|
-
#include "absl/strings/str_cat.h"
|
|
30
|
-
#include "absl/strings/str_format.h"
|
|
31
27
|
#include "absl/types/optional.h"
|
|
32
28
|
|
|
33
29
|
#include "src/core/lib/channel/channel_args.h"
|
|
34
|
-
#include "src/core/lib/
|
|
35
|
-
#include "src/core/lib/json/
|
|
30
|
+
#include "src/core/lib/json/json_args.h"
|
|
31
|
+
#include "src/core/lib/json/json_object_loader.h"
|
|
36
32
|
#include "src/core/lib/matchers/matchers.h"
|
|
37
|
-
#include "src/core/lib/transport/error_utils.h"
|
|
38
33
|
|
|
39
34
|
namespace grpc_core {
|
|
40
35
|
|
|
41
36
|
namespace {
|
|
42
37
|
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
38
|
+
// RbacConfig: one or more RbacPolicy structs
|
|
39
|
+
struct RbacConfig {
|
|
40
|
+
// RbacPolicy: optional Rules
|
|
41
|
+
struct RbacPolicy {
|
|
42
|
+
// Rules: an action, plus a map of policy names to Policy structs
|
|
43
|
+
struct Rules {
|
|
44
|
+
// Policy: a list of Permissions and a list of Principals
|
|
45
|
+
struct Policy {
|
|
46
|
+
// CidrRange: represents an IP range
|
|
47
|
+
struct CidrRange {
|
|
48
|
+
Rbac::CidrRange cidr_range;
|
|
49
|
+
|
|
50
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
51
|
+
void JsonPostLoad(const Json& json, const JsonArgs& args,
|
|
52
|
+
ValidationErrors* errors);
|
|
53
|
+
};
|
|
54
|
+
|
|
55
|
+
// SafeRegexMatch: a regex matcher
|
|
56
|
+
struct SafeRegexMatch {
|
|
57
|
+
std::string regex;
|
|
58
|
+
|
|
59
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
60
|
+
};
|
|
61
|
+
|
|
62
|
+
// HeaderMatch: a matcher for HTTP headers
|
|
63
|
+
struct HeaderMatch {
|
|
64
|
+
// RangeMatch: matches a range of numerical values
|
|
65
|
+
struct RangeMatch {
|
|
66
|
+
int64_t start;
|
|
67
|
+
int64_t end;
|
|
68
|
+
|
|
69
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
70
|
+
};
|
|
71
|
+
|
|
72
|
+
HeaderMatcher matcher;
|
|
73
|
+
|
|
74
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
75
|
+
void JsonPostLoad(const Json& json, const JsonArgs& args,
|
|
76
|
+
ValidationErrors* errors);
|
|
77
|
+
};
|
|
78
|
+
|
|
79
|
+
// StringMatch: a matcher for strings
|
|
80
|
+
struct StringMatch {
|
|
81
|
+
StringMatcher matcher;
|
|
82
|
+
|
|
83
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
84
|
+
void JsonPostLoad(const Json& json, const JsonArgs& args,
|
|
85
|
+
ValidationErrors* errors);
|
|
86
|
+
};
|
|
87
|
+
|
|
88
|
+
// PathMatch: a matcher for paths
|
|
89
|
+
struct PathMatch {
|
|
90
|
+
StringMatch path;
|
|
91
|
+
|
|
92
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
93
|
+
};
|
|
94
|
+
|
|
95
|
+
// Metadata: a matcher for Envoy metadata (not really applicable
|
|
96
|
+
// to gRPC; we use only the invert field for proper match semantics)
|
|
97
|
+
struct Metadata {
|
|
98
|
+
bool invert = false;
|
|
99
|
+
|
|
100
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
101
|
+
};
|
|
102
|
+
|
|
103
|
+
// Permission: a matcher for request attributes
|
|
104
|
+
struct Permission {
|
|
105
|
+
// PermissionList: a list used for "and" and "or" matchers
|
|
106
|
+
struct PermissionList {
|
|
107
|
+
std::vector<Permission> rules;
|
|
108
|
+
|
|
109
|
+
PermissionList() = default;
|
|
110
|
+
PermissionList(const PermissionList&) = delete;
|
|
111
|
+
PermissionList& operator=(const PermissionList&) = delete;
|
|
112
|
+
PermissionList(PermissionList&&) = default;
|
|
113
|
+
PermissionList& operator=(PermissionList&&) = default;
|
|
114
|
+
|
|
115
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
116
|
+
};
|
|
117
|
+
|
|
118
|
+
std::unique_ptr<Rbac::Permission> permission;
|
|
119
|
+
|
|
120
|
+
Permission() = default;
|
|
121
|
+
Permission(const Permission&) = delete;
|
|
122
|
+
Permission& operator=(const Permission&) = delete;
|
|
123
|
+
Permission(Permission&&) = default;
|
|
124
|
+
Permission& operator=(Permission&&) = default;
|
|
125
|
+
|
|
126
|
+
static std::vector<std::unique_ptr<Rbac::Permission>>
|
|
127
|
+
MakeRbacPermissionList(std::vector<Permission> permission_list);
|
|
128
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
129
|
+
void JsonPostLoad(const Json& json, const JsonArgs& args,
|
|
130
|
+
ValidationErrors* errors);
|
|
131
|
+
};
|
|
132
|
+
|
|
133
|
+
// Principal: a matcher for client identity
|
|
134
|
+
struct Principal {
|
|
135
|
+
// PrincipalList: a list used for "and" and "or" matchers
|
|
136
|
+
struct PrincipalList {
|
|
137
|
+
std::vector<Principal> ids;
|
|
138
|
+
|
|
139
|
+
PrincipalList() = default;
|
|
140
|
+
PrincipalList(const PrincipalList&) = delete;
|
|
141
|
+
PrincipalList& operator=(const PrincipalList&) = delete;
|
|
142
|
+
PrincipalList(PrincipalList&&) = default;
|
|
143
|
+
PrincipalList& operator=(PrincipalList&&) = default;
|
|
144
|
+
|
|
145
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
146
|
+
};
|
|
147
|
+
|
|
148
|
+
struct Authenticated {
|
|
149
|
+
absl::optional<StringMatch> principal_name;
|
|
150
|
+
|
|
151
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
152
|
+
};
|
|
153
|
+
|
|
154
|
+
std::unique_ptr<Rbac::Principal> principal;
|
|
155
|
+
|
|
156
|
+
Principal() = default;
|
|
157
|
+
Principal(const Principal&) = delete;
|
|
158
|
+
Principal& operator=(const Principal&) = delete;
|
|
159
|
+
Principal(Principal&&) = default;
|
|
160
|
+
Principal& operator=(Principal&&) = default;
|
|
161
|
+
|
|
162
|
+
static std::vector<std::unique_ptr<Rbac::Principal>>
|
|
163
|
+
MakeRbacPrincipalList(std::vector<Principal> principal_list);
|
|
164
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
165
|
+
void JsonPostLoad(const Json& json, const JsonArgs& args,
|
|
166
|
+
ValidationErrors* errors);
|
|
167
|
+
};
|
|
168
|
+
|
|
169
|
+
std::vector<Permission> permissions;
|
|
170
|
+
std::vector<Principal> principals;
|
|
171
|
+
|
|
172
|
+
Policy() = default;
|
|
173
|
+
Policy(const Policy&) = delete;
|
|
174
|
+
Policy& operator=(const Policy&) = delete;
|
|
175
|
+
Policy(Policy&&) = default;
|
|
176
|
+
Policy& operator=(Policy&&) = default;
|
|
177
|
+
|
|
178
|
+
Rbac::Policy TakeAsRbacPolicy();
|
|
179
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
180
|
+
};
|
|
181
|
+
|
|
182
|
+
int action;
|
|
183
|
+
std::map<std::string, Policy> policies;
|
|
184
|
+
|
|
185
|
+
Rules() = default;
|
|
186
|
+
Rules(const Rules&) = delete;
|
|
187
|
+
Rules& operator=(const Rules&) = delete;
|
|
188
|
+
Rules(Rules&&) = default;
|
|
189
|
+
Rules& operator=(Rules&&) = default;
|
|
190
|
+
|
|
191
|
+
Rbac TakeAsRbac();
|
|
192
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
193
|
+
void JsonPostLoad(const Json&, const JsonArgs&, ValidationErrors* errors);
|
|
194
|
+
};
|
|
195
|
+
|
|
196
|
+
absl::optional<Rules> rules;
|
|
197
|
+
|
|
198
|
+
Rbac TakeAsRbac();
|
|
199
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
200
|
+
};
|
|
201
|
+
|
|
202
|
+
std::vector<RbacPolicy> rbac_policies;
|
|
203
|
+
|
|
204
|
+
std::vector<Rbac> TakeAsRbacList();
|
|
205
|
+
static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
|
|
206
|
+
};
|
|
207
|
+
|
|
208
|
+
//
|
|
209
|
+
// RbacConfig::RbacPolicy::Rules::Policy::CidrRange
|
|
210
|
+
//
|
|
211
|
+
|
|
212
|
+
const JsonLoaderInterface*
|
|
213
|
+
RbacConfig::RbacPolicy::Rules::Policy::CidrRange::JsonLoader(const JsonArgs&) {
|
|
214
|
+
// All fields handled in JsonPostLoad().
|
|
215
|
+
static const auto* loader = JsonObjectLoader<CidrRange>().Finish();
|
|
216
|
+
return loader;
|
|
48
217
|
}
|
|
49
218
|
|
|
50
|
-
|
|
51
|
-
const Json
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
int64_t end = 0;
|
|
60
|
-
bool present_match = false;
|
|
61
|
-
bool invert_match = false;
|
|
62
|
-
ParseJsonObjectField(header_matcher_json, "invertMatch", &invert_match,
|
|
63
|
-
error_list, /*required=*/false);
|
|
64
|
-
if (ParseJsonObjectField(header_matcher_json, "exactMatch", &match,
|
|
65
|
-
error_list, /*required=*/false)) {
|
|
66
|
-
type = HeaderMatcher::Type::kExact;
|
|
67
|
-
} else if (ParseJsonObjectField(header_matcher_json, "safeRegexMatch",
|
|
68
|
-
&inner_json, error_list,
|
|
69
|
-
/*required=*/false)) {
|
|
70
|
-
type = HeaderMatcher::Type::kSafeRegex;
|
|
71
|
-
std::vector<grpc_error_handle> safe_regex_matcher_error_list;
|
|
72
|
-
match = ParseRegexMatcher(*inner_json, &safe_regex_matcher_error_list);
|
|
73
|
-
if (!safe_regex_matcher_error_list.empty()) {
|
|
74
|
-
error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
|
|
75
|
-
"safeRegexMatch", &safe_regex_matcher_error_list));
|
|
76
|
-
}
|
|
77
|
-
} else if (ParseJsonObjectField(header_matcher_json, "rangeMatch",
|
|
78
|
-
&inner_json, error_list,
|
|
79
|
-
/*required=*/false)) {
|
|
80
|
-
type = HeaderMatcher::Type::kRange;
|
|
81
|
-
std::vector<grpc_error_handle> range_error_list;
|
|
82
|
-
ParseJsonObjectField(*inner_json, "start", &start, &range_error_list);
|
|
83
|
-
ParseJsonObjectField(*inner_json, "end", &end, &range_error_list);
|
|
84
|
-
if (!range_error_list.empty()) {
|
|
85
|
-
error_list->push_back(
|
|
86
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("rangeMatch", &range_error_list));
|
|
87
|
-
}
|
|
88
|
-
} else if (ParseJsonObjectField(header_matcher_json, "presentMatch",
|
|
89
|
-
&present_match, error_list,
|
|
90
|
-
/*required=*/false)) {
|
|
91
|
-
type = HeaderMatcher::Type::kPresent;
|
|
92
|
-
} else if (ParseJsonObjectField(header_matcher_json, "prefixMatch", &match,
|
|
93
|
-
error_list, /*required=*/false)) {
|
|
94
|
-
type = HeaderMatcher::Type::kPrefix;
|
|
95
|
-
} else if (ParseJsonObjectField(header_matcher_json, "suffixMatch", &match,
|
|
96
|
-
error_list, /*required=*/false)) {
|
|
97
|
-
type = HeaderMatcher::Type::kSuffix;
|
|
98
|
-
} else if (ParseJsonObjectField(header_matcher_json, "containsMatch", &match,
|
|
99
|
-
error_list, /*required=*/false)) {
|
|
100
|
-
type = HeaderMatcher::Type::kContains;
|
|
101
|
-
} else {
|
|
102
|
-
return absl::InvalidArgumentError("No valid matcher found");
|
|
103
|
-
}
|
|
104
|
-
return HeaderMatcher::Create(name, type, match, start, end, present_match,
|
|
105
|
-
invert_match);
|
|
219
|
+
void RbacConfig::RbacPolicy::Rules::Policy::CidrRange::JsonPostLoad(
|
|
220
|
+
const Json& json, const JsonArgs& args, ValidationErrors* errors) {
|
|
221
|
+
auto address_prefix = LoadJsonObjectField<std::string>(
|
|
222
|
+
json.object_value(), args, "addressPrefix", errors);
|
|
223
|
+
auto prefix_len = LoadJsonObjectField<uint32_t>(json.object_value(), args,
|
|
224
|
+
"prefixLen", errors,
|
|
225
|
+
/*required=*/false);
|
|
226
|
+
cidr_range =
|
|
227
|
+
Rbac::CidrRange(address_prefix.value_or(""), prefix_len.value_or(0));
|
|
106
228
|
}
|
|
107
229
|
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
type = StringMatcher::Type::kExact;
|
|
120
|
-
} else if (ParseJsonObjectField(string_matcher_json, "prefix", &match,
|
|
121
|
-
error_list, /*required=*/false)) {
|
|
122
|
-
type = StringMatcher::Type::kPrefix;
|
|
123
|
-
} else if (ParseJsonObjectField(string_matcher_json, "suffix", &match,
|
|
124
|
-
error_list, /*required=*/false)) {
|
|
125
|
-
type = StringMatcher::Type::kSuffix;
|
|
126
|
-
} else if (ParseJsonObjectField(string_matcher_json, "safeRegex", &inner_json,
|
|
127
|
-
error_list, /*required=*/false)) {
|
|
128
|
-
type = StringMatcher::Type::kSafeRegex;
|
|
129
|
-
std::vector<grpc_error_handle> safe_regex_matcher_error_list;
|
|
130
|
-
match = ParseRegexMatcher(*inner_json, &safe_regex_matcher_error_list);
|
|
131
|
-
if (!safe_regex_matcher_error_list.empty()) {
|
|
132
|
-
error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
|
|
133
|
-
"safeRegex", &safe_regex_matcher_error_list));
|
|
134
|
-
}
|
|
135
|
-
} else if (ParseJsonObjectField(string_matcher_json, "contains", &match,
|
|
136
|
-
error_list, /*required=*/false)) {
|
|
137
|
-
type = StringMatcher::Type::kContains;
|
|
138
|
-
} else {
|
|
139
|
-
return absl::InvalidArgumentError("No valid matcher found");
|
|
140
|
-
}
|
|
141
|
-
return StringMatcher::Create(type, match, ignore_case);
|
|
230
|
+
//
|
|
231
|
+
// RbacConfig::RbacPolicy::Rules::Policy::SafeRegexMatch
|
|
232
|
+
//
|
|
233
|
+
|
|
234
|
+
const JsonLoaderInterface*
|
|
235
|
+
RbacConfig::RbacPolicy::Rules::Policy::SafeRegexMatch::JsonLoader(
|
|
236
|
+
const JsonArgs&) {
|
|
237
|
+
static const auto* loader = JsonObjectLoader<SafeRegexMatch>()
|
|
238
|
+
.Field("regex", &SafeRegexMatch::regex)
|
|
239
|
+
.Finish();
|
|
240
|
+
return loader;
|
|
142
241
|
}
|
|
143
242
|
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
return matcher;
|
|
157
|
-
}
|
|
158
|
-
return absl::InvalidArgumentError("No path found");
|
|
243
|
+
//
|
|
244
|
+
// RbacConfig::RbacPolicy::Rules::Policy::HeaderMatch::RangeMatch
|
|
245
|
+
//
|
|
246
|
+
|
|
247
|
+
const JsonLoaderInterface*
|
|
248
|
+
RbacConfig::RbacPolicy::Rules::Policy::HeaderMatch::RangeMatch::JsonLoader(
|
|
249
|
+
const JsonArgs&) {
|
|
250
|
+
static const auto* loader = JsonObjectLoader<RangeMatch>()
|
|
251
|
+
.Field("start", &RangeMatch::start)
|
|
252
|
+
.Field("end", &RangeMatch::end)
|
|
253
|
+
.Finish();
|
|
254
|
+
return loader;
|
|
159
255
|
}
|
|
160
256
|
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
ParseJsonObjectField(*uint32_json, "value", &prefix_len, &sub_error_list);
|
|
172
|
-
if (!sub_error_list.empty()) {
|
|
173
|
-
error_list->push_back(
|
|
174
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("prefixLen", &sub_error_list));
|
|
175
|
-
}
|
|
176
|
-
}
|
|
177
|
-
return Rbac::CidrRange(std::move(address_prefix), prefix_len);
|
|
257
|
+
//
|
|
258
|
+
// RbacConfig::RbacPolicy::Rules::Policy::HeaderMatch
|
|
259
|
+
//
|
|
260
|
+
|
|
261
|
+
const JsonLoaderInterface*
|
|
262
|
+
RbacConfig::RbacPolicy::Rules::Policy::HeaderMatch::JsonLoader(
|
|
263
|
+
const JsonArgs&) {
|
|
264
|
+
// All fields handled in JsonPostLoad().
|
|
265
|
+
static const auto* loader = JsonObjectLoader<HeaderMatch>().Finish();
|
|
266
|
+
return loader;
|
|
178
267
|
}
|
|
179
268
|
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
continue;
|
|
194
|
-
}
|
|
195
|
-
std::vector<grpc_error_handle> permission_error_list;
|
|
196
|
-
permissions.emplace_back(absl::make_unique<Rbac::Permission>(
|
|
197
|
-
ParsePermission(*permission_json, &permission_error_list)));
|
|
198
|
-
if (!permission_error_list.empty()) {
|
|
199
|
-
error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING(
|
|
200
|
-
absl::StrFormat("rules[%d]", i), &permission_error_list));
|
|
201
|
-
}
|
|
202
|
-
}
|
|
203
|
-
}
|
|
204
|
-
return permissions;
|
|
205
|
-
};
|
|
206
|
-
Rbac::Permission permission;
|
|
207
|
-
const Json::Object* inner_json;
|
|
208
|
-
bool any;
|
|
209
|
-
int port;
|
|
210
|
-
if (ParseJsonObjectField(permission_json, "andRules", &inner_json, error_list,
|
|
211
|
-
/*required=*/false)) {
|
|
212
|
-
std::vector<grpc_error_handle> and_rules_error_list;
|
|
213
|
-
permission = Rbac::Permission::MakeAndPermission(
|
|
214
|
-
parse_permission_set(*inner_json, &and_rules_error_list));
|
|
215
|
-
if (!and_rules_error_list.empty()) {
|
|
216
|
-
error_list->push_back(
|
|
217
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("andRules", &and_rules_error_list));
|
|
218
|
-
}
|
|
219
|
-
} else if (ParseJsonObjectField(permission_json, "orRules", &inner_json,
|
|
220
|
-
error_list, /*required=*/false)) {
|
|
221
|
-
std::vector<grpc_error_handle> or_rules_error_list;
|
|
222
|
-
permission = Rbac::Permission::MakeOrPermission(
|
|
223
|
-
parse_permission_set(*inner_json, &or_rules_error_list));
|
|
224
|
-
if (!or_rules_error_list.empty()) {
|
|
225
|
-
error_list->push_back(
|
|
226
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("orRules", &or_rules_error_list));
|
|
227
|
-
}
|
|
228
|
-
} else if (ParseJsonObjectField(permission_json, "any", &any, error_list,
|
|
229
|
-
/*required=*/false) &&
|
|
230
|
-
any) {
|
|
231
|
-
permission = Rbac::Permission::MakeAnyPermission();
|
|
232
|
-
} else if (ParseJsonObjectField(permission_json, "header", &inner_json,
|
|
233
|
-
error_list,
|
|
234
|
-
/*required=*/false)) {
|
|
235
|
-
std::vector<grpc_error_handle> header_error_list;
|
|
236
|
-
auto matcher = ParseHeaderMatcher(*inner_json, &header_error_list);
|
|
237
|
-
if (matcher.ok()) {
|
|
238
|
-
permission = Rbac::Permission::MakeHeaderPermission(*matcher);
|
|
269
|
+
void RbacConfig::RbacPolicy::Rules::Policy::HeaderMatch::JsonPostLoad(
|
|
270
|
+
const Json& json, const JsonArgs& args, ValidationErrors* errors) {
|
|
271
|
+
const size_t original_error_size = errors->size();
|
|
272
|
+
std::string name = LoadJsonObjectField<std::string>(json.object_value(), args,
|
|
273
|
+
"name", errors)
|
|
274
|
+
.value_or("");
|
|
275
|
+
bool invert_match = LoadJsonObjectField<bool>(json.object_value(), args,
|
|
276
|
+
"invertMatch", errors,
|
|
277
|
+
/*required=*/false)
|
|
278
|
+
.value_or(false);
|
|
279
|
+
auto set_header_matcher = [&](absl::StatusOr<HeaderMatcher> header_matcher) {
|
|
280
|
+
if (header_matcher.ok()) {
|
|
281
|
+
matcher = *header_matcher;
|
|
239
282
|
} else {
|
|
240
|
-
|
|
241
|
-
}
|
|
242
|
-
if (!header_error_list.empty()) {
|
|
243
|
-
error_list->push_back(
|
|
244
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("header", &header_error_list));
|
|
245
|
-
}
|
|
246
|
-
} else if (ParseJsonObjectField(permission_json, "urlPath", &inner_json,
|
|
247
|
-
error_list,
|
|
248
|
-
/*required=*/false)) {
|
|
249
|
-
std::vector<grpc_error_handle> url_path_error_list;
|
|
250
|
-
auto matcher = ParsePathMatcher(*inner_json, &url_path_error_list);
|
|
251
|
-
if (matcher.ok()) {
|
|
252
|
-
permission = Rbac::Permission::MakePathPermission(*matcher);
|
|
253
|
-
} else {
|
|
254
|
-
url_path_error_list.push_back(
|
|
255
|
-
absl_status_to_grpc_error(matcher.status()));
|
|
256
|
-
}
|
|
257
|
-
if (!url_path_error_list.empty()) {
|
|
258
|
-
error_list->push_back(
|
|
259
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("urlPath", &url_path_error_list));
|
|
283
|
+
errors->AddError(header_matcher.status().message());
|
|
260
284
|
}
|
|
261
|
-
}
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
}
|
|
274
|
-
|
|
275
|
-
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
|
|
286
|
-
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
} else {
|
|
310
|
-
error_list->push_back(
|
|
311
|
-
GRPC_ERROR_CREATE_FROM_STATIC_STRING("No valid rule found"));
|
|
285
|
+
};
|
|
286
|
+
auto check_match = [&](absl::string_view field_name,
|
|
287
|
+
HeaderMatcher::Type type) {
|
|
288
|
+
auto match = LoadJsonObjectField<std::string>(json.object_value(), args,
|
|
289
|
+
field_name, errors,
|
|
290
|
+
/*required=*/false);
|
|
291
|
+
if (match.has_value()) {
|
|
292
|
+
set_header_matcher(
|
|
293
|
+
HeaderMatcher::Create(name, type, *match, 0, 0, false, invert_match));
|
|
294
|
+
return true;
|
|
295
|
+
}
|
|
296
|
+
return false;
|
|
297
|
+
};
|
|
298
|
+
if (check_match("exactMatch", HeaderMatcher::Type::kExact) ||
|
|
299
|
+
check_match("prefixMatch", HeaderMatcher::Type::kPrefix) ||
|
|
300
|
+
check_match("suffixMatch", HeaderMatcher::Type::kSuffix) ||
|
|
301
|
+
check_match("containsMatch", HeaderMatcher::Type::kContains)) {
|
|
302
|
+
return;
|
|
303
|
+
}
|
|
304
|
+
auto present_match = LoadJsonObjectField<bool>(json.object_value(), args,
|
|
305
|
+
"presentMatch", errors,
|
|
306
|
+
/*required=*/false);
|
|
307
|
+
if (present_match.has_value()) {
|
|
308
|
+
set_header_matcher(
|
|
309
|
+
HeaderMatcher::Create(name, HeaderMatcher::Type::kPresent, "", 0, 0,
|
|
310
|
+
*present_match, invert_match));
|
|
311
|
+
return;
|
|
312
|
+
}
|
|
313
|
+
auto regex_match = LoadJsonObjectField<SafeRegexMatch>(
|
|
314
|
+
json.object_value(), args, "safeRegexMatch", errors,
|
|
315
|
+
/*required=*/false);
|
|
316
|
+
if (regex_match.has_value()) {
|
|
317
|
+
set_header_matcher(
|
|
318
|
+
HeaderMatcher::Create(name, HeaderMatcher::Type::kSafeRegex,
|
|
319
|
+
regex_match->regex, 0, 0, false, invert_match));
|
|
320
|
+
return;
|
|
321
|
+
}
|
|
322
|
+
auto range_match = LoadJsonObjectField<RangeMatch>(json.object_value(), args,
|
|
323
|
+
"rangeMatch", errors,
|
|
324
|
+
/*required=*/false);
|
|
325
|
+
if (range_match.has_value()) {
|
|
326
|
+
set_header_matcher(HeaderMatcher::Create(name, HeaderMatcher::Type::kRange,
|
|
327
|
+
"", range_match->start,
|
|
328
|
+
range_match->end, invert_match));
|
|
329
|
+
return;
|
|
330
|
+
}
|
|
331
|
+
if (errors->size() == original_error_size) {
|
|
332
|
+
errors->AddError("no valid matcher found");
|
|
312
333
|
}
|
|
313
|
-
return permission;
|
|
314
334
|
}
|
|
315
335
|
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
|
|
319
|
-
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
|
|
325
|
-
|
|
326
|
-
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
}
|
|
339
|
-
}
|
|
340
|
-
return principals;
|
|
341
|
-
};
|
|
342
|
-
Rbac::Principal principal;
|
|
343
|
-
const Json::Object* inner_json;
|
|
344
|
-
bool any;
|
|
345
|
-
if (ParseJsonObjectField(principal_json, "andIds", &inner_json, error_list,
|
|
346
|
-
/*required=*/false)) {
|
|
347
|
-
std::vector<grpc_error_handle> and_rules_error_list;
|
|
348
|
-
principal = Rbac::Principal::MakeAndPrincipal(
|
|
349
|
-
parse_principal_set(*inner_json, &and_rules_error_list));
|
|
350
|
-
if (!and_rules_error_list.empty()) {
|
|
351
|
-
error_list->push_back(
|
|
352
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("andIds", &and_rules_error_list));
|
|
353
|
-
}
|
|
354
|
-
} else if (ParseJsonObjectField(principal_json, "orIds", &inner_json,
|
|
355
|
-
error_list, /*required=*/false)) {
|
|
356
|
-
std::vector<grpc_error_handle> or_rules_error_list;
|
|
357
|
-
principal = Rbac::Principal::MakeOrPrincipal(
|
|
358
|
-
parse_principal_set(*inner_json, &or_rules_error_list));
|
|
359
|
-
if (!or_rules_error_list.empty()) {
|
|
360
|
-
error_list->push_back(
|
|
361
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("orIds", &or_rules_error_list));
|
|
362
|
-
}
|
|
363
|
-
} else if (ParseJsonObjectField(principal_json, "any", &any, error_list,
|
|
364
|
-
/*required=*/false) &&
|
|
365
|
-
any) {
|
|
366
|
-
principal = Rbac::Principal::MakeAnyPrincipal();
|
|
367
|
-
} else if (ParseJsonObjectField(principal_json, "authenticated", &inner_json,
|
|
368
|
-
error_list, /*required=*/false)) {
|
|
369
|
-
std::vector<grpc_error_handle> authenticated_error_list;
|
|
370
|
-
const Json::Object* principal_name_json;
|
|
371
|
-
if (ParseJsonObjectField(*inner_json, "principalName", &principal_name_json,
|
|
372
|
-
&authenticated_error_list, /*required=*/false)) {
|
|
373
|
-
std::vector<grpc_error_handle> principal_name_error_list;
|
|
374
|
-
auto matcher =
|
|
375
|
-
ParseStringMatcher(*principal_name_json, &principal_name_error_list);
|
|
376
|
-
if (matcher.ok()) {
|
|
377
|
-
principal = Rbac::Principal::MakeAuthenticatedPrincipal(*matcher);
|
|
378
|
-
} else {
|
|
379
|
-
principal_name_error_list.push_back(
|
|
380
|
-
absl_status_to_grpc_error(matcher.status()));
|
|
381
|
-
}
|
|
382
|
-
if (!principal_name_error_list.empty()) {
|
|
383
|
-
authenticated_error_list.push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
|
|
384
|
-
"principalName", &principal_name_error_list));
|
|
385
|
-
}
|
|
386
|
-
} else if (authenticated_error_list.empty()) {
|
|
387
|
-
// No principalName found. Match for all users.
|
|
388
|
-
principal = Rbac::Principal::MakeAnyPrincipal();
|
|
389
|
-
} else {
|
|
390
|
-
error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
|
|
391
|
-
"authenticated", &authenticated_error_list));
|
|
392
|
-
}
|
|
393
|
-
} else if (ParseJsonObjectField(principal_json, "sourceIp", &inner_json,
|
|
394
|
-
error_list, /*required=*/false)) {
|
|
395
|
-
std::vector<grpc_error_handle> source_ip_error_list;
|
|
396
|
-
principal = Rbac::Principal::MakeSourceIpPrincipal(
|
|
397
|
-
ParseCidrRange(*inner_json, &source_ip_error_list));
|
|
398
|
-
if (!source_ip_error_list.empty()) {
|
|
399
|
-
error_list->push_back(
|
|
400
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("sourceIp", &source_ip_error_list));
|
|
401
|
-
}
|
|
402
|
-
} else if (ParseJsonObjectField(principal_json, "directRemoteIp", &inner_json,
|
|
403
|
-
error_list, /*required=*/false)) {
|
|
404
|
-
std::vector<grpc_error_handle> direct_remote_ip_error_list;
|
|
405
|
-
principal = Rbac::Principal::MakeDirectRemoteIpPrincipal(
|
|
406
|
-
ParseCidrRange(*inner_json, &direct_remote_ip_error_list));
|
|
407
|
-
if (!direct_remote_ip_error_list.empty()) {
|
|
408
|
-
error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
|
|
409
|
-
"directRemoteIp", &direct_remote_ip_error_list));
|
|
410
|
-
}
|
|
411
|
-
} else if (ParseJsonObjectField(principal_json, "remoteIp", &inner_json,
|
|
412
|
-
error_list, /*required=*/false)) {
|
|
413
|
-
std::vector<grpc_error_handle> remote_ip_error_list;
|
|
414
|
-
principal = Rbac::Principal::MakeRemoteIpPrincipal(
|
|
415
|
-
ParseCidrRange(*inner_json, &remote_ip_error_list));
|
|
416
|
-
if (!remote_ip_error_list.empty()) {
|
|
417
|
-
error_list->push_back(
|
|
418
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("remoteIp", &remote_ip_error_list));
|
|
419
|
-
}
|
|
420
|
-
} else if (ParseJsonObjectField(principal_json, "header", &inner_json,
|
|
421
|
-
error_list,
|
|
422
|
-
/*required=*/false)) {
|
|
423
|
-
std::vector<grpc_error_handle> header_error_list;
|
|
424
|
-
auto matcher = ParseHeaderMatcher(*inner_json, &header_error_list);
|
|
425
|
-
if (matcher.ok()) {
|
|
426
|
-
principal = Rbac::Principal::MakeHeaderPrincipal(*matcher);
|
|
427
|
-
} else {
|
|
428
|
-
header_error_list.push_back(absl_status_to_grpc_error(matcher.status()));
|
|
429
|
-
}
|
|
430
|
-
if (!header_error_list.empty()) {
|
|
431
|
-
error_list->push_back(
|
|
432
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("header", &header_error_list));
|
|
433
|
-
}
|
|
434
|
-
} else if (ParseJsonObjectField(principal_json, "urlPath", &inner_json,
|
|
435
|
-
error_list,
|
|
436
|
-
/*required=*/false)) {
|
|
437
|
-
std::vector<grpc_error_handle> url_path_error_list;
|
|
438
|
-
auto matcher = ParsePathMatcher(*inner_json, &url_path_error_list);
|
|
439
|
-
if (matcher.ok()) {
|
|
440
|
-
principal = Rbac::Principal::MakePathPrincipal(*matcher);
|
|
441
|
-
} else {
|
|
442
|
-
url_path_error_list.push_back(
|
|
443
|
-
absl_status_to_grpc_error(matcher.status()));
|
|
444
|
-
}
|
|
445
|
-
if (!url_path_error_list.empty()) {
|
|
446
|
-
error_list->push_back(
|
|
447
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("urlPath", &url_path_error_list));
|
|
448
|
-
}
|
|
449
|
-
} else if (ParseJsonObjectField(principal_json, "metadata", &inner_json,
|
|
450
|
-
error_list, /*required=*/false)) {
|
|
451
|
-
std::vector<grpc_error_handle> metadata_error_list;
|
|
452
|
-
bool invert = false;
|
|
453
|
-
ParseJsonObjectField(*inner_json, "invert", &invert, &metadata_error_list,
|
|
454
|
-
/*required=*/false);
|
|
455
|
-
if (metadata_error_list.empty()) {
|
|
456
|
-
principal = Rbac::Principal::MakeMetadataPrincipal(invert);
|
|
336
|
+
//
|
|
337
|
+
// RbacConfig::RbacPolicy::Rules::Policy::StringMatch
|
|
338
|
+
//
|
|
339
|
+
|
|
340
|
+
const JsonLoaderInterface*
|
|
341
|
+
RbacConfig::RbacPolicy::Rules::Policy::StringMatch::JsonLoader(
|
|
342
|
+
const JsonArgs&) {
|
|
343
|
+
// All fields handled in JsonPostLoad().
|
|
344
|
+
static const auto* loader = JsonObjectLoader<StringMatch>().Finish();
|
|
345
|
+
return loader;
|
|
346
|
+
}
|
|
347
|
+
|
|
348
|
+
void RbacConfig::RbacPolicy::Rules::Policy::StringMatch::JsonPostLoad(
|
|
349
|
+
const Json& json, const JsonArgs& args, ValidationErrors* errors) {
|
|
350
|
+
const size_t original_error_size = errors->size();
|
|
351
|
+
bool ignore_case =
|
|
352
|
+
LoadJsonObjectField<bool>(json.object_value(), args, "ignoreCase", errors,
|
|
353
|
+
/*required=*/false)
|
|
354
|
+
.value_or(false);
|
|
355
|
+
auto set_string_matcher = [&](absl::StatusOr<StringMatcher> string_matcher) {
|
|
356
|
+
if (string_matcher.ok()) {
|
|
357
|
+
matcher = *string_matcher;
|
|
457
358
|
} else {
|
|
458
|
-
|
|
459
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("metadata", &metadata_error_list));
|
|
460
|
-
}
|
|
461
|
-
} else if (ParseJsonObjectField(principal_json, "notId", &inner_json,
|
|
462
|
-
error_list, /*required=*/false)) {
|
|
463
|
-
std::vector<grpc_error_handle> not_rule_error_list;
|
|
464
|
-
principal = Rbac::Principal::MakeNotPrincipal(
|
|
465
|
-
ParsePrincipal(*inner_json, ¬_rule_error_list));
|
|
466
|
-
if (!not_rule_error_list.empty()) {
|
|
467
|
-
error_list->push_back(
|
|
468
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("notId", ¬_rule_error_list));
|
|
359
|
+
errors->AddError(string_matcher.status().message());
|
|
469
360
|
}
|
|
470
|
-
}
|
|
471
|
-
|
|
472
|
-
|
|
361
|
+
};
|
|
362
|
+
auto check_match = [&](absl::string_view field_name,
|
|
363
|
+
StringMatcher::Type type) {
|
|
364
|
+
auto match = LoadJsonObjectField<std::string>(json.object_value(), args,
|
|
365
|
+
field_name, errors,
|
|
366
|
+
/*required=*/false);
|
|
367
|
+
if (match.has_value()) {
|
|
368
|
+
set_string_matcher(StringMatcher::Create(type, *match, ignore_case));
|
|
369
|
+
return true;
|
|
370
|
+
}
|
|
371
|
+
return false;
|
|
372
|
+
};
|
|
373
|
+
if (check_match("exact", StringMatcher::Type::kExact) ||
|
|
374
|
+
check_match("prefix", StringMatcher::Type::kPrefix) ||
|
|
375
|
+
check_match("suffix", StringMatcher::Type::kSuffix) ||
|
|
376
|
+
check_match("contains", StringMatcher::Type::kContains)) {
|
|
377
|
+
return;
|
|
378
|
+
}
|
|
379
|
+
auto regex_match = LoadJsonObjectField<SafeRegexMatch>(
|
|
380
|
+
json.object_value(), args, "safeRegex", errors,
|
|
381
|
+
/*required=*/false);
|
|
382
|
+
if (regex_match.has_value()) {
|
|
383
|
+
set_string_matcher(StringMatcher::Create(StringMatcher::Type::kSafeRegex,
|
|
384
|
+
regex_match->regex, ignore_case));
|
|
385
|
+
return;
|
|
386
|
+
}
|
|
387
|
+
if (errors->size() == original_error_size) {
|
|
388
|
+
errors->AddError("no valid matcher found");
|
|
473
389
|
}
|
|
474
|
-
return principal;
|
|
475
390
|
}
|
|
476
391
|
|
|
477
|
-
|
|
478
|
-
|
|
479
|
-
|
|
480
|
-
|
|
392
|
+
//
|
|
393
|
+
// RbacConfig::RbacPolicy::Rules::Policy::PathMatch
|
|
394
|
+
//
|
|
395
|
+
|
|
396
|
+
const JsonLoaderInterface*
|
|
397
|
+
RbacConfig::RbacPolicy::Rules::Policy::PathMatch::JsonLoader(const JsonArgs&) {
|
|
398
|
+
static const auto* loader =
|
|
399
|
+
JsonObjectLoader<PathMatch>().Field("path", &PathMatch::path).Finish();
|
|
400
|
+
return loader;
|
|
401
|
+
}
|
|
402
|
+
|
|
403
|
+
//
|
|
404
|
+
// RbacConfig::RbacPolicy::Rules::Policy::Metadata
|
|
405
|
+
//
|
|
406
|
+
|
|
407
|
+
const JsonLoaderInterface*
|
|
408
|
+
RbacConfig::RbacPolicy::Rules::Policy::Metadata::JsonLoader(const JsonArgs&) {
|
|
409
|
+
static const auto* loader = JsonObjectLoader<Metadata>()
|
|
410
|
+
.OptionalField("invert", &Metadata::invert)
|
|
411
|
+
.Finish();
|
|
412
|
+
return loader;
|
|
413
|
+
}
|
|
414
|
+
|
|
415
|
+
//
|
|
416
|
+
// RbacConfig::RbacPolicy::Rules::Policy::Permission::PermissionList
|
|
417
|
+
//
|
|
418
|
+
|
|
419
|
+
const JsonLoaderInterface*
|
|
420
|
+
RbacConfig::RbacPolicy::Rules::Policy::Permission::PermissionList::JsonLoader(
|
|
421
|
+
const JsonArgs&) {
|
|
422
|
+
static const auto* loader = JsonObjectLoader<PermissionList>()
|
|
423
|
+
.Field("rules", &PermissionList::rules)
|
|
424
|
+
.Finish();
|
|
425
|
+
return loader;
|
|
426
|
+
}
|
|
427
|
+
|
|
428
|
+
//
|
|
429
|
+
// RbacConfig::RbacPolicy::Rules::Policy::Permission
|
|
430
|
+
//
|
|
431
|
+
|
|
432
|
+
std::vector<std::unique_ptr<Rbac::Permission>>
|
|
433
|
+
RbacConfig::RbacPolicy::Rules::Policy::Permission::MakeRbacPermissionList(
|
|
434
|
+
std::vector<Permission> permission_list) {
|
|
481
435
|
std::vector<std::unique_ptr<Rbac::Permission>> permissions;
|
|
482
|
-
|
|
483
|
-
|
|
484
|
-
|
|
485
|
-
|
|
486
|
-
|
|
487
|
-
|
|
488
|
-
|
|
489
|
-
|
|
490
|
-
|
|
491
|
-
|
|
492
|
-
|
|
493
|
-
|
|
494
|
-
|
|
495
|
-
|
|
496
|
-
|
|
497
|
-
|
|
498
|
-
|
|
436
|
+
permissions.reserve(permission_list.size());
|
|
437
|
+
for (auto& rule : permission_list) {
|
|
438
|
+
permissions.emplace_back(std::move(rule.permission));
|
|
439
|
+
}
|
|
440
|
+
return permissions;
|
|
441
|
+
}
|
|
442
|
+
|
|
443
|
+
const JsonLoaderInterface*
|
|
444
|
+
RbacConfig::RbacPolicy::Rules::Policy::Permission::JsonLoader(const JsonArgs&) {
|
|
445
|
+
// All fields handled in JsonPostLoad().
|
|
446
|
+
static const auto* loader = JsonObjectLoader<Permission>().Finish();
|
|
447
|
+
return loader;
|
|
448
|
+
}
|
|
449
|
+
|
|
450
|
+
void RbacConfig::RbacPolicy::Rules::Policy::Permission::JsonPostLoad(
|
|
451
|
+
const Json& json, const JsonArgs& args, ValidationErrors* errors) {
|
|
452
|
+
const size_t original_error_size = errors->size();
|
|
453
|
+
auto any = LoadJsonObjectField<bool>(json.object_value(), args, "any", errors,
|
|
454
|
+
/*required=*/false);
|
|
455
|
+
if (any.has_value()) {
|
|
456
|
+
permission = std::make_unique<Rbac::Permission>(
|
|
457
|
+
Rbac::Permission::MakeAnyPermission());
|
|
458
|
+
return;
|
|
459
|
+
}
|
|
460
|
+
auto header = LoadJsonObjectField<HeaderMatch>(json.object_value(), args,
|
|
461
|
+
"header", errors,
|
|
462
|
+
/*required=*/false);
|
|
463
|
+
if (header.has_value()) {
|
|
464
|
+
permission = std::make_unique<Rbac::Permission>(
|
|
465
|
+
Rbac::Permission::MakeHeaderPermission(std::move(header->matcher)));
|
|
466
|
+
return;
|
|
467
|
+
}
|
|
468
|
+
auto url_path = LoadJsonObjectField<PathMatch>(json.object_value(), args,
|
|
469
|
+
"urlPath", errors,
|
|
470
|
+
/*required=*/false);
|
|
471
|
+
if (url_path.has_value()) {
|
|
472
|
+
permission = std::make_unique<Rbac::Permission>(
|
|
473
|
+
Rbac::Permission::MakePathPermission(url_path->path.matcher));
|
|
474
|
+
return;
|
|
499
475
|
}
|
|
500
|
-
|
|
476
|
+
auto destination_ip = LoadJsonObjectField<CidrRange>(
|
|
477
|
+
json.object_value(), args, "destinationIp", errors,
|
|
478
|
+
/*required=*/false);
|
|
479
|
+
if (destination_ip.has_value()) {
|
|
480
|
+
permission = std::make_unique<Rbac::Permission>(
|
|
481
|
+
Rbac::Permission::MakeDestIpPermission(
|
|
482
|
+
std::move(destination_ip->cidr_range)));
|
|
483
|
+
return;
|
|
484
|
+
}
|
|
485
|
+
auto destination_port = LoadJsonObjectField<uint32_t>(
|
|
486
|
+
json.object_value(), args, "destinationPort", errors,
|
|
487
|
+
/*required=*/false);
|
|
488
|
+
if (destination_port.has_value()) {
|
|
489
|
+
permission = std::make_unique<Rbac::Permission>(
|
|
490
|
+
Rbac::Permission::MakeDestPortPermission(*destination_port));
|
|
491
|
+
return;
|
|
492
|
+
}
|
|
493
|
+
auto metadata = LoadJsonObjectField<Metadata>(json.object_value(), args,
|
|
494
|
+
"metadata", errors,
|
|
495
|
+
/*required=*/false);
|
|
496
|
+
if (metadata.has_value()) {
|
|
497
|
+
permission = std::make_unique<Rbac::Permission>(
|
|
498
|
+
Rbac::Permission::MakeMetadataPermission(metadata->invert));
|
|
499
|
+
return;
|
|
500
|
+
}
|
|
501
|
+
auto requested_server_name = LoadJsonObjectField<StringMatch>(
|
|
502
|
+
json.object_value(), args, "requestedServerName", errors,
|
|
503
|
+
/*required=*/false);
|
|
504
|
+
if (requested_server_name.has_value()) {
|
|
505
|
+
permission = std::make_unique<Rbac::Permission>(
|
|
506
|
+
Rbac::Permission::MakeReqServerNamePermission(
|
|
507
|
+
std::move(requested_server_name->matcher)));
|
|
508
|
+
return;
|
|
509
|
+
}
|
|
510
|
+
auto rules = LoadJsonObjectField<PermissionList>(json.object_value(), args,
|
|
511
|
+
"andRules", errors,
|
|
512
|
+
/*required=*/false);
|
|
513
|
+
if (rules.has_value()) {
|
|
514
|
+
permission =
|
|
515
|
+
std::make_unique<Rbac::Permission>(Rbac::Permission::MakeAndPermission(
|
|
516
|
+
MakeRbacPermissionList(std::move(rules->rules))));
|
|
517
|
+
return;
|
|
518
|
+
}
|
|
519
|
+
rules = LoadJsonObjectField<PermissionList>(json.object_value(), args,
|
|
520
|
+
"orRules", errors,
|
|
521
|
+
/*required=*/false);
|
|
522
|
+
if (rules.has_value()) {
|
|
523
|
+
permission =
|
|
524
|
+
std::make_unique<Rbac::Permission>(Rbac::Permission::MakeOrPermission(
|
|
525
|
+
MakeRbacPermissionList(std::move(rules->rules))));
|
|
526
|
+
return;
|
|
527
|
+
}
|
|
528
|
+
auto not_rule = LoadJsonObjectField<Permission>(json.object_value(), args,
|
|
529
|
+
"notRule", errors,
|
|
530
|
+
/*required=*/false);
|
|
531
|
+
if (not_rule.has_value()) {
|
|
532
|
+
permission = std::make_unique<Rbac::Permission>(
|
|
533
|
+
Rbac::Permission::MakeNotPermission(std::move(*not_rule->permission)));
|
|
534
|
+
return;
|
|
535
|
+
}
|
|
536
|
+
if (errors->size() == original_error_size) {
|
|
537
|
+
errors->AddError("no valid rule found");
|
|
538
|
+
}
|
|
539
|
+
}
|
|
540
|
+
|
|
541
|
+
//
|
|
542
|
+
// RbacConfig::RbacPolicy::Rules::Policy::Principal::PrincipalList
|
|
543
|
+
//
|
|
544
|
+
|
|
545
|
+
const JsonLoaderInterface*
|
|
546
|
+
RbacConfig::RbacPolicy::Rules::Policy::Principal::PrincipalList::JsonLoader(
|
|
547
|
+
const JsonArgs&) {
|
|
548
|
+
static const auto* loader = JsonObjectLoader<PrincipalList>()
|
|
549
|
+
.Field("ids", &PrincipalList::ids)
|
|
550
|
+
.Finish();
|
|
551
|
+
return loader;
|
|
552
|
+
}
|
|
553
|
+
|
|
554
|
+
//
|
|
555
|
+
// RbacConfig::RbacPolicy::Rules::Policy::Principal::Authenticated
|
|
556
|
+
//
|
|
557
|
+
|
|
558
|
+
const JsonLoaderInterface*
|
|
559
|
+
RbacConfig::RbacPolicy::Rules::Policy::Principal::Authenticated::JsonLoader(
|
|
560
|
+
const JsonArgs&) {
|
|
561
|
+
static const auto* loader =
|
|
562
|
+
JsonObjectLoader<Authenticated>()
|
|
563
|
+
.OptionalField("principalName", &Authenticated::principal_name)
|
|
564
|
+
.Finish();
|
|
565
|
+
return loader;
|
|
566
|
+
}
|
|
567
|
+
|
|
568
|
+
//
|
|
569
|
+
// RbacConfig::RbacPolicy::Rules::Policy::Principal
|
|
570
|
+
//
|
|
571
|
+
|
|
572
|
+
std::vector<std::unique_ptr<Rbac::Principal>>
|
|
573
|
+
RbacConfig::RbacPolicy::Rules::Policy::Principal::MakeRbacPrincipalList(
|
|
574
|
+
std::vector<Principal> principal_list) {
|
|
501
575
|
std::vector<std::unique_ptr<Rbac::Principal>> principals;
|
|
502
|
-
|
|
503
|
-
|
|
504
|
-
|
|
505
|
-
const Json::Object* principal_json;
|
|
506
|
-
if (!ExtractJsonType((*principals_json_array)[i],
|
|
507
|
-
absl::StrFormat("principals[%d]", i),
|
|
508
|
-
&principal_json, error_list)) {
|
|
509
|
-
continue;
|
|
510
|
-
}
|
|
511
|
-
std::vector<grpc_error_handle> principal_error_list;
|
|
512
|
-
principals.emplace_back(absl::make_unique<Rbac::Principal>(
|
|
513
|
-
ParsePrincipal(*principal_json, &principal_error_list)));
|
|
514
|
-
if (!principal_error_list.empty()) {
|
|
515
|
-
error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING(
|
|
516
|
-
absl::StrFormat("principals[%d]", i), &principal_error_list));
|
|
517
|
-
}
|
|
518
|
-
}
|
|
576
|
+
principals.reserve(principal_list.size());
|
|
577
|
+
for (auto& id : principal_list) {
|
|
578
|
+
principals.emplace_back(std::move(id.principal));
|
|
519
579
|
}
|
|
520
|
-
|
|
521
|
-
Rbac::Permission::MakeOrPermission(std::move(permissions));
|
|
522
|
-
policy.principals = Rbac::Principal::MakeOrPrincipal(std::move(principals));
|
|
523
|
-
return policy;
|
|
580
|
+
return principals;
|
|
524
581
|
}
|
|
525
582
|
|
|
526
|
-
|
|
527
|
-
|
|
528
|
-
|
|
529
|
-
const
|
|
530
|
-
|
|
531
|
-
|
|
532
|
-
|
|
533
|
-
|
|
534
|
-
|
|
583
|
+
const JsonLoaderInterface*
|
|
584
|
+
RbacConfig::RbacPolicy::Rules::Policy::Principal::JsonLoader(const JsonArgs&) {
|
|
585
|
+
// All fields handled in JsonPostLoad().
|
|
586
|
+
static const auto* loader = JsonObjectLoader<Principal>().Finish();
|
|
587
|
+
return loader;
|
|
588
|
+
}
|
|
589
|
+
|
|
590
|
+
void RbacConfig::RbacPolicy::Rules::Policy::Principal::JsonPostLoad(
|
|
591
|
+
const Json& json, const JsonArgs& args, ValidationErrors* errors) {
|
|
592
|
+
const size_t original_error_size = errors->size();
|
|
593
|
+
auto any = LoadJsonObjectField<bool>(json.object_value(), args, "any", errors,
|
|
594
|
+
/*required=*/false);
|
|
595
|
+
if (any.has_value()) {
|
|
596
|
+
principal =
|
|
597
|
+
std::make_unique<Rbac::Principal>(Rbac::Principal::MakeAnyPrincipal());
|
|
598
|
+
return;
|
|
535
599
|
}
|
|
536
|
-
|
|
537
|
-
|
|
538
|
-
|
|
539
|
-
|
|
540
|
-
|
|
600
|
+
auto authenticated = LoadJsonObjectField<Authenticated>(
|
|
601
|
+
json.object_value(), args, "authenticated", errors,
|
|
602
|
+
/*required=*/false);
|
|
603
|
+
if (authenticated.has_value()) {
|
|
604
|
+
if (authenticated->principal_name.has_value()) {
|
|
605
|
+
principal = std::make_unique<Rbac::Principal>(
|
|
606
|
+
Rbac::Principal::MakeAuthenticatedPrincipal(
|
|
607
|
+
std::move(authenticated->principal_name->matcher)));
|
|
608
|
+
} else {
|
|
609
|
+
// No principalName found. Match for all users.
|
|
610
|
+
principal = std::make_unique<Rbac::Principal>(
|
|
611
|
+
Rbac::Principal::MakeAnyPrincipal());
|
|
541
612
|
}
|
|
613
|
+
return;
|
|
614
|
+
}
|
|
615
|
+
auto cidr_range = LoadJsonObjectField<CidrRange>(json.object_value(), args,
|
|
616
|
+
"sourceIp", errors,
|
|
617
|
+
/*required=*/false);
|
|
618
|
+
if (cidr_range.has_value()) {
|
|
619
|
+
principal = std::make_unique<Rbac::Principal>(
|
|
620
|
+
Rbac::Principal::MakeSourceIpPrincipal(
|
|
621
|
+
std::move(cidr_range->cidr_range)));
|
|
622
|
+
return;
|
|
623
|
+
}
|
|
624
|
+
cidr_range = LoadJsonObjectField<CidrRange>(json.object_value(), args,
|
|
625
|
+
"directRemoteIp", errors,
|
|
626
|
+
/*required=*/false);
|
|
627
|
+
if (cidr_range.has_value()) {
|
|
628
|
+
principal = std::make_unique<Rbac::Principal>(
|
|
629
|
+
Rbac::Principal::MakeDirectRemoteIpPrincipal(
|
|
630
|
+
std::move(cidr_range->cidr_range)));
|
|
631
|
+
return;
|
|
632
|
+
}
|
|
633
|
+
cidr_range = LoadJsonObjectField<CidrRange>(json.object_value(), args,
|
|
634
|
+
"remoteIp", errors,
|
|
635
|
+
/*required=*/false);
|
|
636
|
+
if (cidr_range.has_value()) {
|
|
637
|
+
principal = std::make_unique<Rbac::Principal>(
|
|
638
|
+
Rbac::Principal::MakeRemoteIpPrincipal(
|
|
639
|
+
std::move(cidr_range->cidr_range)));
|
|
640
|
+
return;
|
|
641
|
+
}
|
|
642
|
+
auto header = LoadJsonObjectField<HeaderMatch>(json.object_value(), args,
|
|
643
|
+
"header", errors,
|
|
644
|
+
/*required=*/false);
|
|
645
|
+
if (header.has_value()) {
|
|
646
|
+
principal = std::make_unique<Rbac::Principal>(
|
|
647
|
+
Rbac::Principal::MakeHeaderPrincipal(std::move(header->matcher)));
|
|
648
|
+
return;
|
|
649
|
+
}
|
|
650
|
+
auto url_path = LoadJsonObjectField<PathMatch>(json.object_value(), args,
|
|
651
|
+
"urlPath", errors,
|
|
652
|
+
/*required=*/false);
|
|
653
|
+
if (url_path.has_value()) {
|
|
654
|
+
principal = std::make_unique<Rbac::Principal>(
|
|
655
|
+
Rbac::Principal::MakePathPrincipal(std::move(url_path->path.matcher)));
|
|
656
|
+
return;
|
|
657
|
+
}
|
|
658
|
+
auto metadata = LoadJsonObjectField<Metadata>(json.object_value(), args,
|
|
659
|
+
"metadata", errors,
|
|
660
|
+
/*required=*/false);
|
|
661
|
+
if (metadata.has_value()) {
|
|
662
|
+
principal = std::make_unique<Rbac::Principal>(
|
|
663
|
+
Rbac::Principal::MakeMetadataPrincipal(metadata->invert));
|
|
664
|
+
return;
|
|
665
|
+
}
|
|
666
|
+
auto ids = LoadJsonObjectField<PrincipalList>(json.object_value(), args,
|
|
667
|
+
"andIds", errors,
|
|
668
|
+
/*required=*/false);
|
|
669
|
+
if (ids.has_value()) {
|
|
670
|
+
principal =
|
|
671
|
+
std::make_unique<Rbac::Principal>(Rbac::Principal::MakeAndPrincipal(
|
|
672
|
+
MakeRbacPrincipalList(std::move(ids->ids))));
|
|
673
|
+
return;
|
|
674
|
+
}
|
|
675
|
+
ids = LoadJsonObjectField<PrincipalList>(json.object_value(), args, "orIds",
|
|
676
|
+
errors,
|
|
677
|
+
/*required=*/false);
|
|
678
|
+
if (ids.has_value()) {
|
|
679
|
+
principal =
|
|
680
|
+
std::make_unique<Rbac::Principal>(Rbac::Principal::MakeOrPrincipal(
|
|
681
|
+
MakeRbacPrincipalList(std::move(ids->ids))));
|
|
682
|
+
return;
|
|
683
|
+
}
|
|
684
|
+
auto not_rule =
|
|
685
|
+
LoadJsonObjectField<Principal>(json.object_value(), args, "notId", errors,
|
|
686
|
+
/*required=*/false);
|
|
687
|
+
if (not_rule.has_value()) {
|
|
688
|
+
principal = std::make_unique<Rbac::Principal>(
|
|
689
|
+
Rbac::Principal::MakeNotPrincipal(std::move(*not_rule->principal)));
|
|
690
|
+
return;
|
|
542
691
|
}
|
|
692
|
+
if (errors->size() == original_error_size) {
|
|
693
|
+
errors->AddError("no valid id found");
|
|
694
|
+
}
|
|
695
|
+
}
|
|
696
|
+
|
|
697
|
+
//
|
|
698
|
+
// RbacConfig::RbacPolicy::Rules::Policy
|
|
699
|
+
//
|
|
700
|
+
|
|
701
|
+
Rbac::Policy RbacConfig::RbacPolicy::Rules::Policy::TakeAsRbacPolicy() {
|
|
702
|
+
Rbac::Policy policy;
|
|
703
|
+
policy.permissions = Rbac::Permission::MakeOrPermission(
|
|
704
|
+
Permission::MakeRbacPermissionList(std::move(permissions)));
|
|
705
|
+
policy.principals = Rbac::Principal::MakeOrPrincipal(
|
|
706
|
+
Principal::MakeRbacPrincipalList(std::move(principals)));
|
|
707
|
+
return policy;
|
|
708
|
+
}
|
|
709
|
+
|
|
710
|
+
const JsonLoaderInterface* RbacConfig::RbacPolicy::Rules::Policy::JsonLoader(
|
|
711
|
+
const JsonArgs&) {
|
|
712
|
+
static const auto* loader = JsonObjectLoader<Policy>()
|
|
713
|
+
.Field("permissions", &Policy::permissions)
|
|
714
|
+
.Field("principals", &Policy::principals)
|
|
715
|
+
.Finish();
|
|
716
|
+
return loader;
|
|
717
|
+
}
|
|
718
|
+
|
|
719
|
+
//
|
|
720
|
+
// RbacConfig::RbacPolicy::Rules
|
|
721
|
+
//
|
|
722
|
+
|
|
723
|
+
Rbac RbacConfig::RbacPolicy::Rules::TakeAsRbac() {
|
|
724
|
+
Rbac rbac;
|
|
543
725
|
rbac.action = static_cast<Rbac::Action>(action);
|
|
544
|
-
|
|
545
|
-
|
|
546
|
-
/*required=*/false)) {
|
|
547
|
-
for (const auto& entry : *policies_json) {
|
|
548
|
-
std::vector<grpc_error_handle> policy_error_list;
|
|
549
|
-
rbac.policies.emplace(
|
|
550
|
-
entry.first,
|
|
551
|
-
ParsePolicy(entry.second.object_value(), &policy_error_list));
|
|
552
|
-
if (!policy_error_list.empty()) {
|
|
553
|
-
error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING(
|
|
554
|
-
absl::StrFormat("policies key:'%s'", entry.first.c_str()),
|
|
555
|
-
&policy_error_list));
|
|
556
|
-
}
|
|
557
|
-
}
|
|
726
|
+
for (auto& p : policies) {
|
|
727
|
+
rbac.policies.emplace(p.first, p.second.TakeAsRbacPolicy());
|
|
558
728
|
}
|
|
559
729
|
return rbac;
|
|
560
730
|
}
|
|
561
731
|
|
|
562
|
-
|
|
563
|
-
|
|
564
|
-
|
|
565
|
-
|
|
566
|
-
|
|
567
|
-
|
|
568
|
-
|
|
569
|
-
|
|
570
|
-
|
|
571
|
-
|
|
572
|
-
|
|
573
|
-
|
|
574
|
-
|
|
575
|
-
|
|
576
|
-
|
|
577
|
-
|
|
732
|
+
const JsonLoaderInterface* RbacConfig::RbacPolicy::Rules::JsonLoader(
|
|
733
|
+
const JsonArgs&) {
|
|
734
|
+
static const auto* loader = JsonObjectLoader<Rules>()
|
|
735
|
+
.Field("action", &Rules::action)
|
|
736
|
+
.OptionalField("policies", &Rules::policies)
|
|
737
|
+
.Finish();
|
|
738
|
+
return loader;
|
|
739
|
+
}
|
|
740
|
+
|
|
741
|
+
void RbacConfig::RbacPolicy::Rules::JsonPostLoad(const Json&, const JsonArgs&,
|
|
742
|
+
ValidationErrors* errors) {
|
|
743
|
+
// Validate action field.
|
|
744
|
+
auto rbac_action = static_cast<Rbac::Action>(action);
|
|
745
|
+
if (rbac_action != Rbac::Action::kAllow &&
|
|
746
|
+
rbac_action != Rbac::Action::kDeny) {
|
|
747
|
+
ValidationErrors::ScopedField field(errors, ".action");
|
|
748
|
+
errors->AddError("unknown action");
|
|
749
|
+
}
|
|
750
|
+
}
|
|
751
|
+
|
|
752
|
+
//
|
|
753
|
+
// RbacConfig::RbacPolicy
|
|
754
|
+
//
|
|
755
|
+
|
|
756
|
+
Rbac RbacConfig::RbacPolicy::TakeAsRbac() {
|
|
757
|
+
if (!rules.has_value()) {
|
|
758
|
+
// No enforcing to be applied. An empty deny policy with an empty map
|
|
759
|
+
// is equivalent to no enforcing.
|
|
760
|
+
return Rbac(Rbac::Action::kDeny, {});
|
|
578
761
|
}
|
|
579
|
-
return
|
|
762
|
+
return rules->TakeAsRbac();
|
|
763
|
+
}
|
|
764
|
+
|
|
765
|
+
const JsonLoaderInterface* RbacConfig::RbacPolicy::JsonLoader(const JsonArgs&) {
|
|
766
|
+
static const auto* loader = JsonObjectLoader<RbacPolicy>()
|
|
767
|
+
.OptionalField("rules", &RbacPolicy::rules)
|
|
768
|
+
.Finish();
|
|
769
|
+
return loader;
|
|
770
|
+
}
|
|
771
|
+
|
|
772
|
+
//
|
|
773
|
+
// RbacConfig
|
|
774
|
+
//
|
|
775
|
+
|
|
776
|
+
std::vector<Rbac> RbacConfig::TakeAsRbacList() {
|
|
777
|
+
std::vector<Rbac> rbac_list;
|
|
778
|
+
rbac_list.reserve(rbac_policies.size());
|
|
779
|
+
for (auto& rbac_policy : rbac_policies) {
|
|
780
|
+
rbac_list.emplace_back(rbac_policy.TakeAsRbac());
|
|
781
|
+
}
|
|
782
|
+
return rbac_list;
|
|
783
|
+
}
|
|
784
|
+
|
|
785
|
+
const JsonLoaderInterface* RbacConfig::JsonLoader(const JsonArgs&) {
|
|
786
|
+
static const auto* loader =
|
|
787
|
+
JsonObjectLoader<RbacConfig>()
|
|
788
|
+
.Field("rbacPolicy", &RbacConfig::rbac_policies)
|
|
789
|
+
.Finish();
|
|
790
|
+
return loader;
|
|
580
791
|
}
|
|
581
792
|
|
|
582
793
|
} // namespace
|
|
583
794
|
|
|
584
|
-
|
|
795
|
+
std::unique_ptr<ServiceConfigParser::ParsedConfig>
|
|
585
796
|
RbacServiceConfigParser::ParsePerMethodParams(const ChannelArgs& args,
|
|
586
|
-
const Json& json
|
|
797
|
+
const Json& json,
|
|
798
|
+
ValidationErrors* errors) {
|
|
587
799
|
// Only parse rbac policy if the channel arg is present
|
|
588
800
|
if (!args.GetBool(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG).value_or(false)) {
|
|
589
801
|
return nullptr;
|
|
590
802
|
}
|
|
591
|
-
|
|
592
|
-
std::vector<
|
|
593
|
-
const Json::Array* policies_json_array;
|
|
594
|
-
if (ParseJsonObjectField(json.object_value(), "rbacPolicy",
|
|
595
|
-
&policies_json_array, &error_list)) {
|
|
596
|
-
rbac_policies = ParseRbacArray(*policies_json_array, &error_list);
|
|
597
|
-
}
|
|
598
|
-
grpc_error_handle error =
|
|
599
|
-
GRPC_ERROR_CREATE_FROM_VECTOR("Rbac parser", &error_list);
|
|
600
|
-
if (!GRPC_ERROR_IS_NONE(error)) {
|
|
601
|
-
absl::Status status = absl::InvalidArgumentError(
|
|
602
|
-
absl::StrCat("error parsing RBAC method parameters: ",
|
|
603
|
-
grpc_error_std_string(error)));
|
|
604
|
-
GRPC_ERROR_UNREF(error);
|
|
605
|
-
return status;
|
|
606
|
-
}
|
|
803
|
+
auto rbac_config = LoadFromJson<RbacConfig>(json, JsonArgs(), errors);
|
|
804
|
+
std::vector<Rbac> rbac_policies = rbac_config.TakeAsRbacList();
|
|
607
805
|
if (rbac_policies.empty()) return nullptr;
|
|
608
|
-
return
|
|
806
|
+
return std::make_unique<RbacMethodParsedConfig>(std::move(rbac_policies));
|
|
609
807
|
}
|
|
610
808
|
|
|
611
809
|
void RbacServiceConfigParser::Register(CoreConfiguration::Builder* builder) {
|
|
612
810
|
builder->service_config_parser()->RegisterParser(
|
|
613
|
-
|
|
811
|
+
std::make_unique<RbacServiceConfigParser>());
|
|
614
812
|
}
|
|
615
813
|
|
|
616
814
|
size_t RbacServiceConfigParser::ParserIndex() {
|