grpc 1.55.0 → 1.56.0

data/src/core/lib/promise/party.h

@@ -27,8 +27,10 @@
 #include "absl/base/thread_annotations.h"
 #include "absl/strings/string_view.h"
 
+#include <grpc/event_engine/event_engine.h>
 #include <grpc/support/log.h>
 
+#include "src/core/lib/debug/trace.h"
 #include "src/core/lib/gprpp/construct_destruct.h"
 #include "src/core/lib/gprpp/crash.h"
 #include "src/core/lib/gprpp/ref_counted.h"
@@ -37,6 +39,7 @@
 #include "src/core/lib/promise/activity.h"
 #include "src/core/lib/promise/context.h"
 #include "src/core/lib/promise/detail/promise_factory.h"
+#include "src/core/lib/promise/trace.h"
 #include "src/core/lib/resource_quota/arena.h"
 
 // Two implementations of party synchronization are provided: one using a single
@@ -453,13 +456,15 @@ class Party : public Activity, private Wakeable {
 
   // Wakeable implementation
   void Wakeup(WakeupMask wakeup_mask) final;
+  void WakeupAsync(WakeupMask wakeup_mask) final;
   void Drop(WakeupMask wakeup_mask) final;
 
-  // Organize to wake up some participants.
-  void ScheduleWakeup(WakeupMask mask);
   // Add a participant (backs Spawn, after type erasure to ParticipantFactory).
   void AddParticipants(Participant** participant, size_t count);
 
+  virtual grpc_event_engine::experimental::EventEngine* event_engine()
+      const = 0;
+
   // Sentinal value for currently_polling_ when no participant is being polled.
   static constexpr uint8_t kNotPolling = 255;
 
@@ -482,6 +487,10 @@ class Party : public Activity, private Wakeable {
 template <typename Factory, typename OnComplete>
 void Party::BulkSpawner::Spawn(absl::string_view name, Factory promise_factory,
                                OnComplete on_complete) {
+  if (grpc_trace_promise_primitives.enabled()) {
+    gpr_log(GPR_DEBUG, "%s[bulk_spawn] On %p queue %s",
+            party_->DebugTag().c_str(), this, std::string(name).c_str());
+  }
   participants_[num_participants_++] =
       party_->arena_->NewPooled<ParticipantImpl<Factory, OnComplete>>(
           name, std::move(promise_factory), std::move(on_complete));

data/src/core/lib/promise/pipe.h

@@ -377,8 +377,8 @@ class Center : public InterceptorList<T> {
 
   std::string DebugTag() {
     if (auto* activity = Activity::current()) {
-      return absl::StrCat(activity->DebugTag(), " PIPE[0x",
-                          reinterpret_cast<uintptr_t>(this), "]: ");
+      return absl::StrCat(activity->DebugTag(), " PIPE[0x", absl::Hex(this),
+                          "]: ");
     } else {
       return absl::StrCat("PIPE[0x", reinterpret_cast<uintptr_t>(this), "]: ");
     }
@@ -610,6 +610,13 @@ class PipeReceiver {
     return [center = center_]() { return center->PollEmpty(); };
   }
 
+  void CloseWithError() {
+    if (center_ != nullptr) {
+      center_->MarkCancelled();
+      center_.reset();
+    }
+  }
+
   // Interject PromiseFactory f into the pipeline.
   // f will be called with the current value traversing the pipe, and should
   // return a value to replace it with.

data/src/core/lib/promise/prioritized_race.h

@@ -0,0 +1,95 @@
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_SRC_CORE_LIB_PROMISE_PRIORITIZED_RACE_H
+#define GRPC_SRC_CORE_LIB_PROMISE_PRIORITIZED_RACE_H
+
+#include <grpc/support/port_platform.h>
+
+#include <type_traits>
+#include <utility>
+
+namespace grpc_core {
+
+namespace promise_detail {
+
+template <typename A, typename B>
+class TwoPartyPrioritizedRace {
+ public:
+  using Result = decltype(std::declval<A>()());
+
+  explicit TwoPartyPrioritizedRace(A a, B b)
+      : a_(std::move(a)), b_(std::move(b)) {}
+
+  Result operator()() {
+    // Check the priority promise.
+    auto p = a_();
+    if (p.ready()) return p;
+    // Check the other promise.
+    p = b_();
+    if (p.ready()) {
+      // re-poll a to see if it's also completed.
+      auto q = a_();
+      if (q.ready()) {
+        // both are ready, but a is prioritized
+        return q;
+      }
+    }
+    return p;
+  }
+
+ private:
+  A a_;
+  B b_;
+};
+
+template <typename... Promises>
+class PrioritizedRace;
+
+template <typename Promise, typename... Promises>
+class PrioritizedRace<Promise, Promises...>
+    : public TwoPartyPrioritizedRace<Promise, PrioritizedRace<Promises...>> {
+ public:
+  using Result = decltype(std::declval<Promise>()());
+  explicit PrioritizedRace(Promise promise, Promises... promises)
+      : TwoPartyPrioritizedRace<Promise, PrioritizedRace<Promises...>>(
+            std::move(promise),
+            PrioritizedRace<Promises...>(std::move(promises)...)) {}
+};
+
+template <typename Promise>
+class PrioritizedRace<Promise> {
+ public:
+  using Result = decltype(std::declval<Promise>()());
+  explicit PrioritizedRace(Promise promise) : promise_(std::move(promise)) {}
+  Result operator()() { return promise_(); }
+
+ private:
+  Promise promise_;
+};
+
+}  // namespace promise_detail
+
+/// Run all the promises until one is non-pending.
+/// Once there's a non-pending promise, repoll all the promises before that.
+/// Return the result from the lexically first non-pending promise.
+template <typename... Promises>
+promise_detail::PrioritizedRace<Promises...> PrioritizedRace(
+    Promises... promises) {
+  return promise_detail::PrioritizedRace<Promises...>(std::move(promises)...);
+}
+
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_LIB_PROMISE_PRIORITIZED_RACE_H

data/src/core/lib/promise/sleep.cc

@@ -41,8 +41,9 @@ Poll<absl::Status> Sleep::operator()() {
   // Invalidate now so that we see a fresh version of the time.
   // TODO(ctiller): the following can be safely removed when we remove ExecCtx.
   ExecCtx::Get()->InvalidateNow();
+  const auto now = Timestamp::Now();
   // If the deadline is earlier than now we can just return.
-  if (deadline_ <= Timestamp::Now()) return absl::OkStatus();
+  if (deadline_ <= now) return absl::OkStatus();
   if (closure_ == nullptr) {
     // TODO(ctiller): it's likely we'll want a pool of closures - probably per
     // cpu? - to avoid allocating/deallocating on fast paths.

data/src/core/lib/resolver/server_address.cc

@@ -57,14 +57,6 @@ ServerAddress::ServerAddress(
     std::map<const char*, std::unique_ptr<AttributeInterface>> attributes)
     : address_(address), args_(args), attributes_(std::move(attributes)) {}
 
-ServerAddress::ServerAddress(
-    const void* address, size_t address_len, const ChannelArgs& args,
-    std::map<const char*, std::unique_ptr<AttributeInterface>> attributes)
-    : args_(args), attributes_(std::move(attributes)) {
-  memcpy(address_.addr, address, address_len);
-  address_.len = static_cast<socklen_t>(address_len);
-}
-
 ServerAddress::ServerAddress(const ServerAddress& other)
     : address_(other.address_), args_(other.args_) {
   for (const auto& p : other.attributes_) {

data/src/core/lib/resolver/server_address.h

@@ -21,7 +21,6 @@
 
 #include <grpc/support/port_platform.h>
 
-#include <stddef.h>
 #include <stdint.h>
 
 #include <map>
@@ -65,14 +64,9 @@ class ServerAddress {
     virtual std::string ToString() const = 0;
   };
 
-  // Takes ownership of args.
   ServerAddress(const grpc_resolved_address& address, const ChannelArgs& args,
                 std::map<const char*, std::unique_ptr<AttributeInterface>>
                     attributes = {});
-  ServerAddress(const void* address, size_t address_len,
-                const ChannelArgs& args,
-                std::map<const char*, std::unique_ptr<AttributeInterface>>
-                    attributes = {});
 
   // Copyable.
   ServerAddress(const ServerAddress& other);

data/src/core/lib/resource_quota/memory_quota.cc

@@ -453,7 +453,7 @@ void BasicMemoryQuota::AddNewAllocator(GrpcMemoryAllocatorImpl* allocator) {
   AllocatorBucket::Shard& shard = small_allocators_.SelectShard(allocator);
 
   {
-    absl::MutexLock l(&shard.shard_mu);
+    MutexLock l(&shard.shard_mu);
     shard.allocators.emplace(allocator);
   }
 }
@@ -467,7 +467,7 @@ void BasicMemoryQuota::RemoveAllocator(GrpcMemoryAllocatorImpl* allocator) {
       small_allocators_.SelectShard(allocator);
 
   {
-    absl::MutexLock l(&small_shard.shard_mu);
+    MutexLock l(&small_shard.shard_mu);
     if (small_shard.allocators.erase(allocator) == 1) {
       return;
     }
@@ -476,7 +476,7 @@ void BasicMemoryQuota::RemoveAllocator(GrpcMemoryAllocatorImpl* allocator) {
   AllocatorBucket::Shard& big_shard = big_allocators_.SelectShard(allocator);
 
   {
-    absl::MutexLock l(&big_shard.shard_mu);
+    MutexLock l(&big_shard.shard_mu);
     big_shard.allocators.erase(allocator);
   }
 }
@@ -513,14 +513,14 @@ void BasicMemoryQuota::MaybeMoveAllocatorBigToSmall(
   AllocatorBucket::Shard& old_shard = big_allocators_.SelectShard(allocator);
 
   {
-    absl::MutexLock l(&old_shard.shard_mu);
+    MutexLock l(&old_shard.shard_mu);
     if (old_shard.allocators.erase(allocator) == 0) return;
   }
 
   AllocatorBucket::Shard& new_shard = small_allocators_.SelectShard(allocator);
 
   {
-    absl::MutexLock l(&new_shard.shard_mu);
+    MutexLock l(&new_shard.shard_mu);
     new_shard.allocators.emplace(allocator);
   }
 }
@@ -534,14 +534,14 @@ void BasicMemoryQuota::MaybeMoveAllocatorSmallToBig(
   AllocatorBucket::Shard& old_shard = small_allocators_.SelectShard(allocator);
 
   {
-    absl::MutexLock l(&old_shard.shard_mu);
+    MutexLock l(&old_shard.shard_mu);
     if (old_shard.allocators.erase(allocator) == 0) return;
   }
 
   AllocatorBucket::Shard& new_shard = big_allocators_.SelectShard(allocator);
 
   {
-    absl::MutexLock l(&new_shard.shard_mu);
+    MutexLock l(&new_shard.shard_mu);
     new_shard.allocators.emplace(allocator);
   }
 }

data/src/core/lib/resource_quota/memory_quota.h

@@ -30,7 +30,6 @@
 #include "absl/base/thread_annotations.h"
 #include "absl/container/flat_hash_set.h"
 #include "absl/strings/string_view.h"
-#include "absl/synchronization/mutex.h"
 #include "absl/types/optional.h"
 
 #include <grpc/event_engine/memory_allocator.h>
@@ -340,7 +339,7 @@ class BasicMemoryQuota final
     struct Shard {
       absl::flat_hash_set<GrpcMemoryAllocatorImpl*> allocators
           ABSL_GUARDED_BY(shard_mu);
-      absl::Mutex shard_mu;
+      Mutex shard_mu;
     };
 
     Shard& SelectShard(void* key) {

data/src/core/lib/security/authorization/audit_logging.cc

@@ -0,0 +1,98 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/authorization/audit_logging.h"
+
+#include <initializer_list>
+#include <map>
+#include <memory>
+#include <utility>
+
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/str_format.h"
+#include "absl/strings/string_view.h"
+
+#include <grpc/grpc_audit_logging.h>
+#include <grpc/support/json.h>
+#include <grpc/support/log.h>
+
+#include "src/core/lib/gprpp/sync.h"
+#include "src/core/lib/security/authorization/stdout_logger.h"
+
+namespace grpc_core {
+namespace experimental {
+
+Mutex* AuditLoggerRegistry::mu = new Mutex();
+
+AuditLoggerRegistry* AuditLoggerRegistry::registry = new AuditLoggerRegistry();
+
+AuditLoggerRegistry::AuditLoggerRegistry() {
+  auto factory = std::make_unique<StdoutAuditLoggerFactory>();
+  absl::string_view name = factory->name();
+  GPR_ASSERT(logger_factories_map_.emplace(name, std::move(factory)).second);
+}
+
+void AuditLoggerRegistry::RegisterFactory(
+    std::unique_ptr<AuditLoggerFactory> factory) {
+  GPR_ASSERT(factory != nullptr);
+  MutexLock lock(mu);
+  absl::string_view name = factory->name();
+  GPR_ASSERT(
+      registry->logger_factories_map_.emplace(name, std::move(factory)).second);
+}
+
+bool AuditLoggerRegistry::FactoryExists(absl::string_view name) {
+  MutexLock lock(mu);
+  return registry->logger_factories_map_.find(name) !=
+         registry->logger_factories_map_.end();
+}
+
+absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
+AuditLoggerRegistry::ParseConfig(absl::string_view name, const Json& json) {
+  MutexLock lock(mu);
+  auto it = registry->logger_factories_map_.find(name);
+  if (it == registry->logger_factories_map_.end()) {
+    return absl::NotFoundError(
+        absl::StrFormat("audit logger factory for %s does not exist", name));
+  }
+  return it->second->ParseAuditLoggerConfig(json);
+}
+
+std::unique_ptr<AuditLogger> AuditLoggerRegistry::CreateAuditLogger(
+    std::unique_ptr<AuditLoggerFactory::Config> config) {
+  MutexLock lock(mu);
+  auto it = registry->logger_factories_map_.find(config->name());
+  GPR_ASSERT(it != registry->logger_factories_map_.end());
+  return it->second->CreateAuditLogger(std::move(config));
+}
+
+void AuditLoggerRegistry::TestOnlyResetRegistry() {
+  MutexLock lock(mu);
+  delete registry;
+  registry = new AuditLoggerRegistry();
+}
+
+void RegisterAuditLoggerFactory(std::unique_ptr<AuditLoggerFactory> factory) {
+  AuditLoggerRegistry::RegisterFactory(std::move(factory));
+}
+
+}  // namespace experimental
+}  // namespace grpc_core

data/src/core/lib/security/authorization/audit_logging.h

@@ -0,0 +1,73 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H
+#define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H
+
+#include <grpc/support/port_platform.h>
+
+#include <map>
+#include <memory>
+
+#include "absl/base/thread_annotations.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+
+#include <grpc/grpc_audit_logging.h>
+#include <grpc/support/json.h>
+
+#include "src/core/lib/gprpp/sync.h"
+
+namespace grpc_core {
+namespace experimental {
+
+class AuditLoggerRegistry {
+ public:
+  static void RegisterFactory(std::unique_ptr<AuditLoggerFactory>);
+
+  static bool FactoryExists(absl::string_view name);
+
+  static absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
+  ParseConfig(absl::string_view name, const Json& json);
+
+  // This assume the given config is parsed and validated already.
+  // Therefore, it should always succeed in creating a logger.
+  static std::unique_ptr<AuditLogger> CreateAuditLogger(
+      std::unique_ptr<AuditLoggerFactory::Config>);
+
+  // Factories are registered during initialization. They should never be
+  // unregistered since they will be looked up at any time till the program
+  // exits. This function should only be used in tests to clear the registry.
+  static void TestOnlyResetRegistry();
+
+ private:
+  AuditLoggerRegistry();
+
+  static Mutex* mu;
+
+  static AuditLoggerRegistry* registry ABSL_GUARDED_BY(mu);
+
+  // The key is owned by the factory.
+  std::map<absl::string_view, std::unique_ptr<AuditLoggerFactory>>
+      logger_factories_map_ ABSL_GUARDED_BY(mu);
+};
+
+}  // namespace experimental
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H

data/src/core/lib/security/authorization/grpc_authorization_engine.cc

@@ -20,10 +20,35 @@
 #include <map>
 #include <utility>
 
+#include <grpc/support/log.h>
+
+#include "src/core/lib/security/authorization/audit_logging.h"
+#include "src/core/lib/security/authorization/authorization_engine.h"
+
 namespace grpc_core {
 
+using experimental::AuditContext;
+using experimental::AuditLoggerRegistry;
+
+namespace {
+
+using Decision = AuthorizationEngine::Decision;
+
+bool ShouldLog(const Decision& decision,
+               const Rbac::AuditCondition& condition) {
+  return condition == Rbac::AuditCondition::kOnDenyAndAllow ||
+         (decision.type == Decision::Type::kAllow &&
+          condition == Rbac::AuditCondition::kOnAllow) ||
+         (decision.type == Decision::Type::kDeny &&
+          condition == Rbac::AuditCondition::kOnDeny);
+}
+
+}  // namespace
+
 GrpcAuthorizationEngine::GrpcAuthorizationEngine(Rbac policy)
-    : action_(policy.action) {
+    : name_(std::move(policy.name)),
+      action_(policy.action),
+      audit_condition_(policy.audit_condition) {
   for (auto& sub_policy : policy.policies) {
     Policy policy;
     policy.name = sub_policy.first;
@@ -31,16 +56,29 @@ GrpcAuthorizationEngine::GrpcAuthorizationEngine(Rbac policy)
         std::move(sub_policy.second));
     policies_.push_back(std::move(policy));
   }
+  for (auto& logger_config : policy.logger_configs) {
+    auto logger =
+        AuditLoggerRegistry::CreateAuditLogger(std::move(logger_config));
+    GPR_ASSERT(logger != nullptr);
+    audit_loggers_.push_back(std::move(logger));
+  }
 }
 
 GrpcAuthorizationEngine::GrpcAuthorizationEngine(
     GrpcAuthorizationEngine&& other) noexcept
-    : action_(other.action_), policies_(std::move(other.policies_)) {}
+    : name_(std::move(other.name_)),
+      action_(other.action_),
+      policies_(std::move(other.policies_)),
+      audit_condition_(other.audit_condition_),
+      audit_loggers_(std::move(other.audit_loggers_)) {}
 
 GrpcAuthorizationEngine& GrpcAuthorizationEngine::operator=(
     GrpcAuthorizationEngine&& other) noexcept {
+  name_ = std::move(other.name_);
   action_ = other.action_;
   policies_ = std::move(other.policies_);
+  audit_condition_ = other.audit_condition_;
+  audit_loggers_ = std::move(other.audit_loggers_);
   return *this;
 }
 
@@ -58,6 +96,13 @@ AuthorizationEngine::Decision GrpcAuthorizationEngine::Evaluate(
   decision.type = (matches == (action_ == Rbac::Action::kAllow))
                       ? Decision::Type::kAllow
                       : Decision::Type::kDeny;
+  if (ShouldLog(decision, audit_condition_)) {
+    for (auto& logger : audit_loggers_) {
+      logger->Log(AuditContext(args.GetPath(), args.GetSpiffeId(), name_,
+                               decision.matching_policy_name,
+                               decision.type == Decision::Type::kAllow));
+    }
+  }
   return decision;
 }
 

data/src/core/lib/security/authorization/grpc_authorization_engine.h

@@ -23,6 +23,8 @@
 #include <string>
 #include <vector>
 
+#include <grpc/grpc_audit_logging.h>
+
 #include "src/core/lib/security/authorization/authorization_engine.h"
 #include "src/core/lib/security/authorization/evaluate_args.h"
 #include "src/core/lib/security/authorization/matchers.h"
@@ -30,6 +32,8 @@
 
 namespace grpc_core {
 
+using experimental::AuditLogger;
+
 // GrpcAuthorizationEngine can be either an Allow engine or Deny engine. This
 // engine makes authorization decisions to Allow or Deny incoming RPC request
 // based on permission and principal configs in the provided RBAC policy and the
@@ -39,7 +43,8 @@ namespace grpc_core {
 class GrpcAuthorizationEngine : public AuthorizationEngine {
  public:
   // Builds GrpcAuthorizationEngine without any policies.
-  explicit GrpcAuthorizationEngine(Rbac::Action action) : action_(action) {}
+  explicit GrpcAuthorizationEngine(Rbac::Action action)
+      : action_(action), audit_condition_(Rbac::AuditCondition::kNone) {}
   // Builds GrpcAuthorizationEngine with allow/deny RBAC policy.
   explicit GrpcAuthorizationEngine(Rbac policy);
 
@@ -51,6 +56,14 @@ class GrpcAuthorizationEngine : public AuthorizationEngine {
   // Required only for testing purpose.
   size_t num_policies() const { return policies_.size(); }
 
+  // Required only for testing purpose.
+  Rbac::AuditCondition audit_condition() const { return audit_condition_; }
+
+  // Required only for testing purpose.
+  const std::vector<std::unique_ptr<AuditLogger>>& audit_loggers() const {
+    return audit_loggers_;
+  }
+
   // Evaluates incoming request against RBAC policy and makes a decision to
   // whether allow/deny this request.
   Decision Evaluate(const EvaluateArgs& args) const override;
@@ -60,8 +73,12 @@ class GrpcAuthorizationEngine : public AuthorizationEngine {
     std::string name;
     std::unique_ptr<AuthorizationMatcher> matcher;
   };
+
+  std::string name_;
   Rbac::Action action_;
   std::vector<Policy> policies_;
+  Rbac::AuditCondition audit_condition_;
+  std::vector<std::unique_ptr<AuditLogger>> audit_loggers_;
 };
 
 }  // namespace grpc_core

data/src/core/lib/security/authorization/rbac_policy.cc

@@ -22,6 +22,7 @@
 
 #include "absl/strings/str_format.h"
 #include "absl/strings/str_join.h"
+#include "absl/strings/string_view.h"
 
 namespace grpc_core {
 
@@ -29,26 +30,57 @@ namespace grpc_core {
 // Rbac
 //
 
-Rbac::Rbac(Rbac::Action action, std::map<std::string, Policy> policies)
-    : action(action), policies(std::move(policies)) {}
+Rbac::Rbac(std::string name, Rbac::Action action,
+           std::map<std::string, Policy> policies)
+    : name(std::move(name)),
+      action(action),
+      policies(std::move(policies)),
+      audit_condition(Rbac::AuditCondition::kNone) {}
 
 Rbac::Rbac(Rbac&& other) noexcept
-    : action(other.action), policies(std::move(other.policies)) {}
+    : name(std::move(other.name)),
+      action(other.action),
+      policies(std::move(other.policies)),
+      audit_condition(other.audit_condition),
+      logger_configs(std::move(other.logger_configs)) {}
 
 Rbac& Rbac::operator=(Rbac&& other) noexcept {
+  name = std::move(other.name);
   action = other.action;
   policies = std::move(other.policies);
+  audit_condition = other.audit_condition;
+  logger_configs = std::move(other.logger_configs);
   return *this;
 }
 
 std::string Rbac::ToString() const {
   std::vector<std::string> contents;
+  absl::string_view condition_str;
+  switch (audit_condition) {
+    case Rbac::AuditCondition::kNone:
+      condition_str = "None";
+      break;
+    case AuditCondition::kOnDeny:
+      condition_str = "OnDeny";
+      break;
+    case AuditCondition::kOnAllow:
+      condition_str = "OnAllow";
+      break;
+    case AuditCondition::kOnDenyAndAllow:
+      condition_str = "OnDenyAndAllow";
+      break;
+  }
   contents.push_back(absl::StrFormat(
-      "Rbac action=%s{", action == Rbac::Action::kAllow ? "Allow" : "Deny"));
+      "Rbac name=%s action=%s audit_condition=%s{", name,
+      action == Rbac::Action::kAllow ? "Allow" : "Deny", condition_str));
   for (const auto& p : policies) {
     contents.push_back(absl::StrFormat("{\n  policy_name=%s\n%s\n}", p.first,
                                        p.second.ToString()));
   }
+  for (const auto& config : logger_configs) {
+    contents.push_back(absl::StrFormat("{\n  audit_logger=%s\n%s\n}",
+                                       config->name(), config->ToString()));
+  }
   contents.push_back("}");
   return absl::StrJoin(contents, "\n");
 }