grpc 1.55.3 → 1.56.0.pre3



Files changed (385) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +100 -70
  3. data/include/grpc/event_engine/event_engine.h +4 -3
  4. data/include/grpc/grpc_audit_logging.h +96 -0
  5. data/include/grpc/module.modulemap +2 -0
  6. data/include/grpc/support/json.h +218 -0
  7. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +5 -0
  8. data/src/core/ext/filters/client_channel/backend_metric.cc +2 -0
  9. data/src/core/ext/filters/client_channel/channel_connectivity.cc +4 -4
  10. data/src/core/ext/filters/client_channel/client_channel.cc +82 -98
  11. data/src/core/ext/filters/client_channel/client_channel.h +4 -0
  12. data/src/core/ext/filters/client_channel/client_channel_channelz.cc +19 -18
  13. data/src/core/ext/filters/client_channel/client_channel_internal.h +16 -21
  14. data/src/core/ext/filters/client_channel/config_selector.h +9 -24
  15. data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +3 -0
  16. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +5 -4
  17. data/src/core/ext/filters/client_channel/lb_policy/health_check_client.cc +455 -0
  18. data/src/core/ext/filters/client_channel/lb_policy/health_check_client.h +54 -0
  19. data/src/core/ext/filters/client_channel/lb_policy/health_check_client_internal.h +186 -0
  20. data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric.cc +2 -7
  21. data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.cc +52 -20
  22. data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.h +23 -2
  23. data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +19 -6
  24. data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +1 -9
  25. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +16 -7
  26. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +18 -1
  27. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +12 -9
  28. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +6 -4
  29. data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +36 -13
  30. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/static_stride_scheduler.cc +76 -6
  31. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +32 -39
  32. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +4 -10
  33. data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +52 -47
  34. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -9
  35. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +14 -16
  36. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +40 -43
  37. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +7 -12
  38. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_wrr_locality.cc +12 -19
  39. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +35 -33
  40. data/src/core/ext/filters/client_channel/resolver/dns/event_engine/event_engine_client_channel_resolver.cc +29 -4
  41. data/src/core/ext/filters/client_channel/resolver/dns/event_engine/service_config_helper.cc +1 -1
  42. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +28 -27
  43. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +163 -46
  44. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.h +16 -1
  45. data/src/core/ext/filters/client_channel/retry_service_config.cc +1 -0
  46. data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +10 -40
  47. data/src/core/ext/filters/client_channel/subchannel.cc +10 -196
  48. data/src/core/ext/filters/client_channel/subchannel.h +3 -43
  49. data/src/core/ext/filters/http/message_compress/compression_filter.cc +5 -5
  50. data/src/core/ext/filters/rbac/rbac_service_config_parser.cc +100 -6
  51. data/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc +6 -8
  52. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +3 -3
  53. data/src/core/ext/filters/stateful_session/stateful_session_filter.h +16 -1
  54. data/src/core/ext/transport/chttp2/transport/flow_control.cc +46 -95
  55. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +543 -567
  56. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +9 -150
  57. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +32 -46
  58. data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +5 -18
  59. data/src/core/ext/transport/chttp2/transport/internal.h +1 -15
  60. data/src/core/ext/transport/chttp2/transport/parsing.cc +12 -12
  61. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +11 -2
  62. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +15 -0
  63. data/src/core/ext/xds/certificate_provider_store.cc +4 -9
  64. data/src/core/ext/xds/certificate_provider_store.h +1 -1
  65. data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +30 -42
  66. data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +14 -9
  67. data/src/core/ext/xds/xds_api.cc +9 -6
  68. data/src/core/ext/xds/xds_api.h +3 -2
  69. data/src/core/ext/xds/xds_audit_logger_registry.cc +122 -0
  70. data/src/core/ext/xds/xds_audit_logger_registry.h +68 -0
  71. data/src/core/ext/xds/xds_bootstrap_grpc.cc +21 -9
  72. data/src/core/ext/xds/xds_bootstrap_grpc.h +5 -0
  73. data/src/core/ext/xds/xds_client.cc +5 -4
  74. data/src/core/ext/xds/xds_client_stats.h +1 -1
  75. data/src/core/ext/xds/xds_cluster.cc +20 -19
  76. data/src/core/ext/xds/xds_cluster_specifier_plugin.cc +11 -8
  77. data/src/core/ext/xds/xds_common_types.cc +3 -1
  78. data/src/core/ext/xds/xds_http_fault_filter.cc +16 -13
  79. data/src/core/ext/xds/xds_http_fault_filter.h +2 -1
  80. data/src/core/ext/xds/xds_http_filters.h +4 -2
  81. data/src/core/ext/xds/xds_http_rbac_filter.cc +154 -67
  82. data/src/core/ext/xds/xds_http_rbac_filter.h +2 -1
  83. data/src/core/ext/xds/xds_http_stateful_session_filter.cc +15 -11
  84. data/src/core/ext/xds/xds_http_stateful_session_filter.h +2 -1
  85. data/src/core/ext/xds/xds_lb_policy_registry.cc +22 -16
  86. data/src/core/ext/xds/xds_listener.cc +1 -0
  87. data/src/core/ext/xds/xds_route_config.cc +40 -3
  88. data/src/core/ext/xds/xds_routing.cc +2 -2
  89. data/src/core/ext/xds/xds_transport_grpc.cc +3 -1
  90. data/src/core/lib/avl/avl.h +5 -0
  91. data/src/core/lib/backoff/random_early_detection.h +0 -5
  92. data/src/core/lib/channel/channel_args.cc +80 -22
  93. data/src/core/lib/channel/channel_args.h +34 -1
  94. data/src/core/lib/channel/channel_trace.cc +16 -12
  95. data/src/core/lib/channel/channelz.cc +159 -132
  96. data/src/core/lib/channel/channelz.h +42 -35
  97. data/src/core/lib/channel/channelz_registry.cc +23 -20
  98. data/src/core/lib/channel/connected_channel.cc +17 -6
  99. data/src/core/lib/channel/promise_based_filter.cc +0 -4
  100. data/src/core/lib/channel/promise_based_filter.h +2 -0
  101. data/src/core/lib/compression/compression_internal.cc +2 -5
  102. data/src/core/lib/config/config_vars.cc +20 -18
  103. data/src/core/lib/config/config_vars.h +4 -4
  104. data/src/core/lib/config/load_config.cc +13 -0
  105. data/src/core/lib/config/load_config.h +6 -0
  106. data/src/core/lib/debug/event_log.h +1 -1
  107. data/src/core/lib/debug/stats_data.h +1 -1
  108. data/src/core/lib/debug/trace.cc +24 -55
  109. data/src/core/lib/debug/trace.h +3 -1
  110. data/src/core/lib/event_engine/cf_engine/cf_engine.cc +211 -0
  111. data/src/core/lib/event_engine/cf_engine/cf_engine.h +86 -0
  112. data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.cc +354 -0
  113. data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.h +146 -0
  114. data/src/core/lib/event_engine/cf_engine/cftype_unique_ref.h +79 -0
  115. data/src/core/lib/event_engine/default_event_engine.cc +13 -1
  116. data/src/core/lib/event_engine/default_event_engine_factory.cc +14 -2
  117. data/src/core/lib/event_engine/poller.h +2 -2
  118. data/src/core/lib/event_engine/posix.h +4 -0
  119. data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +1 -1
  120. data/src/core/lib/event_engine/posix_engine/lockfree_event.cc +7 -18
  121. data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +9 -0
  122. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +3 -2
  123. data/src/core/lib/event_engine/posix_engine/posix_engine.h +1 -2
  124. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +4 -33
  125. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +7 -11
  126. data/src/core/lib/event_engine/posix_engine/timer_manager.h +1 -1
  127. data/src/core/lib/event_engine/shim.cc +7 -1
  128. data/src/core/lib/event_engine/{thread_pool.cc → thread_pool/original_thread_pool.cc} +28 -25
  129. data/src/core/lib/event_engine/{thread_pool.h → thread_pool/original_thread_pool.h} +11 -15
  130. data/src/core/lib/event_engine/thread_pool/thread_pool.h +50 -0
  131. data/src/core/lib/event_engine/{executor/executor.h → thread_pool/thread_pool_factory.cc} +17 -15
  132. data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +489 -0
  133. data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.h +249 -0
  134. data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.cc +166 -0
  135. data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.h +108 -0
  136. data/src/core/lib/event_engine/windows/iocp.cc +4 -3
  137. data/src/core/lib/event_engine/windows/iocp.h +3 -3
  138. data/src/core/lib/event_engine/windows/win_socket.cc +6 -6
  139. data/src/core/lib/event_engine/windows/win_socket.h +4 -4
  140. data/src/core/lib/event_engine/windows/windows_endpoint.cc +11 -10
  141. data/src/core/lib/event_engine/windows/windows_endpoint.h +3 -2
  142. data/src/core/lib/event_engine/windows/windows_engine.cc +19 -17
  143. data/src/core/lib/event_engine/windows/windows_engine.h +6 -6
  144. data/src/core/lib/event_engine/windows/windows_listener.cc +3 -3
  145. data/src/core/lib/event_engine/windows/windows_listener.h +3 -2
  146. data/src/core/lib/event_engine/work_queue/basic_work_queue.cc +63 -0
  147. data/src/core/lib/event_engine/work_queue/basic_work_queue.h +71 -0
  148. data/src/core/lib/event_engine/work_queue/work_queue.h +62 -0
  149. data/src/core/lib/experiments/config.cc +38 -7
  150. data/src/core/lib/experiments/config.h +16 -0
  151. data/src/core/lib/experiments/experiments.cc +67 -20
  152. data/src/core/lib/experiments/experiments.h +27 -21
  153. data/src/core/lib/gpr/log_internal.h +55 -0
  154. data/src/core/lib/gprpp/crash.cc +10 -0
  155. data/src/core/lib/gprpp/crash.h +3 -0
  156. data/src/core/lib/gprpp/per_cpu.cc +33 -0
  157. data/src/core/lib/gprpp/per_cpu.h +29 -6
  158. data/src/core/lib/gprpp/time.cc +1 -0
  159. data/src/core/lib/iomgr/cfstream_handle.cc +1 -1
  160. data/src/core/lib/iomgr/endpoint_cfstream.cc +10 -8
  161. data/src/core/lib/iomgr/ev_apple.cc +12 -12
  162. data/src/core/lib/iomgr/ev_epoll1_linux.cc +10 -3
  163. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +15 -1
  164. data/src/core/lib/iomgr/iocp_windows.cc +24 -3
  165. data/src/core/lib/iomgr/iocp_windows.h +11 -0
  166. data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +1 -1
  167. data/src/core/lib/iomgr/socket_utils_common_posix.cc +4 -2
  168. data/src/core/lib/iomgr/socket_windows.cc +61 -7
  169. data/src/core/lib/iomgr/socket_windows.h +9 -2
  170. data/src/core/lib/iomgr/tcp_client_cfstream.cc +14 -3
  171. data/src/core/lib/iomgr/tcp_server_posix.cc +156 -140
  172. data/src/core/lib/iomgr/tcp_server_utils_posix.h +1 -13
  173. data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +0 -21
  174. data/src/core/lib/iomgr/tcp_server_windows.cc +1 -1
  175. data/src/core/lib/json/json.h +2 -166
  176. data/src/core/lib/json/json_object_loader.cc +8 -9
  177. data/src/core/lib/json/json_object_loader.h +25 -18
  178. data/src/core/lib/json/json_reader.cc +13 -6
  179. data/src/core/lib/json/json_util.cc +6 -11
  180. data/src/core/lib/json/json_writer.cc +7 -8
  181. data/src/core/lib/load_balancing/lb_policy.h +13 -0
  182. data/src/core/lib/load_balancing/lb_policy_registry.cc +2 -1
  183. data/src/core/lib/matchers/matchers.cc +3 -4
  184. data/src/core/lib/matchers/matchers.h +2 -1
  185. data/src/core/lib/promise/activity.cc +5 -0
  186. data/src/core/lib/promise/activity.h +10 -0
  187. data/src/core/lib/promise/detail/promise_factory.h +1 -1
  188. data/src/core/lib/promise/party.cc +31 -13
  189. data/src/core/lib/promise/party.h +11 -2
  190. data/src/core/lib/promise/pipe.h +9 -2
  191. data/src/core/lib/promise/prioritized_race.h +95 -0
  192. data/src/core/lib/promise/sleep.cc +2 -1
  193. data/src/core/lib/resolver/server_address.cc +0 -8
  194. data/src/core/lib/resolver/server_address.h +0 -6
  195. data/src/core/lib/resource_quota/memory_quota.cc +7 -7
  196. data/src/core/lib/resource_quota/memory_quota.h +1 -2
  197. data/src/core/lib/security/authorization/audit_logging.cc +98 -0
  198. data/src/core/lib/security/authorization/audit_logging.h +73 -0
  199. data/src/core/lib/security/authorization/grpc_authorization_engine.cc +47 -2
  200. data/src/core/lib/security/authorization/grpc_authorization_engine.h +18 -1
  201. data/src/core/lib/security/authorization/rbac_policy.cc +36 -4
  202. data/src/core/lib/security/authorization/rbac_policy.h +19 -2
  203. data/src/core/lib/security/authorization/stdout_logger.cc +75 -0
  204. data/src/core/lib/security/authorization/stdout_logger.h +61 -0
  205. data/src/core/lib/security/certificate_provider/certificate_provider_factory.h +8 -4
  206. data/src/core/lib/security/certificate_provider/certificate_provider_registry.cc +8 -18
  207. data/src/core/lib/security/certificate_provider/certificate_provider_registry.h +14 -8
  208. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +19 -12
  209. data/src/core/lib/security/credentials/external/external_account_credentials.cc +4 -2
  210. data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -0
  211. data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -0
  212. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +1 -0
  213. data/src/core/lib/security/credentials/jwt/json_token.cc +15 -14
  214. data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +4 -2
  215. data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +1 -0
  216. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +1 -0
  217. data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +1 -5
  218. data/src/core/lib/security/util/json_util.cc +1 -0
  219. data/src/core/lib/service_config/service_config_call_data.h +49 -20
  220. data/src/core/lib/service_config/service_config_impl.cc +2 -1
  221. data/src/core/lib/surface/call.cc +38 -23
  222. data/src/core/lib/surface/completion_queue.cc +6 -2
  223. data/src/core/lib/surface/validate_metadata.cc +22 -37
  224. data/src/core/lib/surface/validate_metadata.h +3 -13
  225. data/src/core/lib/surface/version.cc +2 -2
  226. data/src/core/lib/transport/batch_builder.cc +15 -12
  227. data/src/core/lib/transport/batch_builder.h +39 -35
  228. data/src/core/plugin_registry/grpc_plugin_registry.cc +0 -2
  229. data/src/core/plugin_registry/grpc_plugin_registry_extra.cc +2 -0
  230. data/src/ruby/ext/grpc/extconf.rb +8 -9
  231. data/src/ruby/lib/grpc/version.rb +1 -1
  232. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +9 -8
  233. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +1 -1
  234. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +3 -3
  235. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +10 -6
  236. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +7 -4
  237. data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +6 -4
  238. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +2 -1
  239. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +5 -9
  240. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +4 -2
  241. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +31 -22
  242. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +29 -26
  243. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +8 -0
  244. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +189 -13
  245. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_openbsd.c +62 -0
  246. data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_openbsd.c +31 -0
  247. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +6 -4
  248. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_tables.h +795 -795
  249. data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -5
  250. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +4 -0
  251. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +18 -6
  252. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +15 -7
  253. data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +1 -1
  254. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +1 -1
  255. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +1 -0
  256. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +3 -0
  257. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +24 -24
  258. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +1 -1
  259. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +7 -7
  260. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +74 -74
  261. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +1 -2
  262. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +11 -11
  263. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +12 -12
  264. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +14 -15
  265. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +1 -1
  266. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +10 -10
  267. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +23 -23
  268. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +13 -13
  269. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +1 -1
  270. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +2 -2
  271. data/third_party/boringssl-with-bazel/src/crypto/{hkdf → fipsmodule/hkdf}/hkdf.c +1 -1
  272. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +2 -10
  273. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +1 -4
  274. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +115 -133
  275. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +12 -14
  276. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +57 -47
  277. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -8
  278. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/polyval.c +27 -28
  279. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -23
  280. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +21 -16
  281. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +5 -288
  282. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +143 -83
  283. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +95 -183
  284. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +71 -0
  285. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/internal.h +8 -0
  286. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +33 -0
  287. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +162 -6
  288. data/third_party/boringssl-with-bazel/src/crypto/internal.h +18 -0
  289. data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +18 -11
  290. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +6 -13
  291. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +18 -14
  292. data/third_party/boringssl-with-bazel/src/crypto/{refcount_lock.c → refcount_no_threads.c} +3 -13
  293. data/third_party/boringssl-with-bazel/src/crypto/refcount_win.c +89 -0
  294. data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/internal.h +77 -0
  295. data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_crypt.c +568 -0
  296. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +62 -0
  297. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +218 -44
  298. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +35 -0
  299. data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +588 -39
  300. data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +27 -18
  301. data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +1 -1
  302. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +17 -39
  303. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +39 -48
  304. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +0 -140
  305. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +72 -23
  306. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +11 -14
  307. data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +1 -1
  308. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
  309. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +1 -1
  310. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +33 -46
  311. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +1 -0
  312. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +3 -5
  313. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +14 -46
  314. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +14 -26
  315. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +17 -10
  316. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1 -1
  317. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +5 -7
  318. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +6 -4
  319. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +32 -1
  320. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +0 -4
  321. data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +1 -4
  322. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +3 -3
  323. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +28 -0
  324. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +2 -11
  325. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -3
  326. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +91 -1
  327. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +5 -0
  328. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +149 -20
  329. data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +4 -0
  330. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +4 -0
  331. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +8 -0
  332. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +774 -615
  333. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +42 -10
  334. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +11 -6
  335. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +2 -4
  336. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +24 -16
  337. data/third_party/boringssl-with-bazel/src/ssl/internal.h +65 -18
  338. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +37 -18
  339. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +187 -193
  340. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +13 -129
  341. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +85 -10
  342. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +17 -4
  343. data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +27 -19
  344. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +1 -1
  345. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +5 -21
  346. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +5 -2
  347. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64_msvc.h +1281 -0
  348. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64_msvc.h +2002 -0
  349. data/third_party/cares/cares/include/ares.h +23 -1
  350. data/third_party/cares/cares/{src/lib → include}/ares_nameser.h +9 -7
  351. data/third_party/cares/cares/include/ares_rules.h +2 -2
  352. data/third_party/cares/cares/include/ares_version.h +3 -3
  353. data/third_party/cares/cares/src/lib/ares__addrinfo2hostent.c +266 -0
  354. data/third_party/cares/cares/src/lib/ares__addrinfo_localhost.c +240 -0
  355. data/third_party/cares/cares/src/lib/ares__parse_into_addrinfo.c +49 -80
  356. data/third_party/cares/cares/src/lib/ares__readaddrinfo.c +37 -43
  357. data/third_party/cares/cares/src/lib/ares__sortaddrinfo.c +12 -4
  358. data/third_party/cares/cares/src/lib/ares_data.c +16 -0
  359. data/third_party/cares/cares/src/lib/ares_data.h +7 -0
  360. data/third_party/cares/cares/src/lib/ares_destroy.c +8 -0
  361. data/third_party/cares/cares/src/lib/ares_expand_name.c +17 -6
  362. data/third_party/cares/cares/src/lib/ares_freeaddrinfo.c +1 -0
  363. data/third_party/cares/cares/src/lib/ares_getaddrinfo.c +156 -78
  364. data/third_party/cares/cares/src/lib/ares_gethostbyname.c +130 -326
  365. data/third_party/cares/cares/src/lib/ares_init.c +97 -485
  366. data/third_party/cares/cares/src/lib/ares_library_init.c +2 -89
  367. data/third_party/cares/cares/src/lib/ares_parse_a_reply.c +23 -142
  368. data/third_party/cares/cares/src/lib/ares_parse_aaaa_reply.c +22 -142
  369. data/third_party/cares/cares/src/lib/ares_parse_uri_reply.c +184 -0
  370. data/third_party/cares/cares/src/lib/ares_private.h +30 -16
  371. data/third_party/cares/cares/src/lib/ares_process.c +55 -16
  372. data/third_party/cares/cares/src/lib/ares_query.c +1 -35
  373. data/third_party/cares/cares/src/lib/ares_rand.c +279 -0
  374. data/third_party/cares/cares/src/lib/ares_send.c +5 -7
  375. data/third_party/cares/cares/src/lib/ares_strdup.c +12 -19
  376. data/third_party/cares/cares/src/lib/ares_strsplit.c +44 -128
  377. data/third_party/cares/cares/src/lib/ares_strsplit.h +9 -10
  378. data/third_party/cares/cares/src/lib/inet_net_pton.c +78 -116
  379. data/third_party/cares/cares/src/tools/ares_getopt.h +53 -0
  380. metadata +50 -16
  381. data/src/core/ext/filters/client_channel/health/health_check_client.cc +0 -175
  382. data/src/core/ext/filters/client_channel/health/health_check_client.h +0 -43
  383. data/src/core/ext/transport/chttp2/transport/hpack_parse_result.cc +0 -176
  384. data/src/core/ext/transport/chttp2/transport/hpack_parse_result.h +0 -325
  385. data/third_party/cares/cares/src/lib/ares_library_init.h +0 -43
@@ -57,14 +57,6 @@ ServerAddress::ServerAddress(
57
57
  std::map<const char*, std::unique_ptr<AttributeInterface>> attributes)
58
58
  : address_(address), args_(args), attributes_(std::move(attributes)) {}
59
59
 
60
- ServerAddress::ServerAddress(
61
- const void* address, size_t address_len, const ChannelArgs& args,
62
- std::map<const char*, std::unique_ptr<AttributeInterface>> attributes)
63
- : args_(args), attributes_(std::move(attributes)) {
64
- memcpy(address_.addr, address, address_len);
65
- address_.len = static_cast<socklen_t>(address_len);
66
- }
67
-
68
60
  ServerAddress::ServerAddress(const ServerAddress& other)
69
61
  : address_(other.address_), args_(other.args_) {
70
62
  for (const auto& p : other.attributes_) {
@@ -21,7 +21,6 @@
21
21
 
22
22
  #include <grpc/support/port_platform.h>
23
23
 
24
- #include <stddef.h>
25
24
  #include <stdint.h>
26
25
 
27
26
  #include <map>
@@ -65,14 +64,9 @@ class ServerAddress {
65
64
  virtual std::string ToString() const = 0;
66
65
  };
67
66
 
68
- // Takes ownership of args.
69
67
  ServerAddress(const grpc_resolved_address& address, const ChannelArgs& args,
70
68
  std::map<const char*, std::unique_ptr<AttributeInterface>>
71
69
  attributes = {});
72
- ServerAddress(const void* address, size_t address_len,
73
- const ChannelArgs& args,
74
- std::map<const char*, std::unique_ptr<AttributeInterface>>
75
- attributes = {});
76
70
 
77
71
  // Copyable.
78
72
  ServerAddress(const ServerAddress& other);
@@ -453,7 +453,7 @@ void BasicMemoryQuota::AddNewAllocator(GrpcMemoryAllocatorImpl* allocator) {
453
453
  AllocatorBucket::Shard& shard = small_allocators_.SelectShard(allocator);
454
454
 
455
455
  {
456
- absl::MutexLock l(&shard.shard_mu);
456
+ MutexLock l(&shard.shard_mu);
457
457
  shard.allocators.emplace(allocator);
458
458
  }
459
459
  }
@@ -467,7 +467,7 @@ void BasicMemoryQuota::RemoveAllocator(GrpcMemoryAllocatorImpl* allocator) {
467
467
  small_allocators_.SelectShard(allocator);
468
468
 
469
469
  {
470
- absl::MutexLock l(&small_shard.shard_mu);
470
+ MutexLock l(&small_shard.shard_mu);
471
471
  if (small_shard.allocators.erase(allocator) == 1) {
472
472
  return;
473
473
  }
@@ -476,7 +476,7 @@ void BasicMemoryQuota::RemoveAllocator(GrpcMemoryAllocatorImpl* allocator) {
476
476
  AllocatorBucket::Shard& big_shard = big_allocators_.SelectShard(allocator);
477
477
 
478
478
  {
479
- absl::MutexLock l(&big_shard.shard_mu);
479
+ MutexLock l(&big_shard.shard_mu);
480
480
  big_shard.allocators.erase(allocator);
481
481
  }
482
482
  }
@@ -513,14 +513,14 @@ void BasicMemoryQuota::MaybeMoveAllocatorBigToSmall(
513
513
  AllocatorBucket::Shard& old_shard = big_allocators_.SelectShard(allocator);
514
514
 
515
515
  {
516
- absl::MutexLock l(&old_shard.shard_mu);
516
+ MutexLock l(&old_shard.shard_mu);
517
517
  if (old_shard.allocators.erase(allocator) == 0) return;
518
518
  }
519
519
 
520
520
  AllocatorBucket::Shard& new_shard = small_allocators_.SelectShard(allocator);
521
521
 
522
522
  {
523
- absl::MutexLock l(&new_shard.shard_mu);
523
+ MutexLock l(&new_shard.shard_mu);
524
524
  new_shard.allocators.emplace(allocator);
525
525
  }
526
526
  }
@@ -534,14 +534,14 @@ void BasicMemoryQuota::MaybeMoveAllocatorSmallToBig(
534
534
  AllocatorBucket::Shard& old_shard = small_allocators_.SelectShard(allocator);
535
535
 
536
536
  {
537
- absl::MutexLock l(&old_shard.shard_mu);
537
+ MutexLock l(&old_shard.shard_mu);
538
538
  if (old_shard.allocators.erase(allocator) == 0) return;
539
539
  }
540
540
 
541
541
  AllocatorBucket::Shard& new_shard = big_allocators_.SelectShard(allocator);
542
542
 
543
543
  {
544
- absl::MutexLock l(&new_shard.shard_mu);
544
+ MutexLock l(&new_shard.shard_mu);
545
545
  new_shard.allocators.emplace(allocator);
546
546
  }
547
547
  }
@@ -30,7 +30,6 @@
30
30
  #include "absl/base/thread_annotations.h"
31
31
  #include "absl/container/flat_hash_set.h"
32
32
  #include "absl/strings/string_view.h"
33
- #include "absl/synchronization/mutex.h"
34
33
  #include "absl/types/optional.h"
35
34
 
36
35
  #include <grpc/event_engine/memory_allocator.h>
@@ -340,7 +339,7 @@ class BasicMemoryQuota final
340
339
  struct Shard {
341
340
  absl::flat_hash_set<GrpcMemoryAllocatorImpl*> allocators
342
341
  ABSL_GUARDED_BY(shard_mu);
343
- absl::Mutex shard_mu;
342
+ Mutex shard_mu;
344
343
  };
345
344
 
346
345
  Shard& SelectShard(void* key) {
@@ -0,0 +1,98 @@
1
+ //
2
+ //
3
+ // Copyright 2023 gRPC authors.
4
+ //
5
+ // Licensed under the Apache License, Version 2.0 (the "License");
6
+ // you may not use this file except in compliance with the License.
7
+ // You may obtain a copy of the License at
8
+ //
9
+ // http://www.apache.org/licenses/LICENSE-2.0
10
+ //
11
+ // Unless required by applicable law or agreed to in writing, software
12
+ // distributed under the License is distributed on an "AS IS" BASIS,
13
+ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ // See the License for the specific language governing permissions and
15
+ // limitations under the License.
16
+ //
17
+ //
18
+
19
+ #include <grpc/support/port_platform.h>
20
+
21
+ #include "src/core/lib/security/authorization/audit_logging.h"
22
+
23
+ #include <initializer_list>
24
+ #include <map>
25
+ #include <memory>
26
+ #include <utility>
27
+
28
+ #include "absl/status/status.h"
29
+ #include "absl/status/statusor.h"
30
+ #include "absl/strings/str_format.h"
31
+ #include "absl/strings/string_view.h"
32
+
33
+ #include <grpc/grpc_audit_logging.h>
34
+ #include <grpc/support/json.h>
35
+ #include <grpc/support/log.h>
36
+
37
+ #include "src/core/lib/gprpp/sync.h"
38
+ #include "src/core/lib/security/authorization/stdout_logger.h"
39
+
40
+ namespace grpc_core {
41
+ namespace experimental {
42
+
43
+ Mutex* AuditLoggerRegistry::mu = new Mutex();
44
+
45
+ AuditLoggerRegistry* AuditLoggerRegistry::registry = new AuditLoggerRegistry();
46
+
47
+ AuditLoggerRegistry::AuditLoggerRegistry() {
48
+ auto factory = std::make_unique<StdoutAuditLoggerFactory>();
49
+ absl::string_view name = factory->name();
50
+ GPR_ASSERT(logger_factories_map_.emplace(name, std::move(factory)).second);
51
+ }
52
+
53
+ void AuditLoggerRegistry::RegisterFactory(
54
+ std::unique_ptr<AuditLoggerFactory> factory) {
55
+ GPR_ASSERT(factory != nullptr);
56
+ MutexLock lock(mu);
57
+ absl::string_view name = factory->name();
58
+ GPR_ASSERT(
59
+ registry->logger_factories_map_.emplace(name, std::move(factory)).second);
60
+ }
61
+
62
+ bool AuditLoggerRegistry::FactoryExists(absl::string_view name) {
63
+ MutexLock lock(mu);
64
+ return registry->logger_factories_map_.find(name) !=
65
+ registry->logger_factories_map_.end();
66
+ }
67
+
68
+ absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
69
+ AuditLoggerRegistry::ParseConfig(absl::string_view name, const Json& json) {
70
+ MutexLock lock(mu);
71
+ auto it = registry->logger_factories_map_.find(name);
72
+ if (it == registry->logger_factories_map_.end()) {
73
+ return absl::NotFoundError(
74
+ absl::StrFormat("audit logger factory for %s does not exist", name));
75
+ }
76
+ return it->second->ParseAuditLoggerConfig(json);
77
+ }
78
+
79
+ std::unique_ptr<AuditLogger> AuditLoggerRegistry::CreateAuditLogger(
80
+ std::unique_ptr<AuditLoggerFactory::Config> config) {
81
+ MutexLock lock(mu);
82
+ auto it = registry->logger_factories_map_.find(config->name());
83
+ GPR_ASSERT(it != registry->logger_factories_map_.end());
84
+ return it->second->CreateAuditLogger(std::move(config));
85
+ }
86
+
87
+ void AuditLoggerRegistry::TestOnlyResetRegistry() {
88
+ MutexLock lock(mu);
89
+ delete registry;
90
+ registry = new AuditLoggerRegistry();
91
+ }
92
+
93
+ void RegisterAuditLoggerFactory(std::unique_ptr<AuditLoggerFactory> factory) {
94
+ AuditLoggerRegistry::RegisterFactory(std::move(factory));
95
+ }
96
+
97
+ } // namespace experimental
98
+ } // namespace grpc_core
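Review bot: `ParseConfig` keeps `mu` locked for the whole call into the factory's virtual `ParseAuditLoggerConfig`, and `CreateAuditLogger` does the same around the factory's `CreateAuditLogger`; since registered factories can come from outside gRPC, a factory that calls back into the registry from either hook (`FactoryExists`, or registering a companion factory) would self-deadlock, assuming `MutexLock` from gprpp/sync.h is the usual non-reentrant wrapper. The header's own contract says factories are never unregistered outside `TestOnlyResetRegistry`, so the lock only needs to cover the map lookup: capture the raw `AuditLoggerFactory*` under the lock and invoke it after the scope closes. The same reshaping applies to `CreateAuditLogger`.
```cpp
absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
AuditLoggerRegistry::ParseConfig(absl::string_view name, const Json& json) {
  AuditLoggerFactory* factory = nullptr;
  {
    MutexLock lock(mu);
    auto it = registry->logger_factories_map_.find(name);
    if (it == registry->logger_factories_map_.end()) {
      return absl::NotFoundError(
          absl::StrFormat("audit logger factory for %s does not exist", name));
    }
    // Factories are never unregistered outside tests, so the raw pointer
    // stays valid after the lock is released.
    factory = it->second.get();
  }
  return factory->ParseAuditLoggerConfig(json);
}
// … unchanged: CreateAuditLogger, with the same lock-scope narrowing …
```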
@@ -0,0 +1,73 @@
1
+ //
2
+ //
3
+ // Copyright 2023 gRPC authors.
4
+ //
5
+ // Licensed under the Apache License, Version 2.0 (the "License");
6
+ // you may not use this file except in compliance with the License.
7
+ // You may obtain a copy of the License at
8
+ //
9
+ // http://www.apache.org/licenses/LICENSE-2.0
10
+ //
11
+ // Unless required by applicable law or agreed to in writing, software
12
+ // distributed under the License is distributed on an "AS IS" BASIS,
13
+ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ // See the License for the specific language governing permissions and
15
+ // limitations under the License.
16
+ //
17
+ //
18
+
19
+ #ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H
20
+ #define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H
21
+
22
+ #include <grpc/support/port_platform.h>
23
+
24
+ #include <map>
25
+ #include <memory>
26
+
27
+ #include "absl/base/thread_annotations.h"
28
+ #include "absl/status/statusor.h"
29
+ #include "absl/strings/string_view.h"
30
+
31
+ #include <grpc/grpc_audit_logging.h>
32
+ #include <grpc/support/json.h>
33
+
34
+ #include "src/core/lib/gprpp/sync.h"
35
+
36
+ namespace grpc_core {
37
+ namespace experimental {
38
+
39
+ class AuditLoggerRegistry {
40
+ public:
41
+ static void RegisterFactory(std::unique_ptr<AuditLoggerFactory>);
42
+
43
+ static bool FactoryExists(absl::string_view name);
44
+
45
+ static absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
46
+ ParseConfig(absl::string_view name, const Json& json);
47
+
48
+ // This assume the given config is parsed and validated already.
49
+ // Therefore, it should always succeed in creating a logger.
50
+ static std::unique_ptr<AuditLogger> CreateAuditLogger(
51
+ std::unique_ptr<AuditLoggerFactory::Config>);
52
+
53
+ // Factories are registered during initialization. They should never be
54
+ // unregistered since they will be looked up at any time till the program
55
+ // exits. This function should only be used in tests to clear the registry.
56
+ static void TestOnlyResetRegistry();
57
+
58
+ private:
59
+ AuditLoggerRegistry();
60
+
61
+ static Mutex* mu;
62
+
63
+ static AuditLoggerRegistry* registry ABSL_GUARDED_BY(mu);
64
+
65
+ // The key is owned by the factory.
66
+ std::map<absl::string_view, std::unique_ptr<AuditLoggerFactory>>
67
+ logger_factories_map_ ABSL_GUARDED_BY(mu);
68
+ };
69
+
70
+ } // namespace experimental
71
+ } // namespace grpc_core
72
+
73
+ #endif // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H
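Review bot: `RegisterFactory` has a failure mode the header does not mention: the .cc side `GPR_ASSERT`s on a null factory and on a name that is already registered, so a second registration under the same name aborts the process rather than returning an error, and this is reachable through the public `RegisterAuditLoggerFactory` wrapper. A one-line comment above the declaration would let integrators plan for it: `// Aborts (GPR_ASSERT) if factory is null or a factory with the same name is already registered; use FactoryExists() to probe first.` While there, the comment on `CreateAuditLogger` should read `// This assumes the given config is parsed and validated already.`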
@@ -20,10 +20,35 @@
20
20
  #include <map>
21
21
  #include <utility>
22
22
 
23
+ #include <grpc/support/log.h>
24
+
25
+ #include "src/core/lib/security/authorization/audit_logging.h"
26
+ #include "src/core/lib/security/authorization/authorization_engine.h"
27
+
23
28
  namespace grpc_core {
24
29
 
30
+ using experimental::AuditContext;
31
+ using experimental::AuditLoggerRegistry;
32
+
33
+ namespace {
34
+
35
+ using Decision = AuthorizationEngine::Decision;
36
+
37
+ bool ShouldLog(const Decision& decision,
38
+ const Rbac::AuditCondition& condition) {
39
+ return condition == Rbac::AuditCondition::kOnDenyAndAllow ||
40
+ (decision.type == Decision::Type::kAllow &&
41
+ condition == Rbac::AuditCondition::kOnAllow) ||
42
+ (decision.type == Decision::Type::kDeny &&
43
+ condition == Rbac::AuditCondition::kOnDeny);
44
+ }
45
+
46
+ } // namespace
47
+
25
48
  GrpcAuthorizationEngine::GrpcAuthorizationEngine(Rbac policy)
26
- : action_(policy.action) {
49
+ : name_(std::move(policy.name)),
50
+ action_(policy.action),
51
+ audit_condition_(policy.audit_condition) {
27
52
  for (auto& sub_policy : policy.policies) {
28
53
  Policy policy;
29
54
  policy.name = sub_policy.first;
@@ -31,16 +56,29 @@ GrpcAuthorizationEngine::GrpcAuthorizationEngine(Rbac policy)
31
56
  std::move(sub_policy.second));
32
57
  policies_.push_back(std::move(policy));
33
58
  }
59
+ for (auto& logger_config : policy.logger_configs) {
60
+ auto logger =
61
+ AuditLoggerRegistry::CreateAuditLogger(std::move(logger_config));
62
+ GPR_ASSERT(logger != nullptr);
63
+ audit_loggers_.push_back(std::move(logger));
64
+ }
34
65
  }
35
66
 
36
67
  GrpcAuthorizationEngine::GrpcAuthorizationEngine(
37
68
  GrpcAuthorizationEngine&& other) noexcept
38
- : action_(other.action_), policies_(std::move(other.policies_)) {}
69
+ : name_(std::move(other.name_)),
70
+ action_(other.action_),
71
+ policies_(std::move(other.policies_)),
72
+ audit_condition_(other.audit_condition_),
73
+ audit_loggers_(std::move(other.audit_loggers_)) {}
39
74
 
40
75
  GrpcAuthorizationEngine& GrpcAuthorizationEngine::operator=(
41
76
  GrpcAuthorizationEngine&& other) noexcept {
77
+ name_ = std::move(other.name_);
42
78
  action_ = other.action_;
43
79
  policies_ = std::move(other.policies_);
80
+ audit_condition_ = other.audit_condition_;
81
+ audit_loggers_ = std::move(other.audit_loggers_);
44
82
  return *this;
45
83
  }
46
84
 
@@ -58,6 +96,13 @@ AuthorizationEngine::Decision GrpcAuthorizationEngine::Evaluate(
58
96
  decision.type = (matches == (action_ == Rbac::Action::kAllow))
59
97
  ? Decision::Type::kAllow
60
98
  : Decision::Type::kDeny;
99
+ if (ShouldLog(decision, audit_condition_)) {
100
+ for (auto& logger : audit_loggers_) {
101
+ logger->Log(AuditContext(args.GetPath(), args.GetSpiffeId(), name_,
102
+ decision.matching_policy_name,
103
+ decision.type == Decision::Type::kAllow));
104
+ }
105
+ }
61
106
  return decision;
62
107
  }
63
108
 
@@ -23,6 +23,8 @@
23
23
  #include <string>
24
24
  #include <vector>
25
25
 
26
+ #include <grpc/grpc_audit_logging.h>
27
+
26
28
  #include "src/core/lib/security/authorization/authorization_engine.h"
27
29
  #include "src/core/lib/security/authorization/evaluate_args.h"
28
30
  #include "src/core/lib/security/authorization/matchers.h"
@@ -30,6 +32,8 @@
30
32
 
31
33
  namespace grpc_core {
32
34
 
35
+ using experimental::AuditLogger;
36
+
33
37
  // GrpcAuthorizationEngine can be either an Allow engine or Deny engine. This
34
38
  // engine makes authorization decisions to Allow or Deny incoming RPC request
35
39
  // based on permission and principal configs in the provided RBAC policy and the
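Review bot: `using experimental::AuditLogger;` is a namespace-scope using-declaration in a header, so every translation unit that includes grpc_authorization_engine.h now has `grpc_core::AuditLogger` injected into it, and a later non-experimental `AuditLogger` in `grpc_core` would become ambiguous for all of them. The header is the only place that needs the name, in the accessor and the member, and rbac.h in this same change already spells the sibling type out as `experimental::AuditLoggerFactory::Config`. Dropping the using-declaration and writing `const std::vector<std::unique_ptr<experimental::AuditLogger>>& audit_loggers() const {` and `std::vector<std::unique_ptr<experimental::AuditLogger>> audit_loggers_;` keeps the two headers consistent.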
@@ -39,7 +43,8 @@ namespace grpc_core {
39
43
  class GrpcAuthorizationEngine : public AuthorizationEngine {
40
44
  public:
41
45
  // Builds GrpcAuthorizationEngine without any policies.
42
- explicit GrpcAuthorizationEngine(Rbac::Action action) : action_(action) {}
46
+ explicit GrpcAuthorizationEngine(Rbac::Action action)
47
+ : action_(action), audit_condition_(Rbac::AuditCondition::kNone) {}
43
48
  // Builds GrpcAuthorizationEngine with allow/deny RBAC policy.
44
49
  explicit GrpcAuthorizationEngine(Rbac policy);
45
50
 
@@ -51,6 +56,14 @@ class GrpcAuthorizationEngine : public AuthorizationEngine {
51
56
  // Required only for testing purpose.
52
57
  size_t num_policies() const { return policies_.size(); }
53
58
 
59
+ // Required only for testing purpose.
60
+ Rbac::AuditCondition audit_condition() const { return audit_condition_; }
61
+
62
+ // Required only for testing purpose.
63
+ const std::vector<std::unique_ptr<AuditLogger>>& audit_loggers() const {
64
+ return audit_loggers_;
65
+ }
66
+
54
67
  // Evaluates incoming request against RBAC policy and makes a decision to
55
68
  // whether allow/deny this request.
56
69
  Decision Evaluate(const EvaluateArgs& args) const override;
@@ -60,8 +73,12 @@ class GrpcAuthorizationEngine : public AuthorizationEngine {
60
73
  std::string name;
61
74
  std::unique_ptr<AuthorizationMatcher> matcher;
62
75
  };
76
+
77
+ std::string name_;
63
78
  Rbac::Action action_;
64
79
  std::vector<Policy> policies_;
80
+ Rbac::AuditCondition audit_condition_;
81
+ std::vector<std::unique_ptr<AuditLogger>> audit_loggers_;
65
82
  };
66
83
 
67
84
  } // namespace grpc_core
@@ -22,6 +22,7 @@
22
22
 
23
23
  #include "absl/strings/str_format.h"
24
24
  #include "absl/strings/str_join.h"
25
+ #include "absl/strings/string_view.h"
25
26
 
26
27
  namespace grpc_core {
27
28
 
@@ -29,26 +30,57 @@ namespace grpc_core {
29
30
  // Rbac
30
31
  //
31
32
 
32
- Rbac::Rbac(Rbac::Action action, std::map<std::string, Policy> policies)
33
- : action(action), policies(std::move(policies)) {}
33
+ Rbac::Rbac(std::string name, Rbac::Action action,
34
+ std::map<std::string, Policy> policies)
35
+ : name(std::move(name)),
36
+ action(action),
37
+ policies(std::move(policies)),
38
+ audit_condition(Rbac::AuditCondition::kNone) {}
34
39
 
35
40
  Rbac::Rbac(Rbac&& other) noexcept
36
- : action(other.action), policies(std::move(other.policies)) {}
41
+ : name(std::move(other.name)),
42
+ action(other.action),
43
+ policies(std::move(other.policies)),
44
+ audit_condition(other.audit_condition),
45
+ logger_configs(std::move(other.logger_configs)) {}
37
46
 
38
47
  Rbac& Rbac::operator=(Rbac&& other) noexcept {
48
+ name = std::move(other.name);
39
49
  action = other.action;
40
50
  policies = std::move(other.policies);
51
+ audit_condition = other.audit_condition;
52
+ logger_configs = std::move(other.logger_configs);
41
53
  return *this;
42
54
  }
43
55
 
44
56
  std::string Rbac::ToString() const {
45
57
  std::vector<std::string> contents;
58
+ absl::string_view condition_str;
59
+ switch (audit_condition) {
60
+ case Rbac::AuditCondition::kNone:
61
+ condition_str = "None";
62
+ break;
63
+ case AuditCondition::kOnDeny:
64
+ condition_str = "OnDeny";
65
+ break;
66
+ case AuditCondition::kOnAllow:
67
+ condition_str = "OnAllow";
68
+ break;
69
+ case AuditCondition::kOnDenyAndAllow:
70
+ condition_str = "OnDenyAndAllow";
71
+ break;
72
+ }
46
73
  contents.push_back(absl::StrFormat(
47
- "Rbac action=%s{", action == Rbac::Action::kAllow ? "Allow" : "Deny"));
74
+ "Rbac name=%s action=%s audit_condition=%s{", name,
75
+ action == Rbac::Action::kAllow ? "Allow" : "Deny", condition_str));
48
76
  for (const auto& p : policies) {
49
77
  contents.push_back(absl::StrFormat("{\n policy_name=%s\n%s\n}", p.first,
50
78
  p.second.ToString()));
51
79
  }
80
+ for (const auto& config : logger_configs) {
81
+ contents.push_back(absl::StrFormat("{\n audit_logger=%s\n%s\n}",
82
+ config->name(), config->ToString()));
83
+ }
52
84
  contents.push_back("}");
53
85
  return absl::StrJoin(contents, "\n");
54
86
  }
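Review bot: The first label of the new switch in `ToString` is written `case Rbac::AuditCondition::kNone:` while the three that follow use `AuditCondition::kOnDeny`, `AuditCondition::kOnAllow` and `AuditCondition::kOnDenyAndAllow`; inside a `Rbac` member function the `Rbac::` prefix is redundant, and the mixed spelling reads as if the cases came from different enums. Changing the first label to `case AuditCondition::kNone:` makes the four cases uniform. The `audit_condition(Rbac::AuditCondition::kNone)` initializer in the three-argument constructor above can be shortened the same way.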
@@ -26,18 +26,27 @@
26
26
 
27
27
  #include "absl/types/optional.h"
28
28
 
29
+ #include <grpc/grpc_audit_logging.h>
30
+
29
31
  #include "src/core/lib/matchers/matchers.h"
30
32
 
31
33
  namespace grpc_core {
32
34
 
33
35
  // Represents Envoy RBAC Proto. [See
34
- // https://github.com/envoyproxy/envoy/blob/release/v1.17/api/envoy/config/rbac/v3/rbac.proto]
36
+ // https://github.com/envoyproxy/envoy/blob/release/v1.26/api/envoy/config/rbac/v3/rbac.proto]
35
37
  struct Rbac {
36
38
  enum class Action {
37
39
  kAllow,
38
40
  kDeny,
39
41
  };
40
42
 
43
+ enum class AuditCondition {
44
+ kNone,
45
+ kOnDeny,
46
+ kOnAllow,
47
+ kOnDenyAndAllow,
48
+ };
49
+
41
50
  struct CidrRange {
42
51
  CidrRange() = default;
43
52
  CidrRange(std::string address_prefix, uint32_t prefix_len);
@@ -162,15 +171,23 @@ struct Rbac {
162
171
  };
163
172
 
164
173
  Rbac() = default;
165
- Rbac(Rbac::Action action, std::map<std::string, Policy> policies);
174
+ Rbac(std::string name, Rbac::Action action,
175
+ std::map<std::string, Policy> policies);
166
176
 
167
177
  Rbac(Rbac&& other) noexcept;
168
178
  Rbac& operator=(Rbac&& other) noexcept;
169
179
 
170
180
  std::string ToString() const;
171
181
 
182
+ // The authorization policy name or the HTTP RBAC filter name.
183
+ std::string name;
184
+
172
185
  Action action;
173
186
  std::map<std::string, Policy> policies;
187
+
188
+ AuditCondition audit_condition;
189
+ std::vector<std::unique_ptr<experimental::AuditLoggerFactory::Config>>
190
+ logger_configs;
174
191
  };
175
192
 
176
193
  } // namespace grpc_core
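Review bot: `AuditCondition audit_condition;` is added without an in-class initializer while `Rbac() = default;` remains the default constructor, so a default-constructed `Rbac` carries an indeterminate `audit_condition`; the three-argument constructor in rbac.cc sets it to `kNone`, but the defaulted one does not, and the value is later read by the `switch` in `ToString` and by `ShouldLog` in the authorization engine. The engine's own `Rbac::Action` constructor initialises `audit_condition_` explicitly, so the gap is specific to this struct. A default member initializer closes it regardless of which constructor runs: `AuditCondition audit_condition = AuditCondition::kNone;`. The pre-existing `Action action;` on the line above has the same shape and would benefit from the same treatment, though that is not new in this change.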
@@ -0,0 +1,75 @@
1
+ // Copyright 2023 gRPC authors.
2
+ //
3
+ // Licensed under the Apache License, Version 2.0 (the "License");
4
+ // you may not use this file except in compliance with the License.
5
+ // You may obtain a copy of the License at
6
+ //
7
+ // http://www.apache.org/licenses/LICENSE-2.0
8
+ //
9
+ // Unless required by applicable law or agreed to in writing, software
10
+ // distributed under the License is distributed on an "AS IS" BASIS,
11
+ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ // See the License for the specific language governing permissions and
13
+ // limitations under the License.
14
+
15
+ #include <grpc/support/port_platform.h>
16
+
17
+ #include "src/core/lib/security/authorization/stdout_logger.h"
18
+
19
+ #include <cstdio>
20
+ #include <initializer_list>
21
+ #include <memory>
22
+ #include <string>
23
+
24
+ #include "absl/status/statusor.h"
25
+ #include "absl/strings/str_format.h"
26
+ #include "absl/strings/string_view.h"
27
+ #include "absl/time/clock.h"
28
+ #include "absl/time/time.h"
29
+
30
+ #include <grpc/grpc_audit_logging.h>
31
+ #include <grpc/support/json.h>
32
+ #include <grpc/support/log.h>
33
+
34
+ namespace grpc_core {
35
+ namespace experimental {
36
+
37
+ namespace {
38
+
39
+ constexpr absl::string_view kName = "stdout_logger";
40
+ constexpr char kLogFormat[] =
41
+ "{\"grpc_audit_log\":{\"timestamp\":\"%s\",\"rpc_method\":\"%s\","
42
+ "\"principal\":\"%s\",\"policy_name\":\"%s\",\"matched_rule\":\"%s\","
43
+ "\"authorized\":%s}}\n";
44
+
45
+ } // namespace
46
+
47
+ void StdoutAuditLogger::Log(const AuditContext& context) {
48
+ absl::FPrintF(stdout, kLogFormat, absl::FormatTime(absl::Now()),
49
+ context.rpc_method(), context.principal(),
50
+ context.policy_name(), context.matched_rule(),
51
+ context.authorized() ? "true" : "false");
52
+ }
53
+
54
+ absl::string_view StdoutAuditLoggerFactory::Config::name() const {
55
+ return kName;
56
+ }
57
+
58
+ std::string StdoutAuditLoggerFactory::Config::ToString() const { return "{}"; }
59
+
60
+ absl::string_view StdoutAuditLoggerFactory::name() const { return kName; }
61
+
62
+ absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
63
+ StdoutAuditLoggerFactory::ParseAuditLoggerConfig(const Json&) {
64
+ return std::make_unique<StdoutAuditLoggerFactory::Config>();
65
+ }
66
+
67
+ std::unique_ptr<AuditLogger> StdoutAuditLoggerFactory::CreateAuditLogger(
68
+ std::unique_ptr<AuditLoggerFactory::Config> config) {
69
+ // Sanity check.
70
+ GPR_ASSERT(config != nullptr && config->name() == name());
71
+ return std::make_unique<StdoutAuditLogger>();
72
+ }
73
+
74
+ } // namespace experimental
75
+ } // namespace grpc_core
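Review bot: The four request-derived strings that `Log` interpolates with `%s` (`rpc_method`, `principal`, `policy_name`, `matched_rule`) go into the JSON template in `kLogFormat` unescaped, so a method path or principal containing `"`, `\` or a newline produces a malformed record, or one that a consumer reads as two records — a log-injection issue for anything that parses the audit stream. A printf template cannot express the escaping, so the fix is to build the record as a `Json` object (the type is already included via `<grpc/support/json.h>`) and serialize that, or to JSON-escape each value before the `absl::FPrintF`; the timestamp and the `true`/`false` literal are fine as they stand. A comment on `kLogFormat` stating that every `%s` must receive an already-escaped value would document the contract either way.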
@@ -0,0 +1,61 @@
1
+ // Copyright 2023 gRPC authors.
2
+ //
3
+ // Licensed under the Apache License, Version 2.0 (the "License");
4
+ // you may not use this file except in compliance with the License.
5
+ // You may obtain a copy of the License at
6
+ //
7
+ // http://www.apache.org/licenses/LICENSE-2.0
8
+ //
9
+ // Unless required by applicable law or agreed to in writing, software
10
+ // distributed under the License is distributed on an "AS IS" BASIS,
11
+ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ // See the License for the specific language governing permissions and
13
+ // limitations under the License.
14
+
15
+ #ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_STDOUT_LOGGER_H
16
+ #define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_STDOUT_LOGGER_H
17
+
18
+ #include <grpc/support/port_platform.h>
19
+
20
+ #include <memory>
21
+ #include <string>
22
+
23
+ #include "absl/status/statusor.h"
24
+ #include "absl/strings/string_view.h"
25
+
26
+ #include <grpc/grpc_audit_logging.h>
27
+ #include <grpc/support/json.h>
28
+
29
+ namespace grpc_core {
30
+ namespace experimental {
31
+
32
+ class StdoutAuditLogger : public AuditLogger {
33
+ public:
34
+ StdoutAuditLogger() = default;
35
+ absl::string_view name() const override { return "stdout_logger"; }
36
+ void Log(const AuditContext&) override;
37
+ };
38
+
39
+ class StdoutAuditLoggerFactory : public AuditLoggerFactory {
40
+ public:
41
+ class Config : public AuditLoggerFactory::Config {
42
+ public:
43
+ Config() = default;
44
+ absl::string_view name() const override;
45
+ std::string ToString() const override;
46
+ };
47
+ StdoutAuditLoggerFactory() = default;
48
+
49
+ absl::string_view name() const override;
50
+
51
+ absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
52
+ ParseAuditLoggerConfig(const Json& json) override;
53
+
54
+ std::unique_ptr<AuditLogger> CreateAuditLogger(
55
+ std::unique_ptr<AuditLoggerFactory::Config>) override;
56
+ };
57
+
58
+ } // namespace experimental
59
+ } // namespace grpc_core
60
+
61
+ #endif // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_STDOUT_LOGGER_H
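Review bot: `StdoutAuditLogger::name()` hard-codes `"stdout_logger"` inline in the header while the factory and its `Config` return `kName` from the .cc, so the logger's name and the name the registry keys the factory under are maintained in two places and a rename would silently desynchronise them. Declaring it in the header as `absl::string_view name() const override;` and defining it next to the other two, `absl::string_view StdoutAuditLogger::name() const { return kName; }`, gives the three a single source. Marking `StdoutAuditLogger` and `StdoutAuditLoggerFactory` `final` would also be consistent with them having no further overrides in this change.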