grpc 1.55.3 → 1.56.0.pre3
- checksums.yaml +4 -4
- data/Makefile +100 -70
- data/include/grpc/event_engine/event_engine.h +4 -3
- data/include/grpc/grpc_audit_logging.h +96 -0
- data/include/grpc/module.modulemap +2 -0
- data/include/grpc/support/json.h +218 -0
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +5 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +2 -0
- data/src/core/ext/filters/client_channel/channel_connectivity.cc +4 -4
- data/src/core/ext/filters/client_channel/client_channel.cc +82 -98
- data/src/core/ext/filters/client_channel/client_channel.h +4 -0
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +19 -18
- data/src/core/ext/filters/client_channel/client_channel_internal.h +16 -21
- data/src/core/ext/filters/client_channel/config_selector.h +9 -24
- data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +3 -0
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +5 -4
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client.cc +455 -0
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client.h +54 -0
- data/src/core/ext/filters/client_channel/lb_policy/health_check_client_internal.h +186 -0
- data/src/core/ext/filters/client_channel/lb_policy/oob_backend_metric.cc +2 -7
- data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.cc +52 -20
- data/src/core/ext/filters/client_channel/lb_policy/outlier_detection/outlier_detection.h +23 -2
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +19 -6
- data/src/core/ext/filters/client_channel/lb_policy/priority/priority.cc +1 -9
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +16 -7
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.h +18 -1
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +12 -9
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +6 -4
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +36 -13
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/static_stride_scheduler.cc +76 -6
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +32 -39
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +4 -10
- data/src/core/ext/filters/client_channel/lb_policy/xds/cds.cc +52 -47
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +1 -9
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +14 -16
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc +40 -43
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +7 -12
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_wrr_locality.cc +12 -19
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +35 -33
- data/src/core/ext/filters/client_channel/resolver/dns/event_engine/event_engine_client_channel_resolver.cc +29 -4
- data/src/core/ext/filters/client_channel/resolver/dns/event_engine/service_config_helper.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +28 -27
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +163 -46
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.h +16 -1
- data/src/core/ext/filters/client_channel/retry_service_config.cc +1 -0
- data/src/core/ext/filters/client_channel/service_config_channel_arg_filter.cc +10 -40
- data/src/core/ext/filters/client_channel/subchannel.cc +10 -196
- data/src/core/ext/filters/client_channel/subchannel.h +3 -43
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +5 -5
- data/src/core/ext/filters/rbac/rbac_service_config_parser.cc +100 -6
- data/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc +6 -8
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +3 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.h +16 -1
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +46 -95
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +543 -567
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +9 -150
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.cc +32 -46
- data/src/core/ext/transport/chttp2/transport/hpack_parser_table.h +5 -18
- data/src/core/ext/transport/chttp2/transport/internal.h +1 -15
- data/src/core/ext/transport/chttp2/transport/parsing.cc +12 -12
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +11 -2
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +15 -0
- data/src/core/ext/xds/certificate_provider_store.cc +4 -9
- data/src/core/ext/xds/certificate_provider_store.h +1 -1
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.cc +30 -42
- data/src/core/ext/xds/file_watcher_certificate_provider_factory.h +14 -9
- data/src/core/ext/xds/xds_api.cc +9 -6
- data/src/core/ext/xds/xds_api.h +3 -2
- data/src/core/ext/xds/xds_audit_logger_registry.cc +122 -0
- data/src/core/ext/xds/xds_audit_logger_registry.h +68 -0
- data/src/core/ext/xds/xds_bootstrap_grpc.cc +21 -9
- data/src/core/ext/xds/xds_bootstrap_grpc.h +5 -0
- data/src/core/ext/xds/xds_client.cc +5 -4
- data/src/core/ext/xds/xds_client_stats.h +1 -1
- data/src/core/ext/xds/xds_cluster.cc +20 -19
- data/src/core/ext/xds/xds_cluster_specifier_plugin.cc +11 -8
- data/src/core/ext/xds/xds_common_types.cc +3 -1
- data/src/core/ext/xds/xds_http_fault_filter.cc +16 -13
- data/src/core/ext/xds/xds_http_fault_filter.h +2 -1
- data/src/core/ext/xds/xds_http_filters.h +4 -2
- data/src/core/ext/xds/xds_http_rbac_filter.cc +154 -67
- data/src/core/ext/xds/xds_http_rbac_filter.h +2 -1
- data/src/core/ext/xds/xds_http_stateful_session_filter.cc +15 -11
- data/src/core/ext/xds/xds_http_stateful_session_filter.h +2 -1
- data/src/core/ext/xds/xds_lb_policy_registry.cc +22 -16
- data/src/core/ext/xds/xds_listener.cc +1 -0
- data/src/core/ext/xds/xds_route_config.cc +40 -3
- data/src/core/ext/xds/xds_routing.cc +2 -2
- data/src/core/ext/xds/xds_transport_grpc.cc +3 -1
- data/src/core/lib/avl/avl.h +5 -0
- data/src/core/lib/backoff/random_early_detection.h +0 -5
- data/src/core/lib/channel/channel_args.cc +80 -22
- data/src/core/lib/channel/channel_args.h +34 -1
- data/src/core/lib/channel/channel_trace.cc +16 -12
- data/src/core/lib/channel/channelz.cc +159 -132
- data/src/core/lib/channel/channelz.h +42 -35
- data/src/core/lib/channel/channelz_registry.cc +23 -20
- data/src/core/lib/channel/connected_channel.cc +17 -6
- data/src/core/lib/channel/promise_based_filter.cc +0 -4
- data/src/core/lib/channel/promise_based_filter.h +2 -0
- data/src/core/lib/compression/compression_internal.cc +2 -5
- data/src/core/lib/config/config_vars.cc +20 -18
- data/src/core/lib/config/config_vars.h +4 -4
- data/src/core/lib/config/load_config.cc +13 -0
- data/src/core/lib/config/load_config.h +6 -0
- data/src/core/lib/debug/event_log.h +1 -1
- data/src/core/lib/debug/stats_data.h +1 -1
- data/src/core/lib/debug/trace.cc +24 -55
- data/src/core/lib/debug/trace.h +3 -1
- data/src/core/lib/event_engine/cf_engine/cf_engine.cc +211 -0
- data/src/core/lib/event_engine/cf_engine/cf_engine.h +86 -0
- data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.cc +354 -0
- data/src/core/lib/event_engine/cf_engine/cfstream_endpoint.h +146 -0
- data/src/core/lib/event_engine/cf_engine/cftype_unique_ref.h +79 -0
- data/src/core/lib/event_engine/default_event_engine.cc +13 -1
- data/src/core/lib/event_engine/default_event_engine_factory.cc +14 -2
- data/src/core/lib/event_engine/poller.h +2 -2
- data/src/core/lib/event_engine/posix.h +4 -0
- data/src/core/lib/event_engine/posix_engine/ev_epoll1_linux.cc +1 -1
- data/src/core/lib/event_engine/posix_engine/lockfree_event.cc +7 -18
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +9 -0
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +3 -2
- data/src/core/lib/event_engine/posix_engine/posix_engine.h +1 -2
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +4 -33
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.h +7 -11
- data/src/core/lib/event_engine/posix_engine/timer_manager.h +1 -1
- data/src/core/lib/event_engine/shim.cc +7 -1
- data/src/core/lib/event_engine/{thread_pool.cc → thread_pool/original_thread_pool.cc} +28 -25
- data/src/core/lib/event_engine/{thread_pool.h → thread_pool/original_thread_pool.h} +11 -15
- data/src/core/lib/event_engine/thread_pool/thread_pool.h +50 -0
- data/src/core/lib/event_engine/{executor/executor.h → thread_pool/thread_pool_factory.cc} +17 -15
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.cc +489 -0
- data/src/core/lib/event_engine/thread_pool/work_stealing_thread_pool.h +249 -0
- data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.cc +166 -0
- data/src/core/lib/event_engine/thready_event_engine/thready_event_engine.h +108 -0
- data/src/core/lib/event_engine/windows/iocp.cc +4 -3
- data/src/core/lib/event_engine/windows/iocp.h +3 -3
- data/src/core/lib/event_engine/windows/win_socket.cc +6 -6
- data/src/core/lib/event_engine/windows/win_socket.h +4 -4
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +11 -10
- data/src/core/lib/event_engine/windows/windows_endpoint.h +3 -2
- data/src/core/lib/event_engine/windows/windows_engine.cc +19 -17
- data/src/core/lib/event_engine/windows/windows_engine.h +6 -6
- data/src/core/lib/event_engine/windows/windows_listener.cc +3 -3
- data/src/core/lib/event_engine/windows/windows_listener.h +3 -2
- data/src/core/lib/event_engine/work_queue/basic_work_queue.cc +63 -0
- data/src/core/lib/event_engine/work_queue/basic_work_queue.h +71 -0
- data/src/core/lib/event_engine/work_queue/work_queue.h +62 -0
- data/src/core/lib/experiments/config.cc +38 -7
- data/src/core/lib/experiments/config.h +16 -0
- data/src/core/lib/experiments/experiments.cc +67 -20
- data/src/core/lib/experiments/experiments.h +27 -21
- data/src/core/lib/gpr/log_internal.h +55 -0
- data/src/core/lib/gprpp/crash.cc +10 -0
- data/src/core/lib/gprpp/crash.h +3 -0
- data/src/core/lib/gprpp/per_cpu.cc +33 -0
- data/src/core/lib/gprpp/per_cpu.h +29 -6
- data/src/core/lib/gprpp/time.cc +1 -0
- data/src/core/lib/iomgr/cfstream_handle.cc +1 -1
- data/src/core/lib/iomgr/endpoint_cfstream.cc +10 -8
- data/src/core/lib/iomgr/ev_apple.cc +12 -12
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +10 -3
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +15 -1
- data/src/core/lib/iomgr/iocp_windows.cc +24 -3
- data/src/core/lib/iomgr/iocp_windows.h +11 -0
- data/src/core/lib/iomgr/iomgr_posix_cfstream.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +4 -2
- data/src/core/lib/iomgr/socket_windows.cc +61 -7
- data/src/core/lib/iomgr/socket_windows.h +9 -2
- data/src/core/lib/iomgr/tcp_client_cfstream.cc +14 -3
- data/src/core/lib/iomgr/tcp_server_posix.cc +156 -140
- data/src/core/lib/iomgr/tcp_server_utils_posix.h +1 -13
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +0 -21
- data/src/core/lib/iomgr/tcp_server_windows.cc +1 -1
- data/src/core/lib/json/json.h +2 -166
- data/src/core/lib/json/json_object_loader.cc +8 -9
- data/src/core/lib/json/json_object_loader.h +25 -18
- data/src/core/lib/json/json_reader.cc +13 -6
- data/src/core/lib/json/json_util.cc +6 -11
- data/src/core/lib/json/json_writer.cc +7 -8
- data/src/core/lib/load_balancing/lb_policy.h +13 -0
- data/src/core/lib/load_balancing/lb_policy_registry.cc +2 -1
- data/src/core/lib/matchers/matchers.cc +3 -4
- data/src/core/lib/matchers/matchers.h +2 -1
- data/src/core/lib/promise/activity.cc +5 -0
- data/src/core/lib/promise/activity.h +10 -0
- data/src/core/lib/promise/detail/promise_factory.h +1 -1
- data/src/core/lib/promise/party.cc +31 -13
- data/src/core/lib/promise/party.h +11 -2
- data/src/core/lib/promise/pipe.h +9 -2
- data/src/core/lib/promise/prioritized_race.h +95 -0
- data/src/core/lib/promise/sleep.cc +2 -1
- data/src/core/lib/resolver/server_address.cc +0 -8
- data/src/core/lib/resolver/server_address.h +0 -6
- data/src/core/lib/resource_quota/memory_quota.cc +7 -7
- data/src/core/lib/resource_quota/memory_quota.h +1 -2
- data/src/core/lib/security/authorization/audit_logging.cc +98 -0
- data/src/core/lib/security/authorization/audit_logging.h +73 -0
- data/src/core/lib/security/authorization/grpc_authorization_engine.cc +47 -2
- data/src/core/lib/security/authorization/grpc_authorization_engine.h +18 -1
- data/src/core/lib/security/authorization/rbac_policy.cc +36 -4
- data/src/core/lib/security/authorization/rbac_policy.h +19 -2
- data/src/core/lib/security/authorization/stdout_logger.cc +75 -0
- data/src/core/lib/security/authorization/stdout_logger.h +61 -0
- data/src/core/lib/security/certificate_provider/certificate_provider_factory.h +8 -4
- data/src/core/lib/security/certificate_provider/certificate_provider_registry.cc +8 -18
- data/src/core/lib/security/certificate_provider/certificate_provider_registry.h +14 -8
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +19 -12
- data/src/core/lib/security/credentials/external/external_account_credentials.cc +4 -2
- data/src/core/lib/security/credentials/external/file_external_account_credentials.cc +1 -0
- data/src/core/lib/security/credentials/external/url_external_account_credentials.cc +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +1 -0
- data/src/core/lib/security/credentials/jwt/json_token.cc +15 -14
- data/src/core/lib/security/credentials/jwt/jwt_credentials.cc +4 -2
- data/src/core/lib/security/credentials/jwt/jwt_verifier.cc +1 -0
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +1 -0
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +1 -5
- data/src/core/lib/security/util/json_util.cc +1 -0
- data/src/core/lib/service_config/service_config_call_data.h +49 -20
- data/src/core/lib/service_config/service_config_impl.cc +2 -1
- data/src/core/lib/surface/call.cc +38 -23
- data/src/core/lib/surface/completion_queue.cc +6 -2
- data/src/core/lib/surface/validate_metadata.cc +22 -37
- data/src/core/lib/surface/validate_metadata.h +3 -13
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/batch_builder.cc +15 -12
- data/src/core/lib/transport/batch_builder.h +39 -35
- data/src/core/plugin_registry/grpc_plugin_registry.cc +0 -2
- data/src/core/plugin_registry/grpc_plugin_registry_extra.cc +2 -0
- data/src/ruby/ext/grpc/extconf.rb +8 -9
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +10 -6
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +7 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +5 -9
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +31 -22
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/tls_cbc.c +189 -13
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_openbsd.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_openbsd.c +31 -0
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519_tables.h +795 -795
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/internal.h +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +18 -6
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +15 -7
- data/third_party/boringssl-with-bazel/src/crypto/ecdh_extra/ecdh_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +24 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +7 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +74 -74
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +11 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256-nistz.c +12 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +14 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256_table.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +10 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +23 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +13 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/{hkdf → fipsmodule/hkdf}/hkdf.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +2 -10
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +115 -133
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +12 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +57 -47
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/polyval.c +27 -28
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +21 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +5 -288
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +143 -83
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +95 -183
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +71 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/internal.h +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +33 -0
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +162 -6
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +18 -0
- data/third_party/boringssl-with-bazel/src/crypto/kyber/kyber.c +18 -11
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +6 -13
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +18 -14
- data/third_party/boringssl-with-bazel/src/crypto/{refcount_lock.c → refcount_no_threads.c} +3 -13
- data/third_party/boringssl-with-bazel/src/crypto/refcount_win.c +89 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/internal.h +77 -0
- data/third_party/boringssl-with-bazel/src/crypto/rsa_extra/rsa_crypt.c +568 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +218 -44
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +35 -0
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +588 -39
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +27 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +17 -39
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +39 -48
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +0 -140
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +72 -23
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +11 -14
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +33 -46
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +3 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +14 -46
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +14 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +17 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +5 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +6 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +32 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +0 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/blake2.h +1 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +28 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +2 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +91 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +149 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +8 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +774 -615
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +42 -10
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +11 -6
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +2 -4
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +24 -16
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +65 -18
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +37 -18
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +187 -193
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +13 -129
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +85 -10
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +17 -4
- data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc +27 -19
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +1 -1
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +5 -21
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +5 -2
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64_msvc.h +1281 -0
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64_msvc.h +2002 -0
- data/third_party/cares/cares/include/ares.h +23 -1
- data/third_party/cares/cares/{src/lib → include}/ares_nameser.h +9 -7
- data/third_party/cares/cares/include/ares_rules.h +2 -2
- data/third_party/cares/cares/include/ares_version.h +3 -3
- data/third_party/cares/cares/src/lib/ares__addrinfo2hostent.c +266 -0
- data/third_party/cares/cares/src/lib/ares__addrinfo_localhost.c +240 -0
- data/third_party/cares/cares/src/lib/ares__parse_into_addrinfo.c +49 -80
- data/third_party/cares/cares/src/lib/ares__readaddrinfo.c +37 -43
- data/third_party/cares/cares/src/lib/ares__sortaddrinfo.c +12 -4
- data/third_party/cares/cares/src/lib/ares_data.c +16 -0
- data/third_party/cares/cares/src/lib/ares_data.h +7 -0
- data/third_party/cares/cares/src/lib/ares_destroy.c +8 -0
- data/third_party/cares/cares/src/lib/ares_expand_name.c +17 -6
- data/third_party/cares/cares/src/lib/ares_freeaddrinfo.c +1 -0
- data/third_party/cares/cares/src/lib/ares_getaddrinfo.c +156 -78
- data/third_party/cares/cares/src/lib/ares_gethostbyname.c +130 -326
- data/third_party/cares/cares/src/lib/ares_init.c +97 -485
- data/third_party/cares/cares/src/lib/ares_library_init.c +2 -89
- data/third_party/cares/cares/src/lib/ares_parse_a_reply.c +23 -142
- data/third_party/cares/cares/src/lib/ares_parse_aaaa_reply.c +22 -142
- data/third_party/cares/cares/src/lib/ares_parse_uri_reply.c +184 -0
- data/third_party/cares/cares/src/lib/ares_private.h +30 -16
- data/third_party/cares/cares/src/lib/ares_process.c +55 -16
- data/third_party/cares/cares/src/lib/ares_query.c +1 -35
- data/third_party/cares/cares/src/lib/ares_rand.c +279 -0
- data/third_party/cares/cares/src/lib/ares_send.c +5 -7
- data/third_party/cares/cares/src/lib/ares_strdup.c +12 -19
- data/third_party/cares/cares/src/lib/ares_strsplit.c +44 -128
- data/third_party/cares/cares/src/lib/ares_strsplit.h +9 -10
- data/third_party/cares/cares/src/lib/inet_net_pton.c +78 -116
- data/third_party/cares/cares/src/tools/ares_getopt.h +53 -0
- metadata +50 -16
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +0 -175
- data/src/core/ext/filters/client_channel/health/health_check_client.h +0 -43
- data/src/core/ext/transport/chttp2/transport/hpack_parse_result.cc +0 -176
- data/src/core/ext/transport/chttp2/transport/hpack_parse_result.h +0 -325
- data/third_party/cares/cares/src/lib/ares_library_init.h +0 -43
@@ -57,14 +57,6 @@ ServerAddress::ServerAddress(
|
|
57
57
|
std::map<const char*, std::unique_ptr<AttributeInterface>> attributes)
|
58
58
|
: address_(address), args_(args), attributes_(std::move(attributes)) {}
|
59
59
|
|
60
|
-
ServerAddress::ServerAddress(
|
61
|
-
const void* address, size_t address_len, const ChannelArgs& args,
|
62
|
-
std::map<const char*, std::unique_ptr<AttributeInterface>> attributes)
|
63
|
-
: args_(args), attributes_(std::move(attributes)) {
|
64
|
-
memcpy(address_.addr, address, address_len);
|
65
|
-
address_.len = static_cast<socklen_t>(address_len);
|
66
|
-
}
|
67
|
-
|
68
60
|
ServerAddress::ServerAddress(const ServerAddress& other)
|
69
61
|
: address_(other.address_), args_(other.args_) {
|
70
62
|
for (const auto& p : other.attributes_) {
|
@@ -21,7 +21,6 @@
|
|
21
21
|
|
22
22
|
#include <grpc/support/port_platform.h>
|
23
23
|
|
24
|
-
#include <stddef.h>
|
25
24
|
#include <stdint.h>
|
26
25
|
|
27
26
|
#include <map>
|
@@ -65,14 +64,9 @@ class ServerAddress {
|
|
65
64
|
virtual std::string ToString() const = 0;
|
66
65
|
};
|
67
66
|
|
68
|
-
// Takes ownership of args.
|
69
67
|
ServerAddress(const grpc_resolved_address& address, const ChannelArgs& args,
|
70
68
|
std::map<const char*, std::unique_ptr<AttributeInterface>>
|
71
69
|
attributes = {});
|
72
|
-
ServerAddress(const void* address, size_t address_len,
|
73
|
-
const ChannelArgs& args,
|
74
|
-
std::map<const char*, std::unique_ptr<AttributeInterface>>
|
75
|
-
attributes = {});
|
76
70
|
|
77
71
|
// Copyable.
|
78
72
|
ServerAddress(const ServerAddress& other);
|
@@ -453,7 +453,7 @@ void BasicMemoryQuota::AddNewAllocator(GrpcMemoryAllocatorImpl* allocator) {
|
|
453
453
|
AllocatorBucket::Shard& shard = small_allocators_.SelectShard(allocator);
|
454
454
|
|
455
455
|
{
|
456
|
-
|
456
|
+
MutexLock l(&shard.shard_mu);
|
457
457
|
shard.allocators.emplace(allocator);
|
458
458
|
}
|
459
459
|
}
|
@@ -467,7 +467,7 @@ void BasicMemoryQuota::RemoveAllocator(GrpcMemoryAllocatorImpl* allocator) {
|
|
467
467
|
small_allocators_.SelectShard(allocator);
|
468
468
|
|
469
469
|
{
|
470
|
-
|
470
|
+
MutexLock l(&small_shard.shard_mu);
|
471
471
|
if (small_shard.allocators.erase(allocator) == 1) {
|
472
472
|
return;
|
473
473
|
}
|
@@ -476,7 +476,7 @@ void BasicMemoryQuota::RemoveAllocator(GrpcMemoryAllocatorImpl* allocator) {
|
|
476
476
|
AllocatorBucket::Shard& big_shard = big_allocators_.SelectShard(allocator);
|
477
477
|
|
478
478
|
{
|
479
|
-
|
479
|
+
MutexLock l(&big_shard.shard_mu);
|
480
480
|
big_shard.allocators.erase(allocator);
|
481
481
|
}
|
482
482
|
}
|
@@ -513,14 +513,14 @@ void BasicMemoryQuota::MaybeMoveAllocatorBigToSmall(
|
|
513
513
|
AllocatorBucket::Shard& old_shard = big_allocators_.SelectShard(allocator);
|
514
514
|
|
515
515
|
{
|
516
|
-
|
516
|
+
MutexLock l(&old_shard.shard_mu);
|
517
517
|
if (old_shard.allocators.erase(allocator) == 0) return;
|
518
518
|
}
|
519
519
|
|
520
520
|
AllocatorBucket::Shard& new_shard = small_allocators_.SelectShard(allocator);
|
521
521
|
|
522
522
|
{
|
523
|
-
|
523
|
+
MutexLock l(&new_shard.shard_mu);
|
524
524
|
new_shard.allocators.emplace(allocator);
|
525
525
|
}
|
526
526
|
}
|
@@ -534,14 +534,14 @@ void BasicMemoryQuota::MaybeMoveAllocatorSmallToBig(
|
|
534
534
|
AllocatorBucket::Shard& old_shard = small_allocators_.SelectShard(allocator);
|
535
535
|
|
536
536
|
{
|
537
|
-
|
537
|
+
MutexLock l(&old_shard.shard_mu);
|
538
538
|
if (old_shard.allocators.erase(allocator) == 0) return;
|
539
539
|
}
|
540
540
|
|
541
541
|
AllocatorBucket::Shard& new_shard = big_allocators_.SelectShard(allocator);
|
542
542
|
|
543
543
|
{
|
544
|
-
|
544
|
+
MutexLock l(&new_shard.shard_mu);
|
545
545
|
new_shard.allocators.emplace(allocator);
|
546
546
|
}
|
547
547
|
}
|
@@ -30,7 +30,6 @@
|
|
30
30
|
#include "absl/base/thread_annotations.h"
|
31
31
|
#include "absl/container/flat_hash_set.h"
|
32
32
|
#include "absl/strings/string_view.h"
|
33
|
-
#include "absl/synchronization/mutex.h"
|
34
33
|
#include "absl/types/optional.h"
|
35
34
|
|
36
35
|
#include <grpc/event_engine/memory_allocator.h>
|
@@ -340,7 +339,7 @@ class BasicMemoryQuota final
|
|
340
339
|
struct Shard {
|
341
340
|
absl::flat_hash_set<GrpcMemoryAllocatorImpl*> allocators
|
342
341
|
ABSL_GUARDED_BY(shard_mu);
|
343
|
-
|
342
|
+
Mutex shard_mu;
|
344
343
|
};
|
345
344
|
|
346
345
|
Shard& SelectShard(void* key) {
|
@@ -0,0 +1,98 @@
|
|
1
|
+
//
|
2
|
+
//
|
3
|
+
// Copyright 2023 gRPC authors.
|
4
|
+
//
|
5
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
// you may not use this file except in compliance with the License.
|
7
|
+
// You may obtain a copy of the License at
|
8
|
+
//
|
9
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
//
|
11
|
+
// Unless required by applicable law or agreed to in writing, software
|
12
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
// See the License for the specific language governing permissions and
|
15
|
+
// limitations under the License.
|
16
|
+
//
|
17
|
+
//
|
18
|
+
|
19
|
+
#include <grpc/support/port_platform.h>
|
20
|
+
|
21
|
+
#include "src/core/lib/security/authorization/audit_logging.h"
|
22
|
+
|
23
|
+
#include <initializer_list>
|
24
|
+
#include <map>
|
25
|
+
#include <memory>
|
26
|
+
#include <utility>
|
27
|
+
|
28
|
+
#include "absl/status/status.h"
|
29
|
+
#include "absl/status/statusor.h"
|
30
|
+
#include "absl/strings/str_format.h"
|
31
|
+
#include "absl/strings/string_view.h"
|
32
|
+
|
33
|
+
#include <grpc/grpc_audit_logging.h>
|
34
|
+
#include <grpc/support/json.h>
|
35
|
+
#include <grpc/support/log.h>
|
36
|
+
|
37
|
+
#include "src/core/lib/gprpp/sync.h"
|
38
|
+
#include "src/core/lib/security/authorization/stdout_logger.h"
|
39
|
+
|
40
|
+
namespace grpc_core {
|
41
|
+
namespace experimental {
|
42
|
+
|
43
|
+
Mutex* AuditLoggerRegistry::mu = new Mutex();
|
44
|
+
|
45
|
+
AuditLoggerRegistry* AuditLoggerRegistry::registry = new AuditLoggerRegistry();
|
46
|
+
|
47
|
+
AuditLoggerRegistry::AuditLoggerRegistry() {
|
48
|
+
auto factory = std::make_unique<StdoutAuditLoggerFactory>();
|
49
|
+
absl::string_view name = factory->name();
|
50
|
+
GPR_ASSERT(logger_factories_map_.emplace(name, std::move(factory)).second);
|
51
|
+
}
|
52
|
+
|
53
|
+
void AuditLoggerRegistry::RegisterFactory(
|
54
|
+
std::unique_ptr<AuditLoggerFactory> factory) {
|
55
|
+
GPR_ASSERT(factory != nullptr);
|
56
|
+
MutexLock lock(mu);
|
57
|
+
absl::string_view name = factory->name();
|
58
|
+
GPR_ASSERT(
|
59
|
+
registry->logger_factories_map_.emplace(name, std::move(factory)).second);
|
60
|
+
}
|
61
|
+
|
62
|
+
bool AuditLoggerRegistry::FactoryExists(absl::string_view name) {
|
63
|
+
MutexLock lock(mu);
|
64
|
+
return registry->logger_factories_map_.find(name) !=
|
65
|
+
registry->logger_factories_map_.end();
|
66
|
+
}
|
67
|
+
|
68
|
+
absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
|
69
|
+
AuditLoggerRegistry::ParseConfig(absl::string_view name, const Json& json) {
|
70
|
+
MutexLock lock(mu);
|
71
|
+
auto it = registry->logger_factories_map_.find(name);
|
72
|
+
if (it == registry->logger_factories_map_.end()) {
|
73
|
+
return absl::NotFoundError(
|
74
|
+
absl::StrFormat("audit logger factory for %s does not exist", name));
|
75
|
+
}
|
76
|
+
return it->second->ParseAuditLoggerConfig(json);
|
77
|
+
}
|
78
|
+
|
79
|
+
std::unique_ptr<AuditLogger> AuditLoggerRegistry::CreateAuditLogger(
|
80
|
+
std::unique_ptr<AuditLoggerFactory::Config> config) {
|
81
|
+
MutexLock lock(mu);
|
82
|
+
auto it = registry->logger_factories_map_.find(config->name());
|
83
|
+
GPR_ASSERT(it != registry->logger_factories_map_.end());
|
84
|
+
return it->second->CreateAuditLogger(std::move(config));
|
85
|
+
}
|
86
|
+
|
87
|
+
void AuditLoggerRegistry::TestOnlyResetRegistry() {
|
88
|
+
MutexLock lock(mu);
|
89
|
+
delete registry;
|
90
|
+
registry = new AuditLoggerRegistry();
|
91
|
+
}
|
92
|
+
|
93
|
+
void RegisterAuditLoggerFactory(std::unique_ptr<AuditLoggerFactory> factory) {
|
94
|
+
AuditLoggerRegistry::RegisterFactory(std::move(factory));
|
95
|
+
}
|
96
|
+
|
97
|
+
} // namespace experimental
|
98
|
+
} // namespace grpc_core
|
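Review bot: ParseConfig and CreateAuditLogger call out into the factory (`it->second->ParseAuditLoggerConfig(json)` and `it->second->CreateAuditLogger(std::move(config))`) while the global `mu` is still held, so a third-party factory that touches the registry from inside those calls (for instance `FactoryExists`) self-deadlocks, assuming `Mutex` is not reentrant. The header states that factories are never unregistered outside tests, so the raw factory pointer can be copied out under the lock and the factory called after the `MutexLock` goes out of scope, as sketched below for ParseConfig; CreateAuditLogger follows the same pattern. Separately, `RegisterFactory` aborts the process via `GPR_ASSERT` on a duplicate name, and the built-in `stdout_logger` is already taken; that is a defensible init-time invariant, but it should be stated on the public `RegisterAuditLoggerFactory` entry point, e.g. `// Registering a factory whose name() is already registered (including the built-in "stdout_logger") is a fatal error.`
```cpp
absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
AuditLoggerRegistry::ParseConfig(absl::string_view name, const Json& json) {
  AuditLoggerFactory* factory = nullptr;
  {
    MutexLock lock(mu);
    auto it = registry->logger_factories_map_.find(name);
    if (it == registry->logger_factories_map_.end()) {
      return absl::NotFoundError(
          absl::StrFormat("audit logger factory for %s does not exist", name));
    }
    factory = it->second.get();
  }
  // Factories are never removed outside TestOnlyResetRegistry, so the pointer
  // stays valid once the lock is dropped; calling out without the lock avoids
  // deadlocking a factory that consults the registry itself.
  return factory->ParseAuditLoggerConfig(json);
}
// … same pattern for CreateAuditLogger: look up under the lock, call outside it …
```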
@@ -0,0 +1,73 @@
|
|
1
|
+
//
|
2
|
+
//
|
3
|
+
// Copyright 2023 gRPC authors.
|
4
|
+
//
|
5
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
// you may not use this file except in compliance with the License.
|
7
|
+
// You may obtain a copy of the License at
|
8
|
+
//
|
9
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
//
|
11
|
+
// Unless required by applicable law or agreed to in writing, software
|
12
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
// See the License for the specific language governing permissions and
|
15
|
+
// limitations under the License.
|
16
|
+
//
|
17
|
+
//
|
18
|
+
|
19
|
+
#ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H
|
20
|
+
#define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H
|
21
|
+
|
22
|
+
#include <grpc/support/port_platform.h>
|
23
|
+
|
24
|
+
#include <map>
|
25
|
+
#include <memory>
|
26
|
+
|
27
|
+
#include "absl/base/thread_annotations.h"
|
28
|
+
#include "absl/status/statusor.h"
|
29
|
+
#include "absl/strings/string_view.h"
|
30
|
+
|
31
|
+
#include <grpc/grpc_audit_logging.h>
|
32
|
+
#include <grpc/support/json.h>
|
33
|
+
|
34
|
+
#include "src/core/lib/gprpp/sync.h"
|
35
|
+
|
36
|
+
namespace grpc_core {
|
37
|
+
namespace experimental {
|
38
|
+
|
39
|
+
class AuditLoggerRegistry {
|
40
|
+
public:
|
41
|
+
static void RegisterFactory(std::unique_ptr<AuditLoggerFactory>);
|
42
|
+
|
43
|
+
static bool FactoryExists(absl::string_view name);
|
44
|
+
|
45
|
+
static absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
|
46
|
+
ParseConfig(absl::string_view name, const Json& json);
|
47
|
+
|
48
|
+
// This assume the given config is parsed and validated already.
|
49
|
+
// Therefore, it should always succeed in creating a logger.
|
50
|
+
static std::unique_ptr<AuditLogger> CreateAuditLogger(
|
51
|
+
std::unique_ptr<AuditLoggerFactory::Config>);
|
52
|
+
|
53
|
+
// Factories are registered during initialization. They should never be
|
54
|
+
// unregistered since they will be looked up at any time till the program
|
55
|
+
// exits. This function should only be used in tests to clear the registry.
|
56
|
+
static void TestOnlyResetRegistry();
|
57
|
+
|
58
|
+
private:
|
59
|
+
AuditLoggerRegistry();
|
60
|
+
|
61
|
+
static Mutex* mu;
|
62
|
+
|
63
|
+
static AuditLoggerRegistry* registry ABSL_GUARDED_BY(mu);
|
64
|
+
|
65
|
+
// The key is owned by the factory.
|
66
|
+
std::map<absl::string_view, std::unique_ptr<AuditLoggerFactory>>
|
67
|
+
logger_factories_map_ ABSL_GUARDED_BY(mu);
|
68
|
+
};
|
69
|
+
|
70
|
+
} // namespace experimental
|
71
|
+
} // namespace grpc_core
|
72
|
+
|
73
|
+
#endif // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H
|
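Review bot: `logger_factories_map_` is keyed by `absl::string_view`, and the only hint about who owns that memory is the comment `// The key is owned by the factory.`; nothing on the `RegisterFactory` declaration tells an implementer that `AuditLoggerFactory::name()` must return a view into storage that lives at least as long as the registration, so a factory returning a view into a temporary or a member string that is later reassigned leaves a dangling key and lookups silently fail. State the contract where implementers will see it, e.g. `// The factory's name() is used as the map key without copying; it must return a view into storage that outlives the registration (static storage is the expected choice).`, or key the map by `std::string` and drop the constraint. Minor wording: the comment above CreateAuditLogger should read `// This assumes the given config is parsed and validated already.`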
@@ -20,10 +20,35 @@
|
|
20
20
|
#include <map>
|
21
21
|
#include <utility>
|
22
22
|
|
23
|
+
#include <grpc/support/log.h>
|
24
|
+
|
25
|
+
#include "src/core/lib/security/authorization/audit_logging.h"
|
26
|
+
#include "src/core/lib/security/authorization/authorization_engine.h"
|
27
|
+
|
23
28
|
namespace grpc_core {
|
24
29
|
|
30
|
+
using experimental::AuditContext;
|
31
|
+
using experimental::AuditLoggerRegistry;
|
32
|
+
|
33
|
+
namespace {
|
34
|
+
|
35
|
+
using Decision = AuthorizationEngine::Decision;
|
36
|
+
|
37
|
+
bool ShouldLog(const Decision& decision,
|
38
|
+
const Rbac::AuditCondition& condition) {
|
39
|
+
return condition == Rbac::AuditCondition::kOnDenyAndAllow ||
|
40
|
+
(decision.type == Decision::Type::kAllow &&
|
41
|
+
condition == Rbac::AuditCondition::kOnAllow) ||
|
42
|
+
(decision.type == Decision::Type::kDeny &&
|
43
|
+
condition == Rbac::AuditCondition::kOnDeny);
|
44
|
+
}
|
45
|
+
|
46
|
+
} // namespace
|
47
|
+
|
25
48
|
GrpcAuthorizationEngine::GrpcAuthorizationEngine(Rbac policy)
|
26
|
-
:
|
49
|
+
: name_(std::move(policy.name)),
|
50
|
+
action_(policy.action),
|
51
|
+
audit_condition_(policy.audit_condition) {
|
27
52
|
for (auto& sub_policy : policy.policies) {
|
28
53
|
Policy policy;
|
29
54
|
policy.name = sub_policy.first;
|
@@ -31,16 +56,29 @@ GrpcAuthorizationEngine::GrpcAuthorizationEngine(Rbac policy)
|
|
31
56
|
std::move(sub_policy.second));
|
32
57
|
policies_.push_back(std::move(policy));
|
33
58
|
}
|
59
|
+
for (auto& logger_config : policy.logger_configs) {
|
60
|
+
auto logger =
|
61
|
+
AuditLoggerRegistry::CreateAuditLogger(std::move(logger_config));
|
62
|
+
GPR_ASSERT(logger != nullptr);
|
63
|
+
audit_loggers_.push_back(std::move(logger));
|
64
|
+
}
|
34
65
|
}
|
35
66
|
|
36
67
|
GrpcAuthorizationEngine::GrpcAuthorizationEngine(
|
37
68
|
GrpcAuthorizationEngine&& other) noexcept
|
38
|
-
:
|
69
|
+
: name_(std::move(other.name_)),
|
70
|
+
action_(other.action_),
|
71
|
+
policies_(std::move(other.policies_)),
|
72
|
+
audit_condition_(other.audit_condition_),
|
73
|
+
audit_loggers_(std::move(other.audit_loggers_)) {}
|
39
74
|
|
40
75
|
GrpcAuthorizationEngine& GrpcAuthorizationEngine::operator=(
|
41
76
|
GrpcAuthorizationEngine&& other) noexcept {
|
77
|
+
name_ = std::move(other.name_);
|
42
78
|
action_ = other.action_;
|
43
79
|
policies_ = std::move(other.policies_);
|
80
|
+
audit_condition_ = other.audit_condition_;
|
81
|
+
audit_loggers_ = std::move(other.audit_loggers_);
|
44
82
|
return *this;
|
45
83
|
}
|
46
84
|
|
@@ -58,6 +96,13 @@ AuthorizationEngine::Decision GrpcAuthorizationEngine::Evaluate(
|
|
58
96
|
decision.type = (matches == (action_ == Rbac::Action::kAllow))
|
59
97
|
? Decision::Type::kAllow
|
60
98
|
: Decision::Type::kDeny;
|
99
|
+
if (ShouldLog(decision, audit_condition_)) {
|
100
|
+
for (auto& logger : audit_loggers_) {
|
101
|
+
logger->Log(AuditContext(args.GetPath(), args.GetSpiffeId(), name_,
|
102
|
+
decision.matching_policy_name,
|
103
|
+
decision.type == Decision::Type::kAllow));
|
104
|
+
}
|
105
|
+
}
|
61
106
|
return decision;
|
62
107
|
}
|
63
108
|
|
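Review bot: Each configured logger's `Log()` is invoked synchronously on the request path in the loop added before `return decision;`, so a slow or blocking third-party logger adds its latency to every decision it is configured for, and with `kOnDeny` an unauthenticated client can drive that cost simply by sending RPCs that get rejected. Whether the public `AuditLogger` contract requires non-blocking implementations is not visible in this diff; if it does not, a comment on the loop such as `// Loggers run inline on the RPC path for every audited decision; implementations must be cheap and must not block.` makes the expectation explicit, and the same caveat belongs next to `audit_loggers_`. The body of `Evaluate` begins outside this hunk.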
@@ -23,6 +23,8 @@
|
|
23
23
|
#include <string>
|
24
24
|
#include <vector>
|
25
25
|
|
26
|
+
#include <grpc/grpc_audit_logging.h>
|
27
|
+
|
26
28
|
#include "src/core/lib/security/authorization/authorization_engine.h"
|
27
29
|
#include "src/core/lib/security/authorization/evaluate_args.h"
|
28
30
|
#include "src/core/lib/security/authorization/matchers.h"
|
@@ -30,6 +32,8 @@
|
|
30
32
|
|
31
33
|
namespace grpc_core {
|
32
34
|
|
35
|
+
using experimental::AuditLogger;
|
36
|
+
|
33
37
|
// GrpcAuthorizationEngine can be either an Allow engine or Deny engine. This
|
34
38
|
// engine makes authorization decisions to Allow or Deny incoming RPC request
|
35
39
|
// based on permission and principal configs in the provided RBAC policy and the
|
@@ -39,7 +43,8 @@ namespace grpc_core {
|
|
39
43
|
class GrpcAuthorizationEngine : public AuthorizationEngine {
|
40
44
|
public:
|
41
45
|
// Builds GrpcAuthorizationEngine without any policies.
|
42
|
-
explicit GrpcAuthorizationEngine(Rbac::Action action)
|
46
|
+
explicit GrpcAuthorizationEngine(Rbac::Action action)
|
47
|
+
: action_(action), audit_condition_(Rbac::AuditCondition::kNone) {}
|
43
48
|
// Builds GrpcAuthorizationEngine with allow/deny RBAC policy.
|
44
49
|
explicit GrpcAuthorizationEngine(Rbac policy);
|
45
50
|
|
@@ -51,6 +56,14 @@ class GrpcAuthorizationEngine : public AuthorizationEngine {
|
|
51
56
|
// Required only for testing purpose.
|
52
57
|
size_t num_policies() const { return policies_.size(); }
|
53
58
|
|
59
|
+
// Required only for testing purpose.
|
60
|
+
Rbac::AuditCondition audit_condition() const { return audit_condition_; }
|
61
|
+
|
62
|
+
// Required only for testing purpose.
|
63
|
+
const std::vector<std::unique_ptr<AuditLogger>>& audit_loggers() const {
|
64
|
+
return audit_loggers_;
|
65
|
+
}
|
66
|
+
|
54
67
|
// Evaluates incoming request against RBAC policy and makes a decision to
|
55
68
|
// whether allow/deny this request.
|
56
69
|
Decision Evaluate(const EvaluateArgs& args) const override;
|
@@ -60,8 +73,12 @@ class GrpcAuthorizationEngine : public AuthorizationEngine {
|
|
60
73
|
std::string name;
|
61
74
|
std::unique_ptr<AuthorizationMatcher> matcher;
|
62
75
|
};
|
76
|
+
|
77
|
+
std::string name_;
|
63
78
|
Rbac::Action action_;
|
64
79
|
std::vector<Policy> policies_;
|
80
|
+
Rbac::AuditCondition audit_condition_;
|
81
|
+
std::vector<std::unique_ptr<AuditLogger>> audit_loggers_;
|
65
82
|
};
|
66
83
|
|
67
84
|
} // namespace grpc_core
|
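Review bot: `using experimental::AuditLogger;` is a using-declaration at `grpc_core` namespace scope in a header, so every translation unit that includes grpc_authorization_engine.h gets `grpc_core::AuditLogger` injected and the alias becomes part of the header's public surface. Prefer qualifying the two uses instead: `std::vector<std::unique_ptr<experimental::AuditLogger>> audit_loggers_;` and the matching `const std::vector<std::unique_ptr<experimental::AuditLogger>>& audit_loggers() const`. The class body continues outside the visible hunks.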
@@ -22,6 +22,7 @@
|
|
22
22
|
|
23
23
|
#include "absl/strings/str_format.h"
|
24
24
|
#include "absl/strings/str_join.h"
|
25
|
+
#include "absl/strings/string_view.h"
|
25
26
|
|
26
27
|
namespace grpc_core {
|
27
28
|
|
@@ -29,26 +30,57 @@ namespace grpc_core {
|
|
29
30
|
// Rbac
|
30
31
|
//
|
31
32
|
|
32
|
-
Rbac::Rbac(Rbac::Action action,
|
33
|
-
|
33
|
+
Rbac::Rbac(std::string name, Rbac::Action action,
|
34
|
+
std::map<std::string, Policy> policies)
|
35
|
+
: name(std::move(name)),
|
36
|
+
action(action),
|
37
|
+
policies(std::move(policies)),
|
38
|
+
audit_condition(Rbac::AuditCondition::kNone) {}
|
34
39
|
|
35
40
|
Rbac::Rbac(Rbac&& other) noexcept
|
36
|
-
:
|
41
|
+
: name(std::move(other.name)),
|
42
|
+
action(other.action),
|
43
|
+
policies(std::move(other.policies)),
|
44
|
+
audit_condition(other.audit_condition),
|
45
|
+
logger_configs(std::move(other.logger_configs)) {}
|
37
46
|
|
38
47
|
Rbac& Rbac::operator=(Rbac&& other) noexcept {
|
48
|
+
name = std::move(other.name);
|
39
49
|
action = other.action;
|
40
50
|
policies = std::move(other.policies);
|
51
|
+
audit_condition = other.audit_condition;
|
52
|
+
logger_configs = std::move(other.logger_configs);
|
41
53
|
return *this;
|
42
54
|
}
|
43
55
|
|
44
56
|
std::string Rbac::ToString() const {
|
45
57
|
std::vector<std::string> contents;
|
58
|
+
absl::string_view condition_str;
|
59
|
+
switch (audit_condition) {
|
60
|
+
case Rbac::AuditCondition::kNone:
|
61
|
+
condition_str = "None";
|
62
|
+
break;
|
63
|
+
case AuditCondition::kOnDeny:
|
64
|
+
condition_str = "OnDeny";
|
65
|
+
break;
|
66
|
+
case AuditCondition::kOnAllow:
|
67
|
+
condition_str = "OnAllow";
|
68
|
+
break;
|
69
|
+
case AuditCondition::kOnDenyAndAllow:
|
70
|
+
condition_str = "OnDenyAndAllow";
|
71
|
+
break;
|
72
|
+
}
|
46
73
|
contents.push_back(absl::StrFormat(
|
47
|
-
"Rbac action=%s{",
|
74
|
+
"Rbac name=%s action=%s audit_condition=%s{", name,
|
75
|
+
action == Rbac::Action::kAllow ? "Allow" : "Deny", condition_str));
|
48
76
|
for (const auto& p : policies) {
|
49
77
|
contents.push_back(absl::StrFormat("{\n policy_name=%s\n%s\n}", p.first,
|
50
78
|
p.second.ToString()));
|
51
79
|
}
|
80
|
+
for (const auto& config : logger_configs) {
|
81
|
+
contents.push_back(absl::StrFormat("{\n audit_logger=%s\n%s\n}",
|
82
|
+
config->name(), config->ToString()));
|
83
|
+
}
|
52
84
|
contents.push_back("}");
|
53
85
|
return absl::StrJoin(contents, "\n");
|
54
86
|
}
|
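Review bot: In `Rbac::ToString` the new switch mixes `Rbac::AuditCondition::kNone` with the unqualified `AuditCondition::kOnDeny`, `kOnAllow` and `kOnDenyAndAllow`; inside a member function the short form is sufficient, so use `case AuditCondition::kNone:` for consistency with the other three cases. A second, hedged point: the loop over `logger_configs` prints each config via `config->ToString()`, which is harmless for the stdout config (`{}`), but a future logger config carrying credentials for a remote sink would have them land in whatever ToString's callers emit; a comment such as `// Config::ToString() output is included in policy dumps; implementations must redact secrets.` would set the expectation for third-party configs.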
@@ -26,18 +26,27 @@
|
|
26
26
|
|
27
27
|
#include "absl/types/optional.h"
|
28
28
|
|
29
|
+
#include <grpc/grpc_audit_logging.h>
|
30
|
+
|
29
31
|
#include "src/core/lib/matchers/matchers.h"
|
30
32
|
|
31
33
|
namespace grpc_core {
|
32
34
|
|
33
35
|
// Represents Envoy RBAC Proto. [See
|
34
|
-
// https://github.com/envoyproxy/envoy/blob/release/v1.
|
36
|
+
// https://github.com/envoyproxy/envoy/blob/release/v1.26/api/envoy/config/rbac/v3/rbac.proto]
|
35
37
|
struct Rbac {
|
36
38
|
enum class Action {
|
37
39
|
kAllow,
|
38
40
|
kDeny,
|
39
41
|
};
|
40
42
|
|
43
|
+
enum class AuditCondition {
|
44
|
+
kNone,
|
45
|
+
kOnDeny,
|
46
|
+
kOnAllow,
|
47
|
+
kOnDenyAndAllow,
|
48
|
+
};
|
49
|
+
|
41
50
|
struct CidrRange {
|
42
51
|
CidrRange() = default;
|
43
52
|
CidrRange(std::string address_prefix, uint32_t prefix_len);
|
@@ -162,15 +171,23 @@ struct Rbac {
|
|
162
171
|
};
|
163
172
|
|
164
173
|
Rbac() = default;
|
165
|
-
Rbac(Rbac::Action action,
|
174
|
+
Rbac(std::string name, Rbac::Action action,
|
175
|
+
std::map<std::string, Policy> policies);
|
166
176
|
|
167
177
|
Rbac(Rbac&& other) noexcept;
|
168
178
|
Rbac& operator=(Rbac&& other) noexcept;
|
169
179
|
|
170
180
|
std::string ToString() const;
|
171
181
|
|
182
|
+
// The authorization policy name or the HTTP RBAC filter name.
|
183
|
+
std::string name;
|
184
|
+
|
172
185
|
Action action;
|
173
186
|
std::map<std::string, Policy> policies;
|
187
|
+
|
188
|
+
AuditCondition audit_condition;
|
189
|
+
std::vector<std::unique_ptr<experimental::AuditLoggerFactory::Config>>
|
190
|
+
logger_configs;
|
174
191
|
};
|
175
192
|
|
176
193
|
} // namespace grpc_core
|
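Review bot: `AuditCondition audit_condition;` has no default member initializer, so a `Rbac` built with the `Rbac() = default;` constructor kept a few lines above has an indeterminate audit condition, and reading it later (the `ShouldLog` comparison in the engine or the switch in `ToString`) is undefined behaviour rather than "no audit"; only the three-argument constructor sets it to `kNone`. Initialize it at the declaration: `AuditCondition audit_condition = AuditCondition::kNone;`. The pre-existing `Action action;` has the same gap but is not part of this change.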
@@ -0,0 +1,75 @@
|
|
1
|
+
// Copyright 2023 gRPC authors.
|
2
|
+
//
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
// you may not use this file except in compliance with the License.
|
5
|
+
// You may obtain a copy of the License at
|
6
|
+
//
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
//
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
// See the License for the specific language governing permissions and
|
13
|
+
// limitations under the License.
|
14
|
+
|
15
|
+
#include <grpc/support/port_platform.h>
|
16
|
+
|
17
|
+
#include "src/core/lib/security/authorization/stdout_logger.h"
|
18
|
+
|
19
|
+
#include <cstdio>
|
20
|
+
#include <initializer_list>
|
21
|
+
#include <memory>
|
22
|
+
#include <string>
|
23
|
+
|
24
|
+
#include "absl/status/statusor.h"
|
25
|
+
#include "absl/strings/str_format.h"
|
26
|
+
#include "absl/strings/string_view.h"
|
27
|
+
#include "absl/time/clock.h"
|
28
|
+
#include "absl/time/time.h"
|
29
|
+
|
30
|
+
#include <grpc/grpc_audit_logging.h>
|
31
|
+
#include <grpc/support/json.h>
|
32
|
+
#include <grpc/support/log.h>
|
33
|
+
|
34
|
+
namespace grpc_core {
|
35
|
+
namespace experimental {
|
36
|
+
|
37
|
+
namespace {
|
38
|
+
|
39
|
+
constexpr absl::string_view kName = "stdout_logger";
|
40
|
+
constexpr char kLogFormat[] =
|
41
|
+
"{\"grpc_audit_log\":{\"timestamp\":\"%s\",\"rpc_method\":\"%s\","
|
42
|
+
"\"principal\":\"%s\",\"policy_name\":\"%s\",\"matched_rule\":\"%s\","
|
43
|
+
"\"authorized\":%s}}\n";
|
44
|
+
|
45
|
+
} // namespace
|
46
|
+
|
47
|
+
void StdoutAuditLogger::Log(const AuditContext& context) {
|
48
|
+
absl::FPrintF(stdout, kLogFormat, absl::FormatTime(absl::Now()),
|
49
|
+
context.rpc_method(), context.principal(),
|
50
|
+
context.policy_name(), context.matched_rule(),
|
51
|
+
context.authorized() ? "true" : "false");
|
52
|
+
}
|
53
|
+
|
54
|
+
absl::string_view StdoutAuditLoggerFactory::Config::name() const {
|
55
|
+
return kName;
|
56
|
+
}
|
57
|
+
|
58
|
+
std::string StdoutAuditLoggerFactory::Config::ToString() const { return "{}"; }
|
59
|
+
|
60
|
+
absl::string_view StdoutAuditLoggerFactory::name() const { return kName; }
|
61
|
+
|
62
|
+
absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
|
63
|
+
StdoutAuditLoggerFactory::ParseAuditLoggerConfig(const Json&) {
|
64
|
+
return std::make_unique<StdoutAuditLoggerFactory::Config>();
|
65
|
+
}
|
66
|
+
|
67
|
+
std::unique_ptr<AuditLogger> StdoutAuditLoggerFactory::CreateAuditLogger(
|
68
|
+
std::unique_ptr<AuditLoggerFactory::Config> config) {
|
69
|
+
// Sanity check.
|
70
|
+
GPR_ASSERT(config != nullptr && config->name() == name());
|
71
|
+
return std::make_unique<StdoutAuditLogger>();
|
72
|
+
}
|
73
|
+
|
74
|
+
} // namespace experimental
|
75
|
+
} // namespace grpc_core
|
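Review bot: `StdoutAuditLogger::Log` splices `rpc_method`, `principal`, `policy_name` and `matched_rule` into `kLogFormat` with plain `%s` and no escaping even though the record is emitted as JSON. The rpc method is the request path the engine passes in via `args.GetPath()` and the principal is presumably taken from the peer's certificate, so a client that gets a `"` or a newline into either field can close the string early, inject keys such as `"authorized":true`, or split one record into two, and a downstream parser or SIEM rule will act on the forged fields. Escape each field before formatting, as in the helper below (which only needs `absl::StrAppendFormat` from the already-included str_format.h), or build the record with the `Json` type this file already includes and a JSON writer. A smaller point: the one-argument `absl::FormatTime` formats in the local zone if I recall correctly; audit records are easier to correlate across hosts in UTC, e.g. `absl::FormatTime(absl::Now(), absl::UTCTimeZone())`.
```cpp
namespace {
// … unchanged: kName, kLogFormat …

// Escapes a value for embedding inside a JSON string literal so that
// attacker-influenced fields (request path, peer identity) cannot break out
// of the record, inject fake keys or split the line.
std::string JsonEscape(absl::string_view in) {
  std::string out;
  out.reserve(in.size());
  for (char c : in) {
    switch (c) {
      case '"':  out += "\\\""; break;
      case '\\': out += "\\\\"; break;
      case '\n': out += "\\n";  break;
      case '\r': out += "\\r";  break;
      case '\t': out += "\\t";  break;
      default:
        if (static_cast<unsigned char>(c) < 0x20) {
          absl::StrAppendFormat(&out, "\\u%04x",
                                static_cast<unsigned char>(c));
        } else {
          out += c;
        }
    }
  }
  return out;
}

}  // namespace

void StdoutAuditLogger::Log(const AuditContext& context) {
  absl::FPrintF(stdout, kLogFormat, absl::FormatTime(absl::Now()),
                JsonEscape(context.rpc_method()),
                JsonEscape(context.principal()),
                JsonEscape(context.policy_name()),
                JsonEscape(context.matched_rule()),
                context.authorized() ? "true" : "false");
}
```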
@@ -0,0 +1,61 @@
|
|
1
|
+
// Copyright 2023 gRPC authors.
|
2
|
+
//
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
// you may not use this file except in compliance with the License.
|
5
|
+
// You may obtain a copy of the License at
|
6
|
+
//
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
//
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
// See the License for the specific language governing permissions and
|
13
|
+
// limitations under the License.
|
14
|
+
|
15
|
+
#ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_STDOUT_LOGGER_H
|
16
|
+
#define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_STDOUT_LOGGER_H
|
17
|
+
|
18
|
+
#include <grpc/support/port_platform.h>
|
19
|
+
|
20
|
+
#include <memory>
|
21
|
+
#include <string>
|
22
|
+
|
23
|
+
#include "absl/status/statusor.h"
|
24
|
+
#include "absl/strings/string_view.h"
|
25
|
+
|
26
|
+
#include <grpc/grpc_audit_logging.h>
|
27
|
+
#include <grpc/support/json.h>
|
28
|
+
|
29
|
+
namespace grpc_core {
|
30
|
+
namespace experimental {
|
31
|
+
|
32
|
+
class StdoutAuditLogger : public AuditLogger {
|
33
|
+
public:
|
34
|
+
StdoutAuditLogger() = default;
|
35
|
+
absl::string_view name() const override { return "stdout_logger"; }
|
36
|
+
void Log(const AuditContext&) override;
|
37
|
+
};
|
38
|
+
|
39
|
+
class StdoutAuditLoggerFactory : public AuditLoggerFactory {
|
40
|
+
public:
|
41
|
+
class Config : public AuditLoggerFactory::Config {
|
42
|
+
public:
|
43
|
+
Config() = default;
|
44
|
+
absl::string_view name() const override;
|
45
|
+
std::string ToString() const override;
|
46
|
+
};
|
47
|
+
StdoutAuditLoggerFactory() = default;
|
48
|
+
|
49
|
+
absl::string_view name() const override;
|
50
|
+
|
51
|
+
absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>>
|
52
|
+
ParseAuditLoggerConfig(const Json& json) override;
|
53
|
+
|
54
|
+
std::unique_ptr<AuditLogger> CreateAuditLogger(
|
55
|
+
std::unique_ptr<AuditLoggerFactory::Config>) override;
|
56
|
+
};
|
57
|
+
|
58
|
+
} // namespace experimental
|
59
|
+
} // namespace grpc_core
|
60
|
+
|
61
|
+
#endif // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_STDOUT_LOGGER_H
|
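Review bot: `StdoutAuditLogger::name()` hard-codes `"stdout_logger"` in the header, while the factory and config names come from the file-local `kName` in stdout_logger.cc, so the three names can drift and the `config->name() == name()` sanity check in `CreateAuditLogger` only compares factory against config and would not notice the logger's name diverging. Define the name once where both translation units can see it and return it from all three `name()` overrides, or at least add `// Must match kName in stdout_logger.cc.` next to the inline literal so the coupling is visible to the next editor.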