rbac_filter.cc
Go to the documentation of this file.
1 //
2 // Copyright 2021 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #include <grpc/support/port_platform.h>
18 
19 #include "src/core/ext/filters/rbac/rbac_filter.h"
20 
21 #include <new>
22 #include <utility>
23 
24 #include <grpc/status.h>
25 #include <grpc/support/log.h>
26 
27 #include "src/core/ext/filters/rbac/rbac_service_config_parser.h"
28 #include "src/core/lib/channel/channel_args.h"
29 #include "src/core/lib/config/core_configuration.h"
30 #include "src/core/lib/gprpp/debug_location.h"
31 #include "src/core/lib/security/authorization/authorization_engine.h"
32 #include "src/core/lib/security/authorization/grpc_authorization_engine.h"
33 #include "src/core/lib/security/context/security_context.h"
34 #include "src/core/lib/service_config/service_config_call_data.h"
35 #include "src/core/lib/transport/transport_fwd.h"
36 
37 namespace grpc_core {
38 
39 //
40 // RbacFilter::CallData
41 //
42 
43 // CallData
44 
45 grpc_error_handle RbacFilter::CallData::Init(
46  grpc_call_element* elem, const grpc_call_element_args* args) {
47  new (elem->call_data) CallData(elem, *args);
48  return GRPC_ERROR_NONE;
49 }
50 
51 void RbacFilter::CallData::Destroy(grpc_call_element* elem,
52  const grpc_call_final_info* /*final_info*/,
53  grpc_closure* /*then_schedule_closure*/) {
54  auto* calld = static_cast<CallData*>(elem->call_data);
55  calld->~CallData();
56 }
57 
58 void RbacFilter::CallData::StartTransportStreamOpBatch(
59  grpc_call_element* elem, grpc_transport_stream_op_batch* op) {
60  CallData* calld = static_cast<CallData*>(elem->call_data);
61  if (op->recv_initial_metadata) {
62  calld->recv_initial_metadata_ =
63  op->payload->recv_initial_metadata.recv_initial_metadata;
64  calld->original_recv_initial_metadata_ready_ =
65  op->payload->recv_initial_metadata.recv_initial_metadata_ready;
66  op->payload->recv_initial_metadata.recv_initial_metadata_ready =
67  &calld->recv_initial_metadata_ready_;
68  }
69  // Chain to the next filter.
70  grpc_call_next_op(elem, op);
71 }
72 
73 RbacFilter::CallData::CallData(grpc_call_element* elem,
74  const grpc_call_element_args& args)
75  : call_context_(args.context) {
76  GRPC_CLOSURE_INIT(&recv_initial_metadata_ready_, RecvInitialMetadataReady,
77  elem, grpc_schedule_on_exec_ctx);
78 }
79 
80 void RbacFilter::CallData::RecvInitialMetadataReady(void* user_data,
81  grpc_error_handle error) {
82  grpc_call_element* elem = static_cast<grpc_call_element*>(user_data);
83  CallData* calld = static_cast<CallData*>(elem->call_data);
84  RbacFilter* filter = static_cast<RbacFilter*>(elem->channel_data);
85  if (GRPC_ERROR_IS_NONE(error)) {
86  // Fetch and apply the rbac policy from the service config.
87  auto* service_config_call_data = static_cast<ServiceConfigCallData*>(
88  calld->call_context_[GRPC_CONTEXT_SERVICE_CONFIG_CALL_DATA].value);
89  auto* method_params = static_cast<RbacMethodParsedConfig*>(
90  service_config_call_data->GetMethodParsedConfig(
91  filter->service_config_parser_index_));
92  if (method_params == nullptr) {
93  error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("No RBAC policy found.");
94  } else {
95  RbacFilter* chand = static_cast<RbacFilter*>(elem->channel_data);
96  auto* authorization_engine =
97  method_params->authorization_engine(chand->index_);
98  if (authorization_engine
99  ->Evaluate(EvaluateArgs(calld->recv_initial_metadata_,
100  &chand->per_channel_evaluate_args_))
101  .type == AuthorizationEngine::Decision::Type::kDeny) {
102  error =
103  GRPC_ERROR_CREATE_FROM_STATIC_STRING("Unauthorized RPC rejected");
104  }
105  }
106  if (!GRPC_ERROR_IS_NONE(error)) {
107  error = grpc_error_set_int(error, GRPC_ERROR_INT_GRPC_STATUS,
108  GRPC_STATUS_PERMISSION_DENIED);
109  }
110  } else {
111  (void)GRPC_ERROR_REF(error);
112  }
113  grpc_closure* closure = calld->original_recv_initial_metadata_ready_;
114  calld->original_recv_initial_metadata_ready_ = nullptr;
115  Closure::Run(DEBUG_LOCATION, closure, error);
116 }
117 
118 //
119 // RbacFilter
120 //
121 
122 const grpc_channel_filter RbacFilter::kFilterVtable = {
123  RbacFilter::CallData::StartTransportStreamOpBatch,
124  nullptr,
125  grpc_channel_next_op,
126  sizeof(RbacFilter::CallData),
127  RbacFilter::CallData::Init,
128  grpc_call_stack_ignore_set_pollset_or_pollset_set,
129  RbacFilter::CallData::Destroy,
130  sizeof(RbacFilter),
131  RbacFilter::Init,
132  grpc_channel_stack_no_post_init,
133  RbacFilter::Destroy,
134  grpc_channel_next_get_info,
135  "rbac_filter",
136 };
137 
138 RbacFilter::RbacFilter(size_t index,
139  EvaluateArgs::PerChannelArgs per_channel_evaluate_args)
140  : index_(index),
141  service_config_parser_index_(RbacServiceConfigParser::ParserIndex()),
142  per_channel_evaluate_args_(std::move(per_channel_evaluate_args)) {}
143 
144 grpc_error_handle RbacFilter::Init(grpc_channel_element* elem,
145  grpc_channel_element_args* args) {
146  GPR_ASSERT(elem->filter == &kFilterVtable);
147  auto* auth_context = grpc_find_auth_context_in_args(args->channel_args);
148  if (auth_context == nullptr) {
149  return GRPC_ERROR_CREATE_FROM_STATIC_STRING("No auth context found");
150  }
151  auto* transport = grpc_channel_args_find_pointer<grpc_transport>(
152  args->channel_args, GRPC_ARG_TRANSPORT);
153  if (transport == nullptr) {
154  // This should never happen since the transport is always set on the server
155  // side.
156  return GRPC_ERROR_CREATE_FROM_STATIC_STRING("No transport configured");
157  }
158  new (elem->channel_data) RbacFilter(
159  grpc_channel_stack_filter_instance_number(args->channel_stack, elem),
160  EvaluateArgs::PerChannelArgs(auth_context,
161  grpc_transport_get_endpoint(transport)));
162  return GRPC_ERROR_NONE;
163 }
164 
165 void RbacFilter::Destroy(grpc_channel_element* elem) {
166  auto* chand = static_cast<RbacFilter*>(elem->channel_data);
167  chand->~RbacFilter();
168 }
169 
170 void RbacFilterRegister(CoreConfiguration::Builder* builder) {
171  RbacServiceConfigParser::Register(builder);
172 }
173 
174 } // namespace grpc_core
GRPC_CLOSURE_INIT
#define GRPC_CLOSURE_INIT(closure, cb, cb_arg, scheduler)
Definition: closure.h:115
grpc_core::RbacFilter::Init
static grpc_error_handle Init(grpc_channel_element *elem, grpc_channel_element_args *args)
Definition: rbac_filter.cc:144
grpc_core::EvaluateArgs
Definition: evaluate_args.h:34
GRPC_ERROR_NONE
#define GRPC_ERROR_NONE
Definition: error.h:234
log.h
core_configuration.h
grpc_core::RbacFilter::CallData::Init
static grpc_error_handle Init(grpc_call_element *elem, const grpc_call_element_args *args)
Definition: rbac_filter.cc:45
grpc_core::RbacFilter::CallData::recv_initial_metadata_
grpc_metadata_batch * recv_initial_metadata_
Definition: rbac_filter.h:63
grpc_channel_next_op
void grpc_channel_next_op(grpc_channel_element *elem, grpc_transport_op *op)
Definition: channel_stack.cc:264
grpc_core
Definition: call_metric_recorder.h:31
grpc_core::CoreConfiguration::Builder
Definition: core_configuration.h:41
grpc_core::ServiceConfigCallData
Definition: service_config_call_data.h:41
GRPC_STATUS_PERMISSION_DENIED
@ GRPC_STATUS_PERMISSION_DENIED
Definition: include/grpc/impl/codegen/status.h:68
grpc_core::RbacFilter::per_channel_evaluate_args_
EvaluateArgs::PerChannelArgs per_channel_evaluate_args_
Definition: rbac_filter.h:79
grpc_channel_element
Definition: channel_stack.h:186
elem
Timer elem
Definition: event_engine/iomgr_event_engine/timer_heap_test.cc:109
error
grpc_error_handle error
Definition: retry_filter.cc:499
grpc_core::AuthorizationEngine::Decision::Type::kDeny
@ kDeny
grpc_core::RbacFilter::Destroy
static void Destroy(grpc_channel_element *elem)
Definition: rbac_filter.cc:165
authorization_engine.h
grpc_core::RbacFilter::CallData::recv_initial_metadata_ready_
grpc_closure recv_initial_metadata_ready_
Definition: rbac_filter.h:65
grpc_core::RbacFilter::index_
size_t index_
Definition: rbac_filter.h:75
grpc_core::RbacFilter::CallData::Destroy
static void Destroy(grpc_call_element *elem, const grpc_call_final_info *, grpc_closure *)
Definition: rbac_filter.cc:51
grpc_core::RbacMethodParsedConfig
Definition: rbac_service_config_parser.h:46
grpc_call_stack_ignore_set_pollset_or_pollset_set
void grpc_call_stack_ignore_set_pollset_or_pollset_set(grpc_call_element *, grpc_polling_entity *)
Definition: channel_stack.cc:233
grpc_call_element
Definition: channel_stack.h:194
grpc_core::RbacFilterRegister
void RbacFilterRegister(CoreConfiguration::Builder *builder)
Definition: rbac_filter.cc:170
status.h
DEBUG_LOCATION
#define DEBUG_LOCATION
Definition: debug_location.h:41
grpc_transport_get_endpoint
grpc_endpoint * grpc_transport_get_endpoint(grpc_transport *transport)
Definition: transport.cc:140
profile_analyzer.builder
builder
Definition: profile_analyzer.py:159
asyncio_get_stats.args
args
Definition: asyncio_get_stats.py:40
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
GPR_ASSERT
#define GPR_ASSERT(x)
Definition: include/grpc/impl/codegen/log.h:94
grpc_core::RbacServiceConfigParser::Register
static void Register(CoreConfiguration::Builder *builder)
Definition: rbac_service_config_parser.cc:607
grpc_channel_stack_no_post_init
void grpc_channel_stack_no_post_init(grpc_channel_stack *, grpc_channel_element *)
Definition: channel_stack.cc:282
transport
grpc_transport transport
Definition: filter_fuzzer.cc:146
grpc_find_auth_context_in_args
grpc_auth_context * grpc_find_auth_context_in_args(const grpc_channel_args *args)
Definition: security_context.cc:321
grpc_channel_next_get_info
void grpc_channel_next_get_info(grpc_channel_element *elem, const grpc_channel_info *channel_info)
Definition: channel_stack.cc:258
rbac_filter.h
grpc_core::RbacFilter::CallData::RecvInitialMetadataReady
static void RecvInitialMetadataReady(void *user_data, grpc_error_handle error)
Definition: rbac_filter.cc:80
service_config_call_data.h
grpc_call_next_op
void grpc_call_next_op(grpc_call_element *elem, grpc_transport_stream_op_batch *op)
Definition: channel_stack.cc:251
grpc_call_element_args
Definition: channel_stack.h:80
transport_fwd.h
grpc_channel_filter
Definition: channel_stack.h:111
grpc_core::RbacFilter::RbacFilter
RbacFilter(size_t index, EvaluateArgs::PerChannelArgs per_channel_evaluate_args)
Definition: rbac_filter.cc:138
grpc_core::RbacFilter::CallData::CallData
CallData(grpc_call_element *elem, const grpc_call_element_args &args)
Definition: rbac_filter.cc:73
GRPC_ERROR_CREATE_FROM_STATIC_STRING
#define GRPC_ERROR_CREATE_FROM_STATIC_STRING(desc)
Definition: error.h:291
grpc_call_context_element::value
void * value
Definition: core/lib/channel/context.h:52
grpc_core::RbacServiceConfigParser
Definition: rbac_service_config_parser.h:69
grpc_channel_stack_filter_instance_number
size_t grpc_channel_stack_filter_instance_number(grpc_channel_stack *channel_stack, grpc_channel_element *elem)
Definition: channel_stack.cc:88
security_context.h
grpc_authorization_engine.h
GRPC_ERROR_REF
#define GRPC_ERROR_REF(err)
Definition: error.h:261
debug_location.h
grpc_error_set_int
grpc_error_handle grpc_error_set_int(grpc_error_handle src, grpc_error_ints which, intptr_t value)
Definition: error.cc:613
GRPC_CONTEXT_SERVICE_CONFIG_CALL_DATA
@ GRPC_CONTEXT_SERVICE_CONFIG_CALL_DATA
Holds a pointer to ServiceConfigCallData associated with this call.
Definition: core/lib/channel/context.h:46
index
int index
Definition: bloaty/third_party/protobuf/php/ext/google/protobuf/protobuf.h:1184
call_context_
grpc_call_context_element * call_context_
Definition: client_channel.cc:394
std
Definition: grpcpp/impl/codegen/async_unary_call.h:407
grpc_core::EvaluateArgs::PerChannelArgs
Definition: evaluate_args.h:38
grpc_core::RbacFilter::CallData::call_context_
grpc_call_context_element * call_context_
Definition: rbac_filter.h:61
closure
Definition: proxy.cc:59
channel_args.h
grpc_core::RbacFilter::CallData
Definition: rbac_filter.h:46
grpc_channel_element_args
Definition: channel_stack.h:74
context
grpc::ClientContext context
Definition: istio_echo_server_lib.cc:61
grpc_call_final_info
Definition: channel_stack.h:95
grpc_core::RbacFilter::CallData::StartTransportStreamOpBatch
static void StartTransportStreamOpBatch(grpc_call_element *elem, grpc_transport_stream_op_batch *op)
Definition: rbac_filter.cc:58
grpc_error
Definition: error_internal.h:42
grpc_transport_stream_op_batch
Definition: transport.h:284
grpc_closure
Definition: closure.h:56
op
static grpc_op * op
Definition: test/core/fling/client.cc:47
grpc_core::Closure::Run
static void Run(const DebugLocation &location, grpc_closure *closure, grpc_error_handle error)
Definition: closure.h:250
grpc_core::RbacFilter
Definition: rbac_filter.h:37
grpc_core::RbacFilter::service_config_parser_index_
const size_t service_config_parser_index_
Definition: rbac_filter.h:77
grpc_core::RbacFilter::CallData::original_recv_initial_metadata_ready_
grpc_closure * original_recv_initial_metadata_ready_
Definition: rbac_filter.h:64
GRPC_ERROR_INT_GRPC_STATUS
@ GRPC_ERROR_INT_GRPC_STATUS
grpc status code representing this error
Definition: error.h:66
grpc_core::RbacFilter::kFilterVtable
static const grpc_channel_filter kFilterVtable
Definition: rbac_filter.h:43
rbac_service_config_parser.h
GRPC_ERROR_IS_NONE
#define GRPC_ERROR_IS_NONE(err)
Definition: error.h:241
GRPC_ARG_TRANSPORT
#define GRPC_ARG_TRANSPORT
Definition: transport.h:71
port_platform.h

grpc
Author(s):
autogenerated on Fri May 16 2025 02:59:59