rbac_service_config_parser.cc
Go to the documentation of this file.
1 //
2 // Copyright 2021 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #include <grpc/support/port_platform.h>
18 
19 #include "src/core/ext/filters/rbac/rbac_service_config_parser.h"
20 
21 #include <stdint.h>
22 
23 #include <map>
24 #include <string>
25 
26 #include "absl/memory/memory.h"
27 #include "absl/status/status.h"
28 #include "absl/status/statusor.h"
29 #include "absl/strings/str_format.h"
30 
31 #include <grpc/support/log.h>
32 
33 #include "src/core/lib/channel/channel_args.h"
34 #include "src/core/lib/json/json_util.h"
35 #include "src/core/lib/matchers/matchers.h"
36 #include "src/core/lib/transport/error_utils.h"
37 
38 namespace grpc_core {
39 
40 namespace {
41 
42 std::string ParseRegexMatcher(const Json::Object& regex_matcher_json,
43  std::vector<grpc_error_handle>* error_list) {
44  std::string regex;
45  ParseJsonObjectField(regex_matcher_json, "regex", &regex, error_list);
46  return regex;
47 }
48 
49 absl::StatusOr<HeaderMatcher> ParseHeaderMatcher(
50  const Json::Object& header_matcher_json,
51  std::vector<grpc_error_handle>* error_list) {
52  std::string name;
53  ParseJsonObjectField(header_matcher_json, "name", &name, error_list);
54  std::string match;
55  HeaderMatcher::Type type = HeaderMatcher::Type();
56  const Json::Object* inner_json;
57  int64_t start = 0;
58  int64_t end = 0;
59  bool present_match = false;
60  bool invert_match = false;
61  ParseJsonObjectField(header_matcher_json, "invertMatch", &invert_match,
62  error_list, /*required=*/false);
63  if (ParseJsonObjectField(header_matcher_json, "exactMatch", &match,
64  error_list, /*required=*/false)) {
65  type = HeaderMatcher::Type::kExact;
66  } else if (ParseJsonObjectField(header_matcher_json, "safeRegexMatch",
67  &inner_json, error_list,
68  /*required=*/false)) {
69  type = HeaderMatcher::Type::kSafeRegex;
70  std::vector<grpc_error_handle> safe_regex_matcher_error_list;
71  match = ParseRegexMatcher(*inner_json, &safe_regex_matcher_error_list);
72  if (!safe_regex_matcher_error_list.empty()) {
73  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
74  "safeRegexMatch", &safe_regex_matcher_error_list));
75  }
76  } else if (ParseJsonObjectField(header_matcher_json, "rangeMatch",
77  &inner_json, error_list,
78  /*required=*/false)) {
79  type = HeaderMatcher::Type::kRange;
80  std::vector<grpc_error_handle> range_error_list;
81  ParseJsonObjectField(*inner_json, "start", &start, &range_error_list);
82  ParseJsonObjectField(*inner_json, "end", &end, &range_error_list);
83  if (!range_error_list.empty()) {
84  error_list->push_back(
85  GRPC_ERROR_CREATE_FROM_VECTOR("rangeMatch", &range_error_list));
86  }
87  } else if (ParseJsonObjectField(header_matcher_json, "presentMatch",
88  &present_match, error_list,
89  /*required=*/false)) {
90  type = HeaderMatcher::Type::kPresent;
91  } else if (ParseJsonObjectField(header_matcher_json, "prefixMatch", &match,
92  error_list, /*required=*/false)) {
93  type = HeaderMatcher::Type::kPrefix;
94  } else if (ParseJsonObjectField(header_matcher_json, "suffixMatch", &match,
95  error_list, /*required=*/false)) {
96  type = HeaderMatcher::Type::kSuffix;
97  } else if (ParseJsonObjectField(header_matcher_json, "containsMatch", &match,
98  error_list, /*required=*/false)) {
99  type = HeaderMatcher::Type::kContains;
100  } else {
101  return absl::InvalidArgumentError("No valid matcher found");
102  }
103  return HeaderMatcher::Create(name, type, match, start, end, present_match,
104  invert_match);
105 }
106 
107 absl::StatusOr<StringMatcher> ParseStringMatcher(
108  const Json::Object& string_matcher_json,
109  std::vector<grpc_error_handle>* error_list) {
110  std::string match;
111  StringMatcher::Type type = StringMatcher::Type();
112  const Json::Object* inner_json;
113  bool ignore_case = false;
114  ParseJsonObjectField(string_matcher_json, "ignoreCase", &ignore_case,
115  error_list, /*required=*/false);
116  if (ParseJsonObjectField(string_matcher_json, "exact", &match, error_list,
117  /*required=*/false)) {
118  type = StringMatcher::Type::kExact;
119  } else if (ParseJsonObjectField(string_matcher_json, "prefix", &match,
120  error_list, /*required=*/false)) {
121  type = StringMatcher::Type::kPrefix;
122  } else if (ParseJsonObjectField(string_matcher_json, "suffix", &match,
123  error_list, /*required=*/false)) {
124  type = StringMatcher::Type::kSuffix;
125  } else if (ParseJsonObjectField(string_matcher_json, "safeRegex", &inner_json,
126  error_list, /*required=*/false)) {
127  type = StringMatcher::Type::kSafeRegex;
128  std::vector<grpc_error_handle> safe_regex_matcher_error_list;
129  match = ParseRegexMatcher(*inner_json, &safe_regex_matcher_error_list);
130  if (!safe_regex_matcher_error_list.empty()) {
131  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
132  "safeRegex", &safe_regex_matcher_error_list));
133  }
134  } else if (ParseJsonObjectField(string_matcher_json, "contains", &match,
135  error_list, /*required=*/false)) {
136  type = StringMatcher::Type::kContains;
137  } else {
138  return absl::InvalidArgumentError("No valid matcher found");
139  }
140  return StringMatcher::Create(type, match, ignore_case);
141 }
142 
143 absl::StatusOr<StringMatcher> ParsePathMatcher(
144  const Json::Object& path_matcher_json,
145  std::vector<grpc_error_handle>* error_list) {
146  const Json::Object* string_matcher_json;
147  if (ParseJsonObjectField(path_matcher_json, "path", &string_matcher_json,
148  error_list)) {
149  std::vector<grpc_error_handle> sub_error_list;
150  auto matcher = ParseStringMatcher(*string_matcher_json, &sub_error_list);
151  if (!sub_error_list.empty()) {
152  error_list->push_back(
153  GRPC_ERROR_CREATE_FROM_VECTOR("path", &sub_error_list));
154  }
155  return matcher;
156  }
157  return absl::InvalidArgumentError("No path found");
158 }
159 
160 Rbac::CidrRange ParseCidrRange(const Json::Object& cidr_range_json,
161  std::vector<grpc_error_handle>* error_list) {
162  std::string address_prefix;
163  ParseJsonObjectField(cidr_range_json, "addressPrefix", &address_prefix,
164  error_list);
165  const Json::Object* uint32_json;
166  uint32_t prefix_len = 0; // default value
167  if (ParseJsonObjectField(cidr_range_json, "prefixLen", &uint32_json,
168  error_list, /*required=*/false)) {
169  std::vector<grpc_error_handle> sub_error_list;
170  ParseJsonObjectField(*uint32_json, "value", &prefix_len, &sub_error_list);
171  if (!sub_error_list.empty()) {
172  error_list->push_back(
173  GRPC_ERROR_CREATE_FROM_VECTOR("prefixLen", &sub_error_list));
174  }
175  }
176  return Rbac::CidrRange(std::move(address_prefix), prefix_len);
177 }
178 
179 Rbac::Permission ParsePermission(const Json::Object& permission_json,
180  std::vector<grpc_error_handle>* error_list) {
181  auto parse_permission_set = [](const Json::Object& permission_set_json,
182  std::vector<grpc_error_handle>* error_list) {
183  const Json::Array* rules_json;
184  std::vector<std::unique_ptr<Rbac::Permission>> permissions;
185  if (ParseJsonObjectField(permission_set_json, "rules", &rules_json,
186  error_list)) {
187  for (size_t i = 0; i < rules_json->size(); ++i) {
188  const Json::Object* permission_json;
189  if (!ExtractJsonType((*rules_json)[i],
190  absl::StrFormat("rules[%d]", i).c_str(),
191  &permission_json, error_list)) {
192  continue;
193  }
194  std::vector<grpc_error_handle> permission_error_list;
195  permissions.emplace_back(absl::make_unique<Rbac::Permission>(
196  ParsePermission(*permission_json, &permission_error_list)));
197  if (!permission_error_list.empty()) {
198  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING(
199  absl::StrFormat("rules[%d]", i), &permission_error_list));
200  }
201  }
202  }
203  return permissions;
204  };
205  Rbac::Permission permission;
206  const Json::Object* inner_json;
207  bool any;
208  int port;
209  if (ParseJsonObjectField(permission_json, "andRules", &inner_json, error_list,
210  /*required=*/false)) {
211  std::vector<grpc_error_handle> and_rules_error_list;
212  permission = Rbac::Permission::MakeAndPermission(
213  parse_permission_set(*inner_json, &and_rules_error_list));
214  if (!and_rules_error_list.empty()) {
215  error_list->push_back(
216  GRPC_ERROR_CREATE_FROM_VECTOR("andRules", &and_rules_error_list));
217  }
218  } else if (ParseJsonObjectField(permission_json, "orRules", &inner_json,
219  error_list, /*required=*/false)) {
220  std::vector<grpc_error_handle> or_rules_error_list;
221  permission = Rbac::Permission::MakeOrPermission(
222  parse_permission_set(*inner_json, &or_rules_error_list));
223  if (!or_rules_error_list.empty()) {
224  error_list->push_back(
225  GRPC_ERROR_CREATE_FROM_VECTOR("orRules", &or_rules_error_list));
226  }
227  } else if (ParseJsonObjectField(permission_json, "any", &any, error_list,
228  /*required=*/false) &&
229  any) {
230  permission = Rbac::Permission::MakeAnyPermission();
231  } else if (ParseJsonObjectField(permission_json, "header", &inner_json,
232  error_list,
233  /*required=*/false)) {
234  std::vector<grpc_error_handle> header_error_list;
235  auto matcher = ParseHeaderMatcher(*inner_json, &header_error_list);
236  if (matcher.ok()) {
237  permission = Rbac::Permission::MakeHeaderPermission(*matcher);
238  } else {
239  header_error_list.push_back(absl_status_to_grpc_error(matcher.status()));
240  }
241  if (!header_error_list.empty()) {
242  error_list->push_back(
243  GRPC_ERROR_CREATE_FROM_VECTOR("header", &header_error_list));
244  }
245  } else if (ParseJsonObjectField(permission_json, "urlPath", &inner_json,
246  error_list,
247  /*required=*/false)) {
248  std::vector<grpc_error_handle> url_path_error_list;
249  auto matcher = ParsePathMatcher(*inner_json, &url_path_error_list);
250  if (matcher.ok()) {
251  permission = Rbac::Permission::MakePathPermission(*matcher);
252  } else {
253  url_path_error_list.push_back(
254  absl_status_to_grpc_error(matcher.status()));
255  }
256  if (!url_path_error_list.empty()) {
257  error_list->push_back(
258  GRPC_ERROR_CREATE_FROM_VECTOR("urlPath", &url_path_error_list));
259  }
260  } else if (ParseJsonObjectField(permission_json, "destinationIp", &inner_json,
261  error_list, /*required=*/false)) {
262  std::vector<grpc_error_handle> destination_ip_error_list;
263  permission = Rbac::Permission::MakeDestIpPermission(
264  ParseCidrRange(*inner_json, &destination_ip_error_list));
265  if (!destination_ip_error_list.empty()) {
266  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
267  "destinationIp", &destination_ip_error_list));
268  }
269  } else if (ParseJsonObjectField(permission_json, "destinationPort", &port,
270  error_list, /*required=*/false)) {
271  permission = Rbac::Permission::MakeDestPortPermission(port);
272  } else if (ParseJsonObjectField(permission_json, "metadata", &inner_json,
273  error_list, /*required=*/false)) {
274  std::vector<grpc_error_handle> metadata_error_list;
275  bool invert = false;
276  ParseJsonObjectField(*inner_json, "invert", &invert, &metadata_error_list,
277  /*required=*/false);
278  if (metadata_error_list.empty()) {
279  permission = Rbac::Permission::MakeMetadataPermission(invert);
280  } else {
281  error_list->push_back(
282  GRPC_ERROR_CREATE_FROM_VECTOR("metadata", &metadata_error_list));
283  }
284  } else if (ParseJsonObjectField(permission_json, "notRule", &inner_json,
285  error_list, /*required=*/false)) {
286  std::vector<grpc_error_handle> not_rule_error_list;
287  permission = Rbac::Permission::MakeNotPermission(
288  ParsePermission(*inner_json, &not_rule_error_list));
289  if (!not_rule_error_list.empty()) {
290  error_list->push_back(
291  GRPC_ERROR_CREATE_FROM_VECTOR("notRule", &not_rule_error_list));
292  }
293  } else if (ParseJsonObjectField(permission_json, "requestedServerName",
294  &inner_json, error_list,
295  /*required=*/false)) {
296  std::vector<grpc_error_handle> req_server_name_error_list;
297  auto matcher = ParseStringMatcher(*inner_json, &req_server_name_error_list);
298  if (matcher.ok()) {
299  permission = Rbac::Permission::MakeReqServerNamePermission(*matcher);
300  } else {
301  req_server_name_error_list.push_back(
302  absl_status_to_grpc_error(matcher.status()));
303  }
304  if (!req_server_name_error_list.empty()) {
305  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
306  "requestedServerName", &req_server_name_error_list));
307  }
308  } else {
309  error_list->push_back(
310  GRPC_ERROR_CREATE_FROM_STATIC_STRING("No valid rule found"));
311  }
312  return permission;
313 }
314 
315 Rbac::Principal ParsePrincipal(const Json::Object& principal_json,
316  std::vector<grpc_error_handle>* error_list) {
317  auto parse_principal_set = [](const Json::Object& principal_set_json,
318  std::vector<grpc_error_handle>* error_list) {
319  const Json::Array* rules_json;
320  std::vector<std::unique_ptr<Rbac::Principal>> principals;
321  if (ParseJsonObjectField(principal_set_json, "ids", &rules_json,
322  error_list)) {
323  for (size_t i = 0; i < rules_json->size(); ++i) {
324  const Json::Object* principal_json;
325  if (!ExtractJsonType((*rules_json)[i],
326  absl::StrFormat("ids[%d]", i).c_str(),
327  &principal_json, error_list)) {
328  continue;
329  }
330  std::vector<grpc_error_handle> principal_error_list;
331  principals.emplace_back(absl::make_unique<Rbac::Principal>(
332  ParsePrincipal(*principal_json, &principal_error_list)));
333  if (!principal_error_list.empty()) {
334  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING(
335  absl::StrFormat("ids[%d]", i), &principal_error_list));
336  }
337  }
338  }
339  return principals;
340  };
341  Rbac::Principal principal;
342  const Json::Object* inner_json;
343  bool any;
344  if (ParseJsonObjectField(principal_json, "andIds", &inner_json, error_list,
345  /*required=*/false)) {
346  std::vector<grpc_error_handle> and_rules_error_list;
347  principal = Rbac::Principal::MakeAndPrincipal(
348  parse_principal_set(*inner_json, &and_rules_error_list));
349  if (!and_rules_error_list.empty()) {
350  error_list->push_back(
351  GRPC_ERROR_CREATE_FROM_VECTOR("andIds", &and_rules_error_list));
352  }
353  } else if (ParseJsonObjectField(principal_json, "orIds", &inner_json,
354  error_list, /*required=*/false)) {
355  std::vector<grpc_error_handle> or_rules_error_list;
356  principal = Rbac::Principal::MakeOrPrincipal(
357  parse_principal_set(*inner_json, &or_rules_error_list));
358  if (!or_rules_error_list.empty()) {
359  error_list->push_back(
360  GRPC_ERROR_CREATE_FROM_VECTOR("orIds", &or_rules_error_list));
361  }
362  } else if (ParseJsonObjectField(principal_json, "any", &any, error_list,
363  /*required=*/false) &&
364  any) {
365  principal = Rbac::Principal::MakeAnyPrincipal();
366  } else if (ParseJsonObjectField(principal_json, "authenticated", &inner_json,
367  error_list, /*required=*/false)) {
368  std::vector<grpc_error_handle> authenticated_error_list;
369  const Json::Object* principal_name_json;
370  if (ParseJsonObjectField(*inner_json, "principalName", &principal_name_json,
371  &authenticated_error_list, /*required=*/false)) {
372  std::vector<grpc_error_handle> principal_name_error_list;
373  auto matcher =
374  ParseStringMatcher(*principal_name_json, &principal_name_error_list);
375  if (matcher.ok()) {
376  principal = Rbac::Principal::MakeAuthenticatedPrincipal(*matcher);
377  } else {
378  principal_name_error_list.push_back(
379  absl_status_to_grpc_error(matcher.status()));
380  }
381  if (!principal_name_error_list.empty()) {
382  authenticated_error_list.push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
383  "principalName", &principal_name_error_list));
384  }
385  } else if (authenticated_error_list.empty()) {
386  // No principalName found. Match for all users.
387  principal = Rbac::Principal::MakeAnyPrincipal();
388  } else {
389  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
390  "authenticated", &authenticated_error_list));
391  }
392  } else if (ParseJsonObjectField(principal_json, "sourceIp", &inner_json,
393  error_list, /*required=*/false)) {
394  std::vector<grpc_error_handle> source_ip_error_list;
395  principal = Rbac::Principal::MakeSourceIpPrincipal(
396  ParseCidrRange(*inner_json, &source_ip_error_list));
397  if (!source_ip_error_list.empty()) {
398  error_list->push_back(
399  GRPC_ERROR_CREATE_FROM_VECTOR("sourceIp", &source_ip_error_list));
400  }
401  } else if (ParseJsonObjectField(principal_json, "directRemoteIp", &inner_json,
402  error_list, /*required=*/false)) {
403  std::vector<grpc_error_handle> direct_remote_ip_error_list;
404  principal = Rbac::Principal::MakeDirectRemoteIpPrincipal(
405  ParseCidrRange(*inner_json, &direct_remote_ip_error_list));
406  if (!direct_remote_ip_error_list.empty()) {
407  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR(
408  "directRemoteIp", &direct_remote_ip_error_list));
409  }
410  } else if (ParseJsonObjectField(principal_json, "remoteIp", &inner_json,
411  error_list, /*required=*/false)) {
412  std::vector<grpc_error_handle> remote_ip_error_list;
413  principal = Rbac::Principal::MakeRemoteIpPrincipal(
414  ParseCidrRange(*inner_json, &remote_ip_error_list));
415  if (!remote_ip_error_list.empty()) {
416  error_list->push_back(
417  GRPC_ERROR_CREATE_FROM_VECTOR("remoteIp", &remote_ip_error_list));
418  }
419  } else if (ParseJsonObjectField(principal_json, "header", &inner_json,
420  error_list,
421  /*required=*/false)) {
422  std::vector<grpc_error_handle> header_error_list;
423  auto matcher = ParseHeaderMatcher(*inner_json, &header_error_list);
424  if (matcher.ok()) {
425  principal = Rbac::Principal::MakeHeaderPrincipal(*matcher);
426  } else {
427  header_error_list.push_back(absl_status_to_grpc_error(matcher.status()));
428  }
429  if (!header_error_list.empty()) {
430  error_list->push_back(
431  GRPC_ERROR_CREATE_FROM_VECTOR("header", &header_error_list));
432  }
433  } else if (ParseJsonObjectField(principal_json, "urlPath", &inner_json,
434  error_list,
435  /*required=*/false)) {
436  std::vector<grpc_error_handle> url_path_error_list;
437  auto matcher = ParsePathMatcher(*inner_json, &url_path_error_list);
438  if (matcher.ok()) {
439  principal = Rbac::Principal::MakePathPrincipal(*matcher);
440  } else {
441  url_path_error_list.push_back(
442  absl_status_to_grpc_error(matcher.status()));
443  }
444  if (!url_path_error_list.empty()) {
445  error_list->push_back(
446  GRPC_ERROR_CREATE_FROM_VECTOR("urlPath", &url_path_error_list));
447  }
448  } else if (ParseJsonObjectField(principal_json, "metadata", &inner_json,
449  error_list, /*required=*/false)) {
450  std::vector<grpc_error_handle> metadata_error_list;
451  bool invert = false;
452  ParseJsonObjectField(*inner_json, "invert", &invert, &metadata_error_list,
453  /*required=*/false);
454  if (metadata_error_list.empty()) {
455  principal = Rbac::Principal::MakeMetadataPrincipal(invert);
456  } else {
457  error_list->push_back(
458  GRPC_ERROR_CREATE_FROM_VECTOR("metadata", &metadata_error_list));
459  }
460  } else if (ParseJsonObjectField(principal_json, "notId", &inner_json,
461  error_list, /*required=*/false)) {
462  std::vector<grpc_error_handle> not_rule_error_list;
463  principal = Rbac::Principal::MakeNotPrincipal(
464  ParsePrincipal(*inner_json, &not_rule_error_list));
465  if (!not_rule_error_list.empty()) {
466  error_list->push_back(
467  GRPC_ERROR_CREATE_FROM_VECTOR("notId", &not_rule_error_list));
468  }
469  } else {
470  error_list->push_back(
471  GRPC_ERROR_CREATE_FROM_STATIC_STRING("No valid id found"));
472  }
473  return principal;
474 }
475 
476 Rbac::Policy ParsePolicy(const Json::Object& policy_json,
477  std::vector<grpc_error_handle>* error_list) {
478  Rbac::Policy policy;
479  const Json::Array* permissions_json_array;
480  std::vector<std::unique_ptr<Rbac::Permission>> permissions;
481  if (ParseJsonObjectField(policy_json, "permissions", &permissions_json_array,
482  error_list)) {
483  for (size_t i = 0; i < permissions_json_array->size(); ++i) {
484  const Json::Object* permission_json;
485  if (!ExtractJsonType((*permissions_json_array)[i],
486  absl::StrFormat("permissions[%d]", i),
487  &permission_json, error_list)) {
488  continue;
489  }
490  std::vector<grpc_error_handle> permission_error_list;
491  permissions.emplace_back(absl::make_unique<Rbac::Permission>(
492  ParsePermission(*permission_json, &permission_error_list)));
493  if (!permission_error_list.empty()) {
494  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING(
495  absl::StrFormat("permissions[%d]", i), &permission_error_list));
496  }
497  }
498  }
499  const Json::Array* principals_json_array;
500  std::vector<std::unique_ptr<Rbac::Principal>> principals;
501  if (ParseJsonObjectField(policy_json, "principals", &principals_json_array,
502  error_list)) {
503  for (size_t i = 0; i < principals_json_array->size(); ++i) {
504  const Json::Object* principal_json;
505  if (!ExtractJsonType((*principals_json_array)[i],
506  absl::StrFormat("principals[%d]", i),
507  &principal_json, error_list)) {
508  continue;
509  }
510  std::vector<grpc_error_handle> principal_error_list;
511  principals.emplace_back(absl::make_unique<Rbac::Principal>(
512  ParsePrincipal(*principal_json, &principal_error_list)));
513  if (!principal_error_list.empty()) {
514  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING(
515  absl::StrFormat("principals[%d]", i), &principal_error_list));
516  }
517  }
518  }
519  policy.permissions =
520  Rbac::Permission::MakeOrPermission(std::move(permissions));
521  policy.principals = Rbac::Principal::MakeOrPrincipal(std::move(principals));
522  return policy;
523 }
524 
525 Rbac ParseRbac(const Json::Object& rbac_json,
526  std::vector<grpc_error_handle>* error_list) {
527  Rbac rbac;
528  const Json::Object* rules_json;
529  if (!ParseJsonObjectField(rbac_json, "rules", &rules_json, error_list,
530  /*required=*/false)) {
531  // No enforcing to be applied. An empty deny policy with an empty map is
532  // equivalent to no enforcing.
533  return Rbac(Rbac::Action::kDeny, {});
534  }
535  int action;
536  if (ParseJsonObjectField(*rules_json, "action", &action, error_list)) {
537  if (action > 1) {
538  error_list->push_back(
539  GRPC_ERROR_CREATE_FROM_STATIC_STRING("Unknown action"));
540  }
541  }
542  rbac.action = static_cast<Rbac::Action>(action);
543  const Json::Object* policies_json;
544  if (ParseJsonObjectField(*rules_json, "policies", &policies_json, error_list,
545  /*required=*/false)) {
546  for (const auto& entry : *policies_json) {
547  std::vector<grpc_error_handle> policy_error_list;
548  rbac.policies.emplace(
549  entry.first,
550  ParsePolicy(entry.second.object_value(), &policy_error_list));
551  if (!policy_error_list.empty()) {
552  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING(
553  absl::StrFormat("policies key:'%s'", entry.first.c_str()),
554  &policy_error_list));
555  }
556  }
557  }
558  return rbac;
559 }
560 
561 std::vector<Rbac> ParseRbacArray(const Json::Array& policies_json_array,
562  std::vector<grpc_error_handle>* error_list) {
563  std::vector<Rbac> policies;
564  for (size_t i = 0; i < policies_json_array.size(); ++i) {
565  const Json::Object* rbac_json;
566  if (!ExtractJsonType(policies_json_array[i],
567  absl::StrFormat("rbacPolicy[%d]", i), &rbac_json,
568  error_list)) {
569  continue;
570  }
571  std::vector<grpc_error_handle> rbac_policy_error_list;
572  policies.emplace_back(ParseRbac(*rbac_json, &rbac_policy_error_list));
573  if (!rbac_policy_error_list.empty()) {
574  error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING(
575  absl::StrFormat("rbacPolicy[%d]", i), &rbac_policy_error_list));
576  }
577  }
578  return policies;
579 }
580 
581 } // namespace
582 
583 std::unique_ptr<ServiceConfigParser::ParsedConfig>
584 RbacServiceConfigParser::ParsePerMethodParams(const grpc_channel_args* args,
585  const Json& json,
586  grpc_error_handle* error) {
587  GPR_DEBUG_ASSERT(error != nullptr && GRPC_ERROR_IS_NONE(*error));
588  // Only parse rbac policy if the channel arg is present
589  if (!grpc_channel_args_find_bool(args, GRPC_ARG_PARSE_RBAC_METHOD_CONFIG,
590  false)) {
591  return nullptr;
592  }
593  std::vector<Rbac> rbac_policies;
594  std::vector<grpc_error_handle> error_list;
595  const Json::Array* policies_json_array;
596  if (ParseJsonObjectField(json.object_value(), "rbacPolicy",
597  &policies_json_array, &error_list)) {
598  rbac_policies = ParseRbacArray(*policies_json_array, &error_list);
599  }
600  *error = GRPC_ERROR_CREATE_FROM_VECTOR("Rbac parser", &error_list);
601  if (!GRPC_ERROR_IS_NONE(*error) || rbac_policies.empty()) {
602  return nullptr;
603  }
604  return absl::make_unique<RbacMethodParsedConfig>(std::move(rbac_policies));
605 }
606 
607 void RbacServiceConfigParser::Register(CoreConfiguration::Builder* builder) {
608  builder->service_config_parser()->RegisterParser(
609  absl::make_unique<RbacServiceConfigParser>());
610 }
611 
612 size_t RbacServiceConfigParser::ParserIndex() {
613  return CoreConfiguration::Get().service_config_parser().GetParserIndex(
614  parser_name());
615 }
616 
617 } // namespace grpc_core
grpc_core::HeaderMatcher::Type::kSuffix
@ kSuffix
grpc_core::Json::Array
std::vector< Json > Array
Definition: src/core/lib/json/json.h:55
grpc_core::HeaderMatcher::Type::kContains
@ kContains
absl::InvalidArgumentError
Status InvalidArgumentError(absl::string_view message)
Definition: third_party/abseil-cpp/absl/status/status.cc:351
grpc_core::Rbac::Principal::MakeHeaderPrincipal
static Principal MakeHeaderPrincipal(HeaderMatcher header_matcher)
Definition: rbac_policy.cc:314
grpc_core::Rbac::Permission::MakePathPermission
static Permission MakePathPermission(StringMatcher string_matcher)
Definition: rbac_policy.cc:121
log.h
grpc_core::Rbac::Permission::MakeHeaderPermission
static Permission MakeHeaderPermission(HeaderMatcher header_matcher)
Definition: rbac_policy.cc:113
grpc_core::Rbac::Permission::MakeAnyPermission
static Permission MakeAnyPermission()
Definition: rbac_policy.cc:107
grpc_core::Rbac::Permission::MakeAndPermission
static Permission MakeAndPermission(std::vector< std::unique_ptr< Permission >> permissions)
Definition: rbac_policy.cc:83
grpc_core::Rbac::Principal::MakeAnyPrincipal
static Principal MakeAnyPrincipal()
Definition: rbac_policy.cc:279
absl::StrFormat
ABSL_MUST_USE_RESULT std::string StrFormat(const FormatSpec< Args... > &format, const Args &... args)
Definition: abseil-cpp/absl/strings/str_format.h:338
GPR_DEBUG_ASSERT
#define GPR_DEBUG_ASSERT(x)
Definition: include/grpc/impl/codegen/log.h:103
grpc_core::HeaderMatcher::Type::kExact
@ kExact
grpc_core::RbacServiceConfigParser::ParserIndex
static size_t ParserIndex()
Definition: rbac_service_config_parser.cc:612
grpc_core::CoreConfiguration::service_config_parser
const ServiceConfigParser & service_config_parser() const
Definition: core_configuration.h:153
grpc_core
Definition: call_metric_recorder.h:31
grpc_core::CoreConfiguration::Builder
Definition: core_configuration.h:41
match
unsigned char match[65280+2]
Definition: bloaty/third_party/zlib/examples/gun.c:165
grpc_core::Rbac::Action::kDeny
@ kDeny
testing::internal::string
::std::string string
Definition: bloaty/third_party/protobuf/third_party/googletest/googletest/include/gtest/internal/gtest-port.h:881
error
grpc_error_handle error
Definition: retry_filter.cc:499
grpc_core::Json::object_value
const Object & object_value() const
Definition: src/core/lib/json/json.h:177
grpc_core::Rbac::Permission::MakeNotPermission
static Permission MakeNotPermission(Permission permission)
Definition: rbac_policy.cc:99
grpc_core::StringMatcher::Create
static absl::StatusOr< StringMatcher > Create(Type type, absl::string_view matcher, bool case_sensitive=true)
Definition: matchers/matchers.cc:34
setup.name
name
Definition: setup.py:542
grpc_core::RbacServiceConfigParser::ParsePerMethodParams
std::unique_ptr< ServiceConfigParser::ParsedConfig > ParsePerMethodParams(const grpc_channel_args *args, const Json &json, grpc_error_handle *error) override
Definition: rbac_service_config_parser.cc:584
grpc_core::HeaderMatcher::Type::kPresent
@ kPresent
grpc_channel_args_find_bool
bool grpc_channel_args_find_bool(const grpc_channel_args *args, const char *name, bool default_value)
Definition: channel_args.cc:465
grpc_channel_args
Definition: grpc_types.h:132
grpc_core::Rbac::Principal::MakePathPrincipal
static Principal MakePathPrincipal(StringMatcher string_matcher)
Definition: rbac_policy.cc:322
GRPC_ERROR_CREATE_FROM_VECTOR
#define GRPC_ERROR_CREATE_FROM_VECTOR(desc, error_list)
Definition: error.h:314
grpc_core::StringMatcher::Type::kSuffix
@ kSuffix
grpc_core::Rbac::Principal::MakeNotPrincipal
static Principal MakeNotPrincipal(Principal principal)
Definition: rbac_policy.cc:271
uint32_t
unsigned int uint32_t
Definition: stdint-msvc2008.h:80
start
static uint64_t start
Definition: benchmark-pound.c:74
profile_analyzer.builder
builder
Definition: profile_analyzer.py:159
asyncio_get_stats.args
args
Definition: asyncio_get_stats.py:40
grpc_core::HeaderMatcher::Type
Type
Definition: matchers/matchers.h:81
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
end
char * end
Definition: abseil-cpp/absl/strings/internal/str_format/float_conversion.cc:1008
int64_t
signed __int64 int64_t
Definition: stdint-msvc2008.h:89
grpc_core::Rbac::Action
Action
Definition: rbac_policy.h:36
grpc_core::CoreConfiguration::Get
static const CoreConfiguration & Get()
Definition: core_configuration.h:82
grpc_core::Rbac::Principal::MakeAndPrincipal
static Principal MakeAndPrincipal(std::vector< std::unique_ptr< Principal >> principals)
Definition: rbac_policy.cc:255
gen_stats_data.c_str
def c_str(s, encoding='ascii')
Definition: gen_stats_data.py:38
grpc_core::RbacServiceConfigParser::Register
static void Register(CoreConfiguration::Builder *builder)
Definition: rbac_service_config_parser.cc:607
Json
JSON (JavaScript Object Notation).
Definition: third_party/bloaty/third_party/protobuf/conformance/third_party/jsoncpp/json.h:227
GRPC_ARG_PARSE_RBAC_METHOD_CONFIG
#define GRPC_ARG_PARSE_RBAC_METHOD_CONFIG
Definition: rbac_service_config_parser.h:43
json_util.h
matchers.h
grpc_core::StringMatcher::Type
Type
Definition: matchers/matchers.h:34
grpc_core::ServiceConfigParser::GetParserIndex
size_t GetParserIndex(absl::string_view name) const
Definition: lib/service_config/service_config_parser.cc:92
stdint.h
grpc_core::HeaderMatcher::Type::kPrefix
@ kPrefix
GRPC_ERROR_CREATE_FROM_STATIC_STRING
#define GRPC_ERROR_CREATE_FROM_STATIC_STRING(desc)
Definition: error.h:291
grpc_core::ExtractJsonType
bool ExtractJsonType(const Json &json, absl::string_view field_name, NumericType *output, std::vector< grpc_error_handle > *error_list)
Definition: src/core/lib/json/json_util.h:99
tests.unit._exit_scenarios.port
port
Definition: _exit_scenarios.py:179
grpc_core::Json::Object
std::map< std::string, Json > Object
Definition: src/core/lib/json/json.h:54
absl_status_to_grpc_error
grpc_error_handle absl_status_to_grpc_error(absl::Status status)
Definition: error_utils.cc:167
client.action
action
Definition: examples/python/xds/client.py:49
grpc_core::Rbac::Principal::MakeAuthenticatedPrincipal
static Principal MakeAuthenticatedPrincipal(absl::optional< StringMatcher > string_matcher)
Definition: rbac_policy.cc:285
grpc_core::HeaderMatcher::Type::kSafeRegex
@ kSafeRegex
grpc_core::Rbac::Permission::MakeOrPermission
static Permission MakeOrPermission(std::vector< std::unique_ptr< Permission >> permissions)
Definition: rbac_policy.cc:91
grpc_core::HeaderMatcher::Create
static absl::StatusOr< HeaderMatcher > Create(absl::string_view name, Type type, absl::string_view matcher, int64_t range_start=0, int64_t range_end=0, bool present_match=false, bool invert_match=false)
Definition: matchers/matchers.cc:157
grpc_core::Rbac::Principal::MakeRemoteIpPrincipal
static Principal MakeRemoteIpPrincipal(CidrRange ip)
Definition: rbac_policy.cc:307
grpc_core::Rbac::Permission::MakeReqServerNamePermission
static Permission MakeReqServerNamePermission(StringMatcher string_matcher)
Definition: rbac_policy.cc:150
grpc_core::Rbac::Principal::MakeSourceIpPrincipal
static Principal MakeSourceIpPrincipal(CidrRange ip)
Definition: rbac_policy.cc:293
GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING
#define GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING(desc, error_list)
Definition: error.h:317
grpc_core::StringMatcher::Type::kExact
@ kExact
grpc_core::StringMatcher::Type::kSafeRegex
@ kSafeRegex
channel_args.h
grpc_core::Rbac::Permission::MakeDestIpPermission
static Permission MakeDestIpPermission(CidrRange ip)
Definition: rbac_policy.cc:129
grpc_core::Rbac::Principal::MakeMetadataPrincipal
static Principal MakeMetadataPrincipal(bool invert)
Definition: rbac_policy.cc:330
grpc_core::HeaderMatcher::Type::kRange
@ kRange
absl::StatusOr
Definition: abseil-cpp/absl/status/statusor.h:187
asyncio_get_stats.type
type
Definition: asyncio_get_stats.py:37
grpc_core::Rbac::Principal::MakeDirectRemoteIpPrincipal
static Principal MakeDirectRemoteIpPrincipal(CidrRange ip)
Definition: rbac_policy.cc:300
grpc_core::StringMatcher::Type::kContains
@ kContains
grpc_core::Rbac::Permission::MakeDestPortPermission
static Permission MakeDestPortPermission(int port)
Definition: rbac_policy.cc:136
grpc_core::Rbac::Principal::MakeOrPrincipal
static Principal MakeOrPrincipal(std::vector< std::unique_ptr< Principal >> principals)
Definition: rbac_policy.cc:263
grpc_error
Definition: error_internal.h:42
grpc_core::StringMatcher::Type::kPrefix
@ kPrefix
grpc_core::Rbac::Permission::MakeMetadataPermission
static Permission MakeMetadataPermission(bool invert)
Definition: rbac_policy.cc:143
grpc_core::RbacServiceConfigParser::parser_name
static absl::string_view parser_name()
Definition: rbac_service_config_parser.h:82
grpc_core::ParseJsonObjectField
bool ParseJsonObjectField(const Json::Object &object, absl::string_view field_name, T *output, std::vector< grpc_error_handle > *error_list, bool required=true)
Definition: src/core/lib/json/json_util.h:136
i
uint64_t i
Definition: abseil-cpp/absl/container/btree_benchmark.cc:230
error_utils.h
rbac_service_config_parser.h
GRPC_ERROR_IS_NONE
#define GRPC_ERROR_IS_NONE(err)
Definition: error.h:241
port_platform.h

grpc
Author(s):
autogenerated on Fri May 16 2025 02:59:59