1 // Copyright 2021 gRPC authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H 16 #define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H 17 18 #include <grpc/support/port_platform.h> 19 20 #include <stdint.h> 21 22 #include <map> 23 #include <memory> 24 #include <string> 25 #include <vector> 26 27 #include "absl/types/optional.h" 28 29 #include <grpc/grpc_audit_logging.h> 30 31 #include "src/core/lib/matchers/matchers.h" 32 33 namespace grpc_core { 34 35 // Represents Envoy RBAC Proto. [See 36 // https://github.com/envoyproxy/envoy/blob/release/v1.26/api/envoy/config/rbac/v3/rbac.proto] 37 struct Rbac { 38 enum class Action { 39 kAllow, 40 kDeny, 41 }; 42 43 enum class AuditCondition { 44 kNone, 45 kOnDeny, 46 kOnAllow, 47 kOnDenyAndAllow, 48 }; 49 50 struct CidrRange { 51 CidrRange() = default; 52 CidrRange(std::string address_prefix, uint32_t prefix_len); 53 54 CidrRange(CidrRange&& other) noexcept; 55 CidrRange& operator=(CidrRange&& other) noexcept; 56 57 std::string ToString() const; 58 59 std::string address_prefix; 60 uint32_t prefix_len; 61 }; 62 63 // TODO(ashithasantosh): Support for destination_port_range. 64 struct Permission { 65 enum class RuleType { 66 kAnd, 67 kOr, 68 kNot, 69 kAny, 70 kHeader, 71 kPath, 72 kDestIp, 73 kDestPort, 74 kMetadata, 75 kReqServerName, 76 }; 77 78 static Permission MakeAndPermission( 79 std::vector<std::unique_ptr<Permission>> permissions); 80 static Permission MakeOrPermission( 81 std::vector<std::unique_ptr<Permission>> permissions); 82 static Permission MakeNotPermission(Permission permission); 83 static Permission MakeAnyPermission(); 84 static Permission MakeHeaderPermission(HeaderMatcher header_matcher); 85 static Permission MakePathPermission(StringMatcher string_matcher); 86 static Permission MakeDestIpPermission(CidrRange ip); 87 static Permission MakeDestPortPermission(int port); 88 // All the other fields in MetadataMatcher are ignored except invert. 89 static Permission MakeMetadataPermission(bool invert); 90 static Permission MakeReqServerNamePermission(StringMatcher string_matcher); 91 92 Permission() = default; 93 94 Permission(Permission&& other) noexcept; 95 Permission& operator=(Permission&& other) noexcept; 96 97 std::string ToString() const; 98 99 RuleType type = RuleType::kAnd; 100 HeaderMatcher header_matcher; 101 StringMatcher string_matcher; 102 CidrRange ip; 103 int port; 104 // For type kAnd/kOr/kNot. For kNot type, the vector will have only one 105 // element. 106 std::vector<std::unique_ptr<Permission>> permissions; 107 // For kMetadata 108 bool invert = false; 109 }; 110 111 struct Principal { 112 enum class RuleType { 113 kAnd, 114 kOr, 115 kNot, 116 kAny, 117 kPrincipalName, 118 kSourceIp, 119 kDirectRemoteIp, 120 kRemoteIp, 121 kHeader, 122 kPath, 123 kMetadata, 124 }; 125 126 static Principal MakeAndPrincipal( 127 std::vector<std::unique_ptr<Principal>> principals); 128 static Principal MakeOrPrincipal( 129 std::vector<std::unique_ptr<Principal>> principals); 130 static Principal MakeNotPrincipal(Principal principal); 131 static Principal MakeAnyPrincipal(); 132 static Principal MakeAuthenticatedPrincipal( 133 absl::optional<StringMatcher> string_matcher); 134 static Principal MakeSourceIpPrincipal(CidrRange ip); 135 static Principal MakeDirectRemoteIpPrincipal(CidrRange ip); 136 static Principal MakeRemoteIpPrincipal(CidrRange ip); 137 static Principal MakeHeaderPrincipal(HeaderMatcher header_matcher); 138 static Principal MakePathPrincipal(StringMatcher string_matcher); 139 // All the other fields in MetadataMatcher are ignored except invert. 140 static Principal MakeMetadataPrincipal(bool invert); 141 142 Principal() = default; 143 144 Principal(Principal&& other) noexcept; 145 Principal& operator=(Principal&& other) noexcept; 146 147 std::string ToString() const; 148 149 RuleType type = RuleType::kAnd; 150 HeaderMatcher header_matcher; 151 absl::optional<StringMatcher> string_matcher; 152 CidrRange ip; 153 // For type kAnd/kOr/kNot. For kNot type, the vector will have only one 154 // element. 155 std::vector<std::unique_ptr<Principal>> principals; 156 // For kMetadata 157 bool invert = false; 158 }; 159 160 struct Policy { 161 Policy() = default; 162 Policy(Permission permissions, Principal principals); 163 164 Policy(Policy&& other) noexcept; 165 Policy& operator=(Policy&& other) noexcept; 166 167 std::string ToString() const; 168 169 Permission permissions; 170 Principal principals; 171 }; 172 173 Rbac() = default; 174 Rbac(std::string name, Rbac::Action action, 175 std::map<std::string, Policy> policies); 176 177 Rbac(Rbac&& other) noexcept; 178 Rbac& operator=(Rbac&& other) noexcept; 179 180 std::string ToString() const; 181 182 // The authorization policy name or the HTTP RBAC filter name. 183 std::string name; 184 185 Action action; 186 std::map<std::string, Policy> policies; 187 188 AuditCondition audit_condition; 189 std::vector<std::unique_ptr<experimental::AuditLoggerFactory::Config>> 190 logger_configs; 191 }; 192 193 } // namespace grpc_core 194 195 #endif // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H 196