1 // Copyright 2020 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "src/core/lib/security/authorization/cel_authorization_engine.h"
16
17 #include <grpc/support/port_platform.h>
18 #include <stddef.h>
19
20 #include <algorithm>
21 #include <utility>
22
23 #include "absl/log/log.h"
24 #include "absl/strings/string_view.h"
25 #include "absl/types/optional.h"
26 #include "absl/types/span.h"
27 #include "upb/base/string_view.h"
28 #include "upb/message/map.h"
29
30 namespace grpc_core {
31
32 namespace {
33
34 // Symbols for traversing Envoy Attributes
35 constexpr char kUrlPath[] = "url_path";
36 constexpr char kHost[] = "host";
37 constexpr char kMethod[] = "method";
38 constexpr char kHeaders[] = "headers";
39 constexpr char kSourceAddress[] = "source_address";
40 constexpr char kSourcePort[] = "source_port";
41 constexpr char kDestinationAddress[] = "destination_address";
42 constexpr char kDestinationPort[] = "destination_port";
43 constexpr char kSpiffeId[] = "spiffe_id";
44 constexpr char kCertServerName[] = "cert_server_name";
45
46 } // namespace
47
48 std::unique_ptr<CelAuthorizationEngine>
CreateCelAuthorizationEngine(const std::vector<envoy_config_rbac_v3_RBAC * > & rbac_policies)49 CelAuthorizationEngine::CreateCelAuthorizationEngine(
50 const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies) {
51 if (rbac_policies.empty() || rbac_policies.size() > 2) {
52 LOG(ERROR) << "Invalid rbac policies vector. Must contain either one or "
53 "two rbac policies.";
54 return nullptr;
55 } else if (rbac_policies.size() == 2 &&
56 (envoy_config_rbac_v3_RBAC_action(rbac_policies[0]) != kDeny ||
57 envoy_config_rbac_v3_RBAC_action(rbac_policies[1]) != kAllow)) {
58 LOG(ERROR) << "Invalid rbac policies vector. Must contain one deny policy "
59 "and one allow policy, in that order.";
60 return nullptr;
61 } else {
62 return std::make_unique<CelAuthorizationEngine>(rbac_policies);
63 }
64 }
65
CelAuthorizationEngine(const std::vector<envoy_config_rbac_v3_RBAC * > & rbac_policies)66 CelAuthorizationEngine::CelAuthorizationEngine(
67 const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies) {
68 for (const auto& rbac_policy : rbac_policies) {
69 // Extract array of policies and store their condition fields in either
70 // allow_if_matched_ or deny_if_matched_, depending on the policy action.
71 upb::Arena temp_arena;
72 size_t policy_num = kUpb_Map_Begin;
73 const envoy_config_rbac_v3_RBAC_PoliciesEntry* policy_entry;
74 while ((policy_entry = envoy_config_rbac_v3_RBAC_policies_next(
75 rbac_policy, &policy_num)) != nullptr) {
76 const upb_StringView policy_name_strview =
77 envoy_config_rbac_v3_RBAC_PoliciesEntry_key(policy_entry);
78 const std::string policy_name(policy_name_strview.data,
79 policy_name_strview.size);
80 const envoy_config_rbac_v3_Policy* policy =
81 envoy_config_rbac_v3_RBAC_PoliciesEntry_value(policy_entry);
82 const google_api_expr_v1alpha1_Expr* condition =
83 envoy_config_rbac_v3_Policy_condition(policy);
84 // Parse condition to make a pointer tied to the lifetime of arena_.
85 size_t serial_len;
86 const char* serialized = google_api_expr_v1alpha1_Expr_serialize(
87 condition, temp_arena.ptr(), &serial_len);
88 const google_api_expr_v1alpha1_Expr* parsed_condition =
89 google_api_expr_v1alpha1_Expr_parse(serialized, serial_len,
90 arena_.ptr());
91 if (envoy_config_rbac_v3_RBAC_action(rbac_policy) == kAllow) {
92 allow_if_matched_.insert(std::make_pair(policy_name, parsed_condition));
93 } else {
94 deny_if_matched_.insert(std::make_pair(policy_name, parsed_condition));
95 }
96 }
97 }
98 }
99
CreateActivation(const EvaluateArgs & args)100 std::unique_ptr<mock_cel::Activation> CelAuthorizationEngine::CreateActivation(
101 const EvaluateArgs& args) {
102 std::unique_ptr<mock_cel::Activation> activation;
103 for (const auto& elem : envoy_attributes_) {
104 if (elem == kUrlPath) {
105 absl::string_view url_path(args.GetPath());
106 if (!url_path.empty()) {
107 activation->InsertValue(kUrlPath,
108 mock_cel::CelValue::CreateStringView(url_path));
109 }
110 } else if (elem == kHost) {
111 absl::string_view host(args.GetAuthority());
112 if (!host.empty()) {
113 activation->InsertValue(kHost,
114 mock_cel::CelValue::CreateStringView(host));
115 }
116 } else if (elem == kMethod) {
117 absl::string_view method(args.GetMethod());
118 if (!method.empty()) {
119 activation->InsertValue(kMethod,
120 mock_cel::CelValue::CreateStringView(method));
121 }
122 } else if (elem == kHeaders) {
123 std::vector<std::pair<mock_cel::CelValue, mock_cel::CelValue>>
124 header_items;
125 for (const auto& header_key : header_keys_) {
126 std::string temp_value;
127 absl::optional<absl::string_view> header_value =
128 args.GetHeaderValue(header_key, &temp_value);
129 if (header_value.has_value()) {
130 header_items.push_back(
131 std::pair<mock_cel::CelValue, mock_cel::CelValue>(
132 mock_cel::CelValue::CreateStringView(header_key),
133 mock_cel::CelValue::CreateStringView(*header_value)));
134 }
135 }
136 headers_ = mock_cel::ContainerBackedMapImpl::Create(
137 absl::Span<std::pair<mock_cel::CelValue, mock_cel::CelValue>>(
138 header_items));
139 activation->InsertValue(kHeaders,
140 mock_cel::CelValue::CreateMap(headers_.get()));
141 } else if (elem == kSourceAddress) {
142 absl::string_view source_address(args.GetPeerAddressString());
143 if (!source_address.empty()) {
144 activation->InsertValue(
145 kSourceAddress,
146 mock_cel::CelValue::CreateStringView(source_address));
147 }
148 } else if (elem == kSourcePort) {
149 activation->InsertValue(
150 kSourcePort, mock_cel::CelValue::CreateInt64(args.GetPeerPort()));
151 } else if (elem == kDestinationAddress) {
152 absl::string_view destination_address(args.GetLocalAddressString());
153 if (!destination_address.empty()) {
154 activation->InsertValue(
155 kDestinationAddress,
156 mock_cel::CelValue::CreateStringView(destination_address));
157 }
158 } else if (elem == kDestinationPort) {
159 activation->InsertValue(kDestinationPort, mock_cel::CelValue::CreateInt64(
160 args.GetLocalPort()));
161 } else if (elem == kSpiffeId) {
162 absl::string_view spiffe_id(args.GetSpiffeId());
163 if (!spiffe_id.empty()) {
164 activation->InsertValue(
165 kSpiffeId, mock_cel::CelValue::CreateStringView(spiffe_id));
166 }
167 } else if (elem == kCertServerName) {
168 absl::string_view cert_server_name(args.GetCommonName());
169 if (!cert_server_name.empty()) {
170 activation->InsertValue(
171 kCertServerName,
172 mock_cel::CelValue::CreateStringView(cert_server_name));
173 }
174 } else {
175 LOG(ERROR) << "Error: Authorization engine does not support evaluating "
176 "attribute "
177 << elem;
178 }
179 }
180 return activation;
181 }
182
183 } // namespace grpc_core
184