• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_POLICY_PROVIDER_H
16 #define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_POLICY_PROVIDER_H
17 
18 #include <grpc/grpc_security.h>
19 #include <grpc/support/port_platform.h>
20 #include <grpc/support/sync.h>
21 
22 #include <functional>
23 #include <memory>
24 #include <string>
25 
26 #include "absl/base/thread_annotations.h"
27 #include "absl/status/status.h"
28 #include "absl/status/statusor.h"
29 #include "absl/strings/string_view.h"
30 #include "src/core/lib/security/authorization/authorization_engine.h"
31 #include "src/core/lib/security/authorization/authorization_policy_provider.h"
32 #include "src/core/lib/security/authorization/rbac_translator.h"
33 #include "src/core/util/ref_counted_ptr.h"
34 #include "src/core/util/sync.h"
35 #include "src/core/util/thd.h"
36 
37 namespace grpc_core {
38 
39 // Provider class will get gRPC Authorization policy from string during
40 // initialization. This policy will be translated to Envoy RBAC policies and
41 // used to initialize allow and deny AuthorizationEngine objects. This provider
42 // will return the same authorization engines everytime.
43 class StaticDataAuthorizationPolicyProvider
44     : public grpc_authorization_policy_provider {
45  public:
46   static absl::StatusOr<RefCountedPtr<grpc_authorization_policy_provider>>
47   Create(absl::string_view authz_policy);
48 
49   // Use factory method "Create" to create an instance of
50   // StaticDataAuthorizationPolicyProvider.
51   explicit StaticDataAuthorizationPolicyProvider(RbacPolicies policies);
52 
engines()53   AuthorizationEngines engines() override {
54     return {allow_engine_, deny_engine_};
55   }
56 
Orphaned()57   void Orphaned() override {}
58 
59  private:
60   RefCountedPtr<AuthorizationEngine> allow_engine_;
61   RefCountedPtr<AuthorizationEngine> deny_engine_;
62 };
63 
64 // Provider class will get gRPC Authorization policy from provided file path.
65 // This policy will be translated to Envoy RBAC policies and used to initialize
66 // allow and deny AuthorizationEngine objects. This provider will periodically
67 // load file contents in specified path, and upon modification update the engine
68 // instances with new policy configuration. During reload if the file contents
69 // are invalid or there are I/O errors, we will skip that particular update and
70 // log error status. The authorization decisions will be made using the latest
71 // valid policy.
72 class FileWatcherAuthorizationPolicyProvider
73     : public grpc_authorization_policy_provider {
74  public:
75   static absl::StatusOr<RefCountedPtr<grpc_authorization_policy_provider>>
76   Create(absl::string_view authz_policy_path,
77          unsigned int refresh_interval_sec);
78 
79   // Use factory method "Create" to create an instance of
80   // FileWatcherAuthorizationPolicyProvider.
81   FileWatcherAuthorizationPolicyProvider(absl::string_view authz_policy_path,
82                                          unsigned int refresh_interval_sec,
83                                          absl::Status* status);
84 
85   void SetCallbackForTesting(
86       std::function<void(bool contents_changed, absl::Status Status)> cb);
87 
88   void Orphaned() override;
89 
engines()90   AuthorizationEngines engines() override {
91     MutexLock lock(&mu_);
92     return {allow_engine_, deny_engine_};
93   }
94 
95  private:
96   // Force an update from the file system regardless of the interval.
97   absl::Status ForceUpdate();
98 
99   std::string authz_policy_path_;
100   std::string file_contents_;
101   unsigned int refresh_interval_sec_;
102 
103   std::unique_ptr<Thread> refresh_thread_;
104   gpr_event shutdown_event_;
105 
106   Mutex mu_;
107   // Callback is executed on every reload. This is useful for testing purpose.
108   std::function<void(bool contents_changed, absl::Status status)> cb_
109       ABSL_GUARDED_BY(mu_) = nullptr;
110   // Engines created using authz_policy_.
111   RefCountedPtr<AuthorizationEngine> allow_engine_ ABSL_GUARDED_BY(mu_);
112   RefCountedPtr<AuthorizationEngine> deny_engine_ ABSL_GUARDED_BY(mu_);
113 };
114 
115 }  // namespace grpc_core
116 
117 #endif  // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_POLICY_PROVIDER_H
118