1 // Copyright 2021 gRPC authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_MATCHERS_H 16 #define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_MATCHERS_H 17 18 #include <grpc/support/port_platform.h> 19 #include <stdint.h> 20 21 #include <memory> 22 #include <utility> 23 #include <vector> 24 25 #include "absl/types/optional.h" 26 #include "src/core/lib/iomgr/resolved_address.h" 27 #include "src/core/lib/security/authorization/evaluate_args.h" 28 #include "src/core/lib/security/authorization/rbac_policy.h" 29 #include "src/core/util/matchers.h" 30 31 namespace grpc_core { 32 33 // Describes the rules for matching permission or principal. 34 class AuthorizationMatcher { 35 public: 36 virtual ~AuthorizationMatcher() = default; 37 38 // Returns whether or not the permission/principal matches the rules of the 39 // matcher. 40 virtual bool Matches(const EvaluateArgs& args) const = 0; 41 42 // Creates an instance of a matcher based off the rules defined in Permission 43 // config. 44 static std::unique_ptr<AuthorizationMatcher> Create( 45 Rbac::Permission permission); 46 47 // Creates an instance of a matcher based off the rules defined in Principal 48 // config. 49 static std::unique_ptr<AuthorizationMatcher> Create( 50 Rbac::Principal principal); 51 }; 52 53 class AlwaysAuthorizationMatcher : public AuthorizationMatcher { 54 public: 55 explicit AlwaysAuthorizationMatcher() = default; 56 Matches(const EvaluateArgs &)57 bool Matches(const EvaluateArgs&) const override { return true; } 58 }; 59 60 class AndAuthorizationMatcher : public AuthorizationMatcher { 61 public: AndAuthorizationMatcher(std::vector<std::unique_ptr<AuthorizationMatcher>> matchers)62 explicit AndAuthorizationMatcher( 63 std::vector<std::unique_ptr<AuthorizationMatcher>> matchers) 64 : matchers_(std::move(matchers)) {} 65 66 bool Matches(const EvaluateArgs& args) const override; 67 68 private: 69 std::vector<std::unique_ptr<AuthorizationMatcher>> matchers_; 70 }; 71 72 class OrAuthorizationMatcher : public AuthorizationMatcher { 73 public: OrAuthorizationMatcher(std::vector<std::unique_ptr<AuthorizationMatcher>> matchers)74 explicit OrAuthorizationMatcher( 75 std::vector<std::unique_ptr<AuthorizationMatcher>> matchers) 76 : matchers_(std::move(matchers)) {} 77 78 bool Matches(const EvaluateArgs& args) const override; 79 80 private: 81 std::vector<std::unique_ptr<AuthorizationMatcher>> matchers_; 82 }; 83 84 // Negates matching the provided permission/principal. 85 class NotAuthorizationMatcher : public AuthorizationMatcher { 86 public: NotAuthorizationMatcher(std::unique_ptr<AuthorizationMatcher> matcher)87 explicit NotAuthorizationMatcher( 88 std::unique_ptr<AuthorizationMatcher> matcher) 89 : matcher_(std::move(matcher)) {} 90 91 bool Matches(const EvaluateArgs& args) const override; 92 93 private: 94 std::unique_ptr<AuthorizationMatcher> matcher_; 95 }; 96 97 class MetadataAuthorizationMatcher : public AuthorizationMatcher { 98 public: MetadataAuthorizationMatcher(bool invert)99 explicit MetadataAuthorizationMatcher(bool invert) : invert_(invert) {} 100 101 // In RBAC, metadata refers to the Envoy metadata which has no relation to 102 // gRPC metadata. Envoy metadata is a generic state shared between filters, 103 // which has no gRPC equivalent. RBAC implementations in gRPC will treat Envoy 104 // metadata as an empty map. Since ValueMatcher can only match if a value is 105 // present (even NullMatch), the metadata matcher will not match unless invert 106 // is set to true. Matches(const EvaluateArgs &)107 bool Matches(const EvaluateArgs&) const override { return invert_; } 108 109 private: 110 const bool invert_; 111 }; 112 113 // Perform a match against HTTP headers. 114 class HeaderAuthorizationMatcher : public AuthorizationMatcher { 115 public: HeaderAuthorizationMatcher(HeaderMatcher matcher)116 explicit HeaderAuthorizationMatcher(HeaderMatcher matcher) 117 : matcher_(std::move(matcher)) {} 118 119 bool Matches(const EvaluateArgs& args) const override; 120 121 private: 122 const HeaderMatcher matcher_; 123 }; 124 125 // Perform a match against IP Cidr Range. 126 class IpAuthorizationMatcher : public AuthorizationMatcher { 127 public: 128 enum class Type { 129 kDestIp, 130 kSourceIp, 131 kDirectRemoteIp, 132 kRemoteIp, 133 }; 134 135 IpAuthorizationMatcher(Type type, Rbac::CidrRange range); 136 137 bool Matches(const EvaluateArgs& args) const override; 138 139 private: 140 const Type type_; 141 // Subnet masked address. 142 grpc_resolved_address subnet_address_; 143 const uint32_t prefix_len_; 144 }; 145 146 // Perform a match against port number of the destination (local) address. 147 class PortAuthorizationMatcher : public AuthorizationMatcher { 148 public: PortAuthorizationMatcher(int port)149 explicit PortAuthorizationMatcher(int port) : port_(port) {} 150 151 bool Matches(const EvaluateArgs& args) const override; 152 153 private: 154 const int port_; 155 }; 156 157 // Matches the principal name as described in the peer certificate. Uses URI SAN 158 // or DNS SAN in that order, otherwise uses subject field. 159 class AuthenticatedAuthorizationMatcher : public AuthorizationMatcher { 160 public: AuthenticatedAuthorizationMatcher(absl::optional<StringMatcher> auth)161 explicit AuthenticatedAuthorizationMatcher(absl::optional<StringMatcher> auth) 162 : matcher_(std::move(auth)) {} 163 164 bool Matches(const EvaluateArgs& args) const override; 165 166 private: 167 const absl::optional<StringMatcher> matcher_; 168 }; 169 170 // Perform a match against the request server from the client's connection 171 // request. This is typically TLS SNI. Currently unsupported. 172 class ReqServerNameAuthorizationMatcher : public AuthorizationMatcher { 173 public: ReqServerNameAuthorizationMatcher(StringMatcher requested_server_name)174 explicit ReqServerNameAuthorizationMatcher( 175 StringMatcher requested_server_name) 176 : matcher_(std::move(requested_server_name)) {} 177 178 bool Matches(const EvaluateArgs&) const override; 179 180 private: 181 const StringMatcher matcher_; 182 }; 183 184 // Perform a match against the path header of HTTP request. 185 class PathAuthorizationMatcher : public AuthorizationMatcher { 186 public: PathAuthorizationMatcher(StringMatcher path)187 explicit PathAuthorizationMatcher(StringMatcher path) 188 : matcher_(std::move(path)) {} 189 190 bool Matches(const EvaluateArgs& args) const override; 191 192 private: 193 const StringMatcher matcher_; 194 }; 195 196 // Performs a match for policy field in RBAC, which is a collection of 197 // permission and principal matchers. Policy matches iff, we find a match in one 198 // of its permissions and a match in one of its principals. 199 class PolicyAuthorizationMatcher : public AuthorizationMatcher { 200 public: PolicyAuthorizationMatcher(Rbac::Policy policy)201 explicit PolicyAuthorizationMatcher(Rbac::Policy policy) 202 : permissions_( 203 AuthorizationMatcher::Create(std::move(policy.permissions))), 204 principals_( 205 AuthorizationMatcher::Create(std::move(policy.principals))) {} 206 207 bool Matches(const EvaluateArgs& args) const override; 208 209 private: 210 std::unique_ptr<AuthorizationMatcher> permissions_; 211 std::unique_ptr<AuthorizationMatcher> principals_; 212 }; 213 214 } // namespace grpc_core 215 216 #endif // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_MATCHERS_H 217