1 // Copyright 2021 gRPC authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H 16 #define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H 17 18 #include <grpc/grpc_audit_logging.h> 19 #include <grpc/support/port_platform.h> 20 #include <stdint.h> 21 22 #include <map> 23 #include <memory> 24 #include <string> 25 #include <vector> 26 27 #include "absl/types/optional.h" 28 #include "src/core/util/matchers.h" 29 30 namespace grpc_core { 31 32 // Represents Envoy RBAC Proto. [See 33 // https://github.com/envoyproxy/envoy/blob/release/v1.26/api/envoy/config/rbac/v3/rbac.proto] 34 struct Rbac { 35 enum class Action { 36 kAllow, 37 kDeny, 38 }; 39 40 enum class AuditCondition { 41 kNone, 42 kOnDeny, 43 kOnAllow, 44 kOnDenyAndAllow, 45 }; 46 47 struct CidrRange { 48 CidrRange() = default; 49 CidrRange(std::string address_prefix, uint32_t prefix_len); 50 51 CidrRange(CidrRange&& other) noexcept; 52 CidrRange& operator=(CidrRange&& other) noexcept; 53 54 std::string ToString() const; 55 56 std::string address_prefix; 57 uint32_t prefix_len; 58 }; 59 60 // TODO(ashithasantosh): Support for destination_port_range. 61 struct Permission { 62 enum class RuleType { 63 kAnd, 64 kOr, 65 kNot, 66 kAny, 67 kHeader, 68 kPath, 69 kDestIp, 70 kDestPort, 71 kMetadata, 72 kReqServerName, 73 }; 74 75 static Permission MakeAndPermission( 76 std::vector<std::unique_ptr<Permission>> permissions); 77 static Permission MakeOrPermission( 78 std::vector<std::unique_ptr<Permission>> permissions); 79 static Permission MakeNotPermission(Permission permission); 80 static Permission MakeAnyPermission(); 81 static Permission MakeHeaderPermission(HeaderMatcher header_matcher); 82 static Permission MakePathPermission(StringMatcher string_matcher); 83 static Permission MakeDestIpPermission(CidrRange ip); 84 static Permission MakeDestPortPermission(int port); 85 // All the other fields in MetadataMatcher are ignored except invert. 86 static Permission MakeMetadataPermission(bool invert); 87 static Permission MakeReqServerNamePermission(StringMatcher string_matcher); 88 89 Permission() = default; 90 91 Permission(Permission&& other) noexcept; 92 Permission& operator=(Permission&& other) noexcept; 93 94 std::string ToString() const; 95 96 RuleType type = RuleType::kAnd; 97 HeaderMatcher header_matcher; 98 StringMatcher string_matcher; 99 CidrRange ip; 100 int port; 101 // For type kAnd/kOr/kNot. For kNot type, the vector will have only one 102 // element. 103 std::vector<std::unique_ptr<Permission>> permissions; 104 // For kMetadata 105 bool invert = false; 106 }; 107 108 struct Principal { 109 enum class RuleType { 110 kAnd, 111 kOr, 112 kNot, 113 kAny, 114 kPrincipalName, 115 kSourceIp, 116 kDirectRemoteIp, 117 kRemoteIp, 118 kHeader, 119 kPath, 120 kMetadata, 121 }; 122 123 static Principal MakeAndPrincipal( 124 std::vector<std::unique_ptr<Principal>> principals); 125 static Principal MakeOrPrincipal( 126 std::vector<std::unique_ptr<Principal>> principals); 127 static Principal MakeNotPrincipal(Principal principal); 128 static Principal MakeAnyPrincipal(); 129 static Principal MakeAuthenticatedPrincipal( 130 absl::optional<StringMatcher> string_matcher); 131 static Principal MakeSourceIpPrincipal(CidrRange ip); 132 static Principal MakeDirectRemoteIpPrincipal(CidrRange ip); 133 static Principal MakeRemoteIpPrincipal(CidrRange ip); 134 static Principal MakeHeaderPrincipal(HeaderMatcher header_matcher); 135 static Principal MakePathPrincipal(StringMatcher string_matcher); 136 // All the other fields in MetadataMatcher are ignored except invert. 137 static Principal MakeMetadataPrincipal(bool invert); 138 139 Principal() = default; 140 141 Principal(Principal&& other) noexcept; 142 Principal& operator=(Principal&& other) noexcept; 143 144 std::string ToString() const; 145 146 RuleType type = RuleType::kAnd; 147 HeaderMatcher header_matcher; 148 absl::optional<StringMatcher> string_matcher; 149 CidrRange ip; 150 // For type kAnd/kOr/kNot. For kNot type, the vector will have only one 151 // element. 152 std::vector<std::unique_ptr<Principal>> principals; 153 // For kMetadata 154 bool invert = false; 155 }; 156 157 struct Policy { 158 Policy() = default; 159 Policy(Permission permissions, Principal principals); 160 161 Policy(Policy&& other) noexcept; 162 Policy& operator=(Policy&& other) noexcept; 163 164 std::string ToString() const; 165 166 Permission permissions; 167 Principal principals; 168 }; 169 170 Rbac() = default; 171 Rbac(std::string name, Rbac::Action action, 172 std::map<std::string, Policy> policies); 173 174 Rbac(Rbac&& other) noexcept; 175 Rbac& operator=(Rbac&& other) noexcept; 176 177 std::string ToString() const; 178 179 // The authorization policy name or empty string in xDS case. 180 std::string name; 181 182 Action action; 183 std::map<std::string, Policy> policies; 184 185 AuditCondition audit_condition; 186 std::vector<std::unique_ptr<experimental::AuditLoggerFactory::Config>> 187 logger_configs; 188 }; 189 190 } // namespace grpc_core 191 192 #endif // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H 193