1 2 // Copyright 2020 gRPC authors. 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 16 #ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_AUTHORIZATION_ENGINE_H 17 #define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_AUTHORIZATION_ENGINE_H 18 19 #include <grpc/support/port_platform.h> 20 21 #include <grpc/support/log.h> 22 #include <map> 23 #include <memory> 24 #include <string> 25 #include <vector> 26 27 #include "absl/container/flat_hash_set.h" 28 #include "envoy/config/rbac/v3/rbac.upb.h" 29 #include "google/api/expr/v1alpha1/syntax.upb.h" 30 #include "upb/upb.hpp" 31 32 #include "src/core/lib/security/authorization/evaluate_args.h" 33 #include "src/core/lib/security/authorization/mock_cel/activation.h" 34 35 namespace grpc_core { 36 37 // AuthorizationEngine makes an AuthorizationDecision to ALLOW or DENY the 38 // current action based on the condition fields in provided RBAC policies. 39 // The engine may be constructed with one or two policies. If two polcies, 40 // the first policy is deny-if-matched and the second is allow-if-matched. 41 // The engine returns UNDECIDED decision if it fails to find a match in any 42 // policy. This engine ignores the principal and permission fields in RBAC 43 // policies. It is the caller's responsibility to provide RBAC policies that 44 // are compatible with this engine. 45 // 46 // Example: 47 // AuthorizationEngine* 48 // auth_engine = AuthorizationEngine::CreateAuthorizationEngine(rbac_policies); 49 // auth_engine->Evaluate(evaluate_args); // returns authorization decision. 50 class AuthorizationEngine { 51 public: 52 // rbac_policies must be a vector containing either a single policy of any 53 // kind, or one deny policy and one allow policy, in that order. 54 static std::unique_ptr<AuthorizationEngine> CreateAuthorizationEngine( 55 const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies); 56 57 // Users should use the CreateAuthorizationEngine factory function 58 // instead of calling the AuthorizationEngine constructor directly. 59 explicit AuthorizationEngine( 60 const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies); 61 // TODO(mywang@google.com): add an Evaluate member function. 62 63 private: 64 enum Action { 65 kAllow, 66 kDeny, 67 }; 68 69 std::unique_ptr<mock_cel::Activation> CreateActivation( 70 const EvaluateArgs& args); 71 72 std::map<const std::string, const google_api_expr_v1alpha1_Expr*> 73 deny_if_matched_; 74 std::map<const std::string, const google_api_expr_v1alpha1_Expr*> 75 allow_if_matched_; 76 upb::Arena arena_; 77 absl::flat_hash_set<std::string> envoy_attributes_; 78 absl::flat_hash_set<std::string> header_keys_; 79 std::unique_ptr<mock_cel::CelMap> headers_; 80 }; 81 82 } // namespace grpc_core 83 84 #endif /* GRPC_CORE_LIB_SECURITY_AUTHORIZATION_AUTHORIZATION_ENGINE_H */ 85