1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_ENGINE_H
16 #define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_ENGINE_H
17 
#include <grpc/support/port_platform.h>

#include <memory>
#include <string>
#include <vector>

#include "src/core/lib/security/authorization/authorization_engine.h"
#include "src/core/lib/security/authorization/matchers.h"
#include "src/core/lib/security/authorization/rbac_policy.h"
23 
24 namespace grpc_core {
25 
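// GrpcAuthorizationEngine can be either an Allow engine or a Deny engine. It
// makes an authorization decision (Allow or Deny) for an incoming RPC request
// by matching the request against the permission and principal configs of the
// policies in the provided RBAC policy, according to the engine type
// (Rbac::Action).
//
// This engine ignores the condition field of the RBAC config. A policy whose
// rules rely on conditions is therefore evaluated as if those conditions were
// absent, which for an Allow engine can grant access more broadly than the
// policy author intended. It is the caller's responsibility to hand this
// engine only RBAC policies that are compatible with it (e.g. policies whose
// conditions were rejected or handled upstream).
//
// Evaluate() is const and the engine declares no mutable members, so, as far
// as this header shows, concurrent Evaluate() calls on a fully constructed
// engine only read shared data; the matcher implementations live in the .cc
// and are not visible here.
class GrpcAuthorizationEngine : public AuthorizationEngine {
 public:
  // Builds a GrpcAuthorizationEngine of the given type without any policies.
  // NOTE(review): with no policies nothing can match; what Evaluate() then
  // returns for an Allow vs. Deny engine is defined in the .cc, not here.
  explicit GrpcAuthorizationEngine(Rbac::Action action) : action_(action) {}
  // Builds a GrpcAuthorizationEngine from an allow/deny RBAC policy. Takes the
  // policy by value (sink). Per-policy matchers are built from the policy's
  // permission and principal configs; conditions are ignored (see above).
  explicit GrpcAuthorizationEngine(Rbac policy);

  // Evaluates the incoming request (described by |args|) against the RBAC
  // policy and returns the decision whether to allow or deny it.
  Decision Evaluate(const EvaluateArgs& args) const override;

 private:
  // One named RBAC policy compiled into a matcher over its permission and
  // principal configs.
  struct Policy {
    std::string name;
    std::unique_ptr<AuthorizationMatcher> matcher;
  };

  // Whether this is an Allow or a Deny engine.
  Rbac::Action action_;
  // Compiled policies consulted by Evaluate().
  std::vector<Policy> policies_;
};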
52 
53 }  // namespace grpc_core
54 
55 #endif  // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_ENGINE_H
56