1 // Copyright 2020 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <grpc/support/port_platform.h>
16
17 #include "absl/memory/memory.h"
18
19 #include "src/core/lib/security/authorization/cel_authorization_engine.h"
20
21 namespace grpc_core {
22
23 namespace {
24
25 // Symbols for traversing Envoy Attributes
26 constexpr char kUrlPath[] = "url_path";
27 constexpr char kHost[] = "host";
28 constexpr char kMethod[] = "method";
29 constexpr char kHeaders[] = "headers";
30 constexpr char kSourceAddress[] = "source_address";
31 constexpr char kSourcePort[] = "source_port";
32 constexpr char kDestinationAddress[] = "destination_address";
33 constexpr char kDestinationPort[] = "destination_port";
34 constexpr char kSpiffeId[] = "spiffe_id";
35 constexpr char kCertServerName[] = "cert_server_name";
36
37 } // namespace
38
39 std::unique_ptr<CelAuthorizationEngine>
CreateCelAuthorizationEngine(const std::vector<envoy_config_rbac_v3_RBAC * > & rbac_policies)40 CelAuthorizationEngine::CreateCelAuthorizationEngine(
41 const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies) {
42 if (rbac_policies.empty() || rbac_policies.size() > 2) {
43 gpr_log(GPR_ERROR,
44 "Invalid rbac policies vector. Must contain either one or two rbac "
45 "policies.");
46 return nullptr;
47 } else if (rbac_policies.size() == 2 &&
48 (envoy_config_rbac_v3_RBAC_action(rbac_policies[0]) != kDeny ||
49 envoy_config_rbac_v3_RBAC_action(rbac_policies[1]) != kAllow)) {
50 gpr_log(GPR_ERROR,
51 "Invalid rbac policies vector. Must contain one deny \
52 policy and one allow policy, in that order.");
53 return nullptr;
54 } else {
55 return absl::make_unique<CelAuthorizationEngine>(rbac_policies);
56 }
57 }
58
CelAuthorizationEngine(const std::vector<envoy_config_rbac_v3_RBAC * > & rbac_policies)59 CelAuthorizationEngine::CelAuthorizationEngine(
60 const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies) {
61 for (const auto& rbac_policy : rbac_policies) {
62 // Extract array of policies and store their condition fields in either
63 // allow_if_matched_ or deny_if_matched_, depending on the policy action.
64 upb::Arena temp_arena;
65 size_t policy_num = UPB_MAP_BEGIN;
66 const envoy_config_rbac_v3_RBAC_PoliciesEntry* policy_entry;
67 while ((policy_entry = envoy_config_rbac_v3_RBAC_policies_next(
68 rbac_policy, &policy_num)) != nullptr) {
69 const upb_strview policy_name_strview =
70 envoy_config_rbac_v3_RBAC_PoliciesEntry_key(policy_entry);
71 const std::string policy_name(policy_name_strview.data,
72 policy_name_strview.size);
73 const envoy_config_rbac_v3_Policy* policy =
74 envoy_config_rbac_v3_RBAC_PoliciesEntry_value(policy_entry);
75 const google_api_expr_v1alpha1_Expr* condition =
76 envoy_config_rbac_v3_Policy_condition(policy);
77 // Parse condition to make a pointer tied to the lifetime of arena_.
78 size_t serial_len;
79 const char* serialized = google_api_expr_v1alpha1_Expr_serialize(
80 condition, temp_arena.ptr(), &serial_len);
81 const google_api_expr_v1alpha1_Expr* parsed_condition =
82 google_api_expr_v1alpha1_Expr_parse(serialized, serial_len,
83 arena_.ptr());
84 if (envoy_config_rbac_v3_RBAC_action(rbac_policy) == kAllow) {
85 allow_if_matched_.insert(std::make_pair(policy_name, parsed_condition));
86 } else {
87 deny_if_matched_.insert(std::make_pair(policy_name, parsed_condition));
88 }
89 }
90 }
91 }
92
CreateActivation(const EvaluateArgs & args)93 std::unique_ptr<mock_cel::Activation> CelAuthorizationEngine::CreateActivation(
94 const EvaluateArgs& args) {
95 std::unique_ptr<mock_cel::Activation> activation;
96 for (const auto& elem : envoy_attributes_) {
97 if (elem == kUrlPath) {
98 absl::string_view url_path(args.GetPath());
99 if (!url_path.empty()) {
100 activation->InsertValue(kUrlPath,
101 mock_cel::CelValue::CreateStringView(url_path));
102 }
103 } else if (elem == kHost) {
104 absl::string_view host(args.GetHost());
105 if (!host.empty()) {
106 activation->InsertValue(kHost,
107 mock_cel::CelValue::CreateStringView(host));
108 }
109 } else if (elem == kMethod) {
110 absl::string_view method(args.GetMethod());
111 if (!method.empty()) {
112 activation->InsertValue(kMethod,
113 mock_cel::CelValue::CreateStringView(method));
114 }
115 } else if (elem == kHeaders) {
116 std::multimap<absl::string_view, absl::string_view> headers =
117 args.GetHeaders();
118 std::vector<std::pair<mock_cel::CelValue, mock_cel::CelValue>>
119 header_items;
120 for (const auto& header_key : header_keys_) {
121 auto header_item = headers.find(header_key);
122 if (header_item != headers.end()) {
123 header_items.push_back(
124 std::pair<mock_cel::CelValue, mock_cel::CelValue>(
125 mock_cel::CelValue::CreateStringView(header_key),
126 mock_cel::CelValue::CreateStringView(header_item->second)));
127 }
128 }
129 headers_ = mock_cel::ContainerBackedMapImpl::Create(
130 absl::Span<std::pair<mock_cel::CelValue, mock_cel::CelValue>>(
131 header_items));
132 activation->InsertValue(kHeaders,
133 mock_cel::CelValue::CreateMap(headers_.get()));
134 } else if (elem == kSourceAddress) {
135 absl::string_view source_address(args.GetPeerAddress());
136 if (!source_address.empty()) {
137 activation->InsertValue(
138 kSourceAddress,
139 mock_cel::CelValue::CreateStringView(source_address));
140 }
141 } else if (elem == kSourcePort) {
142 activation->InsertValue(
143 kSourcePort, mock_cel::CelValue::CreateInt64(args.GetPeerPort()));
144 } else if (elem == kDestinationAddress) {
145 absl::string_view destination_address(args.GetLocalAddress());
146 if (!destination_address.empty()) {
147 activation->InsertValue(
148 kDestinationAddress,
149 mock_cel::CelValue::CreateStringView(destination_address));
150 }
151 } else if (elem == kDestinationPort) {
152 activation->InsertValue(kDestinationPort, mock_cel::CelValue::CreateInt64(
153 args.GetLocalPort()));
154 } else if (elem == kSpiffeId) {
155 absl::string_view spiffe_id(args.GetSpiffeId());
156 if (!spiffe_id.empty()) {
157 activation->InsertValue(
158 kSpiffeId, mock_cel::CelValue::CreateStringView(spiffe_id));
159 }
160 } else if (elem == kCertServerName) {
161 absl::string_view cert_server_name(args.GetCommonName());
162 if (!cert_server_name.empty()) {
163 activation->InsertValue(
164 kCertServerName,
165 mock_cel::CelValue::CreateStringView(cert_server_name));
166 }
167 } else {
168 gpr_log(GPR_ERROR,
169 "Error: Authorization engine does not support evaluating "
170 "attribute %s.",
171 elem.c_str());
172 }
173 }
174 return activation;
175 }
176
177 } // namespace grpc_core
178