• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H
16 #define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H
17 
18 #include <grpc/support/port_platform.h>
19 
20 #include <memory>
21 
22 #include "src/core/lib/matchers/matchers.h"
23 
24 namespace grpc_core {
25 
26 // Represents Envoy RBAC Proto. [See
27 // https://github.com/envoyproxy/envoy/blob/release/v1.17/api/envoy/config/rbac/v3/rbac.proto]
28 struct Rbac {
29   enum class Action {
30     kAllow,
31     kDeny,
32   };
33 
34   struct CidrRange {
35     CidrRange() = default;
36     CidrRange(std::string address_prefix, uint32_t prefix_len);
37 
38     CidrRange(CidrRange&& other) noexcept;
39     CidrRange& operator=(CidrRange&& other) noexcept;
40 
41     std::string ToString() const;
42 
43     std::string address_prefix;
44     uint32_t prefix_len;
45   };
46 
47   // TODO(ashithasantosh): Add metadata field to Permission and Principal.
48   struct Permission {
49     enum class RuleType {
50       kAnd,
51       kOr,
52       kAny,
53       kHeader,
54       kPath,
55       kDestIp,
56       kDestPort,
57       kReqServerName,
58     };
59 
60     Permission() = default;
61     // For AND/OR RuleType.
62     Permission(Permission::RuleType type,
63                std::vector<std::unique_ptr<Permission>> permissions,
64                bool not_rule = false);
65     // For ANY RuleType.
66     explicit Permission(Permission::RuleType type, bool not_rule = false);
67     // For HEADER RuleType.
68     Permission(Permission::RuleType type, HeaderMatcher header_matcher,
69                bool not_rule = false);
70     // For PATH/REQ_SERVER_NAME RuleType.
71     Permission(Permission::RuleType type, StringMatcher string_matcher,
72                bool not_rule = false);
73     // For DEST_IP RuleType.
74     Permission(Permission::RuleType type, CidrRange ip, bool not_rule = false);
75     // For DEST_PORT RuleType.
76     Permission(Permission::RuleType type, int port, bool not_rule = false);
77 
78     Permission(Permission&& other) noexcept;
79     Permission& operator=(Permission&& other) noexcept;
80 
81     std::string ToString() const;
82 
83     RuleType type;
84     HeaderMatcher header_matcher;
85     StringMatcher string_matcher;
86     CidrRange ip;
87     int port;
88     // For type AND/OR.
89     std::vector<std::unique_ptr<Permission>> permissions;
90     bool not_rule = false;
91   };
92 
93   struct Principal {
94     enum class RuleType {
95       kAnd,
96       kOr,
97       kAny,
98       kPrincipalName,
99       kSourceIp,
100       kDirectRemoteIp,
101       kRemoteIp,
102       kHeader,
103       kPath,
104     };
105 
106     Principal() = default;
107     // For AND/OR RuleType.
108     Principal(Principal::RuleType type,
109               std::vector<std::unique_ptr<Principal>> principals,
110               bool not_rule = false);
111     // For ANY RuleType.
112     explicit Principal(Principal::RuleType type, bool not_rule = false);
113     // For PRINCIPAL_NAME/PATH RuleType.
114     Principal(Principal::RuleType type, StringMatcher string_matcher,
115               bool not_rule = false);
116     // For SOURCE_IP/DIRECT_REMOTE_IP/REMOTE_IP RuleType.
117     Principal(Principal::RuleType type, CidrRange ip, bool not_rule = false);
118     // For HEADER RuleType.
119     Principal(Principal::RuleType type, HeaderMatcher header_matcher,
120               bool not_rule = false);
121 
122     Principal(Principal&& other) noexcept;
123     Principal& operator=(Principal&& other) noexcept;
124 
125     std::string ToString() const;
126 
127     RuleType type;
128     HeaderMatcher header_matcher;
129     StringMatcher string_matcher;
130     CidrRange ip;
131     // For type AND/OR.
132     std::vector<std::unique_ptr<Principal>> principals;
133     bool not_rule = false;
134   };
135 
136   struct Policy {
137     Policy() = default;
138     Policy(Permission permissions, Principal principals);
139 
140     Policy(Policy&& other) noexcept;
141     Policy& operator=(Policy&& other) noexcept;
142 
143     std::string ToString() const;
144 
145     Permission permissions;
146     Principal principals;
147   };
148 
149   Rbac() = default;
150   Rbac(Rbac::Action action, std::map<std::string, Policy> policies);
151 
152   Rbac(Rbac&& other) noexcept;
153   Rbac& operator=(Rbac&& other) noexcept;
154 
155   std::string ToString() const;
156 
157   Action action;
158   std::map<std::string, Policy> policies;
159 };
160 
161 }  // namespace grpc_core
162 
163 #endif /* GRPC_CORE_LIB_SECURITY_AUTHORIZATION_RBAC_POLICY_H */
164