1 // Copyright 2020 gRPC authors.
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
7 // http://www.apache.org/licenses/LICENSE-2.0
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
15 #include <grpc/support/port_platform.h>
17 #include "src/core/lib/security/authorization/cel_authorization_engine.h"
19 #include "absl/memory/memory.h"
21 #include "src/core/lib/address_utils/sockaddr_utils.h"
27 // Symbols for traversing Envoy Attributes
28 constexpr char kUrlPath[] = "url_path";
29 constexpr char kHost[] = "host";
30 constexpr char kMethod[] = "method";
31 constexpr char kHeaders[] = "headers";
32 constexpr char kSourceAddress[] = "source_address";
33 constexpr char kSourcePort[] = "source_port";
34 constexpr char kDestinationAddress[] = "destination_address";
35 constexpr char kDestinationPort[] = "destination_port";
36 constexpr char kSpiffeId[] = "spiffe_id";
37 constexpr char kCertServerName[] = "cert_server_name";
41 std::unique_ptr<CelAuthorizationEngine>
42 CelAuthorizationEngine::CreateCelAuthorizationEngine(
43 const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies) {
44 if (rbac_policies.empty() || rbac_policies.size() > 2) {
46 "Invalid rbac policies vector. Must contain either one or two rbac "
49 } else if (rbac_policies.size() == 2 &&
50 (envoy_config_rbac_v3_RBAC_action(rbac_policies[0]) != kDeny ||
51 envoy_config_rbac_v3_RBAC_action(rbac_policies[1]) != kAllow)) {
53 "Invalid rbac policies vector. Must contain one deny \
54 policy and one allow policy, in that order.");
57 return absl::make_unique<CelAuthorizationEngine>(rbac_policies);
61 CelAuthorizationEngine::CelAuthorizationEngine(
62 const std::vector<envoy_config_rbac_v3_RBAC*>& rbac_policies) {
63 for (const auto& rbac_policy : rbac_policies) {
64 // Extract array of policies and store their condition fields in either
65 // allow_if_matched_ or deny_if_matched_, depending on the policy action.
66 upb::Arena temp_arena;
67 size_t policy_num = UPB_MAP_BEGIN;
68 const envoy_config_rbac_v3_RBAC_PoliciesEntry* policy_entry;
69 while ((policy_entry = envoy_config_rbac_v3_RBAC_policies_next(
70 rbac_policy, &policy_num)) != nullptr) {
71 const upb_strview policy_name_strview =
72 envoy_config_rbac_v3_RBAC_PoliciesEntry_key(policy_entry);
73 const std::string policy_name(policy_name_strview.data,
74 policy_name_strview.size);
75 const envoy_config_rbac_v3_Policy* policy =
76 envoy_config_rbac_v3_RBAC_PoliciesEntry_value(policy_entry);
77 const google_api_expr_v1alpha1_Expr* condition =
78 envoy_config_rbac_v3_Policy_condition(policy);
79 // Parse condition to make a pointer tied to the lifetime of arena_.
81 const char* serialized = google_api_expr_v1alpha1_Expr_serialize(
82 condition, temp_arena.ptr(), &serial_len);
83 const google_api_expr_v1alpha1_Expr* parsed_condition =
84 google_api_expr_v1alpha1_Expr_parse(serialized, serial_len,
86 if (envoy_config_rbac_v3_RBAC_action(rbac_policy) == kAllow) {
87 allow_if_matched_.insert(std::make_pair(policy_name, parsed_condition));
89 deny_if_matched_.insert(std::make_pair(policy_name, parsed_condition));
95 std::unique_ptr<mock_cel::Activation> CelAuthorizationEngine::CreateActivation(
96 const EvaluateArgs& args) {
97 std::unique_ptr<mock_cel::Activation> activation;
98 for (const auto& elem : envoy_attributes_) {
99 if (elem == kUrlPath) {
100 absl::string_view url_path(args.GetPath());
101 if (!url_path.empty()) {
102 activation->InsertValue(kUrlPath,
103 mock_cel::CelValue::CreateStringView(url_path));
105 } else if (elem == kHost) {
106 absl::string_view host(args.GetHost());
108 activation->InsertValue(kHost,
109 mock_cel::CelValue::CreateStringView(host));
111 } else if (elem == kMethod) {
112 absl::string_view method(args.GetMethod());
113 if (!method.empty()) {
114 activation->InsertValue(kMethod,
115 mock_cel::CelValue::CreateStringView(method));
117 } else if (elem == kHeaders) {
118 std::multimap<absl::string_view, absl::string_view> headers =
120 std::vector<std::pair<mock_cel::CelValue, mock_cel::CelValue>>
122 for (const auto& header_key : header_keys_) {
123 auto header_item = headers.find(header_key);
124 if (header_item != headers.end()) {
125 header_items.push_back(
126 std::pair<mock_cel::CelValue, mock_cel::CelValue>(
127 mock_cel::CelValue::CreateStringView(header_key),
128 mock_cel::CelValue::CreateStringView(header_item->second)));
131 headers_ = mock_cel::ContainerBackedMapImpl::Create(
132 absl::Span<std::pair<mock_cel::CelValue, mock_cel::CelValue>>(
134 activation->InsertValue(kHeaders,
135 mock_cel::CelValue::CreateMap(headers_.get()));
136 } else if (elem == kSourceAddress) {
137 absl::string_view source_address(args.GetPeerAddressString());
138 if (!source_address.empty()) {
139 activation->InsertValue(
141 mock_cel::CelValue::CreateStringView(source_address));
143 } else if (elem == kSourcePort) {
144 activation->InsertValue(
145 kSourcePort, mock_cel::CelValue::CreateInt64(args.GetPeerPort()));
146 } else if (elem == kDestinationAddress) {
147 absl::string_view destination_address(args.GetLocalAddressString());
148 if (!destination_address.empty()) {
149 activation->InsertValue(
151 mock_cel::CelValue::CreateStringView(destination_address));
153 } else if (elem == kDestinationPort) {
154 activation->InsertValue(kDestinationPort, mock_cel::CelValue::CreateInt64(
155 args.GetLocalPort()));
156 } else if (elem == kSpiffeId) {
157 absl::string_view spiffe_id(args.GetSpiffeId());
158 if (!spiffe_id.empty()) {
159 activation->InsertValue(
160 kSpiffeId, mock_cel::CelValue::CreateStringView(spiffe_id));
162 } else if (elem == kCertServerName) {
163 absl::string_view cert_server_name(args.GetCommonName());
164 if (!cert_server_name.empty()) {
165 activation->InsertValue(
167 mock_cel::CelValue::CreateStringView(cert_server_name));
171 "Error: Authorization engine does not support evaluating "
179 } // namespace grpc_core