diff options
Diffstat (limited to 'grpc/src/core/lib/security/authorization/grpc_authorization_policy_provider.h')
-rw-r--r-- | grpc/src/core/lib/security/authorization/grpc_authorization_policy_provider.h | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/grpc/src/core/lib/security/authorization/grpc_authorization_policy_provider.h b/grpc/src/core/lib/security/authorization/grpc_authorization_policy_provider.h new file mode 100644 index 00000000..1d59252c --- /dev/null +++ b/grpc/src/core/lib/security/authorization/grpc_authorization_policy_provider.h @@ -0,0 +1,103 @@ +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_POLICY_PROVIDER_H +#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_POLICY_PROVIDER_H + +#include <grpc/support/port_platform.h> + +#include <memory> + +#include "absl/status/statusor.h" + +#include "src/core/lib/gprpp/sync.h" +#include "src/core/lib/gprpp/thd.h" +#include "src/core/lib/security/authorization/authorization_policy_provider.h" +#include "src/core/lib/security/authorization/rbac_translator.h" + +namespace grpc_core { + +// Provider class will get gRPC Authorization policy from string during +// initialization. This policy will be translated to Envoy RBAC policies and +// used to initialize allow and deny AuthorizationEngine objects. This provider +// will return the same authorization engines everytime. +class StaticDataAuthorizationPolicyProvider + : public grpc_authorization_policy_provider { + public: + static absl::StatusOr<RefCountedPtr<grpc_authorization_policy_provider>> + Create(absl::string_view authz_policy); + + // Use factory method "Create" to create an instance of + // StaticDataAuthorizationPolicyProvider. + explicit StaticDataAuthorizationPolicyProvider(RbacPolicies policies); + + AuthorizationEngines engines() override { + return {allow_engine_, deny_engine_}; + } + + void Orphan() override {} + + private: + RefCountedPtr<AuthorizationEngine> allow_engine_; + RefCountedPtr<AuthorizationEngine> deny_engine_; +}; + +// Provider class will get gRPC Authorization policy from provided file path. +// This policy will be translated to Envoy RBAC policies and used to initialize +// allow and deny AuthorizationEngine objects. This provider will periodically +// load file contents in specified path, and upon modification update the engine +// instances with new policy configuration. During reload if the file contents +// are invalid or there are I/O errors, we will skip that particular update and +// log error status. The authorization decisions will be made using the latest +// valid policy. +class FileWatcherAuthorizationPolicyProvider + : public grpc_authorization_policy_provider { + public: + static absl::StatusOr<RefCountedPtr<grpc_authorization_policy_provider>> + Create(absl::string_view authz_policy_path, + unsigned int refresh_interval_sec); + + // Use factory method "Create" to create an instance of + // FileWatcherAuthorizationPolicyProvider. + FileWatcherAuthorizationPolicyProvider(absl::string_view authz_policy_path, + unsigned int refresh_interval_sec, + absl::Status* status); + + void Orphan() override; + + AuthorizationEngines engines() override { + MutexLock lock(&mu_); + return {allow_engine_, deny_engine_}; + } + + private: + // Force an update from the file system regardless of the interval. + absl::Status ForceUpdate(); + + std::string authz_policy_path_; + std::string file_contents_; + unsigned int refresh_interval_sec_; + + std::unique_ptr<Thread> refresh_thread_; + gpr_event shutdown_event_; + + Mutex mu_; + // Engines created using authz_policy_. + RefCountedPtr<AuthorizationEngine> allow_engine_ ABSL_GUARDED_BY(mu_); + RefCountedPtr<AuthorizationEngine> deny_engine_ ABSL_GUARDED_BY(mu_); +}; + +} // namespace grpc_core + +#endif // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_AUTHORIZATION_POLICY_PROVIDER_H |