diff options
Diffstat (limited to 'grpc/src/core/lib/security/authorization/rbac_translator.cc')
-rw-r--r-- | grpc/src/core/lib/security/authorization/rbac_translator.cc | 60 |
1 files changed, 39 insertions, 21 deletions
diff --git a/grpc/src/core/lib/security/authorization/rbac_translator.cc b/grpc/src/core/lib/security/authorization/rbac_translator.cc index ea5599dd..01d9c0eb 100644 --- a/grpc/src/core/lib/security/authorization/rbac_translator.cc +++ b/grpc/src/core/lib/security/authorization/rbac_translator.cc @@ -20,6 +20,7 @@ #include "absl/strings/str_format.h" #include "absl/strings/strip.h" +#include "src/core/lib/gpr/useful.h" #include "src/core/lib/matchers/matchers.h" namespace grpc_core { @@ -29,8 +30,9 @@ namespace { absl::string_view GetMatcherType(absl::string_view value, StringMatcher::Type* type) { if (value == "*") { - *type = StringMatcher::Type::kPrefix; - return ""; + *type = StringMatcher::Type::kSafeRegex; + // Presence match checks for non empty strings. + return ".+"; } else if (absl::StartsWith(value, "*")) { *type = StringMatcher::Type::kSuffix; return absl::StripPrefix(value, "*"); @@ -56,6 +58,24 @@ absl::StatusOr<HeaderMatcher> GetHeaderMatcher(absl::string_view name, matcher); } +bool IsUnsupportedHeader(absl::string_view header_name) { + static const char* const kUnsupportedHeaders[] = {"host", + "connection", + "keep-alive", + "proxy-authenticate", + "proxy-authorization", + "te", + "trailer", + "transfer-encoding", + "upgrade"}; + for (size_t i = 0; i < GPR_ARRAY_SIZE(kUnsupportedHeaders); ++i) { + if (absl::EqualsIgnoreCase(header_name, kUnsupportedHeaders[i])) { + return true; + } + } + return false; +} + absl::StatusOr<Rbac::Principal> ParsePrincipalsArray(const Json& json) { std::vector<std::unique_ptr<Rbac::Principal>> principal_names; for (size_t i = 0; i < json.array_value().size(); ++i) { @@ -71,11 +91,10 @@ absl::StatusOr<Rbac::Principal> ParsePrincipalsArray(const Json& json) { matcher_or.status().message())); } principal_names.push_back(absl::make_unique<Rbac::Principal>( - Rbac::Principal::RuleType::kPrincipalName, - std::move(matcher_or.value()))); + Rbac::Principal::MakeAuthenticatedPrincipal( + std::move(matcher_or.value())))); } - return Rbac::Principal(Rbac::Principal::RuleType::kOr, - std::move(principal_names)); + return Rbac::Principal::MakeOrPrincipal(std::move(principal_names)); } absl::StatusOr<Rbac::Principal> ParsePeer(const Json& json) { @@ -93,9 +112,9 @@ absl::StatusOr<Rbac::Principal> ParsePeer(const Json& json) { } } if (peer.empty()) { - return Rbac::Principal(Rbac::Principal::RuleType::kAny); + return Rbac::Principal::MakeAnyPrincipal(); } - return Rbac::Principal(Rbac::Principal::RuleType::kAnd, std::move(peer)); + return Rbac::Principal::MakeAndPrincipal(std::move(peer)); } absl::StatusOr<Rbac::Permission> ParseHeaderValues( @@ -117,9 +136,9 @@ absl::StatusOr<Rbac::Permission> ParseHeaderValues( absl::StrCat("\"values\" ", i, ": ", matcher_or.status().message())); } values.push_back(absl::make_unique<Rbac::Permission>( - Rbac::Permission::RuleType::kHeader, std::move(matcher_or.value()))); + Rbac::Permission::MakeHeaderPermission(std::move(matcher_or.value())))); } - return Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(values)); + return Rbac::Permission::MakeOrPermission(std::move(values)); } absl::StatusOr<Rbac::Permission> ParseHeaders(const Json& json) { @@ -131,10 +150,9 @@ absl::StatusOr<Rbac::Permission> ParseHeaders(const Json& json) { return absl::InvalidArgumentError("\"key\" is not a string."); } absl::string_view header_name = it->second.string_value(); - // TODO(ashithasantosh): Add connection headers below. if (absl::StartsWith(header_name, ":") || - absl::StartsWith(header_name, "grpc-") || header_name == "host" || - header_name == "Host") { + absl::StartsWith(header_name, "grpc-") || + IsUnsupportedHeader(header_name)) { return absl::InvalidArgumentError( absl::StrFormat("Unsupported \"key\" %s.", header_name)); } @@ -165,7 +183,7 @@ absl::StatusOr<Rbac::Permission> ParseHeadersArray(const Json& json) { headers.push_back( absl::make_unique<Rbac::Permission>(std::move(headers_or.value()))); } - return Rbac::Permission(Rbac::Permission::RuleType::kAnd, std::move(headers)); + return Rbac::Permission::MakeAndPermission(std::move(headers)); } absl::StatusOr<Rbac::Permission> ParsePathsArray(const Json& json) { @@ -183,9 +201,9 @@ absl::StatusOr<Rbac::Permission> ParsePathsArray(const Json& json) { absl::StrCat("\"paths\" ", i, ": ", matcher_or.status().message())); } paths.push_back(absl::make_unique<Rbac::Permission>( - Rbac::Permission::RuleType::kPath, std::move(matcher_or.value()))); + Rbac::Permission::MakePathPermission(std::move(matcher_or.value())))); } - return Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(paths)); + return Rbac::Permission::MakeOrPermission(std::move(paths)); } absl::StatusOr<Rbac::Permission> ParseRequest(const Json& json) { @@ -215,9 +233,9 @@ absl::StatusOr<Rbac::Permission> ParseRequest(const Json& json) { } } if (request.empty()) { - return Rbac::Permission(Rbac::Permission::RuleType::kAny); + return Rbac::Permission::MakeAnyPermission(); } - return Rbac::Permission(Rbac::Permission::RuleType::kAnd, std::move(request)); + return Rbac::Permission::MakeAndPermission(std::move(request)); } absl::StatusOr<Rbac::Policy> ParseRules(const Json& json) { @@ -231,7 +249,7 @@ absl::StatusOr<Rbac::Policy> ParseRules(const Json& json) { if (!peer_or.ok()) return peer_or.status(); principals = std::move(peer_or.value()); } else { - principals = Rbac::Principal(Rbac::Principal::RuleType::kAny); + principals = Rbac::Principal::MakeAnyPrincipal(); } Rbac::Permission permissions; it = json.object_value().find("request"); @@ -243,7 +261,7 @@ absl::StatusOr<Rbac::Policy> ParseRules(const Json& json) { if (!request_or.ok()) return request_or.status(); permissions = std::move(request_or.value()); } else { - permissions = Rbac::Permission(Rbac::Permission::RuleType::kAny); + permissions = Rbac::Permission::MakeAnyPermission(); } return Rbac::Policy(std::move(permissions), std::move(principals)); } @@ -301,7 +319,7 @@ absl::StatusOr<RbacPolicies> GenerateRbacPolicies( Json json = Json::Parse(authz_policy, &error); if (error != GRPC_ERROR_NONE) { absl::Status status = absl::InvalidArgumentError( - absl::StrCat("Failed to parse SDK authorization policy. Error: ", + absl::StrCat("Failed to parse gRPC authorization policy. Error: ", grpc_error_std_string(error))); GRPC_ERROR_UNREF(error); return status; |