summaryrefslogtreecommitdiff
path: root/grpc/src/core/lib/security/authorization/rbac_translator.cc
diff options
context:
space:
mode:
Diffstat (limited to 'grpc/src/core/lib/security/authorization/rbac_translator.cc')
-rw-r--r--grpc/src/core/lib/security/authorization/rbac_translator.cc60
1 files changed, 39 insertions, 21 deletions
diff --git a/grpc/src/core/lib/security/authorization/rbac_translator.cc b/grpc/src/core/lib/security/authorization/rbac_translator.cc
index ea5599dd..01d9c0eb 100644
--- a/grpc/src/core/lib/security/authorization/rbac_translator.cc
+++ b/grpc/src/core/lib/security/authorization/rbac_translator.cc
@@ -20,6 +20,7 @@
#include "absl/strings/str_format.h"
#include "absl/strings/strip.h"
+#include "src/core/lib/gpr/useful.h"
#include "src/core/lib/matchers/matchers.h"
namespace grpc_core {
@@ -29,8 +30,9 @@ namespace {
absl::string_view GetMatcherType(absl::string_view value,
StringMatcher::Type* type) {
if (value == "*") {
- *type = StringMatcher::Type::kPrefix;
- return "";
+ *type = StringMatcher::Type::kSafeRegex;
+ // Presence match checks for non empty strings.
+ return ".+";
} else if (absl::StartsWith(value, "*")) {
*type = StringMatcher::Type::kSuffix;
return absl::StripPrefix(value, "*");
@@ -56,6 +58,24 @@ absl::StatusOr<HeaderMatcher> GetHeaderMatcher(absl::string_view name,
matcher);
}
+bool IsUnsupportedHeader(absl::string_view header_name) {
+ static const char* const kUnsupportedHeaders[] = {"host",
+ "connection",
+ "keep-alive",
+ "proxy-authenticate",
+ "proxy-authorization",
+ "te",
+ "trailer",
+ "transfer-encoding",
+ "upgrade"};
+ for (size_t i = 0; i < GPR_ARRAY_SIZE(kUnsupportedHeaders); ++i) {
+ if (absl::EqualsIgnoreCase(header_name, kUnsupportedHeaders[i])) {
+ return true;
+ }
+ }
+ return false;
+}
+
absl::StatusOr<Rbac::Principal> ParsePrincipalsArray(const Json& json) {
std::vector<std::unique_ptr<Rbac::Principal>> principal_names;
for (size_t i = 0; i < json.array_value().size(); ++i) {
@@ -71,11 +91,10 @@ absl::StatusOr<Rbac::Principal> ParsePrincipalsArray(const Json& json) {
matcher_or.status().message()));
}
principal_names.push_back(absl::make_unique<Rbac::Principal>(
- Rbac::Principal::RuleType::kPrincipalName,
- std::move(matcher_or.value())));
+ Rbac::Principal::MakeAuthenticatedPrincipal(
+ std::move(matcher_or.value()))));
}
- return Rbac::Principal(Rbac::Principal::RuleType::kOr,
- std::move(principal_names));
+ return Rbac::Principal::MakeOrPrincipal(std::move(principal_names));
}
absl::StatusOr<Rbac::Principal> ParsePeer(const Json& json) {
@@ -93,9 +112,9 @@ absl::StatusOr<Rbac::Principal> ParsePeer(const Json& json) {
}
}
if (peer.empty()) {
- return Rbac::Principal(Rbac::Principal::RuleType::kAny);
+ return Rbac::Principal::MakeAnyPrincipal();
}
- return Rbac::Principal(Rbac::Principal::RuleType::kAnd, std::move(peer));
+ return Rbac::Principal::MakeAndPrincipal(std::move(peer));
}
absl::StatusOr<Rbac::Permission> ParseHeaderValues(
@@ -117,9 +136,9 @@ absl::StatusOr<Rbac::Permission> ParseHeaderValues(
absl::StrCat("\"values\" ", i, ": ", matcher_or.status().message()));
}
values.push_back(absl::make_unique<Rbac::Permission>(
- Rbac::Permission::RuleType::kHeader, std::move(matcher_or.value())));
+ Rbac::Permission::MakeHeaderPermission(std::move(matcher_or.value()))));
}
- return Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(values));
+ return Rbac::Permission::MakeOrPermission(std::move(values));
}
absl::StatusOr<Rbac::Permission> ParseHeaders(const Json& json) {
@@ -131,10 +150,9 @@ absl::StatusOr<Rbac::Permission> ParseHeaders(const Json& json) {
return absl::InvalidArgumentError("\"key\" is not a string.");
}
absl::string_view header_name = it->second.string_value();
- // TODO(ashithasantosh): Add connection headers below.
if (absl::StartsWith(header_name, ":") ||
- absl::StartsWith(header_name, "grpc-") || header_name == "host" ||
- header_name == "Host") {
+ absl::StartsWith(header_name, "grpc-") ||
+ IsUnsupportedHeader(header_name)) {
return absl::InvalidArgumentError(
absl::StrFormat("Unsupported \"key\" %s.", header_name));
}
@@ -165,7 +183,7 @@ absl::StatusOr<Rbac::Permission> ParseHeadersArray(const Json& json) {
headers.push_back(
absl::make_unique<Rbac::Permission>(std::move(headers_or.value())));
}
- return Rbac::Permission(Rbac::Permission::RuleType::kAnd, std::move(headers));
+ return Rbac::Permission::MakeAndPermission(std::move(headers));
}
absl::StatusOr<Rbac::Permission> ParsePathsArray(const Json& json) {
@@ -183,9 +201,9 @@ absl::StatusOr<Rbac::Permission> ParsePathsArray(const Json& json) {
absl::StrCat("\"paths\" ", i, ": ", matcher_or.status().message()));
}
paths.push_back(absl::make_unique<Rbac::Permission>(
- Rbac::Permission::RuleType::kPath, std::move(matcher_or.value())));
+ Rbac::Permission::MakePathPermission(std::move(matcher_or.value()))));
}
- return Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(paths));
+ return Rbac::Permission::MakeOrPermission(std::move(paths));
}
absl::StatusOr<Rbac::Permission> ParseRequest(const Json& json) {
@@ -215,9 +233,9 @@ absl::StatusOr<Rbac::Permission> ParseRequest(const Json& json) {
}
}
if (request.empty()) {
- return Rbac::Permission(Rbac::Permission::RuleType::kAny);
+ return Rbac::Permission::MakeAnyPermission();
}
- return Rbac::Permission(Rbac::Permission::RuleType::kAnd, std::move(request));
+ return Rbac::Permission::MakeAndPermission(std::move(request));
}
absl::StatusOr<Rbac::Policy> ParseRules(const Json& json) {
@@ -231,7 +249,7 @@ absl::StatusOr<Rbac::Policy> ParseRules(const Json& json) {
if (!peer_or.ok()) return peer_or.status();
principals = std::move(peer_or.value());
} else {
- principals = Rbac::Principal(Rbac::Principal::RuleType::kAny);
+ principals = Rbac::Principal::MakeAnyPrincipal();
}
Rbac::Permission permissions;
it = json.object_value().find("request");
@@ -243,7 +261,7 @@ absl::StatusOr<Rbac::Policy> ParseRules(const Json& json) {
if (!request_or.ok()) return request_or.status();
permissions = std::move(request_or.value());
} else {
- permissions = Rbac::Permission(Rbac::Permission::RuleType::kAny);
+ permissions = Rbac::Permission::MakeAnyPermission();
}
return Rbac::Policy(std::move(permissions), std::move(principals));
}
@@ -301,7 +319,7 @@ absl::StatusOr<RbacPolicies> GenerateRbacPolicies(
Json json = Json::Parse(authz_policy, &error);
if (error != GRPC_ERROR_NONE) {
absl::Status status = absl::InvalidArgumentError(
- absl::StrCat("Failed to parse SDK authorization policy. Error: ",
+ absl::StrCat("Failed to parse gRPC authorization policy. Error: ",
grpc_error_std_string(error)));
GRPC_ERROR_UNREF(error);
return status;
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-14 23:39:00 +0000