Add checked expr as oneof RBAC policy condition (#11902)

Add CheckedExpr as oneof expression in RBAC proto

Additional Description: CheckedExpr is a type-checked CEL expression. It is future-proof and offers better evaluation performance (not for C++ yet, but for other languages). There will be a separate PR to plumb the checked expr into the RBAC filter.

Risk Level: low
Testing: existing tests

Signed-off-by: jiangtaoli2016 <jiangtao@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 3b8c61b5e5eb4dfddf3c4c0cae9e04eafe1ac61a
master-ci-test
data-plane-api(CircleCI) 4 years ago
parent 23106d3503
commit 55611f26db
  1. 11
      bazel/api_build_system.bzl
  2. 4
      bazel/external_proto_deps.bzl
  3. 1
      envoy/config/rbac/v3/BUILD
  4. 12
      envoy/config/rbac/v3/rbac.proto
  5. 1
      envoy/config/rbac/v4alpha/BUILD
  6. 17
      envoy/config/rbac/v4alpha/rbac.proto

@ -80,6 +80,10 @@ def py_proto_library(name, deps = [], plugin = None):
if name == "annotations_py_proto":
proto_deps = proto_deps + [":http_py_proto"]
# checked.proto depends on syntax.proto, we have to add this dependency manually as well.
if name == "checked_py_proto":
proto_deps = proto_deps + [":syntax_py_proto"]
# py_proto_library does not support plugin as an argument yet at gRPC v1.25.0:
# https://github.com/grpc/grpc/blob/v1.25.0/bazel/python_rules.bzl#L72.
# plugin should also be passed in here when gRPC version is greater than v1.25.x.
@ -172,13 +176,16 @@ def api_proto_package(
if has_services:
compilers = ["@io_bazel_rules_go//proto:go_grpc", "@envoy_api//bazel:pgv_plugin_go"]
# Because RBAC proro depends on googleapis syntax.proto and checked.proto,
# which share the same go proto library, it causes duplicative dependencies.
# Thus, we use depset().to_list() to remove duplicated depenencies.
go_proto_library(
name = name + _GO_PROTO_SUFFIX,
compilers = compilers,
importpath = _GO_IMPORTPATH_PREFIX + native.package_name(),
proto = name,
visibility = ["//visibility:public"],
deps = [_go_proto_mapping(dep) for dep in deps] + [
deps = depset([_go_proto_mapping(dep) for dep in deps] + [
"@com_github_golang_protobuf//ptypes:go_default_library",
"@com_github_golang_protobuf//ptypes/any:go_default_library",
"@com_github_golang_protobuf//ptypes/duration:go_default_library",
@ -188,5 +195,5 @@ def api_proto_package(
"@com_envoyproxy_protoc_gen_validate//validate:go_default_library",
"@com_google_googleapis//google/api:annotations_go_proto",
"@com_google_googleapis//google/rpc:status_go_proto",
],
]).to_list(),
)
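Review bot: The comment added above the go_proto_library call has two typos that will outlive the change: `# Because RBAC proro depends on googleapis syntax.proto and checked.proto,` should read `# Because the RBAC proto depends on googleapis syntax.proto and checked.proto,` and `depenencies` on the third line should be `dependencies`. It would also help to say why the duplication happens (two proto targets that map to a single Go binding target), so that the depset().to_list() is not later "simplified" back to a plain list and the duplicate-dependency error returns. In the first hunk, the `if name == "checked_py_proto":` fix-up is the second hard-coded transitive-dependency patch in py_proto_library next to annotations_py_proto; a small name-to-extra-deps dict would keep both in one place, though that is a matter of style. Both py_proto_library and api_proto_package continue outside the hunks.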

@ -9,6 +9,7 @@
# external dependencies. Since BUILD files are generated, this is the canonical
# place to define this mapping.
EXTERNAL_PROTO_IMPORT_BAZEL_DEP_MAP = {
"google/api/expr/v1alpha1/checked.proto": "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto",
"google/api/expr/v1alpha1/syntax.proto": "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto",
"metrics.proto": "@prometheus_metrics_model//:client_model",
"opencensus/proto/trace/v1/trace.proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_proto",
@ -17,6 +18,7 @@ EXTERNAL_PROTO_IMPORT_BAZEL_DEP_MAP = {
# This maps from the Bazel proto_library target to the Go language binding target for external dependencies.
EXTERNAL_PROTO_GO_BAZEL_DEP_MAP = {
"@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
"@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
"@opencensus_proto//opencensus/proto/trace/v1:trace_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_proto_go",
"@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_and_config_proto_go",
@ -24,6 +26,7 @@ EXTERNAL_PROTO_GO_BAZEL_DEP_MAP = {
# This maps from the Bazel proto_library target to the C++ language binding target for external dependencies.
EXTERNAL_PROTO_CC_BAZEL_DEP_MAP = {
"@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@com_google_googleapis//google/api/expr/v1alpha1:checked_cc_proto",
"@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@com_google_googleapis//google/api/expr/v1alpha1:syntax_cc_proto",
"@opencensus_proto//opencensus/proto/trace/v1:trace_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_proto_cc",
"@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto_cc",
@ -31,6 +34,7 @@ EXTERNAL_PROTO_CC_BAZEL_DEP_MAP = {
# This maps from the Bazel proto_library target to the Python language binding target for external dependencies.
EXTERNAL_PROTO_PY_BAZEL_DEP_MAP = {
"@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@com_google_googleapis//google/api/expr/v1alpha1:checked_py_proto",
"@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@com_google_googleapis//google/api/expr/v1alpha1:syntax_py_proto",
"@opencensus_proto//opencensus/proto/trace/v1:trace_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_proto_py",
"@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto_py",
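Review bot: The two new EXTERNAL_PROTO_GO_BAZEL_DEP_MAP entries both resolve to the same Go target, `@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto`, and that many-to-one mapping is what forces the depset() de-duplication elsewhere in this change; the map itself does not say so. A one-line comment next to those entries, e.g. `# checked_proto and syntax_proto share one Go binding; api_build_system.bzl dedupes the resulting deps.`, would record the coupling where the next editor of this map will actually see it. The C++ and Python maps stay one-to-one, so they need no such note.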

@ -11,6 +11,7 @@ api_proto_package(
"//envoy/config/route/v3:pkg",
"//envoy/type/matcher/v3:pkg",
"@com_github_cncf_udpa//udpa/annotations:pkg",
"@com_google_googleapis//google/api/expr/v1alpha1:checked_proto",
"@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto",
],
)

@ -8,8 +8,10 @@ import "envoy/type/matcher/v3/metadata.proto";
import "envoy/type/matcher/v3/path.proto";
import "envoy/type/matcher/v3/string.proto";
import "google/api/expr/v1alpha1/checked.proto";
import "google/api/expr/v1alpha1/syntax.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
@ -104,7 +106,15 @@ message Policy {
// An optional symbolic expression specifying an access control
// :ref:`condition <arch_overview_condition>`. The condition is combined
// with the permissions and the principals as a clause with AND semantics.
google.api.expr.v1alpha1.Expr condition = 3;
// Only be used when checked_condition is not used.
google.api.expr.v1alpha1.Expr condition = 3
[(udpa.annotations.field_migrate).oneof_promotion = "expression_specifier"];
// [#not-implemented-hide:]
// An optional symbolic expression that has been successfully type checked.
// Only be used when condition is not used.
google.api.expr.v1alpha1.CheckedExpr checked_condition = 4
[(udpa.annotations.field_migrate).oneof_promotion = "expression_specifier"];
}
// Permission defines an action (or actions) that a principal can take.
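Review bot: In v3 the two fields are not yet in a oneof (only annotated with `oneof_promotion`), so nothing in the schema stops a policy from setting both `condition` and `checked_condition`, and the new comments say only that each is "Only be used when" the other is not, without stating what happens if both are present. Because the condition is AND-ed into the policy, a field the filter does not evaluate silently makes the policy less restrictive than its author wrote it; with the plumbing deferred to a separate PR, the doc on `checked_condition` should state explicitly whether such a policy is rejected at load or the field is ignored, and which field wins when both are set. A clearer phrasing for both fields is `// Must not be set together with checked_condition.` / `// Must not be set together with condition.`, followed by one sentence naming the actual behavior once the filter's handling is decided. The Policy message starts outside the hunk.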

@ -11,6 +11,7 @@ api_proto_package(
"//envoy/config/route/v4alpha:pkg",
"//envoy/type/matcher/v4alpha:pkg",
"@com_github_cncf_udpa//udpa/annotations:pkg",
"@com_google_googleapis//google/api/expr/v1alpha1:checked_proto",
"@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto",
],
)

@ -8,6 +8,7 @@ import "envoy/type/matcher/v4alpha/metadata.proto";
import "envoy/type/matcher/v4alpha/path.proto";
import "envoy/type/matcher/v4alpha/string.proto";
import "google/api/expr/v1alpha1/checked.proto";
import "google/api/expr/v1alpha1/syntax.proto";
import "udpa/annotations/status.proto";
@ -101,10 +102,18 @@ message Policy {
// Principal with the `any` field set to true should be used.
repeated Principal principals = 2 [(validate.rules).repeated = {min_items: 1}];
// An optional symbolic expression specifying an access control
// :ref:`condition <arch_overview_condition>`. The condition is combined
// with the permissions and the principals as a clause with AND semantics.
google.api.expr.v1alpha1.Expr condition = 3;
oneof expression_specifier {
// An optional symbolic expression specifying an access control
// :ref:`condition <arch_overview_condition>`. The condition is combined
// with the permissions and the principals as a clause with AND semantics.
// Only be used when checked_condition is not used.
google.api.expr.v1alpha1.Expr condition = 3;
// [#not-implemented-hide:]
// An optional symbolic expression that has been successfully type checked.
// Only be used when condition is not used.
google.api.expr.v1alpha1.CheckedExpr checked_condition = 4;
}
}
// Permission defines an action (or actions) that a principal can take.
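Review bot: The "Only be used when checked_condition is not used." and "Only be used when condition is not used." lines are redundant now that both fields sit inside `oneof expression_specifier`, which already enforces mutual exclusion, and "Only be used" reads as a grammatical slip. A single comment on the oneof, e.g. `// At most one of condition and checked_condition may be set.`, says the same thing once and stays correct. If the v4alpha file is produced from the v3 source by this repository's generation tooling, as the matching structure suggests, the wording fix belongs in v3 rather than here. The oneof carries no `(validate.required)` option, which is consistent with the condition being optional.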
