From 6ea821487923e63b3654990f4b30efe3a71c18ad Mon Sep 17 00:00:00 2001 
From: Yash Tibrewal Date: Thu, 23 Dec 2021 20:46:36 -0800 Subject: [PATCH] xDS: Add support for RBAC HTTP filter (#28309) * xDS: ADD RBAC HTTP filter support * sanity, upb regenerate files * Revert PerChannelArg changes * Reviewer comments * Reviewer comments * Reviewer comments * Remove unnecessary header * Fix sanity * Add RBAC service config parsing tests * Don't make a copy of the metadata batch * Revert expr_proto changes * Some more tests * Reviewer comments * Reviewer comments * No metadata changes needed * Fix leak of DynamicXdsServerConfigSelectorProvider * Fix deadlock issues * Fix test compilation --- BUILD | 36 + CMakeLists.txt | 112 +- Makefile | 28 + build_autogenerated.yaml | 101 +- config.m4 | 19 + config.w32 | 23 + gRPC-C++.podspec | 28 + gRPC-Core.podspec | 50 +- grpc.gemspec | 28 + grpc.gyp | 17 +- package.xml | 28 + src/core/ext/filters/rbac/rbac_filter.cc | 157 +++ src/core/ext/filters/rbac/rbac_filter.h | 74 ++ .../rbac/rbac_service_config_parser.cc | 604 +++++++++ .../filters/rbac/rbac_service_config_parser.h | 70 + .../server_config_selector.h | 3 +- .../server_config_selector_filter.cc | 15 +- .../transport/chttp2/server/chttp2_server.cc | 31 +- .../filters/http/rbac/v3/rbac.upb.c | 61 + .../filters/http/rbac/v3/rbac.upb.h | 146 +++ .../filters/http/rbac/v3/rbac.upbdefs.c | 56 + .../filters/http/rbac/v3/rbac.upbdefs.h | 40 + .../api/expr/v1alpha1/checked.upbdefs.c | 154 +++ .../api/expr/v1alpha1/checked.upbdefs.h | 95 ++ .../google/api/expr/v1alpha1/eval.upbdefs.c | 58 + .../google/api/expr/v1alpha1/eval.upbdefs.h | 55 + .../api/expr/v1alpha1/explain.upbdefs.c | 44 + .../api/expr/v1alpha1/explain.upbdefs.h | 40 + .../google/api/expr/v1alpha1/syntax.upbdefs.c | 153 +++ .../google/api/expr/v1alpha1/syntax.upbdefs.h | 100 ++ .../google/api/expr/v1alpha1/value.upbdefs.c | 75 ++ .../google/api/expr/v1alpha1/value.upbdefs.h | 55 + src/core/ext/xds/xds_http_filters.cc | 5 + src/core/ext/xds/xds_http_rbac_filter.cc | 551 ++++++++ 
src/core/ext/xds/xds_http_rbac_filter.h | 54 + src/core/ext/xds/xds_listener.cc | 15 +- src/core/ext/xds/xds_route_config.cc | 2 +- src/core/ext/xds/xds_server_config_fetcher.cc | 82 +- src/core/lib/gprpp/status_helper.cc | 2 +- src/core/lib/gprpp/status_helper.h | 2 +- .../grpc_authorization_engine.cc | 11 + .../authorization/grpc_authorization_engine.h | 8 +- .../lib/security/authorization/rbac_policy.h | 4 +- .../plugin_registry/grpc_plugin_registry.cc | 4 + src/proto/grpc/testing/xds/v3/BUILD | 62 + src/proto/grpc/testing/xds/v3/expr.proto | 23 + .../xds/v3/http_connection_manager.proto | 27 + .../testing/xds/v3/http_filter_rbac.proto | 41 + src/proto/grpc/testing/xds/v3/metadata.proto | 84 ++ src/proto/grpc/testing/xds/v3/path.proto | 35 + src/proto/grpc/testing/xds/v3/range.proto | 10 + src/proto/grpc/testing/xds/v3/rbac.proto | 293 +++++ src/python/grpcio/grpc_core_dependencies.py | 14 + test/core/ext/filters/rbac/BUILD | 33 + .../rbac/rbac_service_config_parser_test.cc | 652 ++++++++++ .../server_config_selector_test.cc | 2 + test/cpp/end2end/xds/BUILD | 1 + test/cpp/end2end/xds/xds_end2end_test.cc | 1141 ++++++++++++++++- tools/codegen/core/gen_upb_api.sh | 1 + tools/doxygen/Doxyfile.c++.internal | 28 + tools/doxygen/Doxyfile.core.internal | 28 + tools/run_tests/generated/tests.json | 24 + 62 files changed, 5647 insertions(+), 148 deletions(-) create mode 100644 src/core/ext/filters/rbac/rbac_filter.cc create mode 100644 src/core/ext/filters/rbac/rbac_filter.h create mode 100644 src/core/ext/filters/rbac/rbac_service_config_parser.cc create mode 100644 src/core/ext/filters/rbac/rbac_service_config_parser.h create mode 100644 src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c create mode 100644 src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h create mode 100644 src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c create mode 100644 
src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h create mode 100644 src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c create mode 100644 src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h create mode 100644 src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c create mode 100644 src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h create mode 100644 src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c create mode 100644 src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h create mode 100644 src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c create mode 100644 src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h create mode 100644 src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c create mode 100644 src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h create mode 100644 src/core/ext/xds/xds_http_rbac_filter.cc create mode 100644 src/core/ext/xds/xds_http_rbac_filter.h create mode 100644 src/proto/grpc/testing/xds/v3/expr.proto create mode 100644 src/proto/grpc/testing/xds/v3/http_filter_rbac.proto create mode 100644 src/proto/grpc/testing/xds/v3/metadata.proto create mode 100644 src/proto/grpc/testing/xds/v3/path.proto create mode 100644 src/proto/grpc/testing/xds/v3/rbac.proto create mode 100644 test/core/ext/filters/rbac/BUILD create mode 100644 test/core/ext/filters/rbac/rbac_service_config_parser_test.cc
diff --git a/BUILD b/BUILD
index 9e687fb05de..4dd7d777065 100644
--- a/BUILD
+++ b/BUILD
@@ -2414,6 +2414,27 @@ grpc_cc_library(
 ],
 )
+grpc_cc_library(
+ name = "grpc_rbac_filter",
+ srcs = [
+ "src/core/ext/filters/rbac/rbac_filter.cc",
+ "src/core/ext/filters/rbac/rbac_service_config_parser.cc",
+ ],
+ hdrs = [
+ "src/core/ext/filters/rbac/rbac_filter.h",
+ "src/core/ext/filters/rbac/rbac_service_config_parser.h",
+ ],
+ external_deps = ["absl/strings:str_format"],
+ language = "c++",
+ deps = [
+ "gpr_base",
+ "grpc_base",
+ "grpc_rbac_engine",
+ "grpc_service_config",
+ "json_util",
+ ],
+)
+
 grpc_cc_library(
 name = "grpc_http_filters",
 srcs = [
@@ -2616,6 +2637,7 @@ grpc_cc_library(
 "src/core/ext/xds/xds_endpoint.cc",
 "src/core/ext/xds/xds_http_fault_filter.cc",
 "src/core/ext/xds/xds_http_filters.cc",
+ "src/core/ext/xds/xds_http_rbac_filter.cc",
 "src/core/ext/xds/xds_listener.cc",
 "src/core/ext/xds/xds_resource_type.cc",
 "src/core/ext/xds/xds_route_config.cc",
@@ -2639,6 +2661,7 @@ grpc_cc_library(
 "src/core/ext/xds/xds_endpoint.h",
 "src/core/ext/xds/xds_http_fault_filter.h",
 "src/core/ext/xds/xds_http_filters.h",
+ "src/core/ext/xds/xds_http_rbac_filter.h",
 "src/core/ext/xds/xds_listener.h",
 "src/core/ext/xds/xds_resource_type.h",
 "src/core/ext/xds/xds_resource_type_impl.h",
@@ -2676,6 +2699,7 @@ grpc_cc_library(
 "grpc_fault_injection_filter",
 "grpc_lb_xds_channel_args",
 "grpc_matchers",
+ "grpc_rbac_filter",
 "grpc_secure",
 "grpc_transport_chttp2_client_secure",
 "json",
@@ -4430,6 +4454,7 @@ grpc_cc_library(
 "src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c",
 "src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c",
 "src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c",
+ "src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c",
 "src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c",
 "src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c",
 "src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c",
@@ -4475,6 +4500,7 @@ grpc_cc_library(
 "src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h",
 "src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h",
 "src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h",
+ "src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h",
 "src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h",
 "src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h",
 "src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.h",
@@ -4538,6 +4564,7 @@ grpc_cc_library(
 "src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c",
 "src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c",
 "src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c",
+ "src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c",
 "src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c",
 "src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c",
 "src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.c",
@@ -4545,6 +4572,7 @@ grpc_cc_library(
 "src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c",
 "src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c",
 "src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c",
+ "src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c",
 "src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c",
 "src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c",
 "src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c",
@@ -4582,6 +4610,7 @@ grpc_cc_library(
 "src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.h",
 "src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h",
 "src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h",
+ "src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h",
 "src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h",
 "src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h",
 "src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.h",
@@ -4589,6 +4618,7 @@ grpc_cc_library(
 "src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h",
 "src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h",
 "src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h",
+ "src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h",
 "src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h",
 "src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h",
 "src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.h",
@@ -4620,6 +4650,7 @@ grpc_cc_library(
 "envoy_core_upbdefs",
 "envoy_type_upbdefs",
 "google_api_annotations_upbdefs",
+ "google_api_expr_upbdefs",
 "google_rpc_status_upbdefs",
 "proto_gen_validate_upbdefs",
 "protobuf_any_upbdefs",
@@ -5182,6 +5213,11 @@ grpc_upb_proto_library(
 deps = ["@com_google_googleapis//google/api/expr/v1alpha1:expr_proto"],
 )
+grpc_upb_proto_reflection_library(
+ name = "google_api_expr_upbdefs",
+ deps = ["@com_google_googleapis//google/api/expr/v1alpha1:expr_proto"],
+)
+
 grpc_upb_proto_library(
 name = "google_rpc_status_upb",
 deps = ["@com_google_googleapis//google/rpc:status_proto"],
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5f275b33c5b..408e906246c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -530,6 +530,9 @@ protobuf_generate_grpc_cpp(
 protobuf_generate_grpc_cpp(
 src/proto/grpc/testing/xds/v3/endpoint.proto
 )
+protobuf_generate_grpc_cpp(
+ src/proto/grpc/testing/xds/v3/expr.proto
+)
 protobuf_generate_grpc_cpp(
 src/proto/grpc/testing/xds/v3/extension.proto
 )
@@ -542,6 +545,9 @@ protobuf_generate_grpc_cpp(
 protobuf_generate_grpc_cpp(
 src/proto/grpc/testing/xds/v3/http_connection_manager.proto
 )
+protobuf_generate_grpc_cpp(
+ src/proto/grpc/testing/xds/v3/http_filter_rbac.proto
+)
 protobuf_generate_grpc_cpp(
 src/proto/grpc/testing/xds/v3/listener.proto
 )
@@ -551,9 +557,15 @@ protobuf_generate_grpc_cpp(
 protobuf_generate_grpc_cpp(
 src/proto/grpc/testing/xds/v3/lrs.proto
 )
+protobuf_generate_grpc_cpp(
+ src/proto/grpc/testing/xds/v3/metadata.proto
+)
 protobuf_generate_grpc_cpp(
 src/proto/grpc/testing/xds/v3/orca_load_report.proto
 )
+protobuf_generate_grpc_cpp(
+ src/proto/grpc/testing/xds/v3/path.proto
+)
 protobuf_generate_grpc_cpp(
 src/proto/grpc/testing/xds/v3/percent.proto
 )
@@ -563,6 +575,9 @@ protobuf_generate_grpc_cpp(
 protobuf_generate_grpc_cpp(
 src/proto/grpc/testing/xds/v3/range.proto
 )
+protobuf_generate_grpc_cpp(
+ src/proto/grpc/testing/xds/v3/rbac.proto
+)
 protobuf_generate_grpc_cpp(
 src/proto/grpc/testing/xds/v3/regex.proto
 )
@@ -924,6 +939,7 @@ if(gRPC_BUILD_TESTS)
 add_dependencies(buildtests_cxx qps_worker)
 add_dependencies(buildtests_cxx race_test)
 add_dependencies(buildtests_cxx raw_end2end_test)
+ add_dependencies(buildtests_cxx rbac_service_config_parser_test)
 add_dependencies(buildtests_cxx rbac_translator_test)
 add_dependencies(buildtests_cxx ref_counted_ptr_test)
 add_dependencies(buildtests_cxx ref_counted_test)
@@ -1218,10 +1234,7 @@ endif()
 if(gRPC_BUILD_TESTS)
 add_library(end2end_tests
- src/core/lib/security/authorization/grpc_authorization_engine.cc
 src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
- src/core/lib/security/authorization/matchers.cc
- src/core/lib/security/authorization/rbac_policy.cc
 src/core/lib/security/authorization/rbac_translator.cc
 test/core/compression/args_utils.cc
 test/core/end2end/cq_verifier.cc
@@ -1596,6 +1609,8 @@ add_library(grpc
 src/core/ext/filters/http/server/http_server_filter.cc
 src/core/ext/filters/max_age/max_age_filter.cc
 src/core/ext/filters/message_size/message_size_filter.cc
+ src/core/ext/filters/rbac/rbac_filter.cc
+ src/core/ext/filters/rbac/rbac_service_config_parser.cc
 src/core/ext/filters/server_config_selector/server_config_selector.cc
 src/core/ext/filters/server_config_selector/server_config_selector_filter.cc
 src/core/ext/service_config/service_config.cc
@@ -1677,6 +1692,7 @@ add_library(grpc
 src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c
 src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c
 src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c
+ src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c
 src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c
 src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c
 src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c
@@ -1777,6 +1793,7 @@ add_library(grpc
 src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c
+ src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.c
@@ -1784,6 +1801,7 @@ add_library(grpc
 src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c
+ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c
@@ -1815,6 +1833,11 @@ add_library(grpc
 src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.c
 src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c
 src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c
+ src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c
+ src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c
+ src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c
+ src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c
+ src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c
 src/core/ext/upbdefs-generated/google/api/http.upbdefs.c
 src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c
 src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c
@@ -1852,6 +1875,7 @@ add_library(grpc
 src/core/ext/xds/xds_endpoint.cc
 src/core/ext/xds/xds_http_fault_filter.cc
 src/core/ext/xds/xds_http_filters.cc
+ src/core/ext/xds/xds_http_rbac_filter.cc
 src/core/ext/xds/xds_listener.cc
 src/core/ext/xds/xds_resource_type.cc
 src/core/ext/xds/xds_route_config.cc
@@ -1994,6 +2018,9 @@ add_library(grpc
 src/core/lib/resource_quota/trace.cc
 src/core/lib/security/authorization/authorization_policy_provider_vtable.cc
 src/core/lib/security/authorization/evaluate_args.cc
+ src/core/lib/security/authorization/grpc_authorization_engine.cc
+ src/core/lib/security/authorization/matchers.cc
+ src/core/lib/security/authorization/rbac_policy.cc
 src/core/lib/security/authorization/sdk_server_authz_filter.cc
 src/core/lib/security/context/security_context.cc
 src/core/lib/security/credentials/alts/alts_credentials.cc
@@ -6427,10 +6454,7 @@ endif()
 if(gRPC_BUILD_TESTS)
 add_executable(public_headers_must_be_c89
- src/core/lib/security/authorization/grpc_authorization_engine.cc
 src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
- src/core/lib/security/authorization/matchers.cc
- src/core/lib/security/authorization/rbac_policy.cc
 src/core/lib/security/authorization/rbac_translator.cc
 test/core/surface/public_headers_must_be_c89.c
 )
@@ -7900,9 +7924,6 @@ endif()
 if(gRPC_BUILD_TESTS)
 add_executable(authorization_matchers_test
- src/core/lib/security/authorization/grpc_authorization_engine.cc
- src/core/lib/security/authorization/matchers.cc
- src/core/lib/security/authorization/rbac_policy.cc
 test/core/security/authorization_matchers_test.cc
 third_party/googletest/googletest/src/gtest-all.cc
 third_party/googletest/googlemock/src/gmock-all.cc
@@ -7938,10 +7959,7 @@ endif()
 if(gRPC_BUILD_TESTS)
 add_executable(authorization_policy_provider_test
- src/core/lib/security/authorization/grpc_authorization_engine.cc
 src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
- src/core/lib/security/authorization/matchers.cc
- src/core/lib/security/authorization/rbac_policy.cc
 src/core/lib/security/authorization/rbac_translator.cc
 src/cpp/server/authorization_policy_provider.cc
 test/cpp/server/authorization_policy_provider_test.cc
@@ -8548,9 +8566,6 @@ if(gRPC_BUILD_TESTS)
 add_executable(cel_authorization_engine_test
 src/core/lib/security/authorization/cel_authorization_engine.cc
- src/core/lib/security/authorization/grpc_authorization_engine.cc
- src/core/lib/security/authorization/matchers.cc
- src/core/lib/security/authorization/rbac_policy.cc
 test/core/security/cel_authorization_engine_test.cc
 third_party/googletest/googletest/src/gtest-all.cc
 third_party/googletest/googlemock/src/gmock-all.cc
@@ -10918,9 +10933,6 @@ endif()
 if(gRPC_BUILD_TESTS)
 add_executable(grpc_authorization_engine_test
- src/core/lib/security/authorization/grpc_authorization_engine.cc
- src/core/lib/security/authorization/matchers.cc
- src/core/lib/security/authorization/rbac_policy.cc
 test/core/security/grpc_authorization_engine_test.cc
 third_party/googletest/googletest/src/gtest-all.cc
 third_party/googletest/googlemock/src/gmock-all.cc
@@ -10956,10 +10968,7 @@ endif()
 if(gRPC_BUILD_TESTS)
 add_executable(grpc_authorization_policy_provider_test
- src/core/lib/security/authorization/grpc_authorization_engine.cc
 src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
- src/core/lib/security/authorization/matchers.cc
- src/core/lib/security/authorization/rbac_policy.cc
 src/core/lib/security/authorization/rbac_translator.cc
 test/core/security/grpc_authorization_policy_provider_test.cc
 third_party/googletest/googletest/src/gtest-all.cc
@@ -13991,14 +14000,46 @@ target_link_libraries(raw_end2end_test
 )
+endif()
+if(gRPC_BUILD_TESTS)
+
+add_executable(rbac_service_config_parser_test
+ test/core/ext/filters/rbac/rbac_service_config_parser_test.cc
+ third_party/googletest/googletest/src/gtest-all.cc
+ third_party/googletest/googlemock/src/gmock-all.cc
+)
+
+target_include_directories(rbac_service_config_parser_test
+ PRIVATE
+ ${CMAKE_CURRENT_SOURCE_DIR}
+ ${CMAKE_CURRENT_SOURCE_DIR}/include
+ ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+ ${_gRPC_RE2_INCLUDE_DIR}
+ ${_gRPC_SSL_INCLUDE_DIR}
+ ${_gRPC_UPB_GENERATED_DIR}
+ ${_gRPC_UPB_GRPC_GENERATED_DIR}
+ ${_gRPC_UPB_INCLUDE_DIR}
+ ${_gRPC_XXHASH_INCLUDE_DIR}
+ ${_gRPC_ZLIB_INCLUDE_DIR}
+ third_party/googletest/googletest/include
+ third_party/googletest/googletest
+ third_party/googletest/googlemock/include
+ third_party/googletest/googlemock
+ ${_gRPC_PROTO_GENS_DIR}
+)
+
+target_link_libraries(rbac_service_config_parser_test
+ ${_gRPC_PROTOBUF_LIBRARIES}
+ ${_gRPC_ALLTARGETS_LIBRARIES}
+ grpc_test_util
+)
+
+
 endif()
 if(gRPC_BUILD_TESTS)
 add_executable(rbac_translator_test
- src/core/lib/security/authorization/grpc_authorization_engine.cc
 src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
- src/core/lib/security/authorization/matchers.cc
- src/core/lib/security/authorization/rbac_policy.cc
 src/core/lib/security/authorization/rbac_translator.cc
 test/core/security/rbac_translator_test.cc
 third_party/googletest/googletest/src/gtest-all.cc
@@ -14409,10 +14450,7 @@ add_executable(sdk_authz_end2end_test
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.h
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.h
- src/core/lib/security/authorization/grpc_authorization_engine.cc
 src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
- src/core/lib/security/authorization/matchers.cc
- src/core/lib/security/authorization/rbac_policy.cc
 src/core/lib/security/authorization/rbac_translator.cc
 src/cpp/server/authorization_policy_provider.cc
 test/cpp/end2end/sdk_authz_end2end_test.cc
@@ -17010,6 +17048,10 @@ if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/endpoint.grpc.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/endpoint.pb.h
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/endpoint.grpc.pb.h
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/expr.pb.cc
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/expr.grpc.pb.cc
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/expr.pb.h
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/expr.grpc.pb.h
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/extension.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/extension.grpc.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/extension.pb.h
@@ -17026,6 +17068,10 @@ if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/http_connection_manager.grpc.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/http_connection_manager.pb.h
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/http_connection_manager.grpc.pb.h
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/http_filter_rbac.pb.cc
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/http_filter_rbac.grpc.pb.cc
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/http_filter_rbac.pb.h
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/http_filter_rbac.grpc.pb.h
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/listener.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/listener.grpc.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/listener.pb.h
@@ -17038,6 +17084,14 @@ if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/lrs.grpc.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/lrs.pb.h
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/lrs.grpc.pb.h
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/metadata.pb.cc
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/metadata.grpc.pb.cc
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/metadata.pb.h
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/metadata.grpc.pb.h
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/path.pb.cc
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/path.grpc.pb.cc
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/path.pb.h
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/path.grpc.pb.h
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/percent.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/percent.grpc.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/percent.pb.h
@@ -17050,6 +17104,10 @@ if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/range.grpc.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/range.pb.h
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/range.grpc.pb.h
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/rbac.pb.cc
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/rbac.grpc.pb.cc
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/rbac.pb.h
+ ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/rbac.grpc.pb.h
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/regex.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/regex.grpc.pb.cc
 ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/regex.pb.h
diff --git a/Makefile b/Makefile
index 8ac57541374..84b80a2392d 100644
--- a/Makefile
+++ b/Makefile
@@ -1096,6 +1096,8 @@ LIBGRPC_SRC = \
 src/core/ext/filters/http/server/http_server_filter.cc \
 src/core/ext/filters/max_age/max_age_filter.cc \
 src/core/ext/filters/message_size/message_size_filter.cc \
+ src/core/ext/filters/rbac/rbac_filter.cc \
+ src/core/ext/filters/rbac/rbac_service_config_parser.cc \
 src/core/ext/filters/server_config_selector/server_config_selector.cc \
 src/core/ext/filters/server_config_selector/server_config_selector_filter.cc \
 src/core/ext/service_config/service_config.cc \
@@ -1177,6 +1179,7 @@ LIBGRPC_SRC = \
 src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c \
 src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c \
 src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c \
+ src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c \
 src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c \
 src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c \
 src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c \
@@ -1277,6 +1280,7 @@ LIBGRPC_SRC = \
 src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c \
+ src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.c \
@@ -1284,6 +1288,7 @@ LIBGRPC_SRC = \
 src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c \
+ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c \
@@ -1315,6 +1320,11 @@ LIBGRPC_SRC = \
 src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.c \
 src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c \
 src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c \
+ src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c \
+ src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c \
+ src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c \
+ src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c \
+ src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c \
 src/core/ext/upbdefs-generated/google/api/http.upbdefs.c \
 src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c \
 src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c \
@@ -1352,6 +1362,7 @@ LIBGRPC_SRC = \
 src/core/ext/xds/xds_endpoint.cc \
 src/core/ext/xds/xds_http_fault_filter.cc \
 src/core/ext/xds/xds_http_filters.cc \
+ src/core/ext/xds/xds_http_rbac_filter.cc \
 src/core/ext/xds/xds_listener.cc \
 src/core/ext/xds/xds_resource_type.cc \
 src/core/ext/xds/xds_route_config.cc \
@@ -1494,6 +1505,9 @@ LIBGRPC_SRC = \
 src/core/lib/resource_quota/trace.cc \
 src/core/lib/security/authorization/authorization_policy_provider_vtable.cc \
 src/core/lib/security/authorization/evaluate_args.cc \
+ src/core/lib/security/authorization/grpc_authorization_engine.cc \
+ src/core/lib/security/authorization/matchers.cc \
+ src/core/lib/security/authorization/rbac_policy.cc \
 src/core/lib/security/authorization/sdk_server_authz_filter.cc \
 src/core/lib/security/context/security_context.cc \
 src/core/lib/security/credentials/alts/alts_credentials.cc \
@@ -2744,6 +2758,8 @@ src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc: $(OPEN
 src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_resolver.cc: $(OPENSSL_DEP)
 src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc: $(OPENSSL_DEP)
 src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc: $(OPENSSL_DEP)
+src/core/ext/filters/rbac/rbac_filter.cc: $(OPENSSL_DEP)
+src/core/ext/filters/rbac/rbac_service_config_parser.cc: $(OPENSSL_DEP)
 src/core/ext/filters/server_config_selector/server_config_selector.cc: $(OPENSSL_DEP)
 src/core/ext/filters/server_config_selector/server_config_selector_filter.cc: $(OPENSSL_DEP)
 src/core/ext/transport/chttp2/client/secure/secure_channel_create.cc: $(OPENSSL_DEP)
@@ -2790,6 +2806,7 @@ src/core/ext/upb-generated/envoy/config/trace/v3/http_tracer.upb.c: $(OPENSSL_DE
 src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c: $(OPENSSL_DEP)
 src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c: $(OPENSSL_DEP)
 src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c: $(OPENSSL_DEP)
+src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c: $(OPENSSL_DEP)
 src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c: $(OPENSSL_DEP)
 src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c: $(OPENSSL_DEP)
 src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c: $(OPENSSL_DEP)
@@ -2881,6 +2898,7 @@ src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c: $ src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c: $(OPENSSL_DEP) +src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.c: $(OPENSSL_DEP) @@ -2888,6 +2906,7 @@ src/core/ext/upbdefs-generated/envoy/config/trace/v3/http_tracer.upbdefs.c: $(OP src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c: $(OPENSSL_DEP) +src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c: $(OPENSSL_DEP) 
@@ -2919,6 +2938,11 @@ src/core/ext/upbdefs-generated/envoy/type/v3/percent.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c: $(OPENSSL_DEP) +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c: $(OPENSSL_DEP) +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c: $(OPENSSL_DEP) +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c: $(OPENSSL_DEP) +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c: $(OPENSSL_DEP) +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/google/api/http.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c: $(OPENSSL_DEP) src/core/ext/upbdefs-generated/google/protobuf/duration.upbdefs.c: $(OPENSSL_DEP) @@ -2955,6 +2979,7 @@ src/core/ext/xds/xds_common_types.cc: $(OPENSSL_DEP) src/core/ext/xds/xds_endpoint.cc: $(OPENSSL_DEP) src/core/ext/xds/xds_http_fault_filter.cc: $(OPENSSL_DEP) src/core/ext/xds/xds_http_filters.cc: $(OPENSSL_DEP) +src/core/ext/xds/xds_http_rbac_filter.cc: $(OPENSSL_DEP) src/core/ext/xds/xds_listener.cc: $(OPENSSL_DEP) src/core/ext/xds/xds_resource_type.cc: $(OPENSSL_DEP) src/core/ext/xds/xds_route_config.cc: $(OPENSSL_DEP) 
@@ -2964,6 +2989,9 @@ src/core/lib/http/httpcli_security_connector.cc: $(OPENSSL_DEP) src/core/lib/matchers/matchers.cc: $(OPENSSL_DEP) src/core/lib/security/authorization/authorization_policy_provider_vtable.cc: $(OPENSSL_DEP) src/core/lib/security/authorization/evaluate_args.cc: $(OPENSSL_DEP) +src/core/lib/security/authorization/grpc_authorization_engine.cc: $(OPENSSL_DEP) +src/core/lib/security/authorization/matchers.cc: $(OPENSSL_DEP) +src/core/lib/security/authorization/rbac_policy.cc: $(OPENSSL_DEP) src/core/lib/security/authorization/sdk_server_authz_filter.cc: $(OPENSSL_DEP) src/core/lib/security/context/security_context.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/alts/alts_credentials.cc: $(OPENSSL_DEP) diff --git a/build_autogenerated.yaml b/build_autogenerated.yaml index 6e660f87924..25c32fe1af8 100644 --- a/build_autogenerated.yaml +++ b/build_autogenerated.yaml @@ -131,10 +131,7 @@ libs: language: c public_headers: [] headers: - - src/core/lib/security/authorization/grpc_authorization_engine.h - src/core/lib/security/authorization/grpc_authorization_policy_provider.h - - src/core/lib/security/authorization/matchers.h - - src/core/lib/security/authorization/rbac_policy.h - src/core/lib/security/authorization/rbac_translator.h - test/core/compression/args_utils.h - test/core/end2end/cq_verifier.h @@ -146,10 +143,7 @@ libs: - test/core/end2end/tests/cancel_test_helpers.h - test/core/util/test_lb_policies.h src: - - src/core/lib/security/authorization/grpc_authorization_engine.cc - src/core/lib/security/authorization/grpc_authorization_policy_provider.cc - - src/core/lib/security/authorization/matchers.cc - - src/core/lib/security/authorization/rbac_policy.cc - src/core/lib/security/authorization/rbac_translator.cc - test/core/compression/args_utils.cc - test/core/end2end/cq_verifier.cc 
@@ -470,6 +464,8 @@ libs: - src/core/ext/filters/http/server/http_server_filter.h - src/core/ext/filters/max_age/max_age_filter.h - src/core/ext/filters/message_size/message_size_filter.h + - src/core/ext/filters/rbac/rbac_filter.h + - src/core/ext/filters/rbac/rbac_service_config_parser.h - src/core/ext/filters/server_config_selector/server_config_selector.h - src/core/ext/filters/server_config_selector/server_config_selector_filter.h - src/core/ext/service_config/service_config.h @@ -546,6 +542,7 @@ libs: - src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h - src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h - src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h + - src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h - src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h - src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h - src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.h @@ -646,6 +643,7 @@ libs: - src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.h - src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h - src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h + - src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h - src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h - src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h - src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.h 
@@ -653,6 +651,7 @@ libs: - src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h - src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h - src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h + - src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h - src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h - src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h - src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.h @@ -684,6 +683,11 @@ libs: - src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.h - src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.h - src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.h + - src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h + - src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h + - src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h + - src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h + - src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h - src/core/ext/upbdefs-generated/google/api/http.upbdefs.h - src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.h - src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.h @@ -724,6 +728,7 @@ libs: - src/core/ext/xds/xds_endpoint.h - src/core/ext/xds/xds_http_fault_filter.h - src/core/ext/xds/xds_http_filters.h + - src/core/ext/xds/xds_http_rbac_filter.h - src/core/ext/xds/xds_listener.h - src/core/ext/xds/xds_resource_type.h - src/core/ext/xds/xds_resource_type_impl.h 
@@ -872,6 +877,9 @@ libs: - src/core/lib/security/authorization/authorization_engine.h - src/core/lib/security/authorization/authorization_policy_provider.h - src/core/lib/security/authorization/evaluate_args.h + - src/core/lib/security/authorization/grpc_authorization_engine.h + - src/core/lib/security/authorization/matchers.h + - src/core/lib/security/authorization/rbac_policy.h - src/core/lib/security/authorization/sdk_server_authz_filter.h - src/core/lib/security/context/security_context.h - src/core/lib/security/credentials/alts/alts_credentials.h @@ -1059,6 +1067,8 @@ libs: - src/core/ext/filters/http/server/http_server_filter.cc - src/core/ext/filters/max_age/max_age_filter.cc - src/core/ext/filters/message_size/message_size_filter.cc + - src/core/ext/filters/rbac/rbac_filter.cc + - src/core/ext/filters/rbac/rbac_service_config_parser.cc - src/core/ext/filters/server_config_selector/server_config_selector.cc - src/core/ext/filters/server_config_selector/server_config_selector_filter.cc - src/core/ext/service_config/service_config.cc @@ -1140,6 +1150,7 @@ libs: - src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c - src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c - src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c + - src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c - src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c - src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c - src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c 
@@ -1240,6 +1251,7 @@ libs: - src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c - src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c - src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c + - src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c - src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c - src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c - src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.c @@ -1247,6 +1259,7 @@ libs: - src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c - src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c - src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c + - src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c - src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c - src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c - src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c 
@@ -1278,6 +1291,11 @@ libs: - src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.c - src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c - src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c + - src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c + - src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c + - src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c + - src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c + - src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c - src/core/ext/upbdefs-generated/google/api/http.upbdefs.c - src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c - src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c @@ -1315,6 +1333,7 @@ libs: - src/core/ext/xds/xds_endpoint.cc - src/core/ext/xds/xds_http_fault_filter.cc - src/core/ext/xds/xds_http_filters.cc + - src/core/ext/xds/xds_http_rbac_filter.cc - src/core/ext/xds/xds_listener.cc - src/core/ext/xds/xds_resource_type.cc - src/core/ext/xds/xds_route_config.cc @@ -1457,6 +1476,9 @@ libs: - src/core/lib/resource_quota/trace.cc - src/core/lib/security/authorization/authorization_policy_provider_vtable.cc - src/core/lib/security/authorization/evaluate_args.cc + - src/core/lib/security/authorization/grpc_authorization_engine.cc + - src/core/lib/security/authorization/matchers.cc + - src/core/lib/security/authorization/rbac_policy.cc - src/core/lib/security/authorization/sdk_server_authz_filter.cc - src/core/lib/security/context/security_context.cc - src/core/lib/security/credentials/alts/alts_credentials.cc 
@@ -3922,16 +3944,10 @@ targets: build: test language: c headers: - - src/core/lib/security/authorization/grpc_authorization_engine.h - src/core/lib/security/authorization/grpc_authorization_policy_provider.h - - src/core/lib/security/authorization/matchers.h - - src/core/lib/security/authorization/rbac_policy.h - src/core/lib/security/authorization/rbac_translator.h src: - - src/core/lib/security/authorization/grpc_authorization_engine.cc - src/core/lib/security/authorization/grpc_authorization_policy_provider.cc - - src/core/lib/security/authorization/matchers.cc - - src/core/lib/security/authorization/rbac_policy.cc - src/core/lib/security/authorization/rbac_translator.cc - test/core/surface/public_headers_must_be_c89.c deps: @@ -4595,14 +4611,8 @@ targets: gtest: true build: test language: c++ - headers: - - src/core/lib/security/authorization/grpc_authorization_engine.h - - src/core/lib/security/authorization/matchers.h - - src/core/lib/security/authorization/rbac_policy.h + headers: [] src: - - src/core/lib/security/authorization/grpc_authorization_engine.cc - - src/core/lib/security/authorization/matchers.cc - - src/core/lib/security/authorization/rbac_policy.cc - test/core/security/authorization_matchers_test.cc deps: - grpc_test_util 
@@ -4611,16 +4621,10 @@ targets: build: test language: c++ headers: - - src/core/lib/security/authorization/grpc_authorization_engine.h - src/core/lib/security/authorization/grpc_authorization_policy_provider.h - - src/core/lib/security/authorization/matchers.h - - src/core/lib/security/authorization/rbac_policy.h - src/core/lib/security/authorization/rbac_translator.h src: - - src/core/lib/security/authorization/grpc_authorization_engine.cc - src/core/lib/security/authorization/grpc_authorization_policy_provider.cc - - src/core/lib/security/authorization/matchers.cc - - src/core/lib/security/authorization/rbac_policy.cc - src/core/lib/security/authorization/rbac_translator.cc - src/cpp/server/authorization_policy_provider.cc - test/cpp/server/authorization_policy_provider_test.cc @@ -4877,20 +4881,14 @@ targets: language: c++ headers: - src/core/lib/security/authorization/cel_authorization_engine.h - - src/core/lib/security/authorization/grpc_authorization_engine.h - - src/core/lib/security/authorization/matchers.h - src/core/lib/security/authorization/mock_cel/activation.h - src/core/lib/security/authorization/mock_cel/cel_expr_builder_factory.h - src/core/lib/security/authorization/mock_cel/cel_expression.h - src/core/lib/security/authorization/mock_cel/cel_value.h - src/core/lib/security/authorization/mock_cel/evaluator_core.h - src/core/lib/security/authorization/mock_cel/flat_expr_builder.h - - src/core/lib/security/authorization/rbac_policy.h src: - src/core/lib/security/authorization/cel_authorization_engine.cc - - src/core/lib/security/authorization/grpc_authorization_engine.cc - - src/core/lib/security/authorization/matchers.cc - - src/core/lib/security/authorization/rbac_policy.cc - test/core/security/cel_authorization_engine_test.cc deps: - absl/container:flat_hash_set 
@@ -6009,14 +6007,8 @@ targets: gtest: true build: test language: c++ - headers: - - src/core/lib/security/authorization/grpc_authorization_engine.h - - src/core/lib/security/authorization/matchers.h - - src/core/lib/security/authorization/rbac_policy.h + headers: [] src: - - src/core/lib/security/authorization/grpc_authorization_engine.cc - - src/core/lib/security/authorization/matchers.cc - - src/core/lib/security/authorization/rbac_policy.cc - test/core/security/grpc_authorization_engine_test.cc deps: - grpc_test_util @@ -6025,16 +6017,10 @@ targets: build: test language: c++ headers: - - src/core/lib/security/authorization/grpc_authorization_engine.h - src/core/lib/security/authorization/grpc_authorization_policy_provider.h - - src/core/lib/security/authorization/matchers.h - - src/core/lib/security/authorization/rbac_policy.h - src/core/lib/security/authorization/rbac_translator.h src: - - src/core/lib/security/authorization/grpc_authorization_engine.cc - src/core/lib/security/authorization/grpc_authorization_policy_provider.cc - - src/core/lib/security/authorization/matchers.cc - - src/core/lib/security/authorization/rbac_policy.cc - src/core/lib/security/authorization/rbac_translator.cc - test/core/security/grpc_authorization_policy_provider_test.cc deps: 
@@ -7313,21 +7299,25 @@ targets: - test/cpp/end2end/test_service_impl.cc deps: - grpc++_test_util +- name: rbac_service_config_parser_test + gtest: true + build: test + language: c++ + headers: [] + src: + - test/core/ext/filters/rbac/rbac_service_config_parser_test.cc + deps: + - grpc_test_util + uses_polling: false - name: rbac_translator_test gtest: true build: test language: c++ headers: - - src/core/lib/security/authorization/grpc_authorization_engine.h - src/core/lib/security/authorization/grpc_authorization_policy_provider.h - - src/core/lib/security/authorization/matchers.h - - src/core/lib/security/authorization/rbac_policy.h - src/core/lib/security/authorization/rbac_translator.h src: - - src/core/lib/security/authorization/grpc_authorization_engine.cc - src/core/lib/security/authorization/grpc_authorization_policy_provider.cc - - src/core/lib/security/authorization/matchers.cc - - src/core/lib/security/authorization/rbac_policy.cc - src/core/lib/security/authorization/rbac_translator.cc - test/core/security/rbac_translator_test.cc deps: 
@@ -7497,20 +7487,14 @@ targets: build: test language: c++ headers: - - src/core/lib/security/authorization/grpc_authorization_engine.h - src/core/lib/security/authorization/grpc_authorization_policy_provider.h - - src/core/lib/security/authorization/matchers.h - - src/core/lib/security/authorization/rbac_policy.h - src/core/lib/security/authorization/rbac_translator.h - test/cpp/end2end/test_service_impl.h src: - src/proto/grpc/testing/echo.proto - src/proto/grpc/testing/echo_messages.proto - src/proto/grpc/testing/simple_messages.proto - - src/core/lib/security/authorization/grpc_authorization_engine.cc - src/core/lib/security/authorization/grpc_authorization_policy_provider.cc - - src/core/lib/security/authorization/matchers.cc - - src/core/lib/security/authorization/rbac_policy.cc - src/core/lib/security/authorization/rbac_translator.cc - src/cpp/server/authorization_policy_provider.cc - test/cpp/end2end/sdk_authz_end2end_test.cc @@ -8584,16 +8568,21 @@ targets: - src/proto/grpc/testing/xds/v3/csds.proto - src/proto/grpc/testing/xds/v3/discovery.proto - src/proto/grpc/testing/xds/v3/endpoint.proto + - src/proto/grpc/testing/xds/v3/expr.proto - src/proto/grpc/testing/xds/v3/extension.proto - src/proto/grpc/testing/xds/v3/fault.proto - src/proto/grpc/testing/xds/v3/fault_common.proto - src/proto/grpc/testing/xds/v3/http_connection_manager.proto + - src/proto/grpc/testing/xds/v3/http_filter_rbac.proto - src/proto/grpc/testing/xds/v3/listener.proto - src/proto/grpc/testing/xds/v3/load_report.proto - src/proto/grpc/testing/xds/v3/lrs.proto + - src/proto/grpc/testing/xds/v3/metadata.proto + - src/proto/grpc/testing/xds/v3/path.proto - src/proto/grpc/testing/xds/v3/percent.proto - src/proto/grpc/testing/xds/v3/protocol.proto - src/proto/grpc/testing/xds/v3/range.proto + - src/proto/grpc/testing/xds/v3/rbac.proto - src/proto/grpc/testing/xds/v3/regex.proto - src/proto/grpc/testing/xds/v3/route.proto - src/proto/grpc/testing/xds/v3/router.proto 
diff --git a/config.m4 b/config.m4 index 64fbba4e16c..38fa766c79e 100644 --- a/config.m4 +++ b/config.m4 @@ -114,6 +114,8 @@ if test "$PHP_GRPC" != "no"; then src/core/ext/filters/http/server/http_server_filter.cc \ src/core/ext/filters/max_age/max_age_filter.cc \ src/core/ext/filters/message_size/message_size_filter.cc \ + src/core/ext/filters/rbac/rbac_filter.cc \ + src/core/ext/filters/rbac/rbac_service_config_parser.cc \ src/core/ext/filters/server_config_selector/server_config_selector.cc \ src/core/ext/filters/server_config_selector/server_config_selector_filter.cc \ src/core/ext/service_config/service_config.cc \ @@ -195,6 +197,7 @@ if test "$PHP_GRPC" != "no"; then src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c \ src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c \ src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c \ + src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c \ src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c \ src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c \ src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c \ @@ -295,6 +298,7 @@ if test "$PHP_GRPC" != "no"; then src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c \ + src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.c \ 
@@ -302,6 +306,7 @@ if test "$PHP_GRPC" != "no"; then src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c \ + src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c \ @@ -333,6 +338,11 @@ if test "$PHP_GRPC" != "no"; then src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c \ src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c \ + src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c \ + src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c \ + src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c \ + src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c \ + src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c \ src/core/ext/upbdefs-generated/google/api/http.upbdefs.c \ src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c \ src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c \ @@ -370,6 +380,7 @@ if test "$PHP_GRPC" != "no"; then src/core/ext/xds/xds_endpoint.cc \ src/core/ext/xds/xds_http_fault_filter.cc \ src/core/ext/xds/xds_http_filters.cc \ + src/core/ext/xds/xds_http_rbac_filter.cc \ src/core/ext/xds/xds_listener.cc \ src/core/ext/xds/xds_resource_type.cc \ src/core/ext/xds/xds_route_config.cc \ 
@@ -556,6 +567,9 @@ if test "$PHP_GRPC" != "no"; then src/core/lib/resource_quota/trace.cc \ src/core/lib/security/authorization/authorization_policy_provider_vtable.cc \ src/core/lib/security/authorization/evaluate_args.cc \ + src/core/lib/security/authorization/grpc_authorization_engine.cc \ + src/core/lib/security/authorization/matchers.cc \ + src/core/lib/security/authorization/rbac_policy.cc \ src/core/lib/security/authorization/sdk_server_authz_filter.cc \ src/core/lib/security/context/security_context.cc \ src/core/lib/security/credentials/alts/alts_credentials.cc \ @@ -1126,6 +1140,7 @@ if test "$PHP_GRPC" != "no"; then PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/filters/http/server) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/filters/max_age) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/filters/message_size) + PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/filters/rbac) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/filters/server_config_selector) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/service_config) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/transport/chttp2/alpn) @@ -1153,6 +1168,7 @@ if test "$PHP_GRPC" != "no"; then PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3) + PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3) 
@@ -1192,11 +1208,13 @@ if test "$PHP_GRPC" != "no"; then PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/config/listener/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/config/metrics/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/config/overload/v3) + PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/config/rbac/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/config/route/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/config/trace/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3) + PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3) @@ -1213,6 +1231,7 @@ if test "$PHP_GRPC" != "no"; then PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/type/tracing/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/envoy/type/v3) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/google/api) + PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/google/protobuf) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/google/rpc) PHP_ADD_BUILD_DIR($ext_builddir/src/core/ext/upbdefs-generated/udpa/annotations) 
diff --git a/config.w32 b/config.w32 index de36ad51ae9..edfd3a99bae 100644 --- a/config.w32 +++ b/config.w32 @@ -80,6 +80,8 @@ if (PHP_GRPC != "no") { "src\\core\\ext\\filters\\http\\server\\http_server_filter.cc " + "src\\core\\ext\\filters\\max_age\\max_age_filter.cc " + "src\\core\\ext\\filters\\message_size\\message_size_filter.cc " + + "src\\core\\ext\\filters\\rbac\\rbac_filter.cc " + + "src\\core\\ext\\filters\\rbac\\rbac_service_config_parser.cc " + "src\\core\\ext\\filters\\server_config_selector\\server_config_selector.cc " + "src\\core\\ext\\filters\\server_config_selector\\server_config_selector_filter.cc " + "src\\core\\ext\\service_config\\service_config.cc " + @@ -161,6 +163,7 @@ if (PHP_GRPC != "no") { "src\\core\\ext\\upb-generated\\envoy\\extensions\\clusters\\aggregate\\v3\\cluster.upb.c " + "src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\common\\fault\\v3\\fault.upb.c " + "src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\http\\fault\\v3\\fault.upb.c " + + "src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\http\\rbac\\v3\\rbac.upb.c " + "src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\http\\router\\v3\\router.upb.c " + "src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\network\\http_connection_manager\\v3\\http_connection_manager.upb.c " + "src\\core\\ext\\upb-generated\\envoy\\extensions\\transport_sockets\\tls\\v3\\cert.upb.c " + 
@@ -261,6 +264,7 @@ if (PHP_GRPC != "no") { "src\\core\\ext\\upbdefs-generated\\envoy\\config\\listener\\v3\\udp_listener_config.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\config\\metrics\\v3\\stats.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\config\\overload\\v3\\overload.upbdefs.c " + + "src\\core\\ext\\upbdefs-generated\\envoy\\config\\rbac\\v3\\rbac.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\config\\route\\v3\\route.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\config\\route\\v3\\route_components.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\config\\route\\v3\\scoped_route.upbdefs.c " + @@ -268,6 +272,7 @@ if (PHP_GRPC != "no") { "src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\clusters\\aggregate\\v3\\cluster.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\common\\fault\\v3\\fault.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\http\\fault\\v3\\fault.upbdefs.c " + + "src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\http\\rbac\\v3\\rbac.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\http\\router\\v3\\router.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\network\\http_connection_manager\\v3\\http_connection_manager.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\transport_sockets\\tls\\v3\\cert.upbdefs.c " + 
@@ -299,6 +304,11 @@ if (PHP_GRPC != "no") { "src\\core\\ext\\upbdefs-generated\\envoy\\type\\v3\\range.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\envoy\\type\\v3\\semantic_version.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\google\\api\\annotations.upbdefs.c " + + "src\\core\\ext\\upbdefs-generated\\google\\api\\expr\\v1alpha1\\checked.upbdefs.c " + + "src\\core\\ext\\upbdefs-generated\\google\\api\\expr\\v1alpha1\\eval.upbdefs.c " + + "src\\core\\ext\\upbdefs-generated\\google\\api\\expr\\v1alpha1\\explain.upbdefs.c " + + "src\\core\\ext\\upbdefs-generated\\google\\api\\expr\\v1alpha1\\syntax.upbdefs.c " + + "src\\core\\ext\\upbdefs-generated\\google\\api\\expr\\v1alpha1\\value.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\google\\api\\http.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\google\\protobuf\\any.upbdefs.c " + "src\\core\\ext\\upbdefs-generated\\google\\protobuf\\descriptor.upbdefs.c " + @@ -336,6 +346,7 @@ if (PHP_GRPC != "no") { "src\\core\\ext\\xds\\xds_endpoint.cc " + "src\\core\\ext\\xds\\xds_http_fault_filter.cc " + "src\\core\\ext\\xds\\xds_http_filters.cc " + + "src\\core\\ext\\xds\\xds_http_rbac_filter.cc " + "src\\core\\ext\\xds\\xds_listener.cc " + "src\\core\\ext\\xds\\xds_resource_type.cc " + "src\\core\\ext\\xds\\xds_route_config.cc " + @@ -522,6 +533,9 @@ if (PHP_GRPC != "no") { "src\\core\\lib\\resource_quota\\trace.cc " + "src\\core\\lib\\security\\authorization\\authorization_policy_provider_vtable.cc " + "src\\core\\lib\\security\\authorization\\evaluate_args.cc " + + "src\\core\\lib\\security\\authorization\\grpc_authorization_engine.cc " + + "src\\core\\lib\\security\\authorization\\matchers.cc " + + "src\\core\\lib\\security\\authorization\\rbac_policy.cc " + "src\\core\\lib\\security\\authorization\\sdk_server_authz_filter.cc " + "src\\core\\lib\\security\\context\\security_context.cc " + "src\\core\\lib\\security\\credentials\\alts\\alts_credentials.cc " + 
@@ -1125,6 +1139,7 @@ if (PHP_GRPC != "no") { FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\filters\\http\\server"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\filters\\max_age"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\filters\\message_size"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\filters\\rbac"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\filters\\server_config_selector"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\service_config"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\transport"); @@ -1177,6 +1192,8 @@ if (PHP_GRPC != "no") { FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\http"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\http\\fault"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\http\\fault\\v3"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\http\\rbac"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\http\\rbac\\v3"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\http\\router"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\http\\router\\v3"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upb-generated\\envoy\\extensions\\filters\\network"); 
@@ -1261,6 +1278,8 @@ if (PHP_GRPC != "no") { FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\config\\metrics\\v3"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\config\\overload"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\config\\overload\\v3"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\config\\rbac"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\config\\rbac\\v3"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\config\\route"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\config\\route\\v3"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\config\\trace"); @@ -1276,6 +1295,8 @@ if (PHP_GRPC != "no") { FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\http"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\http\\fault"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\http\\fault\\v3"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\http\\rbac"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\http\\rbac\\v3"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\http\\router"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\http\\router\\v3"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\extensions\\filters\\network"); 
@@ -1311,6 +1332,8 @@ if (PHP_GRPC != "no") { FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\envoy\\type\\v3"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\google"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\google\\api"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\google\\api\\expr"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\google\\api\\expr\\v1alpha1"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\google\\protobuf"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\google\\rpc"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\ext\\upbdefs-generated\\udpa"); diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec index c2d92b5c9bc..b30706c098c 100644 --- a/gRPC-C++.podspec +++ b/gRPC-C++.podspec @@ -271,6 +271,8 @@ Pod::Spec.new do |s| 'src/core/ext/filters/http/server/http_server_filter.h', 'src/core/ext/filters/max_age/max_age_filter.h', 'src/core/ext/filters/message_size/message_size_filter.h', + 'src/core/ext/filters/rbac/rbac_filter.h', + 'src/core/ext/filters/rbac/rbac_service_config_parser.h', 'src/core/ext/filters/server_config_selector/server_config_selector.h', 'src/core/ext/filters/server_config_selector/server_config_selector_filter.h', 'src/core/ext/service_config/service_config.h', 
@@ -385,6 +387,7 @@ Pod::Spec.new do |s| 'src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h', + 'src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h', 'src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.h', @@ -485,6 +488,7 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h', + 'src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.h', @@ -492,6 +496,7 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h', + 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.h', 
@@ -523,6 +528,11 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.h', 'src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h', 'src/core/ext/upbdefs-generated/google/api/http.upbdefs.h', 'src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.h', 'src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.h', @@ -563,6 +573,7 @@ Pod::Spec.new do |s| 'src/core/ext/xds/xds_endpoint.h', 'src/core/ext/xds/xds_http_fault_filter.h', 'src/core/ext/xds/xds_http_filters.h', + 'src/core/ext/xds/xds_http_rbac_filter.h', 'src/core/ext/xds/xds_listener.h', 'src/core/ext/xds/xds_resource_type.h', 'src/core/ext/xds/xds_resource_type_impl.h', @@ -739,6 +750,9 @@ Pod::Spec.new do |s| 'src/core/lib/security/authorization/authorization_engine.h', 'src/core/lib/security/authorization/authorization_policy_provider.h', 'src/core/lib/security/authorization/evaluate_args.h', + 'src/core/lib/security/authorization/grpc_authorization_engine.h', + 'src/core/lib/security/authorization/matchers.h', + 'src/core/lib/security/authorization/rbac_policy.h', 'src/core/lib/security/authorization/sdk_server_authz_filter.h', 'src/core/lib/security/context/security_context.h', 'src/core/lib/security/credentials/alts/alts_credentials.h', 
@@ -1012,6 +1026,8 @@ Pod::Spec.new do |s| 'src/core/ext/filters/http/server/http_server_filter.h', 'src/core/ext/filters/max_age/max_age_filter.h', 'src/core/ext/filters/message_size/message_size_filter.h', + 'src/core/ext/filters/rbac/rbac_filter.h', + 'src/core/ext/filters/rbac/rbac_service_config_parser.h', 'src/core/ext/filters/server_config_selector/server_config_selector.h', 'src/core/ext/filters/server_config_selector/server_config_selector_filter.h', 'src/core/ext/service_config/service_config.h', @@ -1108,6 +1124,7 @@ Pod::Spec.new do |s| 'src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h', + 'src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h', 'src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.h', @@ -1208,6 +1225,7 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h', + 'src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.h', 
@@ -1215,6 +1233,7 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h', + 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.h', @@ -1246,6 +1265,11 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.h', 'src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h', 'src/core/ext/upbdefs-generated/google/api/http.upbdefs.h', 'src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.h', 'src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.h', @@ -1286,6 +1310,7 @@ Pod::Spec.new do |s| 'src/core/ext/xds/xds_endpoint.h', 'src/core/ext/xds/xds_http_fault_filter.h', 'src/core/ext/xds/xds_http_filters.h', + 'src/core/ext/xds/xds_http_rbac_filter.h', 'src/core/ext/xds/xds_listener.h', 'src/core/ext/xds/xds_resource_type.h', 'src/core/ext/xds/xds_resource_type_impl.h', 
@@ -1462,6 +1487,9 @@ Pod::Spec.new do |s| 'src/core/lib/security/authorization/authorization_engine.h', 'src/core/lib/security/authorization/authorization_policy_provider.h', 'src/core/lib/security/authorization/evaluate_args.h', + 'src/core/lib/security/authorization/grpc_authorization_engine.h', + 'src/core/lib/security/authorization/matchers.h', + 'src/core/lib/security/authorization/rbac_policy.h', 'src/core/lib/security/authorization/sdk_server_authz_filter.h', 'src/core/lib/security/context/security_context.h', 'src/core/lib/security/credentials/alts/alts_credentials.h', diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec index fe7db29be46..96fe52e7fe5 100644 --- a/gRPC-Core.podspec +++ b/gRPC-Core.podspec @@ -322,6 +322,10 @@ Pod::Spec.new do |s| 'src/core/ext/filters/max_age/max_age_filter.h', 'src/core/ext/filters/message_size/message_size_filter.cc', 'src/core/ext/filters/message_size/message_size_filter.h', + 'src/core/ext/filters/rbac/rbac_filter.cc', + 'src/core/ext/filters/rbac/rbac_filter.h', + 'src/core/ext/filters/rbac/rbac_service_config_parser.cc', + 'src/core/ext/filters/rbac/rbac_service_config_parser.h', 'src/core/ext/filters/server_config_selector/server_config_selector.cc', 'src/core/ext/filters/server_config_selector/server_config_selector.h', 'src/core/ext/filters/server_config_selector/server_config_selector_filter.cc', 
@@ -479,6 +483,8 @@ Pod::Spec.new do |s| 'src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c', 'src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h', + 'src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c', + 'src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c', 'src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c', @@ -679,6 +685,8 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h', + 'src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c', + 'src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c', 
@@ -693,6 +701,8 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h', + 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c', + 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c', 
@@ -755,6 +765,16 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.h', 'src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c', 'src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h', 'src/core/ext/upbdefs-generated/google/api/http.upbdefs.c', 'src/core/ext/upbdefs-generated/google/api/http.upbdefs.h', 'src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c', @@ -832,6 +852,8 @@ Pod::Spec.new do |s| 'src/core/ext/xds/xds_http_fault_filter.h', 'src/core/ext/xds/xds_http_filters.cc', 'src/core/ext/xds/xds_http_filters.h', + 'src/core/ext/xds/xds_http_rbac_filter.cc', + 'src/core/ext/xds/xds_http_rbac_filter.h', 'src/core/ext/xds/xds_listener.cc', 'src/core/ext/xds/xds_listener.h', 'src/core/ext/xds/xds_resource_type.cc', 
@@ -1194,6 +1216,12 @@ Pod::Spec.new do |s| 'src/core/lib/security/authorization/authorization_policy_provider_vtable.cc', 'src/core/lib/security/authorization/evaluate_args.cc', 'src/core/lib/security/authorization/evaluate_args.h', + 'src/core/lib/security/authorization/grpc_authorization_engine.cc', + 'src/core/lib/security/authorization/grpc_authorization_engine.h', + 'src/core/lib/security/authorization/matchers.cc', + 'src/core/lib/security/authorization/matchers.h', + 'src/core/lib/security/authorization/rbac_policy.cc', + 'src/core/lib/security/authorization/rbac_policy.h', 'src/core/lib/security/authorization/sdk_server_authz_filter.cc', 'src/core/lib/security/authorization/sdk_server_authz_filter.h', 'src/core/lib/security/context/security_context.cc', @@ -1565,6 +1593,8 @@ Pod::Spec.new do |s| 'src/core/ext/filters/http/server/http_server_filter.h', 'src/core/ext/filters/max_age/max_age_filter.h', 'src/core/ext/filters/message_size/message_size_filter.h', + 'src/core/ext/filters/rbac/rbac_filter.h', + 'src/core/ext/filters/rbac/rbac_service_config_parser.h', 'src/core/ext/filters/server_config_selector/server_config_selector.h', 'src/core/ext/filters/server_config_selector/server_config_selector_filter.h', 'src/core/ext/service_config/service_config.h', @@ -1641,6 +1671,7 @@ Pod::Spec.new do |s| 'src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h', + 'src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h', 'src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h', 'src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.h', 
@@ -1741,6 +1772,7 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h', + 'src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.h', @@ -1748,6 +1780,7 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h', + 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.h', 
@@ -1779,6 +1812,11 @@ Pod::Spec.new do |s| 'src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.h', 'src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.h', 'src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h', 'src/core/ext/upbdefs-generated/google/api/http.upbdefs.h', 'src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.h', 'src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.h', @@ -1819,6 +1857,7 @@ Pod::Spec.new do |s| 'src/core/ext/xds/xds_endpoint.h', 'src/core/ext/xds/xds_http_fault_filter.h', 'src/core/ext/xds/xds_http_filters.h', + 'src/core/ext/xds/xds_http_rbac_filter.h', 'src/core/ext/xds/xds_listener.h', 'src/core/ext/xds/xds_resource_type.h', 'src/core/ext/xds/xds_resource_type_impl.h', @@ -1995,6 +2034,9 @@ Pod::Spec.new do |s| 'src/core/lib/security/authorization/authorization_engine.h', 'src/core/lib/security/authorization/authorization_policy_provider.h', 'src/core/lib/security/authorization/evaluate_args.h', + 'src/core/lib/security/authorization/grpc_authorization_engine.h', + 'src/core/lib/security/authorization/matchers.h', + 'src/core/lib/security/authorization/rbac_policy.h', 'src/core/lib/security/authorization/sdk_server_authz_filter.h', 'src/core/lib/security/context/security_context.h', 'src/core/lib/security/credentials/alts/alts_credentials.h', 
@@ -2187,14 +2229,8 @@ Pod::Spec.new do |s| ss.dependency 'abseil/debugging/stacktrace', abseil_version ss.dependency 'abseil/debugging/symbolize', abseil_version - ss.source_files = 'src/core/lib/security/authorization/grpc_authorization_engine.cc', - 'src/core/lib/security/authorization/grpc_authorization_engine.h', - 'src/core/lib/security/authorization/grpc_authorization_policy_provider.cc', + ss.source_files = 'src/core/lib/security/authorization/grpc_authorization_policy_provider.cc', 'src/core/lib/security/authorization/grpc_authorization_policy_provider.h', - 'src/core/lib/security/authorization/matchers.cc', - 'src/core/lib/security/authorization/matchers.h', - 'src/core/lib/security/authorization/rbac_policy.cc', - 'src/core/lib/security/authorization/rbac_policy.h', 'src/core/lib/security/authorization/rbac_translator.cc', 'src/core/lib/security/authorization/rbac_translator.h', 'test/core/compression/args_utils.cc', diff --git a/grpc.gemspec b/grpc.gemspec index f6cc5adfde0..b7c78bc1948 100644 --- a/grpc.gemspec +++ b/grpc.gemspec @@ -241,6 +241,10 @@ Gem::Specification.new do |s| s.files += %w( src/core/ext/filters/max_age/max_age_filter.h ) s.files += %w( src/core/ext/filters/message_size/message_size_filter.cc ) s.files += %w( src/core/ext/filters/message_size/message_size_filter.h ) + s.files += %w( src/core/ext/filters/rbac/rbac_filter.cc ) + s.files += %w( src/core/ext/filters/rbac/rbac_filter.h ) + s.files += %w( src/core/ext/filters/rbac/rbac_service_config_parser.cc ) + s.files += %w( src/core/ext/filters/rbac/rbac_service_config_parser.h ) s.files += %w( src/core/ext/filters/server_config_selector/server_config_selector.cc ) s.files += %w( src/core/ext/filters/server_config_selector/server_config_selector.h ) s.files += %w( src/core/ext/filters/server_config_selector/server_config_selector_filter.cc ) 
@@ -398,6 +402,8 @@ Gem::Specification.new do |s| s.files += %w( src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h ) s.files += %w( src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c ) s.files += %w( src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h ) + s.files += %w( src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c ) + s.files += %w( src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h ) s.files += %w( src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c ) s.files += %w( src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h ) s.files += %w( src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c ) @@ -598,6 +604,8 @@ Gem::Specification.new do |s| s.files += %w( src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h ) s.files += %w( src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c ) s.files += %w( src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h ) + s.files += %w( src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c ) + s.files += %w( src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h ) s.files += %w( src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c ) s.files += %w( src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h ) s.files += %w( src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c ) 
@@ -612,6 +620,8 @@ Gem::Specification.new do |s| s.files += %w( src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h ) s.files += %w( src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c ) s.files += %w( src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h ) + s.files += %w( src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c ) + s.files += %w( src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h ) s.files += %w( src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c ) s.files += %w( src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h ) s.files += %w( src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c ) 
@@ -674,6 +684,16 @@ Gem::Specification.new do |s| s.files += %w( src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.h ) s.files += %w( src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c ) s.files += %w( src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.h ) + s.files += %w( src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c ) + s.files += %w( src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h ) + s.files += %w( src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c ) + s.files += %w( src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h ) + s.files += %w( src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c ) + s.files += %w( src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h ) + s.files += %w( src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c ) + s.files += %w( src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h ) + s.files += %w( src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c ) + s.files += %w( src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h ) s.files += %w( src/core/ext/upbdefs-generated/google/api/http.upbdefs.c ) s.files += %w( src/core/ext/upbdefs-generated/google/api/http.upbdefs.h ) s.files += %w( src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c ) @@ -751,6 +771,8 @@ Gem::Specification.new do |s| s.files += %w( src/core/ext/xds/xds_http_fault_filter.h ) s.files += %w( src/core/ext/xds/xds_http_filters.cc ) s.files += %w( src/core/ext/xds/xds_http_filters.h ) + s.files += %w( src/core/ext/xds/xds_http_rbac_filter.cc ) + s.files += %w( src/core/ext/xds/xds_http_rbac_filter.h ) s.files += %w( src/core/ext/xds/xds_listener.cc ) s.files += %w( src/core/ext/xds/xds_listener.h ) s.files += %w( src/core/ext/xds/xds_resource_type.cc ) 
@@ -1113,6 +1135,12 @@ Gem::Specification.new do |s| s.files += %w( src/core/lib/security/authorization/authorization_policy_provider_vtable.cc ) s.files += %w( src/core/lib/security/authorization/evaluate_args.cc ) s.files += %w( src/core/lib/security/authorization/evaluate_args.h ) + s.files += %w( src/core/lib/security/authorization/grpc_authorization_engine.cc ) + s.files += %w( src/core/lib/security/authorization/grpc_authorization_engine.h ) + s.files += %w( src/core/lib/security/authorization/matchers.cc ) + s.files += %w( src/core/lib/security/authorization/matchers.h ) + s.files += %w( src/core/lib/security/authorization/rbac_policy.cc ) + s.files += %w( src/core/lib/security/authorization/rbac_policy.h ) s.files += %w( src/core/lib/security/authorization/sdk_server_authz_filter.cc ) s.files += %w( src/core/lib/security/authorization/sdk_server_authz_filter.h ) s.files += %w( src/core/lib/security/context/security_context.cc ) diff --git a/grpc.gyp b/grpc.gyp index 68d9aa56695..8252126b6cb 100644 --- a/grpc.gyp +++ b/grpc.gyp @@ -286,10 +286,7 @@ 'grpc_test_util', ], 'sources': [ - 'src/core/lib/security/authorization/grpc_authorization_engine.cc', 'src/core/lib/security/authorization/grpc_authorization_policy_provider.cc', - 'src/core/lib/security/authorization/matchers.cc', - 'src/core/lib/security/authorization/rbac_policy.cc', 'src/core/lib/security/authorization/rbac_translator.cc', 'test/core/compression/args_utils.cc', 'test/core/end2end/cq_verifier.cc', @@ -547,6 +544,8 @@ 'src/core/ext/filters/http/server/http_server_filter.cc', 'src/core/ext/filters/max_age/max_age_filter.cc', 'src/core/ext/filters/message_size/message_size_filter.cc', + 'src/core/ext/filters/rbac/rbac_filter.cc', + 'src/core/ext/filters/rbac/rbac_service_config_parser.cc', 'src/core/ext/filters/server_config_selector/server_config_selector.cc', 'src/core/ext/filters/server_config_selector/server_config_selector_filter.cc', 'src/core/ext/service_config/service_config.cc', 
@@ -628,6 +627,7 @@ 'src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c', 'src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c', 'src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c', + 'src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c', 'src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c', 'src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c', 'src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c', @@ -728,6 +728,7 @@ 'src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c', + 'src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.c', @@ -735,6 +736,7 @@ 'src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c', + 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c', 
@@ -766,6 +768,11 @@ 'src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.c', 'src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c', 'src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c', + 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c', 'src/core/ext/upbdefs-generated/google/api/http.upbdefs.c', 'src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c', 'src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c', @@ -803,6 +810,7 @@ 'src/core/ext/xds/xds_endpoint.cc', 'src/core/ext/xds/xds_http_fault_filter.cc', 'src/core/ext/xds/xds_http_filters.cc', + 'src/core/ext/xds/xds_http_rbac_filter.cc', 'src/core/ext/xds/xds_listener.cc', 'src/core/ext/xds/xds_resource_type.cc', 'src/core/ext/xds/xds_route_config.cc', @@ -945,6 +953,9 @@ 'src/core/lib/resource_quota/trace.cc', 'src/core/lib/security/authorization/authorization_policy_provider_vtable.cc', 'src/core/lib/security/authorization/evaluate_args.cc', + 'src/core/lib/security/authorization/grpc_authorization_engine.cc', + 'src/core/lib/security/authorization/matchers.cc', + 'src/core/lib/security/authorization/rbac_policy.cc', 'src/core/lib/security/authorization/sdk_server_authz_filter.cc', 'src/core/lib/security/context/security_context.cc', 'src/core/lib/security/credentials/alts/alts_credentials.cc', diff --git a/package.xml b/package.xml index d75e1fbf8f8..1db62b17410 100644 --- a/package.xml +++ b/package.xml @@ -221,6 +221,10 @@ + + + + @@ -378,6 +382,8 @@ + + @@ -578,6 +584,8 @@ + + @@ -592,6 +600,8 @@ + + @@ -654,6 +664,16 @@ + + + + + + + + + + @@ -731,6 +751,8 @@ + + @@ -1093,6 +1115,12 @@ + + + + + + 
diff --git a/src/core/ext/filters/rbac/rbac_filter.cc b/src/core/ext/filters/rbac/rbac_filter.cc
new file mode 100644
index 00000000000..5cac6cd462d
--- /dev/null
+++ b/src/core/ext/filters/rbac/rbac_filter.cc
@@ -0,0 +1,157 @@ +// +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +#include + +#include "src/core/ext/filters/rbac/rbac_filter.h" + +#include "src/core/ext/filters/rbac/rbac_service_config_parser.h" +#include "src/core/ext/service_config/service_config_call_data.h" +#include "src/core/lib/security/authorization/grpc_authorization_engine.h" +#include "src/core/lib/transport/metadata_batch.h" + +namespace grpc_core { + +// +// RbacFilter::CallData +// + +// CallData + +grpc_error_handle RbacFilter::CallData::Init( + grpc_call_element* elem, const grpc_call_element_args* args) { + new (elem->call_data) CallData(elem, *args); + return GRPC_ERROR_NONE; +} + +void RbacFilter::CallData::Destroy(grpc_call_element* elem, + const grpc_call_final_info* /*final_info*/, + grpc_closure* /*then_schedule_closure*/) { + auto* calld = static_cast(elem->call_data); + calld->~CallData(); +} + +void RbacFilter::CallData::StartTransportStreamOpBatch( + grpc_call_element* elem, grpc_transport_stream_op_batch* op) { + CallData* calld = static_cast(elem->call_data); + if (op->recv_initial_metadata) { + calld->recv_initial_metadata_ = + op->payload->recv_initial_metadata.recv_initial_metadata; + calld->original_recv_initial_metadata_ready_ = + op->payload->recv_initial_metadata.recv_initial_metadata_ready; + op->payload->recv_initial_metadata.recv_initial_metadata_ready = + &calld->recv_initial_metadata_ready_; + } + // Chain to the next 
filter. + grpc_call_next_op(elem, op); +} + +RbacFilter::CallData::CallData(grpc_call_element* elem, + const grpc_call_element_args& args) + : call_context_(args.context) { + GRPC_CLOSURE_INIT(&recv_initial_metadata_ready_, RecvInitialMetadataReady, + elem, grpc_schedule_on_exec_ctx); +} + +void RbacFilter::CallData::RecvInitialMetadataReady(void* user_data, + grpc_error_handle error) { + grpc_call_element* elem = static_cast(user_data); + CallData* calld = static_cast(elem->call_data); + if (error == GRPC_ERROR_NONE) { + // Fetch and apply the rbac policy from the service config. + auto* service_config_call_data = static_cast( + calld->call_context_[GRPC_CONTEXT_SERVICE_CONFIG_CALL_DATA].value); + auto* method_params = static_cast( + service_config_call_data->GetMethodParsedConfig( + RbacServiceConfigParser::ParserIndex())); + if (method_params == nullptr) { + error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("No RBAC policy found."); + } else { + RbacFilter* chand = static_cast(elem->channel_data); + auto* authorization_engine = + method_params->authorization_engine(chand->index_); + if (authorization_engine + ->Evaluate(EvaluateArgs(calld->recv_initial_metadata_, + &chand->per_channel_evaluate_args_)) + .type == AuthorizationEngine::Decision::Type::kDeny) { + error = + GRPC_ERROR_CREATE_FROM_STATIC_STRING("Unauthorized RPC rejected"); + } + } + if (error != GRPC_ERROR_NONE) { + error = grpc_error_set_int(error, GRPC_ERROR_INT_GRPC_STATUS, + GRPC_STATUS_PERMISSION_DENIED); + } + } else { + GRPC_ERROR_REF(error); + } + grpc_closure* closure = calld->original_recv_initial_metadata_ready_; + calld->original_recv_initial_metadata_ready_ = nullptr; + Closure::Run(DEBUG_LOCATION, closure, error); +} + +// +// RbacFilter +// + +const grpc_channel_filter RbacFilter::kFilterVtable = { + RbacFilter::CallData::StartTransportStreamOpBatch, + grpc_channel_next_op, + sizeof(RbacFilter::CallData), + RbacFilter::CallData::Init, + grpc_call_stack_ignore_set_pollset_or_pollset_set, + 
RbacFilter::CallData::Destroy, + sizeof(RbacFilter), + RbacFilter::Init, + RbacFilter::Destroy, + grpc_channel_next_get_info, + "rbac_filter", +}; + +RbacFilter::RbacFilter(size_t index, + EvaluateArgs::PerChannelArgs per_channel_evaluate_args) + : index_(index), + per_channel_evaluate_args_(std::move(per_channel_evaluate_args)) {} + +grpc_error_handle RbacFilter::Init(grpc_channel_element* elem, + grpc_channel_element_args* args) { + GPR_ASSERT(elem->filter == &kFilterVtable); + auto* auth_context = grpc_find_auth_context_in_args(args->channel_args); + if (auth_context == nullptr) { + return GRPC_ERROR_CREATE_FROM_STATIC_STRING("No auth context found"); + } + if (args->optional_transport == nullptr) { + // This should never happen since the transport is always set on the server + // side. + return GRPC_ERROR_CREATE_FROM_STATIC_STRING("No transport configured"); + } + new (elem->channel_data) RbacFilter( + grpc_channel_stack_filter_instance_number(args->channel_stack, elem), + EvaluateArgs::PerChannelArgs( + auth_context, grpc_transport_get_endpoint(args->optional_transport))); + return GRPC_ERROR_NONE; +} + +void RbacFilter::Destroy(grpc_channel_element* elem) { + auto* chand = static_cast(elem->channel_data); + chand->~RbacFilter(); +} + +void RbacFilterInit(void) { RbacServiceConfigParser::Register(); } + +void RbacFilterShutdown(void) {} + +} // namespace grpc_core diff --git a/src/core/ext/filters/rbac/rbac_filter.h b/src/core/ext/filters/rbac/rbac_filter.h new file mode 100644 index 00000000000..beedcf03609 --- /dev/null +++ b/src/core/ext/filters/rbac/rbac_filter.h 
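Review bot: `RecvInitialMetadataReady` calls `authorization_engine->Evaluate(...)` without checking for null, yet `RbacMethodParsedConfig::authorization_engine(int)` in the companion header of this commit returns `nullptr` when `index` is past the end of the engine list; an authorization filter should fail closed on that path, not dereference null. The cheapest fix reuses the existing rejection: `if (authorization_engine == nullptr) { error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("No RBAC policy found."); } else if (authorization_engine->Evaluate(...).type == AuthorizationEngine::Decision::Type::kDeny) {` so the null case also ends in `GRPC_STATUS_PERMISSION_DENIED`. Since the decision is taken only in the `recv_initial_metadata` path, a one-line comment at the top of the callback such as `// Authorization is decided once per call, from the received initial metadata; any failure here is surfaced as PERMISSION_DENIED.` would make the fail-closed contract explicit. Note that the eaten template arguments in the `static_cast(...)` calls and the `&` sequences look like extraction artifacts of this rendering, not the committed code.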
@@ -0,0 +1,74 @@
+//
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPC_CORE_EXT_FILTERS_RBAC_RBAC_FILTER_H
+#define GRPC_CORE_EXT_FILTERS_RBAC_RBAC_FILTER_H
+
+#include 
+
+#include "src/core/lib/channel/channel_stack.h"
+#include "src/core/lib/security/authorization/evaluate_args.h"
+
+namespace grpc_core {
+
+// Filter used when xDS server config fetcher provides a configuration with an
+// HTTP RBAC filter. Also serves as the type for channel data for the filter.
+class RbacFilter {
+ public:
+ // This channel filter is intended to be used by connections on xDS enabled
+ // servers configured with RBAC. The RBAC filter fetches the RBAC policy from
+ // the method config of service config returned by the ServerConfigSelector,
+ // and enforces the RBAC policy.
+ static const grpc_channel_filter kFilterVtable;
+
+ private:
+ class CallData {
+ public:
+ static grpc_error_handle Init(grpc_call_element* elem,
+ const grpc_call_element_args* args);
+ static void Destroy(grpc_call_element* elem,
+ const grpc_call_final_info* /* final_info */,
+ grpc_closure* /* then_schedule_closure */);
+ static void StartTransportStreamOpBatch(grpc_call_element* elem,
+ grpc_transport_stream_op_batch* op);
+
+ private:
+ CallData(grpc_call_element* elem, const grpc_call_element_args& args);
+ static void RecvInitialMetadataReady(void* user_data,
+ grpc_error_handle error);
+
+ grpc_call_context_element* call_context_;
+ // State for keeping track of recv_initial_metadata
+ grpc_metadata_batch* recv_initial_metadata_ = nullptr;
+ grpc_closure* original_recv_initial_metadata_ready_ = nullptr;
+ grpc_closure recv_initial_metadata_ready_;
+ };
+
+ RbacFilter(size_t index,
+ EvaluateArgs::PerChannelArgs per_channel_evaluate_args);
+ static grpc_error_handle Init(grpc_channel_element* elem,
+ grpc_channel_element_args* args);
+ static void Destroy(grpc_channel_element* elem);
+
+ // The index of this filter instance among instances of the same filter.
+ size_t index_;
+ // Per channel args used for authorization.
+ EvaluateArgs::PerChannelArgs per_channel_evaluate_args_;
+};
+
+} // namespace grpc_core
+
+#endif // GRPC_CORE_EXT_FILTERS_RBAC_RBAC_FILTER_H
diff --git a/src/core/ext/filters/rbac/rbac_service_config_parser.cc b/src/core/ext/filters/rbac/rbac_service_config_parser.cc
new file mode 100644
index 00000000000..f2838f212c1
--- /dev/null
+++ b/src/core/ext/filters/rbac/rbac_service_config_parser.cc
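Review bot: The class is documented in two places — a two-line comment above `class RbacFilter` and a four-line comment inside the `public:` section above `kFilterVtable` — and the inner one is the one that actually explains what the filter does; merging them into the class-level comment keeps the description in one place. The comment on `index_` says it is the instance number among instances of the same filter, but from `authorization_engine(chand->index_)` in rbac_filter.cc it is also used as the position into the method config's list of RBAC policies, which is presumably what makes the two orderings have to agree; stating that coupling here, e.g. `// Also used as the position of this instance's policy in the method config's rbacPolicy list, so the two orders must match — TODO confirm`, would spare the next maintainer a cross-file search.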
@@ -0,0 +1,604 @@ +// +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +#include + +#include "src/core/ext/filters/rbac/rbac_service_config_parser.h" + +#include "absl/strings/str_format.h" + +#include "src/core/lib/channel/channel_args.h" +#include "src/core/lib/json/json_util.h" +#include "src/core/lib/transport/error_utils.h" + +namespace grpc_core { + +namespace { + +size_t g_rbac_parser_index; + +std::string ParseRegexMatcher(const Json::Object& regex_matcher_json, + std::vector* error_list) { + std::string regex; + ParseJsonObjectField(regex_matcher_json, "regex", ®ex, error_list); + return regex; +} + +absl::StatusOr ParseHeaderMatcher( + const Json::Object& header_matcher_json, + std::vector* error_list) { + std::string name; + ParseJsonObjectField(header_matcher_json, "name", &name, error_list); + std::string match; + HeaderMatcher::Type type = HeaderMatcher::Type(); + const Json::Object* inner_json; + int64_t start = 0; + int64_t end = 0; + bool present_match = false; + bool invert_match = false; + ParseJsonObjectField(header_matcher_json, "invertMatch", &invert_match, + error_list, /*required=*/false); + if (ParseJsonObjectField(header_matcher_json, "exactMatch", &match, + error_list, /*required=*/false)) { + type = HeaderMatcher::Type::kExact; + } else if (ParseJsonObjectField(header_matcher_json, "safeRegexMatch", + &inner_json, error_list, + /*required=*/false)) { + type = HeaderMatcher::Type::kSafeRegex; 
+ std::vector safe_regex_matcher_error_list; + match = ParseRegexMatcher(*inner_json, &safe_regex_matcher_error_list); + if (!safe_regex_matcher_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR( + "safeRegexMatch", &safe_regex_matcher_error_list)); + } + } else if (ParseJsonObjectField(header_matcher_json, "rangeMatch", + &inner_json, error_list, + /*required=*/false)) { + type = HeaderMatcher::Type::kRange; + std::vector range_error_list; + ParseJsonObjectField(*inner_json, "start", &start, &range_error_list); + ParseJsonObjectField(*inner_json, "end", &end, &range_error_list); + if (!range_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("rangeMatch", &range_error_list)); + } + } else if (ParseJsonObjectField(header_matcher_json, "presentMatch", + &present_match, error_list, + /*required=*/false)) { + type = HeaderMatcher::Type::kPresent; + } else if (ParseJsonObjectField(header_matcher_json, "prefixMatch", &match, + error_list, /*required=*/false)) { + type = HeaderMatcher::Type::kPrefix; + } else if (ParseJsonObjectField(header_matcher_json, "suffixMatch", &match, + error_list, /*required=*/false)) { + type = HeaderMatcher::Type::kSuffix; + } else if (ParseJsonObjectField(header_matcher_json, "containsMatch", &match, + error_list, /*required=*/false)) { + type = HeaderMatcher::Type::kContains; + } else { + return absl::InvalidArgumentError("No valid matcher found"); + } + return HeaderMatcher::Create(name, type, match, start, end, present_match, + invert_match); +} + +absl::StatusOr ParseStringMatcher( + const Json::Object& string_matcher_json, + std::vector* error_list) { + std::string match; + StringMatcher::Type type = StringMatcher::Type(); + const Json::Object* inner_json; + bool ignore_case = false; + ParseJsonObjectField(string_matcher_json, "ignoreCase", &ignore_case, + error_list, /*required=*/false); + if (ParseJsonObjectField(string_matcher_json, "exact", &match, error_list, + 
/*required=*/false)) { + type = StringMatcher::Type::kExact; + } else if (ParseJsonObjectField(string_matcher_json, "prefix", &match, + error_list, /*required=*/false)) { + type = StringMatcher::Type::kPrefix; + } else if (ParseJsonObjectField(string_matcher_json, "suffix", &match, + error_list, /*required=*/false)) { + type = StringMatcher::Type::kSuffix; + } else if (ParseJsonObjectField(string_matcher_json, "safeRegex", &inner_json, + error_list, /*required=*/false)) { + type = StringMatcher::Type::kSafeRegex; + std::vector safe_regex_matcher_error_list; + match = ParseRegexMatcher(*inner_json, &safe_regex_matcher_error_list); + if (!safe_regex_matcher_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR( + "safeRegex", &safe_regex_matcher_error_list)); + } + } else if (ParseJsonObjectField(string_matcher_json, "contains", &match, + error_list, /*required=*/false)) { + type = StringMatcher::Type::kContains; + } else { + return absl::InvalidArgumentError("No valid matcher found"); + } + return StringMatcher::Create(type, match, ignore_case); +} + +absl::StatusOr ParsePathMatcher( + const Json::Object& path_matcher_json, + std::vector* error_list) { + const Json::Object* string_matcher_json; + if (ParseJsonObjectField(path_matcher_json, "path", &string_matcher_json, + error_list)) { + std::vector sub_error_list; + auto matcher = ParseStringMatcher(*string_matcher_json, &sub_error_list); + if (!sub_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("path", &sub_error_list)); + } + return matcher; + } + return absl::InvalidArgumentError("No path found"); +} + +Rbac::CidrRange ParseCidrRange(const Json::Object& cidr_range_json, + std::vector* error_list) { + std::string address_prefix; + ParseJsonObjectField(cidr_range_json, "addressPrefix", &address_prefix, + error_list); + const Json::Object* uint32_json; + uint32_t prefix_len = 0; // default value + if (ParseJsonObjectField(cidr_range_json, "prefixLen", 
&uint32_json, + error_list, /*required=*/false)) { + std::vector sub_error_list; + ParseJsonObjectField(*uint32_json, "value", &prefix_len, &sub_error_list); + if (!sub_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("prefixLen", &sub_error_list)); + } + } + return Rbac::CidrRange(std::move(address_prefix), prefix_len); +} + +Rbac::Permission ParsePermission(const Json::Object& permission_json, + std::vector* error_list) { + auto parse_permission_set = [](const Json::Object& permission_set_json, + std::vector* error_list) { + const Json::Array* rules_json; + std::vector> permissions; + if (ParseJsonObjectField(permission_set_json, "rules", &rules_json, + error_list)) { + for (size_t i = 0; i < rules_json->size(); ++i) { + const Json::Object* permission_json; + if (!ExtractJsonType((*rules_json)[i], + absl::StrFormat("rules[%d]", i).c_str(), + &permission_json, error_list)) { + continue; + } + std::vector permission_error_list; + permissions.emplace_back(absl::make_unique( + ParsePermission(*permission_json, &permission_error_list))); + if (!permission_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING( + absl::StrFormat("rules[%d]", i), &permission_error_list)); + } + } + } + return permissions; + }; + Rbac::Permission permission; + const Json::Object* inner_json; + bool any; + int port; + if (ParseJsonObjectField(permission_json, "andRules", &inner_json, error_list, + /*required=*/false)) { + std::vector and_rules_error_list; + permission = Rbac::Permission( + Rbac::Permission::RuleType::kAnd, + parse_permission_set(*inner_json, &and_rules_error_list)); + if (!and_rules_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("andRules", &and_rules_error_list)); + } + } else if (ParseJsonObjectField(permission_json, "orRules", &inner_json, + error_list, /*required=*/false)) { + std::vector or_rules_error_list; + permission = Rbac::Permission( + 
Rbac::Permission::RuleType::kOr, + parse_permission_set(*inner_json, &or_rules_error_list)); + if (!or_rules_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("orRules", &or_rules_error_list)); + } + } else if (ParseJsonObjectField(permission_json, "any", &any, error_list, + /*required=*/false) && + any) { + permission = Rbac::Permission(Rbac::Permission::RuleType::kAny); + } else if (ParseJsonObjectField(permission_json, "header", &inner_json, + error_list, + /*required=*/false)) { + std::vector header_error_list; + auto matcher = ParseHeaderMatcher(*inner_json, &header_error_list); + if (matcher.ok()) { + permission = + Rbac::Permission(Rbac::Permission::RuleType::kHeader, *matcher); + } else { + header_error_list.push_back(absl_status_to_grpc_error(matcher.status())); + } + if (!header_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("header", &header_error_list)); + } + } else if (ParseJsonObjectField(permission_json, "urlPath", &inner_json, + error_list, + /*required=*/false)) { + std::vector url_path_error_list; + auto matcher = ParsePathMatcher(*inner_json, &url_path_error_list); + if (matcher.ok()) { + permission = + Rbac::Permission(Rbac::Permission::RuleType::kPath, *matcher); + } else { + url_path_error_list.push_back( + absl_status_to_grpc_error(matcher.status())); + } + if (!url_path_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("urlPath", &url_path_error_list)); + } + } else if (ParseJsonObjectField(permission_json, "destinationIp", &inner_json, + error_list, /*required=*/false)) { + std::vector destination_ip_error_list; + permission = Rbac::Permission( + Rbac::Permission::RuleType::kDestIp, + ParseCidrRange(*inner_json, &destination_ip_error_list)); + if (!destination_ip_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR( + "destinationIp", &destination_ip_error_list)); + } + } else if (ParseJsonObjectField(permission_json, 
"destinationPort", &port, + error_list, /*required=*/false)) { + permission = Rbac::Permission(Rbac::Permission::RuleType::kDestPort, port); + } else if (ParseJsonObjectField(permission_json, "metadata", &inner_json, + error_list, /*required=*/false)) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_STATIC_STRING("Cannot handle metadata")); + } else if (ParseJsonObjectField(permission_json, "notRule", &inner_json, + error_list, /*required=*/false)) { + std::vector not_rule_error_list; + permission = + Rbac::Permission(Rbac::Permission::RuleType::kNot, + ParsePermission(*inner_json, ¬_rule_error_list)); + if (!not_rule_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("notRule", ¬_rule_error_list)); + } + } else if (ParseJsonObjectField(permission_json, "requestedServerName", + &inner_json, error_list, + /*required=*/false)) { + std::vector req_server_name_error_list; + auto matcher = ParseStringMatcher(*inner_json, &req_server_name_error_list); + if (matcher.ok()) { + permission = Rbac::Permission(Rbac::Permission::RuleType::kReqServerName, + *matcher); + } else { + req_server_name_error_list.push_back( + absl_status_to_grpc_error(matcher.status())); + } + if (!req_server_name_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR( + "requestedServerName", &req_server_name_error_list)); + } + } else { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_STATIC_STRING("No valid rule found")); + } + return permission; +} + +Rbac::Principal ParsePrincipal(const Json::Object& principal_json, + std::vector* error_list) { + auto parse_principal_set = [](const Json::Object& principal_set_json, + std::vector* error_list) { + const Json::Array* rules_json; + std::vector> principals; + if (ParseJsonObjectField(principal_set_json, "ids", &rules_json, + error_list)) { + for (size_t i = 0; i < rules_json->size(); ++i) { + const Json::Object* principal_json; + if (!ExtractJsonType((*rules_json)[i], + absl::StrFormat("ids[%d]", 
i).c_str(), + &principal_json, error_list)) { + continue; + } + std::vector principal_error_list; + principals.emplace_back(absl::make_unique( + ParsePrincipal(*principal_json, &principal_error_list))); + if (!principal_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING( + absl::StrFormat("ids[%d]", i), &principal_error_list)); + } + } + } + return principals; + }; + Rbac::Principal principal; + const Json::Object* inner_json; + bool any; + if (ParseJsonObjectField(principal_json, "andIds", &inner_json, error_list, + /*required=*/false)) { + std::vector and_rules_error_list; + principal = Rbac::Principal( + Rbac::Principal::RuleType::kAnd, + parse_principal_set(*inner_json, &and_rules_error_list)); + if (!and_rules_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("andIds", &and_rules_error_list)); + } + } else if (ParseJsonObjectField(principal_json, "orIds", &inner_json, + error_list, /*required=*/false)) { + std::vector or_rules_error_list; + principal = + Rbac::Principal(Rbac::Principal::RuleType::kOr, + parse_principal_set(*inner_json, &or_rules_error_list)); + if (!or_rules_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("orIds", &or_rules_error_list)); + } + } else if (ParseJsonObjectField(principal_json, "any", &any, error_list, + /*required=*/false) && + any) { + principal = Rbac::Principal(Rbac::Principal::RuleType::kAny); + } else if (ParseJsonObjectField(principal_json, "authenticated", &inner_json, + error_list, /*required=*/false)) { + std::vector authenticated_error_list; + const Json::Object* principal_name_json; + if (ParseJsonObjectField(*inner_json, "principalName", &principal_name_json, + &authenticated_error_list, /*required=*/false)) { + std::vector principal_name_error_list; + auto matcher = + ParseStringMatcher(*principal_name_json, &principal_name_error_list); + if (matcher.ok()) { + principal = 
Rbac::Principal(Rbac::Principal::RuleType::kPrincipalName, + *matcher); + } else { + principal_name_error_list.push_back( + absl_status_to_grpc_error(matcher.status())); + } + if (!principal_name_error_list.empty()) { + authenticated_error_list.push_back(GRPC_ERROR_CREATE_FROM_VECTOR( + "principalName", &principal_name_error_list)); + } + } else if (authenticated_error_list.empty()) { + // No principalName found. Match for all users. + principal = Rbac::Principal(Rbac::Principal::RuleType::kAny); + } else { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR( + "authenticated", &authenticated_error_list)); + } + } else if (ParseJsonObjectField(principal_json, "sourceIp", &inner_json, + error_list, /*required=*/false)) { + std::vector source_ip_error_list; + principal = + Rbac::Principal(Rbac::Principal::RuleType::kSourceIp, + ParseCidrRange(*inner_json, &source_ip_error_list)); + if (!source_ip_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("sourceIp", &source_ip_error_list)); + } + } else if (ParseJsonObjectField(principal_json, "directRemoteIp", &inner_json, + error_list, /*required=*/false)) { + std::vector direct_remote_ip_error_list; + principal = Rbac::Principal( + Rbac::Principal::RuleType::kDirectRemoteIp, + ParseCidrRange(*inner_json, &direct_remote_ip_error_list)); + if (!direct_remote_ip_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR( + "directRemoteIp", &direct_remote_ip_error_list)); + } + } else if (ParseJsonObjectField(principal_json, "remoteIp", &inner_json, + error_list, /*required=*/false)) { + std::vector remote_ip_error_list; + principal = + Rbac::Principal(Rbac::Principal::RuleType::kRemoteIp, + ParseCidrRange(*inner_json, &remote_ip_error_list)); + if (!remote_ip_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("remoteIp", &remote_ip_error_list)); + } + } else if (ParseJsonObjectField(principal_json, "header", &inner_json, + error_list, + 
/*required=*/false)) { + std::vector header_error_list; + auto matcher = ParseHeaderMatcher(*inner_json, &header_error_list); + if (matcher.ok()) { + principal = Rbac::Principal(Rbac::Principal::RuleType::kHeader, *matcher); + } else { + header_error_list.push_back(absl_status_to_grpc_error(matcher.status())); + } + if (!header_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("header", &header_error_list)); + } + } else if (ParseJsonObjectField(principal_json, "urlPath", &inner_json, + error_list, + /*required=*/false)) { + std::vector url_path_error_list; + auto matcher = ParsePathMatcher(*inner_json, &url_path_error_list); + if (matcher.ok()) { + principal = Rbac::Principal(Rbac::Principal::RuleType::kPath, *matcher); + } else { + url_path_error_list.push_back( + absl_status_to_grpc_error(matcher.status())); + } + if (!url_path_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("urlPath", &url_path_error_list)); + } + } else if (ParseJsonObjectField(principal_json, "metadata", &inner_json, + error_list, /*required=*/false)) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_STATIC_STRING("Cannot handle metadata")); + } else if (ParseJsonObjectField(principal_json, "notId", &inner_json, + error_list, /*required=*/false)) { + std::vector not_rule_error_list; + principal = + Rbac::Principal(Rbac::Principal::RuleType::kNot, + ParsePrincipal(*inner_json, ¬_rule_error_list)); + if (!not_rule_error_list.empty()) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_VECTOR("notId", ¬_rule_error_list)); + } + } else { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_STATIC_STRING("No valid id found")); + } + return principal; +} + +Rbac::Policy ParsePolicy(const Json::Object& policy_json, + std::vector* error_list) { + Rbac::Policy policy; + const Json::Array* permissions_json_array; + std::vector> permissions; + if (ParseJsonObjectField(policy_json, "permissions", &permissions_json_array, + error_list)) { + for 
(size_t i = 0; i < permissions_json_array->size(); ++i) { + const Json::Object* permission_json; + if (!ExtractJsonType((*permissions_json_array)[i], + absl::StrFormat("permissions[%d]", i), + &permission_json, error_list)) { + continue; + } + std::vector permission_error_list; + permissions.emplace_back(absl::make_unique( + ParsePermission(*permission_json, &permission_error_list))); + if (!permission_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING( + absl::StrFormat("permissions[%d]", i), &permission_error_list)); + } + } + } + const Json::Array* principals_json_array; + std::vector> principals; + if (ParseJsonObjectField(policy_json, "principals", &principals_json_array, + error_list)) { + for (size_t i = 0; i < principals_json_array->size(); ++i) { + const Json::Object* principal_json; + if (!ExtractJsonType((*principals_json_array)[i], + absl::StrFormat("principals[%d]", i), + &principal_json, error_list)) { + continue; + } + std::vector principal_error_list; + principals.emplace_back(absl::make_unique( + ParsePrincipal(*principal_json, &principal_error_list))); + if (!principal_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING( + absl::StrFormat("principals[%d]", i), &principal_error_list)); + } + } + } + policy.permissions = + Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(permissions)); + policy.principals = + Rbac::Principal(Rbac::Principal::RuleType::kOr, std::move(principals)); + return policy; +} + +Rbac ParseRbac(const Json::Object& rbac_json, + std::vector* error_list) { + Rbac rbac; + const Json::Object* rules_json; + if (!ParseJsonObjectField(rbac_json, "rules", &rules_json, error_list, + /*required=*/false)) { + // No enforcing to be applied. An empty deny policy with an empty map is + // equivalent to no enforcing. 
+ return Rbac(Rbac::Action::kDeny, {}); + } + int action; + if (ParseJsonObjectField(*rules_json, "action", &action, error_list)) { + if (action > 1) { + error_list->push_back( + GRPC_ERROR_CREATE_FROM_STATIC_STRING("Unknown action")); + } + } + rbac.action = static_cast(action); + const Json::Object* policies_json; + if (ParseJsonObjectField(*rules_json, "policies", &policies_json, error_list, + /*required=*/false)) { + for (const auto& entry : *policies_json) { + std::vector policy_error_list; + rbac.policies.emplace( + entry.first, + ParsePolicy(entry.second.object_value(), &policy_error_list)); + if (!policy_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING( + absl::StrFormat("policies key:'%s'", entry.first.c_str()), + &policy_error_list)); + } + } + } + return rbac; +} + +std::vector ParseRbacArray(const Json::Array& policies_json_array, + std::vector* error_list) { + std::vector policies; + for (size_t i = 0; i < policies_json_array.size(); ++i) { + const Json::Object* rbac_json; + if (!ExtractJsonType(policies_json_array[i], + absl::StrFormat("rbacPolicy[%d]", i), &rbac_json, + error_list)) { + continue; + } + std::vector rbac_policy_error_list; + policies.emplace_back(ParseRbac(*rbac_json, &rbac_policy_error_list)); + if (!rbac_policy_error_list.empty()) { + error_list->push_back(GRPC_ERROR_CREATE_FROM_VECTOR_AND_CPP_STRING( + absl::StrFormat("rbacPolicy[%d]", i), &rbac_policy_error_list)); + } + } + return policies; +} + +} // namespace + +std::unique_ptr +RbacServiceConfigParser::ParsePerMethodParams(const grpc_channel_args* args, + const Json& json, + grpc_error_handle* error) { + GPR_DEBUG_ASSERT(error != nullptr && *error == GRPC_ERROR_NONE); + // Only parse rbac policy if the channel arg is present + if (!grpc_channel_args_find_bool(args, GRPC_ARG_PARSE_RBAC_METHOD_CONFIG, + false)) { + return nullptr; + } + std::vector rbac_policies; + std::vector error_list; + const Json::Array* policies_json_array; + if 
(ParseJsonObjectField(json.object_value(), "rbacPolicy", + &policies_json_array, &error_list)) { + rbac_policies = ParseRbacArray(*policies_json_array, &error_list); + } + *error = GRPC_ERROR_CREATE_FROM_VECTOR("Rbac parser", &error_list); + if (*error != GRPC_ERROR_NONE || rbac_policies.empty()) { + return nullptr; + } + return absl::make_unique(std::move(rbac_policies)); +} + +void RbacServiceConfigParser::Register() { + g_rbac_parser_index = ServiceConfigParser::RegisterParser( + absl::make_unique()); +} + +size_t RbacServiceConfigParser::ParserIndex() { return g_rbac_parser_index; } + +} // namespace grpc_core diff --git a/src/core/ext/filters/rbac/rbac_service_config_parser.h b/src/core/ext/filters/rbac/rbac_service_config_parser.h new file mode 100644 index 00000000000..35811f315c9 --- /dev/null +++ b/src/core/ext/filters/rbac/rbac_service_config_parser.h 
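Review bot: In `ParseRbac`, `int action;` is left uninitialized and is then read by `rbac.action = static_cast<...>(action)` even when `ParseJsonObjectField(*rules_json, "action", ...)` fails, and the `action > 1` guard lets negative values through; the overall parse is rejected via `error_list`, but reading an indeterminate value is still undefined behavior, so initialize and bound it: `int action = 0;` and `if (action < 0 || action > 1) {`. The same hunk iterates `*policies_json` and calls `entry.second.object_value()` without first checking that the entry is a JSON object, unlike the `ExtractJsonType` checks used for the `rules`, `ids`, `permissions`, `principals` and `rbacPolicy` arrays; a non-object policy value would, depending on `Json::object_value()`'s contract for the wrong type, silently become an empty policy rather than a reported error. `destinationPort` is read into an `int` and passed straight to `Rbac::Permission(kDestPort, port)` with no 0–65535 range check. `ParsePerMethodParams` returning `nullptr` for an empty `rbacPolicy` array is what makes the filter reject every call with "No RBAC policy found." (fail closed); that interaction deserves a comment on the `rbac_policies.empty()` branch so nobody "fixes" it into an allow.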
@@ -0,0 +1,70 @@ +// +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +#ifndef GRPC_CORE_EXT_FILTERS_RBAC_RBAC_SERVICE_CONFIG_PARSER_H +#define GRPC_CORE_EXT_FILTERS_RBAC_RBAC_SERVICE_CONFIG_PARSER_H + +#include + +#include + +#include "src/core/ext/service_config/service_config_parser.h" +#include "src/core/lib/security/authorization/grpc_authorization_engine.h" + +namespace grpc_core { + +// Channel arg key for enabling parsing RBAC via method config. +#define GRPC_ARG_PARSE_RBAC_METHOD_CONFIG \ + "grpc.internal.parse_rbac_method_config" + +class RbacMethodParsedConfig : public ServiceConfigParser::ParsedConfig { + public: + explicit RbacMethodParsedConfig(std::vector rbac_policies) { + for (auto& rbac_policy : rbac_policies) { + authorization_engines_.emplace_back(std::move(rbac_policy)); + } + } + + // Returns the authorization engine for a rbac policy at a certain index. For + // a connection on the server, multiple RBAC policies might be active. The + // RBAC filter uses this method to get the RBAC policy configured for a + // instance at a particular instance. 
+ const GrpcAuthorizationEngine* authorization_engine(int index) const { + if (static_cast(index) >= authorization_engines_.size()) { + return nullptr; + } + return &authorization_engines_[index]; + } + + private: + std::vector authorization_engines_; +}; + +class RbacServiceConfigParser : public ServiceConfigParser::Parser { + public: + // Parses the per-method service config for rbac filter. + std::unique_ptr ParsePerMethodParams( + const grpc_channel_args* args, const Json& json, + grpc_error_handle* error) override; + // Returns the parser index for RbacServiceConfigParser. + static size_t ParserIndex(); + // Registers RbacServiceConfigParser to ServiceConfigParser. + static void Register(); +}; + +} // namespace grpc_core + +#endif // GRPC_CORE_EXT_FILTERS_RBAC_RBAC_SERVICE_CONFIG_PARSER_H diff --git a/src/core/ext/filters/server_config_selector/server_config_selector.h b/src/core/ext/filters/server_config_selector/server_config_selector.h index 334bdbd9bb8..06c121f989b 100644 --- a/src/core/ext/filters/server_config_selector/server_config_selector.h +++ b/src/core/ext/filters/server_config_selector/server_config_selector.h @@ -22,6 +22,7 @@ #include "absl/status/statusor.h" #include "src/core/ext/service_config/service_config.h" +#include "src/core/lib/gprpp/dual_ref_counted.h" #include "src/core/lib/transport/metadata_batch.h" namespace grpc_core { @@ -45,7 +46,7 @@ class ServerConfigSelector : public RefCounted { // ServerConfigSelectorProvider allows for subscribers to watch for updates on // ServerConfigSelector. It is propagated via channel args. class ServerConfigSelectorProvider - : public RefCounted { + : public DualRefCounted { public: class ServerConfigSelectorWatcher { public: diff --git a/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc b/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc index 25988fdbbdb..ff6a0a68929 100644 
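Review bot: The comment above `authorization_engine` in `RbacMethodParsedConfig` ends with "configured for a instance at a particular instance", which does not say what `index` selects or what happens when it is out of range; suggest `// Returns the engine for the RBAC policy at `index`, or nullptr if `index` is` `// out of range. A server connection can run several RBAC filter instances, each` `// of which looks up its own policy by index in this per-method list.`. Taking `size_t index` instead of `int` would also remove the `static_cast` in the bounds check. Separately, `GRPC_ARG_PARSE_RBAC_METHOD_CONFIG` is a `#define` placed inside `namespace grpc_core`, which a reader may mistake for a scoped constant even though the preprocessor ignores the namespace; moving the macro above the namespace (or noting this in its comment) would avoid that.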
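Review bot: The second hunk of server_config_selector.h changes the base class of `ServerConfigSelectorProvider` from `RefCounted` to `DualRefCounted`, which alters the class's lifetime contract for every holder, but the comment above the class still describes only the watch mechanism. A one-line note on why the dual ref count is needed would help, e.g. `// Dual ref-counted so that the owner's last strong ref can orphan the provider` `// while other holders keep it alive (presumably for the watch/cancel path).`, with the parenthetical confirmed against the code that holds the refs, which is outside this hunk. The rest of the class body is not visible here.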
--- a/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc +++ b/src/core/ext/filters/server_config_selector/server_config_selector_filter.cc @@ -36,7 +36,7 @@ class ChannelData { absl::StatusOr> config_selector() { MutexLock lock(&mu_); - return config_selector_; + return config_selector_.value(); } private: @@ -60,8 +60,8 @@ class ChannelData { RefCountedPtr server_config_selector_provider_; Mutex mu_; - absl::StatusOr> config_selector_ - ABSL_GUARDED_BY(mu_); + absl::optional>> + config_selector_ ABSL_GUARDED_BY(mu_); }; class CallData { @@ -103,7 +103,7 @@ class CallData { grpc_error_handle ChannelData::Init(grpc_channel_element* elem, grpc_channel_element_args* args) { - GPR_ASSERT(elem->filter = &kServerConfigSelectorFilter); + GPR_ASSERT(elem->filter == &kServerConfigSelectorFilter); RefCountedPtr server_config_selector_provider = ServerConfigSelectorProvider::GetFromChannelArgs(*args->channel_args); if (server_config_selector_provider == nullptr) { @@ -127,8 +127,13 @@ ChannelData::ChannelData( GPR_ASSERT(server_config_selector_provider_ != nullptr); auto server_config_selector_watcher = absl::make_unique(this); - config_selector_ = server_config_selector_provider_->Watch( + auto config_selector = server_config_selector_provider_->Watch( std::move(server_config_selector_watcher)); + MutexLock lock(&mu_); + // It's possible for the watcher to have already updated config_selector_ + if (!config_selector_.has_value()) { + config_selector_ = std::move(config_selector); + } } ChannelData::~ChannelData() { server_config_selector_provider_->CancelWatch(); } diff --git a/src/core/ext/transport/chttp2/server/chttp2_server.cc b/src/core/ext/transport/chttp2/server/chttp2_server.cc index 4016d4f7c94..911f9c8c2b7 100644 --- a/src/core/ext/transport/chttp2/server/chttp2_server.cc +++ b/src/core/ext/transport/chttp2/server/chttp2_server.cc 
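Review bot: `config_selector()` in the first hunk now returns `config_selector_.value()`, which throws `absl::bad_optional_access` (or aborts in a no-exceptions build) if the optional is empty, and nothing at the accessor says why that cannot happen. It cannot happen after the constructor in the last hunk returns, because either the watcher has already stored a value or the constructor stores the one returned by `Watch()`; suggest `// Always populated once the constructor has run, either by the watcher's first` `// update or by the constructor's fallback store.` above the accessor. In the constructor, `Watch()` runs before `mu_` is taken, so a concurrent watcher update may already hold a newer selector, and the `has_value()` check deliberately keeps that one; the existing comment should say so, e.g. `// It's possible for the watcher to have already updated config_selector_;` `// keep that (newer) value rather than the one Watch() returned.`.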
@@ -174,7 +174,8 @@ class Chttp2ServerListener : public Server::ListenerInterface { grpc_closure on_close_; grpc_timer drain_grace_timer_; grpc_closure on_drain_grace_time_expiry_; - bool drain_grace_timer_expiry_callback_pending_ = false; + bool drain_grace_timer_expiry_callback_pending_ ABSL_GUARDED_BY(&mu_) = + false; bool shutdown_ ABSL_GUARDED_BY(&mu_) = false; }; @@ -547,24 +548,27 @@ void Chttp2ServerListener::ActiveConnection::SendGoAway() { grpc_chttp2_transport* transport = nullptr; { MutexLock lock(&mu_); - transport = transport_; + if (transport_ != nullptr && !shutdown_) { + transport = transport_; + Ref().release(); // Ref held by OnDrainGraceTimeExpiry + GRPC_CLOSURE_INIT(&on_drain_grace_time_expiry_, OnDrainGraceTimeExpiry, + this, nullptr); + grpc_timer_init(&drain_grace_timer_, + ExecCtx::Get()->Now() + + grpc_channel_args_find_integer( + listener_->args_, + GRPC_ARG_SERVER_CONFIG_CHANGE_DRAIN_GRACE_TIME_MS, + {10 * 60 * GPR_MS_PER_SEC, 0, INT_MAX}), + &on_drain_grace_time_expiry_); + drain_grace_timer_expiry_callback_pending_ = true; + shutdown_ = true; + } } if (transport != nullptr) { grpc_transport_op* op = grpc_make_transport_op(nullptr); op->goaway_error = GRPC_ERROR_CREATE_FROM_STATIC_STRING( "Server is stopping to serve requests."); grpc_transport_perform_op(&transport->base, op); - Ref().release(); // Ref held by OnDrainGraceTimeExpiry - GRPC_CLOSURE_INIT(&on_drain_grace_time_expiry_, OnDrainGraceTimeExpiry, - this, nullptr); - grpc_timer_init(&drain_grace_timer_, - ExecCtx::Get()->Now() + - grpc_channel_args_find_integer( - listener_->args_, - GRPC_ARG_SERVER_CONFIG_CHANGE_DRAIN_GRACE_TIME_MS, - {10 * 60 * GPR_MS_PER_SEC, 0, INT_MAX}), - &on_drain_grace_time_expiry_); - drain_grace_timer_expiry_callback_pending_ = true; } } 
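Review bot: In the `SendGoAway()` hunk, the new `shutdown_ = true` under `mu_` is what makes the timer arming idempotent (a second call sees `!shutdown_` false and neither re-arms `drain_grace_timer_` nor takes another ref), but nothing in the code states that, and `OnClose` in the next hunk also sets `shutdown_`. Suggest a comment above the guard: `// Arm the drain timer and take its ref at most once: shutdown_ is also set by` `// OnClose(), so a late SendGoAway() becomes a no-op.`. Note also that `transport` is still dereferenced for `grpc_transport_perform_op` after `mu_` is released; the `Ref().release()` is the ref for `OnDrainGraceTimeExpiry`, not for the transport, so whether `transport_` can be released between the unlock and the perform_op depends on code outside this hunk.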
@@ -598,6 +602,7 @@ void Chttp2ServerListener::ActiveConnection::OnClose(
 connection = std::move(it->second);
 self->listener_->connections_.erase(it);
 }
+ self->shutdown_ = true;
 }
 // Cancel the drain_grace_timer_ if needed.
 if (self->drain_grace_timer_expiry_callback_pending_) {
diff --git a/src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c b/src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c
new file mode 100644
index 00000000000..a3a45686936
--- /dev/null
+++ b/src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c
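Review bot: The read of `self->drain_grace_timer_expiry_callback_pending_` at the end of this hunk appears to sit after the closing brace that ends the scope in which the new `self->shutdown_ = true` is written, and the first hunk of this file now annotates that member `ABSL_GUARDED_BY(&mu_)`. If that brace closes the `MutexLock` scope, the read is unguarded and Clang's thread-safety analysis will flag it, so the read should move inside the locked region or the method needs the corresponding lock annotation. The enclosing `OnClose` body starts before and continues after this hunk, so I cannot confirm which scope the brace closes.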
@@ -0,0 +1,61 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * envoy/extensions/filters/http/rbac/v3/rbac.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#include +#include "upb/msg_internal.h" +#include "envoy/extensions/filters/http/rbac/v3/rbac.upb.h" +#include "envoy/config/rbac/v3/rbac.upb.h" +#include "udpa/annotations/status.upb.h" +#include "udpa/annotations/versioning.upb.h" + +#include "upb/port_def.inc" + +static const upb_msglayout_sub envoy_extensions_filters_http_rbac_v3_RBAC_submsgs[1] = { + {.submsg = &envoy_config_rbac_v3_RBAC_msginit}, +}; + +static const upb_msglayout_field envoy_extensions_filters_http_rbac_v3_RBAC__fields[3] = { + {1, UPB_SIZE(12, 24), 1, 0, 11, _UPB_MODE_SCALAR | (_UPB_REP_PTR << _UPB_REP_SHIFT)}, + {2, UPB_SIZE(16, 32), 2, 0, 11, _UPB_MODE_SCALAR | (_UPB_REP_PTR << _UPB_REP_SHIFT)}, + {3, UPB_SIZE(4, 8), 0, 0, 9, _UPB_MODE_SCALAR | (_UPB_REP_STRVIEW << _UPB_REP_SHIFT)}, +}; + +const upb_msglayout envoy_extensions_filters_http_rbac_v3_RBAC_msginit = { + &envoy_extensions_filters_http_rbac_v3_RBAC_submsgs[0], + &envoy_extensions_filters_http_rbac_v3_RBAC__fields[0], + UPB_SIZE(24, 48), 3, _UPB_MSGEXT_NONE, 3, 255, +}; + +static const upb_msglayout_sub envoy_extensions_filters_http_rbac_v3_RBACPerRoute_submsgs[1] = { + {.submsg = &envoy_extensions_filters_http_rbac_v3_RBAC_msginit}, +}; + +static const upb_msglayout_field envoy_extensions_filters_http_rbac_v3_RBACPerRoute__fields[1] = { + {2, UPB_SIZE(4, 8), 1, 0, 11, _UPB_MODE_SCALAR | (_UPB_REP_PTR << _UPB_REP_SHIFT)}, +}; + +const upb_msglayout envoy_extensions_filters_http_rbac_v3_RBACPerRoute_msginit = { + &envoy_extensions_filters_http_rbac_v3_RBACPerRoute_submsgs[0], + &envoy_extensions_filters_http_rbac_v3_RBACPerRoute__fields[0], + UPB_SIZE(8, 16), 1, _UPB_MSGEXT_NONE, 0, 255, +}; + +static const upb_msglayout *messages_layout[2] = { + 
&envoy_extensions_filters_http_rbac_v3_RBAC_msginit, + &envoy_extensions_filters_http_rbac_v3_RBACPerRoute_msginit, +}; + +const upb_msglayout_file envoy_extensions_filters_http_rbac_v3_rbac_proto_upb_file_layout = { + messages_layout, + NULL, + 2, + 0, +}; + +#include "upb/port_undef.inc" + diff --git a/src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h b/src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h new file mode 100644 index 00000000000..7aad918ddff --- /dev/null +++ b/src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h 
@@ -0,0 +1,146 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * envoy/extensions/filters/http/rbac/v3/rbac.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#ifndef ENVOY_EXTENSIONS_FILTERS_HTTP_RBAC_V3_RBAC_PROTO_UPB_H_ +#define ENVOY_EXTENSIONS_FILTERS_HTTP_RBAC_V3_RBAC_PROTO_UPB_H_ + +#include "upb/msg_internal.h" +#include "upb/decode.h" +#include "upb/decode_fast.h" +#include "upb/encode.h" + +#include "upb/port_def.inc" + +#ifdef __cplusplus +extern "C" { +#endif + +struct envoy_extensions_filters_http_rbac_v3_RBAC; +struct envoy_extensions_filters_http_rbac_v3_RBACPerRoute; +typedef struct envoy_extensions_filters_http_rbac_v3_RBAC envoy_extensions_filters_http_rbac_v3_RBAC; +typedef struct envoy_extensions_filters_http_rbac_v3_RBACPerRoute envoy_extensions_filters_http_rbac_v3_RBACPerRoute; +extern const upb_msglayout envoy_extensions_filters_http_rbac_v3_RBAC_msginit; +extern const upb_msglayout envoy_extensions_filters_http_rbac_v3_RBACPerRoute_msginit; +struct envoy_config_rbac_v3_RBAC; +extern const upb_msglayout envoy_config_rbac_v3_RBAC_msginit; + + +/* envoy.extensions.filters.http.rbac.v3.RBAC */ + +UPB_INLINE envoy_extensions_filters_http_rbac_v3_RBAC *envoy_extensions_filters_http_rbac_v3_RBAC_new(upb_arena *arena) { + return (envoy_extensions_filters_http_rbac_v3_RBAC *)_upb_msg_new(&envoy_extensions_filters_http_rbac_v3_RBAC_msginit, arena); +} +UPB_INLINE envoy_extensions_filters_http_rbac_v3_RBAC *envoy_extensions_filters_http_rbac_v3_RBAC_parse(const char *buf, size_t size, + upb_arena *arena) { + envoy_extensions_filters_http_rbac_v3_RBAC *ret = envoy_extensions_filters_http_rbac_v3_RBAC_new(arena); + if (!ret) return NULL; + if (!upb_decode(buf, size, ret, &envoy_extensions_filters_http_rbac_v3_RBAC_msginit, arena)) return NULL; + return ret; +} +UPB_INLINE envoy_extensions_filters_http_rbac_v3_RBAC 
*envoy_extensions_filters_http_rbac_v3_RBAC_parse_ex(const char *buf, size_t size, + const upb_extreg *extreg, int options, + upb_arena *arena) { + envoy_extensions_filters_http_rbac_v3_RBAC *ret = envoy_extensions_filters_http_rbac_v3_RBAC_new(arena); + if (!ret) return NULL; + if (!_upb_decode(buf, size, ret, &envoy_extensions_filters_http_rbac_v3_RBAC_msginit, extreg, options, arena)) { + return NULL; + } + return ret; +} +UPB_INLINE char *envoy_extensions_filters_http_rbac_v3_RBAC_serialize(const envoy_extensions_filters_http_rbac_v3_RBAC *msg, upb_arena *arena, size_t *len) { + return upb_encode(msg, &envoy_extensions_filters_http_rbac_v3_RBAC_msginit, arena, len); +} + +UPB_INLINE bool envoy_extensions_filters_http_rbac_v3_RBAC_has_rules(const envoy_extensions_filters_http_rbac_v3_RBAC *msg) { return _upb_hasbit(msg, 1); } +UPB_INLINE const struct envoy_config_rbac_v3_RBAC* envoy_extensions_filters_http_rbac_v3_RBAC_rules(const envoy_extensions_filters_http_rbac_v3_RBAC *msg) { return *UPB_PTR_AT(msg, UPB_SIZE(12, 24), const struct envoy_config_rbac_v3_RBAC*); } +UPB_INLINE bool envoy_extensions_filters_http_rbac_v3_RBAC_has_shadow_rules(const envoy_extensions_filters_http_rbac_v3_RBAC *msg) { return _upb_hasbit(msg, 2); } +UPB_INLINE const struct envoy_config_rbac_v3_RBAC* envoy_extensions_filters_http_rbac_v3_RBAC_shadow_rules(const envoy_extensions_filters_http_rbac_v3_RBAC *msg) { return *UPB_PTR_AT(msg, UPB_SIZE(16, 32), const struct envoy_config_rbac_v3_RBAC*); } +UPB_INLINE upb_strview envoy_extensions_filters_http_rbac_v3_RBAC_shadow_rules_stat_prefix(const envoy_extensions_filters_http_rbac_v3_RBAC *msg) { return *UPB_PTR_AT(msg, UPB_SIZE(4, 8), upb_strview); } + +UPB_INLINE void envoy_extensions_filters_http_rbac_v3_RBAC_set_rules(envoy_extensions_filters_http_rbac_v3_RBAC *msg, struct envoy_config_rbac_v3_RBAC* value) { + _upb_sethas(msg, 1); + *UPB_PTR_AT(msg, UPB_SIZE(12, 24), struct envoy_config_rbac_v3_RBAC*) = value; +} +UPB_INLINE struct 
envoy_config_rbac_v3_RBAC* envoy_extensions_filters_http_rbac_v3_RBAC_mutable_rules(envoy_extensions_filters_http_rbac_v3_RBAC *msg, upb_arena *arena) { + struct envoy_config_rbac_v3_RBAC* sub = (struct envoy_config_rbac_v3_RBAC*)envoy_extensions_filters_http_rbac_v3_RBAC_rules(msg); + if (sub == NULL) { + sub = (struct envoy_config_rbac_v3_RBAC*)_upb_msg_new(&envoy_config_rbac_v3_RBAC_msginit, arena); + if (!sub) return NULL; + envoy_extensions_filters_http_rbac_v3_RBAC_set_rules(msg, sub); + } + return sub; +} +UPB_INLINE void envoy_extensions_filters_http_rbac_v3_RBAC_set_shadow_rules(envoy_extensions_filters_http_rbac_v3_RBAC *msg, struct envoy_config_rbac_v3_RBAC* value) { + _upb_sethas(msg, 2); + *UPB_PTR_AT(msg, UPB_SIZE(16, 32), struct envoy_config_rbac_v3_RBAC*) = value; +} +UPB_INLINE struct envoy_config_rbac_v3_RBAC* envoy_extensions_filters_http_rbac_v3_RBAC_mutable_shadow_rules(envoy_extensions_filters_http_rbac_v3_RBAC *msg, upb_arena *arena) { + struct envoy_config_rbac_v3_RBAC* sub = (struct envoy_config_rbac_v3_RBAC*)envoy_extensions_filters_http_rbac_v3_RBAC_shadow_rules(msg); + if (sub == NULL) { + sub = (struct envoy_config_rbac_v3_RBAC*)_upb_msg_new(&envoy_config_rbac_v3_RBAC_msginit, arena); + if (!sub) return NULL; + envoy_extensions_filters_http_rbac_v3_RBAC_set_shadow_rules(msg, sub); + } + return sub; +} +UPB_INLINE void envoy_extensions_filters_http_rbac_v3_RBAC_set_shadow_rules_stat_prefix(envoy_extensions_filters_http_rbac_v3_RBAC *msg, upb_strview value) { + *UPB_PTR_AT(msg, UPB_SIZE(4, 8), upb_strview) = value; +} + +/* envoy.extensions.filters.http.rbac.v3.RBACPerRoute */ + +UPB_INLINE envoy_extensions_filters_http_rbac_v3_RBACPerRoute *envoy_extensions_filters_http_rbac_v3_RBACPerRoute_new(upb_arena *arena) { + return (envoy_extensions_filters_http_rbac_v3_RBACPerRoute *)_upb_msg_new(&envoy_extensions_filters_http_rbac_v3_RBACPerRoute_msginit, arena); +} +UPB_INLINE envoy_extensions_filters_http_rbac_v3_RBACPerRoute 
*envoy_extensions_filters_http_rbac_v3_RBACPerRoute_parse(const char *buf, size_t size, + upb_arena *arena) { + envoy_extensions_filters_http_rbac_v3_RBACPerRoute *ret = envoy_extensions_filters_http_rbac_v3_RBACPerRoute_new(arena); + if (!ret) return NULL; + if (!upb_decode(buf, size, ret, &envoy_extensions_filters_http_rbac_v3_RBACPerRoute_msginit, arena)) return NULL; + return ret; +} +UPB_INLINE envoy_extensions_filters_http_rbac_v3_RBACPerRoute *envoy_extensions_filters_http_rbac_v3_RBACPerRoute_parse_ex(const char *buf, size_t size, + const upb_extreg *extreg, int options, + upb_arena *arena) { + envoy_extensions_filters_http_rbac_v3_RBACPerRoute *ret = envoy_extensions_filters_http_rbac_v3_RBACPerRoute_new(arena); + if (!ret) return NULL; + if (!_upb_decode(buf, size, ret, &envoy_extensions_filters_http_rbac_v3_RBACPerRoute_msginit, extreg, options, arena)) { + return NULL; + } + return ret; +} +UPB_INLINE char *envoy_extensions_filters_http_rbac_v3_RBACPerRoute_serialize(const envoy_extensions_filters_http_rbac_v3_RBACPerRoute *msg, upb_arena *arena, size_t *len) { + return upb_encode(msg, &envoy_extensions_filters_http_rbac_v3_RBACPerRoute_msginit, arena, len); +} + +UPB_INLINE bool envoy_extensions_filters_http_rbac_v3_RBACPerRoute_has_rbac(const envoy_extensions_filters_http_rbac_v3_RBACPerRoute *msg) { return _upb_hasbit(msg, 1); } +UPB_INLINE const envoy_extensions_filters_http_rbac_v3_RBAC* envoy_extensions_filters_http_rbac_v3_RBACPerRoute_rbac(const envoy_extensions_filters_http_rbac_v3_RBACPerRoute *msg) { return *UPB_PTR_AT(msg, UPB_SIZE(4, 8), const envoy_extensions_filters_http_rbac_v3_RBAC*); } + +UPB_INLINE void envoy_extensions_filters_http_rbac_v3_RBACPerRoute_set_rbac(envoy_extensions_filters_http_rbac_v3_RBACPerRoute *msg, envoy_extensions_filters_http_rbac_v3_RBAC* value) { + _upb_sethas(msg, 1); + *UPB_PTR_AT(msg, UPB_SIZE(4, 8), envoy_extensions_filters_http_rbac_v3_RBAC*) = value; +} +UPB_INLINE struct 
envoy_extensions_filters_http_rbac_v3_RBAC* envoy_extensions_filters_http_rbac_v3_RBACPerRoute_mutable_rbac(envoy_extensions_filters_http_rbac_v3_RBACPerRoute *msg, upb_arena *arena) { + struct envoy_extensions_filters_http_rbac_v3_RBAC* sub = (struct envoy_extensions_filters_http_rbac_v3_RBAC*)envoy_extensions_filters_http_rbac_v3_RBACPerRoute_rbac(msg); + if (sub == NULL) { + sub = (struct envoy_extensions_filters_http_rbac_v3_RBAC*)_upb_msg_new(&envoy_extensions_filters_http_rbac_v3_RBAC_msginit, arena); + if (!sub) return NULL; + envoy_extensions_filters_http_rbac_v3_RBACPerRoute_set_rbac(msg, sub); + } + return sub; +} + +extern const upb_msglayout_file envoy_extensions_filters_http_rbac_v3_rbac_proto_upb_file_layout; + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#include "upb/port_undef.inc" + +#endif /* ENVOY_EXTENSIONS_FILTERS_HTTP_RBAC_V3_RBAC_PROTO_UPB_H_ */ diff --git a/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c b/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c new file mode 100644 index 00000000000..7d17eaa8366 --- /dev/null +++ b/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c 
@@ -0,0 +1,56 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * envoy/extensions/filters/http/rbac/v3/rbac.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#include "upb/def.h" +#include "envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h" +#include "envoy/extensions/filters/http/rbac/v3/rbac.upb.h" + +extern upb_def_init envoy_config_rbac_v3_rbac_proto_upbdefinit; +extern upb_def_init udpa_annotations_status_proto_upbdefinit; +extern upb_def_init udpa_annotations_versioning_proto_upbdefinit; +static const char descriptor[639] = {'\n', '0', 'e', 'n', 'v', 'o', 'y', '/', 'e', 'x', 't', 'e', 'n', 's', 'i', 'o', 'n', 's', '/', 'f', 'i', 'l', 't', 'e', 'r', +'s', '/', 'h', 't', 't', 'p', '/', 'r', 'b', 'a', 'c', '/', 'v', '3', '/', 'r', 'b', 'a', 'c', '.', 'p', 'r', 'o', 't', 'o', +'\022', '%', 'e', 'n', 'v', 'o', 'y', '.', 'e', 'x', 't', 'e', 'n', 's', 'i', 'o', 'n', 's', '.', 'f', 'i', 'l', 't', 'e', 'r', +'s', '.', 'h', 't', 't', 'p', '.', 'r', 'b', 'a', 'c', '.', 'v', '3', '\032', '\037', 'e', 'n', 'v', 'o', 'y', '/', 'c', 'o', 'n', +'f', 'i', 'g', '/', 'r', 'b', 'a', 'c', '/', 'v', '3', '/', 'r', 'b', 'a', 'c', '.', 'p', 'r', 'o', 't', 'o', '\032', '\035', 'u', +'d', 'p', 'a', '/', 'a', 'n', 'n', 'o', 't', 'a', 't', 'i', 'o', 'n', 's', '/', 's', 't', 'a', 't', 'u', 's', '.', 'p', 'r', +'o', 't', 'o', '\032', '!', 'u', 'd', 'p', 'a', '/', 'a', 'n', 'n', 'o', 't', 'a', 't', 'i', 'o', 'n', 's', '/', 'v', 'e', 'r', +'s', 'i', 'o', 'n', 'i', 'n', 'g', '.', 'p', 'r', 'o', 't', 'o', '\"', '\336', '\001', '\n', '\004', 'R', 'B', 'A', 'C', '\022', '0', '\n', +'\005', 'r', 'u', 'l', 'e', 's', '\030', '\001', ' ', '\001', '(', '\013', '2', '\032', '.', 'e', 'n', 'v', 'o', 'y', '.', 'c', 'o', 'n', 'f', +'i', 'g', '.', 'r', 'b', 'a', 'c', '.', 'v', '3', '.', 'R', 'B', 'A', 'C', 'R', '\005', 'r', 'u', 'l', 'e', 's', '\022', '=', '\n', +'\014', 's', 'h', 'a', 'd', 'o', 'w', '_', 'r', 
'u', 'l', 'e', 's', '\030', '\002', ' ', '\001', '(', '\013', '2', '\032', '.', 'e', 'n', 'v', +'o', 'y', '.', 'c', 'o', 'n', 'f', 'i', 'g', '.', 'r', 'b', 'a', 'c', '.', 'v', '3', '.', 'R', 'B', 'A', 'C', 'R', '\013', 's', +'h', 'a', 'd', 'o', 'w', 'R', 'u', 'l', 'e', 's', '\022', '7', '\n', '\030', 's', 'h', 'a', 'd', 'o', 'w', '_', 'r', 'u', 'l', 'e', +'s', '_', 's', 't', 'a', 't', '_', 'p', 'r', 'e', 'f', 'i', 'x', '\030', '\003', ' ', '\001', '(', '\t', 'R', '\025', 's', 'h', 'a', 'd', +'o', 'w', 'R', 'u', 'l', 'e', 's', 'S', 't', 'a', 't', 'P', 'r', 'e', 'f', 'i', 'x', ':', ',', '\232', '\305', '\210', '\036', '\'', '\n', +'%', 'e', 'n', 'v', 'o', 'y', '.', 'c', 'o', 'n', 'f', 'i', 'g', '.', 'f', 'i', 'l', 't', 'e', 'r', '.', 'h', 't', 't', 'p', +'.', 'r', 'b', 'a', 'c', '.', 'v', '2', '.', 'R', 'B', 'A', 'C', '\"', '\213', '\001', '\n', '\014', 'R', 'B', 'A', 'C', 'P', 'e', 'r', +'R', 'o', 'u', 't', 'e', '\022', '?', '\n', '\004', 'r', 'b', 'a', 'c', '\030', '\002', ' ', '\001', '(', '\013', '2', '+', '.', 'e', 'n', 'v', +'o', 'y', '.', 'e', 'x', 't', 'e', 'n', 's', 'i', 'o', 'n', 's', '.', 'f', 'i', 'l', 't', 'e', 'r', 's', '.', 'h', 't', 't', +'p', '.', 'r', 'b', 'a', 'c', '.', 'v', '3', '.', 'R', 'B', 'A', 'C', 'R', '\004', 'r', 'b', 'a', 'c', ':', '4', '\232', '\305', '\210', +'\036', '/', '\n', '-', 'e', 'n', 'v', 'o', 'y', '.', 'c', 'o', 'n', 'f', 'i', 'g', '.', 'f', 'i', 'l', 't', 'e', 'r', '.', 'h', +'t', 't', 'p', '.', 'r', 'b', 'a', 'c', '.', 'v', '2', '.', 'R', 'B', 'A', 'C', 'P', 'e', 'r', 'R', 'o', 'u', 't', 'e', 'J', +'\004', '\010', '\001', '\020', '\002', 'B', 'J', '\n', '3', 'i', 'o', '.', 'e', 'n', 'v', 'o', 'y', 'p', 'r', 'o', 'x', 'y', '.', 'e', 'n', +'v', 'o', 'y', '.', 'e', 'x', 't', 'e', 'n', 's', 'i', 'o', 'n', 's', '.', 'f', 'i', 'l', 't', 'e', 'r', 's', '.', 'h', 't', +'t', 'p', '.', 'r', 'b', 'a', 'c', '.', 'v', '3', 'B', '\t', 'R', 'b', 'a', 'c', 'P', 'r', 'o', 't', 'o', 'P', '\001', '\272', '\200', +'\310', '\321', '\006', 
'\002', '\020', '\002', 'b', '\006', 'p', 'r', 'o', 't', 'o', '3', +}; + +static upb_def_init *deps[4] = { + &envoy_config_rbac_v3_rbac_proto_upbdefinit, + &udpa_annotations_status_proto_upbdefinit, + &udpa_annotations_versioning_proto_upbdefinit, + NULL +}; + +upb_def_init envoy_extensions_filters_http_rbac_v3_rbac_proto_upbdefinit = { + deps, + &envoy_extensions_filters_http_rbac_v3_rbac_proto_upb_file_layout, + "envoy/extensions/filters/http/rbac/v3/rbac.proto", + UPB_STRVIEW_INIT(descriptor, 639) +}; diff --git a/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h b/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h new file mode 100644 index 00000000000..afd1a89d76f --- /dev/null +++ b/src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h 
@@ -0,0 +1,40 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * envoy/extensions/filters/http/rbac/v3/rbac.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#ifndef ENVOY_EXTENSIONS_FILTERS_HTTP_RBAC_V3_RBAC_PROTO_UPBDEFS_H_ +#define ENVOY_EXTENSIONS_FILTERS_HTTP_RBAC_V3_RBAC_PROTO_UPBDEFS_H_ + +#include "upb/def.h" +#include "upb/port_def.inc" +#ifdef __cplusplus +extern "C" { +#endif + +#include "upb/def.h" + +#include "upb/port_def.inc" + +extern upb_def_init envoy_extensions_filters_http_rbac_v3_rbac_proto_upbdefinit; + +UPB_INLINE const upb_msgdef *envoy_extensions_filters_http_rbac_v3_RBAC_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &envoy_extensions_filters_http_rbac_v3_rbac_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "envoy.extensions.filters.http.rbac.v3.RBAC"); +} + +UPB_INLINE const upb_msgdef *envoy_extensions_filters_http_rbac_v3_RBACPerRoute_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &envoy_extensions_filters_http_rbac_v3_rbac_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "envoy.extensions.filters.http.rbac.v3.RBACPerRoute"); +} + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#include "upb/port_undef.inc" + +#endif /* ENVOY_EXTENSIONS_FILTERS_HTTP_RBAC_V3_RBAC_PROTO_UPBDEFS_H_ */ diff --git a/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c new file mode 100644 index 00000000000..3ff985637ca --- /dev/null +++ b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c 
@@ -0,0 +1,154 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * google/api/expr/v1alpha1/checked.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#include "upb/def.h" +#include "google/api/expr/v1alpha1/checked.upbdefs.h" +#include "google/api/expr/v1alpha1/checked.upb.h" + +extern upb_def_init google_api_expr_v1alpha1_syntax_proto_upbdefinit; +extern upb_def_init google_protobuf_empty_proto_upbdefinit; +extern upb_def_init google_protobuf_struct_proto_upbdefinit; +static const char descriptor[3089] = {'\n', '&', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', +'1', '/', 'c', 'h', 'e', 'c', 'k', 'e', 'd', '.', 'p', 'r', 'o', 't', 'o', '\022', '\030', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', +'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '\032', '%', 'g', 'o', 'o', 'g', 'l', 'e', '/', +'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '/', 's', 'y', 'n', 't', 'a', 'x', '.', +'p', 'r', 'o', 't', 'o', '\032', '\033', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'p', 'r', 'o', 't', 'o', 'b', 'u', 'f', '/', 'e', 'm', +'p', 't', 'y', '.', 'p', 'r', 'o', 't', 'o', '\032', '\034', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'p', 'r', 'o', 't', 'o', 'b', 'u', +'f', '/', 's', 't', 'r', 'u', 'c', 't', '.', 'p', 'r', 'o', 't', 'o', '\"', '\367', '\003', '\n', '\013', 'C', 'h', 'e', 'c', 'k', 'e', +'d', 'E', 'x', 'p', 'r', '\022', '\\', '\n', '\r', 'r', 'e', 'f', 'e', 'r', 'e', 'n', 'c', 'e', '_', 'm', 'a', 'p', '\030', '\002', ' ', +'\003', '(', '\013', '2', '7', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', +'l', 'p', 'h', 'a', '1', '.', 'C', 'h', 'e', 'c', 'k', 'e', 'd', 'E', 'x', 'p', 'r', '.', 'R', 'e', 'f', 'e', 'r', 'e', 'n', +'c', 'e', 'M', 'a', 'p', 'E', 'n', 't', 'r', 'y', 'R', '\014', 'r', 'e', 'f', 'e', 'r', 
'e', 'n', 'c', 'e', 'M', 'a', 'p', '\022', +'M', '\n', '\010', 't', 'y', 'p', 'e', '_', 'm', 'a', 'p', '\030', '\003', ' ', '\003', '(', '\013', '2', '2', '.', 'g', 'o', 'o', 'g', 'l', +'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'C', 'h', 'e', 'c', 'k', +'e', 'd', 'E', 'x', 'p', 'r', '.', 'T', 'y', 'p', 'e', 'M', 'a', 'p', 'E', 'n', 't', 'r', 'y', 'R', '\007', 't', 'y', 'p', 'e', +'M', 'a', 'p', '\022', 'E', '\n', '\013', 's', 'o', 'u', 'r', 'c', 'e', '_', 'i', 'n', 'f', 'o', '\030', '\005', ' ', '\001', '(', '\013', '2', +'$', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', +'1', '.', 'S', 'o', 'u', 'r', 'c', 'e', 'I', 'n', 'f', 'o', 'R', '\n', 's', 'o', 'u', 'r', 'c', 'e', 'I', 'n', 'f', 'o', '\022', +'2', '\n', '\004', 'e', 'x', 'p', 'r', '\030', '\004', ' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', +'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\004', 'e', 'x', 'p', +'r', '\032', 'd', '\n', '\021', 'R', 'e', 'f', 'e', 'r', 'e', 'n', 'c', 'e', 'M', 'a', 'p', 'E', 'n', 't', 'r', 'y', '\022', '\020', '\n', +'\003', 'k', 'e', 'y', '\030', '\001', ' ', '\001', '(', '\003', 'R', '\003', 'k', 'e', 'y', '\022', '9', '\n', '\005', 'v', 'a', 'l', 'u', 'e', '\030', +'\002', ' ', '\001', '(', '\013', '2', '#', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', +'1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'R', 'e', 'f', 'e', 'r', 'e', 'n', 'c', 'e', 'R', '\005', 'v', 'a', 'l', 'u', 'e', ':', +'\002', '8', '\001', '\032', 'Z', '\n', '\014', 'T', 'y', 'p', 'e', 'M', 'a', 'p', 'E', 'n', 't', 'r', 'y', '\022', '\020', '\n', '\003', 'k', 'e', +'y', '\030', '\001', ' ', '\001', '(', '\003', 'R', '\003', 'k', 'e', 'y', '\022', '4', '\n', '\005', 'v', 'a', 'l', 'u', 'e', '\030', '\002', ' ', '\001', +'(', '\013', '2', 
'\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', +'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', 'R', '\005', 'v', 'a', 'l', 'u', 'e', ':', '\002', '8', '\001', '\"', '\310', '\013', '\n', '\004', +'T', 'y', 'p', 'e', '\022', '*', '\n', '\003', 'd', 'y', 'n', '\030', '\001', ' ', '\001', '(', '\013', '2', '\026', '.', 'g', 'o', 'o', 'g', 'l', +'e', '.', 'p', 'r', 'o', 't', 'o', 'b', 'u', 'f', '.', 'E', 'm', 'p', 't', 'y', 'H', '\000', 'R', '\003', 'd', 'y', 'n', '\022', '0', +'\n', '\004', 'n', 'u', 'l', 'l', '\030', '\002', ' ', '\001', '(', '\016', '2', '\032', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'p', 'r', 'o', +'t', 'o', 'b', 'u', 'f', '.', 'N', 'u', 'l', 'l', 'V', 'a', 'l', 'u', 'e', 'H', '\000', 'R', '\004', 'n', 'u', 'l', 'l', '\022', 'L', +'\n', '\t', 'p', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', '\030', '\003', ' ', '\001', '(', '\016', '2', ',', '.', 'g', 'o', 'o', 'g', 'l', +'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', '.', +'P', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 'T', 'y', 'p', 'e', 'H', '\000', 'R', '\t', 'p', 'r', 'i', 'm', 'i', 't', 'i', 'v', +'e', '\022', 'H', '\n', '\007', 'w', 'r', 'a', 'p', 'p', 'e', 'r', '\030', '\004', ' ', '\001', '(', '\016', '2', ',', '.', 'g', 'o', 'o', 'g', +'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', +'.', 'P', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 'T', 'y', 'p', 'e', 'H', '\000', 'R', '\007', 'w', 'r', 'a', 'p', 'p', 'e', 'r', +'\022', 'M', '\n', '\n', 'w', 'e', 'l', 'l', '_', 'k', 'n', 'o', 'w', 'n', '\030', '\005', ' ', '\001', '(', '\016', '2', ',', '.', 'g', 'o', +'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', +'p', 'e', '.', 'W', 'e', 'l', 'l', 'K', 'n', 'o', 'w', 'n', 'T', 'y', 'p', 'e', 'H', '\000', 'R', '\t', 'w', 
'e', 'l', 'l', 'K', +'n', 'o', 'w', 'n', '\022', 'F', '\n', '\t', 'l', 'i', 's', 't', '_', 't', 'y', 'p', 'e', '\030', '\006', ' ', '\001', '(', '\013', '2', '\'', +'.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', +'.', 'T', 'y', 'p', 'e', '.', 'L', 'i', 's', 't', 'T', 'y', 'p', 'e', 'H', '\000', 'R', '\010', 'l', 'i', 's', 't', 'T', 'y', 'p', +'e', '\022', 'C', '\n', '\010', 'm', 'a', 'p', '_', 't', 'y', 'p', 'e', '\030', '\007', ' ', '\001', '(', '\013', '2', '&', '.', 'g', 'o', 'o', +'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', +'e', '.', 'M', 'a', 'p', 'T', 'y', 'p', 'e', 'H', '\000', 'R', '\007', 'm', 'a', 'p', 'T', 'y', 'p', 'e', '\022', 'I', '\n', '\010', 'f', +'u', 'n', 'c', 't', 'i', 'o', 'n', '\030', '\010', ' ', '\001', '(', '\013', '2', '+', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', +'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', '.', 'F', 'u', 'n', 'c', +'t', 'i', 'o', 'n', 'T', 'y', 'p', 'e', 'H', '\000', 'R', '\010', 'f', 'u', 'n', 'c', 't', 'i', 'o', 'n', '\022', '#', '\n', '\014', 'm', +'e', 's', 's', 'a', 'g', 'e', '_', 't', 'y', 'p', 'e', '\030', '\t', ' ', '\001', '(', '\t', 'H', '\000', 'R', '\013', 'm', 'e', 's', 's', +'a', 'g', 'e', 'T', 'y', 'p', 'e', '\022', '\037', '\n', '\n', 't', 'y', 'p', 'e', '_', 'p', 'a', 'r', 'a', 'm', '\030', '\n', ' ', '\001', +'(', '\t', 'H', '\000', 'R', '\t', 't', 'y', 'p', 'e', 'P', 'a', 'r', 'a', 'm', '\022', '4', '\n', '\004', 't', 'y', 'p', 'e', '\030', '\013', +' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', +'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', 'H', '\000', 'R', '\004', 't', 'y', 'p', 'e', '\022', '.', '\n', '\005', 'e', 'r', +'r', 'o', 'r', '\030', '\014', ' ', '\001', '(', '\013', '2', 
'\026', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'p', 'r', 'o', 't', 'o', 'b', +'u', 'f', '.', 'E', 'm', 'p', 't', 'y', 'H', '\000', 'R', '\005', 'e', 'r', 'r', 'o', 'r', '\022', 'R', '\n', '\r', 'a', 'b', 's', 't', +'r', 'a', 'c', 't', '_', 't', 'y', 'p', 'e', '\030', '\016', ' ', '\001', '(', '\013', '2', '+', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', +'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', '.', 'A', 'b', +'s', 't', 'r', 'a', 'c', 't', 'T', 'y', 'p', 'e', 'H', '\000', 'R', '\014', 'a', 'b', 's', 't', 'r', 'a', 'c', 't', 'T', 'y', 'p', +'e', '\032', 'G', '\n', '\010', 'L', 'i', 's', 't', 'T', 'y', 'p', 'e', '\022', ';', '\n', '\t', 'e', 'l', 'e', 'm', '_', 't', 'y', 'p', +'e', '\030', '\001', ' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', +'.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', 'R', '\010', 'e', 'l', 'e', 'm', 'T', 'y', 'p', 'e', '\032', +'\203', '\001', '\n', '\007', 'M', 'a', 'p', 'T', 'y', 'p', 'e', '\022', '9', '\n', '\010', 'k', 'e', 'y', '_', 't', 'y', 'p', 'e', '\030', '\001', +' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', +'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', 'R', '\007', 'k', 'e', 'y', 'T', 'y', 'p', 'e', '\022', '=', '\n', '\n', 'v', +'a', 'l', 'u', 'e', '_', 't', 'y', 'p', 'e', '\030', '\002', ' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', +'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', 'R', '\t', 'v', +'a', 'l', 'u', 'e', 'T', 'y', 'p', 'e', '\032', '\214', '\001', '\n', '\014', 'F', 'u', 'n', 'c', 't', 'i', 'o', 'n', 'T', 'y', 'p', 'e', +'\022', '?', '\n', '\013', 'r', 'e', 's', 'u', 'l', 't', '_', 't', 'y', 'p', 'e', '\030', '\001', ' ', '\001', '(', '\013', '2', '\036', '.', 'g', 
+'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', +'y', 'p', 'e', 'R', '\n', 'r', 'e', 's', 'u', 'l', 't', 'T', 'y', 'p', 'e', '\022', ';', '\n', '\t', 'a', 'r', 'g', '_', 't', 'y', +'p', 'e', 's', '\030', '\002', ' ', '\003', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', +'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', 'R', '\010', 'a', 'r', 'g', 'T', 'y', 'p', 'e', +'s', '\032', 'k', '\n', '\014', 'A', 'b', 's', 't', 'r', 'a', 'c', 't', 'T', 'y', 'p', 'e', '\022', '\022', '\n', '\004', 'n', 'a', 'm', 'e', +'\030', '\001', ' ', '\001', '(', '\t', 'R', '\004', 'n', 'a', 'm', 'e', '\022', 'G', '\n', '\017', 'p', 'a', 'r', 'a', 'm', 'e', 't', 'e', 'r', +'_', 't', 'y', 'p', 'e', 's', '\030', '\002', ' ', '\003', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', +'.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', 'R', '\016', 'p', 'a', 'r', 'a', +'m', 'e', 't', 'e', 'r', 'T', 'y', 'p', 'e', 's', '\"', 's', '\n', '\r', 'P', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 'T', 'y', +'p', 'e', '\022', '\036', '\n', '\032', 'P', 'R', 'I', 'M', 'I', 'T', 'I', 'V', 'E', '_', 'T', 'Y', 'P', 'E', '_', 'U', 'N', 'S', 'P', +'E', 'C', 'I', 'F', 'I', 'E', 'D', '\020', '\000', '\022', '\010', '\n', '\004', 'B', 'O', 'O', 'L', '\020', '\001', '\022', '\t', '\n', '\005', 'I', 'N', +'T', '6', '4', '\020', '\002', '\022', '\n', '\n', '\006', 'U', 'I', 'N', 'T', '6', '4', '\020', '\003', '\022', '\n', '\n', '\006', 'D', 'O', 'U', 'B', +'L', 'E', '\020', '\004', '\022', '\n', '\n', '\006', 'S', 'T', 'R', 'I', 'N', 'G', '\020', '\005', '\022', '\t', '\n', '\005', 'B', 'Y', 'T', 'E', 'S', +'\020', '\006', '\"', 'V', '\n', '\r', 'W', 'e', 'l', 'l', 'K', 'n', 'o', 'w', 'n', 'T', 'y', 'p', 'e', '\022', '\037', '\n', '\033', 'W', 'E', +'L', 'L', '_', 'K', 'N', 'O', 'W', 
'N', '_', 'T', 'Y', 'P', 'E', '_', 'U', 'N', 'S', 'P', 'E', 'C', 'I', 'F', 'I', 'E', 'D', +'\020', '\000', '\022', '\007', '\n', '\003', 'A', 'N', 'Y', '\020', '\001', '\022', '\r', '\n', '\t', 'T', 'I', 'M', 'E', 'S', 'T', 'A', 'M', 'P', '\020', +'\002', '\022', '\014', '\n', '\010', 'D', 'U', 'R', 'A', 'T', 'I', 'O', 'N', '\020', '\003', 'B', '\013', '\n', '\t', 't', 'y', 'p', 'e', '_', 'k', +'i', 'n', 'd', '\"', '\263', '\005', '\n', '\004', 'D', 'e', 'c', 'l', '\022', '\022', '\n', '\004', 'n', 'a', 'm', 'e', '\030', '\001', ' ', '\001', '(', +'\t', 'R', '\004', 'n', 'a', 'm', 'e', '\022', '@', '\n', '\005', 'i', 'd', 'e', 'n', 't', '\030', '\002', ' ', '\001', '(', '\013', '2', '(', '.', +'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', +'D', 'e', 'c', 'l', '.', 'I', 'd', 'e', 'n', 't', 'D', 'e', 'c', 'l', 'H', '\000', 'R', '\005', 'i', 'd', 'e', 'n', 't', '\022', 'I', +'\n', '\010', 'f', 'u', 'n', 'c', 't', 'i', 'o', 'n', '\030', '\003', ' ', '\001', '(', '\013', '2', '+', '.', 'g', 'o', 'o', 'g', 'l', 'e', +'.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'D', 'e', 'c', 'l', '.', 'F', +'u', 'n', 'c', 't', 'i', 'o', 'n', 'D', 'e', 'c', 'l', 'H', '\000', 'R', '\010', 'f', 'u', 'n', 'c', 't', 'i', 'o', 'n', '\032', '\213', +'\001', '\n', '\t', 'I', 'd', 'e', 'n', 't', 'D', 'e', 'c', 'l', '\022', '2', '\n', '\004', 't', 'y', 'p', 'e', '\030', '\001', ' ', '\001', '(', +'\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', +'h', 'a', '1', '.', 'T', 'y', 'p', 'e', 'R', '\004', 't', 'y', 'p', 'e', '\022', '8', '\n', '\005', 'v', 'a', 'l', 'u', 'e', '\030', '\002', +' ', '\001', '(', '\013', '2', '\"', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', +'a', 'l', 'p', 'h', 'a', '1', '.', 'C', 'o', 'n', 's', 't', 'a', 'n', 't', 
'R', '\005', 'v', 'a', 'l', 'u', 'e', '\022', '\020', '\n', +'\003', 'd', 'o', 'c', '\030', '\003', ' ', '\001', '(', '\t', 'R', '\003', 'd', 'o', 'c', '\032', '\356', '\002', '\n', '\014', 'F', 'u', 'n', 'c', 't', +'i', 'o', 'n', 'D', 'e', 'c', 'l', '\022', 'R', '\n', '\t', 'o', 'v', 'e', 'r', 'l', 'o', 'a', 'd', 's', '\030', '\001', ' ', '\003', '(', +'\013', '2', '4', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', +'h', 'a', '1', '.', 'D', 'e', 'c', 'l', '.', 'F', 'u', 'n', 'c', 't', 'i', 'o', 'n', 'D', 'e', 'c', 'l', '.', 'O', 'v', 'e', +'r', 'l', 'o', 'a', 'd', 'R', '\t', 'o', 'v', 'e', 'r', 'l', 'o', 'a', 'd', 's', '\032', '\211', '\002', '\n', '\010', 'O', 'v', 'e', 'r', +'l', 'o', 'a', 'd', '\022', '\037', '\n', '\013', 'o', 'v', 'e', 'r', 'l', 'o', 'a', 'd', '_', 'i', 'd', '\030', '\001', ' ', '\001', '(', '\t', +'R', '\n', 'o', 'v', 'e', 'r', 'l', 'o', 'a', 'd', 'I', 'd', '\022', '6', '\n', '\006', 'p', 'a', 'r', 'a', 'm', 's', '\030', '\002', ' ', +'\003', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', +'l', 'p', 'h', 'a', '1', '.', 'T', 'y', 'p', 'e', 'R', '\006', 'p', 'a', 'r', 'a', 'm', 's', '\022', '\037', '\n', '\013', 't', 'y', 'p', +'e', '_', 'p', 'a', 'r', 'a', 'm', 's', '\030', '\003', ' ', '\003', '(', '\t', 'R', '\n', 't', 'y', 'p', 'e', 'P', 'a', 'r', 'a', 'm', +'s', '\022', '?', '\n', '\013', 'r', 'e', 's', 'u', 'l', 't', '_', 't', 'y', 'p', 'e', '\030', '\004', ' ', '\001', '(', '\013', '2', '\036', '.', +'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', +'T', 'y', 'p', 'e', 'R', '\n', 'r', 'e', 's', 'u', 'l', 't', 'T', 'y', 'p', 'e', '\022', '0', '\n', '\024', 'i', 's', '_', 'i', 'n', +'s', 't', 'a', 'n', 'c', 'e', '_', 'f', 'u', 'n', 'c', 't', 'i', 'o', 'n', '\030', '\005', ' ', '\001', '(', '\010', 'R', '\022', 'i', 's', 
+'I', 'n', 's', 't', 'a', 'n', 'c', 'e', 'F', 'u', 'n', 'c', 't', 'i', 'o', 'n', '\022', '\020', '\n', '\003', 'd', 'o', 'c', '\030', '\006', +' ', '\001', '(', '\t', 'R', '\003', 'd', 'o', 'c', 'B', '\013', '\n', '\t', 'd', 'e', 'c', 'l', '_', 'k', 'i', 'n', 'd', '\"', 'z', '\n', +'\t', 'R', 'e', 'f', 'e', 'r', 'e', 'n', 'c', 'e', '\022', '\022', '\n', '\004', 'n', 'a', 'm', 'e', '\030', '\001', ' ', '\001', '(', '\t', 'R', +'\004', 'n', 'a', 'm', 'e', '\022', '\037', '\n', '\013', 'o', 'v', 'e', 'r', 'l', 'o', 'a', 'd', '_', 'i', 'd', '\030', '\003', ' ', '\003', '(', +'\t', 'R', '\n', 'o', 'v', 'e', 'r', 'l', 'o', 'a', 'd', 'I', 'd', '\022', '8', '\n', '\005', 'v', 'a', 'l', 'u', 'e', '\030', '\004', ' ', +'\001', '(', '\013', '2', '\"', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', +'l', 'p', 'h', 'a', '1', '.', 'C', 'o', 'n', 's', 't', 'a', 'n', 't', 'R', '\005', 'v', 'a', 'l', 'u', 'e', 'B', 'l', '\n', '\034', +'c', 'o', 'm', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', +'h', 'a', '1', 'B', '\t', 'D', 'e', 'c', 'l', 'P', 'r', 'o', 't', 'o', 'P', '\001', 'Z', '<', 'g', 'o', 'o', 'g', 'l', 'e', '.', +'g', 'o', 'l', 'a', 'n', 'g', '.', 'o', 'r', 'g', '/', 'g', 'e', 'n', 'p', 'r', 'o', 't', 'o', '/', 'g', 'o', 'o', 'g', 'l', +'e', 'a', 'p', 'i', 's', '/', 'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', ';', 'e', +'x', 'p', 'r', '\370', '\001', '\001', 'b', '\006', 'p', 'r', 'o', 't', 'o', '3', +}; + +static upb_def_init *deps[4] = { + &google_api_expr_v1alpha1_syntax_proto_upbdefinit, + &google_protobuf_empty_proto_upbdefinit, + &google_protobuf_struct_proto_upbdefinit, + NULL +}; + +upb_def_init google_api_expr_v1alpha1_checked_proto_upbdefinit = { + deps, + &google_api_expr_v1alpha1_checked_proto_upb_file_layout, + "google/api/expr/v1alpha1/checked.proto", + UPB_STRVIEW_INIT(descriptor, 3089) +}; 
diff --git a/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h new file mode 100644 index 00000000000..539e255c606 --- /dev/null +++ b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h 
@@ -0,0 +1,95 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * google/api/expr/v1alpha1/checked.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#ifndef GOOGLE_API_EXPR_V1ALPHA1_CHECKED_PROTO_UPBDEFS_H_ +#define GOOGLE_API_EXPR_V1ALPHA1_CHECKED_PROTO_UPBDEFS_H_ + +#include "upb/def.h" +#include "upb/port_def.inc" +#ifdef __cplusplus +extern "C" { +#endif + +#include "upb/def.h" + +#include "upb/port_def.inc" + +extern upb_def_init google_api_expr_v1alpha1_checked_proto_upbdefinit; + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_CheckedExpr_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.CheckedExpr"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_CheckedExpr_ReferenceMapEntry_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.CheckedExpr.ReferenceMapEntry"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_CheckedExpr_TypeMapEntry_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.CheckedExpr.TypeMapEntry"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Type_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Type"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Type_ListType_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Type.ListType"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Type_MapType_getmsgdef(upb_symtab 
*s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Type.MapType"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Type_FunctionType_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Type.FunctionType"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Type_AbstractType_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Type.AbstractType"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Decl_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Decl"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Decl_IdentDecl_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Decl.IdentDecl"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Decl_FunctionDecl_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Decl.FunctionDecl"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Decl_FunctionDecl_Overload_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Decl.FunctionDecl.Overload"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Reference_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_checked_proto_upbdefinit); + return upb_symtab_lookupmsg(s, 
"google.api.expr.v1alpha1.Reference"); +} + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#include "upb/port_undef.inc" + +#endif /* GOOGLE_API_EXPR_V1ALPHA1_CHECKED_PROTO_UPBDEFS_H_ */ diff --git a/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c new file mode 100644 index 00000000000..71a31f0c66a --- /dev/null +++ b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c 
@@ -0,0 +1,58 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * google/api/expr/v1alpha1/eval.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#include "upb/def.h" +#include "google/api/expr/v1alpha1/eval.upbdefs.h" +#include "google/api/expr/v1alpha1/eval.upb.h" + +extern upb_def_init google_api_expr_v1alpha1_value_proto_upbdefinit; +extern upb_def_init google_rpc_status_proto_upbdefinit; +static const char descriptor[738] = {'\n', '#', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', +'1', '/', 'e', 'v', 'a', 'l', '.', 'p', 'r', 'o', 't', 'o', '\022', '\030', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', +'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '\032', '$', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'a', 'p', 'i', +'/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '/', 'v', 'a', 'l', 'u', 'e', '.', 'p', 'r', 'o', 't', +'o', '\032', '\027', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'r', 'p', 'c', '/', 's', 't', 'a', 't', 'u', 's', '.', 'p', 'r', 'o', 't', +'o', '\"', '\302', '\001', '\n', '\t', 'E', 'v', 'a', 'l', 'S', 't', 'a', 't', 'e', '\022', ';', '\n', '\006', 'v', 'a', 'l', 'u', 'e', 's', +'\030', '\001', ' ', '\003', '(', '\013', '2', '#', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', +'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'V', 'a', 'l', 'u', 'e', 'R', '\006', 'v', 'a', 'l', 'u', 'e', +'s', '\022', 'D', '\n', '\007', 'r', 'e', 's', 'u', 'l', 't', 's', '\030', '\003', ' ', '\003', '(', '\013', '2', '*', '.', 'g', 'o', 'o', 'g', +'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'v', 'a', 'l', +'S', 't', 'a', 't', 'e', '.', 'R', 'e', 's', 'u', 'l', 't', 'R', '\007', 'r', 'e', 's', 'u', 'l', 't', 's', '\032', '2', '\n', '\006', +'R', 'e', 's', 
'u', 'l', 't', '\022', '\022', '\n', '\004', 'e', 'x', 'p', 'r', '\030', '\001', ' ', '\001', '(', '\003', 'R', '\004', 'e', 'x', 'p', +'r', '\022', '\024', '\n', '\005', 'v', 'a', 'l', 'u', 'e', '\030', '\002', ' ', '\001', '(', '\003', 'R', '\005', 'v', 'a', 'l', 'u', 'e', '\"', '\312', +'\001', '\n', '\t', 'E', 'x', 'p', 'r', 'V', 'a', 'l', 'u', 'e', '\022', '7', '\n', '\005', 'v', 'a', 'l', 'u', 'e', '\030', '\001', ' ', '\001', +'(', '\013', '2', '\037', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', +'p', 'h', 'a', '1', '.', 'V', 'a', 'l', 'u', 'e', 'H', '\000', 'R', '\005', 'v', 'a', 'l', 'u', 'e', '\022', ':', '\n', '\005', 'e', 'r', +'r', 'o', 'r', '\030', '\002', ' ', '\001', '(', '\013', '2', '\"', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', +'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'r', 'r', 'o', 'r', 'S', 'e', 't', 'H', '\000', 'R', '\005', 'e', +'r', 'r', 'o', 'r', '\022', '@', '\n', '\007', 'u', 'n', 'k', 'n', 'o', 'w', 'n', '\030', '\003', ' ', '\001', '(', '\013', '2', '$', '.', 'g', +'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'U', +'n', 'k', 'n', 'o', 'w', 'n', 'S', 'e', 't', 'H', '\000', 'R', '\007', 'u', 'n', 'k', 'n', 'o', 'w', 'n', 'B', '\006', '\n', '\004', 'k', +'i', 'n', 'd', '\"', '6', '\n', '\010', 'E', 'r', 'r', 'o', 'r', 'S', 'e', 't', '\022', '*', '\n', '\006', 'e', 'r', 'r', 'o', 'r', 's', +'\030', '\001', ' ', '\003', '(', '\013', '2', '\022', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'r', 'p', 'c', '.', 'S', 't', 'a', 't', 'u', +'s', 'R', '\006', 'e', 'r', 'r', 'o', 'r', 's', '\"', '\"', '\n', '\n', 'U', 'n', 'k', 'n', 'o', 'w', 'n', 'S', 'e', 't', '\022', '\024', +'\n', '\005', 'e', 'x', 'p', 'r', 's', '\030', '\001', ' ', '\003', '(', '\003', 'R', '\005', 'e', 'x', 'p', 'r', 's', 'B', 'l', '\n', '\034', 'c', +'o', 'm', '.', 'g', 'o', 'o', 'g', 'l', 
'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', +'a', '1', 'B', '\t', 'E', 'v', 'a', 'l', 'P', 'r', 'o', 't', 'o', 'P', '\001', 'Z', '<', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'g', +'o', 'l', 'a', 'n', 'g', '.', 'o', 'r', 'g', '/', 'g', 'e', 'n', 'p', 'r', 'o', 't', 'o', '/', 'g', 'o', 'o', 'g', 'l', 'e', +'a', 'p', 'i', 's', '/', 'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', ';', 'e', 'x', +'p', 'r', '\370', '\001', '\001', 'b', '\006', 'p', 'r', 'o', 't', 'o', '3', +}; + +static upb_def_init *deps[3] = { + &google_api_expr_v1alpha1_value_proto_upbdefinit, + &google_rpc_status_proto_upbdefinit, + NULL +}; + +upb_def_init google_api_expr_v1alpha1_eval_proto_upbdefinit = { + deps, + &google_api_expr_v1alpha1_eval_proto_upb_file_layout, + "google/api/expr/v1alpha1/eval.proto", + UPB_STRVIEW_INIT(descriptor, 738) +}; diff --git a/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h new file mode 100644 index 00000000000..aba88bc8c26 --- /dev/null +++ b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h 
@@ -0,0 +1,55 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * google/api/expr/v1alpha1/eval.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#ifndef GOOGLE_API_EXPR_V1ALPHA1_EVAL_PROTO_UPBDEFS_H_ +#define GOOGLE_API_EXPR_V1ALPHA1_EVAL_PROTO_UPBDEFS_H_ + +#include "upb/def.h" +#include "upb/port_def.inc" +#ifdef __cplusplus +extern "C" { +#endif + +#include "upb/def.h" + +#include "upb/port_def.inc" + +extern upb_def_init google_api_expr_v1alpha1_eval_proto_upbdefinit; + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_EvalState_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_eval_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.EvalState"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_EvalState_Result_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_eval_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.EvalState.Result"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_ExprValue_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_eval_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.ExprValue"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_ErrorSet_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_eval_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.ErrorSet"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_UnknownSet_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_eval_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.UnknownSet"); +} + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#include "upb/port_undef.inc" + +#endif /* GOOGLE_API_EXPR_V1ALPHA1_EVAL_PROTO_UPBDEFS_H_ */ 
diff --git a/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c new file mode 100644 index 00000000000..9bb469f66c4 --- /dev/null +++ b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c 
@@ -0,0 +1,44 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * google/api/expr/v1alpha1/explain.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#include "upb/def.h" +#include "google/api/expr/v1alpha1/explain.upbdefs.h" +#include "google/api/expr/v1alpha1/explain.upb.h" + +extern upb_def_init google_api_expr_v1alpha1_value_proto_upbdefinit; +static const char descriptor[434] = {'\n', '&', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', +'1', '/', 'e', 'x', 'p', 'l', 'a', 'i', 'n', '.', 'p', 'r', 'o', 't', 'o', '\022', '\030', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', +'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '\032', '$', 'g', 'o', 'o', 'g', 'l', 'e', '/', +'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '/', 'v', 'a', 'l', 'u', 'e', '.', 'p', +'r', 'o', 't', 'o', '\"', '\316', '\001', '\n', '\007', 'E', 'x', 'p', 'l', 'a', 'i', 'n', '\022', '7', '\n', '\006', 'v', 'a', 'l', 'u', 'e', +'s', '\030', '\001', ' ', '\003', '(', '\013', '2', '\037', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', +'.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'V', 'a', 'l', 'u', 'e', 'R', '\006', 'v', 'a', 'l', 'u', 'e', 's', '\022', 'I', +'\n', '\n', 'e', 'x', 'p', 'r', '_', 's', 't', 'e', 'p', 's', '\030', '\002', ' ', '\003', '(', '\013', '2', '*', '.', 'g', 'o', 'o', 'g', +'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'l', +'a', 'i', 'n', '.', 'E', 'x', 'p', 'r', 'S', 't', 'e', 'p', 'R', '\t', 'e', 'x', 'p', 'r', 'S', 't', 'e', 'p', 's', '\032', ';', +'\n', '\010', 'E', 'x', 'p', 'r', 'S', 't', 'e', 'p', '\022', '\016', '\n', '\002', 'i', 'd', '\030', '\001', ' ', '\001', '(', '\003', 'R', '\002', 'i', +'d', '\022', '\037', '\n', '\013', 'v', 
'a', 'l', 'u', 'e', '_', 'i', 'n', 'd', 'e', 'x', '\030', '\002', ' ', '\001', '(', '\005', 'R', '\n', 'v', +'a', 'l', 'u', 'e', 'I', 'n', 'd', 'e', 'x', ':', '\002', '\030', '\001', 'B', 'o', '\n', '\034', 'c', 'o', 'm', '.', 'g', 'o', 'o', 'g', +'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', 'B', '\014', 'E', 'x', 'p', +'l', 'a', 'i', 'n', 'P', 'r', 'o', 't', 'o', 'P', '\001', 'Z', '<', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'g', 'o', 'l', 'a', 'n', +'g', '.', 'o', 'r', 'g', '/', 'g', 'e', 'n', 'p', 'r', 'o', 't', 'o', '/', 'g', 'o', 'o', 'g', 'l', 'e', 'a', 'p', 'i', 's', +'/', 'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', ';', 'e', 'x', 'p', 'r', '\370', '\001', +'\001', 'b', '\006', 'p', 'r', 'o', 't', 'o', '3', +}; + +static upb_def_init *deps[2] = { + &google_api_expr_v1alpha1_value_proto_upbdefinit, + NULL +}; + +upb_def_init google_api_expr_v1alpha1_explain_proto_upbdefinit = { + deps, + &google_api_expr_v1alpha1_explain_proto_upb_file_layout, + "google/api/expr/v1alpha1/explain.proto", + UPB_STRVIEW_INIT(descriptor, 434) +}; diff --git a/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h new file mode 100644 index 00000000000..e7c7c090c4c --- /dev/null +++ b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h 
@@ -0,0 +1,40 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * google/api/expr/v1alpha1/explain.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#ifndef GOOGLE_API_EXPR_V1ALPHA1_EXPLAIN_PROTO_UPBDEFS_H_ +#define GOOGLE_API_EXPR_V1ALPHA1_EXPLAIN_PROTO_UPBDEFS_H_ + +#include "upb/def.h" +#include "upb/port_def.inc" +#ifdef __cplusplus +extern "C" { +#endif + +#include "upb/def.h" + +#include "upb/port_def.inc" + +extern upb_def_init google_api_expr_v1alpha1_explain_proto_upbdefinit; + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Explain_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_explain_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Explain"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Explain_ExprStep_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_explain_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Explain.ExprStep"); +} + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#include "upb/port_undef.inc" + +#endif /* GOOGLE_API_EXPR_V1ALPHA1_EXPLAIN_PROTO_UPBDEFS_H_ */ diff --git a/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c new file mode 100644 index 00000000000..5219acb73d0 --- /dev/null +++ b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c 
@@ -0,0 +1,153 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * google/api/expr/v1alpha1/syntax.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#include "upb/def.h" +#include "google/api/expr/v1alpha1/syntax.upbdefs.h" +#include "google/api/expr/v1alpha1/syntax.upb.h" + +extern upb_def_init google_protobuf_duration_proto_upbdefinit; +extern upb_def_init google_protobuf_struct_proto_upbdefinit; +extern upb_def_init google_protobuf_timestamp_proto_upbdefinit; +static const char descriptor[3059] = {'\n', '%', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', +'1', '/', 's', 'y', 'n', 't', 'a', 'x', '.', 'p', 'r', 'o', 't', 'o', '\022', '\030', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', +'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '\032', '\036', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'p', +'r', 'o', 't', 'o', 'b', 'u', 'f', '/', 'd', 'u', 'r', 'a', 't', 'i', 'o', 'n', '.', 'p', 'r', 'o', 't', 'o', '\032', '\034', 'g', +'o', 'o', 'g', 'l', 'e', '/', 'p', 'r', 'o', 't', 'o', 'b', 'u', 'f', '/', 's', 't', 'r', 'u', 'c', 't', '.', 'p', 'r', 'o', +'t', 'o', '\032', '\037', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'p', 'r', 'o', 't', 'o', 'b', 'u', 'f', '/', 't', 'i', 'm', 'e', 's', +'t', 'a', 'm', 'p', '.', 'p', 'r', 'o', 't', 'o', '\"', '\207', '\001', '\n', '\n', 'P', 'a', 'r', 's', 'e', 'd', 'E', 'x', 'p', 'r', +'\022', '2', '\n', '\004', 'e', 'x', 'p', 'r', '\030', '\002', ' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', +'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\004', 'e', 'x', +'p', 'r', '\022', 'E', '\n', '\013', 's', 'o', 'u', 'r', 'c', 'e', '_', 'i', 'n', 'f', 'o', '\030', '\003', ' ', '\001', '(', '\013', '2', '$', +'.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 
'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', +'.', 'S', 'o', 'u', 'r', 'c', 'e', 'I', 'n', 'f', 'o', 'R', '\n', 's', 'o', 'u', 'r', 'c', 'e', 'I', 'n', 'f', 'o', '\"', '\334', +'\014', '\n', '\004', 'E', 'x', 'p', 'r', '\022', '\016', '\n', '\002', 'i', 'd', '\030', '\002', ' ', '\001', '(', '\003', 'R', '\002', 'i', 'd', '\022', 'C', +'\n', '\n', 'c', 'o', 'n', 's', 't', '_', 'e', 'x', 'p', 'r', '\030', '\003', ' ', '\001', '(', '\013', '2', '\"', '.', 'g', 'o', 'o', 'g', +'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'C', 'o', 'n', 's', +'t', 'a', 'n', 't', 'H', '\000', 'R', '\t', 'c', 'o', 'n', 's', 't', 'E', 'x', 'p', 'r', '\022', 'E', '\n', '\n', 'i', 'd', 'e', 'n', +'t', '_', 'e', 'x', 'p', 'r', '\030', '\004', ' ', '\001', '(', '\013', '2', '$', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', +'.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', '.', 'I', 'd', 'e', 'n', 't', +'H', '\000', 'R', '\t', 'i', 'd', 'e', 'n', 't', 'E', 'x', 'p', 'r', '\022', 'H', '\n', '\013', 's', 'e', 'l', 'e', 'c', 't', '_', 'e', +'x', 'p', 'r', '\030', '\005', ' ', '\001', '(', '\013', '2', '%', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', +'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', '.', 'S', 'e', 'l', 'e', 'c', 't', 'H', '\000', +'R', '\n', 's', 'e', 'l', 'e', 'c', 't', 'E', 'x', 'p', 'r', '\022', 'B', '\n', '\t', 'c', 'a', 'l', 'l', '_', 'e', 'x', 'p', 'r', +'\030', '\006', ' ', '\001', '(', '\013', '2', '#', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', +'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', '.', 'C', 'a', 'l', 'l', 'H', '\000', 'R', '\010', 'c', 'a', 'l', +'l', 'E', 'x', 'p', 'r', '\022', 'H', '\n', '\t', 'l', 'i', 's', 't', '_', 'e', 'x', 'p', 'r', '\030', '\007', ' ', '\001', '(', '\013', '2', +')', '.', 'g', 'o', 'o', 'g', 
'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', +'1', '.', 'E', 'x', 'p', 'r', '.', 'C', 'r', 'e', 'a', 't', 'e', 'L', 'i', 's', 't', 'H', '\000', 'R', '\010', 'l', 'i', 's', 't', +'E', 'x', 'p', 'r', '\022', 'N', '\n', '\013', 's', 't', 'r', 'u', 'c', 't', '_', 'e', 'x', 'p', 'r', '\030', '\010', ' ', '\001', '(', '\013', +'2', '+', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', +'a', '1', '.', 'E', 'x', 'p', 'r', '.', 'C', 'r', 'e', 'a', 't', 'e', 'S', 't', 'r', 'u', 'c', 't', 'H', '\000', 'R', '\n', 's', +'t', 'r', 'u', 'c', 't', 'E', 'x', 'p', 'r', '\022', ']', '\n', '\022', 'c', 'o', 'm', 'p', 'r', 'e', 'h', 'e', 'n', 's', 'i', 'o', +'n', '_', 'e', 'x', 'p', 'r', '\030', '\t', ' ', '\001', '(', '\013', '2', ',', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', +'.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', '.', 'C', 'o', 'm', 'p', 'r', +'e', 'h', 'e', 'n', 's', 'i', 'o', 'n', 'H', '\000', 'R', '\021', 'c', 'o', 'm', 'p', 'r', 'e', 'h', 'e', 'n', 's', 'i', 'o', 'n', +'E', 'x', 'p', 'r', '\032', '\033', '\n', '\005', 'I', 'd', 'e', 'n', 't', '\022', '\022', '\n', '\004', 'n', 'a', 'm', 'e', '\030', '\001', ' ', '\001', +'(', '\t', 'R', '\004', 'n', 'a', 'm', 'e', '\032', 'u', '\n', '\006', 'S', 'e', 'l', 'e', 'c', 't', '\022', '8', '\n', '\007', 'o', 'p', 'e', +'r', 'a', 'n', 'd', '\030', '\001', ' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', +'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\007', 'o', 'p', 'e', 'r', 'a', 'n', +'d', '\022', '\024', '\n', '\005', 'f', 'i', 'e', 'l', 'd', '\030', '\002', ' ', '\001', '(', '\t', 'R', '\005', 'f', 'i', 'e', 'l', 'd', '\022', '\033', +'\n', '\t', 't', 'e', 's', 't', '_', 'o', 'n', 'l', 'y', '\030', '\003', ' ', '\001', '(', '\010', 'R', '\010', 't', 
'e', 's', 't', 'O', 'n', +'l', 'y', '\032', '\216', '\001', '\n', '\004', 'C', 'a', 'l', 'l', '\022', '6', '\n', '\006', 't', 'a', 'r', 'g', 'e', 't', '\030', '\001', ' ', '\001', +'(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', +'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\006', 't', 'a', 'r', 'g', 'e', 't', '\022', '\032', '\n', '\010', 'f', 'u', 'n', 'c', +'t', 'i', 'o', 'n', '\030', '\002', ' ', '\001', '(', '\t', 'R', '\010', 'f', 'u', 'n', 'c', 't', 'i', 'o', 'n', '\022', '2', '\n', '\004', 'a', +'r', 'g', 's', '\030', '\003', ' ', '\003', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', +'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\004', 'a', 'r', 'g', 's', '\032', 'H', '\n', +'\n', 'C', 'r', 'e', 'a', 't', 'e', 'L', 'i', 's', 't', '\022', ':', '\n', '\010', 'e', 'l', 'e', 'm', 'e', 'n', 't', 's', '\030', '\001', +' ', '\003', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', +'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\010', 'e', 'l', 'e', 'm', 'e', 'n', 't', 's', '\032', '\264', '\002', '\n', +'\014', 'C', 'r', 'e', 'a', 't', 'e', 'S', 't', 'r', 'u', 'c', 't', '\022', '!', '\n', '\014', 'm', 'e', 's', 's', 'a', 'g', 'e', '_', +'n', 'a', 'm', 'e', '\030', '\001', ' ', '\001', '(', '\t', 'R', '\013', 'm', 'e', 's', 's', 'a', 'g', 'e', 'N', 'a', 'm', 'e', '\022', 'K', +'\n', '\007', 'e', 'n', 't', 'r', 'i', 'e', 's', '\030', '\002', ' ', '\003', '(', '\013', '2', '1', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', +'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', '.', 'C', 'r', +'e', 'a', 't', 'e', 'S', 't', 'r', 'u', 'c', 't', '.', 'E', 'n', 't', 'r', 'y', 'R', '\007', 'e', 'n', 't', 'r', 'i', 'e', 's', +'\032', '\263', '\001', '\n', '\005', 
'E', 'n', 't', 'r', 'y', '\022', '\016', '\n', '\002', 'i', 'd', '\030', '\001', ' ', '\001', '(', '\003', 'R', '\002', 'i', +'d', '\022', '\035', '\n', '\t', 'f', 'i', 'e', 'l', 'd', '_', 'k', 'e', 'y', '\030', '\002', ' ', '\001', '(', '\t', 'H', '\000', 'R', '\010', 'f', +'i', 'e', 'l', 'd', 'K', 'e', 'y', '\022', '9', '\n', '\007', 'm', 'a', 'p', '_', 'k', 'e', 'y', '\030', '\003', ' ', '\001', '(', '\013', '2', +'\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', +'1', '.', 'E', 'x', 'p', 'r', 'H', '\000', 'R', '\006', 'm', 'a', 'p', 'K', 'e', 'y', '\022', '4', '\n', '\005', 'v', 'a', 'l', 'u', 'e', +'\030', '\004', ' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', +'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\005', 'v', 'a', 'l', 'u', 'e', 'B', '\n', '\n', '\010', 'k', +'e', 'y', '_', 'k', 'i', 'n', 'd', '\032', '\375', '\002', '\n', '\r', 'C', 'o', 'm', 'p', 'r', 'e', 'h', 'e', 'n', 's', 'i', 'o', 'n', +'\022', '\031', '\n', '\010', 'i', 't', 'e', 'r', '_', 'v', 'a', 'r', '\030', '\001', ' ', '\001', '(', '\t', 'R', '\007', 'i', 't', 'e', 'r', 'V', +'a', 'r', '\022', '=', '\n', '\n', 'i', 't', 'e', 'r', '_', 'r', 'a', 'n', 'g', 'e', '\030', '\002', ' ', '\001', '(', '\013', '2', '\036', '.', +'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', +'E', 'x', 'p', 'r', 'R', '\t', 'i', 't', 'e', 'r', 'R', 'a', 'n', 'g', 'e', '\022', '\031', '\n', '\010', 'a', 'c', 'c', 'u', '_', 'v', +'a', 'r', '\030', '\003', ' ', '\001', '(', '\t', 'R', '\007', 'a', 'c', 'c', 'u', 'V', 'a', 'r', '\022', ';', '\n', '\t', 'a', 'c', 'c', 'u', +'_', 'i', 'n', 'i', 't', '\030', '\004', ' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', +'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 
'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\010', 'a', 'c', 'c', 'u', 'I', +'n', 'i', 't', '\022', 'E', '\n', '\016', 'l', 'o', 'o', 'p', '_', 'c', 'o', 'n', 'd', 'i', 't', 'i', 'o', 'n', '\030', '\005', ' ', '\001', +'(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', +'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\r', 'l', 'o', 'o', 'p', 'C', 'o', 'n', 'd', 'i', 't', 'i', 'o', 'n', '\022', +';', '\n', '\t', 'l', 'o', 'o', 'p', '_', 's', 't', 'e', 'p', '\030', '\006', ' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', +'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', +'R', '\010', 'l', 'o', 'o', 'p', 'S', 't', 'e', 'p', '\022', '6', '\n', '\006', 'r', 'e', 's', 'u', 'l', 't', '\030', '\007', ' ', '\001', '(', +'\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', +'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\006', 'r', 'e', 's', 'u', 'l', 't', 'B', '\013', '\n', '\t', 'e', 'x', 'p', 'r', '_', +'k', 'i', 'n', 'd', '\"', '\301', '\003', '\n', '\010', 'C', 'o', 'n', 's', 't', 'a', 'n', 't', '\022', ';', '\n', '\n', 'n', 'u', 'l', 'l', +'_', 'v', 'a', 'l', 'u', 'e', '\030', '\001', ' ', '\001', '(', '\016', '2', '\032', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'p', 'r', 'o', +'t', 'o', 'b', 'u', 'f', '.', 'N', 'u', 'l', 'l', 'V', 'a', 'l', 'u', 'e', 'H', '\000', 'R', '\t', 'n', 'u', 'l', 'l', 'V', 'a', +'l', 'u', 'e', '\022', '\037', '\n', '\n', 'b', 'o', 'o', 'l', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\002', ' ', '\001', '(', '\010', 'H', '\000', +'R', '\t', 'b', 'o', 'o', 'l', 'V', 'a', 'l', 'u', 'e', '\022', '!', '\n', '\013', 'i', 'n', 't', '6', '4', '_', 'v', 'a', 'l', 'u', +'e', '\030', '\003', ' ', '\001', '(', '\003', 'H', '\000', 'R', '\n', 'i', 'n', 't', '6', '4', 'V', 'a', 'l', 'u', 'e', '\022', '#', '\n', 
'\014', +'u', 'i', 'n', 't', '6', '4', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\004', ' ', '\001', '(', '\004', 'H', '\000', 'R', '\013', 'u', 'i', 'n', +'t', '6', '4', 'V', 'a', 'l', 'u', 'e', '\022', '#', '\n', '\014', 'd', 'o', 'u', 'b', 'l', 'e', '_', 'v', 'a', 'l', 'u', 'e', '\030', +'\005', ' ', '\001', '(', '\001', 'H', '\000', 'R', '\013', 'd', 'o', 'u', 'b', 'l', 'e', 'V', 'a', 'l', 'u', 'e', '\022', '#', '\n', '\014', 's', +'t', 'r', 'i', 'n', 'g', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\006', ' ', '\001', '(', '\t', 'H', '\000', 'R', '\013', 's', 't', 'r', 'i', +'n', 'g', 'V', 'a', 'l', 'u', 'e', '\022', '!', '\n', '\013', 'b', 'y', 't', 'e', 's', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\007', ' ', +'\001', '(', '\014', 'H', '\000', 'R', '\n', 'b', 'y', 't', 'e', 's', 'V', 'a', 'l', 'u', 'e', '\022', 'F', '\n', '\016', 'd', 'u', 'r', 'a', +'t', 'i', 'o', 'n', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\010', ' ', '\001', '(', '\013', '2', '\031', '.', 'g', 'o', 'o', 'g', 'l', 'e', +'.', 'p', 'r', 'o', 't', 'o', 'b', 'u', 'f', '.', 'D', 'u', 'r', 'a', 't', 'i', 'o', 'n', 'B', '\002', '\030', '\001', 'H', '\000', 'R', +'\r', 'd', 'u', 'r', 'a', 't', 'i', 'o', 'n', 'V', 'a', 'l', 'u', 'e', '\022', 'I', '\n', '\017', 't', 'i', 'm', 'e', 's', 't', 'a', +'m', 'p', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\t', ' ', '\001', '(', '\013', '2', '\032', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'p', +'r', 'o', 't', 'o', 'b', 'u', 'f', '.', 'T', 'i', 'm', 'e', 's', 't', 'a', 'm', 'p', 'B', '\002', '\030', '\001', 'H', '\000', 'R', '\016', +'t', 'i', 'm', 'e', 's', 't', 'a', 'm', 'p', 'V', 'a', 'l', 'u', 'e', 'B', '\017', '\n', '\r', 'c', 'o', 'n', 's', 't', 'a', 'n', +'t', '_', 'k', 'i', 'n', 'd', '\"', '\271', '\003', '\n', '\n', 'S', 'o', 'u', 'r', 'c', 'e', 'I', 'n', 'f', 'o', '\022', '%', '\n', '\016', +'s', 'y', 'n', 't', 'a', 'x', '_', 'v', 'e', 'r', 's', 'i', 'o', 'n', '\030', '\001', ' ', '\001', '(', '\t', 'R', '\r', 's', 'y', 'n', +'t', 'a', 'x', 'V', 'e', 'r', 's', 
'i', 'o', 'n', '\022', '\032', '\n', '\010', 'l', 'o', 'c', 'a', 't', 'i', 'o', 'n', '\030', '\002', ' ', +'\001', '(', '\t', 'R', '\010', 'l', 'o', 'c', 'a', 't', 'i', 'o', 'n', '\022', '!', '\n', '\014', 'l', 'i', 'n', 'e', '_', 'o', 'f', 'f', +'s', 'e', 't', 's', '\030', '\003', ' ', '\003', '(', '\005', 'R', '\013', 'l', 'i', 'n', 'e', 'O', 'f', 'f', 's', 'e', 't', 's', '\022', 'Q', +'\n', '\t', 'p', 'o', 's', 'i', 't', 'i', 'o', 'n', 's', '\030', '\004', ' ', '\003', '(', '\013', '2', '3', '.', 'g', 'o', 'o', 'g', 'l', +'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'S', 'o', 'u', 'r', 'c', +'e', 'I', 'n', 'f', 'o', '.', 'P', 'o', 's', 'i', 't', 'i', 'o', 'n', 's', 'E', 'n', 't', 'r', 'y', 'R', '\t', 'p', 'o', 's', +'i', 't', 'i', 'o', 'n', 's', '\022', 'U', '\n', '\013', 'm', 'a', 'c', 'r', 'o', '_', 'c', 'a', 'l', 'l', 's', '\030', '\005', ' ', '\003', +'(', '\013', '2', '4', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', +'p', 'h', 'a', '1', '.', 'S', 'o', 'u', 'r', 'c', 'e', 'I', 'n', 'f', 'o', '.', 'M', 'a', 'c', 'r', 'o', 'C', 'a', 'l', 'l', +'s', 'E', 'n', 't', 'r', 'y', 'R', '\n', 'm', 'a', 'c', 'r', 'o', 'C', 'a', 'l', 'l', 's', '\032', '<', '\n', '\016', 'P', 'o', 's', +'i', 't', 'i', 'o', 'n', 's', 'E', 'n', 't', 'r', 'y', '\022', '\020', '\n', '\003', 'k', 'e', 'y', '\030', '\001', ' ', '\001', '(', '\003', 'R', +'\003', 'k', 'e', 'y', '\022', '\024', '\n', '\005', 'v', 'a', 'l', 'u', 'e', '\030', '\002', ' ', '\001', '(', '\005', 'R', '\005', 'v', 'a', 'l', 'u', +'e', ':', '\002', '8', '\001', '\032', ']', '\n', '\017', 'M', 'a', 'c', 'r', 'o', 'C', 'a', 'l', 'l', 's', 'E', 'n', 't', 'r', 'y', '\022', +'\020', '\n', '\003', 'k', 'e', 'y', '\030', '\001', ' ', '\001', '(', '\003', 'R', '\003', 'k', 'e', 'y', '\022', '4', '\n', '\005', 'v', 'a', 'l', 'u', +'e', '\030', '\002', ' ', '\001', '(', '\013', '2', '\036', '.', 'g', 'o', 'o', 'g', 
'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', +'.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'E', 'x', 'p', 'r', 'R', '\005', 'v', 'a', 'l', 'u', 'e', ':', '\002', '8', '\001', +'\"', 'p', '\n', '\016', 'S', 'o', 'u', 'r', 'c', 'e', 'P', 'o', 's', 'i', 't', 'i', 'o', 'n', '\022', '\032', '\n', '\010', 'l', 'o', 'c', +'a', 't', 'i', 'o', 'n', '\030', '\001', ' ', '\001', '(', '\t', 'R', '\010', 'l', 'o', 'c', 'a', 't', 'i', 'o', 'n', '\022', '\026', '\n', '\006', +'o', 'f', 'f', 's', 'e', 't', '\030', '\002', ' ', '\001', '(', '\005', 'R', '\006', 'o', 'f', 'f', 's', 'e', 't', '\022', '\022', '\n', '\004', 'l', +'i', 'n', 'e', '\030', '\003', ' ', '\001', '(', '\005', 'R', '\004', 'l', 'i', 'n', 'e', '\022', '\026', '\n', '\006', 'c', 'o', 'l', 'u', 'm', 'n', +'\030', '\004', ' ', '\001', '(', '\005', 'R', '\006', 'c', 'o', 'l', 'u', 'm', 'n', 'B', 'n', '\n', '\034', 'c', 'o', 'm', '.', 'g', 'o', 'o', +'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', 'B', '\013', 'S', 'y', +'n', 't', 'a', 'x', 'P', 'r', 'o', 't', 'o', 'P', '\001', 'Z', '<', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'g', 'o', 'l', 'a', 'n', +'g', '.', 'o', 'r', 'g', '/', 'g', 'e', 'n', 'p', 'r', 'o', 't', 'o', '/', 'g', 'o', 'o', 'g', 'l', 'e', 'a', 'p', 'i', 's', +'/', 'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', ';', 'e', 'x', 'p', 'r', '\370', '\001', +'\001', 'b', '\006', 'p', 'r', 'o', 't', 'o', '3', +}; + +static upb_def_init *deps[4] = { + &google_protobuf_duration_proto_upbdefinit, + &google_protobuf_struct_proto_upbdefinit, + &google_protobuf_timestamp_proto_upbdefinit, + NULL +}; + +upb_def_init google_api_expr_v1alpha1_syntax_proto_upbdefinit = { + deps, + &google_api_expr_v1alpha1_syntax_proto_upb_file_layout, + "google/api/expr/v1alpha1/syntax.proto", + UPB_STRVIEW_INIT(descriptor, 3059) +}; 
diff --git a/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h new file mode 100644 index 00000000000..750f563fa75 --- /dev/null +++ b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h 
@@ -0,0 +1,100 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * google/api/expr/v1alpha1/syntax.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#ifndef GOOGLE_API_EXPR_V1ALPHA1_SYNTAX_PROTO_UPBDEFS_H_ +#define GOOGLE_API_EXPR_V1ALPHA1_SYNTAX_PROTO_UPBDEFS_H_ + +#include "upb/def.h" +#include "upb/port_def.inc" +#ifdef __cplusplus +extern "C" { +#endif + +#include "upb/def.h" + +#include "upb/port_def.inc" + +extern upb_def_init google_api_expr_v1alpha1_syntax_proto_upbdefinit; + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_ParsedExpr_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.ParsedExpr"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Expr_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Expr"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Expr_Ident_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Expr.Ident"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Expr_Select_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Expr.Select"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Expr_Call_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Expr.Call"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Expr_CreateList_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, 
&google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Expr.CreateList"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Expr_CreateStruct_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Expr.CreateStruct"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Expr_CreateStruct_Entry_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Expr.CreateStruct.Entry"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Expr_Comprehension_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Expr.Comprehension"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Constant_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Constant"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_SourceInfo_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.SourceInfo"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_SourceInfo_PositionsEntry_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.SourceInfo.PositionsEntry"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_SourceInfo_MacroCallsEntry_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, 
"google.api.expr.v1alpha1.SourceInfo.MacroCallsEntry"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_SourcePosition_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_syntax_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.SourcePosition"); +} + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#include "upb/port_undef.inc" + +#endif /* GOOGLE_API_EXPR_V1ALPHA1_SYNTAX_PROTO_UPBDEFS_H_ */ diff --git a/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c new file mode 100644 index 00000000000..1313c379668 --- /dev/null +++ b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c 
@@ -0,0 +1,75 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * google/api/expr/v1alpha1/value.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#include "upb/def.h" +#include "google/api/expr/v1alpha1/value.upbdefs.h" +#include "google/api/expr/v1alpha1/value.upb.h" + +extern upb_def_init google_protobuf_any_proto_upbdefinit; +extern upb_def_init google_protobuf_struct_proto_upbdefinit; +static const char descriptor[1153] = {'\n', '$', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'a', 'p', 'i', '/', 'e', 'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', +'1', '/', 'v', 'a', 'l', 'u', 'e', '.', 'p', 'r', 'o', 't', 'o', '\022', '\030', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', +'.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '\032', '\031', 'g', 'o', 'o', 'g', 'l', 'e', '/', 'p', 'r', +'o', 't', 'o', 'b', 'u', 'f', '/', 'a', 'n', 'y', '.', 'p', 'r', 'o', 't', 'o', '\032', '\034', 'g', 'o', 'o', 'g', 'l', 'e', '/', +'p', 'r', 'o', 't', 'o', 'b', 'u', 'f', '/', 's', 't', 'r', 'u', 'c', 't', '.', 'p', 'r', 'o', 't', 'o', '\"', '\315', '\004', '\n', +'\005', 'V', 'a', 'l', 'u', 'e', '\022', ';', '\n', '\n', 'n', 'u', 'l', 'l', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\001', ' ', '\001', '(', +'\016', '2', '\032', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'p', 'r', 'o', 't', 'o', 'b', 'u', 'f', '.', 'N', 'u', 'l', 'l', 'V', +'a', 'l', 'u', 'e', 'H', '\000', 'R', '\t', 'n', 'u', 'l', 'l', 'V', 'a', 'l', 'u', 'e', '\022', '\037', '\n', '\n', 'b', 'o', 'o', 'l', +'_', 'v', 'a', 'l', 'u', 'e', '\030', '\002', ' ', '\001', '(', '\010', 'H', '\000', 'R', '\t', 'b', 'o', 'o', 'l', 'V', 'a', 'l', 'u', 'e', +'\022', '!', '\n', '\013', 'i', 'n', 't', '6', '4', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\003', ' ', '\001', '(', '\003', 'H', '\000', 'R', '\n', +'i', 'n', 't', '6', '4', 'V', 'a', 'l', 'u', 'e', '\022', '#', '\n', '\014', 'u', 'i', 'n', 't', '6', '4', '_', 'v', 
'a', 'l', 'u', +'e', '\030', '\004', ' ', '\001', '(', '\004', 'H', '\000', 'R', '\013', 'u', 'i', 'n', 't', '6', '4', 'V', 'a', 'l', 'u', 'e', '\022', '#', '\n', +'\014', 'd', 'o', 'u', 'b', 'l', 'e', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\005', ' ', '\001', '(', '\001', 'H', '\000', 'R', '\013', 'd', 'o', +'u', 'b', 'l', 'e', 'V', 'a', 'l', 'u', 'e', '\022', '#', '\n', '\014', 's', 't', 'r', 'i', 'n', 'g', '_', 'v', 'a', 'l', 'u', 'e', +'\030', '\006', ' ', '\001', '(', '\t', 'H', '\000', 'R', '\013', 's', 't', 'r', 'i', 'n', 'g', 'V', 'a', 'l', 'u', 'e', '\022', '!', '\n', '\013', +'b', 'y', 't', 'e', 's', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\007', ' ', '\001', '(', '\014', 'H', '\000', 'R', '\n', 'b', 'y', 't', 'e', +'s', 'V', 'a', 'l', 'u', 'e', '\022', 'D', '\n', '\n', 'e', 'n', 'u', 'm', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\t', ' ', '\001', '(', +'\013', '2', '#', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', +'h', 'a', '1', '.', 'E', 'n', 'u', 'm', 'V', 'a', 'l', 'u', 'e', 'H', '\000', 'R', '\t', 'e', 'n', 'u', 'm', 'V', 'a', 'l', 'u', +'e', '\022', '9', '\n', '\014', 'o', 'b', 'j', 'e', 'c', 't', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\n', ' ', '\001', '(', '\013', '2', '\024', +'.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'p', 'r', 'o', 't', 'o', 'b', 'u', 'f', '.', 'A', 'n', 'y', 'H', '\000', 'R', '\013', 'o', +'b', 'j', 'e', 'c', 't', 'V', 'a', 'l', 'u', 'e', '\022', 'A', '\n', '\t', 'm', 'a', 'p', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\013', +' ', '\001', '(', '\013', '2', '\"', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', +'a', 'l', 'p', 'h', 'a', '1', '.', 'M', 'a', 'p', 'V', 'a', 'l', 'u', 'e', 'H', '\000', 'R', '\010', 'm', 'a', 'p', 'V', 'a', 'l', +'u', 'e', '\022', 'D', '\n', '\n', 'l', 'i', 's', 't', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\014', ' ', '\001', '(', '\013', '2', '#', '.', +'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 
'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', +'L', 'i', 's', 't', 'V', 'a', 'l', 'u', 'e', 'H', '\000', 'R', '\t', 'l', 'i', 's', 't', 'V', 'a', 'l', 'u', 'e', '\022', '\037', '\n', +'\n', 't', 'y', 'p', 'e', '_', 'v', 'a', 'l', 'u', 'e', '\030', '\017', ' ', '\001', '(', '\t', 'H', '\000', 'R', '\t', 't', 'y', 'p', 'e', +'V', 'a', 'l', 'u', 'e', 'B', '\006', '\n', '\004', 'k', 'i', 'n', 'd', '\"', '5', '\n', '\t', 'E', 'n', 'u', 'm', 'V', 'a', 'l', 'u', +'e', '\022', '\022', '\n', '\004', 't', 'y', 'p', 'e', '\030', '\001', ' ', '\001', '(', '\t', 'R', '\004', 't', 'y', 'p', 'e', '\022', '\024', '\n', '\005', +'v', 'a', 'l', 'u', 'e', '\030', '\002', ' ', '\001', '(', '\005', 'R', '\005', 'v', 'a', 'l', 'u', 'e', '\"', 'D', '\n', '\t', 'L', 'i', 's', +'t', 'V', 'a', 'l', 'u', 'e', '\022', '7', '\n', '\006', 'v', 'a', 'l', 'u', 'e', 's', '\030', '\001', ' ', '\003', '(', '\013', '2', '\037', '.', +'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', +'V', 'a', 'l', 'u', 'e', 'R', '\006', 'v', 'a', 'l', 'u', 'e', 's', '\"', '\301', '\001', '\n', '\010', 'M', 'a', 'p', 'V', 'a', 'l', 'u', +'e', '\022', 'B', '\n', '\007', 'e', 'n', 't', 'r', 'i', 'e', 's', '\030', '\001', ' ', '\003', '(', '\013', '2', '(', '.', 'g', 'o', 'o', 'g', +'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'M', 'a', 'p', 'V', +'a', 'l', 'u', 'e', '.', 'E', 'n', 't', 'r', 'y', 'R', '\007', 'e', 'n', 't', 'r', 'i', 'e', 's', '\032', 'q', '\n', '\005', 'E', 'n', +'t', 'r', 'y', '\022', '1', '\n', '\003', 'k', 'e', 'y', '\030', '\001', ' ', '\001', '(', '\013', '2', '\037', '.', 'g', 'o', 'o', 'g', 'l', 'e', +'.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'V', 'a', 'l', 'u', 'e', 'R', +'\003', 'k', 'e', 'y', '\022', '5', '\n', '\005', 'v', 'a', 'l', 'u', 'e', '\030', '\002', ' ', '\001', 
'(', '\013', '2', '\037', '.', 'g', 'o', 'o', +'g', 'l', 'e', '.', 'a', 'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', '.', 'V', 'a', 'l', +'u', 'e', 'R', '\005', 'v', 'a', 'l', 'u', 'e', 'B', 'm', '\n', '\034', 'c', 'o', 'm', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'a', +'p', 'i', '.', 'e', 'x', 'p', 'r', '.', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', 'B', '\n', 'V', 'a', 'l', 'u', 'e', 'P', 'r', +'o', 't', 'o', 'P', '\001', 'Z', '<', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'g', 'o', 'l', 'a', 'n', 'g', '.', 'o', 'r', 'g', '/', +'g', 'e', 'n', 'p', 'r', 'o', 't', 'o', '/', 'g', 'o', 'o', 'g', 'l', 'e', 'a', 'p', 'i', 's', '/', 'a', 'p', 'i', '/', 'e', +'x', 'p', 'r', '/', 'v', '1', 'a', 'l', 'p', 'h', 'a', '1', ';', 'e', 'x', 'p', 'r', '\370', '\001', '\001', 'b', '\006', 'p', 'r', 'o', +'t', 'o', '3', +}; + +static upb_def_init *deps[3] = { + &google_protobuf_any_proto_upbdefinit, + &google_protobuf_struct_proto_upbdefinit, + NULL +}; + +upb_def_init google_api_expr_v1alpha1_value_proto_upbdefinit = { + deps, + &google_api_expr_v1alpha1_value_proto_upb_file_layout, + "google/api/expr/v1alpha1/value.proto", + UPB_STRVIEW_INIT(descriptor, 1153) +}; diff --git a/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h new file mode 100644 index 00000000000..8771e194118 --- /dev/null +++ b/src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h 
@@ -0,0 +1,55 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * google/api/expr/v1alpha1/value.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#ifndef GOOGLE_API_EXPR_V1ALPHA1_VALUE_PROTO_UPBDEFS_H_ +#define GOOGLE_API_EXPR_V1ALPHA1_VALUE_PROTO_UPBDEFS_H_ + +#include "upb/def.h" +#include "upb/port_def.inc" +#ifdef __cplusplus +extern "C" { +#endif + +#include "upb/def.h" + +#include "upb/port_def.inc" + +extern upb_def_init google_api_expr_v1alpha1_value_proto_upbdefinit; + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_Value_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_value_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.Value"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_EnumValue_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_value_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.EnumValue"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_ListValue_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_value_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.ListValue"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_MapValue_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_value_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.MapValue"); +} + +UPB_INLINE const upb_msgdef *google_api_expr_v1alpha1_MapValue_Entry_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &google_api_expr_v1alpha1_value_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "google.api.expr.v1alpha1.MapValue.Entry"); +} + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#include "upb/port_undef.inc" + +#endif /* GOOGLE_API_EXPR_V1ALPHA1_VALUE_PROTO_UPBDEFS_H_ */ 
diff --git a/src/core/ext/xds/xds_http_filters.cc b/src/core/ext/xds/xds_http_filters.cc index 4f79336cf3c..4d91e2e0df9 100644 --- a/src/core/ext/xds/xds_http_filters.cc +++ b/src/core/ext/xds/xds_http_filters.cc @@ -22,6 +22,7 @@ #include "envoy/extensions/filters/http/router/v3/router.upbdefs.h" #include "src/core/ext/xds/xds_http_fault_filter.h" +#include "src/core/ext/xds/xds_http_rbac_filter.h" namespace grpc_core { @@ -106,6 +107,10 @@ void XdsHttpFilterRegistry::Init() { {kXdsHttpRouterFilterConfigName}); RegisterFilter(absl::make_unique(), {kXdsHttpFaultFilterConfigName}); + RegisterFilter(absl::make_unique(), + {kXdsHttpRbacFilterConfigName}); + RegisterFilter(absl::make_unique(), + {kXdsHttpRbacFilterConfigOverrideName}); } void XdsHttpFilterRegistry::Shutdown() { diff --git a/src/core/ext/xds/xds_http_rbac_filter.cc b/src/core/ext/xds/xds_http_rbac_filter.cc new file mode 100644 index 00000000000..46ac35d21c5 --- /dev/null +++ b/src/core/ext/xds/xds_http_rbac_filter.cc 
@@ -0,0 +1,551 @@ +// +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +#include + +#include "src/core/ext/xds/xds_http_rbac_filter.h" + +#include "absl/strings/str_format.h" +#include "envoy/config/core/v3/address.upb.h" +#include "envoy/config/rbac/v3/rbac.upb.h" +#include "envoy/config/route/v3/route_components.upb.h" +#include "envoy/extensions/filters/http/rbac/v3/rbac.upb.h" +#include "envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h" +#include "envoy/type/matcher/v3/path.upb.h" +#include "envoy/type/matcher/v3/regex.upb.h" +#include "envoy/type/matcher/v3/string.upb.h" +#include "envoy/type/v3/range.upb.h" +#include "google/protobuf/wrappers.upb.h" + +#include "src/core/ext/filters/rbac/rbac_filter.h" +#include "src/core/ext/filters/rbac/rbac_service_config_parser.h" +#include "src/core/ext/xds/upb_utils.h" +#include "src/core/lib/channel/channel_args.h" + +namespace grpc_core { + +const char* kXdsHttpRbacFilterConfigName = + "envoy.extensions.filters.http.rbac.v3.RBAC"; + +const char* kXdsHttpRbacFilterConfigOverrideName = + "envoy.extensions.filters.http.rbac.v3.RBACPerRoute"; + +namespace { + +Json ParseRegexMatcherToJson( + const envoy_type_matcher_v3_RegexMatcher* regex_matcher) { + return Json::Object( + {{"regex", UpbStringToStdString(envoy_type_matcher_v3_RegexMatcher_regex( + regex_matcher))}}); +} + +Json ParseInt64RangeToJson(const envoy_type_v3_Int64Range* range) { + return Json::Object{{"start", 
envoy_type_v3_Int64Range_start(range)}, + {"end", envoy_type_v3_Int64Range_end(range)}}; +} + +absl::StatusOr ParseHeaderMatcherToJson( + const envoy_config_route_v3_HeaderMatcher* header) { + Json::Object header_json; + std::vector error_list; + std::string name = + UpbStringToStdString(envoy_config_route_v3_HeaderMatcher_name(header)); + if (name == ":scheme") { + error_list.push_back( + absl::InvalidArgumentError("':scheme' not allowed in header")); + } else if (absl::StartsWith(name, "grpc-")) { + error_list.push_back( + absl::InvalidArgumentError("'grpc-' prefixes not allowed in header")); + } + header_json.emplace("name", std::move(name)); + if (envoy_config_route_v3_HeaderMatcher_has_exact_match(header)) { + header_json.emplace( + "exactMatch", + UpbStringToStdString( + envoy_config_route_v3_HeaderMatcher_exact_match(header))); + } else if (envoy_config_route_v3_HeaderMatcher_has_safe_regex_match(header)) { + header_json.emplace( + "safeRegexMatch", + ParseRegexMatcherToJson( + envoy_config_route_v3_HeaderMatcher_safe_regex_match(header))); + } else if (envoy_config_route_v3_HeaderMatcher_has_range_match(header)) { + header_json.emplace( + "rangeMatch", + ParseInt64RangeToJson( + envoy_config_route_v3_HeaderMatcher_range_match(header))); + } else if (envoy_config_route_v3_HeaderMatcher_has_present_match(header)) { + header_json.emplace( + "presentMatch", + envoy_config_route_v3_HeaderMatcher_present_match(header)); + } else if (envoy_config_route_v3_HeaderMatcher_has_prefix_match(header)) { + header_json.emplace( + "prefixMatch", + UpbStringToStdString( + envoy_config_route_v3_HeaderMatcher_prefix_match(header))); + } else if (envoy_config_route_v3_HeaderMatcher_has_suffix_match(header)) { + header_json.emplace( + "suffixMatch", + UpbStringToStdString( + envoy_config_route_v3_HeaderMatcher_suffix_match(header))); + } else if (envoy_config_route_v3_HeaderMatcher_has_contains_match(header)) { + header_json.emplace( + "containsMatch", + UpbStringToStdString( + 
envoy_config_route_v3_HeaderMatcher_contains_match(header))); + } else { + error_list.push_back( + absl::InvalidArgumentError("Invalid route header matcher specified.")); + } + if (!error_list.empty()) { + return StatusCreate(absl::StatusCode::kInvalidArgument, + "Error parsing HeaderMatcher", DEBUG_LOCATION, + std::move(error_list)); + } + header_json.emplace("invertMatch", + envoy_config_route_v3_HeaderMatcher_invert_match(header)); + return header_json; +} + +absl::StatusOr ParseStringMatcherToJson( + const envoy_type_matcher_v3_StringMatcher* matcher) { + Json::Object json; + if (envoy_type_matcher_v3_StringMatcher_has_exact(matcher)) { + json.emplace("exact", + UpbStringToStdString( + envoy_type_matcher_v3_StringMatcher_exact(matcher))); + } else if (envoy_type_matcher_v3_StringMatcher_has_prefix(matcher)) { + json.emplace("prefix", + UpbStringToStdString( + envoy_type_matcher_v3_StringMatcher_prefix(matcher))); + } else if (envoy_type_matcher_v3_StringMatcher_has_suffix(matcher)) { + json.emplace("suffix", + UpbStringToStdString( + envoy_type_matcher_v3_StringMatcher_suffix(matcher))); + } else if (envoy_type_matcher_v3_StringMatcher_has_safe_regex(matcher)) { + json.emplace("safeRegex", + ParseRegexMatcherToJson( + envoy_type_matcher_v3_StringMatcher_safe_regex(matcher))); + } else if (envoy_type_matcher_v3_StringMatcher_has_contains(matcher)) { + json.emplace("contains", + UpbStringToStdString( + envoy_type_matcher_v3_StringMatcher_contains(matcher))); + } else { + return absl::InvalidArgumentError("StringMatcher: Invalid match pattern"); + } + json.emplace("ignoreCase", + envoy_type_matcher_v3_StringMatcher_ignore_case(matcher)); + return json; +} + +absl::StatusOr ParsePathMatcherToJson( + const envoy_type_matcher_v3_PathMatcher* matcher) { + const auto* path = envoy_type_matcher_v3_PathMatcher_path(matcher); + if (path == nullptr) { + return absl::InvalidArgumentError("PathMatcher has empty path"); + } + Json::Object json; + auto path_json = 
ParseStringMatcherToJson(path); + if (!path_json.ok()) { + return path_json; + } + json.emplace("path", std::move(*path_json)); + return json; +} + +Json ParseUInt32ValueToJson(const google_protobuf_UInt32Value* value) { + return Json::Object{{"value", google_protobuf_UInt32Value_value(value)}}; +} + +Json ParseCidrRangeToJson(const envoy_config_core_v3_CidrRange* range) { + Json::Object json; + json.emplace("addressPrefix", + UpbStringToStdString( + envoy_config_core_v3_CidrRange_address_prefix(range))); + const auto* prefix_len = envoy_config_core_v3_CidrRange_prefix_len(range); + if (prefix_len != nullptr) { + json.emplace("prefixLen", ParseUInt32ValueToJson(prefix_len)); + } + return json; +} + +absl::StatusOr ParsePermissionToJson( + const envoy_config_rbac_v3_Permission* permission) { + Json::Object permission_json; + // Helper function to parse Permission::Set to JSON. Used by `and_rules` and + // `or_rules`. + auto parse_permission_set_to_json = + [](const envoy_config_rbac_v3_Permission_Set* set) + -> absl::StatusOr { + std::vector error_list; + Json::Array rules_json; + size_t size; + const envoy_config_rbac_v3_Permission* const* rules = + envoy_config_rbac_v3_Permission_Set_rules(set, &size); + for (size_t i = 0; i < size; ++i) { + auto permission_json = ParsePermissionToJson(rules[i]); + if (!permission_json.ok()) { + error_list.push_back(permission_json.status()); + } else { + rules_json.emplace_back(std::move(*permission_json)); + } + } + if (!error_list.empty()) { + return StatusCreate(absl::StatusCode::kInvalidArgument, + "Error parsing Set", DEBUG_LOCATION, + std::move(error_list)); + } + return Json::Object({{"rules", std::move(rules_json)}}); + }; + if (envoy_config_rbac_v3_Permission_has_and_rules(permission)) { + const auto* and_rules = + envoy_config_rbac_v3_Permission_and_rules(permission); + auto permission_set_json = parse_permission_set_to_json(and_rules); + if (!permission_set_json.ok()) { + return permission_set_json; + } + 
permission_json.emplace("andRules", std::move(*permission_set_json)); + } else if (envoy_config_rbac_v3_Permission_has_or_rules(permission)) { + const auto* or_rules = envoy_config_rbac_v3_Permission_or_rules(permission); + auto permission_set_json = parse_permission_set_to_json(or_rules); + if (!permission_set_json.ok()) { + return permission_set_json; + } + permission_json.emplace("orRules", std::move(*permission_set_json)); + } else if (envoy_config_rbac_v3_Permission_has_any(permission)) { + permission_json.emplace("any", + envoy_config_rbac_v3_Permission_any(permission)); + } else if (envoy_config_rbac_v3_Permission_has_header(permission)) { + auto header_json = ParseHeaderMatcherToJson( + envoy_config_rbac_v3_Permission_header(permission)); + if (!header_json.ok()) { + return header_json; + } + permission_json.emplace("header", std::move(*header_json)); + } else if (envoy_config_rbac_v3_Permission_has_url_path(permission)) { + auto url_path_json = ParsePathMatcherToJson( + envoy_config_rbac_v3_Permission_url_path(permission)); + if (!url_path_json.ok()) { + return url_path_json; + } + permission_json.emplace("urlPath", std::move(*url_path_json)); + } else if (envoy_config_rbac_v3_Permission_has_destination_ip(permission)) { + permission_json.emplace( + "destinationIp", + ParseCidrRangeToJson( + envoy_config_rbac_v3_Permission_destination_ip(permission))); + } else if (envoy_config_rbac_v3_Permission_has_destination_port(permission)) { + permission_json.emplace( + "destinationPort", + envoy_config_rbac_v3_Permission_destination_port(permission)); + } else if (envoy_config_rbac_v3_Permission_has_metadata(permission)) { + // Not parsing metadata even if its present since it is not relevant to + // gRPC. 
+ permission_json.emplace("metadata", Json::Object()); + } else if (envoy_config_rbac_v3_Permission_has_not_rule(permission)) { + auto not_rule_json = ParsePermissionToJson( + envoy_config_rbac_v3_Permission_not_rule(permission)); + if (!not_rule_json.ok()) { + return not_rule_json; + } + permission_json.emplace("notRule", std::move(*not_rule_json)); + } else if (envoy_config_rbac_v3_Permission_has_requested_server_name( + permission)) { + auto requested_server_name_json = ParseStringMatcherToJson( + envoy_config_rbac_v3_Permission_requested_server_name(permission)); + if (!requested_server_name_json.ok()) { + return requested_server_name_json; + } + permission_json.emplace("requestedServerName", + std::move(*requested_server_name_json)); + } else { + return absl::InvalidArgumentError("Permission: Invalid rule"); + } + return permission_json; +} + +absl::StatusOr ParsePrincipalToJson( + const envoy_config_rbac_v3_Principal* principal) { + Json::Object principal_json; + // Helper function to parse Principal::Set to JSON. Used by `and_ids` and + // `or_ids`. 
+ auto parse_principal_set_to_json = + [](const envoy_config_rbac_v3_Principal_Set* set) + -> absl::StatusOr { + Json::Object json; + std::vector error_list; + Json::Array ids_json; + size_t size; + const envoy_config_rbac_v3_Principal* const* ids = + envoy_config_rbac_v3_Principal_Set_ids(set, &size); + for (size_t i = 0; i < size; ++i) { + auto principal_json = ParsePrincipalToJson(ids[i]); + if (!principal_json.ok()) { + error_list.push_back(principal_json.status()); + } else { + ids_json.emplace_back(std::move(*principal_json)); + } + } + if (!error_list.empty()) { + return StatusCreate(absl::StatusCode::kInvalidArgument, + "Error parsing Set", DEBUG_LOCATION, + std::move(error_list)); + } + return Json::Object({{"ids", std::move(ids_json)}}); + }; + if (envoy_config_rbac_v3_Principal_has_and_ids(principal)) { + const auto* and_rules = envoy_config_rbac_v3_Principal_and_ids(principal); + auto principal_set_json = parse_principal_set_to_json(and_rules); + if (!principal_set_json.ok()) { + return principal_set_json; + } + principal_json.emplace("andIds", std::move(*principal_set_json)); + } else if (envoy_config_rbac_v3_Principal_has_or_ids(principal)) { + const auto* or_rules = envoy_config_rbac_v3_Principal_or_ids(principal); + auto principal_set_json = parse_principal_set_to_json(or_rules); + if (!principal_set_json.ok()) { + return principal_set_json; + } + principal_json.emplace("orIds", std::move(*principal_set_json)); + } else if (envoy_config_rbac_v3_Principal_has_any(principal)) { + principal_json.emplace("any", + envoy_config_rbac_v3_Principal_any(principal)); + } else if (envoy_config_rbac_v3_Principal_has_authenticated(principal)) { + auto* authenticated_json = + principal_json.emplace("authenticated", Json::Object()) + .first->second.mutable_object(); + const auto* principal_name = + envoy_config_rbac_v3_Principal_Authenticated_principal_name( + envoy_config_rbac_v3_Principal_authenticated(principal)); + if (principal_name != nullptr) { + auto 
principal_name_json = ParseStringMatcherToJson(principal_name); + if (!principal_name_json.ok()) { + return principal_name_json; + } + authenticated_json->emplace("principalName", + std::move(*principal_name_json)); + } + } else if (envoy_config_rbac_v3_Principal_has_source_ip(principal)) { + principal_json.emplace( + "sourceIp", ParseCidrRangeToJson( + envoy_config_rbac_v3_Principal_source_ip(principal))); + } else if (envoy_config_rbac_v3_Principal_has_direct_remote_ip(principal)) { + principal_json.emplace( + "directRemoteIp", + ParseCidrRangeToJson( + envoy_config_rbac_v3_Principal_direct_remote_ip(principal))); + } else if (envoy_config_rbac_v3_Principal_has_remote_ip(principal)) { + principal_json.emplace( + "remoteIp", ParseCidrRangeToJson( + envoy_config_rbac_v3_Principal_remote_ip(principal))); + } else if (envoy_config_rbac_v3_Principal_has_header(principal)) { + auto header_json = ParseHeaderMatcherToJson( + envoy_config_rbac_v3_Principal_header(principal)); + if (!header_json.ok()) { + return header_json; + } + principal_json.emplace("header", std::move(*header_json)); + } else if (envoy_config_rbac_v3_Principal_has_url_path(principal)) { + auto url_path_json = ParsePathMatcherToJson( + envoy_config_rbac_v3_Principal_url_path(principal)); + if (!url_path_json.ok()) { + return url_path_json; + } + principal_json.emplace("urlPath", std::move(*url_path_json)); + } else if (envoy_config_rbac_v3_Principal_has_metadata(principal)) { + // Not parsing metadata even if its present since it is not relevant to + // gRPC. 
+ principal_json.emplace("metadata", Json::Object()); + } else if (envoy_config_rbac_v3_Principal_has_not_id(principal)) { + auto not_id_json = + ParsePrincipalToJson(envoy_config_rbac_v3_Principal_not_id(principal)); + if (!not_id_json.ok()) { + return not_id_json; + } + principal_json.emplace("notId", std::move(*not_id_json)); + } else { + return absl::InvalidArgumentError("Principal: Invalid rule"); + } + return principal_json; +} + +absl::StatusOr ParsePolicyToJson( + const envoy_config_rbac_v3_Policy* policy) { + Json::Object policy_json; + std::vector error_list; + size_t size; + Json::Array permissions_json; + const envoy_config_rbac_v3_Permission* const* permissions = + envoy_config_rbac_v3_Policy_permissions(policy, &size); + for (size_t i = 0; i < size; ++i) { + auto permission_json = ParsePermissionToJson(permissions[i]); + if (!permission_json.ok()) { + error_list.push_back(permission_json.status()); + } else { + permissions_json.emplace_back(std::move(*permission_json)); + } + } + policy_json.emplace("permissions", std::move(permissions_json)); + Json::Array principals_json; + const envoy_config_rbac_v3_Principal* const* principals = + envoy_config_rbac_v3_Policy_principals(policy, &size); + for (size_t i = 0; i < size; ++i) { + auto principal_json = ParsePrincipalToJson(principals[i]); + if (!principal_json.ok()) { + error_list.push_back(principal_json.status()); + } else { + principals_json.emplace_back(std::move(*principal_json)); + } + } + policy_json.emplace("principals", std::move(principals_json)); + if (envoy_config_rbac_v3_Policy_has_condition(policy)) { + error_list.push_back( + absl::InvalidArgumentError("Policy: condition not supported")); + } + if (envoy_config_rbac_v3_Policy_has_checked_condition(policy)) { + error_list.push_back( + absl::InvalidArgumentError("Policy: checked condition not supported")); + } + if (!error_list.empty()) { + return StatusCreate(absl::StatusCode::kInvalidArgument, + "Error parsing Policy", DEBUG_LOCATION, + 
std::move(error_list)); + } + return policy_json; +} + +absl::StatusOr ParseHttpRbacToJson( + const envoy_extensions_filters_http_rbac_v3_RBAC* rbac) { + Json::Object rbac_json; + std::vector error_list; + const auto* rules = envoy_extensions_filters_http_rbac_v3_RBAC_rules(rbac); + if (rules != nullptr) { + int action = envoy_config_rbac_v3_RBAC_action(rules); + // Treat Log action as RBAC being absent + if (action == envoy_config_rbac_v3_RBAC_LOG) { + return rbac_json; + } + Json::Object inner_rbac_json; + inner_rbac_json.emplace("action", envoy_config_rbac_v3_RBAC_action(rules)); + if (envoy_config_rbac_v3_RBAC_has_policies(rules)) { + Json::Object policies_object; + size_t iter = UPB_MAP_BEGIN; + while (true) { + auto* entry = envoy_config_rbac_v3_RBAC_policies_next(rules, &iter); + if (entry == nullptr) { + break; + } + auto policy = ParsePolicyToJson( + envoy_config_rbac_v3_RBAC_PoliciesEntry_value(entry)); + if (!policy.ok()) { + error_list.push_back(StatusCreate( + absl::StatusCode::kInvalidArgument, + absl::StrFormat( + "RBAC PoliciesEntry key:%s", + UpbStringToStdString( + envoy_config_rbac_v3_RBAC_PoliciesEntry_key(entry))), + DEBUG_LOCATION, {policy.status()})); + } else { + policies_object.emplace( + UpbStringToStdString( + envoy_config_rbac_v3_RBAC_PoliciesEntry_key(entry)), + std::move(*policy)); + } + } + inner_rbac_json.emplace("policies", std::move(policies_object)); + } + rbac_json.emplace("rules", std::move(inner_rbac_json)); + } + if (!error_list.empty()) { + return StatusCreate(absl::StatusCode::kInvalidArgument, + "Error parsing RBAC", DEBUG_LOCATION, + std::move(error_list)); + } + return rbac_json; +} + +} // namespace + +void XdsHttpRbacFilter::PopulateSymtab(upb_symtab* symtab) const { + envoy_extensions_filters_http_rbac_v3_RBAC_getmsgdef(symtab); +} + +absl::StatusOr +XdsHttpRbacFilter::GenerateFilterConfig(upb_strview serialized_filter_config, + upb_arena* arena) const { + absl::StatusOr rbac_json; + auto* rbac = 
envoy_extensions_filters_http_rbac_v3_RBAC_parse( + serialized_filter_config.data, serialized_filter_config.size, arena); + if (rbac == nullptr) { + return absl::InvalidArgumentError( + "could not parse HTTP RBAC filter config"); + } + rbac_json = ParseHttpRbacToJson(rbac); + if (!rbac_json.ok()) { + return rbac_json.status(); + } + return FilterConfig{kXdsHttpRbacFilterConfigName, std::move(*rbac_json)}; +} + +absl::StatusOr +XdsHttpRbacFilter::GenerateFilterConfigOverride( + upb_strview serialized_filter_config, upb_arena* arena) const { + auto* rbac_per_route = + envoy_extensions_filters_http_rbac_v3_RBACPerRoute_parse( + serialized_filter_config.data, serialized_filter_config.size, arena); + if (rbac_per_route == nullptr) { + return absl::InvalidArgumentError("could not parse RBACPerRoute"); + } + absl::StatusOr rbac_json; + const auto* rbac = + envoy_extensions_filters_http_rbac_v3_RBACPerRoute_rbac(rbac_per_route); + if (rbac == nullptr) { + rbac_json = Json::Object(); + } else { + rbac_json = ParseHttpRbacToJson(rbac); + if (!rbac_json.ok()) { + return rbac_json.status(); + } + } + return FilterConfig{kXdsHttpRbacFilterConfigOverrideName, + std::move(*rbac_json)}; +} + +const grpc_channel_filter* XdsHttpRbacFilter::channel_filter() const { + return &RbacFilter::kFilterVtable; +} + +grpc_channel_args* XdsHttpRbacFilter::ModifyChannelArgs( + grpc_channel_args* args) const { + grpc_arg arg_to_add = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args* new_args = + grpc_channel_args_copy_and_add(args, &arg_to_add, 1); + grpc_channel_args_destroy(args); + return new_args; +} + +absl::StatusOr +XdsHttpRbacFilter::GenerateServiceConfig( + const FilterConfig& hcm_filter_config, + const FilterConfig* filter_config_override) const { + Json policy_json = filter_config_override != nullptr + ? filter_config_override->config + : hcm_filter_config.config; + // The policy JSON may be empty, that's allowed. 
+ return ServiceConfigJsonEntry{"rbacPolicy", policy_json.Dump()}; +} + +} // namespace grpc_core diff --git a/src/core/ext/xds/xds_http_rbac_filter.h b/src/core/ext/xds/xds_http_rbac_filter.h new file mode 100644 index 00000000000..fab916a22a4 --- /dev/null +++ b/src/core/ext/xds/xds_http_rbac_filter.h 
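Review bot: The `metadata` branches of ParsePermissionToJson and ParsePrincipalToJson emit `"metadata": {}` and discard the whole MetadataMatcher, including its `invert` flag, so the service-config parser that consumes this JSON cannot tell `metadata {}` from `metadata { invert: true }`. Under Envoy semantics an inverted metadata matcher matches a request that carries no dynamic metadata while a non-inverted one does not, so collapsing both to one empty object turns one of those two rules into its opposite; which one depends on how rbac_service_config_parser.cc evaluates the empty object, which is outside this hunk. I would forward the flag, e.g. `permission_json.emplace("metadata", Json::Object({{"invert", envoy_type_matcher_v3_MetadataMatcher_invert(envoy_config_rbac_v3_Permission_metadata(permission))}}));` (plus the matching upb header include and the mirror change for principals), and make the "not relevant to gRPC" comment state explicitly which way a metadata rule evaluates. Separately, ParseHttpRbacToJson forwards `action` as a raw enum integer after special-casing only LOG, so an unrecognised action value reaches the service config unchanged; a comment saying that the downstream parser is expected to reject anything other than ALLOW/DENY would make the fail-closed expectation explicit.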
@@ -0,0 +1,54 @@ +// +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +#ifndef GRPC_CORE_EXT_XDS_XDS_HTTP_RBAC_FILTER_H +#define GRPC_CORE_EXT_XDS_XDS_HTTP_RBAC_FILTER_H + +#include + +#include "src/core/ext/xds/xds_http_filters.h" + +namespace grpc_core { + +extern const char* kXdsHttpRbacFilterConfigName; +extern const char* kXdsHttpRbacFilterConfigOverrideName; + +class XdsHttpRbacFilter : public XdsHttpFilterImpl { + public: + void PopulateSymtab(upb_symtab* symtab) const override; + + absl::StatusOr GenerateFilterConfig( + upb_strview serialized_filter_config, upb_arena* arena) const override; + + absl::StatusOr GenerateFilterConfigOverride( + upb_strview serialized_filter_config, upb_arena* arena) const override; + + const grpc_channel_filter* channel_filter() const override; + + grpc_channel_args* ModifyChannelArgs(grpc_channel_args* args) const override; + + absl::StatusOr GenerateServiceConfig( + const FilterConfig& hcm_filter_config, + const FilterConfig* filter_config_override) const override; + + bool IsSupportedOnClients() const override { return false; } + + bool IsSupportedOnServers() const override { return true; } +}; + +} // namespace grpc_core + +#endif // GRPC_CORE_EXT_XDS_XDS_HTTP_RBAC_FILTER_H diff --git a/src/core/ext/xds/xds_listener.cc b/src/core/ext/xds/xds_listener.cc index 8d797dbd231..2684cc721ce 100644 --- a/src/core/ext/xds/xds_listener.cc +++ b/src/core/ext/xds/xds_listener.cc 
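Review bot: XdsHttpRbacFilter has no class comment, and nothing in the header says that an `RBACPerRoute` override replaces the HCM-level config outright rather than merging with it, or that an override whose `rbac` field is absent yields an empty config; both follow from GenerateFilterConfigOverride and GenerateServiceConfig in the .cc but are invisible to a reader of the header. I'd add above the class: `// xDS HTTP filter for envoy.extensions.filters.http.rbac.v3.RBAC (server side only). A per-route RBACPerRoute override replaces, and does not merge with, the HCM-level policy; an override with no rbac field produces an empty policy — confirm against rbac_service_config_parser.cc that an empty policy means no enforcement for that route.` The `IsSupportedOnClients() { return false; }` line is the one place the server-only contract is stated and deserves a one-line why-comment of its own.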
@@ -271,6 +271,19 @@ grpc_error_handle HttpConnectionManagerParse( bool is_v2, XdsListenerResource::HttpConnectionManager* http_connection_manager) { MaybeLogHttpConnectionManager(context, http_connection_manager_proto); + // NACK a non-zero `xff_num_trusted_hops` and a `non-empty + // original_ip_detection_extensions` as mentioned in + // https://github.com/grpc/proposal/blob/master/A41-xds-rbac.md + if (envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_xff_num_trusted_hops( + http_connection_manager_proto) != 0) { + return GRPC_ERROR_CREATE_FROM_STATIC_STRING( + "'xff_num_trusted_hops' must be zero"); + } + if (envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_has_original_ip_detection_extensions( + http_connection_manager_proto)) { + return GRPC_ERROR_CREATE_FROM_STATIC_STRING( + "'original_ip_detection_extensions' must be empty"); + } // Obtain max_stream_duration from Http Protocol Options. const envoy_config_core_v3_HttpProtocolOptions* options = envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_common_http_protocol_options( @@ -339,7 +352,7 @@ grpc_error_handle HttpConnectionManagerParse( if (!filter_config.ok()) { return GRPC_ERROR_CREATE_FROM_CPP_STRING(absl::StrCat( "filter config for type ", filter_type, - " failed to parse: ", filter_config.status().ToString())); + " failed to parse: ", StatusToString(filter_config.status()))); } http_connection_manager->http_filters.emplace_back( XdsListenerResource::HttpConnectionManager::HttpFilter{ diff --git a/src/core/ext/xds/xds_route_config.cc b/src/core/ext/xds/xds_route_config.cc index fa4c85143f1..0f548098f0a 100644 --- a/src/core/ext/xds/xds_route_config.cc +++ b/src/core/ext/xds/xds_route_config.cc 
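Review bot: The new NACKs for `xff_num_trusted_hops` and `original_ip_detection_extensions` say what is rejected but not why, and the why is the security-relevant part: as far as I can tell the IP-based principals added in xds_http_rbac_filter.cc (`sourceIp`, `remoteIp`, `directRemoteIp`) can only be evaluated against the transport peer, so an HCM that asks Envoy to derive the client address from x-forwarded-for would silently evaluate those principals against a different address here. I'd extend the comment to `// gRPC does not derive the client address from x-forwarded-for, so a config that enables XFF-based detection would make IP principals evaluate against a different address than in Envoy; reject it rather than silently diverge (A41).` It is also worth stating in that comment that the checks apply to every HCM, not only those carrying an RBAC filter, which reads as the intended fail-closed behaviour. The enclosing HttpConnectionManagerParse starts and ends outside the hunk.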
@@ -538,7 +538,7 @@ grpc_error_handle ParseTypedPerFilterConfig( if (!filter_config.ok()) { return GRPC_ERROR_CREATE_FROM_CPP_STRING(absl::StrCat( "filter config for type ", filter_type, - " failed to parse: ", filter_config.status().ToString())); + " failed to parse: ", StatusToString(filter_config.status()))); } (*typed_per_filter_config)[std::string(key)] = std::move(*filter_config); } diff --git a/src/core/ext/xds/xds_server_config_fetcher.cc b/src/core/ext/xds/xds_server_config_fetcher.cc index 423eb02c3a2..a2fdc4aa06d 100644 --- a/src/core/ext/xds/xds_server_config_fetcher.cc +++ b/src/core/ext/xds/xds_server_config_fetcher.cc @@ -200,9 +200,8 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager // This ref is only kept around till the FilterChainMatchManager becomes // ready. RefCountedPtr listener_watcher_; - const XdsListenerResource::FilterChainMap filter_chain_map_; - const absl::optional - default_filter_chain_; + XdsListenerResource::FilterChainMap filter_chain_map_; + absl::optional default_filter_chain_; Mutex mu_; size_t rds_resources_yet_to_fetch_ ABSL_GUARDED_BY(mu_) = 0; std::map rds_map_ @@ -334,6 +333,8 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: http_filters_); } + void Orphan() override {} + void CancelWatch() override { watcher_.reset(); } private: @@ -356,6 +357,8 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: std::vector http_filters); + void Orphan() override; + absl::StatusOr> Watch( std::unique_ptr watcher) override; @@ -386,7 +389,7 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: : public XdsRouteConfigResourceType::WatcherInterface { public: explicit RouteConfigWatcher( - RefCountedPtr parent) + WeakRefCountedPtr parent) : parent_(std::move(parent)) {} void OnResourceChanged(XdsRouteConfigResource route_config) override { 
@@ -398,7 +401,7 @@ class XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: void OnResourceDoesNotExist() override { parent_->OnResourceDoesNotExist(); } private: - RefCountedPtr parent_; + WeakRefCountedPtr parent_; }; // @@ -591,8 +594,11 @@ XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: StartRdsWatch(RefCountedPtr listener_watcher) { - // Get the set of RDS resources to watch on + // Get the set of RDS resources to watch on. Also get the set of + // FilterChainData so that we can reverse the list of HTTP filters since + // received data moves *up* the stack in Core. std::set resource_names; + std::set filter_chain_data_set; for (const auto& destination_ip : filter_chain_map_.destination_ip_vector) { for (const auto& source_type : destination_ip.source_types_array) { for (const auto& source_ip : source_type) { 
@@ -603,17 +609,34 @@ void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: source_port_pair.second.data->http_connection_manager .route_config_name); } + filter_chain_data_set.insert(source_port_pair.second.data.get()); } } } } - if (default_filter_chain_.has_value() && - !default_filter_chain_->http_connection_manager.route_config_name - .empty()) { - resource_names.insert( - default_filter_chain_->http_connection_manager.route_config_name); + if (default_filter_chain_.has_value()) { + if (!default_filter_chain_->http_connection_manager.route_config_name + .empty()) { + resource_names.insert( + default_filter_chain_->http_connection_manager.route_config_name); + } + std::reverse( + default_filter_chain_->http_connection_manager.http_filters.begin(), + default_filter_chain_->http_connection_manager.http_filters.end()); + } + // Reverse the lists of HTTP filters in all the filter chains + for (auto* filter_chain_data : filter_chain_data_set) { + std::reverse( + filter_chain_data->http_connection_manager.http_filters.begin(), + filter_chain_data->http_connection_manager.http_filters.end()); } // Start watching on referenced RDS resources + struct WatcherToStart { + std::string resource_name; + RefCountedPtr watcher; + }; + std::vector watchers_to_start; + watchers_to_start.reserve(resource_names.size()); { MutexLock lock(&mu_); for (const auto& resource_name : resource_names) { 
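Review bot: The in-place `std::reverse` of each filter chain's `http_filters` inside StartRdsWatch turns the list order into an implicit invariant — after this runs the stored order is Core order, not the order parsed from the listener — and nothing records that or why a set of raw pointers is used. `filter_chain_data_set` only makes sense if one FilterChainData can be reached from several (destination ip, source type, source ip, port) entries, in which case the set guarantees each list is reversed exactly once; I'd say so: `// A FilterChainData may be shared by several match-map entries; dedupe so each http_filters list is reversed exactly once. After this point the lists are in Core order (data flows *up* the stack).` If StartRdsWatch can ever be invoked twice on the same FilterChainMatchManager the second call would flip the lists back; I cannot tell from the hunk whether that is excluded, so a `GPR_ASSERT` or a comment on the single-call assumption would help. The enclosing function ends outside the hunk.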
@@ -622,14 +645,19 @@ void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: MakeRefCounted(resource_name, WeakRef()); rds_map_.emplace(resource_name, RdsUpdateState{route_config_watcher.get(), absl::nullopt}); - XdsRouteConfigResourceType::StartWatch(xds_client_.get(), resource_name, - std::move(route_config_watcher)); + watchers_to_start.push_back( + WatcherToStart{resource_name, std::move(route_config_watcher)}); } if (rds_resources_yet_to_fetch_ != 0) { listener_watcher_ = std::move(listener_watcher); listener_watcher = nullptr; } } + for (auto& watcher_to_start : watchers_to_start) { + XdsRouteConfigResourceType::StartWatch(xds_client_.get(), + watcher_to_start.resource_name, + std::move(watcher_to_start.watcher)); + } // Promote this filter chain match manager if all referenced resources are // fetched. if (listener_watcher != nullptr) { @@ -967,16 +995,13 @@ absl::StatusOr XdsServerConfigFetcher::ListenerWatcher:: std::vector filters; // Iterate the list of HTTP filters in reverse since in Core, received data // flows *up* the stack. - for (auto reverse_iterator = - filter_chain->http_connection_manager.http_filters.rbegin(); - reverse_iterator != - filter_chain->http_connection_manager.http_filters.rend(); - ++reverse_iterator) { + for (const auto& http_filter : + filter_chain->http_connection_manager.http_filters) { // Find filter. This is guaranteed to succeed, because it's checked // at config validation time in the XdsApi code. const XdsHttpFilterImpl* filter_impl = XdsHttpFilterRegistry::GetFilterForType( - reverse_iterator->config.config_proto_type_name); + http_filter.config.config_proto_type_name); GPR_ASSERT(filter_impl != nullptr); // Some filters like the router filter are no-op filters and do not have // an implementation. 
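Review bot: In the last hunk the comment `// Iterate the list of HTTP filters in reverse since in Core, received data flows *up* the stack.` is now stale: the loop beneath it iterates `http_filters` forward and depends on the list having been reversed earlier in StartRdsWatch, so a reader of this function alone will conclude the reversal went missing. I'd replace it with `// http_filters was already reversed into Core order (received data flows *up* the stack) when the RDS watches were started in StartRdsWatch, so iterate forward here.` The enclosing function starts and ends outside the hunk.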
@@ -1162,12 +1187,22 @@ XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: http_filters_(std::move(http_filters)), resource_(std::move(initial_resource)) { GPR_ASSERT(!resource_name_.empty()); - auto route_config_watcher = MakeRefCounted(Ref()); + // RouteConfigWatcher is being created here instead of in Watch() to avoid + // deadlocks from invoking XdsRouteConfigResourceType::StartWatch whilst in a + // critical region. + auto route_config_watcher = MakeRefCounted(WeakRef()); route_config_watcher_ = route_config_watcher.get(); XdsRouteConfigResourceType::StartWatch(xds_client_.get(), resource_name_, std::move(route_config_watcher)); } +void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: + DynamicXdsServerConfigSelectorProvider::Orphan() { + XdsRouteConfigResourceType::CancelWatch(xds_client_.get(), resource_name_, + route_config_watcher_, + false /* delay_unsubscription */); +} + absl::StatusOr> XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: DynamicXdsServerConfigSelectorProvider::Watch( @@ -1189,9 +1224,6 @@ XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: DynamicXdsServerConfigSelectorProvider::CancelWatch() { - XdsRouteConfigResourceType::CancelWatch(xds_client_.get(), resource_name_, - route_config_watcher_, - false /* delay_unsubscription */); MutexLock lock(&mu_); watcher_.reset(); } @@ -1204,6 +1236,10 @@ void XdsServerConfigFetcher::ListenerWatcher::FilterChainMatchManager:: if (watcher_ == nullptr) { return; } + // Currently server_config_selector_filter does not call into + // DynamicXdsServerConfigSelectorProvider while holding a lock, but if that + // ever changes, we would want to invoke the update outside the critical + // region with the use of a WorkSerializer. watcher_->OnServerConfigSelectorUpdate( XdsServerConfigSelector::Create(*resource_, http_filters_)); } 
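Review bot: The new `Orphan()` cancels the RDS watch through the raw `route_config_watcher_` but leaves that pointer dangling afterwards, and carries no comment tying it to the `StartWatch` in the constructor or to the watcher's `WeakRef`; since `CancelWatch()` in the hunk at -1189 no longer cancels the watch, `Orphan()` is now the only place the subscription is released. Suggest `// Cancel the RDS watch started in the constructor. The watcher holds only a WeakRef to this provider, so nothing else keeps it alive once orphaned.` above the call and `route_config_watcher_ = nullptr;` after it. The RouteConfigWatcher callbacks that now have to upgrade the WeakRef are outside the hunk, so whether they handle a failed upgrade cannot be confirmed here. The constructor starts outside the hunk and the `Watch()` signature continues past it.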
diff --git a/src/core/lib/gprpp/status_helper.cc b/src/core/lib/gprpp/status_helper.cc index 5746fd8b50f..d0fe6a8ec53 100644 --- a/src/core/lib/gprpp/status_helper.cc +++ b/src/core/lib/gprpp/status_helper.cc @@ -159,7 +159,7 @@ std::vector ParseChildren(absl::Cord children) { absl::Status StatusCreate(absl::StatusCode code, absl::string_view msg, const DebugLocation& location, - std::initializer_list children) { + std::vector children) { absl::Status s(code, msg); if (location.file() != nullptr) { StatusSetStr(&s, StatusStrProperty::kFile, location.file()); diff --git a/src/core/lib/gprpp/status_helper.h b/src/core/lib/gprpp/status_helper.h index 1587bad4f68..f9462d48e6c 100644 --- a/src/core/lib/gprpp/status_helper.h +++ b/src/core/lib/gprpp/status_helper.h @@ -110,7 +110,7 @@ enum class StatusTimeProperty { /// Creates a status with given additional information absl::Status StatusCreate( absl::StatusCode code, absl::string_view msg, const DebugLocation& location, - std::initializer_list children) GRPC_MUST_USE_RESULT; + std::vector children) GRPC_MUST_USE_RESULT; /// Sets the int property to the status void StatusSetInt(absl::Status* status, StatusIntProperty key, intptr_t value); diff --git a/src/core/lib/security/authorization/grpc_authorization_engine.cc b/src/core/lib/security/authorization/grpc_authorization_engine.cc index 34fc97675ef..5278a3bc647 100644 --- a/src/core/lib/security/authorization/grpc_authorization_engine.cc +++ b/src/core/lib/security/authorization/grpc_authorization_engine.cc 
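Review bot: `StatusCreate` now takes its `children` as a `std::vector` by value in both status_helper.cc and status_helper.h, so every call site copies its vector unless it explicitly moves; a `const` reference (or a span) would keep brace-initialized callers working without the copy. Whether the body moves from the parameter, which would justify by-value, cannot be confirmed because the function body continues outside the hunk.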
@@ -29,6 +29,17 @@ GrpcAuthorizationEngine::GrpcAuthorizationEngine(Rbac policy) } } +GrpcAuthorizationEngine::GrpcAuthorizationEngine( + GrpcAuthorizationEngine&& other) noexcept + : action_(other.action_), policies_(std::move(other.policies_)) {} + +GrpcAuthorizationEngine& GrpcAuthorizationEngine::operator=( + GrpcAuthorizationEngine&& other) noexcept { + action_ = other.action_; + policies_ = std::move(other.policies_); + return *this; +} + AuthorizationEngine::Decision GrpcAuthorizationEngine::Evaluate( const EvaluateArgs& args) const { Decision decision; diff --git a/src/core/lib/security/authorization/grpc_authorization_engine.h b/src/core/lib/security/authorization/grpc_authorization_engine.h index 773dbd269c6..f50a69170ce 100644 --- a/src/core/lib/security/authorization/grpc_authorization_engine.h +++ b/src/core/lib/security/authorization/grpc_authorization_engine.h @@ -36,10 +36,13 @@ class GrpcAuthorizationEngine : public AuthorizationEngine { // Builds GrpcAuthorizationEngine with allow/deny RBAC policy. explicit GrpcAuthorizationEngine(Rbac policy); - Rbac::Action action() { return action_; } + GrpcAuthorizationEngine(GrpcAuthorizationEngine&& other) noexcept; + GrpcAuthorizationEngine& operator=(GrpcAuthorizationEngine&& other) noexcept; + + Rbac::Action action() const { return action_; } // Required only for testing purpose. - size_t num_policies() { return policies_.size(); } + size_t num_policies() const { return policies_.size(); } // Evaluates incoming request against RBAC policy and makes a decision to // whether allow/deny this request. @@ -50,7 +53,6 @@ class GrpcAuthorizationEngine : public AuthorizationEngine { std::string name; std::unique_ptr matcher; }; - Rbac::Action action_; std::vector policies_; }; diff --git a/src/core/lib/security/authorization/rbac_policy.h b/src/core/lib/security/authorization/rbac_policy.h index 3963eb84852..b57c4c37ac1 100644 --- a/src/core/lib/security/authorization/rbac_policy.h 
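Review bot: The move assignment leaves `other.policies_` moved-from while `other.action_` keeps its value, so a moved-from engine has an intact action but no policies — under a deny action such an engine would allow every request, under an allow action deny every one — and neither operation documents that state or guards against self-move. Both operations do exactly what `= default` would, so suggest defaulting them and adding `// A moved-from engine keeps its action but has no policies; it must not be evaluated.` to the class. The header hunk at -50,7 also removes `Rbac::Action action_;` from the private section while `action()` and these operations still read it, so it must now be declared somewhere outside these hunks; worth confirming.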
+++ b/src/core/lib/security/authorization/rbac_policy.h @@ -80,7 +80,7 @@ struct Rbac { std::string ToString() const; - RuleType type; + RuleType type = RuleType::kAnd; HeaderMatcher header_matcher; StringMatcher string_matcher; CidrRange ip; @@ -124,7 +124,7 @@ struct Rbac { std::string ToString() const; - RuleType type; + RuleType type = RuleType::kAnd; HeaderMatcher header_matcher; StringMatcher string_matcher; CidrRange ip; diff --git a/src/core/plugin_registry/grpc_plugin_registry.cc b/src/core/plugin_registry/grpc_plugin_registry.cc index 8a31816e40c..588e4d8cbc4 100644 --- a/src/core/plugin_registry/grpc_plugin_registry.cc +++ b/src/core/plugin_registry/grpc_plugin_registry.cc @@ -64,6 +64,8 @@ void ServiceConfigParserShutdown(void); #ifndef GRPC_NO_XDS namespace grpc_core { +void RbacFilterInit(void); +void RbacFilterShutdown(void); void XdsClientGlobalInit(); void XdsClientGlobalShutdown(); } // namespace grpc_core @@ -128,6 +130,8 @@ void grpc_register_built_in_plugins(void) { grpc_register_plugin(grpc_core::FaultInjectionFilterInit, grpc_core::FaultInjectionFilterShutdown); #ifndef GRPC_NO_XDS + // rbac_filter is being guarded with GRPC_NO_XDS to avoid a dependency on the re2 library by default + grpc_register_plugin(grpc_core::RbacFilterInit, grpc_core::RbacFilterShutdown); grpc_register_plugin(grpc_core::XdsClientGlobalInit, grpc_core::XdsClientGlobalShutdown); grpc_register_plugin(grpc_certificate_provider_registry_init, diff --git a/src/proto/grpc/testing/xds/v3/BUILD b/src/proto/grpc/testing/xds/v3/BUILD index 538ee8f73c0..54a457637d0 100644 --- a/src/proto/grpc/testing/xds/v3/BUILD +++ b/src/proto/grpc/testing/xds/v3/BUILD @@ -112,6 +112,17 @@ grpc_proto_library( well_known_protos = True, ) +grpc_proto_library( + name = "path_proto", + srcs = [ + "path.proto", + ], + well_known_protos = True, + deps = [ + "string_proto", + ], +) + grpc_proto_library( name = "listener_proto", srcs = [ 
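Review bot: `RuleType type = RuleType::kAnd;` picks a default for both rule structs without saying what a default-constructed rule matches; for an authorization policy a default that could evaluate as "matches everything" is the risky direction, and the evaluation of an empty kAnd set is outside this diff. Suggest `// Defaults to kAnd so a default-constructed rule is well-defined; callers are expected to set type and the matching field explicitly.` on both structs. The enclosing `Rbac` struct starts and ends outside these hunks.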
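Review bot: The added comment in grpc_plugin_registry.cc runs well past the file's line width and the new `grpc_register_plugin(grpc_core::RbacFilterInit, grpc_core::RbacFilterShutdown);` sits on one line where its neighbours wrap; suggest wrapping both to match, e.g. `// rbac_filter is guarded with GRPC_NO_XDS to avoid a dependency on the re2` / `// library by default.`. Registering the filter before `XdsClientGlobalInit` presumably does not matter, but if the RBAC service-config parser has an ordering requirement relative to the other plugins, that is not stated.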
@@ -200,6 +211,7 @@ grpc_proto_library( well_known_protos = True, deps = [ "config_source_proto", + "extension_proto", "protocol_proto", "route_proto", ], @@ -291,6 +303,56 @@ grpc_proto_library( ], ) +grpc_proto_library( + name = "metadata_proto", + srcs = [ + "metadata.proto", + ], + well_known_protos = True, +) + +grpc_proto_library( + name = "expr_proto", + srcs = [ + "expr.proto", + ], + well_known_protos = True, +) + +cc_library( + name = "expr_lib", + deps = ["expr_cc_proto"], +) + +grpc_proto_library( + name = "rbac_proto", + srcs = [ + "rbac.proto", + ], + well_known_protos = True, + deps = [ + "address_proto", + "expr_proto", + "extension_proto", + "metadata_proto", + "path_proto", + "range_proto", + "route_proto", + "string_proto", + ], +) + +grpc_proto_library( + name = "http_filter_rbac_proto", + srcs = [ + "http_filter_rbac.proto", + ], + well_known_protos = True, + deps = [ + "rbac_proto", + ], +) + py_proto_library( name = "csds_py_pb2", deps = [":_csds_proto_only"], diff --git a/src/proto/grpc/testing/xds/v3/expr.proto b/src/proto/grpc/testing/xds/v3/expr.proto new file mode 100644 index 00000000000..490a3d72b2c --- /dev/null +++ b/src/proto/grpc/testing/xds/v3/expr.proto @@ -0,0 +1,23 @@ +// Copyright 2021 The gRPC Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// TODO(yashykt) : Figure out how to not need this + +syntax = "proto3"; + +package google.api.expr.v1alpha1; + +message Expr {} + +message CheckedExpr {} 
diff --git a/src/proto/grpc/testing/xds/v3/http_connection_manager.proto b/src/proto/grpc/testing/xds/v3/http_connection_manager.proto index 74477073c70..a8d3ea49e75 100644 --- a/src/proto/grpc/testing/xds/v3/http_connection_manager.proto +++ b/src/proto/grpc/testing/xds/v3/http_connection_manager.proto @@ -21,6 +21,7 @@ package envoy.extensions.filters.network.http_connection_manager.v3; import "google/protobuf/any.proto"; import "src/proto/grpc/testing/xds/v3/config_source.proto"; +import "src/proto/grpc/testing/xds/v3/extension.proto"; import "src/proto/grpc/testing/xds/v3/protocol.proto"; import "src/proto/grpc/testing/xds/v3/route.proto"; 
@@ -50,6 +51,32 @@ message HttpConnectionManager { // Additional settings for HTTP requests handled by the connection manager. These will be // applicable to both HTTP1 and HTTP2 requests. config.core.v3.HttpProtocolOptions common_http_protocol_options = 35; + + // The number of additional ingress proxy hops from the right side of the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when + // determining the origin client's IP address. The default is zero if this option + // is not specified. See the documentation for + // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information. + uint32 xff_num_trusted_hops = 19; + + // The configuration for the original IP detection extensions. + // + // When configured the extensions will be called along with the request headers + // and information about the downstream connection, such as the directly connected address. + // Each extension will then use these parameters to decide the request's effective remote address. + // If an extension fails to detect the original IP address and isn't configured to reject + // the request, the HCM will try the remaining extensions until one succeeds or rejects + // the request. If the request isn't rejected nor any extension succeeds, the HCM will + // fallback to using the remote address. + // + // .. WARNING:: + // Extensions cannot be used in conjunction with :ref:`use_remote_address + // ` + // nor :ref:`xff_num_trusted_hops + // `. + // + // [#extension-category: envoy.http.original_ip_detection] + repeated config.core.v3.TypedExtensionConfig original_ip_detection_extensions = 46; } message Rds { diff --git a/src/proto/grpc/testing/xds/v3/http_filter_rbac.proto b/src/proto/grpc/testing/xds/v3/http_filter_rbac.proto new file mode 100644 index 00000000000..03d5f7b2c09 --- /dev/null +++ b/src/proto/grpc/testing/xds/v3/http_filter_rbac.proto 
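Review bot: `xff_num_trusted_hops` and `original_ip_detection_extensions` are added to this test-only copy of the HCM proto with Envoy's semantics, but nothing in this diff shows the server implementing either, so a test that sets them and expects `remote_ip`/`source_ip` matching to follow XFF rather than the direct peer would be misled. Suggest a one-line note above the fields, e.g. `// Copied for test completeness; the gRPC listener parser does not implement XFF-based client IP detection.`, if that is indeed the case.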
@@ -0,0 +1,41 @@ +// +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +// Local copy of Envoy xDS proto file, used for testing only. + +syntax = "proto3"; + +package envoy.extensions.filters.http.rbac.v3; + +import "src/proto/grpc/testing/xds/v3/rbac.proto"; + +// [#protodoc-title: RBAC] +// Role-Based Access Control :ref:`configuration overview `. +// [#extension: envoy.filters.http.rbac] + +// RBAC filter config. +message RBAC { + // Specify the RBAC rules to be applied globally. + // If absent, no enforcing RBAC policy will be applied. + // If present and empty, DENY. + config.rbac.v3.RBAC rules = 1; +} + +message RBACPerRoute { + // Override the global configuration of the filter with this new config. + // If absent, the global RBAC policy will be disabled for this route. + RBAC rbac = 2; +} diff --git a/src/proto/grpc/testing/xds/v3/metadata.proto b/src/proto/grpc/testing/xds/v3/metadata.proto new file mode 100644 index 00000000000..633742121e2 --- /dev/null +++ b/src/proto/grpc/testing/xds/v3/metadata.proto 
@@ -0,0 +1,84 @@ +// Copyright 2021 The gRPC Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Local copy of Envoy xDS proto file, used for testing only. + +syntax = "proto3"; + +package envoy.type.matcher.v3; + +// [#protodoc-title: Metadata matcher] + +// MetadataMatcher provides a general interface to check if a given value is matched in +// :ref:`Metadata `. It uses `filter` and `path` to retrieve the value +// from the Metadata and then check if it's matched to the specified value. +// +// For example, for the following Metadata: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.filters.http.rbac: +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" +// from the Metadata which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following MetadataMatcher is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. 
code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to +// enforce access control based on dynamic metadata in a request. See :ref:`Permission +// ` and :ref:`Principal +// `. + +// [#next-major-version: MetadataMatcher should use StructMatcher] +message MetadataMatcher { +} diff --git a/src/proto/grpc/testing/xds/v3/path.proto b/src/proto/grpc/testing/xds/v3/path.proto new file mode 100644 index 00000000000..18f3421be08 --- /dev/null +++ b/src/proto/grpc/testing/xds/v3/path.proto @@ -0,0 +1,35 @@ +// +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +// Local copy of Envoy xDS proto file, used for testing only. + +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "src/proto/grpc/testing/xds/v3/string.proto"; + +// [#protodoc-title: Path matcher] + +// Specifies the way to match a path on HTTP request. +message PathMatcher { + oneof rule { + // The `path` must match the URL path portion of the :path header. The query and fragment + // string (if present) are removed in the URL path portion. + // For example, the path */data* will match the *:path* header */data#fragment?param=value*. + StringMatcher path = 1; + } +} 
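Review bot: `message MetadataMatcher {}` is an empty stub, but the sixty-line comment above it describes `filter`, `path` and `value` fields and matching semantics that the stub does not declare, so a reader may assume metadata matching is exercised by the tests. Suggest replacing that comment with `// Stub of Envoy's MetadataMatcher: only the message type is needed by rbac.proto; fields are intentionally omitted.`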
diff --git a/src/proto/grpc/testing/xds/v3/range.proto b/src/proto/grpc/testing/xds/v3/range.proto index 5fe5530ee6e..e9a944227c1 100644 --- a/src/proto/grpc/testing/xds/v3/range.proto +++ b/src/proto/grpc/testing/xds/v3/range.proto @@ -29,3 +29,13 @@ message Int64Range { // end of the range (exclusive) int64 end = 2; } + +// Specifies the int32 start and end of the range using half-open interval semantics [start, +// end). +message Int32Range { + // start of the range (inclusive) + int32 start = 1; + + // end of the range (exclusive) + int32 end = 2; +} diff --git a/src/proto/grpc/testing/xds/v3/rbac.proto b/src/proto/grpc/testing/xds/v3/rbac.proto new file mode 100644 index 00000000000..d9f2213be63 --- /dev/null +++ b/src/proto/grpc/testing/xds/v3/rbac.proto 
@@ -0,0 +1,293 @@ +// +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +// Local copy of Envoy xDS proto file, used for testing only. + +syntax = "proto3"; + +package envoy.config.rbac.v3; + +import "src/proto/grpc/testing/xds/v3/address.proto"; +import "src/proto/grpc/testing/xds/v3/extension.proto"; +import "src/proto/grpc/testing/xds/v3/route.proto"; +import "src/proto/grpc/testing/xds/v3/metadata.proto"; +import "src/proto/grpc/testing/xds/v3/path.proto"; +import "src/proto/grpc/testing/xds/v3/string.proto"; +import "src/proto/grpc/testing/xds/v3/range.proto"; + +import "src/proto/grpc/testing/xds/v3/expr.proto"; + +// [#protodoc-title: Role Based Access Control (RBAC)] + +// Role Based Access Control (RBAC) provides service-level and method-level access control for a +// service. Requests are allowed or denied based on the `action` and whether a matching policy is +// found. For instance, if the action is ALLOW and a matching policy is found the request should be +// allowed. +// +// RBAC can also be used to make access logging decisions by communicating with access loggers +// through dynamic metadata. When the action is LOG and at least one policy matches, the +// `access_log_hint` value in the shared key namespace 'envoy.common' is set to `true` indicating +// the request should be logged. +// +// Here is an example of RBAC configuration. 
It has two policies: +// +// * Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so +// does "cluster.local/ns/default/sa/superuser". +// +// * Any user can read ("GET") the service at paths with prefix "/products", so long as the +// destination port is either 80 or 443. +// +// .. code-block:: yaml +// +// action: ALLOW +// policies: +// "service-admin": +// permissions: +// - any: true +// principals: +// - authenticated: +// principal_name: +// exact: "cluster.local/ns/default/sa/admin" +// - authenticated: +// principal_name: +// exact: "cluster.local/ns/default/sa/superuser" +// "product-viewer": +// permissions: +// - and_rules: +// rules: +// - header: +// name: ":method" +// string_match: +// exact: "GET" +// - url_path: +// path: { prefix: "/products" } +// - or_rules: +// rules: +// - destination_port: 80 +// - destination_port: 443 +// principals: +// - any: true +// +message RBAC { + // Should we do safe-list or block-list style access control? + enum Action { + // The policies grant access to principals. The rest are denied. This is safe-list style + // access control. This is the default type. + ALLOW = 0; + + // The policies deny access to principals. The rest are allowed. This is block-list style + // access control. + DENY = 1; + + // The policies set the `access_log_hint` dynamic metadata key based on if requests match. + // All requests are allowed. + LOG = 2; + } + + // The action to take if a policy matches. Every action either allows or denies a request, + // and can also carry out action-specific operations. + // + // Actions: + // + // * ALLOW: Allows the request if and only if there is a policy that matches + // the request. + // * DENY: Allows the request if and only if there are no policies that + // match the request. + // * LOG: Allows all requests. 
If at least one policy matches, the dynamic + // metadata key `access_log_hint` is set to the value `true` under the shared + // key namespace 'envoy.common'. If no policies match, it is set to `false`. + // Other actions do not modify this key. + // + Action action = 1; + + // Maps from policy name to policy. A match occurs when at least one policy matches the request. + // The policies are evaluated in lexicographic order of the policy name. + map policies = 2; +} + +// Policy specifies a role and the principals that are assigned/denied the role. +// A policy matches if and only if at least one of its permissions match the +// action taking place AND at least one of its principals match the downstream +// AND the condition is true if specified. +message Policy { + // Required. The set of permissions that define a role. Each permission is + // matched with OR semantics. To match all actions for this policy, a single + // Permission with the `any` field set to true should be used. + repeated Permission permissions = 1; + + // Required. The set of principals that are assigned/denied the role based on + // “action”. Each principal is matched with OR semantics. To match all + // downstreams for this policy, a single Principal with the `any` field set to + // true should be used. + repeated Principal principals = 2; + + // An optional symbolic expression specifying an access control + // :ref:`condition `. The condition is combined + // with the permissions and the principals as a clause with AND semantics. + // Only be used when checked_condition is not used. + google.api.expr.v1alpha1.Expr condition = 3; + + // [#not-implemented-hide:] + // An optional symbolic expression that has been successfully type checked. + // Only be used when condition is not used. + google.api.expr.v1alpha1.CheckedExpr checked_condition = 4; +} + +// Permission defines an action (or actions) that a principal can take. 
+// [#next-free-field: 13] +message Permission { + // Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context, + // each are applied with the associated behavior. + message Set { + repeated Permission rules = 1; + } + + oneof rule { + // A set of rules that all must match in order to define the action. + Set and_rules = 1; + + // A set of rules where at least one must match in order to define the action. + Set or_rules = 2; + + // When any is set, it matches any action. + bool any = 3; + + // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only + // available for HTTP request. + // Note: the pseudo-header :path includes the query and fragment string. Use the `url_path` + // field if you want to match the URL path without the query and fragment string. + route.v3.HeaderMatcher header = 4; + + // A URL path on the incoming HTTP request. Only available for HTTP. + type.matcher.v3.PathMatcher url_path = 10; + + // A CIDR block that describes the destination IP. + core.v3.CidrRange destination_ip = 5; + + // A port number that describes the destination port connecting to. + uint32 destination_port = 6; + + // A port number range that describes a range of destination ports connecting to. + type.v3.Int32Range destination_port_range = 11; + + // Metadata that describes additional information about the action. + type.matcher.v3.MetadataMatcher metadata = 7; + + // Negates matching the provided permission. For instance, if the value of + // `not_rule` would match, this permission would not match. Conversely, if + // the value of `not_rule` would not match, this permission would match. + Permission not_rule = 8; + + // The request server from the client's connection request. This is + // typically TLS SNI. + // + // .. attention:: + // + // The behavior of this field may be affected by how Envoy is configured + // as explained below. 
+ // + // * If the :ref:`TLS Inspector ` + // filter is not added, and if a `FilterChainMatch` is not defined for + // the :ref:`server name + // `, + // a TLS connection's requested SNI server name will be treated as if it + // wasn't present. + // + // * A :ref:`listener filter ` may + // overwrite a connection's requested server name within Envoy. + // + // Please refer to :ref:`this FAQ entry ` to learn to + // setup SNI. + type.matcher.v3.StringMatcher requested_server_name = 9; + + // Extension for configuring custom matchers for RBAC. + // [#extension-category: envoy.rbac.matchers] + core.v3.TypedExtensionConfig matcher = 12; + } +} + +// Principal defines an identity or a group of identities for a downstream +// subject. +// [#next-free-field: 12] +message Principal { + // Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. + // Depending on the context, each are applied with the associated behavior. + message Set { + repeated Principal ids = 1; + } + + // Authentication attributes for a downstream. + message Authenticated { + reserved 1; + + // The name of the principal. If set, The URI SAN or DNS SAN in that order + // is used from the certificate, otherwise the subject field is used. If + // unset, it applies to any user that is authenticated. + type.matcher.v3.StringMatcher principal_name = 2; + } + + oneof identifier { + // A set of identifiers that all must match in order to define the + // downstream. + Set and_ids = 1; + + // A set of identifiers at least one must match in order to define the + // downstream. + Set or_ids = 2; + + // When any is set, it matches any downstream. + bool any = 3; + + // Authenticated attributes that identify the downstream. + Authenticated authenticated = 4; + + // A CIDR block that describes the downstream IP. + // This address will honor proxy protocol, but will not honor XFF. + core.v3.CidrRange source_ip = 5; + + // A CIDR block that describes the downstream remote/origin address. 
+ // Note: This is always the physical peer even if the + // :ref:`remote_ip ` is + // inferred from for example the x-forwarder-for header, proxy protocol, + // etc. + core.v3.CidrRange direct_remote_ip = 10; + + // A CIDR block that describes the downstream remote/origin address. + // Note: This may not be the physical peer and could be different from the + // :ref:`direct_remote_ip + // `. E.g, if the + // remote ip is inferred from for example the x-forwarder-for header, proxy + // protocol, etc. + core.v3.CidrRange remote_ip = 11; + + // A header (or pseudo-header such as :path or :method) on the incoming HTTP + // request. Only available for HTTP request. Note: the pseudo-header :path + // includes the query and fragment string. Use the `url_path` field if you + // want to match the URL path without the query and fragment string. + route.v3.HeaderMatcher header = 6; + + // A URL path on the incoming HTTP request. Only available for HTTP. + type.matcher.v3.PathMatcher url_path = 9; + + // Metadata that describes additional information about the principal. + type.matcher.v3.MetadataMatcher metadata = 7; + + // Negates matching the provided principal. For instance, if the value of + // `not_id` would match, this principal would not match. Conversely, if the + // value of `not_id` would not match, this principal would match. + Principal not_id = 8; + } +} diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py index a157d3aba71..f994fcdfac2 100644 --- a/src/python/grpcio/grpc_core_dependencies.py +++ b/src/python/grpcio/grpc_core_dependencies.py 
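Review bot: This local copy carries fields that this diff shows no core implementation for — `Policy.condition`, `Policy.checked_condition`, `Permission.metadata`, `Permission.matcher`, `Principal.metadata` and the `LOG` action — and a parser that silently drops any of them widens a policy, since a dropped `condition` or `not_rule` clause makes the policy match more than intended. The parser that consumes these is outside this diff, so whether it rejects them cannot be confirmed here; suggest a line after `// Local copy of Envoy xDS proto file, used for testing only.` such as `// Fields not supported by the gRPC RBAC parser are kept so tests can verify they are rejected.`, if that is the intent.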
@@ -89,6 +89,8 @@ CORE_SOURCE_FILES = [
 'src/core/ext/filters/http/server/http_server_filter.cc',
 'src/core/ext/filters/max_age/max_age_filter.cc',
 'src/core/ext/filters/message_size/message_size_filter.cc',
+ 'src/core/ext/filters/rbac/rbac_filter.cc',
+ 'src/core/ext/filters/rbac/rbac_service_config_parser.cc',
 'src/core/ext/filters/server_config_selector/server_config_selector.cc',
 'src/core/ext/filters/server_config_selector/server_config_selector_filter.cc',
 'src/core/ext/service_config/service_config.cc',
@@ -170,6 +172,7 @@ CORE_SOURCE_FILES = [
 'src/core/ext/upb-generated/envoy/extensions/clusters/aggregate/v3/cluster.upb.c',
 'src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c',
 'src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c',
+ 'src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c',
 'src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c',
 'src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c',
 'src/core/ext/upb-generated/envoy/extensions/transport_sockets/tls/v3/cert.upb.c',
@@ -270,6 +273,7 @@ CORE_SOURCE_FILES = [
 'src/core/ext/upbdefs-generated/envoy/config/listener/v3/udp_listener_config.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c',
+ 'src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/config/route/v3/scoped_route.upbdefs.c',
@@ -277,6 +281,7 @@ CORE_SOURCE_FILES = [
 'src/core/ext/upbdefs-generated/envoy/extensions/clusters/aggregate/v3/cluster.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c',
+ 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/cert.upbdefs.c',
@@ -308,6 +313,11 @@ CORE_SOURCE_FILES = [
 'src/core/ext/upbdefs-generated/envoy/type/v3/range.upbdefs.c',
 'src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c',
 'src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c',
+ 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c',
+ 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c',
+ 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c',
+ 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c',
+ 'src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c',
 'src/core/ext/upbdefs-generated/google/api/http.upbdefs.c',
 'src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c',
 'src/core/ext/upbdefs-generated/google/protobuf/descriptor.upbdefs.c',
@@ -345,6 +355,7 @@ CORE_SOURCE_FILES = [
 'src/core/ext/xds/xds_endpoint.cc',
 'src/core/ext/xds/xds_http_fault_filter.cc',
 'src/core/ext/xds/xds_http_filters.cc',
+ 'src/core/ext/xds/xds_http_rbac_filter.cc',
 'src/core/ext/xds/xds_listener.cc',
 'src/core/ext/xds/xds_resource_type.cc',
 'src/core/ext/xds/xds_route_config.cc',
@@ -531,6 +542,9 @@ CORE_SOURCE_FILES = [
 'src/core/lib/resource_quota/trace.cc',
 'src/core/lib/security/authorization/authorization_policy_provider_vtable.cc',
 'src/core/lib/security/authorization/evaluate_args.cc',
+ 'src/core/lib/security/authorization/grpc_authorization_engine.cc',
+ 'src/core/lib/security/authorization/matchers.cc',
+ 'src/core/lib/security/authorization/rbac_policy.cc',
 'src/core/lib/security/authorization/sdk_server_authz_filter.cc',
 'src/core/lib/security/context/security_context.cc',
 'src/core/lib/security/credentials/alts/alts_credentials.cc',
diff --git a/test/core/ext/filters/rbac/BUILD b/test/core/ext/filters/rbac/BUILD
new file mode 100644
index 00000000000..4c4d7d6255a
--- /dev/null
+++ b/test/core/ext/filters/rbac/BUILD
@@ -0,0 +1,33 @@
+# Copyright 2021 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load("//bazel:grpc_build_system.bzl", "grpc_cc_test", "grpc_package")
+
+licenses(["notice"])
+
+grpc_package(name = "test/core/ext/filters/rbac")
+
+grpc_cc_test(
+ name = "rbac_service_config_parser_test",
+ srcs = ["rbac_service_config_parser_test.cc"],
+ external_deps = [
+ "gtest",
+ ],
+ language = "c++",
+ uses_polling = False,
+ deps = [
+ "//:grpc_rbac_filter",
+ "//test/core/util:grpc_test_util",
+ ],
+)
diff --git a/test/core/ext/filters/rbac/rbac_service_config_parser_test.cc b/test/core/ext/filters/rbac/rbac_service_config_parser_test.cc
new file mode 100644
index 00000000000..d97921ef90e
--- /dev/null
+++ b/test/core/ext/filters/rbac/rbac_service_config_parser_test.cc 
@@ -0,0 +1,652 @@ +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include "src/core/ext/filters/rbac/rbac_service_config_parser.h" + +#include +#include +#include + +#include "src/core/ext/service_config/service_config.h" +#include "test/core/util/test_config.h" + +// A regular expression to enter referenced or child errors. +#ifdef GRPC_ERROR_IS_ABSEIL_STATUS +#define CHILD_ERROR_TAG ".*children.*" +#else +#define CHILD_ERROR_TAG ".*referenced_errors.*" +#endif + +namespace grpc_core { +namespace testing { +namespace { + +// Test basic parsing of RBAC policy +TEST(RbacServiceConfigParsingTest, EmptyRbacPolicy) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [ {\n" + " } ]" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_std_string(error); + const auto* vector_ptr = + svc_cfg->GetMethodParsedConfigVector(grpc_empty_slice()); + ASSERT_NE(vector_ptr, nullptr); + auto* parsed_rbac_config = static_cast( + ((*vector_ptr)[RbacServiceConfigParser::ParserIndex()]).get()); + ASSERT_NE(parsed_rbac_config, nullptr); + ASSERT_NE(parsed_rbac_config->authorization_engine(0), nullptr); + 
EXPECT_EQ(parsed_rbac_config->authorization_engine(0)->action(), + Rbac::Action::kDeny); + EXPECT_EQ(parsed_rbac_config->authorization_engine(0)->num_policies(), 0); +} + +// Test that RBAC policies are not parsed if the channel arg +// GRPC_ARG_PARSE_RBAC_METHOD_CONFIG is not present +TEST(RbacServiceConfigParsingTest, MissingChannelArg) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [ {\n" + " } ]" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + auto svc_cfg = ServiceConfig::Create(nullptr, test_json, &error); + ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_std_string(error); + const auto* vector_ptr = + svc_cfg->GetMethodParsedConfigVector(grpc_empty_slice()); + ASSERT_NE(vector_ptr, nullptr); + auto* parsed_rbac_config = static_cast( + ((*vector_ptr)[RbacServiceConfigParser::ParserIndex()]).get()); + ASSERT_EQ(parsed_rbac_config, nullptr); +} + +// Test an empty rbacPolicy array +TEST(RbacServiceConfigParsingTest, EmptyRbacPolicyArray) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": []" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_std_string(error); + const auto* vector_ptr = + svc_cfg->GetMethodParsedConfigVector(grpc_empty_slice()); + ASSERT_NE(vector_ptr, nullptr); + auto* parsed_rbac_config = static_cast( + ((*vector_ptr)[RbacServiceConfigParser::ParserIndex()]).get()); + ASSERT_EQ(parsed_rbac_config, nullptr); +} + +// Test presence of multiple RBAC policies in the array +TEST(RbacServiceConfigParsingTest, MultipleRbacPolicies) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " 
{}\n" + " ],\n" + " \"rbacPolicy\": [ {}, {}, {} ]" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_std_string(error); + const auto* vector_ptr = + svc_cfg->GetMethodParsedConfigVector(grpc_empty_slice()); + ASSERT_NE(vector_ptr, nullptr); + auto* parsed_rbac_config = static_cast( + ((*vector_ptr)[RbacServiceConfigParser::ParserIndex()]).get()); + ASSERT_NE(parsed_rbac_config, nullptr); + for (auto i = 0; i < 3; ++i) { + ASSERT_NE(parsed_rbac_config->authorization_engine(i), nullptr); + EXPECT_EQ(parsed_rbac_config->authorization_engine(i)->action(), + Rbac::Action::kDeny); + EXPECT_EQ(parsed_rbac_config->authorization_engine(i)->num_policies(), 0); + } +} + +TEST(RbacServiceConfigParsingTest, BadRbacPolicyType) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": 1234" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + EXPECT_THAT( + grpc_error_std_string(error), + ::testing::ContainsRegex("Rbac parser" CHILD_ERROR_TAG + "field:rbacPolicy error:type should be ARRAY")); + GRPC_ERROR_UNREF(error); +} + +TEST(RbacServiceConfigParsingTest, BadRulesType) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [{\"rules\":1}]" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = 
ServiceConfig::Create(&args, test_json, &error); + EXPECT_THAT( + grpc_error_std_string(error), + ::testing::ContainsRegex("Rbac parser" CHILD_ERROR_TAG + "rbacPolicy\\[0\\]" CHILD_ERROR_TAG + "field:rules error:type should be OBJECT")); + GRPC_ERROR_UNREF(error); +} + +TEST(RbacServiceConfigParsingTest, BadActionAndPolicyType) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [{\n" + " \"rules\":{\n" + " \"action\":{},\n" + " \"policies\":123\n" + " }\n" + " } ]\n" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + EXPECT_THAT( + grpc_error_std_string(error), + ::testing::ContainsRegex("Rbac parser" CHILD_ERROR_TAG + "rbacPolicy\\[0\\]" CHILD_ERROR_TAG + "field:action error:type should be NUMBER.*" + "field:policies error:type should be OBJECT")); + GRPC_ERROR_UNREF(error); +} + +TEST(RbacServiceConfigParsingTest, MissingPermissionAndPrincipals) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [{\n" + " \"rules\":{\n" + " \"action\":1,\n" + " \"policies\":{\n" + " \"policy\":{\n" + " }\n" + " }\n" + " }\n" + " } ]\n" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + EXPECT_THAT( + grpc_error_std_string(error), + ::testing::ContainsRegex("Rbac parser" CHILD_ERROR_TAG + "rbacPolicy\\[0\\]" CHILD_ERROR_TAG + "policies key:'policy'" CHILD_ERROR_TAG + "field:permissions error:does not exist.*" + "field:principals error:does not exist")); + GRPC_ERROR_UNREF(error); +} + 
+TEST(RbacServiceConfigParsingTest, EmptyPrincipalAndPermission) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [{\n" + " \"rules\":{\n" + " \"action\":1,\n" + " \"policies\":{\n" + " \"policy\":{\n" + " \"permissions\":[{}],\n" + " \"principals\":[{}]\n" + " }\n" + " }\n" + " }\n" + " } ]\n" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + EXPECT_THAT( + grpc_error_std_string(error), + ::testing::ContainsRegex( + "Rbac parser" CHILD_ERROR_TAG "rbacPolicy\\[0\\]" CHILD_ERROR_TAG + "policies key:'policy'" CHILD_ERROR_TAG + "permissions\\[0\\]" CHILD_ERROR_TAG "No valid rule found.*" + "principals\\[0\\]" CHILD_ERROR_TAG "No valid id found")); + GRPC_ERROR_UNREF(error); +} + +TEST(RbacServiceConfigParsingTest, VariousPermissionsAndPrincipalsTypes) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [{\n" + " \"rules\":{\n" + " \"action\":1,\n" + " \"policies\":{\n" + " \"policy\":{\n" + " \"permissions\":[\n" + " {\"andRules\":{\"rules\":[{\"any\":true}]}},\n" + " {\"orRules\":{\"rules\":[{\"any\":true}]}},\n" + " {\"any\":true},\n" + " {\"header\":{\"name\":\"name\", \"exactMatch\":\"\"}},\n" + " {\"urlPath\":{\"path\":{\"exact\":\"\"}}},\n" + " {\"destinationIp\":{\"addressPrefix\":\"::1\"}},\n" + " {\"destinationPort\":1234},\n" + " {\"notRule\":{\"any\":true}},\n" + " {\"requestedServerName\":{\"exact\":\"\"}}\n" + " ],\n" + " \"principals\":[\n" + " {\"andIds\":{\"ids\":[{\"any\":true}]}},\n" + " {\"orIds\":{\"ids\":[{\"any\":true}]}},\n" + " {\"any\":true},\n" + " {\"authenticated\":{\n" + " \"principalName\":{\"exact\":\"\"}}},\n" + " {\"sourceIp\":{\"addressPrefix\":\"::1\"}},\n" + " 
{\"directRemoteIp\":{\"addressPrefix\":\"::1\"}},\n" + " {\"remoteIp\":{\"addressPrefix\":\"::1\"}},\n" + " {\"header\":{\"name\":\"name\", \"exactMatch\":\"\"}},\n" + " {\"urlPath\":{\"path\":{\"exact\":\"\"}}},\n" + " {\"notId\":{\"any\":true}}\n" + " ]\n" + " }\n" + " }\n" + " }\n" + " } ]\n" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_std_string(error); + const auto* vector_ptr = + svc_cfg->GetMethodParsedConfigVector(grpc_empty_slice()); + ASSERT_NE(vector_ptr, nullptr); + auto* parsed_rbac_config = static_cast( + ((*vector_ptr)[RbacServiceConfigParser::ParserIndex()]).get()); + ASSERT_NE(parsed_rbac_config, nullptr); + ASSERT_NE(parsed_rbac_config->authorization_engine(0), nullptr); + EXPECT_EQ(parsed_rbac_config->authorization_engine(0)->num_policies(), 1); +} + +TEST(RbacServiceConfigParsingTest, VariousPermissionsAndPrincipalsBadTypes) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [{\n" + " \"rules\":{\n" + " \"action\":1,\n" + " \"policies\":{\n" + " \"policy\":{\n" + " \"permissions\":[\n" + " {\"andRules\":1234},\n" + " {\"orRules\":1234},\n" + " {\"any\":1234},\n" + " {\"header\":1234},\n" + " {\"urlPath\":1234},\n" + " {\"destinationIp\":1234},\n" + " {\"destinationPort\":\"port\"},\n" + " {\"notRule\":1234},\n" + " {\"requestedServerName\":1234}\n" + " ],\n" + " \"principals\":[\n" + " {\"andIds\":1234},\n" + " {\"orIds\":1234},\n" + " {\"any\":1234},\n" + " {\"authenticated\":1234},\n" + " {\"sourceIp\":1234},\n" + " {\"directRemoteIp\":1234},\n" + " {\"remoteIp\":1234},\n" + " {\"header\":1234},\n" + " {\"urlPath\":1234},\n" + " {\"notId\":1234}\n" + " ]\n" + " }\n" + " }\n" + " }\n" + " } ]\n" + " } 
]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + EXPECT_THAT( + grpc_error_std_string(error), + ::testing::ContainsRegex( + "Rbac parser" CHILD_ERROR_TAG "rbacPolicy\\[0\\]" CHILD_ERROR_TAG + "policies key:'policy'" CHILD_ERROR_TAG + "permissions\\[0\\]" CHILD_ERROR_TAG + "field:andRules error:type should be OBJECT.*" + "permissions\\[1\\]" CHILD_ERROR_TAG + "field:orRules error:type should be OBJECT.*" + "permissions\\[2\\]" CHILD_ERROR_TAG + "field:any error:type should be BOOLEAN.*" + "permissions\\[3\\]" CHILD_ERROR_TAG + "field:header error:type should be OBJECT.*" + "permissions\\[4\\]" CHILD_ERROR_TAG + "field:urlPath error:type should be OBJECT.*" + "permissions\\[5\\]" CHILD_ERROR_TAG + "field:destinationIp error:type should be OBJECT.*" + "permissions\\[6\\]" CHILD_ERROR_TAG + "field:destinationPort error:type should be NUMBER.*" + "permissions\\[7\\]" CHILD_ERROR_TAG + "field:notRule error:type should be OBJECT.*" + "permissions\\[8\\]" CHILD_ERROR_TAG + "field:requestedServerName error:type should be OBJECT.*" + "principals\\[0\\]" CHILD_ERROR_TAG + "field:andIds error:type should be OBJECT.*" + "principals\\[1\\]" CHILD_ERROR_TAG + "field:orIds error:type should be OBJECT.*" + "principals\\[2\\]" CHILD_ERROR_TAG + "field:any error:type should be BOOLEAN.*" + "principals\\[3\\]" CHILD_ERROR_TAG + "field:authenticated error:type should be OBJECT.*" + "principals\\[4\\]" CHILD_ERROR_TAG + "field:sourceIp error:type should be OBJECT.*" + "principals\\[5\\]" CHILD_ERROR_TAG + "field:directRemoteIp error:type should be OBJECT.*" + "principals\\[6\\]" CHILD_ERROR_TAG + "field:remoteIp error:type should be OBJECT.*" + "principals\\[7\\]" CHILD_ERROR_TAG + "field:header error:type should be OBJECT.*" + "principals\\[8\\]" CHILD_ERROR_TAG + 
"field:urlPath error:type should be OBJECT.*" + "principals\\[9\\]" CHILD_ERROR_TAG + "field:notId error:type should be OBJECT.*")); + GRPC_ERROR_UNREF(error); +} + +TEST(RbacServiceConfigParsingTest, HeaderMatcherVariousTypes) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [{\n" + " \"rules\":{\n" + " \"action\":1,\n" + " \"policies\":{\n" + " \"policy\":{\n" + " \"permissions\":[\n" + " {\"header\":{\"name\":\"name\", \"exactMatch\":\"\", \n" + " \"invertMatch\":true}},\n" + " {\"header\":{\"name\":\"name\", \"safeRegexMatch\":{\n" + " \"regex\":\"\"}}},\n" + " {\"header\":{\"name\":\"name\", \"rangeMatch\":{\n" + " \"start\":0, \"end\":1}}},\n" + " {\"header\":{\"name\":\"name\", \"presentMatch\":true}},\n" + " {\"header\":{\"name\":\"name\", \"prefixMatch\":\"\"}},\n" + " {\"header\":{\"name\":\"name\", \"suffixMatch\":\"\"}},\n" + " {\"header\":{\"name\":\"name\", \"containsMatch\":\"\"}}\n" + " ],\n" + " \"principals\":[]\n" + " }\n" + " }\n" + " }\n" + " } ]\n" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_std_string(error); + const auto* vector_ptr = + svc_cfg->GetMethodParsedConfigVector(grpc_empty_slice()); + ASSERT_NE(vector_ptr, nullptr); + auto* parsed_rbac_config = static_cast( + ((*vector_ptr)[RbacServiceConfigParser::ParserIndex()]).get()); + ASSERT_NE(parsed_rbac_config, nullptr); + ASSERT_NE(parsed_rbac_config->authorization_engine(0), nullptr); + EXPECT_EQ(parsed_rbac_config->authorization_engine(0)->num_policies(), 1); +} + +TEST(RbacServiceConfigParsingTest, HeaderMatcherBadTypes) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " 
\"rbacPolicy\": [{\n" + " \"rules\":{\n" + " \"action\":1,\n" + " \"policies\":{\n" + " \"policy\":{\n" + " \"permissions\":[\n" + " {\"header\":{\"name\":\"name\", \"exactMatch\":1, \n" + " \"invertMatch\":1}},\n" + " {\"header\":{\"name\":\"name\", \"safeRegexMatch\":1}},\n" + " {\"header\":{\"name\":\"name\", \"rangeMatch\":1}},\n" + " {\"header\":{\"name\":\"name\", \"presentMatch\":1}},\n" + " {\"header\":{\"name\":\"name\", \"prefixMatch\":1}},\n" + " {\"header\":{\"name\":\"name\", \"suffixMatch\":1}},\n" + " {\"header\":{\"name\":\"name\", \"containsMatch\":1}}\n" + " ],\n" + " \"principals\":[]\n" + " }\n" + " }\n" + " }\n" + " } ]\n" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + EXPECT_THAT( + grpc_error_std_string(error), + ::testing::ContainsRegex( + "Rbac parser" CHILD_ERROR_TAG "rbacPolicy\\[0\\]" CHILD_ERROR_TAG + "policies key:'policy'" CHILD_ERROR_TAG + "permissions\\[0\\]" CHILD_ERROR_TAG "header" CHILD_ERROR_TAG + "field:invertMatch error:type should be BOOLEAN.*" + "field:exactMatch error:type should be STRING.*" + "permissions\\[1\\]" CHILD_ERROR_TAG "header" CHILD_ERROR_TAG + "field:safeRegexMatch error:type should be OBJECT.*" + "permissions\\[2\\]" CHILD_ERROR_TAG "header" CHILD_ERROR_TAG + "field:rangeMatch error:type should be OBJECT.*" + "permissions\\[3\\]" CHILD_ERROR_TAG "header" CHILD_ERROR_TAG + "field:presentMatch error:type should be BOOLEAN.*" + "permissions\\[4\\]" CHILD_ERROR_TAG "header" CHILD_ERROR_TAG + "field:prefixMatch error:type should be STRING.*" + "permissions\\[5\\]" CHILD_ERROR_TAG "header" CHILD_ERROR_TAG + "field:suffixMatch error:type should be STRING.*" + "permissions\\[6\\]" CHILD_ERROR_TAG "header" CHILD_ERROR_TAG + "field:containsMatch error:type should be STRING.*")); + 
GRPC_ERROR_UNREF(error); +} + +TEST(RbacServiceConfigParsingTest, StringMatcherVariousTypes) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [{\n" + " \"rules\":{\n" + " \"action\":1,\n" + " \"policies\":{\n" + " \"policy\":{\n" + " \"permissions\":[\n" + " {\"requestedServerName\":{\"exact\":\"\", \n" + " \"ignoreCase\":true}},\n" + " {\"requestedServerName\":{\"prefix\":\"\"}},\n" + " {\"requestedServerName\":{\"suffix\":\"\"}},\n" + " {\"requestedServerName\":{\"safeRegex\":{\n" + " \"regex\":\"\"}}},\n" + " {\"requestedServerName\":{\"contains\":\"\"}}\n" + " ],\n" + " \"principals\":[]\n" + " }\n" + " }\n" + " }\n" + " } ]\n" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_std_string(error); + const auto* vector_ptr = + svc_cfg->GetMethodParsedConfigVector(grpc_empty_slice()); + ASSERT_NE(vector_ptr, nullptr); + auto* parsed_rbac_config = static_cast( + ((*vector_ptr)[RbacServiceConfigParser::ParserIndex()]).get()); + ASSERT_NE(parsed_rbac_config, nullptr); + ASSERT_NE(parsed_rbac_config->authorization_engine(0), nullptr); + EXPECT_EQ(parsed_rbac_config->authorization_engine(0)->num_policies(), 1); +} + +TEST(RbacServiceConfigParsingTest, StringMatcherBadTypes) { + const char* test_json = + "{\n" + " \"methodConfig\": [ {\n" + " \"name\": [\n" + " {}\n" + " ],\n" + " \"rbacPolicy\": [{\n" + " \"rules\":{\n" + " \"action\":1,\n" + " \"policies\":{\n" + " \"policy\":{\n" + " \"permissions\":[\n" + " {\"requestedServerName\":{\"exact\":1, \n" + " \"ignoreCase\":1}},\n" + " {\"requestedServerName\":{\"prefix\":1}},\n" + " {\"requestedServerName\":{\"suffix\":1}},\n" + " {\"requestedServerName\":{\"safeRegex\":1}},\n" + " 
{\"requestedServerName\":{\"contains\":1}}\n" + " ],\n" + " \"principals\":[]\n" + " }\n" + " }\n" + " }\n" + " } ]\n" + " } ]\n" + "}"; + grpc_error_handle error = GRPC_ERROR_NONE; + grpc_arg arg = grpc_channel_arg_integer_create( + const_cast(GRPC_ARG_PARSE_RBAC_METHOD_CONFIG), 1); + grpc_channel_args args = {1, &arg}; + auto svc_cfg = ServiceConfig::Create(&args, test_json, &error); + EXPECT_THAT( + grpc_error_std_string(error), + ::testing::ContainsRegex("Rbac parser" CHILD_ERROR_TAG + "rbacPolicy\\[0\\]" CHILD_ERROR_TAG + "policies key:'policy'" CHILD_ERROR_TAG + "permissions\\[0\\]" CHILD_ERROR_TAG + "requestedServerName" CHILD_ERROR_TAG + "field:ignoreCase error:type should be BOOLEAN.*" + "field:exact error:type should be STRING.*" + "permissions\\[1\\]" CHILD_ERROR_TAG + "requestedServerName" CHILD_ERROR_TAG + "field:prefix error:type should be STRING.*" + "permissions\\[2\\]" CHILD_ERROR_TAG + "requestedServerName" CHILD_ERROR_TAG + "field:suffix error:type should be STRING.*" + "permissions\\[3\\]" CHILD_ERROR_TAG + "requestedServerName" CHILD_ERROR_TAG + "field:safeRegex error:type should be OBJECT.*" + "permissions\\[4\\]" CHILD_ERROR_TAG + "requestedServerName" CHILD_ERROR_TAG + "field:contains error:type should be STRING.*")); + GRPC_ERROR_UNREF(error); +} + +} // namespace +} // namespace testing +} // namespace grpc_core + +int main(int argc, char** argv) { + grpc::testing::TestEnvironment env(argc, argv); + ::testing::InitGoogleTest(&argc, argv); + grpc_init(); + int ret = RUN_ALL_TESTS(); + grpc_shutdown(); + return ret; +} diff --git a/test/core/server_config_selector/server_config_selector_test.cc b/test/core/server_config_selector/server_config_selector_test.cc index 74c7659ce22..85ab1fdb481 100644 --- a/test/core/server_config_selector/server_config_selector_test.cc +++ b/test/core/server_config_selector/server_config_selector_test.cc 
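Review bot: The success-path tests (`VariousPermissionsAndPrincipalsTypes`, `HeaderMatcherVariousTypes`, `StringMatcherVariousTypes`) only assert `num_policies() == 1`, so a parser that silently dropped or mis-typed one of the listed permission or principal matchers would still pass; asserting on the parsed policy's permission and principal counts, or on the matcher kinds if the engine exposes them, would make these tests meaningful. Nothing in this file pins how the parser treats an `action` value outside the enum (every positive test uses `"action":1`), so whether such a config is rejected or silently mapped to a default goes untested. `EmptyRbacPolicy` does usefully pin that an empty policy yields `Rbac::Action::kDeny`, which is the fail-closed default worth keeping under test.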
@@ -39,6 +39,8 @@ class TestServerConfigSelectorProvider : public ServerConfigSelectorProvider {
 return absl::UnavailableError("Test ServerConfigSelector");
 }
+ void Orphan() override {}
+
 void CancelWatch() override {}
 };
diff --git a/test/cpp/end2end/xds/BUILD b/test/cpp/end2end/xds/BUILD
index 3c5bc1a8d93..19c53146c08 100644
--- a/test/cpp/end2end/xds/BUILD
+++ b/test/cpp/end2end/xds/BUILD
@@ -89,6 +89,7 @@ grpc_cc_test(
 "//src/proto/grpc/testing/xds/v3:fault_common_proto",
 "//src/proto/grpc/testing/xds/v3:fault_proto",
 "//src/proto/grpc/testing/xds/v3:http_connection_manager_proto",
+ "//src/proto/grpc/testing/xds/v3:http_filter_rbac_proto",
 "//src/proto/grpc/testing/xds/v3:listener_proto",
 "//src/proto/grpc/testing/xds/v3:route_proto",
 "//src/proto/grpc/testing/xds/v3:router_proto",
diff --git a/test/cpp/end2end/xds/xds_end2end_test.cc b/test/cpp/end2end/xds/xds_end2end_test.cc
index 84adbe3d5c2..203adfc8988 100644
--- a/test/cpp/end2end/xds/xds_end2end_test.cc
+++ b/test/cpp/end2end/xds/xds_end2end_test.cc
@@ -92,6 +92,7 @@
 #include "src/proto/grpc/testing/xds/v3/endpoint.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/fault.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/http_connection_manager.grpc.pb.h"
+#include "src/proto/grpc/testing/xds/v3/http_filter_rbac.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/listener.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/lrs.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/route.grpc.pb.h"
@@ -128,9 +129,16 @@ using ::envoy::config::endpoint::v3::ClusterLoadAssignment;
 using ::envoy::config::endpoint::v3::HealthStatus;
 using ::envoy::config::listener::v3::FilterChainMatch;
 using ::envoy::config::listener::v3::Listener;
+using ::envoy::config::rbac::v3::Policy;
+using ::envoy::config::rbac::v3::RBAC_Action;
+using ::envoy::config::rbac::v3::RBAC_Action_ALLOW;
+using ::envoy::config::rbac::v3::RBAC_Action_DENY;
+using ::envoy::config::rbac::v3::RBAC_Action_LOG;
 using ::envoy::config::route::v3::RouteConfiguration;
 using ::envoy::extensions::clusters::aggregate::v3::ClusterConfig;
 using ::envoy::extensions::filters::http::fault::v3::HTTPFault;
+using ::envoy::extensions::filters::http::rbac::v3::RBAC;
+using ::envoy::extensions::filters::http::rbac::v3::RBACPerRoute;
 using ::envoy::extensions::filters::network::http_connection_manager::v3::
 HttpConnectionManager;
 using ::envoy::extensions::filters::network::http_connection_manager::v3::
@@ -358,6 +366,11 @@ class TestType {
 return *this;
 }
+ TestType& set_rbac_action(RBAC_Action action) {
+ rbac_action_ = action;
+ return *this;
+ }
+
 bool enable_load_reporting() const { return enable_load_reporting_; }
 bool enable_rds_testing() const { return enable_rds_testing_; }
 bool use_v2() const { return use_v2_; }
@@ -365,6 +378,7 @@ class TestType {
 bool use_csds_streaming() const { return use_csds_streaming_; }
 FilterConfigSetup filter_config_setup() const { return filter_config_setup_; }
 BootstrapSource bootstrap_source() const { return bootstrap_source_; }
+ RBAC_Action rbac_action() const { return rbac_action_; }
 std::string AsString() const {
 std::string retval = use_v2_ ? "V2" : "V3";
@@ -380,6 +394,11 @@ class TestType {
 }
 } else if (bootstrap_source_ == kBootstrapFromEnvVar) {
 retval += "BootstrapFromEnvVar";
 }
+ if (rbac_action_ == RBAC_Action_ALLOW) {
+ retval += "RbacAllow";
+ } else if (rbac_action_ == RBAC_Action_DENY) {
+ retval += "RbacDeny";
+ }
 return retval;
 }
@@ -391,6 +410,7 @@ class TestType {
 bool use_csds_streaming_ = false;
 FilterConfigSetup filter_config_setup_ = kHTTPConnectionManagerOriginal;
 BootstrapSource bootstrap_source_ = kBootstrapFromChannelArg;
+ RBAC_Action rbac_action_ = RBAC_Action_LOG;
 };
 std::string ReadFile(const char* file_path) {
@@ -2889,6 +2909,41 @@ TEST_P(LdsTest, IgnoresOptionalHttpFiltersNotSupportedOnClients) {
 AdsServiceImpl::ResponseState::ACKED);
 }
+// Test that we NACK non-zero xff_num_trusted_hops
+TEST_P(LdsTest, RejectsNonZeroXffNumTrusterHops) {
+ auto listener = default_listener_;
+ HttpConnectionManager http_connection_manager;
+ listener.mutable_api_listener()->mutable_api_listener()->UnpackTo(
+ &http_connection_manager);
+ http_connection_manager.set_xff_num_trusted_hops(1);
+ listener.mutable_api_listener()->mutable_api_listener()->PackFrom(
+ http_connection_manager);
+ SetListenerAndRouteConfiguration(balancer_.get(), listener,
+ default_route_config_);
+ SetNextResolutionForLbChannelAllBalancers();
+ ASSERT_TRUE(WaitForLdsNack()) << "timed out waiting for NACK";
+ EXPECT_THAT(balancer_->ads_service()->lds_response_state().error_message,
+ ::testing::HasSubstr("'xff_num_trusted_hops' must be zero"));
+}
+
+// Test that we NACK non-empty original_ip_detection_extensions
+TEST_P(LdsTest, RejectsNonEmptyOriginalIpDetectionExtensions) {
+ auto listener = default_listener_;
+ HttpConnectionManager http_connection_manager;
+ listener.mutable_api_listener()->mutable_api_listener()->UnpackTo(
+ &http_connection_manager);
+ http_connection_manager.add_original_ip_detection_extensions();
+ listener.mutable_api_listener()->mutable_api_listener()->PackFrom(
+ http_connection_manager);
+ SetListenerAndRouteConfiguration(balancer_.get(), listener,
+ default_route_config_);
+ SetNextResolutionForLbChannelAllBalancers();
+ ASSERT_TRUE(WaitForLdsNack()) << "timed out waiting for NACK";
+ EXPECT_THAT(
+ balancer_->ads_service()->lds_response_state().error_message,
+ ::testing::HasSubstr("'original_ip_detection_extensions' must be empty"));
+}
+
 using LdsV2Test = LdsTest;
 // Tests that we ignore the HTTP filter list in v2.
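Review bot: Both new test names misspell "Trusted": `RejectsNonZeroXffNumTrusterHops` here and `NacksNonZeroXffNumTrusterHops` in the XdsEnabledServerTest hunk below; renaming them to `RejectsNonZeroXffNumTrustedHops` / `NacksNonZeroXffNumTrustedHops` keeps them greppable against the `xff_num_trusted_hops` field they cover. The NACK assertions themselves are worth keeping strict: honouring client-supplied X-Forwarded-For hops would presumably let a caller influence the peer address that the IP-based RBAC principals (`sourceIp`, `directRemoteIp`, `remoteIp`) match on, so the listener must keep rejecting any non-zero value. The leading comment could state that rationale, e.g. `// xff_num_trusted_hops must be zero: trusting XFF would let clients spoof the address seen by IP matchers.`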
@@ -7937,6 +7992,37 @@ TEST_P(XdsEnabledServerTest, BadLdsUpdateBothApiListenerAndAddress) {
 ::testing::HasSubstr("Listener has both address and ApiListener"));
 }
+TEST_P(XdsEnabledServerTest, NacksNonZeroXffNumTrusterHops) {
+ Listener listener = default_server_listener_;
+ HttpConnectionManager http_connection_manager =
+ ServerHcmAccessor().Unpack(listener);
+ http_connection_manager.set_xff_num_trusted_hops(1);
+ ServerHcmAccessor().Pack(http_connection_manager, &listener);
+ SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
+ backends_[0]->port(),
+ default_server_route_config_);
+ backends_[0]->Start();
+ ASSERT_TRUE(WaitForLdsNack()) << "timed out waiting for NACK";
+ EXPECT_THAT(balancer_->ads_service()->lds_response_state().error_message,
+ ::testing::HasSubstr("'xff_num_trusted_hops' must be zero"));
+}
+
+TEST_P(XdsEnabledServerTest, NacksNonEmptyOriginalIpDetectionExtensions) {
+ Listener listener = default_server_listener_;
+ HttpConnectionManager http_connection_manager =
+ ServerHcmAccessor().Unpack(listener);
+ http_connection_manager.add_original_ip_detection_extensions();
+ ServerHcmAccessor().Pack(http_connection_manager, &listener);
+ SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
+ backends_[0]->port(),
+ default_server_route_config_);
+ backends_[0]->Start();
+ ASSERT_TRUE(WaitForLdsNack()) << "timed out waiting for NACK";
+ EXPECT_THAT(
+ balancer_->ads_service()->lds_response_state().error_message,
+ ::testing::HasSubstr("'original_ip_detection_extensions' must be empty"));
+}
+
 TEST_P(XdsEnabledServerTest, UnsupportedL4Filter) {
 Listener listener = default_server_listener_;
 listener.mutable_default_filter_chain()->clear_filters();
@@ -8204,10 +8290,12 @@ class XdsServerSecurityTest : public XdsEnd2endTest {
 return CreateCustomChannel(uri, InsecureChannelCredentials(), args);
 }
- void SendRpc(std::function()> channel_creator,
- std::vector expected_server_identity,
- std::vector expected_client_identity,
- bool test_expects_failure = false) {
+ void SendRpc(
+ std::function()> channel_creator,
+ std::vector expected_server_identity,
+ std::vector expected_client_identity,
+ bool test_expects_failure = false,
+ absl::optional expected_status = absl::nullopt) {
 gpr_log(GPR_INFO, "Sending RPC");
 int num_tries = 0;
 constexpr int kRetryCount = 100;
@@ -8226,6 +8314,13 @@ class XdsServerSecurityTest : public XdsEnd2endTest {
 gpr_log(GPR_ERROR, "RPC succeeded. Failure expected. Trying again.");
 continue;
 }
+ if (expected_status.has_value() &&
+ *expected_status != status.error_code()) {
+ gpr_log(GPR_ERROR,
+ "Expected status does not match Actual(%d) vs Expected(%d)",
+ status.error_code(), *expected_status);
+ continue;
+ }
 } else {
 if (!status.ok()) {
 gpr_log(GPR_ERROR, "RPC failed. code=%d message=%s Trying again.",
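Review bot: The new `expected_status` comparison sits inside the branch that handles `test_expects_failure` (the `} else {` that follows it takes the success path), so a caller that passes a status without also setting `test_expects_failure = true` appears to get no status verification at all; either document that coupling on the parameter or assert it, e.g. `GPR_ASSERT(!expected_status.has_value() || test_expects_failure);`. On a mismatch the loop only logs and `continue`s, which is reasonable while the backend may not yet have applied the latest xDS config, but it means a wrong code (say UNAVAILABLE where PERMISSION_DENIED is expected) surfaces only as a retry exhaustion after `kRetryCount` attempts rather than as a direct assertion, so a comment such as `// Retry on mismatch: the server may not have applied the latest xDS config yet.` would make the intent clear. SendRpc's body continues beyond both hunks.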
@@ -9662,6 +9757,945 @@ TEST_P(XdsServerRdsTest, MultipleRouteConfigurations) { SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}); } +// Tests RBAC configurations on the server with RDS testing and route config +// override permutations. +class XdsRbacTest : public XdsServerRdsTest { + protected: + void SetServerRbacPolicies(Listener listener, + const std::vector& rbac_policies) { + HttpConnectionManager http_connection_manager = + ServerHcmAccessor().Unpack(listener); + http_connection_manager.clear_http_filters(); + RouteConfiguration route_config = default_server_route_config_; + int count = 0; + for (auto& rbac : rbac_policies) { + auto* filter = http_connection_manager.add_http_filters(); + std::string filter_name = absl::StrFormat("rbac%d", ++count); + filter->set_name(filter_name); + switch (GetParam().filter_config_setup()) { + case TestType::FilterConfigSetup::kHTTPConnectionManagerOriginal: + filter->mutable_typed_config()->PackFrom(rbac); + break; + case TestType::FilterConfigSetup::kRouteOverride: + filter->mutable_typed_config()->PackFrom(RBAC()); + google::protobuf::Any filter_config; + RBACPerRoute rbac_per_route; + *rbac_per_route.mutable_rbac() = rbac; + filter_config.PackFrom(rbac_per_route); + auto* config_map = route_config.mutable_virtual_hosts(0) + ->mutable_routes(0) + ->mutable_typed_per_filter_config(); + (*config_map)[filter_name] = std::move(filter_config); + } + } + auto* filter = http_connection_manager.add_http_filters(); + filter->set_name("router"); + filter->mutable_typed_config()->PackFrom( + envoy::extensions::filters::http::router::v3::Router()); + ServerHcmAccessor().Pack(http_connection_manager, &listener); + SetServerListenerNameAndRouteConfiguration( + balancer_.get(), listener, backends_[0]->port(), route_config); + } + + void SetServerRbacPolicy(Listener listener, const RBAC& rbac) { + SetServerRbacPolicies(std::move(listener), {rbac}); + } + + void SetServerRbacPolicy(const RBAC& rbac) { + 
SetServerRbacPolicy(default_server_listener_, rbac); + } +}; + +TEST_P(XdsRbacTest, AbsentRbacPolicy) { + SetServerRbacPolicy(RBAC()); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + // An absent RBAC policy leads to all RPCs being accepted. + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}); +} + +TEST_P(XdsRbacTest, LogAction) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(envoy::config::rbac::v3::RBAC_Action_LOG); + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + // A Log action is identical to no rbac policy being configured. + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}); +} + +TEST_P(XdsRbacTest, NacksSchemePrincipalHeader) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(envoy::config::rbac::v3::RBAC_Action_ALLOW); + Policy policy; + auto* header = policy.add_principals()->mutable_header(); + header->set_name(":scheme"); + header->set_exact_match("http"); + policy.add_permissions()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + if (GetParam().enable_rds_testing() && + GetParam().filter_config_setup() == + TestType::FilterConfigSetup::kRouteOverride) { + ASSERT_TRUE(WaitForRdsNack()) << "timed out waiting for NACK"; + EXPECT_THAT(balancer_->ads_service()->rds_response_state().error_message, + ::testing::HasSubstr("':scheme' not allowed in header")); + } else { + ASSERT_TRUE(WaitForLdsNack()) << "timed out waiting for NACK"; + EXPECT_THAT(balancer_->ads_service()->lds_response_state().error_message, + ::testing::HasSubstr("':scheme' not allowed in header")); + } +} + +TEST_P(XdsRbacTest, 
NacksGrpcPrefixedPrincipalHeaders) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(envoy::config::rbac::v3::RBAC_Action_ALLOW); + Policy policy; + auto* header = policy.add_principals()->mutable_header(); + header->set_name("grpc-status"); + header->set_exact_match("0"); + policy.add_permissions()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + if (GetParam().enable_rds_testing() && + GetParam().filter_config_setup() == + TestType::FilterConfigSetup::kRouteOverride) { + ASSERT_TRUE(WaitForRdsNack()) << "timed out waiting for NACK"; + EXPECT_THAT(balancer_->ads_service()->rds_response_state().error_message, + ::testing::HasSubstr("'grpc-' prefixes not allowed in header")); + } else { + ASSERT_TRUE(WaitForLdsNack()) << "timed out waiting for NACK"; + EXPECT_THAT(balancer_->ads_service()->lds_response_state().error_message, + ::testing::HasSubstr("'grpc-' prefixes not allowed in header")); + } +} + +TEST_P(XdsRbacTest, NacksSchemePermissionHeader) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(envoy::config::rbac::v3::RBAC_Action_ALLOW); + Policy policy; + auto* header = policy.add_permissions()->mutable_header(); + header->set_name(":scheme"); + header->set_exact_match("http"); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + if (GetParam().enable_rds_testing() && + GetParam().filter_config_setup() == + TestType::FilterConfigSetup::kRouteOverride) { + ASSERT_TRUE(WaitForRdsNack()) << "timed out waiting for NACK"; + EXPECT_THAT(balancer_->ads_service()->rds_response_state().error_message, + ::testing::HasSubstr("':scheme' not allowed in header")); + } else { + ASSERT_TRUE(WaitForLdsNack()) << "timed out waiting for NACK"; + EXPECT_THAT(balancer_->ads_service()->lds_response_state().error_message, + ::testing::HasSubstr("':scheme' not allowed in 
header")); + } +} + +TEST_P(XdsRbacTest, NacksGrpcPrefixedPermissionHeaders) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(envoy::config::rbac::v3::RBAC_Action_ALLOW); + Policy policy; + auto* header = policy.add_permissions()->mutable_header(); + header->set_name("grpc-status"); + header->set_exact_match("0"); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + if (GetParam().enable_rds_testing() && + GetParam().filter_config_setup() == + TestType::FilterConfigSetup::kRouteOverride) { + ASSERT_TRUE(WaitForRdsNack()) << "timed out waiting for NACK"; + EXPECT_THAT(balancer_->ads_service()->rds_response_state().error_message, + ::testing::HasSubstr("'grpc-' prefixes not allowed in header")); + } else { + ASSERT_TRUE(WaitForLdsNack()) << "timed out waiting for NACK"; + EXPECT_THAT(balancer_->ads_service()->lds_response_state().error_message, + ::testing::HasSubstr("'grpc-' prefixes not allowed in header")); + } +} + +// Tests RBAC policies where a route override is always present. Action +// permutations are not added. 
+using XdsRbacTestWithRouteOverrideAlwaysPresent = XdsRbacTest; + +TEST_P(XdsRbacTestWithRouteOverrideAlwaysPresent, EmptyRBACPerRouteOverride) { + HttpConnectionManager http_connection_manager; + Listener listener = default_server_listener_; + RouteConfiguration route_config = default_server_route_config_; + auto* filter = http_connection_manager.add_http_filters(); + filter->set_name("rbac"); + // Create a top-level RBAC policy with a DENY action for all RPCs + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(RBAC_Action_DENY); + Policy policy; + policy.add_permissions()->set_any(true); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + filter->mutable_typed_config()->PackFrom(rbac); + // Override with an Empty RBACPerRoute policy which should result in RBAC + // being disabled and RPCs being allowed. + google::protobuf::Any filter_config; + filter_config.PackFrom(RBACPerRoute()); + auto* config_map = route_config.mutable_virtual_hosts(0) + ->mutable_routes(0) + ->mutable_typed_per_filter_config(); + (*config_map)["rbac"] = std::move(filter_config); + filter = http_connection_manager.add_http_filters(); + filter->set_name("router"); + filter->mutable_typed_config()->PackFrom( + envoy::extensions::filters::http::router::v3::Router()); + ServerHcmAccessor().Pack(http_connection_manager, &listener); + SetServerListenerNameAndRouteConfiguration( + balancer_.get(), listener, backends_[0]->port(), route_config); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? 
"[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}); +} + +// Test a non-empty top level RBAC with a non-empty RBACPerRouteOverride +TEST_P(XdsRbacTestWithRouteOverrideAlwaysPresent, + NonEmptyTopLevelRBACNonEmptyPerRouteOverride) { + HttpConnectionManager http_connection_manager; + Listener listener = default_server_listener_; + RouteConfiguration route_config = default_server_route_config_; + auto* filter = http_connection_manager.add_http_filters(); + filter->set_name("rbac"); + // Create a top-level RBAC policy with a DENY action for all RPCs + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(RBAC_Action_DENY); + Policy policy; + policy.add_permissions()->set_any(true); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + filter->mutable_typed_config()->PackFrom(rbac); + // Override with a non-empty RBACPerRoute policy which allows all RPCs. + google::protobuf::Any filter_config; + RBACPerRoute rbac_per_route; + rules = rbac_per_route.mutable_rbac()->mutable_rules(); + rules->set_action(RBAC_Action_ALLOW); + (*rules->mutable_policies())["policy"] = policy; + filter_config.PackFrom(RBACPerRoute()); + auto* config_map = route_config.mutable_virtual_hosts(0) + ->mutable_routes(0) + ->mutable_typed_per_filter_config(); + (*config_map)["rbac"] = std::move(filter_config); + filter = http_connection_manager.add_http_filters(); + filter->set_name("router"); + filter->mutable_typed_config()->PackFrom( + envoy::extensions::filters::http::router::v3::Router()); + ServerHcmAccessor().Pack(http_connection_manager, &listener); + SetServerListenerNameAndRouteConfiguration( + balancer_.get(), listener, backends_[0]->port(), route_config); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? 
"[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}); +} + +// Adds Action Permutations to XdsRbacTest +using XdsRbacTestWithActionPermutations = XdsRbacTest; + +TEST_P(XdsRbacTestWithActionPermutations, EmptyRbacPolicy) { + RBAC rbac; + rbac.mutable_rules()->set_action(GetParam().rbac_action()); + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + // An empty RBAC policy leads to all RPCs being rejected. + SendRpc( + [this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW, + grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + policy.add_permissions()->set_any(true); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? 
"[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, MultipleRbacPolicies) { + RBAC always_allow; + auto* rules = always_allow.mutable_rules(); + rules->set_action(RBAC_Action_ALLOW); + Policy policy; + policy.add_permissions()->set_any(true); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + RBAC rbac; + rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicies(default_server_listener_, + {always_allow, rbac, always_allow}); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, MethodPostPermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + auto* header = policy.add_permissions()->mutable_header(); + header->set_name(":method"); + header->set_exact_match("POST"); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? 
"[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + // All RPCs use POST method by default + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + grpc::PERMISSION_DENIED); + // Test an RPC with a different method type + auto stub = grpc::testing::EchoTestService::NewStub(CreateInsecureChannel()); + ClientContext context; + context.set_wait_for_ready(true); + context.set_deadline(grpc_timeout_milliseconds_to_deadline(2000)); + context.set_cacheable(true); + EchoRequest request; + request.set_message(kRequestMessage); + EchoResponse response; + Status status = stub->Echo(&context, request, &response); + EXPECT_EQ(status.error_code(), GetParam().rbac_action() == RBAC_Action_DENY + ? grpc::OK + : grpc::PERMISSION_DENIED) + << status.error_code() << ", " << status.error_message() << ", " + << status.error_details() << ", " << context.debug_error_string(); +} + +TEST_P(XdsRbacTestWithActionPermutations, MethodGetPermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + auto* header = policy.add_permissions()->mutable_header(); + header->set_name(":method"); + header->set_exact_match("GET"); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? 
"[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + // Send a cacheable RPC so that GET method is used + auto stub = grpc::testing::EchoTestService::NewStub(CreateInsecureChannel()); + ClientContext context; + context.set_wait_for_ready(true); + context.set_deadline(grpc_timeout_milliseconds_to_deadline(2000)); + context.set_cacheable(true); + EchoRequest request; + request.set_message(kRequestMessage); + EchoResponse response; + Status status = stub->Echo(&context, request, &response); + EXPECT_EQ(status.error_code(), GetParam().rbac_action() == RBAC_Action_ALLOW + ? grpc::OK + : grpc::PERMISSION_DENIED) + << status.error_code() << ", " << status.error_message() << ", " + << status.error_details() << ", " << context.debug_error_string(); + // Test an RPC with a different method type + SendRpc( + [this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW, + grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, MethodPutPermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + auto* header = policy.add_permissions()->mutable_header(); + header->set_name(":method"); + header->set_exact_match("PUT"); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? 
"[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + // Send an idempotent RPC so that PUT method is used + auto stub = grpc::testing::EchoTestService::NewStub(CreateInsecureChannel()); + ClientContext context; + context.set_wait_for_ready(true); + context.set_deadline(grpc_timeout_milliseconds_to_deadline(2000)); + context.set_idempotent(true); + EchoRequest request; + request.set_message(kRequestMessage); + EchoResponse response; + Status status = stub->Echo(&context, request, &response); + EXPECT_EQ(status.error_code(), GetParam().rbac_action() == RBAC_Action_ALLOW + ? grpc::OK + : grpc::PERMISSION_DENIED) + << status.error_code() << ", " << status.error_message() << ", " + << status.error_details() << ", " << context.debug_error_string(); + // Test an RPC with a different method type + SendRpc( + [this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW, + grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, UrlPathPermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + policy.add_permissions()->mutable_url_path()->mutable_path()->set_exact( + "/grpc.testing.EchoTestService/Echo"); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? 
"[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + grpc::PERMISSION_DENIED); + // Test an RPC with a different URL path + auto stub = grpc::testing::EchoTestService::NewStub(CreateInsecureChannel()); + ClientContext context; + context.set_wait_for_ready(true); + context.set_deadline(grpc_timeout_milliseconds_to_deadline(2000)); + EchoRequest request; + request.set_message(kRequestMessage); + EchoResponse response; + Status status = stub->Echo1(&context, request, &response); + EXPECT_TRUE(GetParam().rbac_action() == RBAC_Action_DENY ? status.ok() + : !status.ok()) + << status.error_code() << ", " << status.error_message() << ", " + << status.error_details() << ", " << context.debug_error_string(); +} + +TEST_P(XdsRbacTestWithActionPermutations, DestinationIpPermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + auto* range = policy.add_permissions()->mutable_destination_ip(); + range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1"); + range->mutable_prefix_len()->set_value(ipv6_only_ ? 64 : 32); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + grpc::PERMISSION_DENIED); + // Change the policy itself for a negative test where there is no match. + policy.clear_permissions(); + range = policy.add_permissions()->mutable_destination_ip(); + range->set_address_prefix(ipv6_only_ ? 
"::2" : "127.0.0.2"); + range->mutable_prefix_len()->set_value(ipv6_only_ ? 64 : 32); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + SendRpc( + [this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW, + grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, + DestinationPortPermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + policy.add_permissions()->set_destination_port(backends_[0]->port()); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + grpc::PERMISSION_DENIED); + // Change the policy itself for a negative test where there is no match. 
+ policy.clear_permissions(); + policy.add_permissions()->set_destination_port(1); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + SendRpc( + [this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW, + grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, ReqServerNamePermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + policy.add_permissions()->mutable_requested_server_name()->set_exact(""); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + policy.add_permissions()->mutable_requested_server_name()->set_exact( + "server_name"); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc( + [this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW, + grpc::PERMISSION_DENIED); + // TODO(yashykt): Uncomment once requested_server_name is properly supported + // by the RBAC engine + // policy.clear_permissions(); + // policy.add_permissions()->mutable_requested_server_name()->set_exact(""); + // (*rules->mutable_policies())["policy"] = policy; + // SetServerRbacPolicy(rbac); backends_[0]->Start(); + // SendRpc( + // [this]() { return CreateInsecureChannel(); }, {}, {}, + // /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + // grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, NotRulePermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + policy.add_permissions() + ->mutable_not_rule() + 
->mutable_requested_server_name() + ->set_exact("server_name"); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + grpc::PERMISSION_DENIED); + // Change the policy itself for a negative test where there is no match. + policy.clear_permissions(); + policy.add_permissions()->mutable_not_rule()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + SendRpc( + [this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW, + grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, AndRulePermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + auto* and_rules = policy.add_permissions()->mutable_and_rules(); + and_rules->add_rules()->set_any(true); + and_rules->add_rules()->set_destination_port(backends_[0]->port()); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + grpc::PERMISSION_DENIED); + // Change the policy itself for a negative test where there is no match. 
+ and_rules = (*policy.mutable_permissions())[0].mutable_and_rules(); + (*and_rules->mutable_rules())[1].set_destination_port(1); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + SendRpc( + [this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW, + grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, OrRulePermissionAnyPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + auto* or_rules = policy.add_permissions()->mutable_or_rules(); + or_rules->add_rules()->mutable_not_rule()->set_any(true); + or_rules->add_rules()->set_destination_port(backends_[0]->port()); + policy.add_principals()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + grpc::PERMISSION_DENIED); + // Change the policy itself for a negative test where there is no match. 
+ or_rules = (*policy.mutable_permissions())[0].mutable_or_rules(); + (*or_rules->mutable_rules())[1].set_destination_port(1); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + SendRpc( + [this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW, + grpc::PERMISSION_DENIED); +} + +TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionMethodPostPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + auto* header = policy.add_principals()->mutable_header(); + header->set_name(":method"); + header->set_exact_match("POST"); + policy.add_permissions()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + // All RPCs use POST method by default + SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}, + /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY, + grpc::PERMISSION_DENIED); + // Test an RPC with a different method type + auto stub = grpc::testing::EchoTestService::NewStub(CreateInsecureChannel()); + ClientContext context; + context.set_wait_for_ready(true); + context.set_deadline(grpc_timeout_milliseconds_to_deadline(2000)); + context.set_cacheable(true); + EchoRequest request; + request.set_message(kRequestMessage); + EchoResponse response; + Status status = stub->Echo(&context, request, &response); + EXPECT_EQ(status.error_code(), GetParam().rbac_action() == RBAC_Action_DENY + ? 
grpc::OK + : grpc::PERMISSION_DENIED) + << status.error_code() << ", " << status.error_message() << ", " + << status.error_details() << ", " << context.debug_error_string(); +} + +TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionMethodGetPrincipal) { + RBAC rbac; + auto* rules = rbac.mutable_rules(); + rules->set_action(GetParam().rbac_action()); + Policy policy; + auto* header = policy.add_principals()->mutable_header(); + header->set_name(":method"); + header->set_exact_match("GET"); + policy.add_permissions()->set_any(true); + (*rules->mutable_policies())["policy"] = policy; + SetServerRbacPolicy(rbac); + backends_[0]->Start(); + backends_[0]->notifier()->WaitOnServingStatusChange( + absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()), + grpc::StatusCode::OK); + // Send a cacheable RPC so that GET method is used + auto stub = grpc::testing::EchoTestService::NewStub(CreateInsecureChannel()); + ClientContext context; + context.set_wait_for_ready(true); + context.set_deadline(grpc_timeout_milliseconds_to_deadline(2000)); + context.set_cacheable(true); + EchoRequest request; + request.set_message(kRequestMessage); + EchoResponse response; + Status status = stub->Echo(&context, request, &response); + EXPECT_TRUE(GetParam().rbac_action() == RBAC_Action_ALLOW ? 
status.ok()
+ : !status.ok())
+ << status.error_code() << ", " << status.error_message() << ", "
+ << status.error_details() << ", " << context.debug_error_string();
+ // Test an RPC with a different method type
+ SendRpc(
+ [this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW,
+ grpc::PERMISSION_DENIED);
+}
+
+TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionMethodPutPrincipal) {
+ RBAC rbac;
+ auto* rules = rbac.mutable_rules();
+ rules->set_action(GetParam().rbac_action());
+ Policy policy;
+ auto* header = policy.add_principals()->mutable_header();
+ header->set_name(":method");
+ header->set_exact_match("PUT");
+ policy.add_permissions()->set_any(true);
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(rbac);
+ backends_[0]->Start();
+ backends_[0]->notifier()->WaitOnServingStatusChange(
+ absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+ grpc::StatusCode::OK);
+ // Send an idempotent RPC so that PUT method is used
+ auto stub = grpc::testing::EchoTestService::NewStub(CreateInsecureChannel());
+ ClientContext context;
+ context.set_wait_for_ready(true);
+ context.set_deadline(grpc_timeout_milliseconds_to_deadline(2000));
+ context.set_idempotent(true);
+ EchoRequest request;
+ request.set_message(kRequestMessage);
+ EchoResponse response;
+ Status status = stub->Echo(&context, request, &response);
+ EXPECT_TRUE(GetParam().rbac_action() == RBAC_Action_ALLOW ? status.ok()
+ : !status.ok())
+ << status.error_code() << ", " << status.error_message() << ", "
+ << status.error_details() << ", " << context.debug_error_string();
+ // Test an RPC with a different method type
+ SendRpc(
+ [this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW,
+ grpc::PERMISSION_DENIED);
+}
+
+TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionUrlPathPrincipal) {
+ RBAC rbac;
+ auto* rules = rbac.mutable_rules();
+ rules->set_action(GetParam().rbac_action());
+ Policy policy;
+ policy.add_principals()->mutable_url_path()->mutable_path()->set_exact(
+ "/grpc.testing.EchoTestService/Echo");
+ policy.add_permissions()->set_any(true);
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(rbac);
+ backends_[0]->Start();
+ backends_[0]->notifier()->WaitOnServingStatusChange(
+ absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+ grpc::StatusCode::OK);
+ SendRpc([this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY,
+ grpc::PERMISSION_DENIED);
+ // Test an RPC with a different URL path
+ auto stub = grpc::testing::EchoTestService::NewStub(CreateInsecureChannel());
+ ClientContext context;
+ context.set_wait_for_ready(true);
+ context.set_deadline(grpc_timeout_milliseconds_to_deadline(2000));
+ EchoRequest request;
+ request.set_message(kRequestMessage);
+ EchoResponse response;
+ Status status = stub->Echo1(&context, request, &response);
+ EXPECT_TRUE(GetParam().rbac_action() == RBAC_Action_DENY ? status.ok()
+ : !status.ok())
+ << status.error_code() << ", " << status.error_message() << ", "
+ << status.error_details() << ", " << context.debug_error_string();
+}
+
+TEST_P(XdsRbacTestWithActionPermutations,
+ AnyPermissionDirectRemoteIpPrincipal) {
+ RBAC rbac;
+ auto* rules = rbac.mutable_rules();
+ rules->set_action(GetParam().rbac_action());
+ Policy policy;
+ auto* range = policy.add_principals()->mutable_direct_remote_ip();
+ range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
+ range->mutable_prefix_len()->set_value(ipv6_only_ ? 64 : 32);
+ policy.add_permissions()->set_any(true);
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(rbac);
+ backends_[0]->Start();
+ backends_[0]->notifier()->WaitOnServingStatusChange(
+ absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+ grpc::StatusCode::OK);
+ SendRpc([this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY,
+ grpc::PERMISSION_DENIED);
+ // Change the policy itself for a negative test where there is no match.
+ policy.clear_principals();
+ range = policy.add_principals()->mutable_direct_remote_ip();
+ range->set_address_prefix(ipv6_only_ ? "::2" : "127.0.0.2");
+ range->mutable_prefix_len()->set_value(ipv6_only_ ? 64 : 32);
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(rbac);
+ SendRpc(
+ [this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW,
+ grpc::PERMISSION_DENIED);
+}
+
+TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionAuthenticatedPrincipal) {
+ FakeCertificateProvider::CertDataMap fake1_cert_map = {
+ {"", {root_cert_, identity_pair_}}};
+ g_fake1_cert_data_map = &fake1_cert_map;
+ Listener listener = default_server_listener_;
+ auto* filter_chain = listener.mutable_default_filter_chain();
+ auto* transport_socket = filter_chain->mutable_transport_socket();
+ transport_socket->set_name("envoy.transport_sockets.tls");
+ DownstreamTlsContext downstream_tls_context;
+ downstream_tls_context.mutable_common_tls_context()
+ ->mutable_tls_certificate_provider_instance()
+ ->set_instance_name("fake_plugin1");
+ downstream_tls_context.mutable_common_tls_context()
+ ->mutable_validation_context()
+ ->mutable_ca_certificate_provider_instance()
+ ->set_instance_name("fake_plugin1");
+ downstream_tls_context.mutable_require_client_certificate()->set_value(true);
+ transport_socket->mutable_typed_config()->PackFrom(downstream_tls_context);
+ RBAC rbac;
+ auto* rules = rbac.mutable_rules();
+ rules->set_action(GetParam().rbac_action());
+ Policy policy;
+ policy.add_principals()
+ ->mutable_authenticated()
+ ->mutable_principal_name()
+ ->set_exact("*.test.google.fr");
+ policy.add_permissions()->set_any(true);
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(listener, rbac);
+ backends_[0]->Start();
+ backends_[0]->notifier()->WaitOnServingStatusChange(
+ absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+ grpc::StatusCode::OK);
+ SendRpc([this]() { return CreateMtlsChannel(); },
+ server_authenticated_identity_, client_authenticated_identity_,
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY,
+ grpc::PERMISSION_DENIED);
+}
+
+TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionNotIdPrincipal) {
+ RBAC rbac;
+ auto* rules = rbac.mutable_rules();
+ rules->set_action(GetParam().rbac_action());
+ Policy policy;
+ policy.add_principals()
+ ->mutable_not_id()
+ ->mutable_url_path()
+ ->mutable_path()
+ ->set_exact("/grpc.testing.EchoTestService/Echo1");
+ policy.add_permissions()->set_any(true);
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(rbac);
+ backends_[0]->Start();
+ backends_[0]->notifier()->WaitOnServingStatusChange(
+ absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+ grpc::StatusCode::OK);
+ SendRpc([this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY,
+ grpc::PERMISSION_DENIED);
+ // Change the policy itself for a negative test where there is no match.
+ policy.clear_principals();
+ policy.add_principals()->mutable_not_id()->set_any(true);
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(rbac);
+ SendRpc(
+ [this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW,
+ grpc::PERMISSION_DENIED);
+}
+
+TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionAndIdPrincipal) {
+ RBAC rbac;
+ auto* rules = rbac.mutable_rules();
+ rules->set_action(GetParam().rbac_action());
+ Policy policy;
+ auto* and_ids = policy.add_principals()->mutable_and_ids();
+ and_ids->add_ids()->set_any(true);
+ and_ids->add_ids()->mutable_url_path()->mutable_path()->set_exact(
+ "/grpc.testing.EchoTestService/Echo");
+ policy.add_permissions()->set_any(true);
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(rbac);
+ backends_[0]->Start();
+ backends_[0]->notifier()->WaitOnServingStatusChange(
+ absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+ grpc::StatusCode::OK);
+ SendRpc([this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY,
+ grpc::PERMISSION_DENIED);
+ // Change the policy itself for a negative test where there is no match.
+ and_ids = (*policy.mutable_principals())[0].mutable_and_ids();
+ (*and_ids->mutable_ids())[1].mutable_url_path()->mutable_path()->set_exact(
+ "/grpc.testing.EchoTestService/Echo1");
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(rbac);
+ SendRpc(
+ [this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW,
+ grpc::PERMISSION_DENIED);
+}
+
+TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionOrIdPrincipal) {
+ RBAC rbac;
+ auto* rules = rbac.mutable_rules();
+ rules->set_action(GetParam().rbac_action());
+ Policy policy;
+ auto* or_ids = policy.add_principals()->mutable_or_ids();
+ or_ids->add_ids()->mutable_not_id()->set_any(true);
+ or_ids->add_ids()->mutable_url_path()->mutable_path()->set_exact(
+ "/grpc.testing.EchoTestService/Echo");
+ policy.add_permissions()->set_any(true);
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(rbac);
+ backends_[0]->Start();
+ backends_[0]->notifier()->WaitOnServingStatusChange(
+ absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+ grpc::StatusCode::OK);
+ SendRpc([this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY,
+ grpc::PERMISSION_DENIED);
+ // Change the policy itself for a negative test where there is no match.
+ or_ids = (*policy.mutable_principals())[0].mutable_or_ids();
+ (*or_ids->mutable_ids())[1].mutable_url_path()->mutable_path()->set_exact(
+ "/grpc.testing.EchoTestService/Echo1");
+ (*rules->mutable_policies())["policy"] = policy;
+ SetServerRbacPolicy(rbac);
+ SendRpc(
+ [this]() { return CreateInsecureChannel(); }, {}, {},
+ /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW,
+ grpc::PERMISSION_DENIED);
+}
+
 using EdsTest = BasicTest;
 // Tests that EDS client should send a NACK if the EDS update contains
@@ -12173,6 +13207,105 @@ INSTANTIATE_TEST_SUITE_P(XdsTest, XdsServerRdsTest,
 .set_enable_rds_testing()),
 &TestTypeName);
+// We are only testing the server here.
+// Run with bootstrap from env var, so that we use a global XdsClient
+// instance. Otherwise, we would need to use a separate fake resolver
+// result generator on the client and server sides.
+INSTANTIATE_TEST_SUITE_P(
+ XdsTest, XdsRbacTest,
+ ::testing::Values(
+ TestType().set_use_xds_credentials().set_bootstrap_source(
+ TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_enable_rds_testing()
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_filter_config_setup(
+ TestType::FilterConfigSetup::kRouteOverride)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_enable_rds_testing()
+ .set_filter_config_setup(
+ TestType::FilterConfigSetup::kRouteOverride)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar)),
+ &TestTypeName);
+
+// We are only testing the server here.
+// Run with bootstrap from env var, so that we use a global XdsClient
+// instance. Otherwise, we would need to use a separate fake resolver
+// result generator on the client and server sides.
+INSTANTIATE_TEST_SUITE_P(
+ XdsTest, XdsRbacTestWithRouteOverrideAlwaysPresent,
+ ::testing::Values(
+ TestType()
+ .set_use_xds_credentials()
+ .set_filter_config_setup(
+ TestType::FilterConfigSetup::kRouteOverride)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_enable_rds_testing()
+ .set_filter_config_setup(
+ TestType::FilterConfigSetup::kRouteOverride)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar)),
+ &TestTypeName);
+
+// We are only testing the server here.
+// Run with bootstrap from env var, so that we use a global XdsClient
+// instance. Otherwise, we would need to use a separate fake resolver
+// result generator on the client and server sides.
+INSTANTIATE_TEST_SUITE_P(
+ XdsTest, XdsRbacTestWithActionPermutations,
+ ::testing::Values(
+ TestType()
+ .set_use_xds_credentials()
+ .set_rbac_action(RBAC_Action_ALLOW)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_rbac_action(RBAC_Action_DENY)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_enable_rds_testing()
+ .set_rbac_action(RBAC_Action_ALLOW)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_enable_rds_testing()
+ .set_rbac_action(RBAC_Action_DENY)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_filter_config_setup(
+ TestType::FilterConfigSetup::kRouteOverride)
+ .set_rbac_action(RBAC_Action_ALLOW)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_filter_config_setup(
+ TestType::FilterConfigSetup::kRouteOverride)
+ .set_rbac_action(RBAC_Action_DENY)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_enable_rds_testing()
+ .set_filter_config_setup(
+ TestType::FilterConfigSetup::kRouteOverride)
+ .set_rbac_action(RBAC_Action_ALLOW)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar),
+ TestType()
+ .set_use_xds_credentials()
+ .set_enable_rds_testing()
+ .set_filter_config_setup(
+ TestType::FilterConfigSetup::kRouteOverride)
+ .set_rbac_action(RBAC_Action_DENY)
+ .set_bootstrap_source(TestType::kBootstrapFromEnvVar)),
+ &TestTypeName);
+
 // EDS could be tested with or without XdsResolver, but the tests would
 // be the same either way, so we test it only with XdsResolver.
 INSTANTIATE_TEST_SUITE_P(
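Review bot: The four-line comment beginning `// We are only testing the server here.` is pasted verbatim above each of the three new INSTANTIATE_TEST_SUITE_P calls; one copy above the group, e.g. `// The RBAC suites below exercise only the server side. They run with bootstrap from env var so a single global XdsClient is shared; otherwise a separate fake resolver result generator would be needed on the client and server sides.`, says it once. The eight TestType values for XdsRbacTestWithActionPermutations are the four XdsRbacTest configurations written out twice, once with `.set_rbac_action(RBAC_Action_ALLOW)` and once with `.set_rbac_action(RBAC_Action_DENY)`, with nothing stating that pairing; a comment such as `// Every XdsRbacTest configuration, once per RBAC action, so each matcher is checked in both the allow and the deny direction.` would make the intent explicit and help keep the two lists in sync when a further dimension is added.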
diff --git a/tools/codegen/core/gen_upb_api.sh b/tools/codegen/core/gen_upb_api.sh
index 9e0eacc1af6..1d0c2ef1274 100755
--- a/tools/codegen/core/gen_upb_api.sh
+++ b/tools/codegen/core/gen_upb_api.sh
@@ -86,6 +86,7 @@ proto_files=( \
 "envoy/extensions/clusters/aggregate/v3/cluster.proto" \
 "envoy/extensions/filters/common/fault/v3/fault.proto" \
 "envoy/extensions/filters/http/fault/v3/fault.proto" \
+ "envoy/extensions/filters/http/rbac/v3/rbac.proto" \
 "envoy/extensions/filters/http/router/v3/router.proto" \
 "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto" \
 "envoy/extensions/transport_sockets/tls/v3/cert.proto" \
diff --git a/tools/doxygen/Doxyfile.c++.internal b/tools/doxygen/Doxyfile.c++.internal
index 2f156d5c3bd..fdb68061cca 100644
--- a/tools/doxygen/Doxyfile.c++.internal
+++ b/tools/doxygen/Doxyfile.c++.internal
@@ -1182,6 +1182,10 @@ src/core/ext/filters/max_age/max_age_filter.cc \
 src/core/ext/filters/max_age/max_age_filter.h \
 src/core/ext/filters/message_size/message_size_filter.cc \
 src/core/ext/filters/message_size/message_size_filter.h \
+src/core/ext/filters/rbac/rbac_filter.cc \
+src/core/ext/filters/rbac/rbac_filter.h \
+src/core/ext/filters/rbac/rbac_service_config_parser.cc \
+src/core/ext/filters/rbac/rbac_service_config_parser.h \
 src/core/ext/filters/server_config_selector/server_config_selector.cc \
 src/core/ext/filters/server_config_selector/server_config_selector.h \
 src/core/ext/filters/server_config_selector/server_config_selector_filter.cc \
@@ -1377,6 +1381,8 @@ src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h \ src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c \ src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h \ +src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c \ +src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h \ src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c \ src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h \ src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c \ @@ -1577,6 +1583,8 @@ src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h \ +src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c \ +src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c \ 
@@ -1591,6 +1599,8 @@ src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.up src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h \ +src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c \ +src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c \ 
@@ -1653,6 +1663,16 @@ src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.h \ src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c \ src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.h \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h \ src/core/ext/upbdefs-generated/google/api/http.upbdefs.c \ src/core/ext/upbdefs-generated/google/api/http.upbdefs.h \ src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c \ @@ -1730,6 +1750,8 @@ src/core/ext/xds/xds_http_fault_filter.cc \ src/core/ext/xds/xds_http_fault_filter.h \ src/core/ext/xds/xds_http_filters.cc \ src/core/ext/xds/xds_http_filters.h \ +src/core/ext/xds/xds_http_rbac_filter.cc \ +src/core/ext/xds/xds_http_rbac_filter.h \ src/core/ext/xds/xds_listener.cc \ src/core/ext/xds/xds_listener.h \ src/core/ext/xds/xds_resource_type.cc \ 
@@ -2092,6 +2114,12 @@ src/core/lib/security/authorization/authorization_policy_provider.h \ src/core/lib/security/authorization/authorization_policy_provider_vtable.cc \ src/core/lib/security/authorization/evaluate_args.cc \ src/core/lib/security/authorization/evaluate_args.h \ +src/core/lib/security/authorization/grpc_authorization_engine.cc \ +src/core/lib/security/authorization/grpc_authorization_engine.h \ +src/core/lib/security/authorization/matchers.cc \ +src/core/lib/security/authorization/matchers.h \ +src/core/lib/security/authorization/rbac_policy.cc \ +src/core/lib/security/authorization/rbac_policy.h \ src/core/lib/security/authorization/sdk_server_authz_filter.cc \ src/core/lib/security/authorization/sdk_server_authz_filter.h \ src/core/lib/security/context/security_context.cc \ diff --git a/tools/doxygen/Doxyfile.core.internal b/tools/doxygen/Doxyfile.core.internal index 6b47fe4e0ee..6d3408142c7 100644 --- a/tools/doxygen/Doxyfile.core.internal +++ b/tools/doxygen/Doxyfile.core.internal @@ -1006,6 +1006,10 @@ src/core/ext/filters/max_age/max_age_filter.cc \ src/core/ext/filters/max_age/max_age_filter.h \ src/core/ext/filters/message_size/message_size_filter.cc \ src/core/ext/filters/message_size/message_size_filter.h \ +src/core/ext/filters/rbac/rbac_filter.cc \ +src/core/ext/filters/rbac/rbac_filter.h \ +src/core/ext/filters/rbac/rbac_service_config_parser.cc \ +src/core/ext/filters/rbac/rbac_service_config_parser.h \ src/core/ext/filters/server_config_selector/server_config_selector.cc \ src/core/ext/filters/server_config_selector/server_config_selector.h \ src/core/ext/filters/server_config_selector/server_config_selector_filter.cc \ 
@@ -1171,6 +1175,8 @@ src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.c src/core/ext/upb-generated/envoy/extensions/filters/common/fault/v3/fault.upb.h \ src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.c \ src/core/ext/upb-generated/envoy/extensions/filters/http/fault/v3/fault.upb.h \ +src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.c \ +src/core/ext/upb-generated/envoy/extensions/filters/http/rbac/v3/rbac.upb.h \ src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.c \ src/core/ext/upb-generated/envoy/extensions/filters/http/router/v3/router.upb.h \ src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c \ @@ -1371,6 +1377,8 @@ src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/metrics/v3/stats.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/overload/v3/overload.upbdefs.h \ +src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c \ +src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/config/route/v3/route.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c \ 
@@ -1385,6 +1393,8 @@ src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.up src/core/ext/upbdefs-generated/envoy/extensions/filters/common/fault/v3/fault.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/fault/v3/fault.upbdefs.h \ +src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.c \ +src/core/ext/upbdefs-generated/envoy/extensions/filters/http/rbac/v3/rbac.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/extensions/filters/http/router/v3/router.upbdefs.h \ src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c \ 
@@ -1447,6 +1457,16 @@ src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.c \ src/core/ext/upbdefs-generated/envoy/type/v3/semantic_version.upbdefs.h \ src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.c \ src/core/ext/upbdefs-generated/google/api/annotations.upbdefs.h \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.c \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/checked.upbdefs.h \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.c \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/eval.upbdefs.h \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.c \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/explain.upbdefs.h \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.c \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/syntax.upbdefs.h \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.c \ +src/core/ext/upbdefs-generated/google/api/expr/v1alpha1/value.upbdefs.h \ src/core/ext/upbdefs-generated/google/api/http.upbdefs.c \ src/core/ext/upbdefs-generated/google/api/http.upbdefs.h \ src/core/ext/upbdefs-generated/google/protobuf/any.upbdefs.c \ @@ -1524,6 +1544,8 @@ src/core/ext/xds/xds_http_fault_filter.cc \ src/core/ext/xds/xds_http_fault_filter.h \ src/core/ext/xds/xds_http_filters.cc \ src/core/ext/xds/xds_http_filters.h \ +src/core/ext/xds/xds_http_rbac_filter.cc \ +src/core/ext/xds/xds_http_rbac_filter.h \ src/core/ext/xds/xds_listener.cc \ src/core/ext/xds/xds_listener.h \ src/core/ext/xds/xds_resource_type.cc \ 
@@ -1891,6 +1913,12 @@ src/core/lib/security/authorization/authorization_policy_provider.h \ src/core/lib/security/authorization/authorization_policy_provider_vtable.cc \ src/core/lib/security/authorization/evaluate_args.cc \ src/core/lib/security/authorization/evaluate_args.h \ +src/core/lib/security/authorization/grpc_authorization_engine.cc \ +src/core/lib/security/authorization/grpc_authorization_engine.h \ +src/core/lib/security/authorization/matchers.cc \ +src/core/lib/security/authorization/matchers.h \ +src/core/lib/security/authorization/rbac_policy.cc \ +src/core/lib/security/authorization/rbac_policy.h \ src/core/lib/security/authorization/sdk_server_authz_filter.cc \ src/core/lib/security/authorization/sdk_server_authz_filter.h \ src/core/lib/security/context/security_context.cc \ diff --git a/tools/run_tests/generated/tests.json b/tools/run_tests/generated/tests.json index 3e8c641d75d..bad061776af 100644 --- a/tools/run_tests/generated/tests.json +++ b/tools/run_tests/generated/tests.json @@ -5863,6 +5863,30 @@ ], "uses_polling": true }, + { + "args": [], + "benchmark": false, + "ci_platforms": [ + "linux", + "mac", + "posix", + "windows" + ], + "cpu_cost": 1.0, + "exclude_configs": [], + "exclude_iomgrs": [], + "flaky": false, + "gtest": true, + "language": "c++", + "name": "rbac_service_config_parser_test", + "platforms": [ + "linux", + "mac", + "posix", + "windows" + ], + "uses_polling": false + }, { "args": [], "benchmark": false,