From 1602a02a82fa27291af48875c5ef1871cafa3040 Mon Sep 17 00:00:00 2001
From: Ashitha Santhosh
Date: Sun, 10 Jan 2021 20:40:50 -0800
Subject: [PATCH] Add gRPC SDK Authorization Policy proto.
---
 .../src/proto/grpc/auth/v1/authz_policy.upb.c | 85 ++++++
 .../src/proto/grpc/auth/v1/authz_policy.upb.h | 276 ++++++++++++++++++
 .../proto/grpc/auth/v1/authz_policy.upbdefs.c | 58 ++++
 .../proto/grpc/auth/v1/authz_policy.upbdefs.h | 55 ++++
 src/proto/grpc/auth/v1/BUILD | 25 ++
 src/proto/grpc/auth/v1/authz_policy.proto | 122 ++++++++
 tools/codegen/core/gen_upb_api.sh | 1 +
 7 files changed, 622 insertions(+)
 create mode 100644 src/core/ext/upb-generated/src/proto/grpc/auth/v1/authz_policy.upb.c
 create mode 100644 src/core/ext/upb-generated/src/proto/grpc/auth/v1/authz_policy.upb.h
 create mode 100644 src/core/ext/upbdefs-generated/src/proto/grpc/auth/v1/authz_policy.upbdefs.c
 create mode 100644 src/core/ext/upbdefs-generated/src/proto/grpc/auth/v1/authz_policy.upbdefs.h
 create mode 100644 src/proto/grpc/auth/v1/BUILD
 create mode 100644 src/proto/grpc/auth/v1/authz_policy.proto
diff --git a/src/core/ext/upb-generated/src/proto/grpc/auth/v1/authz_policy.upb.c b/src/core/ext/upb-generated/src/proto/grpc/auth/v1/authz_policy.upb.c
new file mode 100644
index 00000000000..62947d66238
--- /dev/null
+++ b/src/core/ext/upb-generated/src/proto/grpc/auth/v1/authz_policy.upb.c
@@ -0,0 +1,85 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * src/proto/grpc/auth/v1/authz_policy.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#include +#include "upb/msg.h" +#include "src/proto/grpc/auth/v1/authz_policy.upb.h" + +#include "upb/port_def.inc" + +static const upb_msglayout_field grpc_auth_v1_Peer__fields[1] = { + {1, UPB_SIZE(0, 0), 0, 0, 9, 3}, +}; + +const upb_msglayout grpc_auth_v1_Peer_msginit = { + NULL, + &grpc_auth_v1_Peer__fields[0], + UPB_SIZE(8, 8), 1, false, 255, +}; + +static const upb_msglayout_field grpc_auth_v1_Header__fields[2] = { + {1, UPB_SIZE(0, 0), 0, 0, 9, 1}, + {2, UPB_SIZE(8, 16), 0, 0, 9, 3}, +}; + +const upb_msglayout grpc_auth_v1_Header_msginit = { + NULL, + &grpc_auth_v1_Header__fields[0], + UPB_SIZE(16, 32), 2, false, 255, +}; + +static const upb_msglayout *const grpc_auth_v1_Request_submsgs[1] = { + &grpc_auth_v1_Header_msginit, +}; + +static const upb_msglayout_field grpc_auth_v1_Request__fields[2] = { + {1, UPB_SIZE(0, 0), 0, 0, 9, 3}, + {3, UPB_SIZE(4, 8), 0, 0, 11, 3}, +}; + +const upb_msglayout grpc_auth_v1_Request_msginit = { + &grpc_auth_v1_Request_submsgs[0], + &grpc_auth_v1_Request__fields[0], + UPB_SIZE(8, 16), 2, false, 255, +}; + +static const upb_msglayout *const grpc_auth_v1_Rule_submsgs[2] = { + &grpc_auth_v1_Peer_msginit, + &grpc_auth_v1_Request_msginit, +}; + +static const upb_msglayout_field grpc_auth_v1_Rule__fields[3] = { + {1, UPB_SIZE(4, 8), 0, 0, 9, 1}, + {2, UPB_SIZE(12, 24), 1, 0, 11, 1}, + {3, UPB_SIZE(16, 32), 2, 1, 11, 1}, +}; + +const upb_msglayout grpc_auth_v1_Rule_msginit = { + &grpc_auth_v1_Rule_submsgs[0], + &grpc_auth_v1_Rule__fields[0], + UPB_SIZE(24, 48), 3, false, 255, +}; + +static const upb_msglayout *const grpc_auth_v1_AuthorizationPolicy_submsgs[1] = { + &grpc_auth_v1_Rule_msginit, +}; + +static const upb_msglayout_field grpc_auth_v1_AuthorizationPolicy__fields[3] = { + {1, 
UPB_SIZE(0, 0), 0, 0, 9, 1}, + {2, UPB_SIZE(8, 16), 0, 0, 11, 3}, + {3, UPB_SIZE(12, 24), 0, 0, 11, 3}, +}; + +const upb_msglayout grpc_auth_v1_AuthorizationPolicy_msginit = { + &grpc_auth_v1_AuthorizationPolicy_submsgs[0], + &grpc_auth_v1_AuthorizationPolicy__fields[0], + UPB_SIZE(16, 32), 3, false, 255, +}; + +#include "upb/port_undef.inc" + diff --git a/src/core/ext/upb-generated/src/proto/grpc/auth/v1/authz_policy.upb.h b/src/core/ext/upb-generated/src/proto/grpc/auth/v1/authz_policy.upb.h new file mode 100644 index 00000000000..2177b9df8bf --- /dev/null +++ b/src/core/ext/upb-generated/src/proto/grpc/auth/v1/authz_policy.upb.h 
@@ -0,0 +1,276 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * src/proto/grpc/auth/v1/authz_policy.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#ifndef SRC_PROTO_GRPC_AUTH_V1_AUTHZ_POLICY_PROTO_UPB_H_ +#define SRC_PROTO_GRPC_AUTH_V1_AUTHZ_POLICY_PROTO_UPB_H_ + +#include "upb/msg.h" +#include "upb/decode.h" +#include "upb/decode_fast.h" +#include "upb/encode.h" + +#include "upb/port_def.inc" + +#ifdef __cplusplus +extern "C" { +#endif + +struct grpc_auth_v1_Peer; +struct grpc_auth_v1_Header; +struct grpc_auth_v1_Request; +struct grpc_auth_v1_Rule; +struct grpc_auth_v1_AuthorizationPolicy; +typedef struct grpc_auth_v1_Peer grpc_auth_v1_Peer; +typedef struct grpc_auth_v1_Header grpc_auth_v1_Header; +typedef struct grpc_auth_v1_Request grpc_auth_v1_Request; +typedef struct grpc_auth_v1_Rule grpc_auth_v1_Rule; +typedef struct grpc_auth_v1_AuthorizationPolicy grpc_auth_v1_AuthorizationPolicy; +extern const upb_msglayout grpc_auth_v1_Peer_msginit; +extern const upb_msglayout grpc_auth_v1_Header_msginit; +extern const upb_msglayout grpc_auth_v1_Request_msginit; +extern const upb_msglayout grpc_auth_v1_Rule_msginit; +extern const upb_msglayout grpc_auth_v1_AuthorizationPolicy_msginit; + + +/* grpc.auth.v1.Peer */ + +UPB_INLINE grpc_auth_v1_Peer *grpc_auth_v1_Peer_new(upb_arena *arena) { + return (grpc_auth_v1_Peer *)_upb_msg_new(&grpc_auth_v1_Peer_msginit, arena); +} +UPB_INLINE grpc_auth_v1_Peer *grpc_auth_v1_Peer_parse(const char *buf, size_t size, + upb_arena *arena) { + grpc_auth_v1_Peer *ret = grpc_auth_v1_Peer_new(arena); + return (ret && upb_decode(buf, size, ret, &grpc_auth_v1_Peer_msginit, arena)) ? 
ret : NULL; +} +UPB_INLINE grpc_auth_v1_Peer *grpc_auth_v1_Peer_parse_ex(const char *buf, size_t size, + upb_arena *arena, int options) { + grpc_auth_v1_Peer *ret = grpc_auth_v1_Peer_new(arena); + return (ret && _upb_decode(buf, size, ret, &grpc_auth_v1_Peer_msginit, arena, options)) + ? ret : NULL; +} +UPB_INLINE char *grpc_auth_v1_Peer_serialize(const grpc_auth_v1_Peer *msg, upb_arena *arena, size_t *len) { + return upb_encode(msg, &grpc_auth_v1_Peer_msginit, arena, len); +} + +UPB_INLINE upb_strview const* grpc_auth_v1_Peer_principals(const grpc_auth_v1_Peer *msg, size_t *len) { return (upb_strview const*)_upb_array_accessor(msg, UPB_SIZE(0, 0), len); } + +UPB_INLINE upb_strview* grpc_auth_v1_Peer_mutable_principals(grpc_auth_v1_Peer *msg, size_t *len) { + return (upb_strview*)_upb_array_mutable_accessor(msg, UPB_SIZE(0, 0), len); +} +UPB_INLINE upb_strview* grpc_auth_v1_Peer_resize_principals(grpc_auth_v1_Peer *msg, size_t len, upb_arena *arena) { + return (upb_strview*)_upb_array_resize_accessor2(msg, UPB_SIZE(0, 0), len, UPB_SIZE(3, 4), arena); +} +UPB_INLINE bool grpc_auth_v1_Peer_add_principals(grpc_auth_v1_Peer *msg, upb_strview val, upb_arena *arena) { + return _upb_array_append_accessor2(msg, UPB_SIZE(0, 0), UPB_SIZE(3, 4), &val, + arena); +} + +/* grpc.auth.v1.Header */ + +UPB_INLINE grpc_auth_v1_Header *grpc_auth_v1_Header_new(upb_arena *arena) { + return (grpc_auth_v1_Header *)_upb_msg_new(&grpc_auth_v1_Header_msginit, arena); +} +UPB_INLINE grpc_auth_v1_Header *grpc_auth_v1_Header_parse(const char *buf, size_t size, + upb_arena *arena) { + grpc_auth_v1_Header *ret = grpc_auth_v1_Header_new(arena); + return (ret && upb_decode(buf, size, ret, &grpc_auth_v1_Header_msginit, arena)) ? 
ret : NULL; +} +UPB_INLINE grpc_auth_v1_Header *grpc_auth_v1_Header_parse_ex(const char *buf, size_t size, + upb_arena *arena, int options) { + grpc_auth_v1_Header *ret = grpc_auth_v1_Header_new(arena); + return (ret && _upb_decode(buf, size, ret, &grpc_auth_v1_Header_msginit, arena, options)) + ? ret : NULL; +} +UPB_INLINE char *grpc_auth_v1_Header_serialize(const grpc_auth_v1_Header *msg, upb_arena *arena, size_t *len) { + return upb_encode(msg, &grpc_auth_v1_Header_msginit, arena, len); +} + +UPB_INLINE upb_strview grpc_auth_v1_Header_key(const grpc_auth_v1_Header *msg) { return *UPB_PTR_AT(msg, UPB_SIZE(0, 0), upb_strview); } +UPB_INLINE upb_strview const* grpc_auth_v1_Header_values(const grpc_auth_v1_Header *msg, size_t *len) { return (upb_strview const*)_upb_array_accessor(msg, UPB_SIZE(8, 16), len); } + +UPB_INLINE void grpc_auth_v1_Header_set_key(grpc_auth_v1_Header *msg, upb_strview value) { + *UPB_PTR_AT(msg, UPB_SIZE(0, 0), upb_strview) = value; +} +UPB_INLINE upb_strview* grpc_auth_v1_Header_mutable_values(grpc_auth_v1_Header *msg, size_t *len) { + return (upb_strview*)_upb_array_mutable_accessor(msg, UPB_SIZE(8, 16), len); +} +UPB_INLINE upb_strview* grpc_auth_v1_Header_resize_values(grpc_auth_v1_Header *msg, size_t len, upb_arena *arena) { + return (upb_strview*)_upb_array_resize_accessor2(msg, UPB_SIZE(8, 16), len, UPB_SIZE(3, 4), arena); +} +UPB_INLINE bool grpc_auth_v1_Header_add_values(grpc_auth_v1_Header *msg, upb_strview val, upb_arena *arena) { + return _upb_array_append_accessor2(msg, UPB_SIZE(8, 16), UPB_SIZE(3, 4), &val, + arena); +} + +/* grpc.auth.v1.Request */ + +UPB_INLINE grpc_auth_v1_Request *grpc_auth_v1_Request_new(upb_arena *arena) { + return (grpc_auth_v1_Request *)_upb_msg_new(&grpc_auth_v1_Request_msginit, arena); +} +UPB_INLINE grpc_auth_v1_Request *grpc_auth_v1_Request_parse(const char *buf, size_t size, + upb_arena *arena) { + grpc_auth_v1_Request *ret = grpc_auth_v1_Request_new(arena); + return (ret && upb_decode(buf, size, 
ret, &grpc_auth_v1_Request_msginit, arena)) ? ret : NULL; +} +UPB_INLINE grpc_auth_v1_Request *grpc_auth_v1_Request_parse_ex(const char *buf, size_t size, + upb_arena *arena, int options) { + grpc_auth_v1_Request *ret = grpc_auth_v1_Request_new(arena); + return (ret && _upb_decode(buf, size, ret, &grpc_auth_v1_Request_msginit, arena, options)) + ? ret : NULL; +} +UPB_INLINE char *grpc_auth_v1_Request_serialize(const grpc_auth_v1_Request *msg, upb_arena *arena, size_t *len) { + return upb_encode(msg, &grpc_auth_v1_Request_msginit, arena, len); +} + +UPB_INLINE upb_strview const* grpc_auth_v1_Request_paths(const grpc_auth_v1_Request *msg, size_t *len) { return (upb_strview const*)_upb_array_accessor(msg, UPB_SIZE(0, 0), len); } +UPB_INLINE bool grpc_auth_v1_Request_has_headers(const grpc_auth_v1_Request *msg) { return _upb_has_submsg_nohasbit(msg, UPB_SIZE(4, 8)); } +UPB_INLINE const grpc_auth_v1_Header* const* grpc_auth_v1_Request_headers(const grpc_auth_v1_Request *msg, size_t *len) { return (const grpc_auth_v1_Header* const*)_upb_array_accessor(msg, UPB_SIZE(4, 8), len); } + +UPB_INLINE upb_strview* grpc_auth_v1_Request_mutable_paths(grpc_auth_v1_Request *msg, size_t *len) { + return (upb_strview*)_upb_array_mutable_accessor(msg, UPB_SIZE(0, 0), len); +} +UPB_INLINE upb_strview* grpc_auth_v1_Request_resize_paths(grpc_auth_v1_Request *msg, size_t len, upb_arena *arena) { + return (upb_strview*)_upb_array_resize_accessor2(msg, UPB_SIZE(0, 0), len, UPB_SIZE(3, 4), arena); +} +UPB_INLINE bool grpc_auth_v1_Request_add_paths(grpc_auth_v1_Request *msg, upb_strview val, upb_arena *arena) { + return _upb_array_append_accessor2(msg, UPB_SIZE(0, 0), UPB_SIZE(3, 4), &val, + arena); +} +UPB_INLINE grpc_auth_v1_Header** grpc_auth_v1_Request_mutable_headers(grpc_auth_v1_Request *msg, size_t *len) { + return (grpc_auth_v1_Header**)_upb_array_mutable_accessor(msg, UPB_SIZE(4, 8), len); +} +UPB_INLINE grpc_auth_v1_Header** grpc_auth_v1_Request_resize_headers(grpc_auth_v1_Request 
*msg, size_t len, upb_arena *arena) { + return (grpc_auth_v1_Header**)_upb_array_resize_accessor2(msg, UPB_SIZE(4, 8), len, UPB_SIZE(2, 3), arena); +} +UPB_INLINE struct grpc_auth_v1_Header* grpc_auth_v1_Request_add_headers(grpc_auth_v1_Request *msg, upb_arena *arena) { + struct grpc_auth_v1_Header* sub = (struct grpc_auth_v1_Header*)_upb_msg_new(&grpc_auth_v1_Header_msginit, arena); + bool ok = _upb_array_append_accessor2( + msg, UPB_SIZE(4, 8), UPB_SIZE(2, 3), &sub, arena); + if (!ok) return NULL; + return sub; +} + +/* grpc.auth.v1.Rule */ + +UPB_INLINE grpc_auth_v1_Rule *grpc_auth_v1_Rule_new(upb_arena *arena) { + return (grpc_auth_v1_Rule *)_upb_msg_new(&grpc_auth_v1_Rule_msginit, arena); +} +UPB_INLINE grpc_auth_v1_Rule *grpc_auth_v1_Rule_parse(const char *buf, size_t size, + upb_arena *arena) { + grpc_auth_v1_Rule *ret = grpc_auth_v1_Rule_new(arena); + return (ret && upb_decode(buf, size, ret, &grpc_auth_v1_Rule_msginit, arena)) ? ret : NULL; +} +UPB_INLINE grpc_auth_v1_Rule *grpc_auth_v1_Rule_parse_ex(const char *buf, size_t size, + upb_arena *arena, int options) { + grpc_auth_v1_Rule *ret = grpc_auth_v1_Rule_new(arena); + return (ret && _upb_decode(buf, size, ret, &grpc_auth_v1_Rule_msginit, arena, options)) + ? 
ret : NULL; +} +UPB_INLINE char *grpc_auth_v1_Rule_serialize(const grpc_auth_v1_Rule *msg, upb_arena *arena, size_t *len) { + return upb_encode(msg, &grpc_auth_v1_Rule_msginit, arena, len); +} + +UPB_INLINE upb_strview grpc_auth_v1_Rule_name(const grpc_auth_v1_Rule *msg) { return *UPB_PTR_AT(msg, UPB_SIZE(4, 8), upb_strview); } +UPB_INLINE bool grpc_auth_v1_Rule_has_source(const grpc_auth_v1_Rule *msg) { return _upb_hasbit(msg, 1); } +UPB_INLINE const grpc_auth_v1_Peer* grpc_auth_v1_Rule_source(const grpc_auth_v1_Rule *msg) { return *UPB_PTR_AT(msg, UPB_SIZE(12, 24), const grpc_auth_v1_Peer*); } +UPB_INLINE bool grpc_auth_v1_Rule_has_request(const grpc_auth_v1_Rule *msg) { return _upb_hasbit(msg, 2); } +UPB_INLINE const grpc_auth_v1_Request* grpc_auth_v1_Rule_request(const grpc_auth_v1_Rule *msg) { return *UPB_PTR_AT(msg, UPB_SIZE(16, 32), const grpc_auth_v1_Request*); } + +UPB_INLINE void grpc_auth_v1_Rule_set_name(grpc_auth_v1_Rule *msg, upb_strview value) { + *UPB_PTR_AT(msg, UPB_SIZE(4, 8), upb_strview) = value; +} +UPB_INLINE void grpc_auth_v1_Rule_set_source(grpc_auth_v1_Rule *msg, grpc_auth_v1_Peer* value) { + _upb_sethas(msg, 1); + *UPB_PTR_AT(msg, UPB_SIZE(12, 24), grpc_auth_v1_Peer*) = value; +} +UPB_INLINE struct grpc_auth_v1_Peer* grpc_auth_v1_Rule_mutable_source(grpc_auth_v1_Rule *msg, upb_arena *arena) { + struct grpc_auth_v1_Peer* sub = (struct grpc_auth_v1_Peer*)grpc_auth_v1_Rule_source(msg); + if (sub == NULL) { + sub = (struct grpc_auth_v1_Peer*)_upb_msg_new(&grpc_auth_v1_Peer_msginit, arena); + if (!sub) return NULL; + grpc_auth_v1_Rule_set_source(msg, sub); + } + return sub; +} +UPB_INLINE void grpc_auth_v1_Rule_set_request(grpc_auth_v1_Rule *msg, grpc_auth_v1_Request* value) { + _upb_sethas(msg, 2); + *UPB_PTR_AT(msg, UPB_SIZE(16, 32), grpc_auth_v1_Request*) = value; +} +UPB_INLINE struct grpc_auth_v1_Request* grpc_auth_v1_Rule_mutable_request(grpc_auth_v1_Rule *msg, upb_arena *arena) { + struct grpc_auth_v1_Request* sub = (struct 
grpc_auth_v1_Request*)grpc_auth_v1_Rule_request(msg); + if (sub == NULL) { + sub = (struct grpc_auth_v1_Request*)_upb_msg_new(&grpc_auth_v1_Request_msginit, arena); + if (!sub) return NULL; + grpc_auth_v1_Rule_set_request(msg, sub); + } + return sub; +} + +/* grpc.auth.v1.AuthorizationPolicy */ + +UPB_INLINE grpc_auth_v1_AuthorizationPolicy *grpc_auth_v1_AuthorizationPolicy_new(upb_arena *arena) { + return (grpc_auth_v1_AuthorizationPolicy *)_upb_msg_new(&grpc_auth_v1_AuthorizationPolicy_msginit, arena); +} +UPB_INLINE grpc_auth_v1_AuthorizationPolicy *grpc_auth_v1_AuthorizationPolicy_parse(const char *buf, size_t size, + upb_arena *arena) { + grpc_auth_v1_AuthorizationPolicy *ret = grpc_auth_v1_AuthorizationPolicy_new(arena); + return (ret && upb_decode(buf, size, ret, &grpc_auth_v1_AuthorizationPolicy_msginit, arena)) ? ret : NULL; +} +UPB_INLINE grpc_auth_v1_AuthorizationPolicy *grpc_auth_v1_AuthorizationPolicy_parse_ex(const char *buf, size_t size, + upb_arena *arena, int options) { + grpc_auth_v1_AuthorizationPolicy *ret = grpc_auth_v1_AuthorizationPolicy_new(arena); + return (ret && _upb_decode(buf, size, ret, &grpc_auth_v1_AuthorizationPolicy_msginit, arena, options)) + ? 
ret : NULL; +} +UPB_INLINE char *grpc_auth_v1_AuthorizationPolicy_serialize(const grpc_auth_v1_AuthorizationPolicy *msg, upb_arena *arena, size_t *len) { + return upb_encode(msg, &grpc_auth_v1_AuthorizationPolicy_msginit, arena, len); +} + +UPB_INLINE upb_strview grpc_auth_v1_AuthorizationPolicy_name(const grpc_auth_v1_AuthorizationPolicy *msg) { return *UPB_PTR_AT(msg, UPB_SIZE(0, 0), upb_strview); } +UPB_INLINE bool grpc_auth_v1_AuthorizationPolicy_has_deny_rules(const grpc_auth_v1_AuthorizationPolicy *msg) { return _upb_has_submsg_nohasbit(msg, UPB_SIZE(8, 16)); } +UPB_INLINE const grpc_auth_v1_Rule* const* grpc_auth_v1_AuthorizationPolicy_deny_rules(const grpc_auth_v1_AuthorizationPolicy *msg, size_t *len) { return (const grpc_auth_v1_Rule* const*)_upb_array_accessor(msg, UPB_SIZE(8, 16), len); } +UPB_INLINE bool grpc_auth_v1_AuthorizationPolicy_has_allow_rules(const grpc_auth_v1_AuthorizationPolicy *msg) { return _upb_has_submsg_nohasbit(msg, UPB_SIZE(12, 24)); } +UPB_INLINE const grpc_auth_v1_Rule* const* grpc_auth_v1_AuthorizationPolicy_allow_rules(const grpc_auth_v1_AuthorizationPolicy *msg, size_t *len) { return (const grpc_auth_v1_Rule* const*)_upb_array_accessor(msg, UPB_SIZE(12, 24), len); } + +UPB_INLINE void grpc_auth_v1_AuthorizationPolicy_set_name(grpc_auth_v1_AuthorizationPolicy *msg, upb_strview value) { + *UPB_PTR_AT(msg, UPB_SIZE(0, 0), upb_strview) = value; +} +UPB_INLINE grpc_auth_v1_Rule** grpc_auth_v1_AuthorizationPolicy_mutable_deny_rules(grpc_auth_v1_AuthorizationPolicy *msg, size_t *len) { + return (grpc_auth_v1_Rule**)_upb_array_mutable_accessor(msg, UPB_SIZE(8, 16), len); +} +UPB_INLINE grpc_auth_v1_Rule** grpc_auth_v1_AuthorizationPolicy_resize_deny_rules(grpc_auth_v1_AuthorizationPolicy *msg, size_t len, upb_arena *arena) { + return (grpc_auth_v1_Rule**)_upb_array_resize_accessor2(msg, UPB_SIZE(8, 16), len, UPB_SIZE(2, 3), arena); +} +UPB_INLINE struct grpc_auth_v1_Rule* 
grpc_auth_v1_AuthorizationPolicy_add_deny_rules(grpc_auth_v1_AuthorizationPolicy *msg, upb_arena *arena) { + struct grpc_auth_v1_Rule* sub = (struct grpc_auth_v1_Rule*)_upb_msg_new(&grpc_auth_v1_Rule_msginit, arena); + bool ok = _upb_array_append_accessor2( + msg, UPB_SIZE(8, 16), UPB_SIZE(2, 3), &sub, arena); + if (!ok) return NULL; + return sub; +} +UPB_INLINE grpc_auth_v1_Rule** grpc_auth_v1_AuthorizationPolicy_mutable_allow_rules(grpc_auth_v1_AuthorizationPolicy *msg, size_t *len) { + return (grpc_auth_v1_Rule**)_upb_array_mutable_accessor(msg, UPB_SIZE(12, 24), len); +} +UPB_INLINE grpc_auth_v1_Rule** grpc_auth_v1_AuthorizationPolicy_resize_allow_rules(grpc_auth_v1_AuthorizationPolicy *msg, size_t len, upb_arena *arena) { + return (grpc_auth_v1_Rule**)_upb_array_resize_accessor2(msg, UPB_SIZE(12, 24), len, UPB_SIZE(2, 3), arena); +} +UPB_INLINE struct grpc_auth_v1_Rule* grpc_auth_v1_AuthorizationPolicy_add_allow_rules(grpc_auth_v1_AuthorizationPolicy *msg, upb_arena *arena) { + struct grpc_auth_v1_Rule* sub = (struct grpc_auth_v1_Rule*)_upb_msg_new(&grpc_auth_v1_Rule_msginit, arena); + bool ok = _upb_array_append_accessor2( + msg, UPB_SIZE(12, 24), UPB_SIZE(2, 3), &sub, arena); + if (!ok) return NULL; + return sub; +} + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#include "upb/port_undef.inc" + +#endif /* SRC_PROTO_GRPC_AUTH_V1_AUTHZ_POLICY_PROTO_UPB_H_ */ diff --git a/src/core/ext/upbdefs-generated/src/proto/grpc/auth/v1/authz_policy.upbdefs.c b/src/core/ext/upbdefs-generated/src/proto/grpc/auth/v1/authz_policy.upbdefs.c new file mode 100644 index 00000000000..7f317ae55ed --- /dev/null +++ b/src/core/ext/upbdefs-generated/src/proto/grpc/auth/v1/authz_policy.upbdefs.c 
@@ -0,0 +1,58 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * src/proto/grpc/auth/v1/authz_policy.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#include "upb/def.h" +#include "src/proto/grpc/auth/v1/authz_policy.upbdefs.h" + +extern const upb_msglayout grpc_auth_v1_Peer_msginit; +extern const upb_msglayout grpc_auth_v1_Header_msginit; +extern const upb_msglayout grpc_auth_v1_Request_msginit; +extern const upb_msglayout grpc_auth_v1_Rule_msginit; +extern const upb_msglayout grpc_auth_v1_AuthorizationPolicy_msginit; + +static const upb_msglayout *layouts[5] = { + &grpc_auth_v1_Peer_msginit, + &grpc_auth_v1_Header_msginit, + &grpc_auth_v1_Request_msginit, + &grpc_auth_v1_Rule_msginit, + &grpc_auth_v1_AuthorizationPolicy_msginit, +}; + +static const char descriptor[507] = {'\n', ')', 's', 'r', 'c', '/', 'p', 'r', 'o', 't', 'o', '/', 'g', 'r', 'p', 'c', '/', 'a', 'u', 't', 'h', '/', 'v', '1', '/', +'a', 'u', 't', 'h', 'z', '_', 'p', 'o', 'l', 'i', 'c', 'y', '.', 'p', 'r', 'o', 't', 'o', '\022', '\014', 'g', 'r', 'p', 'c', '.', +'a', 'u', 't', 'h', '.', 'v', '1', '\"', '&', '\n', '\004', 'P', 'e', 'e', 'r', '\022', '\036', '\n', '\n', 'p', 'r', 'i', 'n', 'c', 'i', +'p', 'a', 'l', 's', '\030', '\001', ' ', '\003', '(', '\t', 'R', '\n', 'p', 'r', 'i', 'n', 'c', 'i', 'p', 'a', 'l', 's', '\"', '2', '\n', +'\006', 'H', 'e', 'a', 'd', 'e', 'r', '\022', '\020', '\n', '\003', 'k', 'e', 'y', '\030', '\001', ' ', '\001', '(', '\t', 'R', '\003', 'k', 'e', 'y', +'\022', '\026', '\n', '\006', 'v', 'a', 'l', 'u', 'e', 's', '\030', '\002', ' ', '\003', '(', '\t', 'R', '\006', 'v', 'a', 'l', 'u', 'e', 's', '\"', +'O', '\n', '\007', 'R', 'e', 'q', 'u', 'e', 's', 't', '\022', '\024', '\n', '\005', 'p', 'a', 't', 'h', 's', '\030', '\001', ' ', '\003', '(', '\t', +'R', '\005', 'p', 'a', 't', 'h', 's', '\022', '.', '\n', '\007', 'h', 'e', 'a', 'd', 'e', 'r', 's', '\030', '\003', ' ', '\003', '(', 
'\013', '2', +'\024', '.', 'g', 'r', 'p', 'c', '.', 'a', 'u', 't', 'h', '.', 'v', '1', '.', 'H', 'e', 'a', 'd', 'e', 'r', 'R', '\007', 'h', 'e', +'a', 'd', 'e', 'r', 's', '\"', 'w', '\n', '\004', 'R', 'u', 'l', 'e', '\022', '\022', '\n', '\004', 'n', 'a', 'm', 'e', '\030', '\001', ' ', '\001', +'(', '\t', 'R', '\004', 'n', 'a', 'm', 'e', '\022', '*', '\n', '\006', 's', 'o', 'u', 'r', 'c', 'e', '\030', '\002', ' ', '\001', '(', '\013', '2', +'\022', '.', 'g', 'r', 'p', 'c', '.', 'a', 'u', 't', 'h', '.', 'v', '1', '.', 'P', 'e', 'e', 'r', 'R', '\006', 's', 'o', 'u', 'r', +'c', 'e', '\022', '/', '\n', '\007', 'r', 'e', 'q', 'u', 'e', 's', 't', '\030', '\003', ' ', '\001', '(', '\013', '2', '\025', '.', 'g', 'r', 'p', +'c', '.', 'a', 'u', 't', 'h', '.', 'v', '1', '.', 'R', 'e', 'q', 'u', 'e', 's', 't', 'R', '\007', 'r', 'e', 'q', 'u', 'e', 's', +'t', '\"', '\221', '\001', '\n', '\023', 'A', 'u', 't', 'h', 'o', 'r', 'i', 'z', 'a', 't', 'i', 'o', 'n', 'P', 'o', 'l', 'i', 'c', 'y', +'\022', '\022', '\n', '\004', 'n', 'a', 'm', 'e', '\030', '\001', ' ', '\001', '(', '\t', 'R', '\004', 'n', 'a', 'm', 'e', '\022', '1', '\n', '\n', 'd', +'e', 'n', 'y', '_', 'r', 'u', 'l', 'e', 's', '\030', '\002', ' ', '\003', '(', '\013', '2', '\022', '.', 'g', 'r', 'p', 'c', '.', 'a', 'u', +'t', 'h', '.', 'v', '1', '.', 'R', 'u', 'l', 'e', 'R', '\t', 'd', 'e', 'n', 'y', 'R', 'u', 'l', 'e', 's', '\022', '3', '\n', '\013', +'a', 'l', 'l', 'o', 'w', '_', 'r', 'u', 'l', 'e', 's', '\030', '\003', ' ', '\003', '(', '\013', '2', '\022', '.', 'g', 'r', 'p', 'c', '.', +'a', 'u', 't', 'h', '.', 'v', '1', '.', 'R', 'u', 'l', 'e', 'R', '\n', 'a', 'l', 'l', 'o', 'w', 'R', 'u', 'l', 'e', 's', 'b', +'\006', 'p', 'r', 'o', 't', 'o', '3', +}; + +static upb_def_init *deps[1] = { + NULL +}; + +upb_def_init src_proto_grpc_auth_v1_authz_policy_proto_upbdefinit = { + deps, + layouts, + "src/proto/grpc/auth/v1/authz_policy.proto", + UPB_STRVIEW_INIT(descriptor, 507) +}; 
diff --git a/src/core/ext/upbdefs-generated/src/proto/grpc/auth/v1/authz_policy.upbdefs.h b/src/core/ext/upbdefs-generated/src/proto/grpc/auth/v1/authz_policy.upbdefs.h
new file mode 100644
index 00000000000..c06fb251835
--- /dev/null
+++ b/src/core/ext/upbdefs-generated/src/proto/grpc/auth/v1/authz_policy.upbdefs.h
@@ -0,0 +1,55 @@ +/* This file was generated by upbc (the upb compiler) from the input + * file: + * + * src/proto/grpc/auth/v1/authz_policy.proto + * + * Do not edit -- your changes will be discarded when the file is + * regenerated. */ + +#ifndef SRC_PROTO_GRPC_AUTH_V1_AUTHZ_POLICY_PROTO_UPBDEFS_H_ +#define SRC_PROTO_GRPC_AUTH_V1_AUTHZ_POLICY_PROTO_UPBDEFS_H_ + +#include "upb/def.h" +#include "upb/port_def.inc" +#ifdef __cplusplus +extern "C" { +#endif + +#include "upb/def.h" + +#include "upb/port_def.inc" + +extern upb_def_init src_proto_grpc_auth_v1_authz_policy_proto_upbdefinit; + +UPB_INLINE const upb_msgdef *grpc_auth_v1_Peer_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &src_proto_grpc_auth_v1_authz_policy_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "grpc.auth.v1.Peer"); +} + +UPB_INLINE const upb_msgdef *grpc_auth_v1_Header_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &src_proto_grpc_auth_v1_authz_policy_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "grpc.auth.v1.Header"); +} + +UPB_INLINE const upb_msgdef *grpc_auth_v1_Request_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &src_proto_grpc_auth_v1_authz_policy_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "grpc.auth.v1.Request"); +} + +UPB_INLINE const upb_msgdef *grpc_auth_v1_Rule_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &src_proto_grpc_auth_v1_authz_policy_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "grpc.auth.v1.Rule"); +} + +UPB_INLINE const upb_msgdef *grpc_auth_v1_AuthorizationPolicy_getmsgdef(upb_symtab *s) { + _upb_symtab_loaddefinit(s, &src_proto_grpc_auth_v1_authz_policy_proto_upbdefinit); + return upb_symtab_lookupmsg(s, "grpc.auth.v1.AuthorizationPolicy"); +} + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#include "upb/port_undef.inc" + +#endif /* SRC_PROTO_GRPC_AUTH_V1_AUTHZ_POLICY_PROTO_UPBDEFS_H_ */ 
diff --git a/src/proto/grpc/auth/v1/BUILD b/src/proto/grpc/auth/v1/BUILD
new file mode 100644
index 00000000000..d6f94ec5d1f
--- /dev/null
+++ b/src/proto/grpc/auth/v1/BUILD
@@ -0,0 +1,25 @@
+# Copyright 2021 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+licenses(["notice"]) # Apache v2
+
+load("@rules_proto//proto:defs.bzl", "proto_library")
+
+proto_library(
+ name = "authz_policy_proto",
+ srcs = [
+ "authz_policy.proto",
+ ],
+ visibility = ["//visibility:public"],
+)
diff --git a/src/proto/grpc/auth/v1/authz_policy.proto b/src/proto/grpc/auth/v1/authz_policy.proto
new file mode 100644
index 00000000000..347386f3e66
--- /dev/null
+++ b/src/proto/grpc/auth/v1/authz_policy.proto
@@ -0,0 +1,122 @@
+// Copyright 2021 The gRPC Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grpc.auth.v1;
+
+// Peer specifies attributes of a peer. Fields in the Peer are ANDed together, once
+// we support multiple fields in the future.
+message Peer {
+ // Optional. A list of peer identities to match for authorization. The principals
+ // are one of, i.e., it matches if one of the principals matches. The field
+ // supports Exact, Prefix, Suffix, and Presence matches.
+ // - Exact match: "abc" will match on value "abc".
+ // - Prefix match: "abc*" will match on value "abc" and "abcd".
+ // - Suffix match: "*abc" will match on value "abc" and "xabc".
+ // - Presence match: "*" will match when the value is not empty.
+ repeated string principals = 1;
+}
+
+// Specification of HTTP header match attributes.
+message Header {
+ // Required. The name of the HTTP header to match. The following headers are *not*
+ // supported: "hop-by-hop" headers (e.g., those listed in "Connection" header),
+ // HTTP/2 pseudo headers (":"-prefixed), the "Host" header, and headers prefixed
+ // with "grpc-".
+ string key = 1;
+
+ // Required. A list of header values to match. The header values are ORed together,
+ // i.e., it matches if one of the values matches. This field supports Exact,
+ // Prefix, Suffix, and Presence match. Multi-valued headers are considered a single
+ // value with commas added between values.
+ // - Exact match: "abc" will match on value "abc".
+ // - Prefix match: "abc*" will match on value "abc" and "abcd".
+ // - Suffix match: "*abc" will match on value "abc" and "xabc".
+ // - Presence match: "*" will match when the value is not empty.
+ repeated string values = 2;
+}
+
+// Request specifies attributes of a request. Fields in the Request are ANDed
+// together.
+message Request {
+ // Optional. A list of paths to match for authorization. This is the fully
+ // qualified name in the form of "/package.service/method". The paths are ORed
+ // together, i.e., it matches if one of the paths matches. This field supports
+ // Exact, Prefix, Suffix, and Presence matches.
+ // - Exact match: "abc" will match on value "abc".
+ // - Prefix match: "abc*" will match on value "abc" and "abcd".
+ // - Suffix match: "*abc" will match on value "abc" and "xabc".
+ // - Presence match: "*" will match when the value is not empty.
+ repeated string paths = 1;
+
+ // Optional. A list of HTTP header key/value pairs to match against, for
+ // potentially advanced use cases. The headers are ANDed together, i.e., it matches
+ // only if *all* the headers match.
+ repeated Header headers = 3;
+}
+
+// Specification of rules.
+message Rule {
+ // Required. The name of an authorization rule.
+ // It is mainly for monitoring and error message generation.
+ string name = 1;
+
+ // Optional. If not set, no checks will be performed against the source. An empty
+ // rule is always matched (i.e., both source and request are empty).
+ Peer source = 2;
+
+ // Optional. If not set, no checks will be performed against the request. An empty
+ // rule is always matched (i.e., both source and request are empty).
+ Request request = 3;
+}
+
+// AuthorizationPolicy defines which principals are permitted to access which
+// resource. Resources are RPC methods scoped by services.
+//
+// In the following yaml policy example, a peer identity from ["admin1", "admin2", "admin3"]
+// is authorized to access any RPC methods in pkg.service, and peer identity "dev" is
+// authorized to access the "foo" and "bar" RPC methods.
+//
+// name: example-policy
+// allow_rules:
+// - name: admin-access
+// source:
+// principals:
+// - "spiffe://foo.com/sa/admin1"
+// - "spiffe://foo.com/sa/admin2"
+// - "spiffe://foo.com/sa/admin3"
+// request:
+// paths: ["/pkg.service/*"]
+// - name: dev-access
+// source:
+// principals: ["spiffe://foo.com/sa/dev"]
+// request:
+// paths: ["/pkg.service/foo", "/pkg.service/bar"]
+
+message AuthorizationPolicy {
+ // Required. The name of an authorization policy.
+ // It is mainly for monitoring and error message generation.
+ string name = 1;
+
+ // Optional. List of deny rules to match. If a request matches any of the deny
+ // rules, then it will be denied. If none of the deny rules matches or there are
+ // no deny rules, the allow rules will be evaluated.
+ repeated Rule deny_rules = 2;
+
+ // Required. List of allow rules to match. The allow rules will only be evaluated
+ // after the deny rules. If a request matches any of the allow rules, then it will
+ // allowed. If none of the allow rules matches, it will be denied.
+ repeated Rule allow_rules = 3;
+}
diff --git a/tools/codegen/core/gen_upb_api.sh b/tools/codegen/core/gen_upb_api.sh
index b4f7688c559..6196a2da827 100755
--- a/tools/codegen/core/gen_upb_api.sh
+++ b/tools/codegen/core/gen_upb_api.sh
@@ -112,6 +112,7 @@ proto_files=( \
 "google/protobuf/timestamp.proto" \
 "google/protobuf/wrappers.proto" \
 "google/rpc/status.proto" \
+ "src/proto/grpc/auth/v1/authz_policy.proto" \
 "src/proto/grpc/gcp/altscontext.proto" \
 "src/proto/grpc/gcp/handshaker.proto" \
 "src/proto/grpc/gcp/transport_security_common.proto" \
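Review bot: The `Rule` comments in authz_policy.proto say an empty rule (neither `source` nor `request` set) is always matched, and `AuthorizationPolicy` uses that same message for both `deny_rules` and `allow_rules`, so a rule whose body is accidentally omitted either denies or allows every RPC. I would say so on `Rule` itself, e.g. `// NOTE: a rule with neither source nor request matches every RPC; in allow_rules this grants access to all peers.`, and have whatever code loads the policy (not part of this patch) reject or at least log such rules. The comments also leave undefined what a set-but-empty `principals`, `paths` or `values` list matches, which is worth pinning down before an evaluator is written against this schema. Separately, `Request` declares `headers = 3` with no field 2; if the gap is deliberate, `reserved 2;` records it and keeps the number from being reused with a different meaning. The last `allow_rules` comment reads "then it will allowed" and is missing "be".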