[call-v3] Convert RBAC to new api (#35421)

Closes #35421

COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/35421 from ctiller:rrrrrback 8ff26a1dd4
PiperOrigin-RevId: 595138895
Craig Tiller 11 months ago committed by Copybara-Service
parent c7101d0867
commit db3584dc9e
  1. 26
      src/core/ext/filters/rbac/rbac_filter.cc
  2. 15
      src/core/ext/filters/rbac/rbac_filter.h
  3. 56
      src/core/lib/channel/promise_based_filter.h

@ -43,8 +43,14 @@
namespace grpc_core {
ArenaPromise<ServerMetadataHandle> RbacFilter::MakeCallPromise(
CallArgs call_args, NextPromiseFactory next_promise_factory) {
const NoInterceptor RbacFilter::Call::OnServerInitialMetadata;
const NoInterceptor RbacFilter::Call::OnServerTrailingMetadata;
const NoInterceptor RbacFilter::Call::OnClientToServerMessage;
const NoInterceptor RbacFilter::Call::OnServerToClientMessage;
const NoInterceptor RbacFilter::Call::OnFinalize;
absl::Status RbacFilter::Call::OnClientInitialMetadata(ClientMetadata& md,
RbacFilter* filter) {
// Fetch and apply the rbac policy from the service config.
auto* service_config_call_data = static_cast<ServiceConfigCallData*>(
GetContext<
@ -52,21 +58,19 @@ ArenaPromise<ServerMetadataHandle> RbacFilter::MakeCallPromise(
.value);
auto* method_params = static_cast<RbacMethodParsedConfig*>(
service_config_call_data->GetMethodParsedConfig(
service_config_parser_index_));
filter->service_config_parser_index_));
if (method_params == nullptr) {
return Immediate(ServerMetadataFromStatus(
absl::PermissionDeniedError("No RBAC policy found.")));
return absl::PermissionDeniedError("No RBAC policy found.");
} else {
auto* authorization_engine = method_params->authorization_engine(index_);
auto* authorization_engine =
method_params->authorization_engine(filter->index_);
if (authorization_engine
->Evaluate(EvaluateArgs(call_args.client_initial_metadata.get(),
&per_channel_evaluate_args_))
->Evaluate(EvaluateArgs(&md, &filter->per_channel_evaluate_args_))
.type == AuthorizationEngine::Decision::Type::kDeny) {
return Immediate(ServerMetadataFromStatus(
absl::PermissionDeniedError("Unauthorized RPC rejected")));
return absl::PermissionDeniedError("Unauthorized RPC rejected");
}
}
return next_promise_factory(std::move(call_args));
return absl::OkStatus();
}
const grpc_channel_filter RbacFilter::kFilterVtable =
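Review bot: `authorization_engine` is dereferenced at `->Evaluate(...)` right after `method_params->authorization_engine(filter->index_)` with no null check; if that accessor can return nullptr for an index that has no engine (I cannot tell from this hunk), the call crashes rather than being rejected. The pre-commit code had the same shape, so this is carried over rather than introduced, but now that the function fails closed on a missing policy it would be consistent to do the same here: `if (authorization_engine == nullptr) return absl::PermissionDeniedError("No RBAC policy found.");`. A short header comment stating the fail-closed contract would also help readers, e.g. `// Returns OK only when an RBAC policy is attached to the call and its engine allows the request; a missing policy or a deny decision rejects the RPC with PERMISSION_DENIED.`. The first statement of `OnClientInitialMetadata` begins in the previous hunk.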

@ -34,7 +34,7 @@ namespace grpc_core {
// Filter used when xDS server config fetcher provides a configuration with an
// HTTP RBAC filter. Also serves as the type for channel data for the filter.
class RbacFilter : public ChannelFilter {
class RbacFilter : public ImplementChannelFilter<RbacFilter> {
public:
// This channel filter is intended to be used by connections on xDS enabled
// servers configured with RBAC. The RBAC filter fetches the RBAC policy from
@ -45,9 +45,16 @@ class RbacFilter : public ChannelFilter {
static absl::StatusOr<RbacFilter> Create(const ChannelArgs& args,
ChannelFilter::Args filter_args);
// Construct a promise for one call.
ArenaPromise<ServerMetadataHandle> MakeCallPromise(
CallArgs call_args, NextPromiseFactory next_promise_factory) override;
class Call {
public:
absl::Status OnClientInitialMetadata(ClientMetadata& md,
RbacFilter* filter);
static const NoInterceptor OnServerInitialMetadata;
static const NoInterceptor OnServerTrailingMetadata;
static const NoInterceptor OnClientToServerMessage;
static const NoInterceptor OnServerToClientMessage;
static const NoInterceptor OnFinalize;
};
private:
RbacFilter(size_t index,
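Review bot: The new `Call::OnClientInitialMetadata` declaration replaces the commented `MakeCallPromise` but carries no comment of its own, and its `RbacFilter* filter` parameter is the only documentation of the channel/call relationship. Suggest above the declaration: `// Evaluates the call against the RBAC policy selected by `filter` (index and per-channel evaluate args); returns OK to let the call proceed, PERMISSION_DENIED to reject it. `filter` is a non-owning pointer to the channel-level filter.`. The `NoInterceptor` members could take a one-line `// No per-call work for these events.` so the intent of the five declarations is explicit. The class body continues past this hunk.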

@ -378,6 +378,33 @@ struct RunCallImpl<ServerMetadataHandle (Derived::Call::*)(ClientMetadata& md,
}
};
template <typename Derived>
struct RunCallImpl<absl::Status (Derived::Call::*)(ClientMetadata& md),
Derived> {
static auto Run(CallArgs call_args, NextPromiseFactory next_promise_factory,
FilterCallData<Derived>* call_data)
-> ArenaPromise<ServerMetadataHandle> {
auto status = call_data->call.OnClientInitialMetadata(
*call_args.client_initial_metadata);
if (status.ok()) return next_promise_factory(std::move(call_args));
return Immediate(ServerMetadataFromStatus(status));
}
};
template <typename Derived>
struct RunCallImpl<absl::Status (Derived::Call::*)(ClientMetadata& md,
Derived* channel),
Derived> {
static auto Run(CallArgs call_args, NextPromiseFactory next_promise_factory,
FilterCallData<Derived>* call_data)
-> ArenaPromise<ServerMetadataHandle> {
auto status = call_data->call.OnClientInitialMetadata(
*call_args.client_initial_metadata, call_data->channel);
if (status.ok()) return next_promise_factory(std::move(call_args));
return Immediate(ServerMetadataFromStatus(status));
}
};
template <typename Derived>
struct RunCallImpl<
void (Derived::Call::*)(ClientMetadata& md, Derived* channel), Derived> {
@ -593,6 +620,35 @@ inline void InterceptClientInitialMetadata(
});
}
template <typename Derived>
inline void InterceptClientInitialMetadata(
absl::Status (Derived::Call::*fn)(ClientMetadata& md),
typename Derived::Call* call, Derived*, CallSpineInterface* call_spine) {
GPR_DEBUG_ASSERT(fn == &Derived::Call::OnClientInitialMetadata);
call_spine->client_initial_metadata().receiver.InterceptAndMap(
[call_spine,
call](ClientMetadataHandle md) -> absl::optional<ClientMetadataHandle> {
auto status = call->OnClientInitialMetadata(*md);
if (status.ok()) return std::move(md);
return call_spine->Cancel(ServerMetadataFromStatus(status));
});
}
template <typename Derived>
inline void InterceptClientInitialMetadata(
absl::Status (Derived::Call::*fn)(ClientMetadata& md, Derived* channel),
typename Derived::Call* call, Derived* channel,
CallSpineInterface* call_spine) {
GPR_DEBUG_ASSERT(fn == &Derived::Call::OnClientInitialMetadata);
call_spine->client_initial_metadata().receiver.InterceptAndMap(
[call_spine, call, channel](
ClientMetadataHandle md) -> absl::optional<ClientMetadataHandle> {
auto status = call->OnClientInitialMetadata(*md, channel);
if (status.ok()) return std::move(md);
return call_spine->Cancel(ServerMetadataFromStatus(status));
});
}
// Returning a promise that resolves to something that can be cast to
// ServerMetadataHandle also counts
template <typename Promise, typename Derived>
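Review bot: The two new `InterceptClientInitialMetadata` overloads (and the two `RunCallImpl` specializations in the earlier hunk of this file) introduce a third return convention for `OnClientInitialMetadata` — `absl::Status` — but nothing near them says how it maps onto the call, while the neighbouring `ServerMetadataHandle` variant gets a comment at the end of this hunk. Suggest one comment above each new overload/specialization: `// absl::Status variant: OK passes the metadata through unchanged; any other status terminates the call with ServerMetadataFromStatus(status).`. As a point of style, `auto status` in both lambdas and both `Run` bodies could be `const absl::Status status` so the type the branch depends on is visible at the call site. The template declaration on the last line of this hunk continues outside it.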
