mirror of https://github.com/grpc/grpc.git
[Audit Logging] Logger and factory APIs in C-Core and C++. (#32750)
Audit logging APIs for both built-in loggers and third-party logger implementations. C++ uses using decls referring to C-Core APIs. --------- Co-authored-by: rockspore <rockspore@users.noreply.github.com>pull/32947/head
Luwei Ge
2 years ago
committed by
GitHub
parent
da5dbc068d
commit
dcfc5d6904
22 changed files with 586 additions and 0 deletions
@ -0,0 +1,96 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2023 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#ifndef GRPC_GRPC_AUDIT_LOGGING_H |
||||
#define GRPC_GRPC_AUDIT_LOGGING_H |
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include <memory> |
||||
#include <string> |
||||
|
||||
#include "absl/status/statusor.h" |
||||
#include "absl/strings/string_view.h" |
||||
|
||||
// TODO(lwge): Switch to public header when it's ready.
|
||||
#include "src/core/lib/json/json.h" |
||||
|
||||
namespace grpc_core { |
||||
namespace experimental { |
||||
|
||||
// The class containing the context for an audited RPC.
|
||||
class AuditContext { |
||||
public: |
||||
AuditContext(absl::string_view rpc_method, absl::string_view principal, |
||||
absl::string_view policy_name, absl::string_view matched_rule, |
||||
bool authorized) |
||||
: rpc_method_(rpc_method), |
||||
principal_(principal), |
||||
policy_name_(policy_name), |
||||
matched_rule_(matched_rule), |
||||
authorized_(authorized) {} |
||||
|
||||
absl::string_view rpc_method() const { return rpc_method_; } |
||||
absl::string_view principal() const { return principal_; } |
||||
absl::string_view policy_name() const { return policy_name_; } |
||||
absl::string_view matched_rule() const { return matched_rule_; } |
||||
bool authorized() const { return authorized_; } |
||||
|
||||
private: |
||||
absl::string_view rpc_method_; |
||||
absl::string_view principal_; |
||||
absl::string_view policy_name_; |
||||
absl::string_view matched_rule_; |
||||
bool authorized_; |
||||
}; |
||||
|
||||
// This base class for audit logger implementations.
|
||||
class AuditLogger { |
||||
public: |
||||
virtual ~AuditLogger() = default; |
||||
virtual void Log(const AuditContext& audit_context) = 0; |
||||
}; |
||||
|
||||
// This is the base class for audit logger factory implementations.
|
||||
class AuditLoggerFactory { |
||||
public: |
||||
class Config { |
||||
public: |
||||
virtual ~Config() = default; |
||||
virtual absl::string_view name() const = 0; |
||||
virtual std::string ToString() const = 0; |
||||
}; |
||||
|
||||
virtual ~AuditLoggerFactory() = default; |
||||
virtual absl::string_view name() const = 0; |
||||
|
||||
virtual absl::StatusOr<std::unique_ptr<Config>> ParseAuditLoggerConfig( |
||||
const Json& json) = 0; |
||||
|
||||
virtual std::unique_ptr<AuditLogger> CreateAuditLogger( |
||||
std::unique_ptr<AuditLoggerFactory::Config>) = 0; |
||||
}; |
||||
|
||||
// Registers an audit logger factory. This should only be called during
|
||||
// initialization.
|
||||
void RegisterAuditLoggerFactory(std::unique_ptr<AuditLoggerFactory> factory); |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc_core
|
||||
|
||||
#endif /* GRPC_GRPC_AUDIT_LOGGING_H */ |
||||
@ -0,0 +1,44 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2023 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#ifndef GRPCPP_SECURITY_AUDIT_LOGGING_H |
||||
#define GRPCPP_SECURITY_AUDIT_LOGGING_H |
||||
|
||||
#include <memory> |
||||
#include <string> |
||||
#include <utility> |
||||
|
||||
#include "absl/status/statusor.h" |
||||
|
||||
#include <grpc/grpc_audit_logging.h> |
||||
#include <grpcpp/support/string_ref.h> |
||||
|
||||
namespace grpc { |
||||
namespace experimental { |
||||
|
||||
using grpc_core::experimental::AuditContext; // NOLINT(misc-unused-using-decls)
|
||||
using grpc_core::experimental::AuditLogger; // NOLINT(misc-unused-using-decls)
|
||||
using grpc_core::experimental:: |
||||
AuditLoggerFactory; // NOLINT(misc-unused-using-decls)
|
||||
using grpc_core::experimental:: |
||||
RegisterAuditLoggerFactory; // NOLINT(misc-unused-using-decls)
|
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc
|
||||
|
||||
#endif // GRPCPP_SECURITY_AUDIT_LOGGING_H
|
||||
@ -0,0 +1,91 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2023 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include "src/core/lib/security/authorization/audit_logging.h" |
||||
|
||||
#include <initializer_list> |
||||
#include <map> |
||||
#include <memory> |
||||
#include <utility> |
||||
|
||||
#include "absl/status/status.h" |
||||
#include "absl/status/statusor.h" |
||||
#include "absl/strings/str_format.h" |
||||
#include "absl/strings/string_view.h" |
||||
|
||||
#include <grpc/grpc_audit_logging.h> |
||||
#include <grpc/support/log.h> |
||||
|
||||
#include "src/core/lib/gprpp/sync.h" |
||||
#include "src/core/lib/json/json.h" |
||||
|
||||
namespace grpc_core { |
||||
namespace experimental { |
||||
|
||||
Mutex* AuditLoggerRegistry::mu = new Mutex(); |
||||
|
||||
AuditLoggerRegistry* AuditLoggerRegistry::registry = new AuditLoggerRegistry(); |
||||
|
||||
void AuditLoggerRegistry::RegisterFactory( |
||||
std::unique_ptr<AuditLoggerFactory> factory) { |
||||
GPR_ASSERT(factory != nullptr); |
||||
MutexLock lock(mu); |
||||
absl::string_view name = factory->name(); |
||||
GPR_ASSERT( |
||||
registry->logger_factories_map_.emplace(name, std::move(factory)).second); |
||||
} |
||||
|
||||
bool AuditLoggerRegistry::FactoryExists(absl::string_view name) { |
||||
MutexLock lock(mu); |
||||
return registry->logger_factories_map_.find(name) != |
||||
registry->logger_factories_map_.end(); |
||||
} |
||||
|
||||
absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>> |
||||
AuditLoggerRegistry::ParseConfig(absl::string_view name, const Json& json) { |
||||
MutexLock lock(mu); |
||||
auto it = registry->logger_factories_map_.find(name); |
||||
if (it == registry->logger_factories_map_.end()) { |
||||
return absl::NotFoundError( |
||||
absl::StrFormat("audit logger factory for %s does not exist", name)); |
||||
} |
||||
return it->second->ParseAuditLoggerConfig(json); |
||||
} |
||||
|
||||
std::unique_ptr<AuditLogger> AuditLoggerRegistry::CreateAuditLogger( |
||||
std::unique_ptr<AuditLoggerFactory::Config> config) { |
||||
MutexLock lock(mu); |
||||
auto it = registry->logger_factories_map_.find(config->name()); |
||||
GPR_ASSERT(it != registry->logger_factories_map_.end()); |
||||
return it->second->CreateAuditLogger(std::move(config)); |
||||
} |
||||
|
||||
void AuditLoggerRegistry::TestOnlyResetRegistry() { |
||||
MutexLock lock(mu); |
||||
delete registry; |
||||
registry = new AuditLoggerRegistry(); |
||||
} |
||||
|
||||
void RegisterAuditLoggerFactory(std::unique_ptr<AuditLoggerFactory> factory) { |
||||
AuditLoggerRegistry::RegisterFactory(std::move(factory)); |
||||
} |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc_core
|
||||
@ -0,0 +1,74 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2023 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#ifndef GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H |
||||
#define GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H |
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include <map> |
||||
#include <memory> |
||||
|
||||
#include "absl/base/thread_annotations.h" |
||||
#include "absl/status/statusor.h" |
||||
#include "absl/strings/string_view.h" |
||||
|
||||
#include <grpc/grpc_audit_logging.h> |
||||
|
||||
#include "src/core/lib/gprpp/sync.h" |
||||
#include "src/core/lib/json/json.h" |
||||
|
||||
namespace grpc_core { |
||||
namespace experimental { |
||||
|
||||
class AuditLoggerRegistry { |
||||
public: |
||||
static void RegisterFactory(std::unique_ptr<AuditLoggerFactory>); |
||||
|
||||
static bool FactoryExists(absl::string_view name); |
||||
|
||||
static absl::StatusOr<std::unique_ptr<AuditLoggerFactory::Config>> |
||||
ParseConfig(absl::string_view name, const Json& json); |
||||
|
||||
// This assume the given config is parsed and validated already.
|
||||
// Therefore, it should always succeed in creating a logger.
|
||||
static std::unique_ptr<AuditLogger> CreateAuditLogger( |
||||
std::unique_ptr<AuditLoggerFactory::Config>); |
||||
|
||||
// Factories are registered during initialization. They should never be
|
||||
// unregistered since they will be looked up at any time till the program
|
||||
// exits. This function should only be used in tests to clear the registry.
|
||||
static void TestOnlyResetRegistry(); |
||||
|
||||
private: |
||||
// TODO(lwge): Add built-in logger registrations once avaialble.
|
||||
AuditLoggerRegistry() = default; |
||||
|
||||
static Mutex* mu; |
||||
|
||||
static AuditLoggerRegistry* registry ABSL_GUARDED_BY(mu); |
||||
|
||||
// The key is owned by the factory.
|
||||
std::map<absl::string_view, std::unique_ptr<AuditLoggerFactory>> |
||||
logger_factories_map_ ABSL_GUARDED_BY(mu); |
||||
}; |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc_core
|
||||
|
||||
#endif // GRPC_SRC_CORE_LIB_SECURITY_AUTHORIZATION_AUDIT_LOGGING_H
|
||||
@ -0,0 +1,114 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2023 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include <memory> |
||||
#include <string> |
||||
|
||||
#include <gtest/gtest.h> |
||||
|
||||
#include "absl/status/status.h" |
||||
#include "absl/status/statusor.h" |
||||
#include "absl/strings/string_view.h" |
||||
|
||||
#include <grpc/grpc_audit_logging.h> |
||||
|
||||
#include "src/core/lib/json/json.h" |
||||
#include "src/core/lib/security/authorization/audit_logging.h" |
||||
#include "test/core/util/test_config.h" |
||||
#include "test/core/util/tls_utils.h" |
||||
|
||||
namespace grpc_core { |
||||
namespace testing { |
||||
|
||||
constexpr absl::string_view kName = "test_logger"; |
||||
|
||||
using experimental::AuditContext; |
||||
using experimental::AuditLogger; |
||||
using experimental::AuditLoggerFactory; |
||||
using experimental::AuditLoggerRegistry; |
||||
using experimental::RegisterAuditLoggerFactory; |
||||
|
||||
namespace { |
||||
|
||||
class TestAuditLogger : public AuditLogger { |
||||
public: |
||||
void Log(const AuditContext&) override {} |
||||
}; |
||||
|
||||
class TestAuditLoggerFactory : public AuditLoggerFactory { |
||||
public: |
||||
class TestConfig : public Config { |
||||
public: |
||||
absl::string_view name() const override { return kName; } |
||||
std::string ToString() const override { return "test_config"; } |
||||
}; |
||||
|
||||
absl::string_view name() const override { return kName; } |
||||
std::unique_ptr<AuditLogger> CreateAuditLogger( |
||||
std::unique_ptr<AuditLoggerFactory::Config>) override { |
||||
return std::make_unique<TestAuditLogger>(); |
||||
} |
||||
absl::StatusOr<std::unique_ptr<Config>> ParseAuditLoggerConfig( |
||||
const Json&) override { |
||||
return std::make_unique<TestConfig>(); |
||||
} |
||||
}; |
||||
|
||||
class AuditLoggingTest : public ::testing::Test { |
||||
protected: |
||||
void SetUp() override { |
||||
RegisterAuditLoggerFactory(std::make_unique<TestAuditLoggerFactory>()); |
||||
} |
||||
void TearDown() override { AuditLoggerRegistry::TestOnlyResetRegistry(); } |
||||
}; |
||||
|
||||
} // namespace
|
||||
|
||||
TEST_F(AuditLoggingTest, SuccessfulLoggerCreation) { |
||||
auto result = AuditLoggerRegistry::ParseConfig(kName, Json()); |
||||
ASSERT_TRUE(result.ok()); |
||||
ASSERT_NE(AuditLoggerRegistry::CreateAuditLogger(std::move(result.value())), |
||||
nullptr); |
||||
} |
||||
|
||||
TEST_F(AuditLoggingTest, UnknownLogger) { |
||||
auto result = AuditLoggerRegistry::ParseConfig("unknown_logger", Json()); |
||||
EXPECT_EQ(result.status().code(), absl::StatusCode::kNotFound); |
||||
EXPECT_EQ(result.status().message(), |
||||
"audit logger factory for unknown_logger does not exist") |
||||
<< result.status(); |
||||
} |
||||
|
||||
TEST_F(AuditLoggingTest, AuditLoggerFactoryExistenceChecks) { |
||||
EXPECT_TRUE(AuditLoggerRegistry::FactoryExists(kName)); |
||||
EXPECT_FALSE(AuditLoggerRegistry::FactoryExists("unknown_logger")); |
||||
} |
||||
|
||||
} // namespace testing
|
||||
} // namespace grpc_core
|
||||
|
||||
int main(int argc, char** argv) { |
||||
grpc::testing::TestEnvironment env(&argc, argv); |
||||
::testing::InitGoogleTest(&argc, argv); |
||||
grpc_init(); |
||||
int ret = RUN_ALL_TESTS(); |
||||
grpc_shutdown(); |
||||
return ret; |
||||
} |
||||
Loading…
Reference in new issue