/proc/self/cwd/source/extensions/filters/common/rbac/engine_impl.h
Line | Count | Source (jump to first uncovered line) |
1 | | #pragma once |
2 | | |
3 | | #include "envoy/config/rbac/v3/rbac.pb.h" |
4 | | |
5 | | #include "source/common/http/matching/data_impl.h" |
6 | | #include "source/common/matcher/matcher.h" |
7 | | #include "source/extensions/filters/common/rbac/engine.h" |
8 | | #include "source/extensions/filters/common/rbac/matchers.h" |
9 | | |
10 | | #include "xds/type/matcher/v3/matcher.pb.h" |
11 | | |
12 | | namespace Envoy { |
13 | | namespace Extensions { |
14 | | namespace Filters { |
15 | | namespace Common { |
16 | | namespace RBAC { |
17 | | |
18 | | class DynamicMetadataKeys { |
19 | | public: |
20 | | const std::string ShadowEffectivePolicyIdField{"shadow_effective_policy_id"}; |
21 | | const std::string ShadowEngineResultField{"shadow_engine_result"}; |
22 | | const std::string EngineResultAllowed{"allowed"}; |
23 | | const std::string EngineResultDenied{"denied"}; |
24 | | const std::string AccessLogKey{"access_log_hint"}; |
25 | | const std::string CommonNamespace{"envoy.common"}; |
26 | | }; |
27 | | |
28 | | using DynamicMetadataKeysSingleton = ConstSingleton<DynamicMetadataKeys>; |
29 | | |
30 | | enum class EnforcementMode { Enforced, Shadow }; |
31 | | |
32 | | struct ActionContext { |
33 | | bool has_log_; |
34 | | }; |
35 | | |
36 | | class Action : public Envoy::Matcher::ActionBase<envoy::config::rbac::v3::Action> { |
37 | | public: |
38 | | Action(const std::string& name, const envoy::config::rbac::v3::RBAC::Action action) |
39 | 0 | : name_(name), action_(action) {} |
40 | | |
41 | 0 | const std::string& name() const { return name_; } |
42 | 0 | envoy::config::rbac::v3::RBAC::Action action() const { return action_; } |
43 | | |
44 | | private: |
45 | | const std::string name_; |
46 | | const envoy::config::rbac::v3::RBAC::Action action_; |
47 | | }; |
48 | | |
49 | | class ActionFactory : public Envoy::Matcher::ActionFactory<ActionContext> { |
50 | | public: |
51 | | Envoy::Matcher::ActionFactoryCb |
52 | | createActionFactoryCb(const Protobuf::Message& config, ActionContext& context, |
53 | | ProtobufMessage::ValidationVisitor& validation_visitor) override; |
54 | 16 | std::string name() const override { return "envoy.filters.rbac.action"; } |
55 | 1 | ProtobufTypes::MessagePtr createEmptyConfigProto() override { |
56 | 1 | return std::make_unique<envoy::config::rbac::v3::Action>(); |
57 | 1 | } |
58 | | }; |
59 | | |
60 | | using ActionValidationVisitor = Envoy::Matcher::MatchTreeValidationVisitor<Http::HttpMatchingData>; |
61 | | |
62 | | void generateLog(StreamInfo::StreamInfo& info, EnforcementMode mode, bool log); |
63 | | |
64 | | class RoleBasedAccessControlEngineImpl : public RoleBasedAccessControlEngine, NonCopyable { |
65 | | public: |
66 | | RoleBasedAccessControlEngineImpl(const envoy::config::rbac::v3::RBAC& rules, |
67 | | ProtobufMessage::ValidationVisitor& validation_visitor, |
68 | | const EnforcementMode mode = EnforcementMode::Enforced); |
69 | | |
70 | | bool handleAction(const Network::Connection& connection, |
71 | | const Envoy::Http::RequestHeaderMap& headers, StreamInfo::StreamInfo& info, |
72 | | std::string* effective_policy_id) const override; |
73 | | |
74 | | bool handleAction(const Network::Connection& connection, StreamInfo::StreamInfo& info, |
75 | | std::string* effective_policy_id) const override; |
76 | | |
77 | | private: |
78 | | // Checks whether the request matches any policies |
79 | | bool checkPolicyMatch(const Network::Connection& connection, const StreamInfo::StreamInfo& info, |
80 | | const Envoy::Http::RequestHeaderMap& headers, |
81 | | std::string* effective_policy_id) const; |
82 | | |
83 | | const envoy::config::rbac::v3::RBAC::Action action_; |
84 | | const EnforcementMode mode_; |
85 | | |
86 | | std::map<std::string, std::unique_ptr<PolicyMatcher>> policies_; |
87 | | |
88 | | Protobuf::Arena constant_arena_; |
89 | | Expr::BuilderPtr builder_; |
90 | | }; |
91 | | |
92 | | class RoleBasedAccessControlMatcherEngineImpl : public RoleBasedAccessControlEngine, NonCopyable { |
93 | | public: |
94 | | RoleBasedAccessControlMatcherEngineImpl( |
95 | | const xds::type::matcher::v3::Matcher& matcher, |
96 | | Server::Configuration::ServerFactoryContext& factory_context, |
97 | | ActionValidationVisitor& validation_visitor, |
98 | | const EnforcementMode mode = EnforcementMode::Enforced); |
99 | | |
100 | | bool handleAction(const Network::Connection& connection, |
101 | | const Envoy::Http::RequestHeaderMap& headers, StreamInfo::StreamInfo& info, |
102 | | std::string* effective_policy_id) const override; |
103 | | |
104 | | bool handleAction(const Network::Connection& connection, StreamInfo::StreamInfo& info, |
105 | | std::string* effective_policy_id) const override; |
106 | | |
107 | | private: |
108 | | const EnforcementMode mode_; |
109 | | Envoy::Matcher::MatchTreeSharedPtr<Http::HttpMatchingData> matcher_; |
110 | | bool has_log_; |
111 | | }; |
112 | | |
113 | | } // namespace RBAC |
114 | | } // namespace Common |
115 | | } // namespace Filters |
116 | | } // namespace Extensions |
117 | | } // namespace Envoy |