/proc/self/cwd/source/extensions/filters/common/rbac/utility.h
Line | Count | Source |
1 | | #pragma once |
2 | | |
3 | | #include "envoy/stats/stats_macros.h" |
4 | | |
5 | | #include "source/common/common/fmt.h" |
6 | | #include "source/common/singleton/const_singleton.h" |
7 | | #include "source/extensions/filters/common/rbac/engine_impl.h" |
8 | | |
9 | | namespace Envoy { |
10 | | namespace Extensions { |
11 | | namespace Filters { |
12 | | namespace Common { |
13 | | namespace RBAC { |
14 | | |
15 | | /** |
16 | | * All stats for the enforced rules in RBAC filter. @see stats_macros.h |
17 | | */ |
18 | | #define ENFORCE_RBAC_FILTER_STATS(COUNTER) \ |
19 | 3.32k | COUNTER(allowed) \ |
20 | 3.32k | COUNTER(denied) |
21 | | |
22 | | /** |
23 | | * All stats for the shadow rules in RBAC filter. @see stats_macros.h |
24 | | */ |
25 | | #define SHADOW_RBAC_FILTER_STATS(COUNTER) \ |
26 | 3.32k | COUNTER(shadow_allowed) \ |
27 | 3.32k | COUNTER(shadow_denied) |
28 | | |
29 | | /** |
30 | | * Wrapper struct for the RBAC filter stats: it holds the counters of both the enforced rules |
| | * (ENFORCE_RBAC_FILTER_STATS) and the shadow rules (SHADOW_RBAC_FILTER_STATS). @see stats_macros.h |
31 | | */ |
32 | | struct RoleBasedAccessControlFilterStats { |
33 | | ENFORCE_RBAC_FILTER_STATS(GENERATE_COUNTER_STRUCT) |
34 | | SHADOW_RBAC_FILTER_STATS(GENERATE_COUNTER_STRUCT) |
35 | | }; |
36 | | |
37 | | RoleBasedAccessControlFilterStats |
38 | | generateStats(const std::string& prefix, const std::string& shadow_prefix, Stats::Scope& scope); |
39 | | |
| | /** |
| | * Builds the enforcing RBAC engine (EnforcementMode::Enforced) from a filter config. |
| | * |
| | * When config.has_matcher() is true, a RoleBasedAccessControlMatcherEngineImpl is built from |
| | * config.matcher(). Any config.rules() set alongside it are NOT used, and the only signal is a |
| | * warn-level log, so a config carrying both a matcher and rules does not enforce those rules. |
| | * Otherwise, when config.has_rules() is true, a RoleBasedAccessControlEngineImpl is built from |
| | * config.rules(). |
| | * |
| | * @param config filter config providing has_matcher()/matcher() and has_rules()/rules(). |
| | * @param context passed to the matcher engine only. |
| | * @param validation_visitor passed to the rules engine only. |
| | * @param action_validation_visitor passed to the matcher engine only. |
| | * @return the engine, or nullptr when neither a matcher nor rules are configured. |
| | * NOTE(review): what a null engine means for enforcement (e.g. whether traffic then passes |
| | * unchecked) is decided by the caller and is not visible here; confirm callers handle nullptr |
| | * deliberately. |
| | */ |
40 | | template <class ConfigType> |
41 | | std::unique_ptr<RoleBasedAccessControlEngine> |
42 | | createEngine(const ConfigType& config, Server::Configuration::ServerFactoryContext& context, |
43 | | ProtobufMessage::ValidationVisitor& validation_visitor, |
44 | 3.32k | ActionValidationVisitor& action_validation_visitor) { |
| | // The matcher takes precedence over rules. |
45 | 3.32k | if (config.has_matcher()) { |
46 | 41 | if (config.has_rules()) { |
| | // The rules are dropped rather than merged with the matcher; this warning is the only record. |
47 | 7 | ENVOY_LOG_MISC(warn, "RBAC rules are ignored when matcher is configured"); |
48 | 7 | } |
49 | 41 | return std::make_unique<RoleBasedAccessControlMatcherEngineImpl>( |
50 | 41 | config.matcher(), context, action_validation_visitor, EnforcementMode::Enforced); |
51 | 41 | } |
52 | 3.28k | if (config.has_rules()) { |
53 | 2.87k | return std::make_unique<RoleBasedAccessControlEngineImpl>(config.rules(), validation_visitor, |
54 | 2.87k | EnforcementMode::Enforced); |
55 | 2.87k | } |
56 | | |
| | // Neither a matcher nor rules: no enforcing engine is created. |
57 | 414 | return nullptr; |
58 | 3.28k | } std::__1::unique_ptr<Envoy::Extensions::Filters::Common::RBAC::RoleBasedAccessControlEngine, std::__1::default_delete<Envoy::Extensions::Filters::Common::RBAC::RoleBasedAccessControlEngine> > Envoy::Extensions::Filters::Common::RBAC::createEngine<envoy::extensions::filters::network::rbac::v3::RBAC>(envoy::extensions::filters::network::rbac::v3::RBAC const&, Envoy::Server::Configuration::ServerFactoryContext&, Envoy::ProtobufMessage::ValidationVisitor&, Envoy::Matcher::MatchTreeValidationVisitor<Envoy::Http::HttpMatchingData>&) Line | Count | Source | 44 | 609 | ActionValidationVisitor& action_validation_visitor) { | 45 | 609 | if (config.has_matcher()) { | 46 | 13 | if (config.has_rules()) { | 47 | 0 | ENVOY_LOG_MISC(warn, "RBAC rules are ignored when matcher is configured"); | 48 | 0 | } | 49 | 13 | return std::make_unique<RoleBasedAccessControlMatcherEngineImpl>( | 50 | 13 | config.matcher(), context, action_validation_visitor, EnforcementMode::Enforced); | 51 | 13 | } | 52 | 596 | if (config.has_rules()) { | 53 | 406 | return std::make_unique<RoleBasedAccessControlEngineImpl>(config.rules(), validation_visitor, | 54 | 406 | EnforcementMode::Enforced); | 55 | 406 | } | 56 | | | 57 | 190 | return nullptr; | 58 | 596 | } |
std::__1::unique_ptr<Envoy::Extensions::Filters::Common::RBAC::RoleBasedAccessControlEngine, std::__1::default_delete<Envoy::Extensions::Filters::Common::RBAC::RoleBasedAccessControlEngine> > Envoy::Extensions::Filters::Common::RBAC::createEngine<envoy::extensions::filters::http::rbac::v3::RBAC>(envoy::extensions::filters::http::rbac::v3::RBAC const&, Envoy::Server::Configuration::ServerFactoryContext&, Envoy::ProtobufMessage::ValidationVisitor&, Envoy::Matcher::MatchTreeValidationVisitor<Envoy::Http::HttpMatchingData>&) Line | Count | Source | 44 | 2.71k | ActionValidationVisitor& action_validation_visitor) { | 45 | 2.71k | if (config.has_matcher()) { | 46 | 28 | if (config.has_rules()) { | 47 | 7 | ENVOY_LOG_MISC(warn, "RBAC rules are ignored when matcher is configured"); | 48 | 7 | } | 49 | 28 | return std::make_unique<RoleBasedAccessControlMatcherEngineImpl>( | 50 | 28 | config.matcher(), context, action_validation_visitor, EnforcementMode::Enforced); | 51 | 28 | } | 52 | 2.68k | if (config.has_rules()) { | 53 | 2.46k | return std::make_unique<RoleBasedAccessControlEngineImpl>(config.rules(), validation_visitor, | 54 | 2.46k | EnforcementMode::Enforced); | 55 | 2.46k | } | 56 | | | 57 | 224 | return nullptr; | 58 | 2.68k | } |
|
59 | | |
| | /** |
| | * Builds the shadow RBAC engine (EnforcementMode::Shadow) from a filter config. |
| | * |
| | * When config.has_shadow_matcher() is true, a RoleBasedAccessControlMatcherEngineImpl is built |
| | * from config.shadow_matcher(). Any config.shadow_rules() set alongside it are NOT used, and the |
| | * only signal is a warn-level log, so shadow results then reflect the matcher alone. |
| | * Otherwise, when config.has_shadow_rules() is true, a RoleBasedAccessControlEngineImpl is built |
| | * from config.shadow_rules(). |
| | * |
| | * @param config filter config providing has_shadow_matcher()/shadow_matcher() and |
| | * has_shadow_rules()/shadow_rules(). |
| | * @param context passed to the matcher engine only. |
| | * @param validation_visitor passed to the rules engine only. |
| | * @param action_validation_visitor passed to the matcher engine only. |
| | * @return the engine, or nullptr when neither a shadow matcher nor shadow rules are configured. |
| | */ |
60 | | template <class ConfigType> |
61 | | std::unique_ptr<RoleBasedAccessControlEngine> |
62 | | createShadowEngine(const ConfigType& config, Server::Configuration::ServerFactoryContext& context, |
63 | | ProtobufMessage::ValidationVisitor& validation_visitor, |
64 | 2.10k | ActionValidationVisitor& action_validation_visitor) { |
| | // The shadow matcher takes precedence over shadow rules. |
65 | 2.10k | if (config.has_shadow_matcher()) { |
66 | 58 | if (config.has_shadow_rules()) { |
| | // The shadow rules are dropped rather than merged; this warning is the only record. |
67 | 14 | ENVOY_LOG_MISC(warn, "RBAC shadow rules are ignored when shadow matcher is configured"); |
68 | 14 | } |
69 | 58 | return std::make_unique<RoleBasedAccessControlMatcherEngineImpl>( |
70 | 58 | config.shadow_matcher(), context, action_validation_visitor, EnforcementMode::Shadow); |
71 | 58 | } |
72 | 2.04k | if (config.has_shadow_rules()) { |
73 | 1.46k | return std::make_unique<RoleBasedAccessControlEngineImpl>( |
74 | 1.46k | config.shadow_rules(), validation_visitor, EnforcementMode::Shadow); |
75 | 1.46k | } |
76 | | |
| | // Neither a shadow matcher nor shadow rules: no shadow engine is created. |
77 | 585 | return nullptr; |
78 | 2.04k | } std::__1::unique_ptr<Envoy::Extensions::Filters::Common::RBAC::RoleBasedAccessControlEngine, std::__1::default_delete<Envoy::Extensions::Filters::Common::RBAC::RoleBasedAccessControlEngine> > Envoy::Extensions::Filters::Common::RBAC::createShadowEngine<envoy::extensions::filters::network::rbac::v3::RBAC>(envoy::extensions::filters::network::rbac::v3::RBAC const&, Envoy::Server::Configuration::ServerFactoryContext&, Envoy::ProtobufMessage::ValidationVisitor&, Envoy::Matcher::MatchTreeValidationVisitor<Envoy::Http::HttpMatchingData>&) Line | Count | Source | 64 | 486 | ActionValidationVisitor& action_validation_visitor) { | 65 | 486 | if (config.has_shadow_matcher()) { | 66 | 20 | if (config.has_shadow_rules()) { | 67 | 13 | ENVOY_LOG_MISC(warn, "RBAC shadow rules are ignored when shadow matcher is configured"); | 68 | 13 | } | 69 | 20 | return std::make_unique<RoleBasedAccessControlMatcherEngineImpl>( | 70 | 20 | config.shadow_matcher(), context, action_validation_visitor, EnforcementMode::Shadow); | 71 | 20 | } | 72 | 466 | if (config.has_shadow_rules()) { | 73 | 452 | return std::make_unique<RoleBasedAccessControlEngineImpl>( | 74 | 452 | config.shadow_rules(), validation_visitor, EnforcementMode::Shadow); | 75 | 452 | } | 76 | | | 77 | 14 | return nullptr; | 78 | 466 | } |
std::__1::unique_ptr<Envoy::Extensions::Filters::Common::RBAC::RoleBasedAccessControlEngine, std::__1::default_delete<Envoy::Extensions::Filters::Common::RBAC::RoleBasedAccessControlEngine> > Envoy::Extensions::Filters::Common::RBAC::createShadowEngine<envoy::extensions::filters::http::rbac::v3::RBAC>(envoy::extensions::filters::http::rbac::v3::RBAC const&, Envoy::Server::Configuration::ServerFactoryContext&, Envoy::ProtobufMessage::ValidationVisitor&, Envoy::Matcher::MatchTreeValidationVisitor<Envoy::Http::HttpMatchingData>&) Line | Count | Source | 64 | 1.61k | ActionValidationVisitor& action_validation_visitor) { | 65 | 1.61k | if (config.has_shadow_matcher()) { | 66 | 38 | if (config.has_shadow_rules()) { | 67 | 1 | ENVOY_LOG_MISC(warn, "RBAC shadow rules are ignored when shadow matcher is configured"); | 68 | 1 | } | 69 | 38 | return std::make_unique<RoleBasedAccessControlMatcherEngineImpl>( | 70 | 38 | config.shadow_matcher(), context, action_validation_visitor, EnforcementMode::Shadow); | 71 | 38 | } | 72 | 1.58k | if (config.has_shadow_rules()) { | 73 | 1.01k | return std::make_unique<RoleBasedAccessControlEngineImpl>( | 74 | 1.01k | config.shadow_rules(), validation_visitor, EnforcementMode::Shadow); | 75 | 1.01k | } | 76 | | | 77 | 571 | return nullptr; | 78 | 1.58k | } |
|
79 | | |
80 | | std::string responseDetail(const std::string& policy_id); |
81 | | |
82 | | } // namespace RBAC |
83 | | } // namespace Common |
84 | | } // namespace Filters |
85 | | } // namespace Extensions |
86 | | } // namespace Envoy |