Coverage Report

Created: 2023-11-12 09:30

/proc/self/cwd/source/extensions/filters/network/rbac/config.cc
#include "source/extensions/filters/network/rbac/config.h"
#include "envoy/config/rbac/v3/rbac.pb.h"
#include "envoy/extensions/filters/network/rbac/v3/rbac.pb.h"
#include "envoy/extensions/filters/network/rbac/v3/rbac.pb.validate.h"
#include "envoy/network/connection.h"
#include "envoy/registry/registry.h"
#include "source/extensions/filters/network/rbac/rbac_filter.h"
#include "source/extensions/filters/network/well_known_names.h"
#include "xds/type/matcher/v3/matcher.pb.h"
namespace Envoy {
namespace Extensions {
namespace NetworkFilters {
namespace RBACFilter {
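/**
 * Reject a header-based rule. Header matchers are not supported by the
 * network-level RBAC filter, and the configuration is refused at load time
 * (see createFilterFactoryFromProtoTyped) so that such a rule is never
 * silently ignored.
 *
 * @param header debug representation of the offending header matcher,
 *        embedded in the exception message.
 * @throws EnvoyException always.
 */
[[noreturn]] static void validateFail(const std::string& header) {
  // The two adjacent literals are concatenated by the compiler; the trailing
  // space after the comma keeps the message readable ("rule, not supported").
  throw EnvoyException(fmt::format("Found header({}) rule, "
                                   "not supported by RBAC network filter",
                                   header));
}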
/**
 * Recursively walk a Permission and reject any header matcher found in it.
 *
 * @param permission the permission rule to inspect; and/or/not composites are
 *        descended into so a nested header rule is caught as well.
 * @throws EnvoyException via validateFail() on the first header rule found.
 */
static void validatePermission(const envoy::config::rbac::v3::Permission& permission) {
  // Check this node before descending into any composite.
  if (permission.has_header()) {
    validateFail(permission.header().DebugString());
  }
  // Shared traversal for the and/or composites so the two branches cannot
  // drift apart.
  const auto validate_each = [](const auto& nested_rules) {
    for (const auto& nested : nested_rules) {
      validatePermission(nested);
    }
  };
  if (permission.has_and_rules()) {
    validate_each(permission.and_rules().rules());
  }
  if (permission.has_or_rules()) {
    validate_each(permission.or_rules().rules());
  }
  if (permission.has_not_rule()) {
    validatePermission(permission.not_rule());
  }
}
/**
 * Recursively walk a Principal and reject any header matcher found in it.
 *
 * @param principal the principal to inspect; and/or/not composites are
 *        descended into so a nested header rule is caught as well.
 * @throws EnvoyException via validateFail() on the first header rule found.
 */
static void validatePrincipal(const envoy::config::rbac::v3::Principal& principal) {
  // Check this node before descending into any composite.
  if (principal.has_header()) {
    validateFail(principal.header().DebugString());
  }
  // Shared traversal for the and/or composites so the two branches cannot
  // drift apart.
  const auto validate_each = [](const auto& nested_ids) {
    for (const auto& nested : nested_ids) {
      validatePrincipal(nested);
    }
  };
  if (principal.has_and_ids()) {
    validate_each(principal.and_ids().ids());
  }
  if (principal.has_or_ids()) {
    validate_each(principal.or_ids().ids());
  }
  if (principal.has_not_id()) {
    validatePrincipal(principal.not_id());
  }
}
/**
 * Validate that no policy in the given RBAC rules uses a header rule, which
 * the network filter cannot evaluate. Every permission and every principal of
 * every policy is checked, including nested and/or/not composites.
 *
 * @param rules the RBAC rule set (enforced or shadow) to validate.
 * @throws EnvoyException on the first header rule found.
 */
static void validateRbacRules(const envoy::config::rbac::v3::RBAC& rules) {
  for (const auto& entry : rules.policies()) {
    // Policies are keyed by name; only the policy body is inspected here.
    const auto& policy = entry.second;
    for (const auto& permission : policy.permissions()) {
      validatePermission(permission);
    }
    for (const auto& principal : policy.principals()) {
      validatePrincipal(principal);
    }
  }
}
/**
 * Build the factory callback for the RBAC network filter from its typed proto.
 *
 * Both the enforced rules and the shadow rules are rejected at load time if
 * they contain a header rule, so the problem surfaces as a configuration
 * error rather than as a rule the network filter can never evaluate.
 *
 * @param proto_config the filter's typed configuration.
 * @param context factory context supplying the stats scope, the server
 *        factory context and the message validation visitor.
 * @return a callback that installs a RoleBasedAccessControlFilter as a read
 *         filter; the config is captured by shared pointer so every filter
 *         instance produced by the callback shares one config object.
 * @throws EnvoyException if either rule set contains a header rule.
 */
Network::FilterFactoryCb
RoleBasedAccessControlNetworkFilterConfigFactory::createFilterFactoryFromProtoTyped(
    const envoy::extensions::filters::network::rbac::v3::RBAC& proto_config,
    Server::Configuration::FactoryContext& context) {
  // Shadow rules get exactly the same check as enforced rules.
  if (proto_config.has_rules()) {
    validateRbacRules(proto_config.rules());
  }
  if (proto_config.has_shadow_rules()) {
    validateRbacRules(proto_config.shadow_rules());
  }

  RoleBasedAccessControlFilterConfigSharedPtr filter_config =
      std::make_shared<RoleBasedAccessControlFilterConfig>(proto_config, context.scope(),
                                                           context.getServerFactoryContext(),
                                                           context.messageValidationVisitor());

  // Move the shared config into the closure; the callback may be invoked many
  // times and hands the same config to each filter it creates.
  return [filter_config = std::move(filter_config)](Network::FilterManager& filter_manager) {
    filter_manager.addReadFilter(std::make_shared<RoleBasedAccessControlFilter>(filter_config));
  };
}
/**
 * Static registration for the RBAC network filter. @see RegisterFactory.
 *
 * Registers RoleBasedAccessControlNetworkFilterConfigFactory as a
 * Server::Configuration::NamedNetworkFilterConfigFactory at static-init time.
 */
REGISTER_FACTORY(RoleBasedAccessControlNetworkFilterConfigFactory,
                 Server::Configuration::NamedNetworkFilterConfigFactory);
} // namespace RBACFilter
} // namespace NetworkFilters
} // namespace Extensions
} // namespace Envoy