/proc/self/cwd/source/extensions/filters/network/rbac/config.cc
1 | | #include "source/extensions/filters/network/rbac/config.h" |
2 | | |
3 | | #include "envoy/config/rbac/v3/rbac.pb.h" |
4 | | #include "envoy/extensions/filters/network/rbac/v3/rbac.pb.h" |
5 | | #include "envoy/extensions/filters/network/rbac/v3/rbac.pb.validate.h" |
6 | | #include "envoy/network/connection.h" |
7 | | #include "envoy/registry/registry.h" |
8 | | |
9 | | #include "source/extensions/filters/network/rbac/rbac_filter.h" |
10 | | #include "source/extensions/filters/network/well_known_names.h" |
11 | | |
12 | | #include "xds/type/matcher/v3/matcher.pb.h" |
13 | | |
14 | | namespace Envoy { |
15 | | namespace Extensions { |
16 | | namespace NetworkFilters { |
17 | | namespace RBACFilter { |
18 | | |
/**
 * Reject a header rule found in the network RBAC configuration.
 *
 * This filter is installed as a connection read filter (see the factory
 * callback below), so there are no HTTP headers for a header rule to match
 * against. Failing at config-load time keeps the policy fail-closed: the
 * listener refuses the config instead of running with a rule that can
 * never fire.
 *
 * @param header textual rendering of the offending rule (callers pass
 *        DebugString()), embedded in the exception message.
 * @throws EnvoyException always.
 */
static void validateFail(const std::string& header) {
  // Message text kept verbatim (including the missing space after the
  // comma) so callers/tests matching on it are unaffected.
  const std::string reason =
      fmt::format("Found header({}) rule,not supported by RBAC network filter", header);
  throw EnvoyException(reason);
}
24 | | |
/**
 * Walk one permission, and everything nested under it, rejecting any
 * header rule.
 *
 * Only `header` is rejected. The and_rules / or_rules / not_rule
 * combinators are recursed into so that a header rule buried at any depth
 * is still caught; this matters for not_rule in particular, where a rule
 * that can never be evaluated would presumably otherwise be negated into a
 * permission that always matches.
 *
 * @param permission the permission to validate.
 * @throws EnvoyException (via validateFail) when a header rule is present.
 */
static void validatePermission(const envoy::config::rbac::v3::Permission& permission) {
  if (permission.has_header()) {
    validateFail(permission.header().DebugString());
  }

  // Shared walker for the two list-shaped combinators.
  const auto validate_each = [](const auto& nested_rules) {
    for (const auto& nested : nested_rules) {
      validatePermission(nested);
    }
  };

  if (permission.has_and_rules()) {
    validate_each(permission.and_rules().rules());
  }
  if (permission.has_or_rules()) {
    validate_each(permission.or_rules().rules());
  }
  if (permission.has_not_rule()) {
    validatePermission(permission.not_rule());
  }
}
43 | | |
/**
 * Walk one principal, and everything nested under it, rejecting any
 * header rule.
 *
 * Mirrors validatePermission(): only `header` is rejected, and the
 * and_ids / or_ids / not_id combinators are recursed into so a header rule
 * nested at any depth is found. A header principal inside not_id is the
 * dangerous case — negating a rule that can never be evaluated here would
 * presumably yield a principal that matches every peer.
 *
 * @param principal the principal to validate.
 * @throws EnvoyException (via validateFail) when a header rule is present.
 */
static void validatePrincipal(const envoy::config::rbac::v3::Principal& principal) {
  if (principal.has_header()) {
    validateFail(principal.header().DebugString());
  }

  // Shared walker for the two list-shaped combinators.
  const auto validate_each = [](const auto& nested_ids) {
    for (const auto& nested : nested_ids) {
      validatePrincipal(nested);
    }
  };

  if (principal.has_and_ids()) {
    validate_each(principal.and_ids().ids());
  }
  if (principal.has_or_ids()) {
    validate_each(principal.or_ids().ids());
  }
  if (principal.has_not_id()) {
    validatePrincipal(principal.not_id());
  }
}
62 | | |
/**
 * Validate that no policy in `rules` contains a header rule, in either its
 * permissions or its principals.
 *
 * Header rules cannot be evaluated by this network filter, so they are
 * rejected at configuration time (validateFail throws). Only header rules
 * are checked here — metadata rules are not rejected by this function
 * (the previous comment said otherwise; confirm that is intended).
 * The factory runs both the enforced and the shadow rule set through this.
 *
 * @param rules the RBAC policy set to check.
 * @throws EnvoyException when any header rule is found.
 */
static void validateRbacRules(const envoy::config::rbac::v3::RBAC& rules) {
  for (const auto& policy_entry : rules.policies()) {
    const auto& policy = policy_entry.second;

    for (const auto& permission : policy.permissions()) {
      validatePermission(permission);
    }
    for (const auto& principal : policy.principals()) {
      validatePrincipal(principal);
    }
  }
}
76 | | |
/**
 * Build the network RBAC filter factory from its typed proto config.
 *
 * The enforced rule set and the shadow rule set are each validated before
 * any config object is built: a header rule in either makes this throw, so
 * the listener fails to load rather than running with a rule that can
 * never match. Only the `rules` and `shadow_rules` fields are inspected
 * here — NOTE(review): any other policy-carrying field of the proto is not
 * validated by this function; confirm it is handled elsewhere if present.
 *
 * @param proto_config the filter's typed configuration.
 * @param context factory context supplying the stats scope, the server
 *        factory context and the proto validation visitor.
 * @return a callback that installs a RoleBasedAccessControlFilter as a
 *         read filter on each connection, all sharing one config instance.
 * @throws EnvoyException from validateRbacRules() on an unsupported rule.
 */
Network::FilterFactoryCb
RoleBasedAccessControlNetworkFilterConfigFactory::createFilterFactoryFromProtoTyped(
    const envoy::extensions::filters::network::rbac::v3::RBAC& proto_config,
    Server::Configuration::FactoryContext& context) {
  // Enforced rules first, then shadow rules; both must pass.
  if (proto_config.has_rules()) {
    validateRbacRules(proto_config.rules());
  }
  if (proto_config.has_shadow_rules()) {
    validateRbacRules(proto_config.shadow_rules());
  }

  // One config instance is shared by every filter this factory creates.
  RoleBasedAccessControlFilterConfigSharedPtr filter_config =
      std::make_shared<RoleBasedAccessControlFilterConfig>(
          proto_config, context.scope(), context.getServerFactoryContext(),
          context.messageValidationVisitor());

  return [filter_config](Network::FilterManager& filter_manager) {
    auto filter = std::make_shared<RoleBasedAccessControlFilter>(filter_config);
    filter_manager.addReadFilter(filter);
  };
}
95 | | |
/**
 * Static registration for the RBAC network filter. @see RegisterFactory.
 *
 * Registers RoleBasedAccessControlNetworkFilterConfigFactory in the
 * NamedNetworkFilterConfigFactory category at static-initialization time,
 * presumably so listener configuration can select this filter by name.
 */
REGISTER_FACTORY(RoleBasedAccessControlNetworkFilterConfigFactory,
                 Server::Configuration::NamedNetworkFilterConfigFactory);
101 | | |
102 | | } // namespace RBACFilter |
103 | | } // namespace NetworkFilters |
104 | | } // namespace Extensions |
105 | | } // namespace Envoy |