gitee.com/ks-custle/core-gm@v0.0.0-20230922171213-b83bdd97b62c/grpc/internal/xds/rbac/rbac_engine.go (about)

     1  /*
     2   * Copyright 2021 gRPC authors.
     3   *
     4   * Licensed under the Apache License, Version 2.0 (the "License");
     5   * you may not use this file except in compliance with the License.
     6   * You may obtain a copy of the License at
     7   *
     8   *     http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13   * See the License for the specific language governing permissions and
    14   * limitations under the License.
    15   */
    16  
    17  // Package rbac provides service-level and method-level access control for a
    18  // service. See
    19  // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#role-based-access-control-rbac
    20  // for documentation.
    21  package rbac
    22  
    23  import (
    24  	"context"
    25  	"errors"
    26  	"fmt"
    27  	"net"
    28  	"strconv"
    29  
    30  	"gitee.com/ks-custle/core-gm/x509"
    31  
    32  	v3rbacpb "gitee.com/ks-custle/core-gm/go-control-plane/envoy/config/rbac/v3"
    33  	grpc "gitee.com/ks-custle/core-gm/grpc"
    34  	"gitee.com/ks-custle/core-gm/grpc/codes"
    35  	"gitee.com/ks-custle/core-gm/grpc/credentials"
    36  	"gitee.com/ks-custle/core-gm/grpc/grpclog"
    37  	"gitee.com/ks-custle/core-gm/grpc/internal/transport"
    38  	"gitee.com/ks-custle/core-gm/grpc/metadata"
    39  	"gitee.com/ks-custle/core-gm/grpc/peer"
    40  	"gitee.com/ks-custle/core-gm/grpc/status"
    41  )
    42  
    43  const logLevel = 2
    44  
    45  var logger = grpclog.Component("rbac")
    46  
    47  var getConnection = transport.GetConnection
    48  
    49  // ChainEngine represents a chain of RBAC Engines, used to make authorization
    50  // decisions on incoming RPCs.
    51  type ChainEngine struct {
    52  	chainedEngines []*engine
    53  }
    54  
    55  // NewChainEngine returns a chain of RBAC engines, used to make authorization
    56  // decisions on incoming RPCs. Returns a non-nil error for invalid policies.
    57  func NewChainEngine(policies []*v3rbacpb.RBAC) (*ChainEngine, error) {
    58  	engines := make([]*engine, 0, len(policies))
    59  	for _, policy := range policies {
    60  		engine, err := newEngine(policy)
    61  		if err != nil {
    62  			return nil, err
    63  		}
    64  		engines = append(engines, engine)
    65  	}
    66  	return &ChainEngine{chainedEngines: engines}, nil
    67  }
    68  
    69  // IsAuthorized determines if an incoming RPC is authorized based on the chain of RBAC
    70  // engines and their associated actions.
    71  //
    72  // Errors returned by this function are compatible with the status package.
    73  func (cre *ChainEngine) IsAuthorized(ctx context.Context) error {
    74  	// This conversion step (i.e. pulling things out of ctx) can be done once,
    75  	// and then be used for the whole chain of RBAC Engines.
    76  	rpcData, err := newRPCData(ctx)
    77  	if err != nil {
    78  		logger.Errorf("newRPCData: %v", err)
    79  		return status.Errorf(codes.Internal, "gRPC RBAC: %v", err)
    80  	}
    81  	for _, engine := range cre.chainedEngines {
    82  		matchingPolicyName, ok := engine.findMatchingPolicy(rpcData)
    83  		if logger.V(logLevel) && ok {
    84  			logger.Infof("incoming RPC matched to policy %v in engine with action %v", matchingPolicyName, engine.action)
    85  		}
    86  
    87  		switch {
    88  		case engine.action == v3rbacpb.RBAC_ALLOW && !ok:
    89  			return status.Errorf(codes.PermissionDenied, "incoming RPC did not match an allow policy")
    90  		case engine.action == v3rbacpb.RBAC_DENY && ok:
    91  			return status.Errorf(codes.PermissionDenied, "incoming RPC matched a deny policy %q", matchingPolicyName)
    92  		}
    93  		// Every policy in the engine list must be queried. Thus, iterate to the
    94  		// next policy.
    95  	}
    96  	// If the incoming RPC gets through all of the engines successfully (i.e.
    97  	// doesn't not match an allow or match a deny engine), the RPC is authorized
    98  	// to proceed.
    99  	return nil
   100  }
   101  
   102  // engine is used for matching incoming RPCs to policies.
   103  type engine struct {
   104  	policies map[string]*policyMatcher
   105  	// action must be ALLOW or DENY.
   106  	action v3rbacpb.RBAC_Action
   107  }
   108  
   109  // newEngine creates an RBAC Engine based on the contents of policy. Returns a
   110  // non-nil error if the policy is invalid.
   111  func newEngine(config *v3rbacpb.RBAC) (*engine, error) {
   112  	a := config.GetAction()
   113  	if a != v3rbacpb.RBAC_ALLOW && a != v3rbacpb.RBAC_DENY {
   114  		return nil, fmt.Errorf("unsupported action %s", config.Action)
   115  	}
   116  
   117  	policies := make(map[string]*policyMatcher, len(config.GetPolicies()))
   118  	for name, policy := range config.GetPolicies() {
   119  		matcher, err := newPolicyMatcher(policy)
   120  		if err != nil {
   121  			return nil, err
   122  		}
   123  		policies[name] = matcher
   124  	}
   125  	return &engine{
   126  		policies: policies,
   127  		action:   a,
   128  	}, nil
   129  }
   130  
   131  // findMatchingPolicy determines if an incoming RPC matches a policy. On a
   132  // successful match, it returns the name of the matching policy and a true bool
   133  // to specify that there was a matching policy found.  It returns false in
   134  // the case of not finding a matching policy.
   135  func (r *engine) findMatchingPolicy(rpcData *rpcData) (string, bool) {
   136  	for policy, matcher := range r.policies {
   137  		if matcher.match(rpcData) {
   138  			return policy, true
   139  		}
   140  	}
   141  	return "", false
   142  }
   143  
   144  // newRPCData takes an incoming context (should be a context representing state
   145  // needed for server RPC Call with metadata, peer info (used for source ip/port
   146  // and TLS information) and connection (used for destination ip/port) piped into
   147  // it) and the method name of the Service being called server side and populates
   148  // an rpcData struct ready to be passed to the RBAC Engine to find a matching
   149  // policy.
   150  func newRPCData(ctx context.Context) (*rpcData, error) {
   151  	// The caller should populate all of these fields (i.e. for empty headers,
   152  	// pipe an empty md into context).
   153  	md, ok := metadata.FromIncomingContext(ctx)
   154  	if !ok {
   155  		return nil, errors.New("missing metadata in incoming context")
   156  	}
   157  	// ":method can be hard-coded to POST if unavailable" - A41
   158  	md[":method"] = []string{"POST"}
   159  	// "If the transport exposes TE in Metadata, then RBAC must special-case the
   160  	// header to treat it as not present." - A41
   161  	delete(md, "TE")
   162  
   163  	pi, ok := peer.FromContext(ctx)
   164  	if !ok {
   165  		return nil, errors.New("missing peer info in incoming context")
   166  	}
   167  
   168  	// The methodName will be available in the passed in ctx from a unary or streaming
   169  	// interceptor, as grpc.Server pipes in a transport stream which contains the methodName
   170  	// into contexts available in both unary or streaming interceptors.
   171  	mn, ok := grpc.Method(ctx)
   172  	if !ok {
   173  		return nil, errors.New("missing method in incoming context")
   174  	}
   175  
   176  	// The connection is needed in order to find the destination address and
   177  	// port of the incoming RPC Call.
   178  	conn := getConnection(ctx)
   179  	if conn == nil {
   180  		return nil, errors.New("missing connection in incoming context")
   181  	}
   182  	_, dPort, err := net.SplitHostPort(conn.LocalAddr().String())
   183  	if err != nil {
   184  		return nil, fmt.Errorf("error parsing local address: %v", err)
   185  	}
   186  	dp, err := strconv.ParseUint(dPort, 10, 32)
   187  	if err != nil {
   188  		return nil, fmt.Errorf("error parsing local address: %v", err)
   189  	}
   190  
   191  	var authType string
   192  	var peerCertificates []*x509.Certificate
   193  	if pi.AuthInfo != nil {
   194  		tlsInfo, ok := pi.AuthInfo.(credentials.TLSInfo)
   195  		if ok {
   196  			authType = pi.AuthInfo.AuthType()
   197  			peerCertificates = tlsInfo.State.PeerCertificates
   198  		}
   199  	}
   200  
   201  	return &rpcData{
   202  		md:              md,
   203  		peerInfo:        pi,
   204  		fullMethod:      mn,
   205  		destinationPort: uint32(dp),
   206  		localAddr:       conn.LocalAddr(),
   207  		authType:        authType,
   208  		certs:           peerCertificates,
   209  	}, nil
   210  }
   211  
   212  // rpcData wraps data pulled from an incoming RPC that the RBAC engine needs to
   213  // find a matching policy.
   214  type rpcData struct {
   215  	// md is the HTTP Headers that are present in the incoming RPC.
   216  	md metadata.MD
   217  	// peerInfo is information about the downstream peer.
   218  	peerInfo *peer.Peer
   219  	// fullMethod is the method name being called on the upstream service.
   220  	fullMethod string
   221  	// destinationPort is the port that the RPC is being sent to on the
   222  	// server.
   223  	destinationPort uint32
   224  	// localAddr is the address that the RPC is being sent to.
   225  	localAddr net.Addr
   226  	// authType is the type of authentication e.g. "tls".
   227  	authType string
   228  	// certs are the certificates presented by the peer during a TLS
   229  	// handshake.
   230  	certs []*x509.Certificate
   231  }