authz: Rbac engine audit logging #6225
Merged
Changes from 102 commits
Commits
106 commits
8b9f59a
Add conversion of json to RBAC Audit Logging config
gtcooke94 56ab1cd
Swap to passing around references instead of copied values
gtcooke94 0f3b6e7
Change v3 to v3corepb
gtcooke94 6bff58b
go mod tidy compat=1.17
gtcooke94 9b3ab47
go mod tidy in examples
gtcooke94 bbafb89
mod tidy
gtcooke94 5dad66e
go mod tidy compat=1.17
gtcooke94 73b1390
more tidy
gtcooke94 27cfe85
replace panic with t.fatal
gtcooke94 c8751d3
return nil when error
gtcooke94 441fb5c
lowercase start of error message
gtcooke94 2326e9f
remove redundant change
gtcooke94 abcb93f
Fix test logging hard-coding problem
gtcooke94 3f57e69
Changed behavior of missing configs per PR discussion
gtcooke94 b7863ee
Change parser to use map from generated proto go file
gtcooke94 48a875e
ALLOW and DENY filter should get separate audit logger config
gtcooke94 edf40f1
Small change remove and else
gtcooke94 551ced9
Construct and allow and denyproto from the beginning
gtcooke94 1718c45
Merge branch 'master' into AuditLoggingRBACTranslator
gtcooke94 dad7293
compat 1.17 in examples
gtcooke94 7b9e96e
more 1.17 compat
gtcooke94 1f4c0c0
Address PR comments
gtcooke94 2eb4512
starting work
gtcooke94 fd97b2c
Move audit logger to its own package
gtcooke94 ca8f66c
remove audit prefixes since it's the package name now
gtcooke94 bf571d6
Add package comment
gtcooke94 49f1ff3
Merge branch 'MoveAuditPackage' into RBACEngine
gtcooke94 066adbb
Merge branch 'master' into RBACEngine
gtcooke94 472d752
some work
gtcooke94 66fa61a
Shell for audit logging
gtcooke94 95a5253
Continuing impl
gtcooke94 67a71ff
Continuing work
gtcooke94 1a4e978
Adding NewChainEngine tests
gtcooke94 1a5b03d
Don't create a new anonymous type every time
gtcooke94 5490046
basic engine test
gtcooke94 1c4b097
Working on pushing policyname through
gtcooke94 0747d62
Changing NewChainEngine to include policyName
gtcooke94 fa5e894
new commented tests
gtcooke94 b95b6f1
Renamed to NewChainEngine
gtcooke94 9ef033b
Finish renaming
gtcooke94 4896f7e
More tests
gtcooke94 6fb2f46
more tests
gtcooke94 760f946
More comments
gtcooke94 d426edb
Add policyName to tests
gtcooke94 5aef84f
merge master
gtcooke94 1b60ec1
fix
gtcooke94 6287772
Cleanup
gtcooke94 90a1306
tests for bad cases
gtcooke94 bc236d9
configJson -> configJSON
gtcooke94 60338b3
Added feature and tests for handling IsOptional on unsupported logger…
gtcooke94 c4e6067
Make lines wrap shorter
gtcooke94 4fec2a8
Addressing PR comments
gtcooke94 60088e3
Addressing PR comments
gtcooke94 50f2673
undo rename of matchingPolicyName
gtcooke94 26e48ce
make builder manage the list of auditEvents
gtcooke94 67613d3
Add comment in internal.go
gtcooke94 468126a
Don't use pointer to audit.Logger interface
gtcooke94 4a9e3f8
Change error message
gtcooke94 16ea27e
Cleanup parsing custom config
gtcooke94 89bc833
changing a name for receiver consistency
gtcooke94 938b6b9
rename engine receiver -> e
gtcooke94 752d9e6
Refactor audit logger option parsing to its own func
gtcooke94 844216c
Change to more preferred slice declaration
gtcooke94 a46cd2e
Merge branch 'master' into RBACEngineAuditLogging
gtcooke94 f86c660
Moving to correct TypedConfig structure for custom config
gtcooke94 cab68ba
Use TypedStruct properly for custom configs
gtcooke94 21a3788
parse out the prefix of the name
gtcooke94 5e5f9e9
Move custom config logic to its own converter.go file, setup pattern…
gtcooke94 724e066
standardize imports
gtcooke94 89aca52
Change principal handling:
gtcooke94 1685b62
Remove extra package comment
gtcooke94 2f51981
Rename helper functions
gtcooke94 8e20f7f
fix go vet error
gtcooke94 c5798a9
Added error cases for buildLogger
gtcooke94 d35a865
Actually add the new converter_test.go file
gtcooke94 9e16b15
Remove tests that weren't being used
gtcooke94 697ad75
Add copyright
gtcooke94 2bead31
git messiness, sorry
gtcooke94 5ce64e9
combine if conditions
gtcooke94 1402f64
Addressing PR comments
gtcooke94 ac17f03
Address PR comments
gtcooke94 488c09d
Use test name for individual loggers rather than clearing the registry
gtcooke94 9fa7542
Remove internal unregister function
gtcooke94 5392f60
remove unregisterLoggerBuilder
gtcooke94 421acff
Apply punctuation suggestions from code review
gtcooke94 0960c8b
%s/typedURLPrefix/typeURLPrefix
gtcooke94 2cb5de1
More PR comments
gtcooke94 361dcba
Merge master
gtcooke94 4dd9061
Add more descriptive error in helper
gtcooke94 a81070c
Own TODO
gtcooke94 50d1699
Apply suggestions from code review
gtcooke94 1637d73
Address PR comments
gtcooke94 4c2b1bb
Change how we get SPIFFE ID
gtcooke94 218ba4b
Change missing custom config behavior
gtcooke94 1ec90ed
Merge remote-tracking branch 'origin/RBACEngineAuditLogging' into RBA…
gtcooke94 85696a7
lowercase
gtcooke94 d8777da
Change error message
gtcooke94 cfaf71d
reword other errors
gtcooke94 dd6ff8d
Fix test error strings
gtcooke94 4362f75
handle s == nil
gtcooke94 d582f2c
use value instead of pointer
gtcooke94 6908c86
Remove unnecessary spiffe scheme check
gtcooke94 ea8f50e
Make for loop use value
gtcooke94 dd2f2a6
Swap to []*auditLogger
gtcooke94 52f77b8
Add check for empty audit logger name
gtcooke94 2f0a376
Better error message
gtcooke94
@@ -0,0 +1,98 @@ | ||
/* | ||
* Copyright 2023 gRPC authors. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
package rbac | ||
|
||
import ( | ||
"encoding/json" | ||
"fmt" | ||
"strings" | ||
|
||
v1xdsudpatypepb "github.com/cncf/xds/go/udpa/type/v1" | ||
v3xdsxdstypepb "github.com/cncf/xds/go/xds/type/v3" | ||
v3rbacpb "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3" | ||
"google.golang.org/grpc/authz/audit" | ||
"google.golang.org/protobuf/types/known/anypb" | ||
"google.golang.org/protobuf/types/known/structpb" | ||
) | ||
|
||
const udpaTypedStuctType = "type.googleapis.com/udpa.type.v1.TypedStruct" | ||
const xdsTypedStuctType = "type.googleapis.com/xds.type.v3.TypedStruct" | ||
|
||
func buildLogger(loggerConfig *v3rbacpb.RBAC_AuditLoggingOptions_AuditLoggerConfig) (audit.Logger, error) { | ||
|
||
if loggerConfig.GetAuditLogger().GetTypedConfig() == nil { | ||
return nil, fmt.Errorf("missing required field: TypedConfig") | ||
} | ||
customConfig, loggerName, err := getCustomConfig(loggerConfig.AuditLogger.TypedConfig) | ||
if err != nil { | ||
return nil, err | ||
} | ||
if loggerName == "" { | ||
return nil, fmt.Errorf("field TypedConfig.TypeURL cannot be an empty string") | ||
} | ||
factory := audit.GetLoggerBuilder(loggerName) | ||
if factory == nil { | ||
if loggerConfig.IsOptional { | ||
return nil, nil | ||
} | ||
return nil, fmt.Errorf("no builder registered for %v", loggerName) | ||
} | ||
auditLoggerConfig, err := factory.ParseLoggerConfig(customConfig) | ||
if err != nil { | ||
return nil, fmt.Errorf("custom config could not be parsed by registered factory. error: %v", err) | ||
} | ||
auditLogger := factory.Build(auditLoggerConfig) | ||
return auditLogger, nil | ||
} | ||
|
||
func getCustomConfig(config *anypb.Any) (json.RawMessage, string, error) { | ||
switch config.GetTypeUrl() { | ||
case udpaTypedStuctType: | ||
typedStruct := &v1xdsudpatypepb.TypedStruct{} | ||
if err := config.UnmarshalTo(typedStruct); err != nil { | ||
return nil, "", fmt.Errorf("failed to unmarshal resource: %v", err) | ||
} | ||
return convertCustomConfig(typedStruct.TypeUrl, typedStruct.Value) | ||
case xdsTypedStuctType: | ||
typedStruct := &v3xdsxdstypepb.TypedStruct{} | ||
if err := config.UnmarshalTo(typedStruct); err != nil { | ||
return nil, "", fmt.Errorf("failed to unmarshal resource: %v", err) | ||
} | ||
return convertCustomConfig(typedStruct.TypeUrl, typedStruct.Value) | ||
} | ||
return nil, "", fmt.Errorf("custom config not implemented for type [%v]", config.GetTypeUrl()) | ||
} | ||
|
||
func convertCustomConfig(typeURL string, s *structpb.Struct) (json.RawMessage, string, error) { | ||
// The gRPC policy name will be the "type name" part of the value of the | ||
// type_url field in the TypedStruct. We get this by using the part after | ||
// the last / character. Can assume a valid type_url from the control plane. | ||
urls := strings.Split(typeURL, "/") | ||
if len(urls) == 0 { | ||
return nil, "", fmt.Errorf("error converting custom audit logger %v for %v: typeURL must have a url-like format with the typeName being the value after the last /", typeURL, s) | ||
} | ||
name := urls[len(urls)-1] | ||
|
||
rawJSON := []byte("{}") | ||
var err error | ||
if s != nil { | ||
rawJSON, err = json.Marshal(s) | ||
if err != nil { | ||
return nil, "", fmt.Errorf("error converting custom audit logger %v for %v: %v", typeURL, s, err) | ||
} | ||
} | ||
return rawJSON, name, nil | ||
} |
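Review bot: In convertCustomConfig the `len(urls) == 0` guard is dead code: strings.Split always returns at least one element (for an empty typeURL it returns a single empty string), so that branch can never fire, and a type_url that is empty or ends in "/" falls through with name == "" and is only rejected later by buildLogger's `loggerName == ""` check. Either drop the guard or test `name == ""` here so the descriptive "url-like format" error is actually reachable, e.g. `if name == "" { return nil, "", fmt.Errorf("... typeURL must have a url-like format ...", typeURL) }`. Two smaller points on the same hunk: the constants `udpaTypedStuctType` and `xdsTypedStuctType` are missing the "r" in "Struct", and both error paths in convertCustomConfig format the whole `*structpb.Struct` with %v, which copies the full custom logger configuration into the error string; reporting only typeURL (or the derived name) keeps configuration values out of error logs. Finally, buildLogger returns (nil, nil) when no builder is registered and IsOptional is set, so every caller must skip a nil logger rather than append it to the engine's logger list; worth a doc comment on the function.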
`for _, config := range options.AuditLoggers`?

Changed, I think this was a holdover from when this was structured differently.

Looks like this is why? Should this be `[]*auditLogger` then?

Oh yes, I remember now that is why I had done that - changed to `[]*auditLogger`