[Audit Logging] Authz policy support for audit logging (#32944)

Add audit condition and audit logger config into `grpc_core::Rbac`.
Support translation of audit logging options from authz policy to it.

Audit logging options in authz policy looks like:
```json
{
  "audit_logging_options": {
    "audit_condition": "ON_DENY",
    "audit_loggers": [
      {
        "name": "logger",
        "config": {},
        "is_optional": false
      }
    ]
  }
}
```
which is consistent with what's in the xDS RBAC proto but a little
flattened.

---------

Co-authored-by: rockspore <rockspore@users.noreply.github.com>

BUILD

@@ -927,6 +927,7 @@ grpc_cc_library(
         "grpc_trace",
         "ref_counted_ptr",
         "//src/core:error",
+        "//src/core:grpc_audit_logging",
         "//src/core:grpc_authorization_base",
         "//src/core:grpc_matchers",
         "//src/core:grpc_rbac_engine",

src/core/ext/filters/rbac/rbac_service_config_parser.cc

@@ -193,6 +193,7 @@ struct RbacConfig {
       void JsonPostLoad(const Json&, const JsonArgs&, ValidationErrors* errors);
     };
 
+    std::string name;
     absl::optional<Rules> rules;
 
     Rbac TakeAsRbac();
@@ -756,14 +757,16 @@ Rbac RbacConfig::RbacPolicy::TakeAsRbac() {
   if (!rules.has_value()) {
     // No enforcing to be applied. An empty deny policy with an empty map
     // is equivalent to no enforcing.
-    return Rbac(Rbac::Action::kDeny, {});
+    return Rbac(std::move(name), Rbac::Action::kDeny, {});
   }
+  // TODO(lwge): This also needs to take the name.
   return rules->TakeAsRbac();
 }
 
 const JsonLoaderInterface* RbacConfig::RbacPolicy::JsonLoader(const JsonArgs&) {
   static const auto* loader = JsonObjectLoader<RbacPolicy>()
                                   .OptionalField("rules", &RbacPolicy::rules)
+                                  .Field("filter_name", &RbacPolicy::name)
                                   .Finish();
   return loader;
 }

src/core/lib/security/authorization/rbac_policy.cc

@@ -22,33 +22,62 @@
 
 #include "absl/strings/str_format.h"
 #include "absl/strings/str_join.h"
+#include "absl/strings/string_view.h"
 
 namespace grpc_core {
 
 //
 // Rbac
 //
 
-Rbac::Rbac(Rbac::Action action, std::map<std::string, Policy> policies)
-    : action(action), policies(std::move(policies)) {}
+Rbac::Rbac(std::string name, Rbac::Action action,
+           std::map<std::string, Policy> policies)
+    : name(std::move(name)), action(action), policies(std::move(policies)) {}
 
 Rbac::Rbac(Rbac&& other) noexcept
-    : action(other.action), policies(std::move(other.policies)) {}
+    : name(std::move(other.name)),
+      action(other.action),
+      policies(std::move(other.policies)),
+      audit_condition(other.audit_condition),
+      logger_configs(std::move(other.logger_configs)) {}
 
 Rbac& Rbac::operator=(Rbac&& other) noexcept {
+  name = std::move(other.name);
   action = other.action;
   policies = std::move(other.policies);
+  audit_condition = other.audit_condition;
+  logger_configs = std::move(other.logger_configs);
   return *this;
 }
 
 std::string Rbac::ToString() const {
   std::vector<std::string> contents;
+  absl::string_view condition_str;
+  switch (audit_condition) {
+    case Rbac::AuditCondition::kNone:
+      condition_str = "None";
+      break;
+    case AuditCondition::kOnDeny:
+      condition_str = "OnDeny";
+      break;
+    case AuditCondition::kOnAllow:
+      condition_str = "OnAllow";
+      break;
+    case AuditCondition::kOnDenyAndAllow:
+      condition_str = "OnDenyAndAllow";
+      break;
+  }
   contents.push_back(absl::StrFormat(
-      "Rbac action=%s{", action == Rbac::Action::kAllow ? "Allow" : "Deny"));
+      "Rbac name=%s action=%s audit_condition=%s{", name,
+      action == Rbac::Action::kAllow ? "Allow" : "Deny", condition_str));
   for (const auto& p : policies) {
     contents.push_back(absl::StrFormat("{\n  policy_name=%s\n%s\n}", p.first,
                                        p.second.ToString()));
   }
+  for (const auto& config : logger_configs) {
+    contents.push_back(absl::StrFormat("{\n  audit_logger=%s\n%s\n}",
+                                       config->name(), config->ToString()));
+  }
   contents.push_back("}");
   return absl::StrJoin(contents, "\n");
 }

src/core/lib/security/authorization/rbac_policy.h

@@ -26,18 +26,27 @@
 
 #include "absl/types/optional.h"
 
+#include <grpc/grpc_audit_logging.h>
+
 #include "src/core/lib/matchers/matchers.h"
 
 namespace grpc_core {
 
 // Represents Envoy RBAC Proto. [See
-// https://github.com/envoyproxy/envoy/blob/release/v1.17/api/envoy/config/rbac/v3/rbac.proto]
+// https://github.com/envoyproxy/envoy/blob/release/v1.26/api/envoy/config/rbac/v3/rbac.proto]
 struct Rbac {
   enum class Action {
     kAllow,
     kDeny,
   };
 
+  enum class AuditCondition {
+    kNone,
+    kOnDeny,
+    kOnAllow,
+    kOnDenyAndAllow,
+  };
+
   struct CidrRange {
     CidrRange() = default;
     CidrRange(std::string address_prefix, uint32_t prefix_len);
@@ -162,15 +171,23 @@ struct Rbac {
   };
 
   Rbac() = default;
-  Rbac(Rbac::Action action, std::map<std::string, Policy> policies);
+  Rbac(std::string name, Rbac::Action action,
+       std::map<std::string, Policy> policies);
 
   Rbac(Rbac&& other) noexcept;
   Rbac& operator=(Rbac&& other) noexcept;
 
   std::string ToString() const;
 
+  // The authorization policy name or the HTTP RBAC filter name.
+  std::string name;
+
   Action action;
   std::map<std::string, Policy> policies;
+
+  AuditCondition audit_condition;
+  std::vector<std::unique_ptr<experimental::AuditLoggerFactory::Config>>
+      logger_configs;
 };
 
 }  // namespace grpc_core