[Audit Logging] Logger and factory APIs in C-Core and C++.

include/grpc/grpc_audit_logging.h

@@ -0,0 +1,71 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_GRPC_AUDIT_LOGGING_H
+#define GRPC_GRPC_AUDIT_LOGGING_H
+
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+
+namespace grpc_core {
+namespace experimental {
+
+// The base struct for audit context.
+typedef struct CoreAuditContext {
+ public:
+  absl::string_view rpc_method() const;
+  absl::string_view principal() const;
+  absl::string_view policy_name() const;
+  absl::string_view matched_rule() const;
+  bool authorized() const;
+} AuditContext;
+
+// This base class for audit logger implementations.
+class CoreAuditLogger {
+ public:
+  virtual void CoreLog(const CoreAuditContext& audit_context) = 0;
+};
+
+// This is the base class for audit logger factory implementations.
+class CoreAuditLoggerFactory {
+ public:
+  class CoreConfig {
+   public:
+    virtual const char* core_name() const = 0;
+    virtual std::string CoreToString() = 0;
+  };
+  virtual const char* core_name() const = 0;
+
+  // TODO(lwge): change to grpc_core::Json once it's exposed.
+  virtual absl::StatusOr<std::unique_ptr<CoreConfig>>
+  ParseCoreAuditLoggerConfig(absl::string_view config_json) = 0;
+
+  virtual std::unique_ptr<CoreAuditLogger> CreateCoreAuditLogger(
+      std::unique_ptr<CoreAuditLoggerFactory::CoreConfig>) = 0;
+};
+
+// Registers an audit logger factory. This should only be called during
+// initialization.
+void RegisterAuditLoggerFactory(
+    std::unique_ptr<CoreAuditLoggerFactory> factory);
+
+}  // namespace experimental
+}  // namespace grpc_core
+
+#endif /* GRPC_GRPC_AUDIT_LOGGING_H */

include/grpcpp/security/audit_logging.h

@@ -0,0 +1,106 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPCPP_SECURITY_AUDIT_LOGGING_H
+#define GRPCPP_SECURITY_AUDIT_LOGGING_H
+
+#include <grpc/grpc_audit_logging.h>
+#include <grpcpp/support/string_ref.h>
+
+namespace grpc {
+namespace experimental {
+
+// This class contains useful information to be consumed in an audit logging
+// event.
+class AuditContext {
+ public:
+  // Does not take the ownership of core_context. Callers have to ensure it
+  // outlives this class.
+  explicit AuditContext(
+      const grpc_core::experimental::CoreAuditContext* core_context)
+      : core_context_(core_context) {}
+
+  grpc::string_ref rpc_method() const;
+  grpc::string_ref principal() const;
+  grpc::string_ref policy_name() const;
+  grpc::string_ref matched_rule() const;
+  bool authorized() const;
+
+ private:
+  const grpc_core::experimental::CoreAuditContext* core_context_;
+};
+
+// The base class for audit logger implementations.
+// Users are expected to inherit this class and implement the Log() function.
+class AuditLogger : public grpc_core::experimental::CoreAuditLogger {
+ public:
+  // This function will be invoked synchronously when applicable during the
+  // RBAC-based authorization process. It does not return anything and thus will
+  // not impact whether the RPC will be rejected or not.
+  virtual void Log(const AuditContext& audit_context) = 0;
+
+  void CoreLog(const grpc_core::experimental::CoreAuditContext&) final;
+};
+
+// The base class for audit logger factory implementations.
+// Users should inherit this class and implement those declared virtual
+// funcitons.
+class AuditLoggerFactory
+    : public grpc_core::experimental::CoreAuditLoggerFactory {
+ public:
+  // The base class for the audit logger config that the factory parses.
+  // Users should inherit this class to define the configuration needed for
+  // their custom loggers.
+  class Config
+      : public grpc_core::experimental::CoreAuditLoggerFactory::CoreConfig {
+   public:
+    virtual const char* name() const = 0;
+    virtual std::string ToString() = 0;
+
+    const char* core_name() const final;
+    std::string CoreToString() final;
+  };
+  virtual const char* name() const = 0;
+
+  virtual absl::StatusOr<std::unique_ptr<Config>> ParseAuditLoggerConfig(
+      grpc::string_ref config_json) = 0;
+
+  virtual std::unique_ptr<AuditLogger> CreateAuditLogger(
+      std::unique_ptr<AuditLoggerFactory::Config>) = 0;
+
+  const char* core_name() const final;
+
+  absl::StatusOr<std::unique_ptr<
+      grpc_core::experimental::CoreAuditLoggerFactory::CoreConfig>>
+  ParseCoreAuditLoggerConfig(absl::string_view config_json) final;
+
+  std::unique_ptr<grpc_core::experimental::CoreAuditLogger>
+      CreateCoreAuditLogger(
+          std::unique_ptr<
+              grpc_core::experimental::CoreAuditLoggerFactory::CoreConfig>)
+          final;
+};
+
+// Registers an audit logger factory. This should only be called during
+// initialization.
+void RegisterAuditLoggerFactory(std::unique_ptr<AuditLoggerFactory> factory);
+
+}  // namespace experimental
+}  // namespace grpc
+
+#endif  // GRPCPP_SECURITY_AUDIT_LOGGING_H

src/cpp/server/audit_logging.cc

@@ -0,0 +1,88 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <memory>
+
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+
+#include <grpc/grpc_audit_logging.h>
+#include <grpcpp/security/audit_logging.h>
+#include <grpcpp/support/string_ref.h>
+
+namespace grpc {
+namespace experimental {
+
+using grpc_core::experimental::CoreAuditContext;
+using grpc_core::experimental::CoreAuditLogger;
+using grpc_core::experimental::CoreAuditLoggerFactory;
+
+grpc::string_ref AuditContext::rpc_method() const {
+  absl::string_view s = core_context_->rpc_method();
+  return grpc::string_ref(s.data(), s.length());
+}
+
+grpc::string_ref AuditContext::principal() const {
+  absl::string_view s = core_context_->principal();
+  return grpc::string_ref(s.data(), s.length());
+}
+
+grpc::string_ref AuditContext::policy_name() const {
+  absl::string_view s = core_context_->policy_name();
+  return grpc::string_ref(s.data(), s.length());
+}
+
+grpc::string_ref AuditContext::matched_rule() const {
+  absl::string_view s = core_context_->matched_rule();
+  return grpc::string_ref(s.data(), s.length());
+}
+
+bool AuditContext::authorized() const { return core_context_->authorized(); }
+
+void AuditLogger::CoreLog(const CoreAuditContext& core_audit_context) {
+  AuditContext audit_context(&core_audit_context);
+  Log(audit_context);
+}
+
+const char* AuditLoggerFactory::Config::core_name() const { return name(); }
+
+std::string AuditLoggerFactory::Config::CoreToString() { return ToString(); }
+
+const char* AuditLoggerFactory::core_name() const { return name(); }
+
+absl::StatusOr<std::unique_ptr<CoreAuditLoggerFactory::CoreConfig>>
+AuditLoggerFactory::ParseCoreAuditLoggerConfig(absl::string_view config_json) {
+  grpc::string_ref config(config_json.data(), config_json.length());
+  return ParseAuditLoggerConfig(config);
+}
+
+std::unique_ptr<CoreAuditLogger> AuditLoggerFactory::CreateCoreAuditLogger(
+    std::unique_ptr<CoreAuditLoggerFactory::CoreConfig> config) {
+  std::unique_ptr<AuditLoggerFactory::Config> c(
+      static_cast<AuditLoggerFactory::Config*>(config.release()));
+  return CreateAuditLogger(std::move(c));
+}
+
+void RegisterAuditLoggerFactory(std::unique_ptr<AuditLoggerFactory> factory) {
+  std::unique_ptr<CoreAuditLoggerFactory> core_factory(
+      static_cast<CoreAuditLoggerFactory*>(factory.release()));
+  grpc_core::experimental::RegisterAuditLoggerFactory(std::move(core_factory));
+};
+
+}  // namespace experimental
+}  // namespace grpc