[Audit Logging] Authz policy support for audit logging

BUILD

@@ -915,6 +915,7 @@ grpc_cc_library(
         "grpc_trace",
         "ref_counted_ptr",
         "//src/core:error",
+        "//src/core:grpc_audit_logging",
         "//src/core:grpc_authorization_base",
         "//src/core:grpc_matchers",
         "//src/core:grpc_rbac_engine",

src/core/ext/filters/rbac/rbac_service_config_parser.cc

@@ -756,7 +756,8 @@ Rbac RbacConfig::RbacPolicy::TakeAsRbac() {
   if (!rules.has_value()) {
     // No enforcing to be applied. An empty deny policy with an empty map
     // is equivalent to no enforcing.
-    return Rbac(Rbac::Action::kDeny, {});
+    // TODO(lwge): Pass the fitler name when working on this parser.
+    return Rbac(Rbac::Action::kDeny, {}, "");
   }
   return rules->TakeAsRbac();
 }

src/core/lib/security/authorization/rbac_policy.cc

@@ -29,22 +29,46 @@ namespace grpc_core {
 // Rbac
 //
 
-Rbac::Rbac(Rbac::Action action, std::map<std::string, Policy> policies)
-    : action(action), policies(std::move(policies)) {}
+Rbac::Rbac(Rbac::Action action, std::map<std::string, Policy> policies,
+           absl::string_view name)
+    : action(action), policies(std::move(policies)), name(name) {}
 
 Rbac::Rbac(Rbac&& other) noexcept
-    : action(other.action), policies(std::move(other.policies)) {}
+    : action(other.action),
+      audit_condition(other.audit_condition),
+      policies(std::move(other.policies)),
+      logger_configs(std::move(other.logger_configs)),
+      name(std::move(other.name)) {}
 
 Rbac& Rbac::operator=(Rbac&& other) noexcept {
   action = other.action;
+  audit_condition = other.audit_condition;
   policies = std::move(other.policies);
+  logger_configs = std::move(other.logger_configs);
+  name = std::move(other.name);
   return *this;
 }
 
 std::string Rbac::ToString() const {
   std::vector<std::string> contents;
+  std::string condition_str;
+  switch (audit_condition) {
+    case Rbac::AuditCondition::kNone:
+      condition_str = "None";
+      break;
+    case AuditCondition::kOnDeny:
+      condition_str = "OnDeny";
+      break;
+    case AuditCondition::kOnAllow:
+      condition_str = "OnAllow";
+      break;
+    case AuditCondition::kOnDenyAndAllow:
+      condition_str = "OnDenyAndAllow";
+      break;
+  }
   contents.push_back(absl::StrFormat(
-      "Rbac action=%s{", action == Rbac::Action::kAllow ? "Allow" : "Deny"));
+      "Rbac name=%s action=%s audit_condition=%s{", name,
+      action == Rbac::Action::kAllow ? "Allow" : "Deny", condition_str));
   for (const auto& p : policies) {
     contents.push_back(absl::StrFormat("{\n  policy_name=%s\n%s\n}", p.first,
                                        p.second.ToString()));

src/core/lib/security/authorization/rbac_policy.h

@@ -24,20 +24,30 @@
 #include <string>
 #include <vector>
 
+#include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
 
+#include <grpc/grpc_audit_logging.h>
+
 #include "src/core/lib/matchers/matchers.h"
 
 namespace grpc_core {
 
 // Represents Envoy RBAC Proto. [See
-// https://github.com/envoyproxy/envoy/blob/release/v1.17/api/envoy/config/rbac/v3/rbac.proto]
+// https://github.com/envoyproxy/envoy/blob/release/v1.26/api/envoy/config/rbac/v3/rbac.proto]
 struct Rbac {
   enum class Action {
     kAllow,
     kDeny,
   };
 
+  enum class AuditCondition {
+    kNone,
+    kOnDeny,
+    kOnAllow,
+    kOnDenyAndAllow,
+  };
+
   struct CidrRange {
     CidrRange() = default;
     CidrRange(std::string address_prefix, uint32_t prefix_len);
@@ -162,15 +172,22 @@ struct Rbac {
   };
 
   Rbac() = default;
-  Rbac(Rbac::Action action, std::map<std::string, Policy> policies);
+  Rbac(Rbac::Action action, std::map<std::string, Policy> policies,
+       absl::string_view name);
 
   Rbac(Rbac&& other) noexcept;
   Rbac& operator=(Rbac&& other) noexcept;
 
   std::string ToString() const;
 
   Action action;
+  AuditCondition audit_condition;
+
   std::map<std::string, Policy> policies;
+  std::vector<std::unique_ptr<experimental::AuditLoggerFactory::Config>>
+      logger_configs;
+  // The authorization policy name or the HTTP RBAC filter name.
+  std::string name;
 };
 
 }  // namespace grpc_core

src/core/lib/security/authorization/rbac_translator.cc

@@ -27,20 +27,28 @@
 #include <vector>
 
 #include "absl/status/status.h"
+#include "absl/status/statusor.h"
 #include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_format.h"
+#include "absl/strings/string_view.h"
 #include "absl/strings/strip.h"
 
+#include <grpc/grpc_audit_logging.h>
+#include <grpc/support/log.h>
+
 #include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/json/json.h"
 #include "src/core/lib/json/json_reader.h"
 #include "src/core/lib/matchers/matchers.h"
+#include "src/core/lib/security/authorization/audit_logging.h"
 
 namespace grpc_core {
 
 namespace {
 
+using experimental::AuditLoggerRegistry;
+
 absl::string_view GetMatcherType(absl::string_view value,
                                  StringMatcher::Type* type) {
   if (value == "*") {
@@ -310,7 +318,7 @@ absl::StatusOr<Rbac::Policy> ParseRule(const Json& json,
 }
 
 absl::StatusOr<std::map<std::string, Rbac::Policy>> ParseRulesArray(
-    const Json& json, absl::string_view name) {
+    const Json& json) {
   if (json.array().empty()) {
     return absl::InvalidArgumentError("rules is empty.");
   }
@@ -328,24 +336,142 @@ absl::StatusOr<std::map<std::string, Rbac::Policy>> ParseRulesArray(
           policy_or.status().code(),
           absl::StrCat("rules ", i, ": ", policy_or.status().message()));
     }
-    policies[std::string(name) + "_" + policy_name] =
-        std::move(policy_or.value());
+    policies[policy_name] = std::move(policy_or.value());
   }
   return std::move(policies);
 }
 
 absl::StatusOr<Rbac> ParseDenyRulesArray(const Json& json,
                                          absl::string_view name) {
-  auto policies_or = ParseRulesArray(json, name);
+  auto policies_or = ParseRulesArray(json);
   if (!policies_or.ok()) return policies_or.status();
-  return Rbac(Rbac::Action::kDeny, std::move(policies_or.value()));
+  return Rbac(Rbac::Action::kDeny, std::move(policies_or.value()), name);
 }
 
 absl::StatusOr<Rbac> ParseAllowRulesArray(const Json& json,
                                           absl::string_view name) {
-  auto policies_or = ParseRulesArray(json, name);
+  auto policies_or = ParseRulesArray(json);
   if (!policies_or.ok()) return policies_or.status();
-  return Rbac(Rbac::Action::kAllow, std::move(policies_or.value()));
+  return Rbac(Rbac::Action::kAllow, std::move(policies_or.value()), name);
+}
+
+absl::StatusOr<std::unique_ptr<experimental::AuditLoggerFactory::Config>>
+ParseAuditLogger(const Json& json, size_t pos) {
+  if (json.type() != Json::Type::kObject) {
+    return absl::InvalidArgumentError(
+        absl::StrFormat("\"audit_loggers[%d]\" is not an object.", pos));
+  }
+  bool is_optional = false;
+  auto it = json.object().find("is_optional");
+  if (it != json.object().end()) {
+    switch (it->second.type()) {
+      case Json::Type::kTrue:
+        is_optional = true;
+        break;
+      case Json::Type::kFalse:
+        break;
+      default:
+        return absl::InvalidArgumentError(absl::StrFormat(
+            "\"audit_loggers[%d].is_optional\" is not a boolean.", pos));
+    }
+  }
+  it = json.object().find("name");
+  if (it == json.object().end()) {
+    return absl::InvalidArgumentError(
+        absl::StrFormat("\"audit_loggers[%d].name\" is required.", pos));
+  }
+  if (it->second.type() != Json::Type::kString) {
+    return absl::InvalidArgumentError(
+        absl::StrFormat("\"audit_loggers[%d].name\" is not a string.", pos));
+  }
+  absl::string_view name = it->second.string();
+  Json config = Json::Object();
+  it = json.object().find("config");
+  if (it != json.object().end()) {
+    if (it->second.type() != Json::Type::kObject) {
+      return absl::InvalidArgumentError(absl::StrFormat(
+          "\"audit_loggers[%d].config\" is not an object.", pos));
+    }
+    config = it->second;
+  }
+  if (!AuditLoggerRegistry::FactoryExists(name)) {
+    if (is_optional) {
+      return nullptr;
+    }
+    return absl::InvalidArgumentError(
+        absl::StrFormat("\"audit_loggers[%d].name\" %s is not supported "
+                        "natively or registered.",
+                        pos, name));
+  }
+  auto result = AuditLoggerRegistry::ParseConfig(name, config);
+  if (!result.ok()) {
+    return absl::InvalidArgumentError(absl::StrFormat(
+        "\"audit_loggers[%d]\" %s", pos, result.status().message()));
+  }
+  return result;
+}
+
+absl::Status ParseAuditLoggingOptions(RbacPolicies& rbacs, const Json& json) {
+  auto it = json.object().find("audit_condition");
+  if (it != json.object().end()) {
+    if (it->second.type() != Json::Type::kString) {
+      return absl::InvalidArgumentError("\"audit_condition\" is not a string.");
+    }
+    absl::string_view condition = it->second.string();
+    Rbac::AuditCondition deny_condition, allow_condition;
+    if (condition == "NONE") {
+      deny_condition = Rbac::AuditCondition::kNone;
+      allow_condition = Rbac::AuditCondition::kNone;
+    } else if (condition == "ON_ALLOW") {
+      deny_condition = Rbac::AuditCondition::kNone;
+      allow_condition = Rbac::AuditCondition::kOnAllow;
+    } else if (condition == "ON_DENY") {
+      deny_condition = Rbac::AuditCondition::kOnDeny;
+      allow_condition = Rbac::AuditCondition::kOnDeny;
+    } else if (condition == "ON_DENY_AND_ALLOW") {
+      deny_condition = Rbac::AuditCondition::kOnDeny;
+      allow_condition = Rbac::AuditCondition::kOnDenyAndAllow;
+    } else {
+      return absl::InvalidArgumentError(absl::StrFormat(
+          "Unsupported \"audit_condition\" value %s.", condition));
+    }
+    if (rbacs.deny_policy != absl::nullopt) {
+      rbacs.deny_policy->audit_condition = deny_condition;
+    }
+    rbacs.allow_policy.audit_condition = allow_condition;
+  }
+  it = json.object().find("audit_loggers");
+  if (it != json.object().end()) {
+    if (it->second.type() != Json::Type::kArray) {
+      return absl::InvalidArgumentError("\"audit_loggers\" is not an array.");
+    }
+    const auto& loggers = it->second.array();
+    for (size_t i = 0; i < loggers.size(); ++i) {
+      auto result = ParseAuditLogger(loggers.at(i), i);
+      if (!result.ok()) {
+        return result.status();
+      }
+      // Check the value since the unsupported logger config can also
+      // return ok when marked as optional.
+      if (result.value() != nullptr) {
+        // Only move the logger config over if audit condition is not NONE.
+        if (rbacs.allow_policy.audit_condition != Rbac::AuditCondition::kNone) {
+          rbacs.allow_policy.logger_configs.push_back(
+              std::move(result.value()));
+        }
+        if (rbacs.deny_policy != absl::nullopt &&
+            rbacs.deny_policy->audit_condition != Rbac::AuditCondition::kNone) {
+          // Parse again since it returns unique_ptr, but result should be ok
+          // this time.
+          auto result = ParseAuditLogger(loggers.at(i), i);
+          GPR_ASSERT(result.ok());
+          rbacs.deny_policy->logger_configs.push_back(
+              std::move(result.value()));
+        }
+      }
+    }
+  }
+  return absl::OkStatus();
 }
 
 }  // namespace
@@ -398,11 +524,25 @@ absl::StatusOr<RbacPolicies> GenerateRbacPolicies(
       }
       rbacs.allow_policy = std::move(*allow_policy_or);
       has_allow_rbac = true;
+    } else if (object.first == "audit_logging_options") {
+      // This must be processed this after policies are all parsed.
+      continue;
     } else {
       return absl::InvalidArgumentError(absl::StrFormat(
           "policy contains unknown field \"%s\".", object.first));
     }
   }
+  it = json->object().find("audit_logging_options");
+  if (it != json->object().end()) {
+    if (it->second.type() != Json::Type::kObject) {
+      return absl::InvalidArgumentError(
+          "\"audit_logging_options\" is not an object.");
+    }
+    absl::Status status = ParseAuditLoggingOptions(rbacs, it->second);
+    if (!status.ok()) {
+      return status;
+    }
+  }
   if (!has_allow_rbac) {
     return absl::InvalidArgumentError("\"allow_rules\" is not present.");
   }