grpc · rockspore · May 17, 2023 · May 5, 2023 · May 5, 2023 · May 5, 2023
diff --git a/src/core/BUILD b/src/core/BUILD
@@ -3699,6 +3699,7 @@ grpc_cc_library(
         "channel_fwd",
         "closure",
         "error",
+        "grpc_audit_logging",
         "grpc_authorization_base",
         "grpc_matchers",
         "grpc_rbac_engine",

diff --git a/src/core/ext/filters/rbac/rbac_service_config_parser.cc b/src/core/ext/filters/rbac/rbac_service_config_parser.cc
@@ -20,21 +20,29 @@
 
 #include <cstdint>
 #include <map>
+#include <memory>
 #include <string>
 
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
+#include "absl/strings/str_cat.h"
 #include "absl/types/optional.h"
 
+#include <grpc/support/log.h>
+
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/json/json_args.h"
 #include "src/core/lib/json/json_object_loader.h"
 #include "src/core/lib/matchers/matchers.h"
+#include "src/core/lib/security/authorization/audit_logging.h"
 
 namespace grpc_core {
 
 namespace {
 
+using experimental::AuditLoggerFactory;
+using experimental::AuditLoggerRegistry;
+
 // RbacConfig: one or more RbacPolicy structs
 struct RbacConfig {
   // RbacPolicy: optional Rules
@@ -179,16 +187,29 @@ struct RbacConfig {
         static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
       };
 
+      // AuditLogger: the name of logger and its config in json
+      struct AuditLogger {
+        std::string name;
+        Json::Object config;
+
+        static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
+        void JsonPostLoad(const Json&, const JsonArgs&,
+                          ValidationErrors* errors);
+      };
+
       int action;
       std::map<std::string, Policy> policies;
+      // Defaults to 0 since its json field is optional.
+      Rbac::AuditCondition audit_condition;
+      std::vector<std::unique_ptr<AuditLoggerFactory::Config>> logger_configs;
 
       Rules() = default;
       Rules(const Rules&) = delete;
       Rules& operator=(const Rules&) = delete;
       Rules(Rules&&) = default;
       Rules& operator=(Rules&&) = default;
 
-      Rbac TakeAsRbac();
+      Rbac TakeAsRbac(std::string name);
       static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
       void JsonPostLoad(const Json&, const JsonArgs&, ValidationErrors* errors);
     };
@@ -716,32 +737,60 @@ const JsonLoaderInterface* RbacConfig::RbacPolicy::Rules::Policy::JsonLoader(
   return loader;
 }
 
+//
+// RbacConfig::RbacPolicy::Rules::AuditLogger
+//
+
+const JsonLoaderInterface*
+RbacConfig::RbacPolicy::Rules::AuditLogger::JsonLoader(const JsonArgs&) {
+  // All fields handled in JsonPostLoad().
+  static const auto* loader = JsonObjectLoader<AuditLogger>().Finish();
+  return loader;
+}
+
+void RbacConfig::RbacPolicy::Rules::AuditLogger::JsonPostLoad(
+    const Json& json, const JsonArgs& args, ValidationErrors* errors) {
+  // Should have exactly one field as the logger name.
+  if (json.object().size() != 1) {
+    errors->AddError("audit logger should have exactly one field");
+    return;
+  }
+  name = json.object().begin()->first;
+  auto config_or =
+      LoadJsonObjectField<Json::Object>(json.object(), args, name, errors);
+  if (config_or.has_value()) {
+    config = std::move(*config_or);
+  }
+}
+
 //
 // RbacConfig::RbacPolicy::Rules
 //
 
-Rbac RbacConfig::RbacPolicy::Rules::TakeAsRbac() {
+Rbac RbacConfig::RbacPolicy::Rules::TakeAsRbac(std::string name) {
   Rbac rbac;
-  // TODO(lwge): This is to fix msan failure for now. Add proper conversion once
-  // audit logging support is added.
-  rbac.audit_condition = Rbac::AuditCondition::kNone;
+  rbac.name = std::move(name);
   rbac.action = static_cast<Rbac::Action>(action);
+  rbac.audit_condition = audit_condition;
   for (auto& p : policies) {
     rbac.policies.emplace(p.first, p.second.TakeAsRbacPolicy());
   }
+  rbac.logger_configs = std::move(logger_configs);
   return rbac;
 }
 
 const JsonLoaderInterface* RbacConfig::RbacPolicy::Rules::JsonLoader(
     const JsonArgs&) {
+  // Audit logger configs handled in post load.
   static const auto* loader = JsonObjectLoader<Rules>()
                                   .Field("action", &Rules::action)
                                   .OptionalField("policies", &Rules::policies)
                                   .Finish();
   return loader;
 }
 
-void RbacConfig::RbacPolicy::Rules::JsonPostLoad(const Json&, const JsonArgs&,
+void RbacConfig::RbacPolicy::Rules::JsonPostLoad(const Json& json,
+                                                 const JsonArgs& args,
                                                  ValidationErrors* errors) {
   // Validate action field.
   auto rbac_action = static_cast<Rbac::Action>(action);
@@ -750,6 +799,47 @@ void RbacConfig::RbacPolicy::Rules::JsonPostLoad(const Json&, const JsonArgs&,
     ValidationErrors::ScopedField field(errors, ".action");
     errors->AddError("unknown action");
   }
+  // Parse and validate audit_condition field.
+  auto it = json.object().find("audit_condition");
+  int condition = static_cast<int>(Rbac::AuditCondition::kNone);
+  if (it != json.object().end()) {
+    if (it->second.type() != Json::Type::kNumber) {
+      ValidationErrors::ScopedField field(errors, ".audit_condition");
+      errors->AddError("is not a number");
+    } else {
+      GPR_ASSERT(absl::SimpleAtoi(it->second.string(), &condition));
+    }
+  }
+  switch (condition) {
+    case static_cast<int>(Rbac::AuditCondition::kNone):
+    case static_cast<int>(Rbac::AuditCondition::kOnAllow):
+    case static_cast<int>(Rbac::AuditCondition::kOnDeny):
+    case static_cast<int>(Rbac::AuditCondition::kOnDenyAndAllow):
+      break;
+    default: {
+      ValidationErrors::ScopedField field(errors, ".audit_condition");
+      errors->AddError("unknown audit condition");
+    }
+  }
+  audit_condition = static_cast<Rbac::AuditCondition>(condition);
+  if (json.object().find("audit_loggers") == json.object().end()) return;
+  // Parse and validate audit logger configs.
+  auto configs = LoadJsonObjectField<std::vector<AuditLogger>>(
+      json.object(), args, "audit_loggers", errors);
+  if (configs.has_value()) {
+    for (size_t i = 0; i < configs->size(); ++i) {
+      auto& logger = (*configs)[i];
+      auto config = AuditLoggerRegistry::ParseConfig(
+          logger.name, Json::FromObject(std::move(logger.config)));
+      if (!config.ok()) {
+        ValidationErrors::ScopedField field(
+            errors, absl::StrCat(".audit_loggers[", i, "]"));
+        errors->AddError(config.status().message());
+        continue;
+      }
+      logger_configs.push_back(std::move(*config));
+    }
+  }
 }
 
 //
@@ -762,8 +852,7 @@ Rbac RbacConfig::RbacPolicy::TakeAsRbac() {
     // is equivalent to no enforcing.
     return Rbac(std::move(name), Rbac::Action::kDeny, {});
   }
-  // TODO(lwge): This also needs to take the name.
-  return rules->TakeAsRbac();
+  return rules->TakeAsRbac(std::move(name));
 }
 
 const JsonLoaderInterface* RbacConfig::RbacPolicy::JsonLoader(const JsonArgs&) {

diff --git a/src/core/lib/security/authorization/grpc_authorization_engine.h b/src/core/lib/security/authorization/grpc_authorization_engine.h
@@ -56,6 +56,12 @@ class GrpcAuthorizationEngine : public AuthorizationEngine {
   // Required only for testing purpose.
   size_t num_policies() const { return policies_.size(); }
 
+  // Required only for testing purpose.
+  Rbac::AuditCondition audit_condition() const { return audit_condition_; }
+
+  // Required only for testing purpose.
+  size_t num_audit_loggers() const { return audit_loggers_.size(); }
+
   // Evaluates incoming request against RBAC policy and makes a decision to
   // whether allow/deny this request.
   Decision Evaluate(const EvaluateArgs& args) const override;