/*
* Copyright 2023 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package rbac
import (
"encoding/json"
"fmt"
"strings"
v1xdsudpatypepb "github.com/cncf/xds/go/udpa/type/v1"
v3xdsxdstypepb "github.com/cncf/xds/go/xds/type/v3"
v3rbacpb "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
v3auditloggersstreampb "github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/audit_loggers/stream/v3"
"google.golang.org/grpc/authz/audit"
"google.golang.org/grpc/authz/audit/stdout"
"google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/types/known/anypb"
"google.golang.org/protobuf/types/known/structpb"
)
// Type URLs that getCustomConfig recognises inside the
// AuditLogger.TypedConfig Any. Anything else is rejected with a
// "not implemented" error rather than being passed through.
const (
	// TypedStruct wrapper in the udpa.type.v1 namespace; carries its own
	// nested type_url plus a Struct value.
	udpaTypedStuctType = "type.googleapis.com/udpa.type.v1.TypedStruct"
	// TypedStruct wrapper in the xds.type.v3 namespace; same shape as above.
	xdsTypedStuctType = "type.googleapis.com/xds.type.v3.TypedStruct"
	// Envoy's built-in stdout audit logger configuration.
	stdoutType = "type.googleapis.com/envoy.extensions.rbac.audit_loggers.stream.v3.StdoutAuditLog"
)
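// buildLogger constructs an audit.Logger from one xDS RBAC audit logger
// config entry.
//
// The AuditLogger.TypedConfig Any is unwrapped by getCustomConfig into a
// JSON config and a logger name; the name is the key used to look up a
// builder in the audit registry. The function returns (nil, nil) — no
// logger and no error — only when no builder is registered for the name
// and the config is marked optional, so callers must treat a nil Logger
// as "skip this logger". Every other problem (missing TypedConfig, empty
// type name, unknown non-optional logger, config the factory cannot
// parse) is returned as an error, so a malformed control-plane config is
// rejected instead of silently producing a logger that audits nothing.
func buildLogger(loggerConfig *v3rbacpb.RBAC_AuditLoggingOptions_AuditLoggerConfig) (audit.Logger, error) {
	// The generated getters are nil-safe, so a nil loggerConfig or a nil
	// AuditLogger surfaces as a missing TypedConfig rather than a panic.
	typedConfig := loggerConfig.GetAuditLogger().GetTypedConfig()
	if typedConfig == nil {
		return nil, fmt.Errorf("missing required field: TypedConfig")
	}
	customConfig, loggerName, err := getCustomConfig(typedConfig)
	if err != nil {
		return nil, err
	}
	if loggerName == "" {
		return nil, fmt.Errorf("field TypedConfig.TypeURL cannot be an empty string")
	}
	factory := audit.GetLoggerBuilder(loggerName)
	if factory == nil {
		if loggerConfig.IsOptional {
			// Unknown logger type, but the config explicitly allows
			// skipping it.
			return nil, nil
		}
		return nil, fmt.Errorf("no builder registered for %v", loggerName)
	}
	auditLoggerConfig, err := factory.ParseLoggerConfig(customConfig)
	if err != nil {
		// %w keeps the factory's own error reachable through errors.Is/As.
		return nil, fmt.Errorf("custom config could not be parsed by registered factory. error: %w", err)
	}
	return factory.Build(auditLoggerConfig), nil
}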
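// getCustomConfig unwraps an AuditLogger.TypedConfig Any into the JSON
// config and logger name that the audit registry expects.
//
// Only three type URLs are accepted: the udpa and xds TypedStruct
// wrappers, whose nested type_url and Struct value are handed to
// convertCustomConfig, and the Envoy stdout audit logger, which is
// converted by convertStdoutConfig. Any other type URL — including an
// empty one — is an error, so unrecognised control-plane payloads are
// never passed on to a logger factory. Unmarshal failures are wrapped
// with %w so the underlying proto error stays inspectable.
func getCustomConfig(config *anypb.Any) (json.RawMessage, string, error) {
	switch config.GetTypeUrl() {
	case udpaTypedStuctType:
		typedStruct := &v1xdsudpatypepb.TypedStruct{}
		if err := config.UnmarshalTo(typedStruct); err != nil {
			return nil, "", fmt.Errorf("failed to unmarshal resource: %w", err)
		}
		return convertCustomConfig(typedStruct.TypeUrl, typedStruct.Value)
	case xdsTypedStuctType:
		typedStruct := &v3xdsxdstypepb.TypedStruct{}
		if err := config.UnmarshalTo(typedStruct); err != nil {
			return nil, "", fmt.Errorf("failed to unmarshal resource: %w", err)
		}
		return convertCustomConfig(typedStruct.TypeUrl, typedStruct.Value)
	case stdoutType:
		stdoutLoggerConfig := &v3auditloggersstreampb.StdoutAuditLog{}
		if err := config.UnmarshalTo(stdoutLoggerConfig); err != nil {
			return nil, "", fmt.Errorf("failed to unmarshal resource: %w", err)
		}
		return convertStdoutConfig(stdoutLoggerConfig)
	}
	return nil, "", fmt.Errorf("custom config not implemented for type [%v]", config.GetTypeUrl())
}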
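// convertStdoutConfig serialises an Envoy StdoutAuditLog config to
// protojson and pairs it with the stdout logger's registry name.
//
// On a marshal error it returns zero values plus the error, rather than
// a partially populated result. The local is named raw so that the
// encoding/json package is not shadowed inside this function.
func convertStdoutConfig(config *v3auditloggersstreampb.StdoutAuditLog) (json.RawMessage, string, error) {
	raw, err := protojson.Marshal(config)
	if err != nil {
		return nil, "", err
	}
	return raw, stdout.Name, nil
}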
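// convertCustomConfig turns a TypedStruct's nested type_url and Struct
// value into the JSON config and logger name used for the registry
// lookup in buildLogger.
//
// The name is the "type name" part of typeURL: everything after the last
// '/'. A typeURL with no '/' is used whole; one ending in '/' yields "",
// which buildLogger rejects, so a malformed control-plane type_url cannot
// select a logger by accident. A nil Struct produces the empty JSON
// object "{}". Marshal failures are wrapped with %w.
func convertCustomConfig(typeURL string, s *structpb.Struct) (json.RawMessage, string, error) {
	// Equivalent to taking the last element of strings.Split(typeURL, "/").
	// Split never returns an empty slice, so the former len == 0 guard was
	// unreachable and has been dropped.
	name := typeURL[strings.LastIndex(typeURL, "/")+1:]
	if s == nil {
		return json.RawMessage("{}"), name, nil
	}
	rawJSON, err := json.Marshal(s)
	if err != nil {
		return nil, "", fmt.Errorf("error converting custom audit logger %v for %v: %w", typeURL, s, err)
	}
	return rawJSON, name, nil
}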