
Example 11 with Policy

use of io.envoyproxy.envoy.config.rbac.v3.Policy in project grpc-java by grpc.

Class AuthorizationPolicyTranslatorTest, method missingSourceAndRequest.

/**
 * A rule that names neither "source" nor "request" must translate to a policy whose single
 * principal and single permission are both match-any, keyed as {@code <policy>_<rule>}.
 */
@Test
public void missingSourceAndRequest() throws Exception {
    String policy = "{ \"name\" : \"authz\" , \"allow_rules\" : [   {     \"name\": \"allow_all\"   } ]}";
    List<RBAC> rbacs = AuthorizationPolicyTranslator.translate(policy);
    assertEquals(1, rbacs.size());
    Policy allowAll = Policy.newBuilder()
        .addPrincipals(Principal.newBuilder().setAny(true))
        .addPermissions(Permission.newBuilder().setAny(true))
        .build();
    RBAC expected = RBAC.newBuilder()
        .setAction(Action.ALLOW)
        .putPolicies("authz_allow_all", allowAll)
        .build();
    assertEquals(expected, rbacs.get(0));
}

Example 12 with Policy

use of io.envoyproxy.envoy.config.rbac.v3.Policy in project grpc-java by grpc.

Class AuthorizationPolicyTranslatorTest, method emptySourceAndRequest.

/**
 * An explicitly empty "source" and "request" object must produce the same match-any
 * principal and permission as leaving the keys out entirely.
 */
@Test
public void emptySourceAndRequest() throws Exception {
    String policy = "{ \"name\" : \"authz\" , \"allow_rules\" : [   {     \"name\": \"allow_all\",     \"source\": {},     \"request\": {}   } ]}";
    List<RBAC> rbacs = AuthorizationPolicyTranslator.translate(policy);
    assertEquals(1, rbacs.size());
    Policy allowAll = Policy.newBuilder()
        .addPrincipals(Principal.newBuilder().setAny(true))
        .addPermissions(Permission.newBuilder().setAny(true))
        .build();
    RBAC expected = RBAC.newBuilder()
        .setAction(Action.ALLOW)
        .putPolicies("authz_allow_all", allowAll)
        .build();
    assertEquals(expected, rbacs.get(0));
}

Example 13 with Policy

use of io.envoyproxy.envoy.config.rbac.v3.Policy in project grpc-java by grpc.

Class AuthorizationPolicyTranslator, method parseRules.

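/**
 * Translates one list of authorization-policy rules into Envoy RBAC policies, keyed by
 * {@code <name>_<ruleName>} in rule order.
 *
 * <p>A rule without a {@code "source"} object gets a match-any principal and a rule without a
 * {@code "request"} object gets a match-any permission, so a rule carrying only a name matches
 * every request.
 *
 * <p>NOTE(review): rules are keyed only by name, so two rules in the same list with the same
 * {@code "name"} collapse to the later one via {@link Map#put}; duplicates are not rejected here.
 *
 * @param objects the parsed JSON rule objects
 * @param name the enclosing policy name, used as the key prefix
 * @return the translated policies, insertion-ordered
 * @throws IllegalArgumentException if a rule's {@code "name"} is absent or empty (the nested
 *     source/request parsers may raise their own errors as well)
 */
private static Map<String, Policy> parseRules(List<Map<String, ?>> objects, String name) throws IllegalArgumentException {
    Map<String, Policy> policies = new LinkedHashMap<>();
    for (Map<String, ?> object : objects) {
        String policyName = JsonUtil.getString(object, "name");
        if (policyName == null || policyName.isEmpty()) {
            throw new IllegalArgumentException("rule \"name\" is absent or empty");
        }
        // An absent "source"/"request" widens to match-any rather than match-none.
        Map<String, ?> source = JsonUtil.getObject(object, "source");
        Principal principal = source != null
            ? parseSource(source)
            : Principal.newBuilder().setAny(true).build();
        Map<String, ?> request = JsonUtil.getObject(object, "request");
        Permission permission = request != null
            ? parseRequest(request)
            : Permission.newBuilder().setAny(true).build();
        // Each rule yields exactly one principal and one permission.
        Policy policy = Policy.newBuilder()
            .addPrincipals(principal)
            .addPermissions(permission)
            .build();
        policies.put(name + "_" + policyName, policy);
    }
    return policies;
}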

Example 14 with Policy

use of io.envoyproxy.envoy.config.rbac.v3.Policy in project grpc-java by grpc.

Class RbacFilter, method parseRbacConfig.

/**
 * Converts an xDS RBAC filter proto into an {@link RbacConfig}.
 *
 * <p>A filter without rules, or whose action is {@code LOG}, yields a config with a {@code null}
 * auth config (nothing is enforced). {@code ALLOW} and {@code DENY} are mapped onto the engine's
 * action; any other action, a policy that sets {@code condition}/{@code checked_condition}, or a
 * failure while parsing a policy's permissions or principals is reported as an error.
 *
 * @param rbac the filter proto to translate
 * @return the translated config, or an error describing the first problem found
 */
@VisibleForTesting
static ConfigOrError<RbacConfig> parseRbacConfig(RBAC rbac) {
    if (!rbac.hasRules()) {
        return ConfigOrError.fromConfig(RbacConfig.create(null));
    }
    io.envoyproxy.envoy.config.rbac.v3.RBAC rules = rbac.getRules();
    GrpcAuthorizationEngine.Action engineAction;
    switch (rules.getAction()) {
        case ALLOW:
            engineAction = GrpcAuthorizationEngine.Action.ALLOW;
            break;
        case DENY:
            engineAction = GrpcAuthorizationEngine.Action.DENY;
            break;
        case LOG:
            // LOG is treated exactly like "no rules": no enforcement at all.
            return ConfigOrError.fromConfig(RbacConfig.create(null));
        case UNRECOGNIZED:
        default:
            return ConfigOrError.fromError("Unknown rbacConfig action type: " + rules.getAction());
    }
    return policiesToAuthConfig(rules.getPoliciesMap(), engineAction);
}

/**
 * Builds the engine config from the filter's named policies; the first policy that cannot be
 * translated aborts the whole config with an error.
 */
private static ConfigOrError<RbacConfig> policiesToAuthConfig(Map<String, Policy> policyMap, GrpcAuthorizationEngine.Action engineAction) {
    List<GrpcAuthorizationEngine.PolicyMatcher> matchers = new ArrayList<>();
    for (Map.Entry<String, Policy> entry : policyMap.entrySet()) {
        String policyName = entry.getKey();
        try {
            Policy policy = entry.getValue();
            // CEL-style conditions are not supported; refuse rather than silently ignore them.
            if (policy.hasCondition() || policy.hasCheckedCondition()) {
                return ConfigOrError.fromError("Policy.condition and Policy.checked_condition must not set: " + policyName);
            }
            matchers.add(PolicyMatcher.create(
                policyName,
                parsePermissionList(policy.getPermissionsList()),
                parsePrincipalList(policy.getPrincipalsList())));
        } catch (Exception e) {
            // Any failure in the permission/principal parsers becomes a config error.
            return ConfigOrError.fromError("Encountered error parsing policy: " + e);
        }
    }
    return ConfigOrError.fromConfig(RbacConfig.create(AuthConfig.create(matchers, engineAction)));
}

Example 15 with Policy

use of io.envoyproxy.envoy.config.rbac.v3.Policy in project google-cloud-java by GoogleCloudPlatform.

Class SourceSnippets, method setIamPolicySource.

// [END securitycenter_get_source]
/**
 * Grants {@code roles/securitycenter.findingsEditor} on a source to one user by appending a
 * binding to the source's current IAM policy and writing the result back.
 *
 * <p>The existing policy is read first and only extended, so bindings already present are kept.
 * The policy returned by the service is printed to stdout.
 *
 * @param sourceName The source to set IAM Policy for.
 * @param userEmail The Google account to grant the role to; sent as {@code "user:" + userEmail}.
 * @return The policy as stored by the service after the update.
 * @throws RuntimeException if the {@link SecurityCenterClient} cannot be created.
 */
// [START securitycenter_set_source_iam]
static Policy setIamPolicySource(SourceName sourceName, String userEmail) {
    try (SecurityCenterClient client = SecurityCenterClient.create()) {
        // userEmail = "someuser@domain.com"
        // SourceName sourceName = SourceName.of("123234324", "423432321");
        String resource = sourceName.toString();
        Policy current = client.getIamPolicy(resource);
        // Grant findingsEditor to the user; the account must be a valid Google account.
        Binding editorBinding = Binding.newBuilder()
            .setRole("roles/securitycenter.findingsEditor")
            .addMembers("user:" + userEmail)
            .build();
        Policy updated = current.toBuilder().addBindings(editorBinding).build();
        SetIamPolicyRequest request = SetIamPolicyRequest.newBuilder()
            .setResource(resource)
            .setPolicy(updated)
            .build();
        // Call the API.
        Policy response = client.setIamPolicy(request);
        System.out.println("Policy: " + response);
        return response;
    } catch (IOException e) {
        throw new RuntimeException("Couldn't create client.", e);
    }
}
