From 7dae92f40a2b7fd459583e1bace5528ef6cf1be6 Mon Sep 17 00:00:00 2001
From: Limin Wang
Date: Tue, 10 Jan 2017 14:31:42 -0800
Subject: [PATCH 1/2] Created check security rules file and a few dummy/helper functions. And added it to check work flow.
---
 contrib/endpoints/src/api_manager/BUILD | 2 +
 .../src/api_manager/check_security_rules.cc | 111 ++++++++++++++++++
 .../src/api_manager/check_security_rules.h | 32 +++++
 .../src/api_manager/check_workflow.cc | 3 +
 4 files changed, 148 insertions(+)
 create mode 100644 contrib/endpoints/src/api_manager/check_security_rules.cc
 create mode 100644 contrib/endpoints/src/api_manager/check_security_rules.h

diff --git a/contrib/endpoints/src/api_manager/BUILD b/contrib/endpoints/src/api_manager/BUILD
index e3d54b46eac..38671d6e90e 100644
--- a/contrib/endpoints/src/api_manager/BUILD
+++ b/contrib/endpoints/src/api_manager/BUILD
@@ -68,6 +68,8 @@ cc_library(
 "api_manager_impl.cc",
 "check_auth.cc",
 "check_auth.h",
+ "check_security_rules.cc",
+ "check_security_rules.h",
 "check_service_control.cc",
 "check_service_control.h",
 "check_workflow.cc",
diff --git a/contrib/endpoints/src/api_manager/check_security_rules.cc b/contrib/endpoints/src/api_manager/check_security_rules.cc
new file mode 100644
index 00000000000..e48dd2093e6
--- /dev/null
+++ b/contrib/endpoints/src/api_manager/check_security_rules.cc
@@ -0,0 +1,111 @@
+// Copyright 2017 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+#include "contrib/endpoints/src/api_manager/check_security_rules.h"
+
+#include 
+
+#include "contrib/endpoints/include/api_manager/api_manager.h"
+#include "contrib/endpoints/include/api_manager/request.h"
+
+using ::google::api_manager::utils::Status;
+
+namespace google {
+namespace api_manager {
+
+namespace {
+
+const char kFirebaseServerStaging[] = "https://staging-firebaserules.sandbox.googleapis.com/";
+
+// An AuthzChecker object is created for every incoming request. It does
+// authorizaiton by calling Firebase Rules service.
+class AuthzChecker : public std::enable_shared_from_this {
+ public:
+ AuthzChecker(std::shared_ptr context,
+ std::function continuation);
+
+ void Check();
+
+ private:
+ // Helper function to send a http GET request.
+ void HttpFetch(const std::string &url,
+ const std::string &request_body,
+ std::function continuation);
+
+ // Get Auth token for accessing Firebase Rules service.
+ const std::string& GetAuthToken();
+
+ // Request context.
+ std::shared_ptr context_;
+
+ // Pointer to access ESP running environment.
+ ApiManagerEnvInterface *env_;
+
+ // The final continuation function.
+ std::function on_done_;
+};
+
+AuthzChecker::AuthzChecker(std::shared_ptr context,
+ std::function continuation)
+ : context_(context),
+ env_(context_->service_context()->env()),
+ on_done_(continuation) {}
+
+void AuthzChecker::Check() {
+ // TODO: Check service config to see if "useSecurityRules" is specified.
+ // If so, call Firebase Rules service TestRuleset API.
+}
+
+const std::string& AuthzChecker::GetAuthToken() {
+ // TODO: Get Auth token for accessing Firebase Rules service.
+ static std::string empty;
+ return empty;
+}
+
+void AuthzChecker::HttpFetch(
+ const std::string &url,
+ const std::string &request_body,
+ std::function continuation) {
+ std::unique_ptr request(
+ new HTTPRequest([continuation](
+ Status status, std::map &&,
+ std::string &&body) {
+ continuation(status, std::move(body));
+ }));
+ if (!request) {
+ continuation(Status(Code::INTERNAL, "Out of memory"), "");
+ return;
+ }
+
+ request->set_method("POST")
+ .set_url(url)
+ .set_auth_token(GetAuthToken())
+ .set_header("Content-Type", "application/json")
+ .set_body(request_body);
+ env_->RunHTTPRequest(std::move(request));
+}
+
+} // namespace
+
+void CheckSecurityRules(std::shared_ptr context,
+ std::function continuation) {
+ std::shared_ptr authzChecker =
+ std::make_shared(context, continuation);
+ authzChecker->Check();
+}
+
+} // namespace api_manager
+} // namespace google
+
diff --git a/contrib/endpoints/src/api_manager/check_security_rules.h b/contrib/endpoints/src/api_manager/check_security_rules.h
new file mode 100644
index 00000000000..e3d9c499697
--- /dev/null
+++ b/contrib/endpoints/src/api_manager/check_security_rules.h
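Review bot: `AuthzChecker::Check()` returns without ever invoking `on_done_`, yet `CheckSecurityRules` is wired into the live check chain by the `CheckWorkflow::RegisterAll()` hunk of this same commit; if the workflow advances only when a handler calls its continuation (which is what the `CheckHandler` registration suggests), every request will stall at this step until the TODO is implemented, so the stub should at least pass control on with `void AuthzChecker::Check() { on_done_(Status::OK); }`. The comment on `HttpFetch` says it sends a GET, but the body calls `set_method("POST")`; change it to `// Helper function to send an HTTP POST request.`. `kFirebaseServerStaging` is unused and pins a staging sandbox host into production code; the endpoint should come from the service config or a flag before any request is sent to it. The `if (!request)` branch after `new HTTPRequest(...)` is unreachable, because a failed non-nothrow `new` throws `std::bad_alloc` instead of returning null, so either drop it or use `std::make_unique` and let the exception propagate.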
@@ -0,0 +1,32 @@
+/* Copyright 2017 Google Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef API_MANAGER_CHECK_SECURITY_RULES_H_
+#define API_MANAGER_CHECK_SECURITY_RULES_H_
+
+#include "contrib/endpoints/include/api_manager/utils/status.h"
+#include "contrib/endpoints/src/api_manager/context/request_context.h"
+
+namespace google {
+namespace api_manager {
+
+// This function checks security rules for a given request.
+// It is called by CheckWorkflow class when processing a request.
+void CheckSecurityRules(std::shared_ptr context,
+std::function continuation);
+
+} // namespace api_manager
+} // namespace google
+
+#endif // API_MANAGER_CHECK_SECURITY_RULES_H_
diff --git a/contrib/endpoints/src/api_manager/check_workflow.cc b/contrib/endpoints/src/api_manager/check_workflow.cc
index 8335d779142..f12470b9aa4 100644
--- a/contrib/endpoints/src/api_manager/check_workflow.cc
+++ b/contrib/endpoints/src/api_manager/check_workflow.cc
@@ -18,6 +18,7 @@
 #include "contrib/endpoints/src/api_manager/check_auth.h"
 #include "contrib/endpoints/src/api_manager/check_service_control.h"
 #include "contrib/endpoints/src/api_manager/fetch_metadata.h"
+#include "contrib/endpoints/src/api_manager/check_security_rules.h"
 
 using ::google::api_manager::utils::Status;
 
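Review bot: The header declares `CheckSecurityRules` in terms of `std::shared_ptr` and `std::function` but includes neither `<memory>` nor `<functional>`, relying on `request_context.h` to provide them transitively; add `#include <functional>` and `#include <memory>` above the project includes so the header is self-contained. The .cc hunk of this commit has the same gap: its single standard include (whose name is lost in this rendering) is unlikely to cover `std::map`, `std::unique_ptr` and `std::function` all at once, so `<functional>`, `<map>`, `<memory>` and `<string>` should be listed there explicitly as well.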
@@ -33,6 +34,8 @@ void CheckWorkflow::RegisterAll() {
 Register(CheckAuth);
 // Checks service control.
 Register(CheckServiceControl);
+ // Check Security Rules.
+ Register(CheckSecurityRules);
 }
 
 void CheckWorkflow::Register(CheckHandler handler) {

From ca490b6ea7b48af5af2d26c503e6d958da7c198b Mon Sep 17 00:00:00 2001
From: Limin Wang
Date: Tue, 10 Jan 2017 15:20:40 -0800
Subject: [PATCH 2/2] Fix format.
---
 .../src/api_manager/check_security_rules.cc | 23 ++++++++-----------
 .../src/api_manager/check_security_rules.h | 2 +-
 .../src/api_manager/check_workflow.cc | 2 +-
 3 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/contrib/endpoints/src/api_manager/check_security_rules.cc b/contrib/endpoints/src/api_manager/check_security_rules.cc
index e48dd2093e6..b1d6b90ac36 100644
--- a/contrib/endpoints/src/api_manager/check_security_rules.cc
+++ b/contrib/endpoints/src/api_manager/check_security_rules.cc
@@ -27,7 +27,8 @@ namespace api_manager {
 
 namespace {
 
-const char kFirebaseServerStaging[] = "https://staging-firebaserules.sandbox.googleapis.com/";
+const char kFirebaseServerStaging[] =
+ "https://staging-firebaserules.sandbox.googleapis.com/";
 
 // An AuthzChecker object is created for every incoming request. It does
 // authorizaiton by calling Firebase Rules service.
@@ -40,12 +41,11 @@ class AuthzChecker : public std::enable_shared_from_this {
 
 private:
 // Helper function to send a http GET request.
- void HttpFetch(const std::string &url,
- const std::string &request_body,
+ void HttpFetch(const std::string &url, const std::string &request_body,
 std::function continuation);
 
 // Get Auth token for accessing Firebase Rules service.
- const std::string& GetAuthToken();
+ const std::string &GetAuthToken();
 
 // Request context.
 std::shared_ptr context_;
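Review bot: `Register(CheckSecurityRules)` is appended after `Register(CheckServiceControl)`, so the service-control check (and whatever it records for the request) runs before the authorization decision that security rules are meant to make; if requests denied by a rule should not reach service control at all, the new handler belongs between `Register(CheckAuth)` and `Register(CheckServiceControl)` instead. The added comment should also follow its neighbours' form: `// Checks security rules.`.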
@@ -68,22 +68,18 @@ void AuthzChecker::Check() {
 // If so, call Firebase Rules service TestRuleset API.
 }
 
-const std::string& AuthzChecker::GetAuthToken() {
+const std::string &AuthzChecker::GetAuthToken() {
 // TODO: Get Auth token for accessing Firebase Rules service.
 static std::string empty;
 return empty;
 }
 
 void AuthzChecker::HttpFetch(
- const std::string &url,
- const std::string &request_body,
+ const std::string &url, const std::string &request_body,
 std::function continuation) {
- std::unique_ptr request(
- new HTTPRequest([continuation](
- Status status, std::map &&,
- std::string &&body) {
- continuation(status, std::move(body));
- }));
+ std::unique_ptr request(new HTTPRequest([continuation](
+ Status status, std::map &&,
+ std::string &&body) { continuation(status, std::move(body)); }));
 if (!request) {
 continuation(Status(Code::INTERNAL, "Out of memory"), "");
 return;
@@ -108,4 +104,3 @@ void CheckSecurityRules(std::shared_ptr context,
 
 } // namespace api_manager
 } // namespace google
-
diff --git a/contrib/endpoints/src/api_manager/check_security_rules.h b/contrib/endpoints/src/api_manager/check_security_rules.h
index e3d9c499697..bc971c48786 100644
--- a/contrib/endpoints/src/api_manager/check_security_rules.h
+++ b/contrib/endpoints/src/api_manager/check_security_rules.h
@@ -24,7 +24,7 @@ namespace api_manager {
 // This function checks security rules for a given request.
 // It is called by CheckWorkflow class when processing a request.
 void CheckSecurityRules(std::shared_ptr context,
-std::function continuation);
+ std::function continuation);
 
 } // namespace api_manager
 } // namespace google
diff --git a/contrib/endpoints/src/api_manager/check_workflow.cc b/contrib/endpoints/src/api_manager/check_workflow.cc
index f12470b9aa4..7c869ab30cc 100644
--- a/contrib/endpoints/src/api_manager/check_workflow.cc
+++ b/contrib/endpoints/src/api_manager/check_workflow.cc
@@ -16,9 +16,9 @@
 #include "contrib/endpoints/src/api_manager/check_workflow.h"
 
 #include "contrib/endpoints/src/api_manager/check_auth.h"
+#include "contrib/endpoints/src/api_manager/check_security_rules.h"
 #include "contrib/endpoints/src/api_manager/check_service_control.h"
 #include "contrib/endpoints/src/api_manager/fetch_metadata.h"
-#include "contrib/endpoints/src/api_manager/check_security_rules.h"
 
 using ::google::api_manager::utils::Status;