diff --git a/contrib/endpoints/src/api_manager/BUILD b/contrib/endpoints/src/api_manager/BUILD
index e3d54b46eac..38671d6e90e 100644
--- a/contrib/endpoints/src/api_manager/BUILD
+++ b/contrib/endpoints/src/api_manager/BUILD
@@ -68,6 +68,8 @@ cc_library(
 "api_manager_impl.cc",
 "check_auth.cc",
 "check_auth.h",
+ "check_security_rules.cc",
+ "check_security_rules.h",
 "check_service_control.cc",
 "check_service_control.h",
 "check_workflow.cc",
diff --git a/contrib/endpoints/src/api_manager/check_security_rules.cc b/contrib/endpoints/src/api_manager/check_security_rules.cc
new file mode 100644
index 00000000000..b1d6b90ac36
--- /dev/null
+++ b/contrib/endpoints/src/api_manager/check_security_rules.cc
@@ -0,0 +1,106 @@
+// Copyright 2017 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+#include "contrib/endpoints/src/api_manager/check_security_rules.h"
+
+#include
+
+#include "contrib/endpoints/include/api_manager/api_manager.h"
+#include "contrib/endpoints/include/api_manager/request.h"
+
+using ::google::api_manager::utils::Status;
+
+namespace google {
+namespace api_manager {
+
+namespace {
+
+const char kFirebaseServerStaging[] =
+ "https://staging-firebaserules.sandbox.googleapis.com/";
+
+// An AuthzChecker object is created for every incoming request. It does
+// authorizaiton by calling Firebase Rules service.
+class AuthzChecker : public std::enable_shared_from_this {
+ public:
+ AuthzChecker(std::shared_ptr context,
+ std::function continuation);
+
+ void Check();
+
+ private:
+ // Helper function to send a http GET request.
+ void HttpFetch(const std::string &url, const std::string &request_body,
+ std::function continuation);
+
+ // Get Auth token for accessing Firebase Rules service.
+ const std::string &GetAuthToken();
+
+ // Request context.
+ std::shared_ptr context_;
+
+ // Pointer to access ESP running environment.
+ ApiManagerEnvInterface *env_;
+
+ // The final continuation function.
+ std::function on_done_;
+};
+
+AuthzChecker::AuthzChecker(std::shared_ptr context,
+ std::function continuation)
+ : context_(context),
+ env_(context_->service_context()->env()),
+ on_done_(continuation) {}
+
+void AuthzChecker::Check() {
+ // TODO: Check service config to see if "useSecurityRules" is specified.
+ // If so, call Firebase Rules service TestRuleset API.
+}
+
+const std::string &AuthzChecker::GetAuthToken() {
+ // TODO: Get Auth token for accessing Firebase Rules service.
+ static std::string empty;
+ return empty;
+}
+
+void AuthzChecker::HttpFetch(
+ const std::string &url, const std::string &request_body,
+ std::function continuation) {
+ std::unique_ptr request(new HTTPRequest([continuation](
+ Status status, std::map &&,
+ std::string &&body) { continuation(status, std::move(body)); }));
+ if (!request) {
+ continuation(Status(Code::INTERNAL, "Out of memory"), "");
+ return;
+ }
+
+ request->set_method("POST")
+ .set_url(url)
+ .set_auth_token(GetAuthToken())
+ .set_header("Content-Type", "application/json")
+ .set_body(request_body);
+ env_->RunHTTPRequest(std::move(request));
+}
+
+} // namespace
+
+void CheckSecurityRules(std::shared_ptr context,
+ std::function continuation) {
+ std::shared_ptr authzChecker =
+ std::make_shared(context, continuation);
+ authzChecker->Check();
+}
+
+} // namespace api_manager
+} // namespace google
diff --git a/contrib/endpoints/src/api_manager/check_security_rules.h b/contrib/endpoints/src/api_manager/check_security_rules.h
new file mode 100644
index 00000000000..bc971c48786
--- /dev/null
+++ b/contrib/endpoints/src/api_manager/check_security_rules.h
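Review bot: `AuthzChecker::Check()` (mid-hunk, right after the constructor) is a TODO stub that never invokes `on_done_`, so once `CheckSecurityRules` is registered in the workflow every request would presumably stall at this step with no continuation ever called; even as a placeholder it should complete the chain with `on_done_(Status::OK);`, and the eventual implementation should fail closed (deny on an unreachable or non-OK Rules response) rather than open. Two smaller inconsistencies in the same hunk: the `HttpFetch` comment says `http GET request` while the body does `set_method("POST")`, and the `if (!request)` branch after a plain `new` is unreachable because `new` throws on allocation failure rather than returning null. `GetAuthToken()` returns an empty string, so any request sent through `HttpFetch` in this state would reach the Rules service unauthenticated — worth a `// TODO: HttpFetch must not be used until a real token is wired in` until that lands. Callbacks added later should capture `shared_from_this()`, because the `shared_ptr` created in `CheckSecurityRules` is released as soon as `Check()` returns.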
@@ -0,0 +1,32 @@
+/* Copyright 2017 Google Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef API_MANAGER_CHECK_SECURITY_RULES_H_
+#define API_MANAGER_CHECK_SECURITY_RULES_H_
+
+#include "contrib/endpoints/include/api_manager/utils/status.h"
+#include "contrib/endpoints/src/api_manager/context/request_context.h"
+
+namespace google {
+namespace api_manager {
+
+// This function checks security rules for a given request.
+// It is called by CheckWorkflow class when processing a request.
+void CheckSecurityRules(std::shared_ptr context,
+ std::function continuation);
+
+} // namespace api_manager
+} // namespace google
+
+#endif // API_MANAGER_CHECK_SECURITY_RULES_H_
diff --git a/contrib/endpoints/src/api_manager/check_workflow.cc b/contrib/endpoints/src/api_manager/check_workflow.cc
index 8335d779142..7c869ab30cc 100644
--- a/contrib/endpoints/src/api_manager/check_workflow.cc
+++ b/contrib/endpoints/src/api_manager/check_workflow.cc
@@ -16,6 +16,7 @@
 #include "contrib/endpoints/src/api_manager/check_workflow.h"
 #include "contrib/endpoints/src/api_manager/check_auth.h"
+#include "contrib/endpoints/src/api_manager/check_security_rules.h"
 #include "contrib/endpoints/src/api_manager/check_service_control.h"
 #include "contrib/endpoints/src/api_manager/fetch_metadata.h"
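Review bot: The header declares `CheckSecurityRules` with `std::shared_ptr` and `std::function` parameters but includes only `utils/status.h` and `context/request_context.h`, so `<memory>` and `<functional>` are only picked up transitively; include them directly. The doc comment should also spell out the contract a workflow step is presumably expected to honor, since the first implementation has to get it right: `// Invokes |continuation| exactly once; a non-OK status rejects the request.`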
@@ -33,6 +34,8 @@ void CheckWorkflow::RegisterAll() {
 Register(CheckAuth);
 // Checks service control.
 Register(CheckServiceControl);
+ // Check Security Rules.
+ Register(CheckSecurityRules);
 }
 void CheckWorkflow::Register(CheckHandler handler) {
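Review bot: `Register(CheckSecurityRules)` is placed after `Register(CheckServiceControl)`, so the Firebase Rules authorization (once implemented) would run only after the service-control check has already been performed for the request; if the rules check is meant to gate access, authorization ordinarily precedes check/quota accounting and it would sit right after `Register(CheckAuth)`, whose result it presumably needs for the caller identity anyway. Whichever order is intended, the comment should record why, e.g. `// Checks Firebase security rules (after service control so denied requests are still accounted).` instead of the bare `// Check Security Rules.`, which also breaks the neighbouring `// Checks ...` phrasing. The enclosing `RegisterAll()` begins before this hunk.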