Add InternalRbacFilter

authz/build.gradle

@@ -46,6 +46,12 @@ tasks.named("shadowJar").configure {
     relocate 'com.google.api.expr', 'io.grpc.xds.shaded.com.google.api.expr'
 }
 
+tasks.named("compileJava").configure {
+    it.options.compilerArgs += [
+        "-Xlint:-processing",
+    ]
+}
+
 publishing {
     publications {
         maven(MavenPublication) {

authz/src/main/java/io/grpc/authz/AuthorizationServerInterceptor.java

@@ -19,21 +19,21 @@
 import static com.google.common.base.Preconditions.checkNotNull;
 
 import io.envoyproxy.envoy.config.rbac.v3.RBAC;
+import io.grpc.ExperimentalApi;
 import io.grpc.InternalServerInterceptors;
 import io.grpc.Metadata;
 import io.grpc.ServerCall;
 import io.grpc.ServerCallHandler;
 import io.grpc.ServerInterceptor;
-import io.grpc.xds.ConfigOrError;
-import io.grpc.xds.RbacConfig;
-import io.grpc.xds.RbacFilter;
+import io.grpc.xds.InternalRbacFilter;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 
 /**
  * Authorization server interceptor for static policy.
  */
+@ExperimentalApi("https://github.com/grpc/grpc-java/issues/9746")
 public final class AuthorizationServerInterceptor implements ServerInterceptor {
   private final List<ServerInterceptor> interceptors = new ArrayList<>();
 
@@ -44,14 +44,10 @@ private AuthorizationServerInterceptor(String authorizationPolicy)
       throw new IllegalArgumentException("Failed to translate authorization policy");
     }
     for (RBAC rbac: rbacs) {
-      ConfigOrError<RbacConfig> filterConfig = RbacFilter.parseRbacConfig(
-          io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC.newBuilder()
-          .setRules(rbac).build());
-      if (filterConfig.errorDetail != null) {
-        throw new IllegalArgumentException(
-            String.format("Failed to parse Rbac policy: %s", filterConfig.errorDetail));
-      }
-      interceptors.add(new RbacFilter().buildServerInterceptor(filterConfig.config, null));
+      interceptors.add(
+          InternalRbacFilter.createInterceptor(
+            io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC.newBuilder()
+            .setRules(rbac).build()));
     }
   }
 

xds/src/main/java/io/grpc/xds/ConfigOrError.java

@@ -20,7 +20,7 @@
 
 // TODO(zdapeng): Unify with ClientXdsClient.StructOrError, or just have parseFilterConfig() throw
 //     certain types of Exception.
-public final class ConfigOrError<T> {
+final class ConfigOrError<T> {
 
   /**
    * Returns a {@link ConfigOrError} for the successfully converted data object.
@@ -36,8 +36,8 @@ static <T> ConfigOrError<T> fromError(String errorDetail) {
     return new ConfigOrError<>(errorDetail);
   }
 
-  public final String errorDetail;
-  public final T config;
+  final String errorDetail;
+  final T config;
 
   private ConfigOrError(T config) {
     this.config = checkNotNull(config, "config");

xds/src/main/java/io/grpc/xds/InternalRbacFilter.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2021 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds;
+
+import io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC;
+import io.grpc.Internal;
+import io.grpc.ServerInterceptor;
+import io.grpc.xds.RbacConfig;
+import io.grpc.xds.RbacFilter;
+
+@Internal
+public final class InternalRbacFilter {
+    public static ServerInterceptor createInterceptor(RBAC rbac) throws IllegalArgumentException {
+      ConfigOrError<RbacConfig> filterConfig = RbacFilter.parseRbacConfig(rbac);
+      if (filterConfig.errorDetail != null) {
+        throw new IllegalArgumentException(
+            String.format("Failed to parse Rbac policy: %s", filterConfig.errorDetail));
+      }
+      return new RbacFilter().buildServerInterceptor(filterConfig.config, null);
+    }
+}

xds/src/main/java/io/grpc/xds/RbacConfig.java

@@ -23,7 +23,7 @@
 
 /** Rbac configuration for Rbac filter. */
 @AutoValue
-public abstract class RbacConfig implements FilterConfig {
+abstract class RbacConfig implements FilterConfig {
   @Override
   public final String typeUrl() {
     return RbacFilter.TYPE_URL;

xds/src/main/java/io/grpc/xds/RbacFilter.java

@@ -18,6 +18,7 @@
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.protobuf.Any;
 import com.google.protobuf.InvalidProtocolBufferException;
 import com.google.protobuf.Message;
@@ -63,7 +64,7 @@
 import javax.annotation.Nullable;
 
 /** RBAC Http filter implementation. */
-public final class RbacFilter implements Filter, ServerInterceptorBuilder {
+final class RbacFilter implements Filter, ServerInterceptorBuilder {
   private static final Logger logger = Logger.getLogger(RbacFilter.class.getName());
 
   static final RbacFilter INSTANCE = new RbacFilter();
@@ -74,7 +75,7 @@ public final class RbacFilter implements Filter, ServerInterceptorBuilder {
   private static final String TYPE_URL_OVERRIDE_CONFIG =
           "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute";
 
-  public RbacFilter() {}
+  RbacFilter() {}
 
   @Override
   public String[] typeUrls() {
@@ -96,11 +97,8 @@ public ConfigOrError<RbacConfig> parseFilterConfig(Message rawProtoMessage) {
     return parseRbacConfig(rbacProto);
   }
 
-  /**
-   * Parses Rbac filter config and generates authorization config that is used in engine
-   * evaluation.
-   */
-  public static ConfigOrError<RbacConfig> parseRbacConfig(RBAC rbac) {
+  @VisibleForTesting
+  static ConfigOrError<RbacConfig> parseRbacConfig(RBAC rbac) {
     if (!rbac.hasRules()) {
       return ConfigOrError.fromConfig(RbacConfig.create(null));
     }