@Test
public void missingSourceAndRequest() throws Exception {
  // A rule that omits both "source" and "request" entirely.
  String policyJson =
      "{ \"name\" : \"authz\" ,"
          + " \"allow_rules\" : [ { \"name\": \"allow_all\" } ]}";

  List<RBAC> translated = AuthorizationPolicyTranslator.translate(policyJson);

  // Only allow_rules are present, so exactly one ALLOW RBAC is produced.
  assertEquals(1, translated.size());

  // With no source/request constraints the policy is expected to carry a single
  // `any: true` principal and a single `any: true` permission, i.e. "allow_all"
  // really does admit every caller for every request. Policy names are prefixed
  // with the top-level policy name ("authz_" + "allow_all").
  Policy matchEverything =
      Policy.newBuilder()
          .addPrincipals(Principal.newBuilder().setAny(true))
          .addPermissions(Permission.newBuilder().setAny(true))
          .build();
  RBAC expected =
      RBAC.newBuilder()
          .setAction(Action.ALLOW)
          .putPolicies("authz_allow_all", matchEverything)
          .build();

  assertEquals(expected, translated.get(0));
}
@Test
public void emptySourceAndRequest() throws Exception {
  // Same as the missing case, but "source" and "request" are present as empty objects.
  String policyJson =
      "{ \"name\" : \"authz\" ,"
          + " \"allow_rules\" : [ { \"name\": \"allow_all\","
          + " \"source\": {}, \"request\": {} } ]}";

  List<RBAC> translated = AuthorizationPolicyTranslator.translate(policyJson);

  assertEquals(1, translated.size());

  // An empty "source" / "request" is expected to translate exactly like an absent
  // one: `any: true` for both principals and permissions, so the resulting ALLOW
  // policy matches every caller. Being explicit about "{}" does not narrow anything.
  Policy matchEverything =
      Policy.newBuilder()
          .addPrincipals(Principal.newBuilder().setAny(true))
          .addPermissions(Permission.newBuilder().setAny(true))
          .build();
  RBAC expected =
      RBAC.newBuilder()
          .setAction(Action.ALLOW)
          .putPolicies("authz_allow_all", matchEverything)
          .build();

  assertEquals(expected, translated.get(0));
}
/**
 * Converts an xDS HTTP RBAC filter config into the engine's {@code RbacConfig}.
 *
 * <p>Returns a config wrapping a {@code null} AuthConfig when there is nothing to
 * enforce (no {@code rules}, or action LOG), and an error when the config is one
 * this implementation does not understand. Errors fail the whole filter config
 * rather than silently dropping the offending policy.
 *
 * @param rbac the unpacked HTTP RBAC filter proto
 * @return the parsed config, or an error describing the first rejected element
 */
@VisibleForTesting
static ConfigOrError<RbacConfig> parseRbacConfig(RBAC rbac) {
  // No `rules` means no policies at all: the filter is installed with a null
  // AuthConfig, i.e. no authorization check is applied to requests.
  if (!rbac.hasRules()) {
    return ConfigOrError.fromConfig(RbacConfig.create(null));
  }

  io.envoyproxy.envoy.config.rbac.v3.RBAC rules = rbac.getRules();
  io.envoyproxy.envoy.config.rbac.v3.RBAC.Action action = rules.getAction();

  GrpcAuthorizationEngine.Action engineAction;
  if (action == io.envoyproxy.envoy.config.rbac.v3.RBAC.Action.ALLOW) {
    engineAction = GrpcAuthorizationEngine.Action.ALLOW;
  } else if (action == io.envoyproxy.envoy.config.rbac.v3.RBAC.Action.DENY) {
    engineAction = GrpcAuthorizationEngine.Action.DENY;
  } else if (action == io.envoyproxy.envoy.config.rbac.v3.RBAC.Action.LOG) {
    // LOG is accepted but not enforced: it yields the same null AuthConfig as the
    // "no rules" case, so its policies are never evaluated (and nothing in this
    // method logs them either).
    return ConfigOrError.fromConfig(RbacConfig.create(null));
  } else {
    // UNRECOGNIZED or any enum value added later: reject the config rather than
    // guess at a default action.
    return ConfigOrError.fromError("Unknown rbacConfig action type: " + action);
  }

  List<GrpcAuthorizationEngine.PolicyMatcher> matchers = new ArrayList<>();
  for (Map.Entry<String, Policy> named : rules.getPoliciesMap().entrySet()) {
    String policyName = named.getKey();
    try {
      Policy policy = named.getValue();
      // Envoy's expression-based condition / checked_condition fields are not
      // supported. A policy that sets one is rejected outright: evaluating it with
      // the condition ignored would make the policy match more than its author intended.
      if (policy.hasCondition() || policy.hasCheckedCondition()) {
        return ConfigOrError.fromError(
            "Policy.condition and Policy.checked_condition must not set: " + policyName);
      }
      matchers.add(
          PolicyMatcher.create(
              policyName,
              parsePermissionList(policy.getPermissionsList()),
              parsePrincipalList(policy.getPrincipalsList())));
    } catch (Exception e) {
      // Any parse failure in a single policy invalidates the whole filter config.
      return ConfigOrError.fromError("Encountered error parsing policy: " + e);
    }
  }

  return ConfigOrError.fromConfig(
      RbacConfig.create(AuthConfig.create(matchers, engineAction)));
}
/**
 * Unpacks the raw xDS filter config and hands it to {@link #parseRbacConfig}.
 *
 * @param rawProtoMessage the filter's typed config, expected to be an {@code Any}
 *     wrapping an HTTP RBAC proto
 * @return the parsed config, or an error if the message is not an {@code Any},
 *     does not hold an RBAC proto, or cannot be decoded
 */
@Override
public ConfigOrError<RbacConfig> parseFilterConfig(Message rawProtoMessage) {
  // Filter configs arrive as a packed Any; any other message type is rejected
  // before attempting to decode it.
  if (!(rawProtoMessage instanceof Any)) {
    return ConfigOrError.fromError("Invalid config type: " + rawProtoMessage.getClass());
  }

  RBAC filterProto;
  try {
    // unpack() checks the Any's type_url against RBAC before decoding, so both a
    // mismatched type and malformed bytes surface here as
    // InvalidProtocolBufferException and are reported as a config error.
    filterProto = ((Any) rawProtoMessage).unpack(RBAC.class);
  } catch (InvalidProtocolBufferException e) {
    return ConfigOrError.fromError("Invalid proto: " + e);
  }

  return parseRbacConfig(filterProto);
}
@Test
public void parseSourceSuccess() throws Exception {
  // deny_users lists four principal patterns exercising each matching form;
  // allow_any lists the bare "*".
  String policyJson =
      "{ \"name\" : \"authz\" ,"
          + " \"deny_rules\": [ { \"name\": \"deny_users\","
          + " \"source\": { \"principals\": ["
          + " \"spiffe://foo.com\", \"spiffe://bar*\", \"*baz\", \"spiffe://*.com\""
          + " ] } } ],"
          + " \"allow_rules\": [ { \"name\": \"allow_any\","
          + " \"source\": { \"principals\": [ \"*\" ] } } ]}";

  List<RBAC> translated = AuthorizationPolicyTranslator.translate(policyJson);

  // Deny and allow rules become separate RBAC protos; the DENY one comes first.
  assertEquals(2, translated.size());

  // Expected principal-name matchers, one per pattern in deny_users.
  StringMatcher exactFoo = StringMatcher.newBuilder().setExact("spiffe://foo.com").build();
  // Trailing '*' => prefix match on everything before it.
  StringMatcher prefixBar = StringMatcher.newBuilder().setPrefix("spiffe://bar").build();
  // Leading '*' => suffix match on everything after it.
  StringMatcher suffixBaz = StringMatcher.newBuilder().setSuffix("baz").build();
  // A '*' that is neither first nor last is NOT a wildcard: the whole string is
  // expected to be matched literally, so "spiffe://*.com" only matches itself.
  StringMatcher literalStarCom = StringMatcher.newBuilder().setExact("spiffe://*.com").build();
  // A bare "*" is expected to become a ".+" safe-regex on the authenticated principal
  // name rather than Principal.any, so unlike `any: true` it cannot match an empty
  // principal name.
  StringMatcher anyNonEmpty =
      StringMatcher.newBuilder()
          .setSafeRegex(RegexMatcher.newBuilder().setRegex(".+").build())
          .build();

  Permission anyPermission = Permission.newBuilder().setAny(true).build();

  // The source principals of one rule are OR'ed together into a single Principal.Set.
  Principal.Set.Builder denyIds =
      Principal.Set.newBuilder()
          .addIds(Principal.newBuilder().setAuthenticated(
              Authenticated.newBuilder().setPrincipalName(exactFoo)))
          .addIds(Principal.newBuilder().setAuthenticated(
              Authenticated.newBuilder().setPrincipalName(prefixBar)))
          .addIds(Principal.newBuilder().setAuthenticated(
              Authenticated.newBuilder().setPrincipalName(suffixBaz)))
          .addIds(Principal.newBuilder().setAuthenticated(
              Authenticated.newBuilder().setPrincipalName(literalStarCom)));
  RBAC expectedDeny =
      RBAC.newBuilder()
          .setAction(Action.DENY)
          .putPolicies(
              "authz_deny_users",
              Policy.newBuilder()
                  .addPrincipals(Principal.newBuilder().setOrIds(denyIds))
                  .addPermissions(anyPermission)
                  .build())
          .build();

  Principal.Set.Builder allowIds =
      Principal.Set.newBuilder()
          .addIds(Principal.newBuilder().setAuthenticated(
              Authenticated.newBuilder().setPrincipalName(anyNonEmpty)));
  RBAC expectedAllow =
      RBAC.newBuilder()
          .setAction(Action.ALLOW)
          .putPolicies(
              "authz_allow_any",
              Policy.newBuilder()
                  .addPrincipals(Principal.newBuilder().setOrIds(allowIds))
                  .addPermissions(anyPermission)
                  .build())
          .build();

  assertEquals(expectedDeny, translated.get(0));
  assertEquals(expectedAllow, translated.get(1));
}