Example use of io.envoyproxy.envoy.config.rbac.v3.RBAC in the grpc-java project (by grpc).
Taken from the class AuthorizationPolicyTranslatorTest, method parseRequestSuccess.
/**
 * Checks that a JSON authorization policy whose rules only constrain the request (paths and
 * headers) is translated into exactly two Envoy RBAC messages.
 *
 * <p>What this test pins down:
 * <ul>
 *   <li>Index 0 of the result is the DENY RBAC and index 1 is the ALLOW RBAC.</li>
 *   <li>Each RBAC policy is keyed as {@code <policy name>_<rule name>}, e.g.
 *       {@code authz_deny_access}.</li>
 *   <li>Wildcards map to string matchers: no {@code *} is an exact match, a trailing {@code *}
 *       is a prefix match, a leading {@code *} is a suffix match, and a bare {@code *} is the
 *       safe-regex {@code .+}.</li>
 *   <li>None of the rules declares a source, and every expected policy carries a single
 *       {@code any = true} principal. Principal matching itself is not exercised here.</li>
 * </ul>
 */
@Test
public void parseRequestSuccess() throws Exception {
  // Arrange: the policy document, kept as the same literal fragments so the input is unchanged.
  String policy =
      "{"
          + " \"name\" : \"authz\" ,"
          + " \"deny_rules\": ["
          + " {"
          + " \"name\": \"deny_access\","
          + " \"request\": {"
          + " \"paths\": ["
          + " \"/pkg.service/foo\","
          + " \"/pkg.service/bar*\""
          + " ],"
          + " \"headers\": ["
          + " {"
          + " \"key\": \"dev-path\","
          + " \"values\": [\"/dev/path/*\"]"
          + " }"
          + " ]"
          + " }"
          + " }"
          + " ],"
          + " \"allow_rules\": ["
          + " {"
          + " \"name\": \"allow_access1\","
          + " \"request\": {"
          + " \"headers\": ["
          + " {"
          + " \"key\": \"key-1\","
          + " \"values\": ["
          + " \"foo\","
          + " \"*bar\""
          + " ]"
          + " },"
          + " {"
          + " \"key\": \"key-2\","
          + " \"values\": ["
          + " \"*\""
          + " ]"
          + " }"
          + " ]"
          + " }"
          + " },"
          + " {"
          + " \"name\": \"allow_access2\","
          + " \"request\": {"
          + " \"paths\": ["
          + " \"*baz\""
          + " ]"
          + " }"
          + " }"
          + " ]"
          + "}";

  // No rule names a source, so every expected policy matches any principal.
  Principal anyone = Principal.newBuilder().setAny(true).build();

  // ---- deny_access: (path foo OR path bar*) AND (header dev-path) ----
  Permission fooPathExact =
      Permission.newBuilder()
          .setUrlPath(
              PathMatcher.newBuilder()
                  .setPath(StringMatcher.newBuilder().setExact("/pkg.service/foo").build())
                  .build())
          .build();
  // Trailing '*' in "/pkg.service/bar*" is expected to become a prefix match.
  Permission barPathPrefix =
      Permission.newBuilder()
          .setUrlPath(
              PathMatcher.newBuilder()
                  .setPath(StringMatcher.newBuilder().setPrefix("/pkg.service/bar").build())
                  .build())
          .build();
  Permission denyAnyPath =
      Permission.newBuilder()
          .setOrRules(
              Permission.Set.newBuilder().addRules(fooPathExact).addRules(barPathPrefix).build())
          .build();

  Permission devPathHeaderPrefix =
      Permission.newBuilder()
          .setHeader(
              HeaderMatcher.newBuilder()
                  .setName("dev-path")
                  .setStringMatch(StringMatcher.newBuilder().setPrefix("/dev/path/").build())
                  .build())
          .build();
  Permission devPathAnyValue =
      Permission.newBuilder()
          .setOrRules(Permission.Set.newBuilder().addRules(devPathHeaderPrefix).build())
          .build();
  // Header entries are AND-ed together; the values of a single header are OR-ed.
  Permission denyAllHeaders =
      Permission.newBuilder()
          .setAndRules(Permission.Set.newBuilder().addRules(devPathAnyValue).build())
          .build();

  Permission denyRequest =
      Permission.newBuilder()
          .setAndRules(
              Permission.Set.newBuilder().addRules(denyAnyPath).addRules(denyAllHeaders).build())
          .build();
  Policy denyAccessPolicy =
      Policy.newBuilder().addPermissions(denyRequest).addPrincipals(anyone).build();
  RBAC expectedDenyRbac =
      RBAC.newBuilder()
          .setAction(Action.DENY)
          .putPolicies("authz_deny_access", denyAccessPolicy)
          .build();

  // ---- allow_access1: (key-1 is foo OR *bar) AND (key-2 is *) ----
  Permission key1ExactFoo =
      Permission.newBuilder()
          .setHeader(
              HeaderMatcher.newBuilder()
                  .setName("key-1")
                  .setStringMatch(StringMatcher.newBuilder().setExact("foo").build())
                  .build())
          .build();
  // Leading '*' in "*bar" is expected to become a suffix match.
  Permission key1SuffixBar =
      Permission.newBuilder()
          .setHeader(
              HeaderMatcher.newBuilder()
                  .setName("key-1")
                  .setStringMatch(StringMatcher.newBuilder().setSuffix("bar").build())
                  .build())
          .build();
  Permission key1AnyValue =
      Permission.newBuilder()
          .setOrRules(
              Permission.Set.newBuilder().addRules(key1ExactFoo).addRules(key1SuffixBar).build())
          .build();

  // A bare "*" value is expected to become the safe-regex ".+".
  Permission key2NonEmpty =
      Permission.newBuilder()
          .setHeader(
              HeaderMatcher.newBuilder()
                  .setName("key-2")
                  .setStringMatch(
                      StringMatcher.newBuilder()
                          .setSafeRegex(RegexMatcher.newBuilder().setRegex(".+").build())
                          .build())
                  .build())
          .build();
  Permission key2AnyValue =
      Permission.newBuilder()
          .setOrRules(Permission.Set.newBuilder().addRules(key2NonEmpty).build())
          .build();

  Permission allow1AllHeaders =
      Permission.newBuilder()
          .setAndRules(
              Permission.Set.newBuilder().addRules(key1AnyValue).addRules(key2AnyValue).build())
          .build();
  Permission allow1Request =
      Permission.newBuilder()
          .setAndRules(Permission.Set.newBuilder().addRules(allow1AllHeaders).build())
          .build();
  Policy allowAccess1Policy =
      Policy.newBuilder().addPermissions(allow1Request).addPrincipals(anyone).build();

  // ---- allow_access2: path *baz ----
  Permission bazPathSuffix =
      Permission.newBuilder()
          .setUrlPath(
              PathMatcher.newBuilder()
                  .setPath(StringMatcher.newBuilder().setSuffix("baz").build())
                  .build())
          .build();
  Permission allow2AnyPath =
      Permission.newBuilder()
          .setOrRules(Permission.Set.newBuilder().addRules(bazPathSuffix).build())
          .build();
  Permission allow2Request =
      Permission.newBuilder()
          .setAndRules(Permission.Set.newBuilder().addRules(allow2AnyPath).build())
          .build();
  Policy allowAccess2Policy =
      Policy.newBuilder().addPermissions(allow2Request).addPrincipals(anyone).build();

  // Both allow rules live in one ALLOW RBAC, keyed by "<policy name>_<rule name>".
  RBAC expectedAllowRbac =
      RBAC.newBuilder()
          .setAction(Action.ALLOW)
          .putPolicies("authz_allow_access1", allowAccess1Policy)
          .putPolicies("authz_allow_access2", allowAccess2Policy)
          .build();

  // Act.
  List<RBAC> rbacs = AuthorizationPolicyTranslator.translate(policy);

  // Assert: exactly two messages, DENY first and ALLOW second.
  assertEquals(2, rbacs.size());
  assertEquals(expectedDenyRbac, rbacs.get(0));
  assertEquals(expectedAllowRbac, rbacs.get(1));
}