use of io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC in project grpc-java by grpc.
the class AuthorizationPolicyTranslatorTest method missingSourceAndRequest.
/**
 * A rule that carries neither a {@code source} nor a {@code request} section translates to a
 * policy that matches every principal and every permission (a full wildcard on both axes).
 */
@Test
public void missingSourceAndRequest() throws Exception {
  String authzPolicy = String.join("",
      "{",
      " \"name\" : \"authz\" ,",
      " \"allow_rules\" : [",
      " {",
      " \"name\": \"allow_all\"",
      " }",
      " ]",
      "}");
  List<RBAC> translated = AuthorizationPolicyTranslator.translate(authzPolicy);
  assertEquals(1, translated.size());

  // Absent source and request both collapse to "any".
  Policy allowAll = Policy.newBuilder()
      .addPrincipals(Principal.newBuilder().setAny(true))
      .addPermissions(Permission.newBuilder().setAny(true))
      .build();
  RBAC expectedAllow = RBAC.newBuilder()
      .setAction(Action.ALLOW)
      .putPolicies("authz_allow_all", allowAll)
      .build();
  assertEquals(expectedAllow, translated.get(0));
}
use of io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC in project grpc-java by grpc.
the class AuthorizationPolicyTranslatorTest method emptySourceAndRequest.
/**
 * Explicitly empty {@code "source": {}} and {@code "request": {}} sections are treated exactly
 * like omitted ones: the resulting policy matches any principal and any permission.
 */
@Test
public void emptySourceAndRequest() throws Exception {
  String authzPolicy = String.join("",
      "{",
      " \"name\" : \"authz\" ,",
      " \"allow_rules\" : [",
      " {",
      " \"name\": \"allow_all\",",
      " \"source\": {},",
      " \"request\": {}",
      " }",
      " ]",
      "}");
  List<RBAC> translated = AuthorizationPolicyTranslator.translate(authzPolicy);
  assertEquals(1, translated.size());

  // Same expectation as the missing-section case: empty == unrestricted.
  Policy allowAll = Policy.newBuilder()
      .addPrincipals(Principal.newBuilder().setAny(true))
      .addPermissions(Permission.newBuilder().setAny(true))
      .build();
  RBAC expectedAllow = RBAC.newBuilder()
      .setAction(Action.ALLOW)
      .putPolicies("authz_allow_all", allowAll)
      .build();
  assertEquals(expectedAllow, translated.get(0));
}
use of io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC in project grpc-java by grpc.
the class RbacFilter method parseFilterConfig.
/**
 * Parses the RBAC HTTP filter configuration delivered inside an {@link Any} wrapper.
 *
 * @param rawProtoMessage the filter config as received; must be an {@link Any} whose payload is
 *     an {@link RBAC} proto
 * @return the parsed {@link RbacConfig}, or an error if the message is not an {@link Any} or its
 *     payload cannot be unpacked as {@link RBAC}
 */
@Override
public ConfigOrError<RbacConfig> parseFilterConfig(Message rawProtoMessage) {
  if (!(rawProtoMessage instanceof Any)) {
    return ConfigOrError.fromError("Invalid config type: " + rawProtoMessage.getClass());
  }
  RBAC rbacProto;
  try {
    // unpack() verifies the Any's type URL against RBAC before decoding, so a wrapper carrying
    // some other message type is rejected here rather than silently misparsed.
    rbacProto = ((Any) rawProtoMessage).unpack(RBAC.class);
  } catch (InvalidProtocolBufferException e) {
    return ConfigOrError.fromError("Invalid proto: " + e);
  }
  return parseRbacConfig(rbacProto);
}
use of io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC in project grpc-java by grpc.
the class AuthorizationPolicyTranslatorTest method parseSourceSuccess.
/**
 * Source principals translate to authenticated-principal matchers: a leading {@code *} becomes a
 * suffix match, a trailing {@code *} a prefix match, a bare {@code *} a non-empty regex, and
 * anything else (including a {@code *} in the middle) an exact match. The deny RBAC is emitted
 * ahead of the allow RBAC.
 */
@Test
public void parseSourceSuccess() throws Exception {
  String authzPolicy = String.join("",
      "{",
      " \"name\" : \"authz\" ,",
      " \"deny_rules\": [",
      " {",
      " \"name\": \"deny_users\",",
      " \"source\": {",
      " \"principals\": [",
      " \"spiffe://foo.com\",",
      " \"spiffe://bar*\",",
      " \"*baz\",",
      " \"spiffe://*.com\"",
      " ]",
      " }",
      " }",
      " ],",
      " \"allow_rules\": [",
      " {",
      " \"name\": \"allow_any\",",
      " \"source\": {",
      " \"principals\": [",
      " \"*\"",
      " ]",
      " }",
      " }",
      " ]",
      "}");
  List<RBAC> translated = AuthorizationPolicyTranslator.translate(authzPolicy);
  assertEquals(2, translated.size());

  StringMatcher exactFoo = StringMatcher.newBuilder().setExact("spiffe://foo.com").build();
  StringMatcher prefixBar = StringMatcher.newBuilder().setPrefix("spiffe://bar").build();
  StringMatcher suffixBaz = StringMatcher.newBuilder().setSuffix("baz").build();
  // Only a leading or trailing '*' is a wildcard; one in the middle is matched literally.
  StringMatcher literalStar = StringMatcher.newBuilder().setExact("spiffe://*.com").build();
  Principal.Set.Builder denyIds = Principal.Set.newBuilder();
  for (StringMatcher nameMatcher
      : new StringMatcher[] {exactFoo, prefixBar, suffixBaz, literalStar}) {
    denyIds.addIds(Principal.newBuilder()
        .setAuthenticated(Authenticated.newBuilder().setPrincipalName(nameMatcher).build())
        .build());
  }
  Policy denyUsers = Policy.newBuilder()
      .addPrincipals(Principal.newBuilder().setOrIds(denyIds.build()).build())
      .addPermissions(Permission.newBuilder().setAny(true))
      .build();
  RBAC expectedDeny = RBAC.newBuilder()
      .setAction(Action.DENY)
      .putPolicies("authz_deny_users", denyUsers)
      .build();

  // A bare "*" becomes the regex ".+" on the *authenticated* principal name — presumably so a
  // peer with an empty name does not satisfy it; confirm against the translator.
  StringMatcher anyNonEmptyName = StringMatcher.newBuilder()
      .setSafeRegex(RegexMatcher.newBuilder().setRegex(".+").build())
      .build();
  Principal anyAuthenticated = Principal.newBuilder()
      .setAuthenticated(Authenticated.newBuilder().setPrincipalName(anyNonEmptyName).build())
      .build();
  Policy allowAny = Policy.newBuilder()
      .addPrincipals(Principal.newBuilder()
          .setOrIds(Principal.Set.newBuilder().addIds(anyAuthenticated).build())
          .build())
      .addPermissions(Permission.newBuilder().setAny(true))
      .build();
  RBAC expectedAllow = RBAC.newBuilder()
      .setAction(Action.ALLOW)
      .putPolicies("authz_allow_any", allowAny)
      .build();

  assertEquals(expectedDeny, translated.get(0));
  assertEquals(expectedAllow, translated.get(1));
}
use of io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC in project grpc-java by grpc.
the class AuthorizationPolicyTranslatorTest method parseRequestSuccess.
/**
 * Request matchers translate to a top-level AND of: an OR over the listed paths (when present)
 * and an AND over the listed headers (when present), where each header is itself an OR over its
 * values. Path and header values use the same wildcard rules as principals. Both allow rules end
 * up in a single ALLOW RBAC keyed by {@code <policy>_<rule>}.
 */
@Test
public void parseRequestSuccess() throws Exception {
  String authzPolicy = String.join("",
      "{",
      " \"name\" : \"authz\" ,",
      " \"deny_rules\": [",
      " {",
      " \"name\": \"deny_access\",",
      " \"request\": {",
      " \"paths\": [",
      " \"/pkg.service/foo\",",
      " \"/pkg.service/bar*\"",
      " ],",
      " \"headers\": [",
      " {",
      " \"key\": \"dev-path\",",
      " \"values\": [\"/dev/path/*\"]",
      " }",
      " ]",
      " }",
      " }",
      " ],",
      " \"allow_rules\": [",
      " {",
      " \"name\": \"allow_access1\",",
      " \"request\": {",
      " \"headers\": [",
      " {",
      " \"key\": \"key-1\",",
      " \"values\": [",
      " \"foo\",",
      " \"*bar\"",
      " ]",
      " },",
      " {",
      " \"key\": \"key-2\",",
      " \"values\": [",
      " \"*\"",
      " ]",
      " }",
      " ]",
      " }",
      " },",
      " {",
      " \"name\": \"allow_access2\",",
      " \"request\": {",
      " \"paths\": [",
      " \"*baz\"",
      " ]",
      " }",
      " }",
      " ]",
      "}");
  List<RBAC> translated = AuthorizationPolicyTranslator.translate(authzPolicy);
  assertEquals(2, translated.size());

  // ---- deny_access: OR(paths) AND AND(OR(dev-path values)) ----
  StringMatcher fooExact = StringMatcher.newBuilder().setExact("/pkg.service/foo").build();
  StringMatcher barPrefix = StringMatcher.newBuilder().setPrefix("/pkg.service/bar").build();
  Permission pathFoo = Permission.newBuilder()
      .setUrlPath(PathMatcher.newBuilder().setPath(fooExact).build())
      .build();
  Permission pathBar = Permission.newBuilder()
      .setUrlPath(PathMatcher.newBuilder().setPath(barPrefix).build())
      .build();
  Permission anyDenyPath = Permission.newBuilder()
      .setOrRules(Permission.Set.newBuilder().addRules(pathFoo).addRules(pathBar).build())
      .build();
  // "/dev/path/*" is a trailing wildcard, hence a prefix match on the header value.
  HeaderMatcher devPath = HeaderMatcher.newBuilder()
      .setName("dev-path")
      .setStringMatch(StringMatcher.newBuilder().setPrefix("/dev/path/").build())
      .build();
  Permission devPathAnyValue = Permission.newBuilder()
      .setOrRules(Permission.Set.newBuilder()
          .addRules(Permission.newBuilder().setHeader(devPath).build())
          .build())
      .build();
  Permission allDenyHeaders = Permission.newBuilder()
      .setAndRules(Permission.Set.newBuilder().addRules(devPathAnyValue).build())
      .build();
  Policy denyAccess = Policy.newBuilder()
      .addPermissions(Permission.newBuilder()
          .setAndRules(Permission.Set.newBuilder()
              .addRules(anyDenyPath)
              .addRules(allDenyHeaders)
              .build()))
      .addPrincipals(Principal.newBuilder().setAny(true))
      .build();
  RBAC expectedDeny = RBAC.newBuilder()
      .setAction(Action.DENY)
      .putPolicies("authz_deny_access", denyAccess)
      .build();

  // ---- allow_access1: AND(AND(OR(key-1 values), OR(key-2 values))) ----
  HeaderMatcher key1Foo = HeaderMatcher.newBuilder()
      .setName("key-1")
      .setStringMatch(StringMatcher.newBuilder().setExact("foo").build())
      .build();
  HeaderMatcher key1Bar = HeaderMatcher.newBuilder()
      .setName("key-1")
      .setStringMatch(StringMatcher.newBuilder().setSuffix("bar").build())
      .build();
  // A bare "*" value becomes the regex ".+": the header must be present with a non-empty value.
  HeaderMatcher key2Any = HeaderMatcher.newBuilder()
      .setName("key-2")
      .setStringMatch(StringMatcher.newBuilder()
          .setSafeRegex(RegexMatcher.newBuilder().setRegex(".+").build())
          .build())
      .build();
  Permission key1AnyValue = Permission.newBuilder()
      .setOrRules(Permission.Set.newBuilder()
          .addRules(Permission.newBuilder().setHeader(key1Foo).build())
          .addRules(Permission.newBuilder().setHeader(key1Bar).build())
          .build())
      .build();
  Permission key2AnyValue = Permission.newBuilder()
      .setOrRules(Permission.Set.newBuilder()
          .addRules(Permission.newBuilder().setHeader(key2Any).build())
          .build())
      .build();
  Permission allAllowHeaders = Permission.newBuilder()
      .setAndRules(Permission.Set.newBuilder()
          .addRules(key1AnyValue)
          .addRules(key2AnyValue)
          .build())
      .build();
  Policy allowAccess1 = Policy.newBuilder()
      .addPermissions(Permission.newBuilder()
          .setAndRules(Permission.Set.newBuilder().addRules(allAllowHeaders).build()))
      .addPrincipals(Principal.newBuilder().setAny(true))
      .build();

  // ---- allow_access2: AND(OR(paths)) ----
  Permission pathBaz = Permission.newBuilder()
      .setUrlPath(PathMatcher.newBuilder()
          .setPath(StringMatcher.newBuilder().setSuffix("baz").build())
          .build())
      .build();
  Permission anyAllowPath = Permission.newBuilder()
      .setOrRules(Permission.Set.newBuilder().addRules(pathBaz).build())
      .build();
  Policy allowAccess2 = Policy.newBuilder()
      .addPermissions(Permission.newBuilder()
          .setAndRules(Permission.Set.newBuilder().addRules(anyAllowPath).build()))
      .addPrincipals(Principal.newBuilder().setAny(true))
      .build();

  RBAC expectedAllow = RBAC.newBuilder()
      .setAction(Action.ALLOW)
      .putPolicies("authz_allow_access1", allowAccess1)
      .putPolicies("authz_allow_access2", allowAccess2)
      .build();

  assertEquals(expectedDeny, translated.get(0));
  assertEquals(expectedAllow, translated.get(1));
}