Example 1 with RBACPerRoute

Use of io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute in project grpc-java by grpc.

The class RbacFilterTest, method overrideConfig.

@Test
@SuppressWarnings("unchecked")
public void overrideConfig() {
    ServerCallHandler<Void, Void> mockHandler = mock(ServerCallHandler.class);
    ServerCall<Void, Void> mockServerCall = mock(ServerCall.class);
    // The mocked call arrives on local port 20.
    Attributes attr = Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress("1::", 20)).build();
    when(mockServerCall.getAttributes()).thenReturn(attr);
    // Original (listener-level) policy: ALLOW only destination port 99999, which does not match port 20.
    PolicyMatcher policyMatcher = PolicyMatcher.create("policy-matcher", OrMatcher.create(DestinationPortMatcher.create(99999)), OrMatcher.create(AlwaysTrueMatcher.INSTANCE));
    AuthConfig authconfig = AuthConfig.create(Collections.singletonList(policyMatcher), GrpcAuthorizationEngine.Action.ALLOW);
    RbacConfig original = RbacConfig.create(authconfig);
    // An RBACPerRoute with no rbac field parses to a config with a null AuthConfig.
    RBACPerRoute rbacPerRoute = RBACPerRoute.newBuilder().build();
    RbacConfig override = new RbacFilter().parseFilterConfigOverride(Any.pack(rbacPerRoute)).config;
    assertThat(override).isEqualTo(RbacConfig.create(null));
    // With that override no interceptor is built, so the original policy is not enforced on this route.
    ServerInterceptor interceptor = new RbacFilter().buildServerInterceptor(original, override);
    assertThat(interceptor).isNull();
    // A non-empty override replaces the original policy: ALLOW destination port 20, which matches.
    policyMatcher = PolicyMatcher.create("policy-matcher-override", OrMatcher.create(DestinationPortMatcher.create(20)), OrMatcher.create(AlwaysTrueMatcher.INSTANCE));
    authconfig = AuthConfig.create(Collections.singletonList(policyMatcher), GrpcAuthorizationEngine.Action.ALLOW);
    override = RbacConfig.create(authconfig);
    new RbacFilter().buildServerInterceptor(original, override).interceptCall(mockServerCall, new Metadata(), mockHandler);
    // The call reaches the handler, so the override policy was the one evaluated.
    verify(mockHandler).startCall(eq(mockServerCall), any(Metadata.class));
    verify(mockServerCall).getAttributes();
    verifyNoMoreInteractions(mockServerCall);
}
Also used : RBACPerRoute(io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute) InetSocketAddress(java.net.InetSocketAddress) ServerInterceptor(io.grpc.ServerInterceptor) Attributes(io.grpc.Attributes) Metadata(io.grpc.Metadata) AuthConfig(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) Test(org.junit.Test)

Example 2 with RBACPerRoute

Use of io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute in project grpc-java by grpc.

The class ClientXdsClientDataTest, method parseOverrideRbacFilterConfig.

@Test
public void parseOverrideRbacFilterConfig() {
    filterRegistry.register(RbacFilter.INSTANCE);
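    // The fully qualified RBAC is the HTTP filter config; the unqualified RBAC passed to
    // setRules is the policy message that carries the action and the named policies.
    RBACPerRoute rbacPerRoute = RBACPerRoute.newBuilder()
        .setRbac(io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC.newBuilder()
            .setRules(RBAC.newBuilder()
                .setAction(Action.ALLOW)
                // "allow-all": any principal, any permission.
                .putPolicies("allow-all", Policy.newBuilder()
                    .addPrincipals(Principal.newBuilder().setAny(true))
                    .addPermissions(Permission.newBuilder().setAny(true))
                    .build())))
        .build();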
    Map<String, Any> configOverrides = ImmutableMap.of("envoy.auth", Any.pack(rbacPerRoute));
    Map<String, FilterConfig> parsedConfigs = ClientXdsClient.parseOverrideFilterConfigs(configOverrides, filterRegistry).getStruct();
    assertThat(parsedConfigs).hasSize(1);
    assertThat(parsedConfigs).containsKey("envoy.auth");
    assertThat(parsedConfigs.get("envoy.auth")).isInstanceOf(RbacConfig.class);
}
Also used : RBACPerRoute(io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute) FilterConfig(io.grpc.xds.Filter.FilterConfig) Any(com.google.protobuf.Any) Test(org.junit.Test)

Example 3 with RBACPerRoute

Use of io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute in project grpc-java by grpc.

The class RbacFilterTest, method parseOverride.

private ConfigOrError<RbacConfig> parseOverride(List<Permission> permissionList, List<Principal> principalList) {
    RBACPerRoute rbacPerRoute = RBACPerRoute.newBuilder().setRbac(buildRbac(permissionList, principalList)).build();
    Any proto = Any.pack(rbacPerRoute);
    return new RbacFilter().parseFilterConfigOverride(proto);
}
Also used : RBACPerRoute(io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute) Any(com.google.protobuf.Any)

Example 4 with RBACPerRoute

Use of io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute in project grpc-java by grpc.

The class RbacFilter, method parseFilterConfigOverride.

@Override
public ConfigOrError<RbacConfig> parseFilterConfigOverride(Message rawProtoMessage) {
    RBACPerRoute rbacPerRoute;
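    // The override must arrive wrapped in a protobuf Any; anything else is rejected as an error.
    if (!(rawProtoMessage instanceof Any)) {
        return ConfigOrError.fromError("Invalid config type: " + rawProtoMessage.getClass());
    }
    Any anyMessage = (Any) rawProtoMessage;
    try {
        // Fails if the Any does not hold an RBACPerRoute or its payload does not parse.
        rbacPerRoute = anyMessage.unpack(RBACPerRoute.class);
    } catch (InvalidProtocolBufferException e) {
        return ConfigOrError.fromError("Invalid proto: " + e);
    }
    if (rbacPerRoute.hasRbac()) {
        // A per-route policy is present: parse it like a top-level RBAC config.
        return parseRbacConfig(rbacPerRoute.getRbac());
    } else {
        // No rbac field: return a config with a null AuthConfig. RbacFilterTest.overrideConfig
        // shows that no interceptor is built for this override.
        return ConfigOrError.fromConfig(RbacConfig.create(null));
    }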
}
Also used : RBACPerRoute(io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute) InvalidProtocolBufferException(com.google.protobuf.InvalidProtocolBufferException) Any(com.google.protobuf.Any)
