use of io.grpc.xds.internal.Matchers.CidrMatcher in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method multiplePolicies.
@Test
public void multiplePolicies() throws Exception {
  // Two policies under a DENY action: the test expects the call to be denied and the
  // decision to be attributed to the first policy (POLICY_NAME), not to POLICY_NAME + "-2".

  // Policy 1 principal: authenticated name ending in "TEST.google.fr" AND the path matcher.
  // NOTE(review): the `true` flag is presumably ignore-case; confirm against
  // StringMatcher.forSuffix.
  AuthenticatedMatcher suffixAuth =
      AuthenticatedMatcher.create(StringMatcher.forSuffix("TEST.google.fr", true));
  PathMatcher path = PathMatcher.create(STRING_MATCHER);
  OrMatcher firstPrincipal = OrMatcher.create(AndMatcher.create(suffixAuth, path));
  // Policy 1 permission: the path matcher AND NOT (destination port == PORT + 1).
  OrMatcher firstPermission =
      OrMatcher.create(
          AndMatcher.create(
              path, InvertMatcher.create(DestinationPortMatcher.create(PORT + 1))));
  PolicyMatcher firstPolicy = PolicyMatcher.create(POLICY_NAME, firstPermission, firstPrincipal);

  // Policy 2 principal: exact header HEADER_KEY = HEADER_VALUE + 1, OR an authenticated name
  // containing "TEST.google.fr".
  AuthHeaderMatcher header =
      AuthHeaderMatcher.create(
          Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE + 1, false));
  AuthenticatedMatcher containsAuth =
      AuthenticatedMatcher.create(StringMatcher.forContains("TEST.google.fr"));
  OrMatcher secondPrincipal = OrMatcher.create(header, containsAuth);
  // Policy 2 permission: destination IP inside IP_ADDR1/24, OR the path matcher.
  DestinationIpMatcher destinationIp =
      DestinationIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24));
  OrMatcher secondPermission = OrMatcher.create(destinationIp, path);
  PolicyMatcher secondPolicy =
      PolicyMatcher.create(POLICY_NAME + "-2", secondPermission, secondPrincipal);

  AuthConfig denyConfig =
      AuthConfig.create(ImmutableList.of(firstPolicy, secondPolicy), Action.DENY);
  GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(denyConfig);

  AuthDecision verdict = engine.evaluate(HEADER, serverCall);
  assertThat(verdict.decision()).isEqualTo(Action.DENY);
  assertThat(verdict.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
use of io.grpc.xds.internal.Matchers.CidrMatcher in project grpc-java by grpc.
the class MatcherTest method ipMatcher_ipv4.
@Test
public void ipMatcher_ipv4() throws Exception {
  // 10.10.24.10/20 keeps the top 20 bits, so the block is 10.10.16.0 - 10.10.31.255.
  CidrMatcher slash20 = CidrMatcher.create(InetAddress.getByName("10.10.24.10"), 20);

  // An IPv6 address must not match an IPv4 block.
  assertThat(slash20.matches(InetAddress.getByName("::0"))).isFalse();

  // Addresses inside the block, including the network address and the seed address itself.
  assertThat(slash20.matches(InetAddress.getByName("10.10.20.0"))).isTrue();
  assertThat(slash20.matches(InetAddress.getByName("10.10.16.0"))).isTrue();
  assertThat(slash20.matches(InetAddress.getByName("10.10.24.10"))).isTrue();
  assertThat(slash20.matches(InetAddress.getByName("10.10.31.0"))).isTrue();
  assertThat(slash20.matches(InetAddress.getByName("10.10.17.0"))).isTrue();

  // Addresses outside the block: a different second octet, and a third octet past the mask.
  assertThat(slash20.matches(InetAddress.getByName("10.32.20.0"))).isFalse();
  assertThat(slash20.matches(InetAddress.getByName("10.10.40.0"))).isFalse();
  // NOTE(review): the exact edges (10.10.15.255, 10.10.31.255, 10.10.32.0) are not asserted
  // here; an off-by-one in the mask would only be caught by those values.

  // 0.0.0.0/20 covers 0.0.0.0 - 0.0.15.255.
  CidrMatcher zeroNet = CidrMatcher.create(InetAddress.getByName("0.0.0.0"), 20);
  assertThat(zeroNet.matches(InetAddress.getByName("10.32.20.0"))).isFalse();
  assertThat(zeroNet.matches(InetAddress.getByName("0.0.31.0"))).isFalse();
  assertThat(zeroNet.matches(InetAddress.getByName("0.0.15.0"))).isTrue();

  // A null address is reported as a non-match rather than raising.
  assertThat(zeroNet.matches(null)).isFalse();
}
use of io.grpc.xds.internal.Matchers.CidrMatcher in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method ipMatcher.
@Test
public void ipMatcher() throws Exception {
  // Permission: destination port == PORT AND destination IP inside IP_ADDR1/24.
  DestinationIpMatcher destinationIp =
      DestinationIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24));
  // Principal: source IP inside IP_ADDR2/24.
  SourceIpMatcher sourceIp =
      SourceIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR2), 24));
  DestinationPortMatcher destinationPort = DestinationPortMatcher.create(PORT);
  OrMatcher permission = OrMatcher.create(AndMatcher.create(destinationPort, destinationIp));
  OrMatcher principal = OrMatcher.create(sourceIp);
  PolicyMatcher policy = PolicyMatcher.create(POLICY_NAME, permission, principal);

  // ALLOW action, attributes as stubbed by the fixture (set up outside this method):
  // the policy is expected to match, so the call is allowed and attributed to POLICY_NAME.
  GrpcAuthorizationEngine allowEngine =
      new GrpcAuthorizationEngine(
          AuthConfig.create(Collections.singletonList(policy), Action.ALLOW));
  AuthDecision verdict = allowEngine.evaluate(HEADER, serverCall);
  assertThat(verdict.decision()).isEqualTo(Action.ALLOW);
  assertThat(verdict.matchingPolicyName()).isEqualTo(POLICY_NAME);

  // Same addresses but the local port is 2 (presumably != PORT; confirm against the
  // constant): no policy matches, so an ALLOW-action engine denies with no policy name.
  Attributes wrongLocalPort =
      Attributes.newBuilder()
          .set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, new InetSocketAddress(IP_ADDR2, PORT))
          .set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress(IP_ADDR1, 2))
          .build();
  when(serverCall.getAttributes()).thenReturn(wrongLocalPort);
  verdict = allowEngine.evaluate(HEADER, serverCall);
  assertThat(verdict.decision()).isEqualTo(Action.DENY);
  assertThat(verdict.matchingPolicyName()).isNull();

  // Remote address unset and local address 1.1.1.1: still no match, still denied.
  Attributes missingRemote =
      Attributes.newBuilder()
          .set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, null)
          .set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress("1.1.1.1", PORT))
          .build();
  when(serverCall.getAttributes()).thenReturn(missingRemote);
  verdict = allowEngine.evaluate(HEADER, serverCall);
  assertThat(verdict.decision()).isEqualTo(Action.DENY);
  assertThat(verdict.matchingPolicyName()).isNull();

  // DENY action with the same stubbed attributes: the policy does not match, so the call
  // is allowed and no policy name is reported.
  // NOTE(review): this pins that a deny rule keyed on source IP does not fire when the
  // transport supplies no remote address; deny-list policies should not be the only
  // control for peers whose address may be absent.
  GrpcAuthorizationEngine denyEngine =
      new GrpcAuthorizationEngine(
          AuthConfig.create(Collections.singletonList(policy), Action.DENY));
  verdict = denyEngine.evaluate(HEADER, serverCall);
  assertThat(verdict.decision()).isEqualTo(Action.ALLOW);
  assertThat(verdict.matchingPolicyName()).isNull();
}
use of io.grpc.xds.internal.Matchers.CidrMatcher in project grpc-java by grpc.
the class MatcherTest method ipMatcher_ipv6.
@Test
public void ipMatcher_ipv6() throws Exception {
  // A /36 prefix fixes the first two groups (2012:00fe) and the top nibble (d) of the third.
  CidrMatcher slash36 = CidrMatcher.create(InetAddress.getByName("2012:00fe:d808::"), 36);

  // An IPv4 address must not match an IPv6 block.
  assertThat(slash36.matches(InetAddress.getByName("0.0.0.0"))).isFalse();

  // Inside the block: the network address, the seed address, and a fully populated address
  // that differs only in bits after the prefix.
  assertThat(slash36.matches(InetAddress.getByName("2012:00fe:d000::0"))).isTrue();
  assertThat(slash36.matches(InetAddress.getByName("2012:00fe:d808::"))).isTrue();
  assertThat(
          slash36.matches(InetAddress.getByName("2012:00fe:da81:0909:0008:4018:e930:b019")))
      .isTrue();

  // Outside the block: the first group differs (2013 instead of 2012).
  assertThat(slash36.matches(InetAddress.getByName("2013:00fe:d000::0"))).isFalse();
  // NOTE(review): no case differs only in the 36th bit (e.g. a third group starting with c
  // or e), so the prefix boundary itself is not exercised here.
}