use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine in project grpc-java by grpc.
the class RbacFilterTest method compositeRules.
/**
 * Parses a policy whose single permission is an OR-set holding one metadata rule and whose
 * single principal is the negation of that same metadata rule, then checks that the resulting
 * {@link GrpcAuthorizationEngine} returns ALLOW for a call carrying empty {@link Metadata}.
 */
@Test
@SuppressWarnings("unchecked") // unchecked conversion of the raw mock(ServerCall.class)
public void compositeRules() {
  MetadataMatcher metadata = MetadataMatcher.newBuilder().build();
  Permission metadataRule = Permission.newBuilder().setMetadata(metadata).build();
  Permission.Set orSet = Permission.Set.newBuilder().addRules(metadataRule).build();
  Principal negatedMetadata = Principal.newBuilder().setMetadata(metadata).build();
  List<Permission> permissions =
      Arrays.asList(Permission.newBuilder().setOrRules(orSet).build());
  List<Principal> principals =
      Arrays.asList(Principal.newBuilder().setNotId(negatedMetadata).build());

  ConfigOrError<? extends FilterConfig> parsed = parse(permissions, principals);
  assertThat(parsed.errorDetail).isNull();
  assertThat(parsed.config).isInstanceOf(RbacConfig.class);

  ServerCall<Void, Void> call = mock(ServerCall.class);
  GrpcAuthorizationEngine authEngine =
      new GrpcAuthorizationEngine(((RbacConfig) parsed.config).authConfig());
  AuthDecision outcome = authEngine.evaluate(new Metadata(), call);
  assertThat(outcome.decision()).isEqualTo(GrpcAuthorizationEngine.Action.ALLOW);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine in project grpc-java by grpc.
the class RbacFilterTest method portRangeParser.
/**
 * Parses a policy with a destination port range of 1010-65535 and a remote-IP principal of
 * 10.10.10.0/24, then evaluates a mocked call whose remote address is 10.10.10.0:1 and whose
 * local address is 10.10.10.0:9090, expecting the engine to return DENY.
 */
@Test
@SuppressWarnings({ "unchecked", "deprecation" }) // raw mock(ServerCall.class); a deprecated proto setter is exercised on purpose
public void portRangeParser() {
  Int32Range destinationPorts = Int32Range.newBuilder().setStart(1010).setEnd(65535).build();
  CidrRange remoteNetwork = CidrRange.newBuilder()
      .setAddressPrefix("10.10.10.0")
      .setPrefixLen(UInt32Value.of(24))
      .build();
  List<Permission> permissions =
      Arrays.asList(Permission.newBuilder().setDestinationPortRange(destinationPorts).build());
  List<Principal> principals =
      Arrays.asList(Principal.newBuilder().setRemoteIp(remoteNetwork).build());

  ConfigOrError<?> parsed = parse(permissions, principals);
  assertThat(parsed.errorDetail).isNull();

  // Both endpoints sit inside the principal's /24; the local port 9090 is inside the range.
  InetSocketAddress remoteAddr = new InetSocketAddress("10.10.10.0", 1);
  InetSocketAddress localAddr = new InetSocketAddress("10.10.10.0", 9090);
  Attributes transport = Attributes.newBuilder()
      .set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, remoteAddr)
      .set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, localAddr)
      .build();
  ServerCall<Void, Void> call = mock(ServerCall.class);
  when(call.getAttributes()).thenReturn(transport);
  when(call.getMethodDescriptor()).thenReturn(method().build());

  GrpcAuthorizationEngine authEngine =
      new GrpcAuthorizationEngine(((RbacConfig) parsed.config).authConfig());
  AuthDecision outcome = authEngine.evaluate(new Metadata(), call);
  assertThat(outcome.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine in project grpc-java by grpc.
the class RbacFilterTest method authenticatedParser.
/**
 * Parses a policy whose permission is NOT(requested server name matches {@code STRING_MATCHER})
 * and whose principal requires an authenticated peer with a matching principal name, then
 * evaluates a mocked TLS call whose peer certificate carries a single dNSName SAN of
 * {@code "/" + PATH}, expecting the engine to return DENY.
 *
 * @throws Exception from the checked certificate/session accessors being stubbed
 */
@Test
@SuppressWarnings("unchecked") // unchecked conversion of the raw mock(ServerCall.class)
public void authenticatedParser() throws Exception {
  Permission serverNameRule =
      Permission.newBuilder().setRequestedServerName(STRING_MATCHER).build();
  Authenticated authenticatedPeer =
      Authenticated.newBuilder().setPrincipalName(STRING_MATCHER).build();
  List<Permission> permissions =
      Arrays.asList(Permission.newBuilder().setNotRule(serverNameRule).build());
  List<Principal> principals =
      Arrays.asList(Principal.newBuilder().setAuthenticated(authenticatedPeer).build());

  ConfigOrError<?> parsed = parse(permissions, principals);
  assertThat(parsed.errorDetail).isNull();

  // One peer certificate whose only SAN entry is type 2 (dNSName in the
  // X509Certificate#getSubjectAlternativeNames encoding) with value "/" + PATH.
  X509Certificate peerCert = mock(X509Certificate.class);
  List<List<?>> subjectAltNames = Arrays.<List<?>>asList(Arrays.asList(2, "/" + PATH));
  when(peerCert.getSubjectAlternativeNames()).thenReturn(subjectAltNames);
  SSLSession tlsSession = mock(SSLSession.class);
  when(tlsSession.getPeerCertificates()).thenReturn(new X509Certificate[] { peerCert });

  Attributes transport =
      Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_SSL_SESSION, tlsSession).build();
  ServerCall<Void, Void> call = mock(ServerCall.class);
  when(call.getAttributes()).thenReturn(transport);

  GrpcAuthorizationEngine authEngine =
      new GrpcAuthorizationEngine(((RbacConfig) parsed.config).authConfig());
  AuthDecision outcome = authEngine.evaluate(new Metadata(), call);
  assertThat(outcome.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine in project grpc-java by grpc.
the class RbacFilter method generateAuthorizationInterceptor.
/**
 * Builds the {@link ServerInterceptor} that enforces {@code config}: each incoming call is
 * evaluated by a {@link GrpcAuthorizationEngine} constructed once from the config, a DENY
 * verdict closes the call with {@code PERMISSION_DENIED} before any application handler runs,
 * and every other verdict is passed through to {@code next}.
 *
 * @param config the parsed RBAC authorization configuration; must not be null
 * @return an interceptor bound to an engine built from {@code config}
 * @throws NullPointerException if {@code config} is null
 */
private ServerInterceptor generateAuthorizationInterceptor(AuthConfig config) {
  checkNotNull(config, "config");
  // Built once here and shared by every call this interceptor sees.
  final GrpcAuthorizationEngine authEngine = new GrpcAuthorizationEngine(config);
  return new ServerInterceptor() {
    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
        final ServerCall<ReqT, RespT> call,
        final Metadata headers,
        ServerCallHandler<ReqT, RespT> next) {
      final AuthDecision verdict = authEngine.evaluate(headers, call);
      if (logger.isLoggable(Level.FINE)) {
        // Within this interceptor the matching policy name is surfaced only in this FINE log
        // line; the client-facing status below carries a fixed description and no policy detail.
        Object[] logParams = { call, verdict.decision(), verdict.matchingPolicyName() };
        logger.log(Level.FINE,
            "Authorization result for serverCall {0}: {1}, matching policy: {2}.", logParams);
      }
      if (!GrpcAuthorizationEngine.Action.DENY.equals(verdict.decision())) {
        // Anything other than an explicit DENY proceeds to the next handler.
        return next.startCall(call, headers);
      }
      // Close the call before the application handler is ever started; the empty listener
      // means no further callbacks for this call reach application code.
      call.close(Status.PERMISSION_DENIED.withDescription("Access Denied"), new Metadata());
      return new ServerCall.Listener<ReqT>() {};
    }
  };
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine in project grpc-java by grpc.
the class RbacFilterTest method pathParser.
/**
 * Parses a policy whose permission and principal both match the URL path against
 * {@code STRING_MATCHER}, then evaluates a mocked call whose method descriptor comes from
 * {@code method()}, expecting the engine to return DENY.
 */
@Test
@SuppressWarnings("unchecked") // unchecked conversion of the raw mock(ServerCall.class)
public void pathParser() {
  PathMatcher urlPath = PathMatcher.newBuilder().setPath(STRING_MATCHER).build();
  Permission pathPermission = Permission.newBuilder().setUrlPath(urlPath).build();
  Principal pathPrincipal = Principal.newBuilder().setUrlPath(urlPath).build();

  ConfigOrError<RbacConfig> parsed =
      parse(Arrays.asList(pathPermission), Arrays.asList(pathPrincipal));
  assertThat(parsed.errorDetail).isNull();

  ServerCall<Void, Void> call = mock(ServerCall.class);
  when(call.getMethodDescriptor()).thenReturn(method().build());
  GrpcAuthorizationEngine authEngine = new GrpcAuthorizationEngine(parsed.config.authConfig());
  AuthDecision outcome = authEngine.evaluate(new Metadata(), call);
  assertThat(outcome.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}