
Example 1 with AuthConfig

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig in the grpc-java project (by grpc).

From the class RbacFilterTest, method overrideConfig:

/**
 * Checks how a per-route RBAC override interacts with the listener-level config.
 *
 * <p>Two cases are covered, in order: an override parsed from an empty {@code RBACPerRoute}
 * carries no {@code AuthConfig} and therefore yields no interceptor at all (no RBAC check is
 * installed for that route, even though the original config has a policy); a populated
 * override replaces the original policy, so a call on local port 20 is admitted by the
 * override's port matcher.
 */
@Test
@SuppressWarnings("unchecked")
public void overrideConfig() {
    ServerCallHandler<Void, Void> next = mock(ServerCallHandler.class);
    ServerCall<Void, Void> call = mock(ServerCall.class);
    InetSocketAddress localAddr = new InetSocketAddress("1::", 20);
    Attributes callAttrs =
        Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, localAddr).build();
    when(call.getAttributes()).thenReturn(callAttrs);

    // 99999 is above the valid port range, so no real local port can satisfy this permission.
    OrMatcher unmatchablePort = OrMatcher.create(DestinationPortMatcher.create(99999));
    OrMatcher anyPrincipal = OrMatcher.create(AlwaysTrueMatcher.INSTANCE);
    PolicyMatcher basePolicy = PolicyMatcher.create("policy-matcher", unmatchablePort, anyPrincipal);
    AuthConfig baseAuth = AuthConfig.create(
        Collections.singletonList(basePolicy), GrpcAuthorizationEngine.Action.ALLOW);
    RbacConfig original = RbacConfig.create(baseAuth);

    // An empty per-route override parses to a config without any AuthConfig ...
    RBACPerRoute emptyPerRoute = RBACPerRoute.newBuilder().build();
    RbacConfig override =
        new RbacFilter().parseFilterConfigOverride(Any.pack(emptyPerRoute)).config;
    assertThat(override).isEqualTo(RbacConfig.create(null));
    // ... and such an override produces no interceptor instead of falling back to the original.
    ServerInterceptor interceptor = new RbacFilter().buildServerInterceptor(original, override);
    assertThat(interceptor).isNull();

    // A populated override replaces the original policy; port 20 matches the call's local address.
    OrMatcher matchingPort = OrMatcher.create(DestinationPortMatcher.create(20));
    PolicyMatcher overridePolicy =
        PolicyMatcher.create("policy-matcher-override", matchingPort, anyPrincipal);
    AuthConfig overrideAuth = AuthConfig.create(
        Collections.singletonList(overridePolicy), GrpcAuthorizationEngine.Action.ALLOW);
    override = RbacConfig.create(overrideAuth);
    new RbacFilter()
        .buildServerInterceptor(original, override)
        .interceptCall(call, new Metadata(), next);

    verify(next).startCall(eq(call), any(Metadata.class));
    verify(call).getAttributes();
    verifyNoMoreInteractions(call);
}
Also used : RBACPerRoute(io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute) InetSocketAddress(java.net.InetSocketAddress) ServerInterceptor(io.grpc.ServerInterceptor) Attributes(io.grpc.Attributes) Metadata(io.grpc.Metadata) AuthConfig(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) Test(org.junit.Test)

Example 2 with AuthConfig

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig in the grpc-java project (by grpc).

From the class GrpcAuthorizationEngineTest, method matchersEqualHashcode:

/**
 * Two {@code AuthConfig}s built from structurally identical matcher trees must be equal and
 * share a hash code; otherwise comparing configs (e.g. to detect an unchanged policy) would
 * misfire.
 */
@Test
public void matchersEqualHashcode() throws Exception {
    AuthConfig first = newAllowConfigWithAllMatcherKinds();
    AuthConfig second = newAllowConfigWithAllMatcherKinds();
    assertThat(first).isEqualTo(second);
    assertThat(first.hashCode()).isEqualTo(second.hashCode());
}

/**
 * Builds an ALLOW config holding one policy that exercises every matcher kind once: path,
 * header, destination IP, destination port, an inverted destination port range and requested
 * server name as permissions; an authenticated-principal matcher and a source-IP matcher
 * combined with the always-true matcher as principals.
 *
 * @throws Exception if the literal address {@code IP_ADDR1} cannot be resolved
 */
private AuthConfig newAllowConfigWithAllMatcherKinds() throws Exception {
    OrMatcher permission = OrMatcher.create(
        PathMatcher.create(STRING_MATCHER),
        AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue("foo", "bar", true)),
        DestinationIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24)),
        DestinationPortMatcher.create(PORT),
        InvertMatcher.create(
            GrpcAuthorizationEngine.DestinationPortRangeMatcher.create(PORT, PORT + 1)),
        GrpcAuthorizationEngine.RequestedServerNameMatcher.create(STRING_MATCHER));
    OrMatcher principal = OrMatcher.create(
        AuthenticatedMatcher.create(STRING_MATCHER),
        AndMatcher.create(
            SourceIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24)),
            AlwaysTrueMatcher.INSTANCE));
    PolicyMatcher policy = PolicyMatcher.create("match", permission, principal);
    return AuthConfig.create(Collections.singletonList(policy), Action.ALLOW);
}
Also used : SourceIpMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.SourceIpMatcher) AuthHeaderMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthHeaderMatcher) AuthConfig(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig) DestinationPortMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationPortMatcher) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) AuthenticatedMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthenticatedMatcher) PathMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher) InvertMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.InvertMatcher) DestinationIpMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationIpMatcher) OrMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher) Test(org.junit.Test)

Example 3 with AuthConfig

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig in the grpc-java project (by grpc).

From the class RbacFilter, method buildServerInterceptor:

/**
 * Builds the RBAC server interceptor for the effective filter config.
 *
 * <p>A non-null {@code overrideConfig} replaces {@code config} wholesale; policies are not
 * merged. Consequently an override whose {@code authConfig()} is null makes this method return
 * {@code null} — no interceptor, and therefore no authorization check for the route the
 * override applies to — even when the base config carries policies. Callers that rely on the
 * listener-level policy must not assume it survives an empty per-route override.
 *
 * @param config the listener-level RBAC config; must be an {@link RbacConfig}
 * @param overrideConfig optional per-route override, also expected to be an {@link RbacConfig}
 * @return an interceptor enforcing the effective config, or {@code null} when that config has
 *     no {@code AuthConfig}
 * @throws NullPointerException if {@code config} is null
 * @throws ClassCastException if the effective config is not an {@link RbacConfig}
 */
@Nullable
@Override
public ServerInterceptor buildServerInterceptor(FilterConfig config, @Nullable FilterConfig overrideConfig) {
    checkNotNull(config, "config");
    // The override, when present, takes precedence over the base config entirely.
    FilterConfig effective = overrideConfig == null ? config : overrideConfig;
    AuthConfig authConfig = ((RbacConfig) effective).authConfig();
    if (authConfig == null) {
        return null;
    }
    return generateAuthorizationInterceptor(authConfig);
}
Also used : AuthConfig(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig) Nullable(javax.annotation.Nullable)

Example 4 with AuthConfig

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig in the grpc-java project (by grpc).

From the class RbacFilterTest, method testAuthorizationInterceptor:

/**
 * Verifies the allow/deny outcome of the interceptor for a call that matches no policy.
 *
 * <p>The single policy's permission matches only local port 99999, which no real call has. With
 * {@code Action.ALLOW} the non-matching call is closed with PERMISSION_DENIED and never reaches
 * the handler (default-deny); with {@code Action.DENY} the same non-matching call falls through
 * to the handler.
 */
@SuppressWarnings("unchecked")
@Test
public void testAuthorizationInterceptor() {
    ServerCallHandler<Void, Void> next = mock(ServerCallHandler.class);
    ServerCall<Void, Void> call = mock(ServerCall.class);
    Attributes callAttrs = Attributes.newBuilder()
        .set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress("1::", 20))
        .build();
    when(call.getAttributes()).thenReturn(callAttrs);
    // 99999 is above the valid port range, so this policy cannot match the port-20 call.
    PolicyMatcher unmatchablePolicy = PolicyMatcher.create(
        "policy-matcher",
        OrMatcher.create(DestinationPortMatcher.create(99999)),
        OrMatcher.create(AlwaysTrueMatcher.INSTANCE));

    // ALLOW with no matching policy: the call is rejected and the handler is never invoked.
    AuthConfig allowOnlyMatches = AuthConfig.create(
        Collections.singletonList(unmatchablePolicy), GrpcAuthorizationEngine.Action.ALLOW);
    new RbacFilter()
        .buildServerInterceptor(RbacConfig.create(allowOnlyMatches), null)
        .interceptCall(call, new Metadata(), next);
    verify(next, never()).startCall(eq(call), any(Metadata.class));
    ArgumentCaptor<Status> closeStatus = ArgumentCaptor.forClass(Status.class);
    verify(call).close(closeStatus.capture(), any(Metadata.class));
    Status denied = closeStatus.getValue();
    assertThat(denied.getCode()).isEqualTo(Status.PERMISSION_DENIED.getCode());
    assertThat(denied.getDescription()).isEqualTo("Access Denied");
    verify(call).getAttributes();
    verifyNoMoreInteractions(call);

    // DENY with no matching policy: nothing is denied, so the call reaches the handler.
    AuthConfig denyOnlyMatches = AuthConfig.create(
        Collections.singletonList(unmatchablePolicy), GrpcAuthorizationEngine.Action.DENY);
    new RbacFilter()
        .buildServerInterceptor(RbacConfig.create(denyOnlyMatches), null)
        .interceptCall(call, new Metadata(), next);
    verify(next).startCall(eq(call), any(Metadata.class));
}
Also used : Status(io.grpc.Status) InetSocketAddress(java.net.InetSocketAddress) Attributes(io.grpc.Attributes) Metadata(io.grpc.Metadata) AuthConfig(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) Test(org.junit.Test)

Aggregations

AuthConfig (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig)4 PolicyMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher)3 Test (org.junit.Test)3 Attributes (io.grpc.Attributes)2 Metadata (io.grpc.Metadata)2 InetSocketAddress (java.net.InetSocketAddress)2 RBACPerRoute (io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute)1 ServerInterceptor (io.grpc.ServerInterceptor)1 Status (io.grpc.Status)1 AuthHeaderMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthHeaderMatcher)1 AuthenticatedMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthenticatedMatcher)1 DestinationIpMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationIpMatcher)1 DestinationPortMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationPortMatcher)1 InvertMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.InvertMatcher)1 OrMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher)1 PathMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher)1 SourceIpMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.SourceIpMatcher)1 Nullable (javax.annotation.Nullable)1