Uses of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java (by grpc). Example 1: class RbacFilterTest, method compositeRules.
@Test
@SuppressWarnings("unchecked")
public void compositeRules() {
  // Composite rules wrapping a metadata rule: an or_rules permission holding a
  // single metadata rule, and a not_id principal negating a metadata rule. The
  // test pins that such a config parses to an RbacConfig and that, evaluated on
  // empty request metadata, the engine returns ALLOW. How RbacFilter maps a
  // metadata rule, and which RBAC action parse() installs, are defined outside
  // this method.
  MetadataMatcher metadataRule = MetadataMatcher.newBuilder().build();

  Permission metadataPermission = Permission.newBuilder().setMetadata(metadataRule).build();
  Permission.Set orSet = Permission.Set.newBuilder().addRules(metadataPermission).build();
  Permission orPermission = Permission.newBuilder().setOrRules(orSet).build();
  List<Permission> permissions = Arrays.asList(orPermission);

  Principal metadataPrincipal = Principal.newBuilder().setMetadata(metadataRule).build();
  Principal notPrincipal = Principal.newBuilder().setNotId(metadataPrincipal).build();
  List<Principal> principals = Arrays.asList(notPrincipal);

  ConfigOrError<? extends FilterConfig> parsed = parse(permissions, principals);
  assertThat(parsed.errorDetail).isNull();
  assertThat(parsed.config).isInstanceOf(RbacConfig.class);

  // The ServerCall mock is deliberately left unstubbed (no transport attributes,
  // no method descriptor), so the decision can only come from the metadata rules.
  ServerCall<Void, Void> call = mock(ServerCall.class);
  GrpcAuthorizationEngine engine =
      new GrpcAuthorizationEngine(((RbacConfig) parsed.config).authConfig());
  AuthDecision decision = engine.evaluate(new Metadata(), call);
  assertThat(decision.decision()).isEqualTo(GrpcAuthorizationEngine.Action.ALLOW);
}
Example 2: class RbacFilterTest, method portRangeParser.
@Test
@SuppressWarnings({ "unchecked", "deprecation" })
public void portRangeParser() {
  // Permission: destination_port_range 1010..65535; principal: remote_ip
  // 10.10.10.0/24. The call is evaluated with a peer at 10.10.10.0 and a local
  // (destination) port of 9090, so both rules are expected to match and the
  // policy to fire. NOTE(review): only an in-range port is exercised; the
  // inclusive/exclusive handling of the range's start and end (Envoy documents
  // Int32Range as end-exclusive) is not pinned by this test.
  Int32Range portRange = Int32Range.newBuilder().setStart(1010).setEnd(65535).build();
  Permission portPermission = Permission.newBuilder().setDestinationPortRange(portRange).build();
  List<Permission> permissions = Arrays.asList(portPermission);

  CidrRange peerCidr = CidrRange.newBuilder()
      .setAddressPrefix("10.10.10.0")
      .setPrefixLen(UInt32Value.of(24))
      .build();
  Principal peerPrincipal = Principal.newBuilder().setRemoteIp(peerCidr).build();
  List<Principal> principals = Arrays.asList(peerPrincipal);

  ConfigOrError<?> parsed = parse(permissions, principals);
  assertThat(parsed.errorDetail).isNull();

  // Transport attributes the engine reads: the peer (remote) address and the
  // local address whose port the destination_port_range rule is matched against.
  InetSocketAddress peerAddr = new InetSocketAddress("10.10.10.0", 1);
  InetSocketAddress localAddr = new InetSocketAddress("10.10.10.0", 9090);
  Attributes transportAttrs = Attributes.newBuilder()
      .set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, peerAddr)
      .set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, localAddr)
      .build();
  ServerCall<Void, Void> call = mock(ServerCall.class);
  when(call.getAttributes()).thenReturn(transportAttrs);
  when(call.getMethodDescriptor()).thenReturn(method().build());

  GrpcAuthorizationEngine engine =
      new GrpcAuthorizationEngine(((RbacConfig) parsed.config).authConfig());
  AuthDecision decision = engine.evaluate(new Metadata(), call);
  // A matching policy under the RBAC action parse() installs yields DENY.
  assertThat(decision.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}
Example 3: class RbacFilterTest, method authenticatedParser.
@Test
@SuppressWarnings("unchecked")
public void authenticatedParser() throws Exception {
  // Permission: NOT(requested_server_name matches STRING_MATCHER).
  // Principal: an authenticated peer whose principal name matches STRING_MATCHER.
  // The peer identity comes from the TLS session's leaf certificate, which here
  // carries exactly one SAN of GeneralName type 2 (dNSName) with value "/" + PATH.
  Permission sniRule = Permission.newBuilder().setRequestedServerName(STRING_MATCHER).build();
  Permission notSniRule = Permission.newBuilder().setNotRule(sniRule).build();
  List<Permission> permissions = Arrays.asList(notSniRule);

  Authenticated authRule = Authenticated.newBuilder().setPrincipalName(STRING_MATCHER).build();
  Principal authPrincipal = Principal.newBuilder().setAuthenticated(authRule).build();
  List<Principal> principals = Arrays.asList(authPrincipal);

  ConfigOrError<?> parsed = parse(permissions, principals);
  assertThat(parsed.errorDetail).isNull();

  // Mocked TLS session: a single peer certificate with a single dNSName SAN.
  // NOTE(review): which certificate fields are accepted as the principal name
  // (URI SAN, DNS SAN, subject) is decided by the engine, not pinned here.
  X509Certificate peerCert = mock(X509Certificate.class);
  List<?> dnsSan = Arrays.asList(2, "/" + PATH);
  when(peerCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(dnsSan));
  SSLSession tlsSession = mock(SSLSession.class);
  when(tlsSession.getPeerCertificates()).thenReturn(new X509Certificate[] { peerCert });

  Attributes transportAttrs =
      Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_SSL_SESSION, tlsSession).build();
  ServerCall<Void, Void> call = mock(ServerCall.class);
  when(call.getAttributes()).thenReturn(transportAttrs);

  GrpcAuthorizationEngine engine =
      new GrpcAuthorizationEngine(((RbacConfig) parsed.config).authConfig());
  AuthDecision decision = engine.evaluate(new Metadata(), call);
  // Both rules are expected to match; under the RBAC action parse() installs
  // that is reported as DENY.
  assertThat(decision.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}
Example 4: class GrpcAuthorizationEngineTest, method multiplePolicies.
@Test
public void multiplePolicies() throws Exception {
  // Two policies under a DENY action. Policy 1: principal = (auth name with a
  // case-insensitive suffix match AND path), permission = (path AND NOT
  // destination port PORT + 1). Policy 2: principal = (header OR auth name
  // containing "TEST.google.fr"), permission = (destination IP in IP_ADDR1/24
  // OR path). The engine is expected to deny and to report POLICY_NAME, i.e.
  // the first policy in list order. Whether policy 2 would also match depends
  // on the shared fixtures (HEADER, serverCall, IP_ADDR1) defined outside this
  // method.
  PathMatcher pathRule = PathMatcher.create(STRING_MATCHER);

  // --- policy 1 ---
  AuthenticatedMatcher suffixAuth =
      AuthenticatedMatcher.create(StringMatcher.forSuffix("TEST.google.fr", true));
  OrMatcher principal1 = OrMatcher.create(AndMatcher.create(suffixAuth, pathRule));
  InvertMatcher notPortPlusOne =
      InvertMatcher.create(DestinationPortMatcher.create(PORT + 1));
  OrMatcher permission1 = OrMatcher.create(AndMatcher.create(pathRule, notPortPlusOne));
  PolicyMatcher first = PolicyMatcher.create(POLICY_NAME, permission1, principal1);

  // --- policy 2 ---
  AuthHeaderMatcher headerRule = AuthHeaderMatcher.create(
      Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE + 1, false));
  AuthenticatedMatcher containsAuth =
      AuthenticatedMatcher.create(StringMatcher.forContains("TEST.google.fr"));
  OrMatcher principal2 = OrMatcher.create(headerRule, containsAuth);
  CidrMatcher cidr = CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24);
  DestinationIpMatcher destIpRule = DestinationIpMatcher.create(cidr);
  OrMatcher permission2 = OrMatcher.create(destIpRule, pathRule);
  PolicyMatcher second = PolicyMatcher.create(POLICY_NAME + "-2", permission2, principal2);

  GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(
      AuthConfig.create(ImmutableList.of(first, second), Action.DENY));
  AuthDecision decision = engine.evaluate(HEADER, serverCall);

  assertThat(decision.decision()).isEqualTo(Action.DENY);
  assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
Example 5: class GrpcAuthorizationEngineTest, method headerMatcher_binaryHeader.
@Test
public void headerMatcher_binaryHeader() {
  // A "-bin" header travels as raw bytes, while the RBAC config expresses the
  // expected value as unpadded base64. This pins that the two are compared in
  // one canonical form: the policy allows the call iff the raw bytes of
  // HEADER_VALUE, base64-encoded without padding, equal the configured value.
  String binKey = HEADER_KEY + Metadata.BINARY_HEADER_SUFFIX;
  byte[] rawValue = HEADER_VALUE.getBytes(US_ASCII);
  String expectedB64 = BaseEncoding.base64().omitPadding().encode(rawValue);

  AuthHeaderMatcher headerRule = AuthHeaderMatcher.create(
      Matchers.HeaderMatcher.forExactValue(binKey, expectedB64, false));
  OrMatcher principal = OrMatcher.create(headerRule);
  // Permission: any destination port other than PORT + 1.
  OrMatcher permission =
      OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
  PolicyMatcher policy = PolicyMatcher.create(POLICY_NAME, permission, principal);
  GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(
      AuthConfig.create(Collections.singletonList(policy), Action.ALLOW));

  // The request carries the raw bytes under the binary key.
  Metadata headers = new Metadata();
  headers.put(Metadata.Key.of(binKey, Metadata.BINARY_BYTE_MARSHALLER), rawValue);

  AuthDecision decision = engine.evaluate(headers, serverCall);
  assertThat(decision.decision()).isEqualTo(Action.ALLOW);
  assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}