
Example 1 with AuthDecision

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.

From the class RbacFilterTest, method compositeRules.

/**
 * Parses an RBAC policy whose rules are composite ({@code or_rules} on the permission side and
 * {@code not_id} on the principal side), both wrapping an empty {@code MetadataMatcher}, and
 * checks that evaluating an empty request against the resulting engine yields ALLOW.
 */
@Test
@SuppressWarnings("unchecked")
public void compositeRules() {
    // The same (unpopulated) metadata matcher is nested inside both composite rule kinds.
    MetadataMatcher emptyMetadata = MetadataMatcher.newBuilder().build();

    // permission: or_rules { rules: [ metadata(emptyMetadata) ] }
    Permission metadataRule = Permission.newBuilder().setMetadata(emptyMetadata).build();
    Permission orRules = Permission.newBuilder()
        .setOrRules(Permission.Set.newBuilder().addRules(metadataRule).build())
        .build();

    // principal: not_id { metadata(emptyMetadata) }
    Principal metadataId = Principal.newBuilder().setMetadata(emptyMetadata).build();
    Principal notId = Principal.newBuilder().setNotId(metadataId).build();

    ConfigOrError<? extends FilterConfig> parsed = parse(Arrays.asList(orRules), Arrays.asList(notId));
    assertThat(parsed.errorDetail).isNull();
    assertThat(parsed.config).isInstanceOf(RbacConfig.class);

    // Evaluate with no headers and a mocked call that has nothing stubbed; the expected outcome
    // is ALLOW (the action parse() attaches to the policy is not visible here).
    ServerCall<Void, Void> call = mock(ServerCall.class);
    RbacConfig rbacConfig = (RbacConfig) parsed.config;
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(rbacConfig.authConfig());
    AuthDecision outcome = engine.evaluate(new Metadata(), call);
    assertThat(outcome.decision()).isEqualTo(GrpcAuthorizationEngine.Action.ALLOW);
}
Also used : MetadataMatcher(io.envoyproxy.envoy.type.matcher.v3.MetadataMatcher) AuthDecision(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision) Permission(io.envoyproxy.envoy.config.rbac.v3.Permission) Metadata(io.grpc.Metadata) GrpcAuthorizationEngine(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine) Principal(io.envoyproxy.envoy.config.rbac.v3.Principal) Test(org.junit.Test)

Example 2 with AuthDecision

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.

From the class RbacFilterTest, method portRangeParser.

/**
 * Parses a destination-port-range permission ([1010, 65535]) and a remote-IP CIDR principal
 * (10.10.10.0/24), then evaluates a call whose remote address is 10.10.10.0 and whose local
 * address uses port 9090 — both inside the configured matchers — and expects DENY.
 */
@Test
@SuppressWarnings({ "unchecked", "deprecation" })
public void portRangeParser() {
    // permission: destination_port_range { start: 1010, end: 65535 }
    Int32Range ports = Int32Range.newBuilder().setStart(1010).setEnd(65535).build();
    Permission portRule = Permission.newBuilder().setDestinationPortRange(ports).build();

    // principal: remote_ip { address_prefix: "10.10.10.0", prefix_len: 24 }
    CidrRange sourceNet = CidrRange.newBuilder()
        .setAddressPrefix("10.10.10.0")
        .setPrefixLen(UInt32Value.of(24))
        .build();
    Principal ipRule = Principal.newBuilder().setRemoteIp(sourceNet).build();

    ConfigOrError<?> parsed = parse(Arrays.asList(portRule), Arrays.asList(ipRule));
    assertThat(parsed.errorDetail).isNull();

    // Remote peer 10.10.10.0 lies in the /24; local port 9090 lies in [1010, 65535].
    Attributes callAttrs = Attributes.newBuilder()
        .set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, new InetSocketAddress("10.10.10.0", 1))
        .set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress("10.10.10.0", 9090))
        .build();
    ServerCall<Void, Void> call = mock(ServerCall.class);
    when(call.getAttributes()).thenReturn(callAttrs);
    when(call.getMethodDescriptor()).thenReturn(method().build());

    GrpcAuthorizationEngine engine =
        new GrpcAuthorizationEngine(((RbacConfig) parsed.config).authConfig());
    AuthDecision outcome = engine.evaluate(new Metadata(), call);
    assertThat(outcome.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}
Also used : AuthDecision(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision) InetSocketAddress(java.net.InetSocketAddress) Permission(io.envoyproxy.envoy.config.rbac.v3.Permission) Attributes(io.grpc.Attributes) Metadata(io.grpc.Metadata) GrpcAuthorizationEngine(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine) Principal(io.envoyproxy.envoy.config.rbac.v3.Principal) Test(org.junit.Test)

Example 3 with AuthDecision

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.

From the class RbacFilterTest, method authenticatedParser.

/**
 * Parses a negated requested-server-name permission and an {@code authenticated} principal, then
 * evaluates a call whose TLS session presents a mocked peer certificate with a single DNS subject
 * alternative name ("/" + PATH) and expects DENY.
 *
 * @throws Exception from the mocked certificate accessor's checked signature
 */
@Test
@SuppressWarnings("unchecked")
public void authenticatedParser() throws Exception {
    // permission: not_rule { requested_server_name: STRING_MATCHER }
    Permission serverNameRule = Permission.newBuilder().setRequestedServerName(STRING_MATCHER).build();
    Permission notServerName = Permission.newBuilder().setNotRule(serverNameRule).build();

    // principal: authenticated { principal_name: STRING_MATCHER }
    Authenticated authenticated = Authenticated.newBuilder().setPrincipalName(STRING_MATCHER).build();
    Principal authRule = Principal.newBuilder().setAuthenticated(authenticated).build();

    ConfigOrError<?> parsed = parse(Arrays.asList(notServerName), Arrays.asList(authRule));
    assertThat(parsed.errorDetail).isNull();

    // Peer identity is taken from the TLS session: one mocked leaf certificate whose only SAN
    // entry is of GeneralName type 2 (dNSName, per X509Certificate#getSubjectAlternativeNames)
    // with the value "/" + PATH.
    X509Certificate peerCert = mock(X509Certificate.class);
    when(peerCert.getSubjectAlternativeNames())
        .thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "/" + PATH)));
    SSLSession tlsSession = mock(SSLSession.class);
    when(tlsSession.getPeerCertificates()).thenReturn(new X509Certificate[] { peerCert });

    Attributes callAttrs = Attributes.newBuilder()
        .set(Grpc.TRANSPORT_ATTR_SSL_SESSION, tlsSession)
        .build();
    ServerCall<Void, Void> call = mock(ServerCall.class);
    when(call.getAttributes()).thenReturn(callAttrs);

    GrpcAuthorizationEngine engine =
        new GrpcAuthorizationEngine(((RbacConfig) parsed.config).authConfig());
    AuthDecision outcome = engine.evaluate(new Metadata(), call);
    assertThat(outcome.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}
Also used : AuthDecision(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision) SSLSession(javax.net.ssl.SSLSession) Attributes(io.grpc.Attributes) Metadata(io.grpc.Metadata) GrpcAuthorizationEngine(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine) X509Certificate(java.security.cert.X509Certificate) Permission(io.envoyproxy.envoy.config.rbac.v3.Permission) Principal(io.envoyproxy.envoy.config.rbac.v3.Principal) Test(org.junit.Test)

Example 4 with AuthDecision

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.

From the class GrpcAuthorizationEngineTest, method multiplePolicies.

/**
 * Builds an engine with two DENY policies and checks that evaluating {@code HEADER} against
 * {@code serverCall} yields DENY attributed to the first policy ({@code POLICY_NAME}).
 *
 * @throws Exception from {@link InetAddress#getByName(String)}
 */
@Test
public void multiplePolicies() throws Exception {
    // Shared by both policies.
    PathMatcher pathMatcher = PathMatcher.create(STRING_MATCHER);

    // Policy 1 (POLICY_NAME):
    //   principal  = OR(AND(authenticated name ends with "TEST.google.fr", path))
    //   permission = OR(AND(path, NOT(destination port == PORT + 1)))
    AuthenticatedMatcher suffixAuth =
        AuthenticatedMatcher.create(StringMatcher.forSuffix("TEST.google.fr", true));
    OrMatcher principal1 = OrMatcher.create(AndMatcher.create(suffixAuth, pathMatcher));
    OrMatcher permission1 = OrMatcher.create(AndMatcher.create(
        pathMatcher, InvertMatcher.create(DestinationPortMatcher.create(PORT + 1))));
    PolicyMatcher policyMatcher1 = PolicyMatcher.create(POLICY_NAME, permission1, principal1);

    // Policy 2 (POLICY_NAME + "-2"):
    //   principal  = OR(header HEADER_KEY == HEADER_VALUE + 1, authenticated name contains "TEST.google.fr")
    //   permission = OR(destination IP in IP_ADDR1/24, path)
    AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(
        Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE + 1, false));
    AuthenticatedMatcher containsAuth =
        AuthenticatedMatcher.create(StringMatcher.forContains("TEST.google.fr"));
    OrMatcher principal2 = OrMatcher.create(headerMatcher, containsAuth);
    CidrMatcher subnet = CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24);
    DestinationIpMatcher destIpMatcher = DestinationIpMatcher.create(subnet);
    OrMatcher permission2 = OrMatcher.create(destIpMatcher, pathMatcher);
    PolicyMatcher policyMatcher2 = PolicyMatcher.create(POLICY_NAME + "-2", permission2, principal2);

    // Both policies carry the DENY action; the expectation is that the decision is attributed to
    // policy 1 (which policy matched, or whether both did, is not asserted beyond the name).
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(
        AuthConfig.create(ImmutableList.of(policyMatcher1, policyMatcher2), Action.DENY));
    AuthDecision outcome = engine.evaluate(HEADER, serverCall);
    assertThat(outcome.decision()).isEqualTo(Action.DENY);
    assertThat(outcome.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
Also used : AuthenticatedMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthenticatedMatcher) PathMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher) DestinationIpMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationIpMatcher) AuthDecision(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision) OrMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher) AuthHeaderMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthHeaderMatcher) CidrMatcher(io.grpc.xds.internal.Matchers.CidrMatcher) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) Test(org.junit.Test)

Example 5 with AuthDecision

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.

From the class GrpcAuthorizationEngineTest, method headerMatcher_binaryHeader.

/**
 * Checks that a header matcher configured for a binary ({@code -bin}) header matches when the
 * request carries the raw bytes: the matcher's expected value is the unpadded base64 encoding of
 * {@code HEADER_VALUE}, while the request metadata stores the bytes themselves.
 */
@Test
public void headerMatcher_binaryHeader() {
    String binaryKey = HEADER_KEY + Metadata.BINARY_HEADER_SUFFIX;
    byte[] rawValue = HEADER_VALUE.getBytes(US_ASCII);
    // Expected value on the matcher side is base64 without padding.
    String encodedValue = BaseEncoding.base64().omitPadding().encode(rawValue);

    AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(
        Matchers.HeaderMatcher.forExactValue(binaryKey, encodedValue, false));
    OrMatcher principal = OrMatcher.create(headerMatcher);
    // permission: NOT(destination port == PORT + 1)
    OrMatcher permission = OrMatcher.create(
        InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
    PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(
        AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));

    // Request side: the binary header is put with the byte marshaller, not as base64 text.
    Metadata headers = new Metadata();
    headers.put(Metadata.Key.of(binaryKey, Metadata.BINARY_BYTE_MARSHALLER), rawValue);

    AuthDecision outcome = engine.evaluate(headers, serverCall);
    assertThat(outcome.decision()).isEqualTo(Action.ALLOW);
    assertThat(outcome.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
Also used : AuthDecision(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision) OrMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher) Metadata(io.grpc.Metadata) AuthHeaderMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthHeaderMatcher) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) Test(org.junit.Test)

Aggregations

AuthDecision (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision)16 Test (org.junit.Test)15 Metadata (io.grpc.Metadata)9 OrMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher)9 PolicyMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher)9 GrpcAuthorizationEngine (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine)7 Permission (io.envoyproxy.envoy.config.rbac.v3.Permission)6 Principal (io.envoyproxy.envoy.config.rbac.v3.Principal)6 AuthHeaderMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthHeaderMatcher)6 Attributes (io.grpc.Attributes)5 InetSocketAddress (java.net.InetSocketAddress)4 PathMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher)3 CidrMatcher (io.grpc.xds.internal.Matchers.CidrMatcher)2 AuthenticatedMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthenticatedMatcher)2 DestinationIpMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationIpMatcher)2 X509Certificate (java.security.cert.X509Certificate)2 CidrRange (io.envoyproxy.envoy.config.core.v3.CidrRange)1 HeaderMatcher (io.envoyproxy.envoy.config.route.v3.HeaderMatcher)1 MetadataMatcher (io.envoyproxy.envoy.type.matcher.v3.MetadataMatcher)1 PathMatcher (io.envoyproxy.envoy.type.matcher.v3.PathMatcher)1