use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method headerMatcher_hardcodePostMethod.
@Test
public void headerMatcher_hardcodePostMethod() {
AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue(":method", "POST", false));
OrMatcher principal = OrMatcher.create(headerMatcher);
OrMatcher permission = OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
AuthDecision decision = engine.evaluate(new Metadata(), serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method pathMatcher.
@Test
public void pathMatcher() {
PathMatcher pathMatcher = PathMatcher.create(STRING_MATCHER);
OrMatcher permission = OrMatcher.create(AlwaysTrueMatcher.INSTANCE);
OrMatcher principal = OrMatcher.create(pathMatcher);
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.DENY));
AuthDecision decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.
the class RbacFilter method generateAuthorizationInterceptor.
private ServerInterceptor generateAuthorizationInterceptor(AuthConfig config) {
checkNotNull(config, "config");
final GrpcAuthorizationEngine authEngine = new GrpcAuthorizationEngine(config);
return new ServerInterceptor() {
@Override
public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(final ServerCall<ReqT, RespT> call, final Metadata headers, ServerCallHandler<ReqT, RespT> next) {
AuthDecision authResult = authEngine.evaluate(headers, call);
if (logger.isLoggable(Level.FINE)) {
logger.log(Level.FINE, "Authorization result for serverCall {0}: {1}, matching policy: {2}.", new Object[] { call, authResult.decision(), authResult.matchingPolicyName() });
}
if (GrpcAuthorizationEngine.Action.DENY.equals(authResult.decision())) {
Status status = Status.PERMISSION_DENIED.withDescription("Access Denied");
call.close(status, new Metadata());
return new ServerCall.Listener<ReqT>() {
};
}
return next.startCall(call, headers);
}
};
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method headerMatcher.
@Test
public void headerMatcher() {
AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE, false));
OrMatcher principal = OrMatcher.create(headerMatcher);
OrMatcher permission = OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
AuthDecision decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
HEADER.put(Metadata.Key.of(HEADER_KEY, Metadata.ASCII_STRING_MARSHALLER), HEADER_VALUE);
headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE + "," + HEADER_VALUE, false));
principal = OrMatcher.create(headerMatcher);
policyMatcher = PolicyMatcher.create(POLICY_NAME, OrMatcher.create(AlwaysTrueMatcher.INSTANCE), principal);
engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue(HEADER_KEY + Metadata.BINARY_HEADER_SUFFIX, HEADER_VALUE, false));
principal = OrMatcher.create(headerMatcher);
policyMatcher = PolicyMatcher.create(POLICY_NAME, OrMatcher.create(AlwaysTrueMatcher.INSTANCE), principal);
engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method authenticatedMatcher.
@Test
public void authenticatedMatcher() throws Exception {
AuthenticatedMatcher authMatcher = AuthenticatedMatcher.create(StringMatcher.forExact("*.test.google.fr", false));
PathMatcher pathMatcher = PathMatcher.create(STRING_MATCHER);
OrMatcher permission = OrMatcher.create(authMatcher);
OrMatcher principal = OrMatcher.create(pathMatcher);
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
AuthDecision decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
X509Certificate[] certs = { TestUtils.loadX509Cert("badserver.pem") };
when(sslSession.getPeerCertificates()).thenReturn(certs);
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
assertThat(decision.matchingPolicyName()).isEqualTo(null);
X509Certificate mockCert = mock(X509Certificate.class);
when(sslSession.getPeerCertificates()).thenReturn(new X509Certificate[] { mockCert });
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
when(mockCert.getSubjectDN()).thenReturn(mock(Principal.class));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "*.test.google.fr")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(6, "*.test.google.fr")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(10, "*.test.google.fr")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "google.com"), Arrays.asList(6, "*.test.google.fr")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(6, "*.test.google.fr"), Arrays.asList(2, "google.com")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "*.test.google.fr"), Arrays.asList(6, "google.com")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "*.test.google.fr"), Arrays.asList(6, "google.com"), Arrays.asList(6, "*.test.google.fr")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
// match any authenticated connection if StringMatcher not set in AuthenticatedMatcher
permission = OrMatcher.create(AuthenticatedMatcher.create(null));
policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(6, "random")));
engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
// not match any unauthenticated connection
Attributes attributes = Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, new InetSocketAddress(IP_ADDR2, PORT)).set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress(IP_ADDR1, PORT)).build();
when(serverCall.getAttributes()).thenReturn(attributes);
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
doThrow(new SSLPeerUnverifiedException("bad")).when(sslSession).getPeerCertificates();
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
assertThat(decision.matchingPolicyName()).isEqualTo(null);
}
Aggregations