use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method headerMatcher_pathHeader.
@Test
public void headerMatcher_pathHeader() {
AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue(":path", "/" + PATH, false));
OrMatcher principal = OrMatcher.create(headerMatcher);
OrMatcher permission = OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
AuthDecision decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method ipMatcher.
@Test
public void ipMatcher() throws Exception {
CidrMatcher ip1 = CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24);
DestinationIpMatcher destIpMatcher = DestinationIpMatcher.create(ip1);
CidrMatcher ip2 = CidrMatcher.create(InetAddress.getByName(IP_ADDR2), 24);
SourceIpMatcher sourceIpMatcher = SourceIpMatcher.create(ip2);
DestinationPortMatcher portMatcher = DestinationPortMatcher.create(PORT);
OrMatcher permission = OrMatcher.create(AndMatcher.create(portMatcher, destIpMatcher));
OrMatcher principal = OrMatcher.create(sourceIpMatcher);
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
AuthDecision decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
Attributes attributes = Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, new InetSocketAddress(IP_ADDR2, PORT)).set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress(IP_ADDR1, 2)).build();
when(serverCall.getAttributes()).thenReturn(attributes);
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
assertThat(decision.matchingPolicyName()).isEqualTo(null);
attributes = Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, null).set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress("1.1.1.1", PORT)).build();
when(serverCall.getAttributes()).thenReturn(attributes);
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
assertThat(decision.matchingPolicyName()).isEqualTo(null);
engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.DENY));
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(null);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method headerMatcher_aliasAuthorityAndHost.
@Test
public void headerMatcher_aliasAuthorityAndHost() {
AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue("Host", "google.com", false));
OrMatcher principal = OrMatcher.create(headerMatcher);
OrMatcher permission = OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
when(serverCall.getAuthority()).thenReturn("google.com");
AuthDecision decision = engine.evaluate(new Metadata(), serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.
the class RbacFilterTest method pathParser.
@Test
@SuppressWarnings("unchecked")
public void pathParser() {
PathMatcher pathMatcher = PathMatcher.newBuilder().setPath(STRING_MATCHER).build();
List<Permission> permissionList = Arrays.asList(Permission.newBuilder().setUrlPath(pathMatcher).build());
List<Principal> principalList = Arrays.asList(Principal.newBuilder().setUrlPath(pathMatcher).build());
ConfigOrError<RbacConfig> result = parse(permissionList, principalList);
assertThat(result.errorDetail).isNull();
ServerCall<Void, Void> serverCall = mock(ServerCall.class);
when(serverCall.getMethodDescriptor()).thenReturn(method().build());
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(result.config.authConfig());
AuthDecision decision = engine.evaluate(new Metadata(), serverCall);
assertThat(decision.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.
the class RbacFilterTest method headerParser.
@Test
@SuppressWarnings({ "unchecked", "deprecation" })
public void headerParser() {
HeaderMatcher headerMatcher = HeaderMatcher.newBuilder().setName("party").setExactMatch("win").build();
List<Permission> permissionList = Arrays.asList(Permission.newBuilder().setHeader(headerMatcher).build());
List<Principal> principalList = Arrays.asList(Principal.newBuilder().setHeader(headerMatcher).build());
ConfigOrError<RbacConfig> result = parseOverride(permissionList, principalList);
assertThat(result.errorDetail).isNull();
ServerCall<Void, Void> serverCall = mock(ServerCall.class);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(result.config.authConfig());
AuthDecision decision = engine.evaluate(metadata("party", "win"), serverCall);
assertThat(decision.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}
Aggregations