
Example 11 with AuthDecision

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.

From class GrpcAuthorizationEngineTest, method headerMatcher_pathHeader:

@Test
public void headerMatcher_pathHeader() {
    // Principal: the ":path" pseudo-header must equal "/" + PATH exactly (the trailing
    // false presumably leaves the match non-inverted — confirm against Matchers.HeaderMatcher).
    Matchers.HeaderMatcher exactPath =
        Matchers.HeaderMatcher.forExactValue(":path", "/" + PATH, false);
    OrMatcher principal = OrMatcher.create(AuthHeaderMatcher.create(exactPath));

    // Permission: any destination port except PORT + 1, so the fixture's call (set up outside
    // this method) is not excluded on the permission side.
    OrMatcher permission =
        OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));

    PolicyMatcher policy = PolicyMatcher.create(POLICY_NAME, permission, principal);
    AuthConfig config = AuthConfig.create(Collections.singletonList(policy), Action.ALLOW);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(config);

    AuthDecision decision = engine.evaluate(HEADER, serverCall);

    // The ALLOW policy matched, so the decision carries its name.
    assertThat(decision.decision()).isEqualTo(Action.ALLOW);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}

Example 12 with AuthDecision

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.

From class GrpcAuthorizationEngineTest, method ipMatcher:

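@Test
public void ipMatcher() throws Exception {
    // Permission (what may be reached): destination port == PORT AND destination IP in IP_ADDR1/24.
    CidrMatcher destinationRange = CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24);
    DestinationPortMatcher portMatcher = DestinationPortMatcher.create(PORT);
    OrMatcher permission = OrMatcher.create(
        AndMatcher.create(portMatcher, DestinationIpMatcher.create(destinationRange)));
    // Principal (who may reach it): source IP in IP_ADDR2/24.
    CidrMatcher sourceRange = CidrMatcher.create(InetAddress.getByName(IP_ADDR2), 24);
    OrMatcher principal = OrMatcher.create(SourceIpMatcher.create(sourceRange));
    PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);

    // ALLOW policy against the fixture's default call (its attributes are set up outside this
    // method): both sides are expected to match, so the policy name is reported.
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(
        AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
    AuthDecision decision = engine.evaluate(HEADER, serverCall);
    assertThat(decision.decision()).isEqualTo(Action.ALLOW);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);

    // Local port 2 (presumably != PORT) fails the AND permission; an ALLOW policy that does not
    // match denies the request and reports no policy name.
    stubTransportAddresses(
        new InetSocketAddress(IP_ADDR2, PORT), new InetSocketAddress(IP_ADDR1, 2));
    decision = engine.evaluate(HEADER, serverCall);
    assertThat(decision.decision()).isEqualTo(Action.DENY);
    assertThat(decision.matchingPolicyName()).isNull();

    // Missing remote address: the source-IP principal has nothing to match, so the request is
    // denied rather than allowed (fail closed). 1.1.1.1 is presumably also outside IP_ADDR1/24.
    stubTransportAddresses(null, new InetSocketAddress("1.1.1.1", PORT));
    decision = engine.evaluate(HEADER, serverCall);
    assertThat(decision.decision()).isEqualTo(Action.DENY);
    assertThat(decision.matchingPolicyName()).isNull();

    // The same unmatched request under a DENY policy falls through to ALLOW with no policy
    // name: a DENY policy only blocks what it matches.
    engine = new GrpcAuthorizationEngine(
        AuthConfig.create(Collections.singletonList(policyMatcher), Action.DENY));
    decision = engine.evaluate(HEADER, serverCall);
    assertThat(decision.decision()).isEqualTo(Action.ALLOW);
    assertThat(decision.matchingPolicyName()).isNull();
}

/** Stubs the mocked call's transport attributes with the given remote and local addresses. */
private void stubTransportAddresses(InetSocketAddress remote, InetSocketAddress local) {
    Attributes attributes = Attributes.newBuilder()
        .set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, remote)
        .set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, local)
        .build();
    when(serverCall.getAttributes()).thenReturn(attributes);
}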

Example 13 with AuthDecision

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.

From class GrpcAuthorizationEngineTest, method headerMatcher_aliasAuthorityAndHost:

@Test
public void headerMatcher_aliasAuthorityAndHost() {
    // Principal keys on a "Host" header. The metadata passed below is empty, so the only
    // source for a host value is the call's authority.
    OrMatcher principal = OrMatcher.create(AuthHeaderMatcher.create(
        Matchers.HeaderMatcher.forExactValue("Host", "google.com", false)));
    // Permission: any destination port except PORT + 1.
    OrMatcher permission = OrMatcher.create(
        InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
    AuthConfig config = AuthConfig.create(
        Collections.singletonList(PolicyMatcher.create(POLICY_NAME, permission, principal)),
        Action.ALLOW);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(config);

    when(serverCall.getAuthority()).thenReturn("google.com");
    AuthDecision decision = engine.evaluate(new Metadata(), serverCall);

    // Matching through the authority alias yields an ALLOW attributed to the policy.
    assertThat(decision.decision()).isEqualTo(Action.ALLOW);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}

Example 14 with AuthDecision

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.

From class RbacFilterTest, method pathParser:

@Test
@SuppressWarnings("unchecked")
public void pathParser() {
    // Both the permission and the principal are url_path rules built from STRING_MATCHER.
    PathMatcher urlPath = PathMatcher.newBuilder().setPath(STRING_MATCHER).build();
    Permission permission = Permission.newBuilder().setUrlPath(urlPath).build();
    Principal principal = Principal.newBuilder().setUrlPath(urlPath).build();

    ConfigOrError<RbacConfig> parsed = parse(Arrays.asList(permission), Arrays.asList(principal));
    assertThat(parsed.errorDetail).isNull();

    // Unchecked: mock(ServerCall.class) produces a raw ServerCall.
    ServerCall<Void, Void> call = mock(ServerCall.class);
    when(call.getMethodDescriptor()).thenReturn(method().build());

    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(parsed.config.authConfig());
    AuthDecision decision = engine.evaluate(new Metadata(), call);
    // Whether this DENY comes from a matched DENY rule or an unmatched ALLOW rule depends on
    // the action that parse() (defined outside this method) assigns.
    assertThat(decision.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}

Example 15 with AuthDecision

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision in project grpc-java by grpc.

From class RbacFilterTest, method headerParser:

@Test
@SuppressWarnings({ "unchecked", "deprecation" })
public void headerParser() {
    // "deprecation": setExactMatch is the deprecated form of the envoy header matcher; the
    // test keeps it to exercise parsing of that field.
    HeaderMatcher partyIsWin =
        HeaderMatcher.newBuilder().setName("party").setExactMatch("win").build();
    Permission permission = Permission.newBuilder().setHeader(partyIsWin).build();
    Principal principal = Principal.newBuilder().setHeader(partyIsWin).build();

    ConfigOrError<RbacConfig> parsed =
        parseOverride(Arrays.asList(permission), Arrays.asList(principal));
    assertThat(parsed.errorDetail).isNull();

    // "unchecked": mock(ServerCall.class) produces a raw ServerCall.
    ServerCall<Void, Void> call = mock(ServerCall.class);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(parsed.config.authConfig());

    // The request carries the matching "party: win" header; the resulting DENY therefore
    // reflects the action parseOverride() (defined outside this method) assigns.
    AuthDecision decision = engine.evaluate(metadata("party", "win"), call);
    assertThat(decision.decision()).isEqualTo(GrpcAuthorizationEngine.Action.DENY);
}
