
Example 1 with OrMatcher

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher in the grpc-java project (by grpc).

From the class GrpcAuthorizationEngineTest, method multiplePolicies.

@Test
public void multiplePolicies() throws Exception {
    // Shared by both policies: the path matcher built from the fixture STRING_MATCHER.
    PathMatcher pathMatcher = PathMatcher.create(STRING_MATCHER);

    // Policy 1 (POLICY_NAME): principal = authenticated peer whose name ends with
    // "TEST.google.fr" (second forSuffix argument presumably toggles case-insensitivity)
    // AND the path; permission = the path AND NOT destination port PORT + 1.
    AuthenticatedMatcher suffixAuth =
        AuthenticatedMatcher.create(StringMatcher.forSuffix("TEST.google.fr", true));
    OrMatcher firstPrincipal = OrMatcher.create(AndMatcher.create(suffixAuth, pathMatcher));
    OrMatcher firstPermission = OrMatcher.create(
        AndMatcher.create(pathMatcher, InvertMatcher.create(DestinationPortMatcher.create(PORT + 1))));
    PolicyMatcher firstPolicy = PolicyMatcher.create(POLICY_NAME, firstPermission, firstPrincipal);

    // Policy 2 (POLICY_NAME + "-2"): principal = header with a value different from the
    // fixture value OR an authenticated peer whose name contains "TEST.google.fr";
    // permission = destination IP within IP_ADDR1/24 OR the path.
    AuthHeaderMatcher otherValueHeader = AuthHeaderMatcher.create(
        Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE + 1, false));
    AuthenticatedMatcher containsAuth =
        AuthenticatedMatcher.create(StringMatcher.forContains("TEST.google.fr"));
    OrMatcher secondPrincipal = OrMatcher.create(otherValueHeader, containsAuth);
    CidrMatcher subnet = CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24);
    DestinationIpMatcher destIpMatcher = DestinationIpMatcher.create(subnet);
    OrMatcher secondPermission = OrMatcher.create(destIpMatcher, pathMatcher);
    PolicyMatcher secondPolicy =
        PolicyMatcher.create(POLICY_NAME + "-2", secondPermission, secondPrincipal);

    // A DENY config with both policies, first policy listed first. The assertions pin that
    // the decision is DENY and that the reported policy is POLICY_NAME — i.e. the first
    // listed policy is the one attributed when it matches.
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(
        AuthConfig.create(ImmutableList.of(firstPolicy, secondPolicy), Action.DENY));
    AuthDecision decision = engine.evaluate(HEADER, serverCall);

    assertThat(decision.decision()).isEqualTo(Action.DENY);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}

Example 2 with OrMatcher

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher in the grpc-java project (by grpc).

From the class GrpcAuthorizationEngineTest, method headerMatcher_binaryHeader.

@Test
public void headerMatcher_binaryHeader() {
    // A "-bin" header key; the policy matches the header against the unpadded base64
    // encoding of the raw bytes, which is how the test expects binary headers to be compared.
    String binaryKey = HEADER_KEY + Metadata.BINARY_HEADER_SUFFIX;
    byte[] rawValue = HEADER_VALUE.getBytes(US_ASCII);
    String encodedValue = BaseEncoding.base64().omitPadding().encode(rawValue);
    AuthHeaderMatcher binaryHeaderMatcher = AuthHeaderMatcher.create(
        Matchers.HeaderMatcher.forExactValue(binaryKey, encodedValue, false));

    // Principal: the binary header. Permission: anything not on destination port PORT + 1.
    OrMatcher principal = OrMatcher.create(binaryHeaderMatcher);
    OrMatcher permission =
        OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
    PolicyMatcher policy = PolicyMatcher.create(POLICY_NAME, permission, principal);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(
        AuthConfig.create(Collections.singletonList(policy), Action.ALLOW));

    // The request carries the header as raw bytes under the binary marshaller, not as base64.
    Metadata requestHeaders = new Metadata();
    requestHeaders.put(Metadata.Key.of(binaryKey, Metadata.BINARY_BYTE_MARSHALLER), rawValue);
    AuthDecision decision = engine.evaluate(requestHeaders, serverCall);

    assertThat(decision.decision()).isEqualTo(Action.ALLOW);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}

Example 3 with OrMatcher

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher in the grpc-java project (by grpc).

From the class GrpcAuthorizationEngineTest, method headerMatcher_hardcodePostMethod.

@Test
public void headerMatcher_hardcodePostMethod() {
    // Principal: the pseudo-header ":method" must equal "POST".
    AuthHeaderMatcher postMethodMatcher = AuthHeaderMatcher.create(
        Matchers.HeaderMatcher.forExactValue(":method", "POST", false));
    OrMatcher principal = OrMatcher.create(postMethodMatcher);

    // Permission: anything not on destination port PORT + 1.
    OrMatcher permission =
        OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
    PolicyMatcher policy = PolicyMatcher.create(POLICY_NAME, permission, principal);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(
        AuthConfig.create(Collections.singletonList(policy), Action.ALLOW));

    // The request metadata is empty — no ":method" entry is put in — yet the test expects
    // a match, so the engine presumably supplies ":method" = "POST" itself (gRPC over HTTP/2
    // always uses POST). A policy keyed on ":method" therefore does not depend on a client-
    // controllable header.
    AuthDecision decision = engine.evaluate(new Metadata(), serverCall);

    assertThat(decision.decision()).isEqualTo(Action.ALLOW);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}

Example 4 with OrMatcher

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher in the grpc-java project (by grpc).

From the class GrpcAuthorizationEngineTest, method pathMatcher.

@Test
public void pathMatcher() {
    // Permission matches everything; only the principal (the request path) is discriminating.
    OrMatcher permission = OrMatcher.create(AlwaysTrueMatcher.INSTANCE);
    OrMatcher principal = OrMatcher.create(PathMatcher.create(STRING_MATCHER));
    PolicyMatcher policy = PolicyMatcher.create(POLICY_NAME, permission, principal);

    // DENY action: a matching policy must yield DENY attributed to POLICY_NAME.
    AuthConfig config = AuthConfig.create(Collections.singletonList(policy), Action.DENY);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(config);
    AuthDecision decision = engine.evaluate(HEADER, serverCall);

    assertThat(decision.decision()).isEqualTo(Action.DENY);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}

Example 5 with OrMatcher

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher in the grpc-java project (by grpc).

From the class GrpcAuthorizationEngineTest, method headerMatcher.

@Test
public void headerMatcher() {
    // Phase 1: exact header value HEADER_KEY = HEADER_VALUE under an ALLOW config.
    // Permission: anything not on destination port PORT + 1.
    OrMatcher notOtherPort =
        OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
    AuthHeaderMatcher exactHeader = AuthHeaderMatcher.create(
        Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE, false));
    PolicyMatcher exactPolicy =
        PolicyMatcher.create(POLICY_NAME, notOtherPort, OrMatcher.create(exactHeader));
    GrpcAuthorizationEngine exactEngine = new GrpcAuthorizationEngine(
        AuthConfig.create(Collections.singletonList(exactPolicy), Action.ALLOW));
    AuthDecision exactDecision = exactEngine.evaluate(HEADER, serverCall);
    assertThat(exactDecision.decision()).isEqualTo(Action.ALLOW);
    assertThat(exactDecision.matchingPolicyName()).isEqualTo(POLICY_NAME);

    // Phase 2: a second value for the same key is added to the shared HEADER fixture.
    // NOTE(review): this mutates HEADER in place; it is assumed the fixture is rebuilt
    // before each test — confirm against the class setup.
    // Repeated header values are expected to be matched as the comma-joined string.
    HEADER.put(Metadata.Key.of(HEADER_KEY, Metadata.ASCII_STRING_MARSHALLER), HEADER_VALUE);
    OrMatcher alwaysPermitted = OrMatcher.create(AlwaysTrueMatcher.INSTANCE);
    AuthHeaderMatcher joinedHeader = AuthHeaderMatcher.create(
        Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE + "," + HEADER_VALUE, false));
    PolicyMatcher joinedPolicy =
        PolicyMatcher.create(POLICY_NAME, alwaysPermitted, OrMatcher.create(joinedHeader));
    GrpcAuthorizationEngine joinedEngine = new GrpcAuthorizationEngine(
        AuthConfig.create(Collections.singletonList(joinedPolicy), Action.ALLOW));
    AuthDecision joinedDecision = joinedEngine.evaluate(HEADER, serverCall);
    assertThat(joinedDecision.decision()).isEqualTo(Action.ALLOW);

    // Phase 3: the same value under a "-bin" key that the request does not carry.
    // No policy matches, so the ALLOW config falls through to DENY.
    AuthHeaderMatcher binaryKeyHeader = AuthHeaderMatcher.create(
        Matchers.HeaderMatcher.forExactValue(HEADER_KEY + Metadata.BINARY_HEADER_SUFFIX, HEADER_VALUE, false));
    PolicyMatcher binaryKeyPolicy =
        PolicyMatcher.create(POLICY_NAME, OrMatcher.create(AlwaysTrueMatcher.INSTANCE), OrMatcher.create(binaryKeyHeader));
    GrpcAuthorizationEngine binaryKeyEngine = new GrpcAuthorizationEngine(
        AuthConfig.create(Collections.singletonList(binaryKeyPolicy), Action.ALLOW));
    AuthDecision binaryKeyDecision = binaryKeyEngine.evaluate(HEADER, serverCall);
    assertThat(binaryKeyDecision.decision()).isEqualTo(Action.DENY);
}
