Search in sources :

Example 1 with PathMatcher

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher in project grpc-java by grpc.

the class GrpcAuthorizationEngineTest method multiplePolicies.

@Test
public void multiplePolicies() throws Exception {
    AuthenticatedMatcher authMatcher = AuthenticatedMatcher.create(StringMatcher.forSuffix("TEST.google.fr", true));
    PathMatcher pathMatcher = PathMatcher.create(STRING_MATCHER);
    OrMatcher principal = OrMatcher.create(AndMatcher.create(authMatcher, pathMatcher));
    OrMatcher permission = OrMatcher.create(AndMatcher.create(pathMatcher, InvertMatcher.create(DestinationPortMatcher.create(PORT + 1))));
    PolicyMatcher policyMatcher1 = PolicyMatcher.create(POLICY_NAME, permission, principal);
    AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE + 1, false));
    authMatcher = AuthenticatedMatcher.create(StringMatcher.forContains("TEST.google.fr"));
    principal = OrMatcher.create(headerMatcher, authMatcher);
    CidrMatcher ip1 = CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24);
    DestinationIpMatcher destIpMatcher = DestinationIpMatcher.create(ip1);
    permission = OrMatcher.create(destIpMatcher, pathMatcher);
    PolicyMatcher policyMatcher2 = PolicyMatcher.create(POLICY_NAME + "-2", permission, principal);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(ImmutableList.of(policyMatcher1, policyMatcher2), Action.DENY));
    AuthDecision decision = engine.evaluate(HEADER, serverCall);
    assertThat(decision.decision()).isEqualTo(Action.DENY);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
Also used : AuthenticatedMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthenticatedMatcher) PathMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher) DestinationIpMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationIpMatcher) AuthDecision(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision) OrMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher) AuthHeaderMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthHeaderMatcher) CidrMatcher(io.grpc.xds.internal.Matchers.CidrMatcher) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) Test(org.junit.Test)

Example 2 with PathMatcher

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher in project grpc-java by grpc.

the class GrpcAuthorizationEngineTest method pathMatcher.

@Test
public void pathMatcher() {
    PathMatcher pathMatcher = PathMatcher.create(STRING_MATCHER);
    OrMatcher permission = OrMatcher.create(AlwaysTrueMatcher.INSTANCE);
    OrMatcher principal = OrMatcher.create(pathMatcher);
    PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.DENY));
    AuthDecision decision = engine.evaluate(HEADER, serverCall);
    assertThat(decision.decision()).isEqualTo(Action.DENY);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
Also used : PathMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher) AuthDecision(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision) OrMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) Test(org.junit.Test)

Example 3 with PathMatcher

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher in project grpc-java by grpc.

the class GrpcAuthorizationEngineTest method authenticatedMatcher.

@Test
public void authenticatedMatcher() throws Exception {
    AuthenticatedMatcher authMatcher = AuthenticatedMatcher.create(StringMatcher.forExact("*.test.google.fr", false));
    PathMatcher pathMatcher = PathMatcher.create(STRING_MATCHER);
    OrMatcher permission = OrMatcher.create(authMatcher);
    OrMatcher principal = OrMatcher.create(pathMatcher);
    PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
    AuthDecision decision = engine.evaluate(HEADER, serverCall);
    assertThat(decision.decision()).isEqualTo(Action.ALLOW);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
    X509Certificate[] certs = { TestUtils.loadX509Cert("badserver.pem") };
    when(sslSession.getPeerCertificates()).thenReturn(certs);
    decision = engine.evaluate(HEADER, serverCall);
    assertThat(decision.decision()).isEqualTo(Action.DENY);
    assertThat(decision.matchingPolicyName()).isEqualTo(null);
    X509Certificate mockCert = mock(X509Certificate.class);
    when(sslSession.getPeerCertificates()).thenReturn(new X509Certificate[] { mockCert });
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
    when(mockCert.getSubjectDN()).thenReturn(mock(Principal.class));
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
    when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "*.test.google.fr")));
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
    when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(6, "*.test.google.fr")));
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
    when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(10, "*.test.google.fr")));
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
    when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "google.com"), Arrays.asList(6, "*.test.google.fr")));
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
    when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(6, "*.test.google.fr"), Arrays.asList(2, "google.com")));
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
    when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "*.test.google.fr"), Arrays.asList(6, "google.com")));
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
    when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "*.test.google.fr"), Arrays.asList(6, "google.com"), Arrays.asList(6, "*.test.google.fr")));
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
    // match any authenticated connection if StringMatcher not set in AuthenticatedMatcher
    permission = OrMatcher.create(AuthenticatedMatcher.create(null));
    policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
    when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(6, "random")));
    engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
    // not match any unauthenticated connection
    Attributes attributes = Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, new InetSocketAddress(IP_ADDR2, PORT)).set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress(IP_ADDR1, PORT)).build();
    when(serverCall.getAttributes()).thenReturn(attributes);
    assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
    doThrow(new SSLPeerUnverifiedException("bad")).when(sslSession).getPeerCertificates();
    decision = engine.evaluate(HEADER, serverCall);
    assertThat(decision.decision()).isEqualTo(Action.DENY);
    assertThat(decision.matchingPolicyName()).isEqualTo(null);
}
Also used : AuthenticatedMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthenticatedMatcher) PathMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher) AuthDecision(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision) OrMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher) InetSocketAddress(java.net.InetSocketAddress) SSLPeerUnverifiedException(javax.net.ssl.SSLPeerUnverifiedException) Attributes(io.grpc.Attributes) X509Certificate(java.security.cert.X509Certificate) Principal(java.security.Principal) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) Test(org.junit.Test)

Example 4 with PathMatcher

use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher in project grpc-java by grpc.

the class GrpcAuthorizationEngineTest method matchersEqualHashcode.

@Test
public void matchersEqualHashcode() throws Exception {
    PathMatcher pathMatcher = PathMatcher.create(STRING_MATCHER);
    AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue("foo", "bar", true));
    DestinationIpMatcher destinationIpMatcher = DestinationIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24));
    DestinationPortMatcher destinationPortMatcher = DestinationPortMatcher.create(PORT);
    GrpcAuthorizationEngine.DestinationPortRangeMatcher portRangeMatcher = GrpcAuthorizationEngine.DestinationPortRangeMatcher.create(PORT, PORT + 1);
    InvertMatcher invertMatcher = InvertMatcher.create(portRangeMatcher);
    GrpcAuthorizationEngine.RequestedServerNameMatcher requestedServerNameMatcher = GrpcAuthorizationEngine.RequestedServerNameMatcher.create(STRING_MATCHER);
    OrMatcher permission = OrMatcher.create(pathMatcher, headerMatcher, destinationIpMatcher, destinationPortMatcher, invertMatcher, requestedServerNameMatcher);
    AuthenticatedMatcher authenticatedMatcher = AuthenticatedMatcher.create(STRING_MATCHER);
    SourceIpMatcher sourceIpMatcher1 = SourceIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24));
    OrMatcher principal = OrMatcher.create(authenticatedMatcher, AndMatcher.create(sourceIpMatcher1, AlwaysTrueMatcher.INSTANCE));
    PolicyMatcher policyMatcher1 = PolicyMatcher.create("match", permission, principal);
    AuthConfig config1 = AuthConfig.create(Collections.singletonList(policyMatcher1), Action.ALLOW);
    PathMatcher pathMatcher2 = PathMatcher.create(STRING_MATCHER);
    AuthHeaderMatcher headerMatcher2 = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue("foo", "bar", true));
    DestinationIpMatcher destinationIpMatcher2 = DestinationIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24));
    DestinationPortMatcher destinationPortMatcher2 = DestinationPortMatcher.create(PORT);
    GrpcAuthorizationEngine.DestinationPortRangeMatcher portRangeMatcher2 = GrpcAuthorizationEngine.DestinationPortRangeMatcher.create(PORT, PORT + 1);
    InvertMatcher invertMatcher2 = InvertMatcher.create(portRangeMatcher2);
    GrpcAuthorizationEngine.RequestedServerNameMatcher requestedServerNameMatcher2 = GrpcAuthorizationEngine.RequestedServerNameMatcher.create(STRING_MATCHER);
    OrMatcher permission2 = OrMatcher.create(pathMatcher2, headerMatcher2, destinationIpMatcher2, destinationPortMatcher2, invertMatcher2, requestedServerNameMatcher2);
    AuthenticatedMatcher authenticatedMatcher2 = AuthenticatedMatcher.create(STRING_MATCHER);
    SourceIpMatcher sourceIpMatcher2 = SourceIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24));
    OrMatcher principal2 = OrMatcher.create(authenticatedMatcher2, AndMatcher.create(sourceIpMatcher2, AlwaysTrueMatcher.INSTANCE));
    PolicyMatcher policyMatcher2 = PolicyMatcher.create("match", permission2, principal2);
    AuthConfig config2 = AuthConfig.create(Collections.singletonList(policyMatcher2), Action.ALLOW);
    assertThat(config1).isEqualTo(config2);
    assertThat(config1.hashCode()).isEqualTo(config2.hashCode());
}
Also used : SourceIpMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.SourceIpMatcher) AuthHeaderMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthHeaderMatcher) AuthConfig(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig) DestinationPortMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationPortMatcher) PolicyMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher) AuthenticatedMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthenticatedMatcher) PathMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher) InvertMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.InvertMatcher) DestinationIpMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationIpMatcher) OrMatcher(io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher) Test(org.junit.Test)

Aggregations

OrMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher)4 PathMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PathMatcher)4 PolicyMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher)4 Test (org.junit.Test)4 AuthDecision (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision)3 AuthenticatedMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthenticatedMatcher)3 AuthHeaderMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthHeaderMatcher)2 DestinationIpMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationIpMatcher)2 Attributes (io.grpc.Attributes)1 CidrMatcher (io.grpc.xds.internal.Matchers.CidrMatcher)1 AuthConfig (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig)1 DestinationPortMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.DestinationPortMatcher)1 InvertMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.InvertMatcher)1 SourceIpMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.SourceIpMatcher)1 InetSocketAddress (java.net.InetSocketAddress)1 Principal (java.security.Principal)1 X509Certificate (java.security.cert.X509Certificate)1 SSLPeerUnverifiedException (javax.net.ssl.SSLPeerUnverifiedException)1