use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method headerMatcher.
@Test
public void headerMatcher() {
AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE, false));
OrMatcher principal = OrMatcher.create(headerMatcher);
OrMatcher permission = OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
AuthDecision decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
HEADER.put(Metadata.Key.of(HEADER_KEY, Metadata.ASCII_STRING_MARSHALLER), HEADER_VALUE);
headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue(HEADER_KEY, HEADER_VALUE + "," + HEADER_VALUE, false));
principal = OrMatcher.create(headerMatcher);
policyMatcher = PolicyMatcher.create(POLICY_NAME, OrMatcher.create(AlwaysTrueMatcher.INSTANCE), principal);
engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue(HEADER_KEY + Metadata.BINARY_HEADER_SUFFIX, HEADER_VALUE, false));
principal = OrMatcher.create(headerMatcher);
policyMatcher = PolicyMatcher.create(POLICY_NAME, OrMatcher.create(AlwaysTrueMatcher.INSTANCE), principal);
engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method authenticatedMatcher.
@Test
public void authenticatedMatcher() throws Exception {
AuthenticatedMatcher authMatcher = AuthenticatedMatcher.create(StringMatcher.forExact("*.test.google.fr", false));
PathMatcher pathMatcher = PathMatcher.create(STRING_MATCHER);
OrMatcher permission = OrMatcher.create(authMatcher);
OrMatcher principal = OrMatcher.create(pathMatcher);
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
AuthDecision decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
X509Certificate[] certs = { TestUtils.loadX509Cert("badserver.pem") };
when(sslSession.getPeerCertificates()).thenReturn(certs);
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
assertThat(decision.matchingPolicyName()).isEqualTo(null);
X509Certificate mockCert = mock(X509Certificate.class);
when(sslSession.getPeerCertificates()).thenReturn(new X509Certificate[] { mockCert });
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
when(mockCert.getSubjectDN()).thenReturn(mock(Principal.class));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "*.test.google.fr")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(6, "*.test.google.fr")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(10, "*.test.google.fr")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "google.com"), Arrays.asList(6, "*.test.google.fr")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(6, "*.test.google.fr"), Arrays.asList(2, "google.com")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "*.test.google.fr"), Arrays.asList(6, "google.com")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(2, "*.test.google.fr"), Arrays.asList(6, "google.com"), Arrays.asList(6, "*.test.google.fr")));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
// match any authenticated connection if StringMatcher not set in AuthenticatedMatcher
permission = OrMatcher.create(AuthenticatedMatcher.create(null));
policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.<List<?>>asList(Arrays.asList(6, "random")));
engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.ALLOW);
// not match any unauthenticated connection
Attributes attributes = Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, new InetSocketAddress(IP_ADDR2, PORT)).set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress(IP_ADDR1, PORT)).build();
when(serverCall.getAttributes()).thenReturn(attributes);
assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
doThrow(new SSLPeerUnverifiedException("bad")).when(sslSession).getPeerCertificates();
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
assertThat(decision.matchingPolicyName()).isEqualTo(null);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method headerMatcher_pathHeader.
@Test
public void headerMatcher_pathHeader() {
AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue(":path", "/" + PATH, false));
OrMatcher principal = OrMatcher.create(headerMatcher);
OrMatcher permission = OrMatcher.create(InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
AuthDecision decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method matchersEqualHashcode.
@Test
public void matchersEqualHashcode() throws Exception {
PathMatcher pathMatcher = PathMatcher.create(STRING_MATCHER);
AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue("foo", "bar", true));
DestinationIpMatcher destinationIpMatcher = DestinationIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24));
DestinationPortMatcher destinationPortMatcher = DestinationPortMatcher.create(PORT);
GrpcAuthorizationEngine.DestinationPortRangeMatcher portRangeMatcher = GrpcAuthorizationEngine.DestinationPortRangeMatcher.create(PORT, PORT + 1);
InvertMatcher invertMatcher = InvertMatcher.create(portRangeMatcher);
GrpcAuthorizationEngine.RequestedServerNameMatcher requestedServerNameMatcher = GrpcAuthorizationEngine.RequestedServerNameMatcher.create(STRING_MATCHER);
OrMatcher permission = OrMatcher.create(pathMatcher, headerMatcher, destinationIpMatcher, destinationPortMatcher, invertMatcher, requestedServerNameMatcher);
AuthenticatedMatcher authenticatedMatcher = AuthenticatedMatcher.create(STRING_MATCHER);
SourceIpMatcher sourceIpMatcher1 = SourceIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24));
OrMatcher principal = OrMatcher.create(authenticatedMatcher, AndMatcher.create(sourceIpMatcher1, AlwaysTrueMatcher.INSTANCE));
PolicyMatcher policyMatcher1 = PolicyMatcher.create("match", permission, principal);
AuthConfig config1 = AuthConfig.create(Collections.singletonList(policyMatcher1), Action.ALLOW);
PathMatcher pathMatcher2 = PathMatcher.create(STRING_MATCHER);
AuthHeaderMatcher headerMatcher2 = AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue("foo", "bar", true));
DestinationIpMatcher destinationIpMatcher2 = DestinationIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24));
DestinationPortMatcher destinationPortMatcher2 = DestinationPortMatcher.create(PORT);
GrpcAuthorizationEngine.DestinationPortRangeMatcher portRangeMatcher2 = GrpcAuthorizationEngine.DestinationPortRangeMatcher.create(PORT, PORT + 1);
InvertMatcher invertMatcher2 = InvertMatcher.create(portRangeMatcher2);
GrpcAuthorizationEngine.RequestedServerNameMatcher requestedServerNameMatcher2 = GrpcAuthorizationEngine.RequestedServerNameMatcher.create(STRING_MATCHER);
OrMatcher permission2 = OrMatcher.create(pathMatcher2, headerMatcher2, destinationIpMatcher2, destinationPortMatcher2, invertMatcher2, requestedServerNameMatcher2);
AuthenticatedMatcher authenticatedMatcher2 = AuthenticatedMatcher.create(STRING_MATCHER);
SourceIpMatcher sourceIpMatcher2 = SourceIpMatcher.create(CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24));
OrMatcher principal2 = OrMatcher.create(authenticatedMatcher2, AndMatcher.create(sourceIpMatcher2, AlwaysTrueMatcher.INSTANCE));
PolicyMatcher policyMatcher2 = PolicyMatcher.create("match", permission2, principal2);
AuthConfig config2 = AuthConfig.create(Collections.singletonList(policyMatcher2), Action.ALLOW);
assertThat(config1).isEqualTo(config2);
assertThat(config1.hashCode()).isEqualTo(config2.hashCode());
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method ipMatcher.
@Test
public void ipMatcher() throws Exception {
CidrMatcher ip1 = CidrMatcher.create(InetAddress.getByName(IP_ADDR1), 24);
DestinationIpMatcher destIpMatcher = DestinationIpMatcher.create(ip1);
CidrMatcher ip2 = CidrMatcher.create(InetAddress.getByName(IP_ADDR2), 24);
SourceIpMatcher sourceIpMatcher = SourceIpMatcher.create(ip2);
DestinationPortMatcher portMatcher = DestinationPortMatcher.create(PORT);
OrMatcher permission = OrMatcher.create(AndMatcher.create(portMatcher, destIpMatcher));
OrMatcher principal = OrMatcher.create(sourceIpMatcher);
PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
AuthDecision decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
Attributes attributes = Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, new InetSocketAddress(IP_ADDR2, PORT)).set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress(IP_ADDR1, 2)).build();
when(serverCall.getAttributes()).thenReturn(attributes);
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
assertThat(decision.matchingPolicyName()).isEqualTo(null);
attributes = Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, null).set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress("1.1.1.1", PORT)).build();
when(serverCall.getAttributes()).thenReturn(attributes);
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.DENY);
assertThat(decision.matchingPolicyName()).isEqualTo(null);
engine = new GrpcAuthorizationEngine(AuthConfig.create(Collections.singletonList(policyMatcher), Action.DENY));
decision = engine.evaluate(HEADER, serverCall);
assertThat(decision.decision()).isEqualTo(Action.ALLOW);
assertThat(decision.matchingPolicyName()).isEqualTo(null);
}
Aggregations