use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher in project grpc-java by grpc.
the class GrpcAuthorizationEngineTest method headerMatcher_aliasAuthorityAndHost.
/**
 * Verifies that an RBAC header rule written against {@code Host} is evaluated against the
 * call's authority.
 *
 * <p>The request metadata passed to the engine is empty, so the only place the value
 * {@code google.com} exists is the stubbed {@code serverCall.getAuthority()}. The policy must
 * still match, and the ALLOW decision must carry the policy's name.
 */
@Test
public void headerMatcher_aliasAuthorityAndHost() {
  // Principal side: exact-value rule on the "Host" header name.
  AuthHeaderMatcher hostRule =
      AuthHeaderMatcher.create(Matchers.HeaderMatcher.forExactValue("Host", "google.com", false));
  OrMatcher principals = OrMatcher.create(hostRule);

  // Permission side: "destination port is NOT PORT + 1".
  // NOTE(review): presumably the fixture's serverCall reports PORT as its local port, which
  // would make this permission true; the setup is outside this snippet, so confirm there.
  DestinationPortMatcher otherPort = DestinationPortMatcher.create(PORT + 1);
  OrMatcher permissions = OrMatcher.create(InvertMatcher.create(otherPort));

  PolicyMatcher policy = PolicyMatcher.create(POLICY_NAME, permissions, principals);
  AuthConfig allowConfig = AuthConfig.create(Collections.singletonList(policy), Action.ALLOW);
  GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(allowConfig);

  // The authority is the only source of "google.com"; no Host entry is placed in the Metadata.
  when(serverCall.getAuthority()).thenReturn("google.com");

  AuthDecision result = engine.evaluate(new Metadata(), serverCall);

  assertThat(result.decision()).isEqualTo(Action.ALLOW);
  assertThat(result.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher in project grpc-java by grpc.
the class RbacFilterTest method testAuthorizationInterceptor.
/**
 * Exercises the interceptor built by {@code RbacFilter} with a policy that cannot match, under
 * both engine actions.
 *
 * <p>With {@code Action.ALLOW} and no matching policy the call must be closed with
 * {@code PERMISSION_DENIED} and the handler must never be started. With {@code Action.DENY}
 * and the same non-matching policy the call must be handed to the handler.
 */
@SuppressWarnings("unchecked")
@Test
public void testAuthorizationInterceptor() {
  ServerCallHandler<Void, Void> mockHandler = mock(ServerCallHandler.class);
  ServerCall<Void, Void> mockServerCall = mock(ServerCall.class);

  // The only transport attribute supplied is the local address, on port 20.
  InetSocketAddress localAddr = new InetSocketAddress("1::", 20);
  Attributes transportAttrs =
      Attributes.newBuilder().set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, localAddr).build();
  when(mockServerCall.getAttributes()).thenReturn(transportAttrs);

  // 99999 is above the 16-bit port range, so this permission cannot equal the local port set
  // above; the always-true principal means the permission alone decides the outcome.
  OrMatcher unreachablePort = OrMatcher.create(DestinationPortMatcher.create(99999));
  OrMatcher anyPrincipal = OrMatcher.create(AlwaysTrueMatcher.INSTANCE);
  PolicyMatcher policyMatcher =
      PolicyMatcher.create("policy-matcher", unreachablePort, anyPrincipal);

  // Phase 1: ALLOW engine, nothing matches -> the request is rejected.
  AuthConfig allowConfig =
      AuthConfig.create(Collections.singletonList(policyMatcher), GrpcAuthorizationEngine.Action.ALLOW);
  new RbacFilter()
      .buildServerInterceptor(RbacConfig.create(allowConfig), null)
      .interceptCall(mockServerCall, new Metadata(), mockHandler);

  // A rejected call must never reach application code.
  verify(mockHandler, never()).startCall(eq(mockServerCall), any(Metadata.class));
  ArgumentCaptor<Status> closeStatus = ArgumentCaptor.forClass(Status.class);
  verify(mockServerCall).close(closeStatus.capture(), any(Metadata.class));
  Status rejection = closeStatus.getValue();
  assertThat(rejection.getCode()).isEqualTo(Status.PERMISSION_DENIED.getCode());
  // The client-visible description is pinned to this fixed string.
  assertThat(rejection.getDescription()).isEqualTo("Access Denied");
  // Apart from close(), the interceptor may touch the call only to read its attributes.
  verify(mockServerCall).getAttributes();
  verifyNoMoreInteractions(mockServerCall);

  // Phase 2: DENY engine, nothing matches -> the request goes through to the handler.
  // NOTE(review): this phase does not re-check mockServerCall, so an extra close() on the
  // permitted path would go unnoticed here.
  AuthConfig denyConfig =
      AuthConfig.create(Collections.singletonList(policyMatcher), GrpcAuthorizationEngine.Action.DENY);
  new RbacFilter()
      .buildServerInterceptor(RbacConfig.create(denyConfig), null)
      .interceptCall(mockServerCall, new Metadata(), mockHandler);
  verify(mockHandler).startCall(eq(mockServerCall), any(Metadata.class));
}