Example 11 with PolicyMatcher

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher in the project grpc-java by grpc.

From the class GrpcAuthorizationEngineTest, method headerMatcher_aliasAuthorityAndHost.

@Test
public void headerMatcher_aliasAuthorityAndHost() {
    // Principal: the "Host" header must exactly equal "google.com".
    // gRPC carries no Host header of its own; the engine treats "Host" as an alias
    // for the call's :authority, which is what this test verifies.
    AuthHeaderMatcher headerMatcher = AuthHeaderMatcher.create(
        Matchers.HeaderMatcher.forExactValue("Host", "google.com", false));
    OrMatcher principal = OrMatcher.create(headerMatcher);
    // Permission: destination port is anything except PORT + 1.
    OrMatcher permission = OrMatcher.create(
        InvertMatcher.create(DestinationPortMatcher.create(PORT + 1)));
    PolicyMatcher policyMatcher = PolicyMatcher.create(POLICY_NAME, permission, principal);
    GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(
        AuthConfig.create(Collections.singletonList(policyMatcher), Action.ALLOW));
    // Only the authority is stubbed; the Metadata passed to evaluate() carries no headers.
    when(serverCall.getAuthority()).thenReturn("google.com");
    AuthDecision decision = engine.evaluate(new Metadata(), serverCall);
    // The policy matched on the aliased authority, so the ALLOW action applies
    // and the matching policy name is reported.
    assertThat(decision.decision()).isEqualTo(Action.ALLOW);
    assertThat(decision.matchingPolicyName()).isEqualTo(POLICY_NAME);
}
Also used:
- AuthDecision (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthDecision)
- OrMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.OrMatcher)
- Metadata (io.grpc.Metadata)
- AuthHeaderMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthHeaderMatcher)
- PolicyMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher)
- Test (org.junit.Test)

Example 12 with PolicyMatcher

Use of io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher in the project grpc-java by grpc.

From the class RbacFilterTest, method testAuthorizationInterceptor.

@SuppressWarnings("unchecked")
@Test
public void testAuthorizationInterceptor() {
    ServerCallHandler<Void, Void> mockHandler = mock(ServerCallHandler.class);
    ServerCall<Void, Void> mockServerCall = mock(ServerCall.class);
    // The call's local (destination) address is [1::]:20.
    Attributes attr = Attributes.newBuilder()
        .set(Grpc.TRANSPORT_ATTR_LOCAL_ADDR, new InetSocketAddress("1::", 20)).build();
    when(mockServerCall.getAttributes()).thenReturn(attr);
    // Permission requires destination port 99999, which is outside the valid port range,
    // so this policy can never match; the principal side accepts any caller.
    PolicyMatcher policyMatcher = PolicyMatcher.create("policy-matcher",
        OrMatcher.create(DestinationPortMatcher.create(99999)),
        OrMatcher.create(AlwaysTrueMatcher.INSTANCE));
    // ALLOW action with no matching policy: the interceptor must reject the call.
    AuthConfig authconfig = AuthConfig.create(
        Collections.singletonList(policyMatcher), GrpcAuthorizationEngine.Action.ALLOW);
    new RbacFilter().buildServerInterceptor(RbacConfig.create(authconfig), null)
        .interceptCall(mockServerCall, new Metadata(), mockHandler);
    // The handler is never reached; the call is closed with PERMISSION_DENIED.
    verify(mockHandler, never()).startCall(eq(mockServerCall), any(Metadata.class));
    ArgumentCaptor<Status> captor = ArgumentCaptor.forClass(Status.class);
    verify(mockServerCall).close(captor.capture(), any(Metadata.class));
    assertThat(captor.getValue().getCode()).isEqualTo(Status.PERMISSION_DENIED.getCode());
    assertThat(captor.getValue().getDescription()).isEqualTo("Access Denied");
    verify(mockServerCall).getAttributes();
    verifyNoMoreInteractions(mockServerCall);
    // DENY action with no matching policy: nothing is denied, so the call reaches the handler.
    authconfig = AuthConfig.create(
        Collections.singletonList(policyMatcher), GrpcAuthorizationEngine.Action.DENY);
    new RbacFilter().buildServerInterceptor(RbacConfig.create(authconfig), null)
        .interceptCall(mockServerCall, new Metadata(), mockHandler);
    verify(mockHandler).startCall(eq(mockServerCall), any(Metadata.class));
}
Also used:
- Status (io.grpc.Status)
- InetSocketAddress (java.net.InetSocketAddress)
- Attributes (io.grpc.Attributes)
- Metadata (io.grpc.Metadata)
- AuthConfig (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.AuthConfig)
- PolicyMatcher (io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.PolicyMatcher)
- Test (org.junit.Test)
