authorization_matchers_test.cc
Go to the documentation of this file.
1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include <grpc/support/port_platform.h>
16 
17 #include <list>
18 
19 #include <gmock/gmock.h>
20 #include <gtest/gtest.h>
21 
22 #include <grpc/grpc_security_constants.h>
23 
24 #include "src/core/lib/security/authorization/evaluate_args.h"
25 #include "src/core/lib/security/authorization/matchers.h"
26 #include "test/core/util/evaluate_args_test_util.h"
27 
28 namespace grpc_core {
29 
30 class AuthorizationMatchersTest : public ::testing::Test {
31  protected:
32  EvaluateArgsTestUtil args_;
33 };
34 
35 TEST_F(AuthorizationMatchersTest, AlwaysAuthorizationMatcher) {
36  EvaluateArgs args = args_.MakeEvaluateArgs();
37  AlwaysAuthorizationMatcher matcher;
38  EXPECT_TRUE(matcher.Matches(args));
39 }
40 
41 TEST_F(AuthorizationMatchersTest, AndAuthorizationMatcherSuccessfulMatch) {
42  args_.AddPairToMetadata("foo", "bar");
43  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
44  EvaluateArgs args = args_.MakeEvaluateArgs();
45  std::vector<std::unique_ptr<Rbac::Permission>> rules;
46  rules.push_back(absl::make_unique<Rbac::Permission>(
47  Rbac::Permission::MakeHeaderPermission(
48  HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
49  /*matcher=*/"bar")
50  .value())));
51  rules.push_back(absl::make_unique<Rbac::Permission>(
52  Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
53  auto matcher = AuthorizationMatcher::Create(
54  Rbac::Permission::MakeAndPermission(std::move(rules)));
55  EXPECT_TRUE(matcher->Matches(args));
56 }
57 
58 TEST_F(AuthorizationMatchersTest, AndAuthorizationMatcherFailedMatch) {
59  args_.AddPairToMetadata("foo", "not_bar");
60  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
61  EvaluateArgs args = args_.MakeEvaluateArgs();
62  std::vector<std::unique_ptr<Rbac::Permission>> rules;
63  rules.push_back(absl::make_unique<Rbac::Permission>(
64  Rbac::Permission::MakeHeaderPermission(
65  HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
66  /*matcher=*/"bar")
67  .value())));
68  rules.push_back(absl::make_unique<Rbac::Permission>(
69  Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
70  auto matcher = AuthorizationMatcher::Create(
71  Rbac::Permission(Rbac::Permission::MakeAndPermission(std::move(rules))));
72  // Header rule fails. Expected value "bar", got "not_bar" for key "foo".
73  EXPECT_FALSE(matcher->Matches(args));
74 }
75 
76 TEST_F(AuthorizationMatchersTest, OrAuthorizationMatcherSuccessfulMatch) {
77  args_.AddPairToMetadata("foo", "bar");
78  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
79  EvaluateArgs args = args_.MakeEvaluateArgs();
80  std::vector<std::unique_ptr<Rbac::Permission>> rules;
81  rules.push_back(absl::make_unique<Rbac::Permission>(
82  Rbac::Permission::MakeHeaderPermission(
83  HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
84  /*matcher=*/"bar")
85  .value())));
86  rules.push_back(absl::make_unique<Rbac::Permission>(
87  Rbac::Permission::MakeDestPortPermission(/*port=*/456)));
88  auto matcher = AuthorizationMatcher::Create(
89  Rbac::Permission(Rbac::Permission::MakeOrPermission(std::move(rules))));
90  // Matches as header rule matches even though port rule fails.
91  EXPECT_TRUE(matcher->Matches(args));
92 }
93 
94 TEST_F(AuthorizationMatchersTest, OrAuthorizationMatcherFailedMatch) {
95  args_.AddPairToMetadata("foo", "not_bar");
96  EvaluateArgs args = args_.MakeEvaluateArgs();
97  std::vector<std::unique_ptr<Rbac::Permission>> rules;
98  rules.push_back(absl::make_unique<Rbac::Permission>(
99  Rbac::Permission::MakeHeaderPermission(
100  HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
101  /*matcher=*/"bar")
102  .value())));
103  auto matcher = AuthorizationMatcher::Create(
104  Rbac::Permission(Rbac::Permission::MakeOrPermission(std::move(rules))));
105  // Header rule fails. Expected value "bar", got "not_bar" for key "foo".
106  EXPECT_FALSE(matcher->Matches(args));
107 }
108 
109 TEST_F(AuthorizationMatchersTest, NotAuthorizationMatcherSuccessfulMatch) {
110  args_.AddPairToMetadata(":path", "/different/foo");
111  EvaluateArgs args = args_.MakeEvaluateArgs();
112  auto matcher = AuthorizationMatcher::Create(Rbac::Principal(
113  Rbac::Principal::MakeNotPrincipal(Rbac::Principal::MakePathPrincipal(
114  StringMatcher::Create(StringMatcher::Type::kExact,
115  /*matcher=*/"/expected/foo",
116  /*case_sensitive=*/false)
117  .value()))));
118  EXPECT_TRUE(matcher->Matches(args));
119 }
120 
121 TEST_F(AuthorizationMatchersTest, NotAuthorizationMatcherFailedMatch) {
122  args_.AddPairToMetadata(":path", "/expected/foo");
123  EvaluateArgs args = args_.MakeEvaluateArgs();
124  auto matcher = AuthorizationMatcher::Create(Rbac::Principal(
125  Rbac::Principal::MakeNotPrincipal(Rbac::Principal::MakePathPrincipal(
126  StringMatcher::Create(StringMatcher::Type::kExact,
127  /*matcher=*/"/expected/foo",
128  /*case_sensitive=*/false)
129  .value()))));
130  EXPECT_FALSE(matcher->Matches(args));
131 }
132 
133 TEST_F(AuthorizationMatchersTest, HybridAuthorizationMatcherSuccessfulMatch) {
134  args_.AddPairToMetadata("foo", "bar");
135  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
136  EvaluateArgs args = args_.MakeEvaluateArgs();
137  std::vector<std::unique_ptr<Rbac::Permission>> sub_and_rules;
138  sub_and_rules.push_back(absl::make_unique<Rbac::Permission>(
139  Rbac::Permission::MakeHeaderPermission(
140  HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
141  /*matcher=*/"bar")
142  .value())));
143  std::vector<std::unique_ptr<Rbac::Permission>> sub_or_rules;
144  sub_or_rules.push_back(absl::make_unique<Rbac::Permission>(
145  Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
146  std::vector<std::unique_ptr<Rbac::Permission>> and_rules;
147  and_rules.push_back(absl::make_unique<Rbac::Permission>(
148  Rbac::Permission::MakeAndPermission(std::move(sub_and_rules))));
149  and_rules.push_back(absl::make_unique<Rbac::Permission>(
150  Rbac::Permission::MakeOrPermission(std::move(std::move(sub_or_rules)))));
151  auto matcher = AuthorizationMatcher::Create(Rbac::Permission(
152  Rbac::Permission::MakeAndPermission(std::move(and_rules))));
153  EXPECT_TRUE(matcher->Matches(args));
154 }
155 
156 TEST_F(AuthorizationMatchersTest, HybridAuthorizationMatcherFailedMatch) {
157  args_.AddPairToMetadata("foo", "bar");
158  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
159  EvaluateArgs args = args_.MakeEvaluateArgs();
160  std::vector<std::unique_ptr<Rbac::Permission>> sub_and_rules;
161  sub_and_rules.push_back(absl::make_unique<Rbac::Permission>(
162  Rbac::Permission::MakeHeaderPermission(
163  HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
164  /*matcher=*/"bar")
165  .value())));
166  sub_and_rules.push_back(absl::make_unique<Rbac::Permission>(
167  Rbac::Permission::MakeHeaderPermission(
168  HeaderMatcher::Create(/*name=*/"absent_key",
169  HeaderMatcher::Type::kExact,
170  /*matcher=*/"some_value")
171  .value())));
172  std::vector<std::unique_ptr<Rbac::Permission>> sub_or_rules;
173  sub_or_rules.push_back(absl::make_unique<Rbac::Permission>(
174  Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
175  std::vector<std::unique_ptr<Rbac::Permission>> and_rules;
176  and_rules.push_back(absl::make_unique<Rbac::Permission>(
177  Rbac::Permission::MakeAndPermission(std::move(sub_and_rules))));
178  and_rules.push_back(absl::make_unique<Rbac::Permission>(
179  Rbac::Permission::MakeOrPermission(std::move(std::move(sub_or_rules)))));
180  auto matcher = AuthorizationMatcher::Create(Rbac::Permission(
181  Rbac::Permission::MakeAndPermission(std::move(and_rules))));
182  // Fails as "absent_key" header was not present.
183  EXPECT_FALSE(matcher->Matches(args));
184 }
185 
186 TEST_F(AuthorizationMatchersTest,
187  ReqServerNameAuthorizationMatcherSuccessfulMatch) {
188  EvaluateArgs args = args_.MakeEvaluateArgs();
189  ReqServerNameAuthorizationMatcher matcher(
190  StringMatcher::Create(StringMatcher::Type::kExact,
191  /*matcher=*/"")
192  .value());
193  EXPECT_TRUE(matcher.Matches(args));
194 }
195 
196 TEST_F(AuthorizationMatchersTest,
197  ReqServerNameAuthorizationMatcherFailedMatch) {
198  EvaluateArgs args = args_.MakeEvaluateArgs();
199  ReqServerNameAuthorizationMatcher matcher(
200  StringMatcher::Create(StringMatcher::Type::kExact,
201  /*matcher=*/"server1")
202  .value());
203  EXPECT_FALSE(matcher.Matches(args));
204 }
205 
206 TEST_F(AuthorizationMatchersTest, PathAuthorizationMatcherSuccessfulMatch) {
207  args_.AddPairToMetadata(":path", "expected/path");
208  EvaluateArgs args = args_.MakeEvaluateArgs();
209  PathAuthorizationMatcher matcher(
210  StringMatcher::Create(StringMatcher::Type::kExact,
211  /*matcher=*/"expected/path",
212  /*case_sensitive=*/false)
213  .value());
214  EXPECT_TRUE(matcher.Matches(args));
215 }
216 
217 TEST_F(AuthorizationMatchersTest, PathAuthorizationMatcherFailedMatch) {
218  args_.AddPairToMetadata(":path", "different/path");
219  EvaluateArgs args = args_.MakeEvaluateArgs();
220  PathAuthorizationMatcher matcher(
221  StringMatcher::Create(StringMatcher::Type::kExact,
222  /*matcher=*/"expected/path",
223  /*case_sensitive=*/false)
224  .value());
225  EXPECT_FALSE(matcher.Matches(args));
226 }
227 
228 TEST_F(AuthorizationMatchersTest,
229  PathAuthorizationMatcherFailedMatchMissingPath) {
230  EvaluateArgs args = args_.MakeEvaluateArgs();
231  PathAuthorizationMatcher matcher(
232  StringMatcher::Create(StringMatcher::Type::kExact,
233  /*matcher=*/"expected/path",
234  /*case_sensitive=*/false)
235  .value());
236  EXPECT_FALSE(matcher.Matches(args));
237 }
238 
239 TEST_F(AuthorizationMatchersTest, MetadataAuthorizationMatcherSuccessfulMatch) {
240  EvaluateArgs args = args_.MakeEvaluateArgs();
241  MetadataAuthorizationMatcher matcher(/*invert=*/true);
242  EXPECT_TRUE(matcher.Matches(args));
243 }
244 
245 TEST_F(AuthorizationMatchersTest, MetadataAuthorizationMatcherFailedMatch) {
246  EvaluateArgs args = args_.MakeEvaluateArgs();
247  MetadataAuthorizationMatcher matcher(/*invert=*/false);
248  EXPECT_FALSE(matcher.Matches(args));
249 }
250 
251 TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherSuccessfulMatch) {
252  args_.AddPairToMetadata("key123", "foo_xxx");
253  EvaluateArgs args = args_.MakeEvaluateArgs();
254  HeaderAuthorizationMatcher matcher(
255  HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kPrefix,
256  /*matcher=*/"foo")
257  .value());
258  EXPECT_TRUE(matcher.Matches(args));
259 }
260 
261 TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherFailedMatch) {
262  args_.AddPairToMetadata("key123", "foo");
263  EvaluateArgs args = args_.MakeEvaluateArgs();
264  HeaderAuthorizationMatcher matcher(
265  HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
266  /*matcher=*/"bar")
267  .value());
268  EXPECT_FALSE(matcher.Matches(args));
269 }
270 
271 TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherMethodSuccess) {
272  args_.AddPairToMetadata(":method", "GET");
273  EvaluateArgs args = args_.MakeEvaluateArgs();
274  HeaderAuthorizationMatcher matcher(
275  HeaderMatcher::Create(/*name=*/":method", HeaderMatcher::Type::kExact,
276  /*matcher=*/"GET")
277  .value());
278  EXPECT_TRUE(matcher.Matches(args));
279 }
280 
281 TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherMethodFail) {
282  args_.AddPairToMetadata(":method", "GET");
283  EvaluateArgs args = args_.MakeEvaluateArgs();
284  HeaderAuthorizationMatcher matcher(
285  HeaderMatcher::Create(/*name=*/":method", HeaderMatcher::Type::kExact,
286  /*matcher=*/"PUT")
287  .value());
288  EXPECT_FALSE(matcher.Matches(args));
289 }
290 
291 TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherAuthoritySuccess) {
292  args_.AddPairToMetadata(":authority", "localhost");
293  EvaluateArgs args = args_.MakeEvaluateArgs();
294  HeaderAuthorizationMatcher matcher(
295  HeaderMatcher::Create(/*name=*/":authority", HeaderMatcher::Type::kExact,
296  /*matcher=*/"localhost")
297  .value());
298  EXPECT_TRUE(matcher.Matches(args));
299 }
300 
301 TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherAuthorityFail) {
302  args_.AddPairToMetadata(":authority", "localhost");
303  EvaluateArgs args = args_.MakeEvaluateArgs();
304  HeaderAuthorizationMatcher matcher(
305  HeaderMatcher::Create(/*name=*/":authority", HeaderMatcher::Type::kExact,
306  /*matcher=*/"bad_authority")
307  .value());
308  EXPECT_FALSE(matcher.Matches(args));
309 }
310 
311 TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherPathSuccess) {
312  args_.AddPairToMetadata(":path", "/expected/path");
313  EvaluateArgs args = args_.MakeEvaluateArgs();
314  HeaderAuthorizationMatcher matcher(
315  HeaderMatcher::Create(/*name=*/":path", HeaderMatcher::Type::kExact,
316  /*matcher=*/"/expected/path")
317  .value());
318  EXPECT_TRUE(matcher.Matches(args));
319 }
320 
321 TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherPathFail) {
322  args_.AddPairToMetadata(":path", "/expected/path");
323  EvaluateArgs args = args_.MakeEvaluateArgs();
324  HeaderAuthorizationMatcher matcher(
325  HeaderMatcher::Create(/*name=*/":path", HeaderMatcher::Type::kExact,
326  /*matcher=*/"/unexpected/path")
327  .value());
328  EXPECT_FALSE(matcher.Matches(args));
329 }
330 
331 TEST_F(AuthorizationMatchersTest,
332  HeaderAuthorizationMatcherFailedMatchMultivaluedHeader) {
333  args_.AddPairToMetadata("key123", "foo");
334  args_.AddPairToMetadata("key123", "bar");
335  EvaluateArgs args = args_.MakeEvaluateArgs();
336  HeaderAuthorizationMatcher matcher(
337  HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
338  /*matcher=*/"foo")
339  .value());
340  EXPECT_FALSE(matcher.Matches(args));
341 }
342 
343 TEST_F(AuthorizationMatchersTest,
344  HeaderAuthorizationMatcherFailedMatchMissingHeader) {
345  EvaluateArgs args = args_.MakeEvaluateArgs();
346  HeaderAuthorizationMatcher matcher(
347  HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kSuffix,
348  /*matcher=*/"foo")
349  .value());
350  EXPECT_FALSE(matcher.Matches(args));
351 }
352 
353 TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherDestIpSuccessfulMatch) {
354  args_.SetLocalEndpoint("ipv4:1.2.3.4:123");
355  EvaluateArgs args = args_.MakeEvaluateArgs();
356  IpAuthorizationMatcher matcher(
357  IpAuthorizationMatcher::Type::kDestIp,
358  Rbac::CidrRange(/*address_prefix=*/"1.7.8.9", /*prefix_len=*/8));
359  EXPECT_TRUE(matcher.Matches(args));
360 }
361 
362 TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherDestIpFailedMatch) {
363  args_.SetLocalEndpoint("ipv4:1.2.3.4:123");
364  EvaluateArgs args = args_.MakeEvaluateArgs();
365  IpAuthorizationMatcher matcher(
366  IpAuthorizationMatcher::Type::kDestIp,
367  Rbac::CidrRange(/*address_prefix=*/"1.2.3.9", /*prefix_len=*/32));
368  EXPECT_FALSE(matcher.Matches(args));
369 }
370 
371 TEST_F(AuthorizationMatchersTest,
372  IpAuthorizationMatcherSourceIpSuccessfulMatch) {
373  args_.SetPeerEndpoint("ipv6:[1:2:3::]:456");
374  EvaluateArgs args = args_.MakeEvaluateArgs();
375  IpAuthorizationMatcher matcher(
376  IpAuthorizationMatcher::Type::kSourceIp,
377  Rbac::CidrRange(/*address_prefix=*/"1:3:4::", /*prefix_len=*/16));
378  EXPECT_TRUE(matcher.Matches(args));
379 }
380 
381 TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherSourceIpFailedMatch) {
382  args_.SetPeerEndpoint("ipv6:[1:2::3::]:456");
383  EvaluateArgs args = args_.MakeEvaluateArgs();
384  IpAuthorizationMatcher matcher(
385  IpAuthorizationMatcher::Type::kSourceIp,
386  Rbac::CidrRange(/*address_prefix=*/"1:3::", /*prefix_len=*/48));
387  EXPECT_FALSE(matcher.Matches(args));
388 }
389 
390 TEST_F(AuthorizationMatchersTest,
391  IpAuthorizationMatcherRemoteIpSuccessfulMatch) {
392  args_.SetPeerEndpoint("ipv6:[1:2:3::]:456");
393  EvaluateArgs args = args_.MakeEvaluateArgs();
394  IpAuthorizationMatcher matcher(
395  IpAuthorizationMatcher::Type::kRemoteIp,
396  Rbac::CidrRange(/*address_prefix=*/"1:2:4::", /*prefix_len=*/32));
397  EXPECT_TRUE(matcher.Matches(args));
398 }
399 
400 TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherRemoteIpFailedMatch) {
401  args_.SetPeerEndpoint("ipv6:[1:2::]:456");
402  EvaluateArgs args = args_.MakeEvaluateArgs();
403  IpAuthorizationMatcher matcher(
404  IpAuthorizationMatcher::Type::kRemoteIp,
405  Rbac::CidrRange(/*address_prefix=*/"1:3::", /*prefix_len=*/32));
406  EXPECT_FALSE(matcher.Matches(args));
407 }
408 
409 TEST_F(AuthorizationMatchersTest,
410  IpAuthorizationMatcherDirectRemoteIpSuccessfulMatch) {
411  args_.SetPeerEndpoint("ipv4:1.2.3.4:123");
412  EvaluateArgs args = args_.MakeEvaluateArgs();
413  IpAuthorizationMatcher matcher(
414  IpAuthorizationMatcher::Type::kDirectRemoteIp,
415  Rbac::CidrRange(/*address_prefix=*/"1.7.8.9", /*prefix_len=*/8));
416  EXPECT_TRUE(matcher.Matches(args));
417 }
418 
419 TEST_F(AuthorizationMatchersTest,
420  IpAuthorizationMatcherDirectRemoteIpFailedMatch) {
421  args_.SetPeerEndpoint("ipv4:1.2.3.4:123");
422  EvaluateArgs args = args_.MakeEvaluateArgs();
423  IpAuthorizationMatcher matcher(
424  IpAuthorizationMatcher::Type::kDirectRemoteIp,
425  Rbac::CidrRange(/*address_prefix=*/"1.7.8.9", /*prefix_len=*/16));
426  EXPECT_FALSE(matcher.Matches(args));
427 }
428 
429 TEST_F(AuthorizationMatchersTest, PortAuthorizationMatcherSuccessfulMatch) {
430  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
431  EvaluateArgs args = args_.MakeEvaluateArgs();
432  PortAuthorizationMatcher matcher(/*port=*/123);
433  EXPECT_TRUE(matcher.Matches(args));
434 }
435 
436 TEST_F(AuthorizationMatchersTest, PortAuthorizationMatcherFailedMatch) {
437  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
438  EvaluateArgs args = args_.MakeEvaluateArgs();
439  PortAuthorizationMatcher matcher(/*port=*/456);
440  EXPECT_FALSE(matcher.Matches(args));
441 }
442 
443 TEST_F(AuthorizationMatchersTest,
444  AuthenticatedMatcherUnAuthenticatedConnection) {
445  EvaluateArgs args = args_.MakeEvaluateArgs();
446  AuthenticatedAuthorizationMatcher matcher(
447  StringMatcher::Create(StringMatcher::Type::kExact,
448  /*matcher=*/"foo.com",
449  /*case_sensitive=*/false)
450  .value());
451  EXPECT_FALSE(matcher.Matches(args));
452 }
453 
454 TEST_F(AuthorizationMatchersTest,
455  AuthenticatedMatcherAuthenticatedConnectionMatcherUnset) {
456  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
457  GRPC_SSL_TRANSPORT_SECURITY_TYPE);
458  EvaluateArgs args = args_.MakeEvaluateArgs();
459  AuthenticatedAuthorizationMatcher matcher(/*auth=*/absl::nullopt);
460  EXPECT_TRUE(matcher.Matches(args));
461 }
462 
463 TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherSuccessfulUriSanMatches) {
464  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
465  GRPC_TLS_TRANSPORT_SECURITY_TYPE);
466  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
467  "spiffe://foo.abc");
468  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
469  "https://foo.domain.com");
470  EvaluateArgs args = args_.MakeEvaluateArgs();
471  AuthenticatedAuthorizationMatcher matcher(
472  StringMatcher::Create(StringMatcher::Type::kExact,
473  /*matcher=*/"spiffe://foo.abc",
474  /*case_sensitive=*/false)
475  .value());
476  EXPECT_TRUE(matcher.Matches(args));
477 }
478 
479 TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedUriSanMatches) {
480  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
481  GRPC_TLS_TRANSPORT_SECURITY_TYPE);
482  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
483  "spiffe://bar.abc");
484  EvaluateArgs args = args_.MakeEvaluateArgs();
485  AuthenticatedAuthorizationMatcher matcher(
486  StringMatcher::Create(StringMatcher::Type::kExact,
487  /*matcher=*/"spiffe://foo.abc",
488  /*case_sensitive=*/false)
489  .value());
490  EXPECT_FALSE(matcher.Matches(args));
491 }
492 
493 TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherSuccessfulDnsSanMatches) {
494  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
495  GRPC_SSL_TRANSPORT_SECURITY_TYPE);
496  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
497  "spiffe://bar.abc");
498  args_.AddPropertyToAuthContext(GRPC_PEER_DNS_PROPERTY_NAME,
499  "foo.test.domain.com");
500  args_.AddPropertyToAuthContext(GRPC_PEER_DNS_PROPERTY_NAME,
501  "bar.test.domain.com");
502  EvaluateArgs args = args_.MakeEvaluateArgs();
503  // No match found in URI SANs, finds match in DNS SANs.
504  AuthenticatedAuthorizationMatcher matcher(
505  StringMatcher::Create(StringMatcher::Type::kExact,
506  /*matcher=*/"bar.test.domain.com",
507  /*case_sensitive=*/false)
508  .value());
509  EXPECT_TRUE(matcher.Matches(args));
510 }
511 
512 TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedDnsSanMatches) {
513  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
514  GRPC_SSL_TRANSPORT_SECURITY_TYPE);
515  args_.AddPropertyToAuthContext(GRPC_PEER_DNS_PROPERTY_NAME,
516  "foo.test.domain.com");
517  EvaluateArgs args = args_.MakeEvaluateArgs();
518  AuthenticatedAuthorizationMatcher matcher(
519  StringMatcher::Create(StringMatcher::Type::kExact,
520  /*matcher=*/"bar.test.domain.com",
521  /*case_sensitive=*/false)
522  .value());
523  EXPECT_FALSE(matcher.Matches(args));
524 }
525 
526 TEST_F(AuthorizationMatchersTest,
527  AuthenticatedMatcherSuccessfulSubjectMatches) {
528  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
529  GRPC_TLS_TRANSPORT_SECURITY_TYPE);
530  args_.AddPropertyToAuthContext(GRPC_X509_SUBJECT_PROPERTY_NAME,
531  "CN=abc,OU=Google");
532  EvaluateArgs args = args_.MakeEvaluateArgs();
533  // No match found in URI SANs and DNS SANs, finds match in Subject.
534  AuthenticatedAuthorizationMatcher matcher(
535  StringMatcher::Create(StringMatcher::Type::kExact,
536  /*matcher=*/"CN=abc,OU=Google",
537  /*case_sensitive=*/false)
538  .value());
539  EXPECT_TRUE(matcher.Matches(args));
540 }
541 
542 TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedSubjectMatches) {
543  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
544  GRPC_SSL_TRANSPORT_SECURITY_TYPE);
545  args_.AddPropertyToAuthContext(GRPC_X509_SUBJECT_PROPERTY_NAME,
546  "CN=abc,OU=Google");
547  EvaluateArgs args = args_.MakeEvaluateArgs();
548  AuthenticatedAuthorizationMatcher matcher(
549  StringMatcher::Create(StringMatcher::Type::kExact,
550  /*matcher=*/"CN=def,OU=Google",
551  /*case_sensitive=*/false)
552  .value());
553  EXPECT_FALSE(matcher.Matches(args));
554 }
555 
556 TEST_F(
557  AuthorizationMatchersTest,
558  AuthenticatedMatcherWithoutClientCertMatchesSuccessfullyOnEmptyPrincipal) {
559  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
560  GRPC_TLS_TRANSPORT_SECURITY_TYPE);
561  EvaluateArgs args = args_.MakeEvaluateArgs();
562  AuthenticatedAuthorizationMatcher matcher(
563  StringMatcher::Create(StringMatcher::Type::kExact,
564  /*matcher=*/"")
565  .value());
566  EXPECT_TRUE(matcher.Matches(args));
567 }
568 
569 TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedNothingMatches) {
570  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
571  GRPC_SSL_TRANSPORT_SECURITY_TYPE);
572  EvaluateArgs args = args_.MakeEvaluateArgs();
573  AuthenticatedAuthorizationMatcher matcher(
574  StringMatcher::Create(StringMatcher::Type::kExact,
575  /*matcher=*/"foo",
576  /*case_sensitive=*/false)
577  .value());
578  EXPECT_FALSE(matcher.Matches(args));
579 }
580 
581 TEST_F(AuthorizationMatchersTest, PolicyAuthorizationMatcherSuccessfulMatch) {
582  args_.AddPairToMetadata("key123", "foo");
583  EvaluateArgs args = args_.MakeEvaluateArgs();
584  std::vector<std::unique_ptr<Rbac::Permission>> rules;
585  rules.push_back(absl::make_unique<Rbac::Permission>(
586  Rbac::Permission::MakeHeaderPermission(
587  HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
588  /*matcher=*/"foo")
589  .value())));
590  PolicyAuthorizationMatcher matcher(Rbac::Policy(
591  Rbac::Permission(Rbac::Permission::MakeOrPermission(std::move(rules))),
592  Rbac::Principal::MakeAnyPrincipal()));
593  EXPECT_TRUE(matcher.Matches(args));
594 }
595 
596 TEST_F(AuthorizationMatchersTest, PolicyAuthorizationMatcherFailedMatch) {
597  args_.AddPairToMetadata("key123", "foo");
598  EvaluateArgs args = args_.MakeEvaluateArgs();
599  std::vector<std::unique_ptr<Rbac::Permission>> rules;
600  rules.push_back(absl::make_unique<Rbac::Permission>(
601  Rbac::Permission::MakeHeaderPermission(
602  HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
603  /*matcher=*/"bar")
604  .value())));
605  PolicyAuthorizationMatcher matcher(Rbac::Policy(
606  Rbac::Permission(Rbac::Permission::MakeOrPermission(std::move(rules))),
607  Rbac::Principal::MakeAnyPrincipal()));
608  EXPECT_FALSE(matcher.Matches(args));
609 }
610 
611 } // namespace grpc_core
612 
613 int main(int argc, char** argv) {
614  ::testing::InitGoogleTest(&argc, argv);
615  grpc_init();
616  int ret = RUN_ALL_TESTS();
617  grpc_shutdown();
618  return ret;
619 }
grpc_core::HeaderMatcher::Type::kSuffix
@ kSuffix
grpc_core::HeaderAuthorizationMatcher::Matches
bool Matches(const EvaluateArgs &args) const override
Definition: security/authorization/matchers.cc:145
EXPECT_FALSE
#define EXPECT_FALSE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1970
GRPC_PEER_DNS_PROPERTY_NAME
#define GRPC_PEER_DNS_PROPERTY_NAME
Definition: grpc_security_constants.h:48
grpc_core::EvaluateArgs
Definition: evaluate_args.h:34
grpc_core::AlwaysAuthorizationMatcher::Matches
bool Matches(const EvaluateArgs &) const override
Definition: security/authorization/matchers.h:59
grpc_core::Rbac::Permission::MakeHeaderPermission
static Permission MakeHeaderPermission(HeaderMatcher header_matcher)
Definition: rbac_policy.cc:113
grpc_core::AuthorizationMatcher::Create
static std::unique_ptr< AuthorizationMatcher > Create(Rbac::Permission permission)
Definition: security/authorization/matchers.cc:34
grpc_core::Rbac::Permission::MakeAndPermission
static Permission MakeAndPermission(std::vector< std::unique_ptr< Permission >> permissions)
Definition: rbac_policy.cc:83
grpc_core::Rbac::Principal::MakeAnyPrincipal
static Principal MakeAnyPrincipal()
Definition: rbac_policy.cc:279
grpc_core::HeaderMatcher::Type::kExact
@ kExact
grpc_core::PortAuthorizationMatcher::Matches
bool Matches(const EvaluateArgs &args) const override
Definition: security/authorization/matchers.cc:184
grpc_core::MetadataAuthorizationMatcher
Definition: security/authorization/matchers.h:99
grpc_core
Definition: call_metric_recorder.h:31
grpc_core::IpAuthorizationMatcher
Definition: security/authorization/matchers.h:128
GRPC_SSL_TRANSPORT_SECURITY_TYPE
#define GRPC_SSL_TRANSPORT_SECURITY_TYPE
Definition: grpc_security_constants.h:27
grpc_core::StringMatcher::Create
static absl::StatusOr< StringMatcher > Create(Type type, absl::string_view matcher, bool case_sensitive=true)
Definition: matchers/matchers.cc:34
grpc_core::IpAuthorizationMatcher::Type::kDirectRemoteIp
@ kDirectRemoteIp
args_
grpc_channel_args * args_
Definition: grpclb.cc:513
grpc_core::AuthenticatedAuthorizationMatcher
Definition: security/authorization/matchers.h:161
grpc_core::Rbac::Policy
Definition: rbac_policy.h:151
check_bazel_workspace.rules
dictionary rules
Definition: check_bazel_workspace.py:180
grpc_core::Rbac::Principal::MakePathPrincipal
static Principal MakePathPrincipal(StringMatcher string_matcher)
Definition: rbac_policy.cc:322
grpc_core::AuthorizationMatchersTest
Definition: authorization_matchers_test.cc:30
evaluate_args.h
testing::Test
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:402
grpc_core::PolicyAuthorizationMatcher
Definition: security/authorization/matchers.h:201
grpc_core::Rbac::Principal::MakeNotPrincipal
static Principal MakeNotPrincipal(Principal principal)
Definition: rbac_policy.cc:271
grpc_core::PathAuthorizationMatcher::Matches
bool Matches(const EvaluateArgs &args) const override
Definition: security/authorization/matchers.cc:223
evaluate_args_test_util.h
asyncio_get_stats.args
args
Definition: asyncio_get_stats.py:40
GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME
#define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME
Definition: grpc_security_constants.h:26
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
grpc_core::MetadataAuthorizationMatcher::Matches
bool Matches(const EvaluateArgs &) const override
Definition: security/authorization/matchers.h:109
grpc_core::AlwaysAuthorizationMatcher
Definition: security/authorization/matchers.h:55
matchers.h
GRPC_X509_SUBJECT_PROPERTY_NAME
#define GRPC_X509_SUBJECT_PROPERTY_NAME
Definition: grpc_security_constants.h:31
grpc_core::IpAuthorizationMatcher::Type::kDestIp
@ kDestIp
grpc_core::Rbac::Principal
Definition: rbac_policy.h:102
grpc_core::TEST_F
TEST_F(AuthorizationMatchersTest, AlwaysAuthorizationMatcher)
Definition: authorization_matchers_test.cc:35
RUN_ALL_TESTS
int RUN_ALL_TESTS() GTEST_MUST_USE_RESULT_
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2471
grpc_core::EvaluateArgsTestUtil
Definition: evaluate_args_test_util.h:29
grpc_core::HeaderMatcher::Type::kPrefix
@ kPrefix
grpc_core::PolicyAuthorizationMatcher::Matches
bool Matches(const EvaluateArgs &args) const override
Definition: security/authorization/matchers.cc:231
value
const char * value
Definition: hpack_parser_table.cc:165
grpc_core::IpAuthorizationMatcher::Matches
bool Matches(const EvaluateArgs &args) const override
Definition: security/authorization/matchers.cc:165
testing::InitGoogleTest
GTEST_API_ void InitGoogleTest(int *argc, char **argv)
Definition: bloaty/third_party/googletest/googletest/src/gtest.cc:6106
main
int main(int argc, char **argv)
Definition: authorization_matchers_test.cc:613
grpc_core::PortAuthorizationMatcher
Definition: security/authorization/matchers.h:149
grpc_core::Rbac::Permission::MakeOrPermission
static Permission MakeOrPermission(std::vector< std::unique_ptr< Permission >> permissions)
Definition: rbac_policy.cc:91
ret
UniquePtr< SSL_SESSION > ret
Definition: ssl_x509.cc:1029
grpc_core::HeaderMatcher::Create
static absl::StatusOr< HeaderMatcher > Create(absl::string_view name, Type type, absl::string_view matcher, int64_t range_start=0, int64_t range_end=0, bool present_match=false, bool invert_match=false)
Definition: matchers/matchers.cc:157
grpc_core::Rbac::CidrRange
Definition: rbac_policy.h:41
grpc_core::HeaderAuthorizationMatcher
Definition: security/authorization/matchers.h:116
grpc_security_constants.h
grpc_core::PathAuthorizationMatcher
Definition: security/authorization/matchers.h:187
grpc_core::StringMatcher::Type::kExact
@ kExact
grpc_core::AuthorizationMatchersTest::args_
EvaluateArgsTestUtil args_
Definition: authorization_matchers_test.cc:32
grpc_core::IpAuthorizationMatcher::Type::kSourceIp
@ kSourceIp
GRPC_TLS_TRANSPORT_SECURITY_TYPE
#define GRPC_TLS_TRANSPORT_SECURITY_TYPE
Definition: grpc_security_constants.h:28
EXPECT_TRUE
#define EXPECT_TRUE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1967
grpc_core::ReqServerNameAuthorizationMatcher
Definition: security/authorization/matchers.h:174
grpc_core::Rbac::Permission
Definition: rbac_policy.h:55
grpc_core::Rbac::Permission::MakeDestPortPermission
static Permission MakeDestPortPermission(int port)
Definition: rbac_policy.cc:136
grpc_init
GRPCAPI void grpc_init(void)
Definition: init.cc:146
grpc_core::AuthenticatedAuthorizationMatcher::Matches
bool Matches(const EvaluateArgs &args) const override
Definition: security/authorization/matchers.cc:188
grpc_core::IpAuthorizationMatcher::Type::kRemoteIp
@ kRemoteIp
GRPC_PEER_URI_PROPERTY_NAME
#define GRPC_PEER_URI_PROPERTY_NAME
Definition: grpc_security_constants.h:50
grpc_shutdown
GRPCAPI void grpc_shutdown(void)
Definition: init.cc:209
grpc_core::ReqServerNameAuthorizationMatcher::Matches
bool Matches(const EvaluateArgs &) const override
Definition: security/authorization/matchers.cc:218
port_platform.h

grpc
Author(s):
autogenerated on Fri May 16 2025 02:57:45