grpc_authorization_policy_provider_test.cc
Go to the documentation of this file.
1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include <grpc/support/port_platform.h>
16 
17 #include "src/core/lib/security/authorization/grpc_authorization_policy_provider.h"
18 
19 #include <gmock/gmock.h>
20 #include <gtest/gtest.h>
21 
22 #include <grpc/grpc_security.h>
23 
24 #include "src/core/lib/security/authorization/grpc_authorization_engine.h"
25 #include "test/core/util/test_config.h"
26 #include "test/core/util/tls_utils.h"
27 
28 #define VALID_POLICY_PATH_1 \
29  "test/core/security/authorization/test_policies/valid_policy_1.json"
30 #define VALID_POLICY_PATH_2 \
31  "test/core/security/authorization/test_policies/valid_policy_2.json"
32 #define INVALID_POLICY_PATH \
33  "test/core/security/authorization/test_policies/invalid_policy.json"
34 
35 namespace grpc_core {
36 
37 TEST(AuthorizationPolicyProviderTest, StaticDataInitializationSuccessful) {
38  auto provider = StaticDataAuthorizationPolicyProvider::Create(
39  testing::GetFileContents(VALID_POLICY_PATH_1));
40  ASSERT_TRUE(provider.ok());
41  auto engines = (*provider)->engines();
42  auto* allow_engine =
43  dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
44  ASSERT_NE(allow_engine, nullptr);
45  EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
46  EXPECT_EQ(allow_engine->num_policies(), 1);
47  auto* deny_engine =
48  dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
49  ASSERT_NE(deny_engine, nullptr);
50  EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
51  EXPECT_EQ(deny_engine->num_policies(), 1);
52 }
53 
54 TEST(AuthorizationPolicyProviderTest,
55  StaticDataInitializationFailedInvalidPolicy) {
56  auto provider = StaticDataAuthorizationPolicyProvider::Create(
57  testing::GetFileContents(INVALID_POLICY_PATH));
58  EXPECT_EQ(provider.status().code(), absl::StatusCode::kInvalidArgument);
59  EXPECT_EQ(provider.status().message(), "\"name\" field is not present.");
60 }
61 
62 TEST(AuthorizationPolicyProviderTest,
63  FileWatcherInitializationSuccessValidPolicy) {
64  auto tmp_authz_policy = absl::make_unique<testing::TmpFile>(
65  testing::GetFileContents(VALID_POLICY_PATH_1));
66  auto provider = FileWatcherAuthorizationPolicyProvider::Create(
67  tmp_authz_policy->name(), /*refresh_interval_sec=*/1);
68  ASSERT_TRUE(provider.ok());
69  auto engines = (*provider)->engines();
70  auto* allow_engine =
71  dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
72  ASSERT_NE(allow_engine, nullptr);
73  EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
74  EXPECT_EQ(allow_engine->num_policies(), 1);
75  auto* deny_engine =
76  dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
77  ASSERT_NE(deny_engine, nullptr);
78  EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
79  EXPECT_EQ(deny_engine->num_policies(), 1);
80 }
81 
82 TEST(AuthorizationPolicyProviderTest,
83  FileWatcherInitializationFailedInvalidPolicy) {
84  auto tmp_authz_policy = absl::make_unique<testing::TmpFile>(
85  testing::GetFileContents(INVALID_POLICY_PATH));
86  auto provider = FileWatcherAuthorizationPolicyProvider::Create(
87  tmp_authz_policy->name(), /*refresh_interval_sec=*/1);
88  EXPECT_EQ(provider.status().code(), absl::StatusCode::kInvalidArgument);
89  EXPECT_EQ(provider.status().message(), "\"name\" field is not present.");
90 }
91 
92 TEST(AuthorizationPolicyProviderTest, FileWatcherSuccessValidPolicyRefresh) {
93  auto tmp_authz_policy = absl::make_unique<testing::TmpFile>(
94  testing::GetFileContents(VALID_POLICY_PATH_1));
95  auto provider = FileWatcherAuthorizationPolicyProvider::Create(
96  tmp_authz_policy->name(), /*refresh_interval_sec=*/1);
97  ASSERT_TRUE(provider.ok());
98  auto engines = (*provider)->engines();
99  auto* allow_engine =
100  dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
101  ASSERT_NE(allow_engine, nullptr);
102  EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
103  EXPECT_EQ(allow_engine->num_policies(), 1);
104  auto* deny_engine =
105  dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
106  ASSERT_NE(deny_engine, nullptr);
107  EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
108  EXPECT_EQ(deny_engine->num_policies(), 1);
109  gpr_event on_reload_done;
110  gpr_event_init(&on_reload_done);
111  std::function<void(bool contents_changed, absl::Status status)> callback =
112  [&on_reload_done](bool contents_changed, absl::Status status) {
113  if (contents_changed) {
114  EXPECT_TRUE(status.ok());
115  gpr_event_set(&on_reload_done, reinterpret_cast<void*>(1));
116  }
117  };
118  dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
119  ->SetCallbackForTesting(std::move(callback));
120  // Rewrite the file with a different valid authorization policy.
121  tmp_authz_policy->RewriteFile(testing::GetFileContents(VALID_POLICY_PATH_2));
122  // Wait for the provider's refresh thread to read the updated files.
123  ASSERT_EQ(
124  gpr_event_wait(&on_reload_done, gpr_inf_future(GPR_CLOCK_MONOTONIC)),
125  reinterpret_cast<void*>(1));
126  engines = (*provider)->engines();
127  allow_engine =
128  dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
129  ASSERT_NE(allow_engine, nullptr);
130  EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
131  EXPECT_EQ(allow_engine->num_policies(), 2);
132  deny_engine =
133  dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
134  ASSERT_NE(deny_engine, nullptr);
135  EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
136  EXPECT_EQ(deny_engine->num_policies(), 0);
137  dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
138  ->SetCallbackForTesting(nullptr);
139 }
140 
141 TEST(AuthorizationPolicyProviderTest,
142  FileWatcherInvalidPolicyRefreshSkipReload) {
143  auto tmp_authz_policy = absl::make_unique<testing::TmpFile>(
144  testing::GetFileContents(VALID_POLICY_PATH_1));
145  auto provider = FileWatcherAuthorizationPolicyProvider::Create(
146  tmp_authz_policy->name(), /*refresh_interval_sec=*/1);
147  ASSERT_TRUE(provider.ok());
148  auto engines = (*provider)->engines();
149  auto* allow_engine =
150  dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
151  ASSERT_NE(allow_engine, nullptr);
152  EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
153  EXPECT_EQ(allow_engine->num_policies(), 1);
154  auto* deny_engine =
155  dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
156  ASSERT_NE(deny_engine, nullptr);
157  EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
158  EXPECT_EQ(deny_engine->num_policies(), 1);
159  gpr_event on_reload_done;
160  gpr_event_init(&on_reload_done);
161  std::function<void(bool contents_changed, absl::Status status)> callback =
162  [&on_reload_done](bool contents_changed, absl::Status status) {
163  if (contents_changed) {
164  EXPECT_EQ(status.code(), absl::StatusCode::kInvalidArgument);
165  EXPECT_EQ(status.message(), "\"name\" field is not present.");
166  gpr_event_set(&on_reload_done, reinterpret_cast<void*>(1));
167  }
168  };
169  dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
170  ->SetCallbackForTesting(std::move(callback));
171  // Skips the following policy update, and continues to use the valid policy.
172  tmp_authz_policy->RewriteFile(testing::GetFileContents(INVALID_POLICY_PATH));
173  // Wait for the provider's refresh thread to read the updated files.
174  ASSERT_EQ(
175  gpr_event_wait(&on_reload_done, gpr_inf_future(GPR_CLOCK_MONOTONIC)),
176  reinterpret_cast<void*>(1));
177  engines = (*provider)->engines();
178  allow_engine =
179  dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
180  ASSERT_NE(allow_engine, nullptr);
181  EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
182  EXPECT_EQ(allow_engine->num_policies(), 1);
183  deny_engine =
184  dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
185  ASSERT_NE(deny_engine, nullptr);
186  EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
187  EXPECT_EQ(deny_engine->num_policies(), 1);
188  dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
189  ->SetCallbackForTesting(nullptr);
190 }
191 
192 TEST(AuthorizationPolicyProviderTest, FileWatcherRecoversFromFailure) {
193  auto tmp_authz_policy = absl::make_unique<testing::TmpFile>(
194  testing::GetFileContents(VALID_POLICY_PATH_1));
195  auto provider = FileWatcherAuthorizationPolicyProvider::Create(
196  tmp_authz_policy->name(), /*refresh_interval_sec=*/1);
197  ASSERT_TRUE(provider.ok());
198  auto engines = (*provider)->engines();
199  auto* allow_engine =
200  dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
201  ASSERT_NE(allow_engine, nullptr);
202  EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
203  EXPECT_EQ(allow_engine->num_policies(), 1);
204  auto* deny_engine =
205  dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
206  ASSERT_NE(deny_engine, nullptr);
207  EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
208  EXPECT_EQ(deny_engine->num_policies(), 1);
209  gpr_event on_first_reload_done;
210  gpr_event_init(&on_first_reload_done);
211  std::function<void(bool contents_changed, absl::Status status)> callback1 =
212  [&on_first_reload_done](bool contents_changed, absl::Status status) {
213  if (contents_changed) {
214  EXPECT_EQ(status.code(), absl::StatusCode::kInvalidArgument);
215  EXPECT_EQ(status.message(), "\"name\" field is not present.");
216  gpr_event_set(&on_first_reload_done, reinterpret_cast<void*>(1));
217  }
218  };
219  dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
220  ->SetCallbackForTesting(std::move(callback1));
221  // Skips the following policy update, and continues to use the valid policy.
222  tmp_authz_policy->RewriteFile(testing::GetFileContents(INVALID_POLICY_PATH));
223  // Wait for the provider's refresh thread to read the updated files.
224  ASSERT_EQ(gpr_event_wait(&on_first_reload_done,
225  gpr_inf_future(GPR_CLOCK_MONOTONIC)),
226  reinterpret_cast<void*>(1));
227  engines = (*provider)->engines();
228  allow_engine =
229  dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
230  ASSERT_NE(allow_engine, nullptr);
231  EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
232  EXPECT_EQ(allow_engine->num_policies(), 1);
233  deny_engine =
234  dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
235  ASSERT_NE(deny_engine, nullptr);
236  EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
237  EXPECT_EQ(deny_engine->num_policies(), 1);
238  gpr_event on_second_reload_done;
239  gpr_event_init(&on_second_reload_done);
240  std::function<void(bool contents_changed, absl::Status status)> callback2 =
241  [&on_second_reload_done](bool contents_changed, absl::Status status) {
242  if (contents_changed) {
243  EXPECT_TRUE(status.ok());
244  gpr_event_set(&on_second_reload_done, reinterpret_cast<void*>(1));
245  }
246  };
247  dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
248  ->SetCallbackForTesting(std::move(callback2));
249  // Rewrite the file with a valid authorization policy.
250  tmp_authz_policy->RewriteFile(testing::GetFileContents(VALID_POLICY_PATH_2));
251  // Wait for the provider's refresh thread to read the updated files.
252  ASSERT_EQ(gpr_event_wait(&on_second_reload_done,
253  gpr_inf_future(GPR_CLOCK_MONOTONIC)),
254  reinterpret_cast<void*>(1));
255  engines = (*provider)->engines();
256  allow_engine =
257  dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
258  ASSERT_NE(allow_engine, nullptr);
259  EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
260  EXPECT_EQ(allow_engine->num_policies(), 2);
261  deny_engine =
262  dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
263  ASSERT_NE(deny_engine, nullptr);
264  EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
265  EXPECT_EQ(deny_engine->num_policies(), 0);
266  dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
267  ->SetCallbackForTesting(nullptr);
268 }
269 
270 } // namespace grpc_core
271 
272 int main(int argc, char** argv) {
273  grpc::testing::TestEnvironment env(&argc, argv);
274  ::testing::InitGoogleTest(&argc, argv);
275  grpc_init();
276  int ret = RUN_ALL_TESTS();
277  grpc_shutdown();
278  return ret;
279 }
grpc_core::FileWatcherAuthorizationPolicyProvider
Definition: grpc_authorization_policy_provider.h:74
ASSERT_NE
#define ASSERT_NE(val1, val2)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2060
tls_utils.h
generate.env
env
Definition: generate.py:37
INVALID_POLICY_PATH
#define INVALID_POLICY_PATH
Definition: grpc_authorization_policy_provider_test.cc:32
grpc_core
Definition: call_metric_recorder.h:31
grpc_core::Rbac::Action::kDeny
@ kDeny
gpr_event_set
GPRAPI void gpr_event_set(gpr_event *ev, void *value)
Definition: sync.cc:59
grpc_core::TEST
TEST(AvlTest, NoOp)
Definition: avl_test.cc:21
status
absl::Status status
Definition: rls.cc:251
gpr_inf_future
GPRAPI gpr_timespec gpr_inf_future(gpr_clock_type type)
Definition: src/core/lib/gpr/time.cc:55
main
int main(int argc, char **argv)
Definition: grpc_authorization_policy_provider_test.cc:272
grpc_security.h
grpc_core::GrpcAuthorizationEngine
Definition: grpc_authorization_engine.h:39
EXPECT_EQ
#define EXPECT_EQ(a, b)
Definition: iomgr/time_averaged_stats_test.cc:27
grpc_core::StaticDataAuthorizationPolicyProvider::Create
static absl::StatusOr< RefCountedPtr< grpc_authorization_policy_provider > > Create(absl::string_view authz_policy)
Definition: grpc_authorization_policy_provider.cc:45
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
grpc_authorization_policy_provider.h
VALID_POLICY_PATH_2
#define VALID_POLICY_PATH_2
Definition: grpc_authorization_policy_provider_test.cc:30
absl::Status::message
absl::string_view message() const
Definition: third_party/abseil-cpp/absl/status/status.h:806
GPR_CLOCK_MONOTONIC
@ GPR_CLOCK_MONOTONIC
Definition: gpr_types.h:36
gpr_event_init
GPRAPI void gpr_event_init(gpr_event *ev)
Definition: sync.cc:54
callback
static void callback(void *arg, int status, int timeouts, struct hostent *host)
Definition: acountry.c:224
RUN_ALL_TESTS
int RUN_ALL_TESTS() GTEST_MUST_USE_RESULT_
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2471
gpr_event_wait
GPRAPI void * gpr_event_wait(gpr_event *ev, gpr_timespec abs_deadline)
Definition: sync.cc:73
absl::StatusCode::kInvalidArgument
@ kInvalidArgument
test_config.h
grpc_authorization_engine.h
VALID_POLICY_PATH_1
#define VALID_POLICY_PATH_1
Definition: grpc_authorization_policy_provider_test.cc:28
gpr_event
Definition: impl/codegen/sync_generic.h:31
testing::InitGoogleTest
GTEST_API_ void InitGoogleTest(int *argc, char **argv)
Definition: bloaty/third_party/googletest/googletest/src/gtest.cc:6106
absl::Status
Definition: third_party/abseil-cpp/absl/status/status.h:424
ret
UniquePtr< SSL_SESSION > ret
Definition: ssl_x509.cc:1029
grpc_core::Rbac::Action::kAllow
@ kAllow
grpc::testing::TestEnvironment
Definition: test/core/util/test_config.h:54
ASSERT_TRUE
#define ASSERT_TRUE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1973
absl::Status::ok
ABSL_MUST_USE_RESULT bool ok() const
Definition: third_party/abseil-cpp/absl/status/status.h:802
EXPECT_TRUE
#define EXPECT_TRUE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1967
callback2
static void callback2(void *arg, int status, int timeouts, struct hostent *host)
Definition: acountry.c:252
grpc_core::FileWatcherAuthorizationPolicyProvider::Create
static absl::StatusOr< RefCountedPtr< grpc_authorization_policy_provider > > Create(absl::string_view authz_policy_path, unsigned int refresh_interval_sec)
Definition: grpc_authorization_policy_provider.cc:86
grpc_init
GRPCAPI void grpc_init(void)
Definition: init.cc:146
function
std::function< bool(GrpcTool *, int, const char **, const CliCredentials &, GrpcToolOutputCallback)> function
Definition: grpc_tool.cc:250
absl::Status::code
absl::StatusCode code() const
Definition: third_party/abseil-cpp/absl/status/status.cc:233
grpc_core::testing::GetFileContents
std::string GetFileContents(const char *path)
Definition: test/core/util/tls_utils.cc:68
grpc_shutdown
GRPCAPI void grpc_shutdown(void)
Definition: init.cc:209
ASSERT_EQ
#define ASSERT_EQ(val1, val2)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2056
port_platform.h

grpc
Author(s):
autogenerated on Fri May 16 2025 02:58:44