rbac_translator_test.cc
Go to the documentation of this file.
1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include "src/core/lib/security/authorization/rbac_translator.h"
16 
17 #include <gmock/gmock.h>
18 #include <gtest/gtest.h>
19 
20 namespace grpc_core {
21 
22 namespace {
23 
24 MATCHER_P3(EqualsPrincipalName, expected_matcher_type, expected_matcher_value,
25  is_regex, "") {
26  return arg->type == Rbac::Principal::RuleType::kPrincipalName &&
27  arg->string_matcher.value().type() == expected_matcher_type &&
28  is_regex
29  ? arg->string_matcher.value().regex_matcher()->pattern() ==
30  expected_matcher_value
31  : arg->string_matcher.value().string_matcher() ==
32  expected_matcher_value;
33 }
34 
35 MATCHER_P3(EqualsPath, expected_matcher_type, expected_matcher_value, is_regex,
36  "") {
37  return arg->type == Rbac::Permission::RuleType::kPath &&
38  arg->string_matcher.type() == expected_matcher_type && is_regex
39  ? arg->string_matcher.regex_matcher()->pattern() ==
40  expected_matcher_value
41  : arg->string_matcher.string_matcher() == expected_matcher_value;
42 }
43 
44 MATCHER_P4(EqualsHeader, expected_name, expected_matcher_type,
45  expected_matcher_value, is_regex, "") {
46  return arg->type == Rbac::Permission::RuleType::kHeader &&
47  arg->header_matcher.name() == expected_name &&
48  arg->header_matcher.type() == expected_matcher_type && is_regex
49  ? arg->header_matcher.regex_matcher()->pattern() ==
50  expected_matcher_value
51  : arg->header_matcher.string_matcher() == expected_matcher_value;
52 }
53 
54 } // namespace
55 
56 TEST(GenerateRbacPoliciesTest, InvalidPolicy) {
57  const char* authz_policy =
58  "{"
59  " \"name\": \"authz-policy\",,"
60  "}";
61  auto rbac_policies = GenerateRbacPolicies(authz_policy);
62  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
63  EXPECT_THAT(
64  std::string(rbac_policies.status().message()),
65  ::testing::StartsWith("Failed to parse gRPC authorization policy."));
66 }
67 
68 TEST(GenerateRbacPoliciesTest, MissingAuthorizationPolicyName) {
69  const char* authz_policy = "{}";
70  auto rbac_policies = GenerateRbacPolicies(authz_policy);
71  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
72  EXPECT_EQ(rbac_policies.status().message(), "\"name\" field is not present.");
73 }
74 
75 TEST(GenerateRbacPoliciesTest, IncorrectAuthorizationPolicyNameType) {
76  const char* authz_policy =
77  "{"
78  " \"name\": [\"authz_policy\"]"
79  "}";
80  auto rbac_policies = GenerateRbacPolicies(authz_policy);
81  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
82  EXPECT_EQ(rbac_policies.status().message(), "\"name\" is not a string.");
83 }
84 
85 TEST(GenerateRbacPoliciesTest, MissingAllowRules) {
86  const char* authz_policy =
87  "{"
88  " \"name\": \"authz_policy\""
89  "}";
90  auto rbac_policies = GenerateRbacPolicies(authz_policy);
91  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
92  EXPECT_EQ(rbac_policies.status().message(),
93  "\"allow_rules\" is not present.");
94 }
95 
96 TEST(GenerateRbacPoliciesTest, MissingDenyRules) {
97  const char* authz_policy =
98  "{"
99  " \"name\": \"authz\","
100  " \"allow_rules\": ["
101  " {"
102  " \"name\": \"allow_policy\""
103  " }"
104  " ]"
105  "}";
106  auto rbac_policies = GenerateRbacPolicies(authz_policy);
107  ASSERT_TRUE(rbac_policies.ok());
108  EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::kDeny);
109  EXPECT_TRUE(rbac_policies.value().deny_policy.policies.empty());
110 }
111 
112 TEST(GenerateRbacPoliciesTest, IncorrectAllowRulesType) {
113  const char* authz_policy =
114  "{"
115  " \"name\": \"authz\","
116  " \"allow_rules\": {}"
117  "}";
118  auto rbac_policies = GenerateRbacPolicies(authz_policy);
119  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
120  EXPECT_EQ(rbac_policies.status().message(),
121  "\"allow_rules\" is not an array.");
122 }
123 
124 TEST(GenerateRbacPoliciesTest, IncorrectDenyRulesType) {
125  const char* authz_policy =
126  "{"
127  " \"name\": \"authz\","
128  " \"deny_rules\": 123"
129  "}";
130  auto rbac_policies = GenerateRbacPolicies(authz_policy);
131  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
132  EXPECT_EQ(rbac_policies.status().message(),
133  "\"deny_rules\" is not an array.");
134 }
135 
136 TEST(GenerateRbacPoliciesTest, IncorrectRuleType) {
137  const char* authz_policy =
138  "{"
139  " \"name\": \"authz\","
140  " \"allow_rules\": [\"rule-a\"]"
141  "}";
142  auto rbac_policies = GenerateRbacPolicies(authz_policy);
143  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
144  EXPECT_EQ(rbac_policies.status().message(),
145  "allow_rules 0: is not an object.");
146 }
147 
148 TEST(GenerateRbacPoliciesTest, MissingRuleNameField) {
149  const char* authz_policy =
150  "{"
151  " \"name\": \"authz\","
152  " \"allow_rules\": [{}]"
153  "}";
154  auto rbac_policies = GenerateRbacPolicies(authz_policy);
155  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
156  EXPECT_EQ(rbac_policies.status().message(),
157  "allow_rules 0: \"name\" is not present.");
158 }
159 
160 TEST(GenerateRbacPoliciesTest, IncorrectRuleNameType) {
161  const char* authz_policy =
162  "{"
163  " \"name\": \"authz\","
164  " \"allow_rules\": ["
165  " {"
166  " \"name\": 123"
167  " }"
168  " ]"
169  "}";
170  auto rbac_policies = GenerateRbacPolicies(authz_policy);
171  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
172  EXPECT_EQ(rbac_policies.status().message(),
173  "allow_rules 0: \"name\" is not a string.");
174 }
175 
176 TEST(GenerateRbacPoliciesTest, MissingSourceAndRequest) {
177  const char* authz_policy =
178  "{"
179  " \"name\": \"authz\","
180  " \"allow_rules\": ["
181  " {"
182  " \"name\": \"allow_policy\""
183  " }"
184  " ]"
185  "}";
186  auto rbac_policies = GenerateRbacPolicies(authz_policy);
187  ASSERT_TRUE(rbac_policies.ok());
188  EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
189  EXPECT_THAT(
190  rbac_policies.value().allow_policy.policies,
191  ::testing::ElementsAre(::testing::Pair(
192  "authz_allow_policy",
193  ::testing::AllOf(
194  ::testing::Field(
195  &Rbac::Policy::permissions,
196  ::testing::Field(&Rbac::Permission::type,
197  Rbac::Permission::RuleType::kAny)),
198  ::testing::Field(
199  &Rbac::Policy::principals,
200  ::testing::Field(&Rbac::Principal::type,
201  Rbac::Principal::RuleType::kAny))))));
202 }
203 
204 TEST(GenerateRbacPoliciesTest, EmptySourceAndRequest) {
205  const char* authz_policy =
206  "{"
207  " \"name\": \"authz\","
208  " \"allow_rules\": ["
209  " {"
210  " \"name\": \"allow_policy\","
211  " \"source\": {},"
212  " \"request\": {}"
213  " }"
214  " ]"
215  "}";
216  auto rbac_policies = GenerateRbacPolicies(authz_policy);
217  ASSERT_TRUE(rbac_policies.ok());
218  EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
219  EXPECT_THAT(
220  rbac_policies.value().allow_policy.policies,
221  ::testing::ElementsAre(::testing::Pair(
222  "authz_allow_policy",
223  ::testing::AllOf(
224  ::testing::Field(
225  &Rbac::Policy::permissions,
226  ::testing::Field(&Rbac::Permission::type,
227  Rbac::Permission::RuleType::kAny)),
228  ::testing::Field(
229  &Rbac::Policy::principals,
230  ::testing::Field(&Rbac::Principal::type,
231  Rbac::Principal::RuleType::kAny))))));
232 }
233 
234 TEST(GenerateRbacPoliciesTest, IncorrectSourceType) {
235  const char* authz_policy =
236  "{"
237  " \"name\": \"authz\","
238  " \"allow_rules\": ["
239  " {"
240  " \"name\": \"allow_policy\","
241  " \"source\": 111"
242  " }"
243  " ]"
244  "}";
245  auto rbac_policies = GenerateRbacPolicies(authz_policy);
246  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
247  EXPECT_EQ(rbac_policies.status().message(),
248  "allow_rules 0: \"source\" is not an object.");
249 }
250 
251 TEST(GenerateRbacPoliciesTest, IncorrectPrincipalsType) {
252  const char* authz_policy =
253  "{"
254  " \"name\": \"authz\","
255  " \"allow_rules\": ["
256  " {"
257  " \"name\": \"allow_policy\","
258  " \"source\": {"
259  " \"principals\": ["
260  " \"*\","
261  " 123"
262  " ]"
263  " }"
264  " }"
265  " ]"
266  "}";
267  auto rbac_policies = GenerateRbacPolicies(authz_policy);
268  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
269  EXPECT_EQ(rbac_policies.status().message(),
270  "allow_rules 0: \"principals\" 1: is not a string.");
271 }
272 
273 TEST(GenerateRbacPoliciesTest, ParseSourceSuccess) {
274  const char* authz_policy =
275  "{"
276  " \"name\": \"authz\","
277  " \"allow_rules\": ["
278  " {"
279  " \"name\": \"allow_policy\","
280  " \"source\": {"
281  " \"principals\": ["
282  " \"spiffe://foo.abc\","
283  " \"spiffe://bar*\","
284  " \"*baz\","
285  " \"spiffe://abc.*.com\""
286  " ]"
287  " }"
288  " }"
289  " ],"
290  " \"deny_rules\": ["
291  " {"
292  " \"name\": \"deny_policy\","
293  " \"source\": {"
294  " \"principals\": ["
295  " \"*\""
296  " ]"
297  " }"
298  " }"
299  " ]"
300  "}";
301  auto rbac_policies = GenerateRbacPolicies(authz_policy);
302  ASSERT_TRUE(rbac_policies.ok());
303  EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
304  EXPECT_THAT(rbac_policies.value().allow_policy.policies,
305  ::testing::ElementsAre(::testing::Pair(
306  "authz_allow_policy",
307  ::testing::AllOf(
308  ::testing::Field(
309  &Rbac::Policy::permissions,
310  ::testing::Field(&Rbac::Permission::type,
311  Rbac::Permission::RuleType::kAny)),
312  ::testing::Field(
313  &Rbac::Policy::principals,
314  ::testing::AllOf(
315  ::testing::Field(&Rbac::Principal::type,
316  Rbac::Principal::RuleType::kAnd),
317  ::testing::Field(
318  &Rbac::Principal::principals,
319  ::testing::ElementsAre(::testing::AllOf(
320  ::testing::Pointee(::testing::Field(
321  &Rbac::Principal::type,
322  Rbac::Principal::RuleType::kOr)),
323  ::testing::Pointee(::testing::Field(
324  &Rbac::Principal::principals,
325  ::testing::ElementsAre(
326  EqualsPrincipalName(
327  StringMatcher::Type::kExact,
328  "spiffe://foo.abc", false),
329  EqualsPrincipalName(
330  StringMatcher::Type::kPrefix,
331  "spiffe://bar", false),
332  EqualsPrincipalName(
333  StringMatcher::Type::kSuffix,
334  "baz", false),
335  EqualsPrincipalName(
336  StringMatcher::Type::kExact,
337  "spiffe://abc.*.com",
338  false)))))))))))));
339  EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::kDeny);
340  EXPECT_THAT(
341  rbac_policies.value().deny_policy.policies,
342  ::testing::ElementsAre(::testing::Pair(
343  "authz_deny_policy",
344  ::testing::AllOf(
345  ::testing::Field(
346  &Rbac::Policy::permissions,
347  ::testing::Field(&Rbac::Permission::type,
348  Rbac::Permission::RuleType::kAny)),
349  ::testing::Field(
350  &Rbac::Policy::principals,
351  ::testing::AllOf(
352  ::testing::Field(&Rbac::Principal::type,
353  Rbac::Principal::RuleType::kAnd),
354  ::testing::Field(
355  &Rbac::Principal::principals,
356  ::testing::ElementsAre(::testing::AllOf(
357  ::testing::Pointee(::testing::Field(
358  &Rbac::Principal::type,
359  Rbac::Principal::RuleType::kOr)),
360  ::testing::Pointee(::testing::Field(
361  &Rbac::Principal::principals,
362  ::testing::ElementsAre(EqualsPrincipalName(
363  StringMatcher::Type::kSafeRegex, ".+",
364  true)))))))))))));
365 }
366 
367 TEST(GenerateRbacPoliciesTest, IncorrectRequestType) {
368  const char* authz_policy =
369  "{"
370  " \"name\": \"authz\","
371  " \"deny_rules\": ["
372  " {"
373  " \"name\": \"deny_policy\","
374  " \"request\": 111"
375  " }"
376  " ]"
377  "}";
378  auto rbac_policies = GenerateRbacPolicies(authz_policy);
379  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
380  EXPECT_EQ(rbac_policies.status().message(),
381  "deny_rules 0: \"request\" is not an object.");
382 }
383 
384 TEST(GenerateRbacPoliciesTest, IncorrectPathType) {
385  const char* authz_policy =
386  "{"
387  " \"name\": \"authz\","
388  " \"deny_rules\": ["
389  " {"
390  " \"name\": \"allow_policy\","
391  " \"request\": {"
392  " \"paths\": ["
393  " \"path-a\","
394  " 123"
395  " ]"
396  " }"
397  " }"
398  " ]"
399  "}";
400  auto rbac_policies = GenerateRbacPolicies(authz_policy);
401  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
402  EXPECT_EQ(rbac_policies.status().message(),
403  "deny_rules 0: \"paths\" 1: is not a string.");
404 }
405 
406 TEST(GenerateRbacPoliciesTest, ParseRequestPathsSuccess) {
407  const char* authz_policy =
408  "{"
409  " \"name\": \"authz\","
410  " \"allow_rules\": ["
411  " {"
412  " \"name\": \"allow_policy\","
413  " \"request\": {"
414  " \"paths\": ["
415  " \"*\""
416  " ]"
417  " }"
418  " }"
419  " ],"
420  " \"deny_rules\": ["
421  " {"
422  " \"name\": \"deny_policy\","
423  " \"request\": {"
424  " \"paths\": ["
425  " \"path-foo\","
426  " \"path-bar*\","
427  " \"*baz\""
428  " ]"
429  " }"
430  " }"
431  " ]"
432  "}";
433  auto rbac_policies = GenerateRbacPolicies(authz_policy);
434  ASSERT_TRUE(rbac_policies.ok());
435  EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::kDeny);
436  EXPECT_THAT(
437  rbac_policies.value().deny_policy.policies,
438  ::testing::ElementsAre(::testing::Pair(
439  "authz_deny_policy",
440  ::testing::AllOf(
441  ::testing::Field(
442  &Rbac::Policy::principals,
443  ::testing::Field(&Rbac::Principal::type,
444  Rbac::Principal::RuleType::kAny)),
445  ::testing::Field(
446  &Rbac::Policy::permissions,
447  ::testing::AllOf(
448  ::testing::Field(&Rbac::Permission::type,
449  Rbac::Permission::RuleType::kAnd),
450  ::testing::Field(
451  &Rbac::Permission::permissions,
452  ::testing::ElementsAre(::testing::AllOf(
453  ::testing::Pointee(::testing::Field(
454  &Rbac::Permission::type,
455  Rbac::Permission::RuleType::kOr)),
456  ::testing::Pointee(::testing::Field(
457  &Rbac::Permission::permissions,
458  ::testing::ElementsAre(
459  EqualsPath(StringMatcher::Type::kExact,
460  "path-foo", false),
461  EqualsPath(StringMatcher::Type::kPrefix,
462  "path-bar", false),
463  EqualsPath(StringMatcher::Type::kSuffix,
464  "baz", false)))))))))))));
465  EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
466  EXPECT_THAT(
467  rbac_policies.value().allow_policy.policies,
468  ::testing::ElementsAre(::testing::Pair(
469  "authz_allow_policy",
470  ::testing::AllOf(
471  ::testing::Field(
472  &Rbac::Policy::principals,
473  ::testing::Field(&Rbac::Principal::type,
474  Rbac::Principal::RuleType::kAny)),
475  ::testing::Field(
476  &Rbac::Policy::permissions,
477  ::testing::AllOf(
478  ::testing::Field(&Rbac::Permission::type,
479  Rbac::Permission::RuleType::kAnd),
480  ::testing::Field(
481  &Rbac::Permission::permissions,
482  ::testing::ElementsAre(::testing::AllOf(
483  ::testing::Pointee(::testing::Field(
484  &Rbac::Permission::type,
485  Rbac::Permission::RuleType::kOr)),
486  ::testing::Pointee(::testing::Field(
487  &Rbac::Permission::permissions,
488  ::testing::ElementsAre(EqualsPath(
489  StringMatcher::Type::kSafeRegex, ".+",
490  true)))))))))))));
491 }
492 
493 TEST(GenerateRbacPoliciesTest, IncorrectHeaderType) {
494  const char* authz_policy =
495  "{"
496  " \"name\": \"authz\","
497  " \"deny_rules\": ["
498  " {"
499  " \"name\": \"allow_policy\","
500  " \"request\": {"
501  " \"headers\": ["
502  " \"header-a\""
503  " ]"
504  " }"
505  " }"
506  " ]"
507  "}";
508  auto rbac_policies = GenerateRbacPolicies(authz_policy);
509  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
510  EXPECT_EQ(rbac_policies.status().message(),
511  "deny_rules 0: \"headers\" 0: is not an object.");
512 }
513 
514 TEST(GenerateRbacPoliciesTest, UnsupportedGrpcHeaders) {
515  const char* authz_policy =
516  "{"
517  " \"name\": \"authz\","
518  " \"deny_rules\": ["
519  " {"
520  " \"name\": \"policy\","
521  " \"request\": {"
522  " \"headers\": ["
523  " {"
524  " \"key\": \"grpc-xxx\","
525  " \"values\": ["
526  " \"*\""
527  " ]"
528  " }"
529  " ]"
530  " }"
531  " }"
532  " ]"
533  "}";
534  auto rbac_policies = GenerateRbacPolicies(authz_policy);
535  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
536  EXPECT_EQ(rbac_policies.status().message(),
537  "deny_rules 0: \"headers\" 0: Unsupported \"key\" grpc-xxx.");
538 }
539 
540 TEST(GenerateRbacPoliciesTest, UnsupportedPseudoHeaders) {
541  const char* authz_policy =
542  "{"
543  " \"name\": \"authz\","
544  " \"allow_rules\": ["
545  " {"
546  " \"name\": \"policy\","
547  " \"request\": {"
548  " \"headers\": ["
549  " {"
550  " \"key\": \":method\","
551  " \"values\": ["
552  " \"*\""
553  " ]"
554  " }"
555  " ]"
556  " }"
557  " }"
558  " ]"
559  "}";
560  auto rbac_policies = GenerateRbacPolicies(authz_policy);
561  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
562  EXPECT_EQ(rbac_policies.status().message(),
563  "allow_rules 0: \"headers\" 0: Unsupported \"key\" :method.");
564 }
565 
566 TEST(GenerateRbacPoliciesTest, UnsupportedHostHeader) {
567  const char* authz_policy =
568  "{"
569  " \"name\": \"authz\","
570  " \"allow_rules\": ["
571  " {"
572  " \"name\": \"policy\","
573  " \"request\": {"
574  " \"headers\": ["
575  " {"
576  " \"key\": \"Host\","
577  " \"values\": ["
578  " \"*\""
579  " ]"
580  " }"
581  " ]"
582  " }"
583  " }"
584  " ]"
585  "}";
586  auto rbac_policies = GenerateRbacPolicies(authz_policy);
587  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
588  EXPECT_EQ(rbac_policies.status().message(),
589  "allow_rules 0: \"headers\" 0: Unsupported \"key\" Host.");
590 }
591 
592 TEST(GenerateRbacPoliciesTest, EmptyHeaderValuesList) {
593  const char* authz_policy =
594  "{"
595  " \"name\": \"authz\","
596  " \"allow_rules\": ["
597  " {"
598  " \"name\": \"allow_policy_1\","
599  " \"request\": {"
600  " \"headers\": ["
601  " {"
602  " \"key\": \"key-a\","
603  " \"values\": ["
604  " ]"
605  " }"
606  " ]"
607  " }"
608  " }"
609  " ]"
610  "}";
611  auto rbac_policies = GenerateRbacPolicies(authz_policy);
612  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
613  EXPECT_EQ(rbac_policies.status().message(),
614  "allow_rules 0: \"headers\" 0: \"values\" list is empty.");
615 }
616 
617 TEST(GenerateRbacPoliciesTest, ParseRequestHeadersSuccess) {
618  const char* authz_policy =
619  "{"
620  " \"name\": \"authz\","
621  " \"allow_rules\": ["
622  " {"
623  " \"name\": \"allow_policy\","
624  " \"request\": {"
625  " \"headers\": ["
626  " {"
627  " \"key\": \"key-1\","
628  " \"values\": ["
629  " \"*\""
630  " ]"
631  " },"
632  " {"
633  " \"key\": \"key-2\","
634  " \"values\": ["
635  " \"foo\","
636  " \"bar*\","
637  " \"*baz\""
638  " ]"
639  " }"
640  " ]"
641  " }"
642  " }"
643  " ]"
644  "}";
645  auto rbac_policies = GenerateRbacPolicies(authz_policy);
646  ASSERT_TRUE(rbac_policies.ok());
647  EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::kDeny);
648  EXPECT_TRUE(rbac_policies.value().deny_policy.policies.empty());
649  EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
650  EXPECT_THAT(
651  rbac_policies.value().allow_policy.policies,
652  ::testing::ElementsAre(::testing::Pair(
653  "authz_allow_policy",
654  ::testing::AllOf(
655  ::testing::Field(
656  &Rbac::Policy::principals,
657  ::testing::Field(&Rbac::Principal::type,
658  Rbac::Principal::RuleType::kAny)),
659  ::testing::Field(
660  &Rbac::Policy::permissions,
661  ::testing::AllOf(
662  ::testing::Field(&Rbac::Permission::type,
663  Rbac::Permission::RuleType::kAnd),
664  ::testing::Field(
665  &Rbac::Permission::permissions,
666  ::testing::ElementsAre(::testing::AllOf(
667  ::testing::Pointee(::testing::Field(
668  &Rbac::Permission::type,
669  Rbac::Permission::RuleType::kAnd)),
670  ::testing::Pointee(::testing::Field(
671  &Rbac::Permission::permissions,
672  ::testing::ElementsAre(
673  ::testing::AllOf(
674  ::testing::Pointee(::testing::Field(
675  &Rbac::Permission::type,
676  Rbac::Permission::RuleType::kOr)),
677  ::testing::Pointee(::testing::Field(
678  &Rbac::Permission::permissions,
679  ::testing::ElementsAre(
680  EqualsHeader(
681  "key-1",
682  HeaderMatcher::Type::
683  kSafeRegex,
684  ".+", true))))),
685  ::testing::AllOf(
686  ::testing::Pointee(::testing::Field(
687  &Rbac::Permission::type,
688  Rbac::Permission::RuleType::kOr)),
689  ::testing::Pointee(::testing::Field(
690  &Rbac::Permission::permissions,
691  ::testing::ElementsAre(
692  EqualsHeader("key-2",
693  HeaderMatcher::
694  Type::kExact,
695  "foo", false),
696  EqualsHeader(
697  "key-2",
698  HeaderMatcher::Type::
699  kPrefix,
700  "bar", false),
701  EqualsHeader(
702  "key-2",
703  HeaderMatcher::Type::
704  kSuffix,
705  "baz",
706  false)))))))))))))))));
707 }
708 
709 TEST(GenerateRbacPoliciesTest, ParseRulesArraySuccess) {
710  const char* authz_policy =
711  "{"
712  " \"name\": \"authz\","
713  " \"allow_rules\": ["
714  " {"
715  " \"name\": \"allow_policy_1\","
716  " \"source\": {"
717  " \"principals\": ["
718  " \"spiffe://foo.abc\""
719  " ]"
720  " },"
721  " \"request\": {"
722  " \"paths\": ["
723  " \"foo\""
724  " ]"
725  " }"
726  " },"
727  " {"
728  " \"name\": \"allow_policy_2\""
729  " }"
730  " ]"
731  "}";
732  auto rbac_policies = GenerateRbacPolicies(authz_policy);
733  ASSERT_TRUE(rbac_policies.ok());
734  EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::kDeny);
735  EXPECT_TRUE(rbac_policies.value().deny_policy.policies.empty());
736  EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
737  EXPECT_THAT(
738  rbac_policies.value().allow_policy.policies,
739  ::testing::ElementsAre(
740  ::testing::Pair(
741  "authz_allow_policy_1",
742  ::testing::AllOf(
743  ::testing::Field(
744  &Rbac::Policy::permissions,
745  ::testing::AllOf(
746  ::testing::Field(&Rbac::Permission::type,
747  Rbac::Permission::RuleType::kAnd),
748  ::testing::Field(
749  &Rbac::Permission::permissions,
750  ::testing::ElementsAre(::testing::AllOf(
751  ::testing::Pointee(::testing::Field(
752  &Rbac::Permission::type,
753  Rbac::Permission::RuleType::kOr)),
754  ::testing::Pointee(::testing::Field(
755  &Rbac::Permission::permissions,
756  ::testing::ElementsAre(EqualsPath(
757  StringMatcher::Type::kExact, "foo",
758  false))))))))),
759  ::testing::Field(
760  &Rbac::Policy::principals,
761  ::testing::AllOf(
762  ::testing::Field(&Rbac::Principal::type,
763  Rbac::Principal::RuleType::kAnd),
764  ::testing::Field(
765  &Rbac::Principal::principals,
766  ::testing::ElementsAre(::testing::AllOf(
767  ::testing::Pointee(::testing::Field(
768  &Rbac::Principal::type,
769  Rbac::Principal::RuleType::kOr)),
770  ::testing::Pointee(::testing::Field(
771  &Rbac::Principal::principals,
772  ::testing::ElementsAre(
773  EqualsPrincipalName(
774  StringMatcher::Type::kExact,
775  "spiffe://foo.abc",
776  false))))))))))),
777  ::testing::Pair(
778  "authz_allow_policy_2",
779  ::testing::AllOf(
780  ::testing::Field(
781  &Rbac::Policy::permissions,
782  ::testing::Field(&Rbac::Permission::type,
783  Rbac::Permission::RuleType::kAny)),
784  ::testing::Field(
785  &Rbac::Policy::principals,
786  ::testing::Field(&Rbac::Principal::type,
787  Rbac::Principal::RuleType::kAny))))));
788 }
789 
790 } // namespace grpc_core
791 
792 int main(int argc, char** argv) {
793  ::testing::InitGoogleTest(&argc, argv);
794  return RUN_ALL_TESTS();
795 }
testing::Pointee
internal::PointeeMatcher< InnerMatcher > Pointee(const InnerMatcher &inner_matcher)
Definition: cares/cares/test/gmock-1.8.0/gmock/gmock.h:8691
MATCHER_P4
#define MATCHER_P4(name, p0, p1, p2, p3, description)
Definition: bloaty/third_party/googletest/googlemock/include/gmock/gmock-generated-matchers.h:485
grpc_core::Rbac::Policy::permissions
Permission permissions
Definition: rbac_policy.h:160
EXPECT_THAT
#define EXPECT_THAT(value, matcher)
grpc_core
Definition: call_metric_recorder.h:31
grpc_core::Rbac::Principal::RuleType::kPrincipalName
@ kPrincipalName
grpc_core::Rbac::Permission::permissions
std::vector< std::unique_ptr< Permission > > permissions
Definition: rbac_policy.h:97
grpc_core::Rbac::Action::kDeny
@ kDeny
testing::internal::string
::std::string string
Definition: bloaty/third_party/protobuf/third_party/googletest/googletest/include/gtest/internal/gtest-port.h:881
grpc_core::Rbac::Permission::RuleType::kPath
@ kPath
arg::value
void * value
Definition: cmdline.cc:44
grpc_core::TEST
TEST(AvlTest, NoOp)
Definition: avl_test.cc:21
grpc_core::HeaderMatcher
Definition: matchers/matchers.h:79
grpc_core::Rbac::Principal::RuleType::kAny
@ kAny
grpc_core::Rbac::Principal::RuleType::kOr
@ kOr
grpc_core::StringMatcher::Type::kSuffix
@ kSuffix
EXPECT_EQ
#define EXPECT_EQ(a, b)
Definition: iomgr/time_averaged_stats_test.cc:27
testing::ElementsAre
internal::ElementsAreMatcher< ::testing::tuple<> > ElementsAre()
Definition: cares/cares/test/gmock-1.8.0/gmock/gmock.h:13040
grpc_core::Rbac::Permission::RuleType::kHeader
@ kHeader
arg::type
argtype type
Definition: cmdline.cc:43
grpc_core::Rbac::Principal::RuleType::kAnd
@ kAnd
grpc_core::HeaderMatcher::Type
Type
Definition: matchers/matchers.h:81
arg::name
const char * name
Definition: cmdline.cc:41
grpc_core::Rbac::Permission::RuleType::kAny
@ kAny
testing::StartsWith
PolymorphicMatcher< internal::StartsWithMatcher< internal::string > > StartsWith(const internal::string &prefix)
Definition: cares/cares/test/gmock-1.8.0/gmock/gmock.h:8810
arg
Definition: cmdline.cc:40
grpc_core::GenerateRbacPolicies
absl::StatusOr< RbacPolicies > GenerateRbacPolicies(absl::string_view authz_policy)
Definition: rbac_translator.cc:331
RUN_ALL_TESTS
int RUN_ALL_TESTS() GTEST_MUST_USE_RESULT_
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2471
grpc_core::Rbac::Permission::RuleType::kOr
@ kOr
grpc_core::Rbac::Policy::principals
Principal principals
Definition: rbac_policy.h:161
grpc_core::Rbac::Principal::principals
std::vector< std::unique_ptr< Principal > > principals
Definition: rbac_policy.h:146
grpc_core::Rbac::Permission::type
RuleType type
Definition: rbac_policy.h:90
testing::Pair
internal::PairMatcher< FirstMatcher, SecondMatcher > Pair(FirstMatcher first_matcher, SecondMatcher second_matcher)
Definition: cares/cares/test/gmock-1.8.0/gmock/gmock.h:9152
absl::StatusCode::kInvalidArgument
@ kInvalidArgument
testing::InitGoogleTest
GTEST_API_ void InitGoogleTest(int *argc, char **argv)
Definition: bloaty/third_party/googletest/googletest/src/gtest.cc:6106
MATCHER_P3
#define MATCHER_P3(name, p0, p1, p2, description)
Definition: bloaty/third_party/googletest/googlemock/include/gmock/gmock-generated-matchers.h:423
rbac_translator.h
grpc_core::Rbac::Action::kAllow
@ kAllow
ASSERT_TRUE
#define ASSERT_TRUE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1973
grpc_core::Rbac::Principal::type
RuleType type
Definition: rbac_policy.h:140
grpc_core::StringMatcher::Type::kExact
@ kExact
main
int main(int argc, char **argv)
Definition: rbac_translator_test.cc:792
check_package_name.expected_name
dictionary expected_name
Definition: check_package_name.py:67
testing::Field
grpc_core::StringMatcher::Type::kSafeRegex
@ kSafeRegex
EXPECT_TRUE
#define EXPECT_TRUE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1967
testing::AllOf
internal::AllOfResult2< M1, M2 >::type AllOf(M1 m1, M2 m2)
Definition: cares/cares/test/gmock-1.8.0/gmock/gmock.h:13472
grpc_core::StringMatcher::Type::kPrefix
@ kPrefix
grpc_core::Rbac::Permission::RuleType::kAnd
@ kAnd

grpc
Author(s):
autogenerated on Fri May 16 2025 02:59:59