1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <list>
16
17 #include <gmock/gmock.h>
18 #include <gtest/gtest.h>
19
20 #include <grpc/grpc_security_constants.h>
21 #include <grpc/support/port_platform.h>
22
23 #include "src/core/lib/security/authorization/evaluate_args.h"
24 #include "src/core/lib/security/authorization/matchers.h"
25 #include "test/core/util/evaluate_args_test_util.h"
26
27 namespace grpc_core {
28
class AuthorizationMatchersTest : public ::testing::Test {
 protected:
  // Builder for the EvaluateArgs handed to each matcher under test. Tests
  // populate metadata, endpoints and auth-context properties on it and then
  // call MakeEvaluateArgs().
  EvaluateArgsTestUtil args_;
};
33
TEST_F(AuthorizationMatchersTest, AlwaysAuthorizationMatcher) {
  // The unconditional matcher accepts a request with no metadata, endpoints
  // or auth-context properties set at all.
  AlwaysAuthorizationMatcher always;
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(always.Matches(evaluate_args));
}
39
TEST_F(AuthorizationMatchersTest, AndAuthorizationMatcherSuccessfulMatch) {
  // AND of a header rule and a destination-port rule; the request satisfies
  // both conjuncts, so the conjunction holds.
  args_.AddPairToMetadata("foo", "bar");
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  HeaderMatcher header_matcher =
      HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
                            /*matcher=*/"bar")
          .value();
  std::vector<std::unique_ptr<Rbac::Permission>> conjuncts;
  conjuncts.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(std::move(header_matcher))));
  conjuncts.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
  const auto matcher = AuthorizationMatcher::Create(
      Rbac::Permission::MakeAndPermission(std::move(conjuncts)));
  EXPECT_TRUE(matcher->Matches(evaluate_args));
}
56
TEST_F(AuthorizationMatchersTest, AndAuthorizationMatcherFailedMatch) {
  // AND of a header rule and a destination-port rule. The port conjunct
  // holds but the header conjunct does not ("not_bar" != "bar"), so the
  // whole conjunction is rejected.
  args_.AddPairToMetadata("foo", "not_bar");
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  HeaderMatcher header_matcher =
      HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
                            /*matcher=*/"bar")
          .value();
  std::vector<std::unique_ptr<Rbac::Permission>> conjuncts;
  conjuncts.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(std::move(header_matcher))));
  conjuncts.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
  Rbac::Permission conjunction =
      Rbac::Permission::MakeAndPermission(std::move(conjuncts));
  const auto matcher = AuthorizationMatcher::Create(std::move(conjunction));
  EXPECT_FALSE(matcher->Matches(evaluate_args));
}
74
TEST_F(AuthorizationMatchersTest, OrAuthorizationMatcherSuccessfulMatch) {
  // OR of a header rule and a destination-port rule. The port disjunct
  // fails (456 vs 123) but the header disjunct holds, which is enough.
  args_.AddPairToMetadata("foo", "bar");
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  HeaderMatcher header_matcher =
      HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
                            /*matcher=*/"bar")
          .value();
  std::vector<std::unique_ptr<Rbac::Permission>> disjuncts;
  disjuncts.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(std::move(header_matcher))));
  disjuncts.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeDestPortPermission(/*port=*/456)));
  Rbac::Permission disjunction =
      Rbac::Permission::MakeOrPermission(std::move(disjuncts));
  const auto matcher = AuthorizationMatcher::Create(std::move(disjunction));
  EXPECT_TRUE(matcher->Matches(evaluate_args));
}
92
TEST_F(AuthorizationMatchersTest, OrAuthorizationMatcherFailedMatch) {
  // OR with a single header disjunct whose expected value "bar" is not the
  // request's "not_bar"; with no disjunct holding the OR is rejected.
  args_.AddPairToMetadata("foo", "not_bar");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  HeaderMatcher header_matcher =
      HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
                            /*matcher=*/"bar")
          .value();
  std::vector<std::unique_ptr<Rbac::Permission>> disjuncts;
  disjuncts.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(std::move(header_matcher))));
  Rbac::Permission disjunction =
      Rbac::Permission::MakeOrPermission(std::move(disjuncts));
  const auto matcher = AuthorizationMatcher::Create(std::move(disjunction));
  EXPECT_FALSE(matcher->Matches(evaluate_args));
}
107
TEST_F(AuthorizationMatchersTest, NotAuthorizationMatcherSuccessfulMatch) {
  // NOT(path == "/expected/foo") holds because the request path differs.
  args_.AddPairToMetadata(":path", "/different/foo");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  StringMatcher path_matcher =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"/expected/foo",
                            /*case_sensitive=*/false)
          .value();
  Rbac::Principal negated = Rbac::Principal::MakeNotPrincipal(
      Rbac::Principal::MakePathPrincipal(std::move(path_matcher)));
  const auto matcher = AuthorizationMatcher::Create(std::move(negated));
  EXPECT_TRUE(matcher->Matches(evaluate_args));
}
119
TEST_F(AuthorizationMatchersTest, NotAuthorizationMatcherFailedMatch) {
  // NOT(path == "/expected/foo") is rejected because the request path is
  // exactly the negated value.
  args_.AddPairToMetadata(":path", "/expected/foo");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  StringMatcher path_matcher =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"/expected/foo",
                            /*case_sensitive=*/false)
          .value();
  Rbac::Principal negated = Rbac::Principal::MakeNotPrincipal(
      Rbac::Principal::MakePathPrincipal(std::move(path_matcher)));
  const auto matcher = AuthorizationMatcher::Create(std::move(negated));
  EXPECT_FALSE(matcher->Matches(evaluate_args));
}
131
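TEST_F(AuthorizationMatchersTest, HybridAuthorizationMatcherSuccessfulMatch) {
  // Nested tree AND( AND(header foo==bar), OR(dest port 123) ) evaluated
  // against a request that satisfies both leaves, so every level holds.
  args_.AddPairToMetadata("foo", "bar");
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  EvaluateArgs args = args_.MakeEvaluateArgs();
  std::vector<std::unique_ptr<Rbac::Permission>> sub_and_rules;
  sub_and_rules.push_back(
      std::make_unique<Rbac::Permission>(Rbac::Permission::MakeHeaderPermission(
          HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
                                /*matcher=*/"bar")
              .value())));
  std::vector<std::unique_ptr<Rbac::Permission>> sub_or_rules;
  sub_or_rules.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
  std::vector<std::unique_ptr<Rbac::Permission>> and_rules;
  and_rules.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeAndPermission(std::move(sub_and_rules))));
  // A single std::move transfers the vector; the former
  // std::move(std::move(...)) was redundant.
  and_rules.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeOrPermission(std::move(sub_or_rules))));
  auto matcher = AuthorizationMatcher::Create(Rbac::Permission(
      Rbac::Permission::MakeAndPermission(std::move(and_rules))));
  EXPECT_TRUE(matcher->Matches(args));
}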
154
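TEST_F(AuthorizationMatchersTest, HybridAuthorizationMatcherFailedMatch) {
  // Nested tree AND( AND(header foo==bar, header absent_key==some_value),
  // OR(dest port 123) ). The inner AND fails on the header that is not in
  // the request, which fails the outer AND even though the OR branch holds.
  args_.AddPairToMetadata("foo", "bar");
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  EvaluateArgs args = args_.MakeEvaluateArgs();
  std::vector<std::unique_ptr<Rbac::Permission>> sub_and_rules;
  sub_and_rules.push_back(
      std::make_unique<Rbac::Permission>(Rbac::Permission::MakeHeaderPermission(
          HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
                                /*matcher=*/"bar")
              .value())));
  sub_and_rules.push_back(
      std::make_unique<Rbac::Permission>(Rbac::Permission::MakeHeaderPermission(
          HeaderMatcher::Create(/*name=*/"absent_key",
                                HeaderMatcher::Type::kExact,
                                /*matcher=*/"some_value")
              .value())));
  std::vector<std::unique_ptr<Rbac::Permission>> sub_or_rules;
  sub_or_rules.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
  std::vector<std::unique_ptr<Rbac::Permission>> and_rules;
  and_rules.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeAndPermission(std::move(sub_and_rules))));
  // A single std::move transfers the vector; the former
  // std::move(std::move(...)) was redundant.
  and_rules.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeOrPermission(std::move(sub_or_rules))));
  auto matcher = AuthorizationMatcher::Create(Rbac::Permission(
      Rbac::Permission::MakeAndPermission(std::move(and_rules))));
  // Fails as "absent_key" header was not present.
  EXPECT_FALSE(matcher->Matches(args));
}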
184
TEST_F(AuthorizationMatchersTest,
       ReqServerNameAuthorizationMatcherSuccessfulMatch) {
  // With nothing configured on the args, an exact match against the empty
  // string is the only requested-server-name pattern that succeeds.
  ReqServerNameAuthorizationMatcher server_name_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"")
          .value());
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(server_name_matcher.Matches(evaluate_args));
}
194
TEST_F(AuthorizationMatchersTest,
       ReqServerNameAuthorizationMatcherFailedMatch) {
  // A non-empty requested server name is rejected when no server name has
  // been set on the args.
  ReqServerNameAuthorizationMatcher server_name_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"server1")
          .value());
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(server_name_matcher.Matches(evaluate_args));
}
204
TEST_F(AuthorizationMatchersTest, PathAuthorizationMatcherSuccessfulMatch) {
  // The ":path" metadata value equals the configured exact pattern.
  PathAuthorizationMatcher path_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"expected/path",
                            /*case_sensitive=*/false)
          .value());
  args_.AddPairToMetadata(":path", "expected/path");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(path_matcher.Matches(evaluate_args));
}
215
TEST_F(AuthorizationMatchersTest, PathAuthorizationMatcherFailedMatch) {
  // The ":path" metadata value is present but differs from the pattern.
  PathAuthorizationMatcher path_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"expected/path",
                            /*case_sensitive=*/false)
          .value());
  args_.AddPairToMetadata(":path", "different/path");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(path_matcher.Matches(evaluate_args));
}
226
TEST_F(AuthorizationMatchersTest,
       PathAuthorizationMatcherFailedMatchMissingPath) {
  // No ":path" metadata at all: the path matcher fails closed rather than
  // treating the missing header as a wildcard.
  PathAuthorizationMatcher path_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"expected/path",
                            /*case_sensitive=*/false)
          .value());
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(path_matcher.Matches(evaluate_args));
}
237
TEST_F(AuthorizationMatchersTest, MetadataAuthorizationMatcherSuccessfulMatch) {
  // With invert=true the metadata matcher reports a match on empty args.
  MetadataAuthorizationMatcher inverted_matcher(/*invert=*/true);
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(inverted_matcher.Matches(evaluate_args));
}
243
TEST_F(AuthorizationMatchersTest, MetadataAuthorizationMatcherFailedMatch) {
  // With invert=false the metadata matcher reports no match on empty args.
  MetadataAuthorizationMatcher plain_matcher(/*invert=*/false);
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(plain_matcher.Matches(evaluate_args));
}
249
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherSuccessfulMatch) {
  // Prefix match: "foo_xxx" starts with "foo".
  HeaderAuthorizationMatcher header_matcher(
      HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kPrefix,
                            /*matcher=*/"foo")
          .value());
  args_.AddPairToMetadata("key123", "foo_xxx");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(header_matcher.Matches(evaluate_args));
}
259
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherFailedMatch) {
  // Exact match: header present with value "foo", pattern expects "bar".
  HeaderAuthorizationMatcher header_matcher(
      HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
                            /*matcher=*/"bar")
          .value());
  args_.AddPairToMetadata("key123", "foo");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(header_matcher.Matches(evaluate_args));
}
269
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherMethodSuccess) {
  // The pseudo-header ":method" is matchable like any other header.
  HeaderAuthorizationMatcher method_matcher(
      HeaderMatcher::Create(/*name=*/":method", HeaderMatcher::Type::kExact,
                            /*matcher=*/"GET")
          .value());
  args_.AddPairToMetadata(":method", "GET");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(method_matcher.Matches(evaluate_args));
}
279
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherMethodFail) {
  // ":method" is "GET" on the request but the pattern requires "PUT".
  HeaderAuthorizationMatcher method_matcher(
      HeaderMatcher::Create(/*name=*/":method", HeaderMatcher::Type::kExact,
                            /*matcher=*/"PUT")
          .value());
  args_.AddPairToMetadata(":method", "GET");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(method_matcher.Matches(evaluate_args));
}
289
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherAuthoritySuccess) {
  // The pseudo-header ":authority" matches its exact configured value.
  HeaderAuthorizationMatcher authority_matcher(
      HeaderMatcher::Create(/*name=*/":authority", HeaderMatcher::Type::kExact,
                            /*matcher=*/"localhost")
          .value());
  args_.AddPairToMetadata(":authority", "localhost");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(authority_matcher.Matches(evaluate_args));
}
299
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherAuthorityFail) {
  // ":authority" is "localhost" on the request; the pattern wants another
  // host, so no match.
  HeaderAuthorizationMatcher authority_matcher(
      HeaderMatcher::Create(/*name=*/":authority", HeaderMatcher::Type::kExact,
                            /*matcher=*/"bad_authority")
          .value());
  args_.AddPairToMetadata(":authority", "localhost");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(authority_matcher.Matches(evaluate_args));
}
309
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherPathSuccess) {
  // ":path" can be matched through the generic header matcher as well.
  HeaderAuthorizationMatcher path_header_matcher(
      HeaderMatcher::Create(/*name=*/":path", HeaderMatcher::Type::kExact,
                            /*matcher=*/"/expected/path")
          .value());
  args_.AddPairToMetadata(":path", "/expected/path");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(path_header_matcher.Matches(evaluate_args));
}
319
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherPathFail) {
  // ":path" is "/expected/path" on the request but the pattern names a
  // different path.
  HeaderAuthorizationMatcher path_header_matcher(
      HeaderMatcher::Create(/*name=*/":path", HeaderMatcher::Type::kExact,
                            /*matcher=*/"/unexpected/path")
          .value());
  args_.AddPairToMetadata(":path", "/expected/path");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(path_header_matcher.Matches(evaluate_args));
}
329
TEST_F(AuthorizationMatchersTest,
       HeaderAuthorizationMatcherFailedMatchMultivaluedHeader) {
  // Two values are present for "key123". An exact pattern equal to just
  // one of them ("foo") does not match the multi-valued header.
  HeaderAuthorizationMatcher header_matcher(
      HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
                            /*matcher=*/"foo")
          .value());
  args_.AddPairToMetadata("key123", "foo");
  args_.AddPairToMetadata("key123", "bar");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(header_matcher.Matches(evaluate_args));
}
341
TEST_F(AuthorizationMatchersTest,
       HeaderAuthorizationMatcherFailedMatchMissingHeader) {
  // "key123" is absent from the request; a suffix pattern on it fails
  // closed instead of matching vacuously.
  HeaderAuthorizationMatcher header_matcher(
      HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kSuffix,
                            /*matcher=*/"foo")
          .value());
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(header_matcher.Matches(evaluate_args));
}
351
TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherDestIpSuccessfulMatch) {
  // kDestIp is checked against the local endpoint. 1.2.3.4 falls inside
  // 1.7.8.9/8 because only the first octet is compared.
  IpAuthorizationMatcher dest_ip_matcher(
      IpAuthorizationMatcher::Type::kDestIp,
      Rbac::CidrRange(/*address_prefix=*/"1.7.8.9", /*prefix_len=*/8));
  args_.SetLocalEndpoint("ipv4:1.2.3.4:123");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(dest_ip_matcher.Matches(evaluate_args));
}
360
TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherDestIpFailedMatch) {
  // A /32 range is a single host; 1.2.3.9/32 does not contain 1.2.3.4.
  IpAuthorizationMatcher dest_ip_matcher(
      IpAuthorizationMatcher::Type::kDestIp,
      Rbac::CidrRange(/*address_prefix=*/"1.2.3.9", /*prefix_len=*/32));
  args_.SetLocalEndpoint("ipv4:1.2.3.4:123");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(dest_ip_matcher.Matches(evaluate_args));
}
369
TEST_F(AuthorizationMatchersTest,
       IpAuthorizationMatcherSourceIpSuccessfulMatch) {
  // kSourceIp is checked against the peer endpoint. With a /16 prefix only
  // the leading "1:" hextet has to agree, so 1:2:3:: is inside 1:3:4::/16.
  IpAuthorizationMatcher source_ip_matcher(
      IpAuthorizationMatcher::Type::kSourceIp,
      Rbac::CidrRange(/*address_prefix=*/"1:3:4::", /*prefix_len=*/16));
  args_.SetPeerEndpoint("ipv6:[1:2:3::]:456");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(source_ip_matcher.Matches(evaluate_args));
}
379
TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherSourceIpFailedMatch) {
  // NOTE(review): the peer literal "1:2::3::" contains two "::" and is not
  // a well-formed IPv6 address, so the expected non-match may come from a
  // parse failure rather than from the /48 comparison against 1:3:: —
  // confirm which behavior this test is meant to pin.
  IpAuthorizationMatcher source_ip_matcher(
      IpAuthorizationMatcher::Type::kSourceIp,
      Rbac::CidrRange(/*address_prefix=*/"1:3::", /*prefix_len=*/48));
  args_.SetPeerEndpoint("ipv6:[1:2::3::]:456");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(source_ip_matcher.Matches(evaluate_args));
}
388
TEST_F(AuthorizationMatchersTest,
       IpAuthorizationMatcherRemoteIpSuccessfulMatch) {
  // kRemoteIp is checked against the peer endpoint. A /32 prefix covers
  // the first two hextets, and 1:2:3:: shares "1:2" with 1:2:4::.
  IpAuthorizationMatcher remote_ip_matcher(
      IpAuthorizationMatcher::Type::kRemoteIp,
      Rbac::CidrRange(/*address_prefix=*/"1:2:4::", /*prefix_len=*/32));
  args_.SetPeerEndpoint("ipv6:[1:2:3::]:456");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(remote_ip_matcher.Matches(evaluate_args));
}
398
TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherRemoteIpFailedMatch) {
  // The second hextet differs (1:2:: vs 1:3::), so a /32 range excludes the
  // peer.
  IpAuthorizationMatcher remote_ip_matcher(
      IpAuthorizationMatcher::Type::kRemoteIp,
      Rbac::CidrRange(/*address_prefix=*/"1:3::", /*prefix_len=*/32));
  args_.SetPeerEndpoint("ipv6:[1:2::]:456");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(remote_ip_matcher.Matches(evaluate_args));
}
407
TEST_F(AuthorizationMatchersTest,
       IpAuthorizationMatcherDirectRemoteIpSuccessfulMatch) {
  // kDirectRemoteIp is checked against the peer endpoint; 1.2.3.4 is inside
  // 1.7.8.9/8 since only the first octet is compared.
  IpAuthorizationMatcher direct_remote_ip_matcher(
      IpAuthorizationMatcher::Type::kDirectRemoteIp,
      Rbac::CidrRange(/*address_prefix=*/"1.7.8.9", /*prefix_len=*/8));
  args_.SetPeerEndpoint("ipv4:1.2.3.4:123");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(direct_remote_ip_matcher.Matches(evaluate_args));
}
417
TEST_F(AuthorizationMatchersTest,
       IpAuthorizationMatcherDirectRemoteIpFailedMatch) {
  // Same addresses as the success case but with a /16 prefix, which now
  // also compares the second octet (2 vs 7) and therefore excludes the peer.
  IpAuthorizationMatcher direct_remote_ip_matcher(
      IpAuthorizationMatcher::Type::kDirectRemoteIp,
      Rbac::CidrRange(/*address_prefix=*/"1.7.8.9", /*prefix_len=*/16));
  args_.SetPeerEndpoint("ipv4:1.2.3.4:123");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(direct_remote_ip_matcher.Matches(evaluate_args));
}
427
TEST_F(AuthorizationMatchersTest, PortAuthorizationMatcherSuccessfulMatch) {
  // The port matcher compares against the local (destination) endpoint.
  PortAuthorizationMatcher port_matcher(/*port=*/123);
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(port_matcher.Matches(evaluate_args));
}
434
TEST_F(AuthorizationMatchersTest, PortAuthorizationMatcherFailedMatch) {
  // Local endpoint listens on 123; a matcher for 456 must not match.
  PortAuthorizationMatcher port_matcher(/*port=*/456);
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(port_matcher.Matches(evaluate_args));
}
441
TEST_F(AuthorizationMatchersTest,
       AuthenticatedMatcherUnAuthenticatedConnection) {
  // No transport-security property in the auth context: the connection is
  // not authenticated, so even a principal pattern that would otherwise be
  // checked against SANs/subject is rejected.
  AuthenticatedAuthorizationMatcher authenticated_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"foo.com",
                            /*case_sensitive=*/false)
          .value());
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(authenticated_matcher.Matches(evaluate_args));
}
452
TEST_F(AuthorizationMatchersTest,
       AuthenticatedMatcherAuthenticatedConnectionMatcherUnset) {
  // An SSL-secured connection with no principal pattern configured
  // (absl::nullopt) matches: only "is authenticated" is required.
  AuthenticatedAuthorizationMatcher authenticated_matcher(
      /*auth=*/absl::nullopt);
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(authenticated_matcher.Matches(evaluate_args));
}
461
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherSuccessfulUriSanMatches) {
  // TLS connection presenting two URI SANs; the pattern equals the first.
  AuthenticatedAuthorizationMatcher authenticated_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"spiffe://foo.abc",
                            /*case_sensitive=*/false)
          .value());
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_TLS_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
                                 "spiffe://foo.abc");
  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
                                 "https://foo.domain.com");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(authenticated_matcher.Matches(evaluate_args));
}
477
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedUriSanMatches) {
  // TLS connection whose only URI SAN ("spiffe://bar.abc") differs from
  // the pattern; no DNS SAN or subject is present to fall back on.
  AuthenticatedAuthorizationMatcher authenticated_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"spiffe://foo.abc",
                            /*case_sensitive=*/false)
          .value());
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_TLS_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
                                 "spiffe://bar.abc");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(authenticated_matcher.Matches(evaluate_args));
}
491
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherSuccessfulDnsSanMatches) {
  // The URI SAN does not match the pattern, but the second DNS SAN does.
  AuthenticatedAuthorizationMatcher authenticated_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"bar.test.domain.com",
                            /*case_sensitive=*/false)
          .value());
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
                                 "spiffe://bar.abc");
  args_.AddPropertyToAuthContext(GRPC_PEER_DNS_PROPERTY_NAME,
                                 "foo.test.domain.com");
  args_.AddPropertyToAuthContext(GRPC_PEER_DNS_PROPERTY_NAME,
                                 "bar.test.domain.com");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(authenticated_matcher.Matches(evaluate_args));
}
510
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedDnsSanMatches) {
  // Only one DNS SAN is present and it is not the configured one.
  AuthenticatedAuthorizationMatcher authenticated_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"bar.test.domain.com",
                            /*case_sensitive=*/false)
          .value());
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_PEER_DNS_PROPERTY_NAME,
                                 "foo.test.domain.com");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(authenticated_matcher.Matches(evaluate_args));
}
524
TEST_F(AuthorizationMatchersTest,
       AuthenticatedMatcherSuccessfulSubjectMatches) {
  // No URI or DNS SANs at all; the pattern is satisfied by the X.509
  // subject string.
  AuthenticatedAuthorizationMatcher authenticated_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"CN=abc,OU=Google",
                            /*case_sensitive=*/false)
          .value());
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_TLS_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_X509_SUBJECT_PROPERTY_NAME,
                                 "CN=abc,OU=Google");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(authenticated_matcher.Matches(evaluate_args));
}
540
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedSubjectMatches) {
  // The subject is present but its CN differs from the pattern's.
  AuthenticatedAuthorizationMatcher authenticated_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"CN=def,OU=Google",
                            /*case_sensitive=*/false)
          .value());
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_X509_SUBJECT_PROPERTY_NAME,
                                 "CN=abc,OU=Google");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(authenticated_matcher.Matches(evaluate_args));
}
554
TEST_F(
    AuthorizationMatchersTest,
    AuthenticatedMatcherWithoutClientCertMatchesSuccessfullyOnEmptyPrincipal) {
  // TLS transport but no URI SAN, DNS SAN or subject: an exact match on the
  // empty string succeeds. Policy authors should note that an empty
  // principal pattern therefore does not require the peer to have presented
  // any identity, only an authenticated transport.
  AuthenticatedAuthorizationMatcher authenticated_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"")
          .value());
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_TLS_TRANSPORT_SECURITY_TYPE);
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(authenticated_matcher.Matches(evaluate_args));
}
567
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedNothingMatches) {
  // SSL transport, no identity properties, and a non-empty pattern: there
  // is nothing for "foo" to match against, so the matcher rejects.
  AuthenticatedAuthorizationMatcher authenticated_matcher(
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"foo",
                            /*case_sensitive=*/false)
          .value());
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  EXPECT_FALSE(authenticated_matcher.Matches(evaluate_args));
}
579
TEST_F(AuthorizationMatchersTest, PolicyAuthorizationMatcherSuccessfulMatch) {
  // A policy of (any principal, OR(header key123 == foo)) matches a request
  // carrying that header value.
  args_.AddPairToMetadata("key123", "foo");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  HeaderMatcher header_matcher =
      HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
                            /*matcher=*/"foo")
          .value();
  std::vector<std::unique_ptr<Rbac::Permission>> permissions;
  permissions.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(std::move(header_matcher))));
  Rbac::Policy policy(Rbac::Permission::MakeOrPermission(std::move(permissions)),
                      Rbac::Principal::MakeAnyPrincipal());
  PolicyAuthorizationMatcher policy_matcher(std::move(policy));
  EXPECT_TRUE(policy_matcher.Matches(evaluate_args));
}
594
TEST_F(AuthorizationMatchersTest, PolicyAuthorizationMatcherFailedMatch) {
  // Same policy shape as the success case, but the permission expects
  // "bar" while the request carries "foo"; the any-principal alone is not
  // enough for the policy to match.
  args_.AddPairToMetadata("key123", "foo");
  const EvaluateArgs evaluate_args = args_.MakeEvaluateArgs();
  HeaderMatcher header_matcher =
      HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
                            /*matcher=*/"bar")
          .value();
  std::vector<std::unique_ptr<Rbac::Permission>> permissions;
  permissions.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(std::move(header_matcher))));
  Rbac::Policy policy(Rbac::Permission::MakeOrPermission(std::move(permissions)),
                      Rbac::Principal::MakeAnyPrincipal());
  PolicyAuthorizationMatcher policy_matcher(std::move(policy));
  EXPECT_FALSE(policy_matcher.Matches(evaluate_args));
}
609
610 } // namespace grpc_core
611
int main(int argc, char** argv) {
  ::testing::InitGoogleTest(&argc, argv);
  // Bracket the run with grpc_init()/grpc_shutdown(); the matchers under
  // test presumably rely on core being initialized.
  grpc_init();
  const int exit_code = RUN_ALL_TESTS();
  grpc_shutdown();
  return exit_code;
}
619