1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <gmock/gmock.h>
16 #include <grpc/grpc_security_constants.h>
17 #include <grpc/support/port_platform.h>
18 #include <gtest/gtest.h>
19
20 #include <list>
21
22 #include "src/core/lib/security/authorization/evaluate_args.h"
23 #include "src/core/lib/security/authorization/matchers.h"
24 #include "test/core/test_util/evaluate_args_test_util.h"
25
26 namespace grpc_core {
27
// Fixture shared by every matcher test below. `args_` is a small builder for
// the EvaluateArgs handed to the matcher under test: metadata pairs, local /
// peer endpoints and auth-context properties are added to it, and
// MakeEvaluateArgs() snapshots them into the object the matcher evaluates.
class AuthorizationMatchersTest : public ::testing::Test {
 protected:
  EvaluateArgsTestUtil args_;
};
32
// AlwaysAuthorizationMatcher ignores its input: an EvaluateArgs with no
// metadata, no endpoints and no auth context still matches.
TEST_F(AuthorizationMatchersTest, AlwaysAuthorizationMatcher) {
  AlwaysAuthorizationMatcher always_matcher;
  const EvaluateArgs empty_args = args_.MakeEvaluateArgs();
  EXPECT_TRUE(always_matcher.Matches(empty_args));
}
38
// AND of a header rule (foo == bar) and a destination-port rule (123). Both
// sub-rules hold for the request, so the composite must match.
TEST_F(AuthorizationMatchersTest, AndAuthorizationMatcherSuccessfulMatch) {
  args_.AddPairToMetadata("foo", "bar");
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  const EvaluateArgs eval_args = args_.MakeEvaluateArgs();
  const auto header_rule = HeaderMatcher::Create(
      /*name=*/"foo", HeaderMatcher::Type::kExact, /*matcher=*/"bar");
  std::vector<std::unique_ptr<Rbac::Permission>> sub_rules;
  sub_rules.reserve(2);
  sub_rules.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(header_rule.value())));
  sub_rules.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
  auto and_matcher = AuthorizationMatcher::Create(
      Rbac::Permission::MakeAndPermission(std::move(sub_rules)));
  EXPECT_TRUE(and_matcher->Matches(eval_args));
}
55
// AND short-circuits to "no match" when any sub-rule fails: the port rule
// holds, but the header value is "not_bar" instead of the expected "bar".
TEST_F(AuthorizationMatchersTest, AndAuthorizationMatcherFailedMatch) {
  args_.AddPairToMetadata("foo", "not_bar");
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  const EvaluateArgs eval_args = args_.MakeEvaluateArgs();
  const auto header_rule = HeaderMatcher::Create(
      /*name=*/"foo", HeaderMatcher::Type::kExact, /*matcher=*/"bar");
  std::vector<std::unique_ptr<Rbac::Permission>> sub_rules;
  sub_rules.reserve(2);
  sub_rules.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(header_rule.value())));
  sub_rules.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
  auto and_matcher = AuthorizationMatcher::Create(
      Rbac::Permission::MakeAndPermission(std::move(sub_rules)));
  // Header rule fails: expected "bar" for key "foo", request carries "not_bar".
  EXPECT_FALSE(and_matcher->Matches(eval_args));
}
73
// OR needs only one sub-rule to hold. The header rule matches; the port rule
// (456 vs. actual 123) does not, and that must not prevent the match.
TEST_F(AuthorizationMatchersTest, OrAuthorizationMatcherSuccessfulMatch) {
  args_.AddPairToMetadata("foo", "bar");
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  const EvaluateArgs eval_args = args_.MakeEvaluateArgs();
  const auto header_rule = HeaderMatcher::Create(
      /*name=*/"foo", HeaderMatcher::Type::kExact, /*matcher=*/"bar");
  std::vector<std::unique_ptr<Rbac::Permission>> alternatives;
  alternatives.reserve(2);
  alternatives.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(header_rule.value())));
  alternatives.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeDestPortPermission(/*port=*/456)));
  auto or_matcher = AuthorizationMatcher::Create(
      Rbac::Permission::MakeOrPermission(std::move(alternatives)));
  // Matches because the header rule holds even though the port rule fails.
  EXPECT_TRUE(or_matcher->Matches(eval_args));
}
91
// OR with a single alternative that does not hold yields no match.
TEST_F(AuthorizationMatchersTest, OrAuthorizationMatcherFailedMatch) {
  args_.AddPairToMetadata("foo", "not_bar");
  const EvaluateArgs eval_args = args_.MakeEvaluateArgs();
  const auto header_rule = HeaderMatcher::Create(
      /*name=*/"foo", HeaderMatcher::Type::kExact, /*matcher=*/"bar");
  std::vector<std::unique_ptr<Rbac::Permission>> alternatives;
  alternatives.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(header_rule.value())));
  auto or_matcher = AuthorizationMatcher::Create(
      Rbac::Permission::MakeOrPermission(std::move(alternatives)));
  // Header rule fails: expected "bar" for key "foo", request carries "not_bar".
  EXPECT_FALSE(or_matcher->Matches(eval_args));
}
106
// NOT(path == "/expected/foo"): the request path is "/different/foo", so the
// inner principal does not match and the negation does.
TEST_F(AuthorizationMatchersTest, NotAuthorizationMatcherSuccessfulMatch) {
  args_.AddPairToMetadata(":path", "/different/foo");
  const auto path_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"/expected/foo",
                            /*case_sensitive=*/false);
  auto not_matcher = AuthorizationMatcher::Create(
      Rbac::Principal(Rbac::Principal::MakeNotPrincipal(
          Rbac::Principal::MakePathPrincipal(path_rule.value()))));
  EXPECT_TRUE(not_matcher->Matches(args_.MakeEvaluateArgs()));
}
118
// NOT(path == "/expected/foo") with a request whose path is exactly that:
// the inner principal matches, so the negation must not.
TEST_F(AuthorizationMatchersTest, NotAuthorizationMatcherFailedMatch) {
  args_.AddPairToMetadata(":path", "/expected/foo");
  const auto path_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"/expected/foo",
                            /*case_sensitive=*/false);
  auto not_matcher = AuthorizationMatcher::Create(
      Rbac::Principal(Rbac::Principal::MakeNotPrincipal(
          Rbac::Principal::MakePathPrincipal(path_rule.value()))));
  EXPECT_FALSE(not_matcher->Matches(args_.MakeEvaluateArgs()));
}
130
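// Nested composite: AND( AND(header foo == bar), OR(dest port == 123) ).
// Every leaf holds for the request, so the outer AND must match. Each rule
// vector is moved exactly once into the permission that owns it.
TEST_F(AuthorizationMatchersTest, HybridAuthorizationMatcherSuccessfulMatch) {
  args_.AddPairToMetadata("foo", "bar");
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  const EvaluateArgs eval_args = args_.MakeEvaluateArgs();
  // Inner AND: one exact header rule.
  std::vector<std::unique_ptr<Rbac::Permission>> inner_and;
  inner_and.push_back(
      std::make_unique<Rbac::Permission>(Rbac::Permission::MakeHeaderPermission(
          HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
                                /*matcher=*/"bar")
              .value())));
  // Inner OR: one destination-port rule.
  std::vector<std::unique_ptr<Rbac::Permission>> inner_or;
  inner_or.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
  // Outer AND combining the two composites.
  std::vector<std::unique_ptr<Rbac::Permission>> outer_and;
  outer_and.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeAndPermission(std::move(inner_and))));
  outer_and.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeOrPermission(std::move(inner_or))));
  auto matcher = AuthorizationMatcher::Create(
      Rbac::Permission::MakeAndPermission(std::move(outer_and)));
  EXPECT_TRUE(matcher->Matches(eval_args));
}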
153
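// Nested composite: AND( AND(foo == bar, absent_key == some_value),
//                        OR(dest port == 123) ).
// The inner AND fails because "absent_key" is not in the metadata, so the
// outer AND must fail even though the OR branch holds. Each rule vector is
// moved exactly once into the permission that owns it.
TEST_F(AuthorizationMatchersTest, HybridAuthorizationMatcherFailedMatch) {
  args_.AddPairToMetadata("foo", "bar");
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  const EvaluateArgs eval_args = args_.MakeEvaluateArgs();
  // Inner AND: a header rule that holds plus one on a header that is absent.
  std::vector<std::unique_ptr<Rbac::Permission>> inner_and;
  inner_and.push_back(
      std::make_unique<Rbac::Permission>(Rbac::Permission::MakeHeaderPermission(
          HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
                                /*matcher=*/"bar")
              .value())));
  inner_and.push_back(
      std::make_unique<Rbac::Permission>(Rbac::Permission::MakeHeaderPermission(
          HeaderMatcher::Create(/*name=*/"absent_key",
                                HeaderMatcher::Type::kExact,
                                /*matcher=*/"some_value")
              .value())));
  // Inner OR: one destination-port rule, which does hold.
  std::vector<std::unique_ptr<Rbac::Permission>> inner_or;
  inner_or.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeDestPortPermission(/*port=*/123)));
  // Outer AND combining the two composites.
  std::vector<std::unique_ptr<Rbac::Permission>> outer_and;
  outer_and.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeAndPermission(std::move(inner_and))));
  outer_and.push_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeOrPermission(std::move(inner_or))));
  auto matcher = AuthorizationMatcher::Create(
      Rbac::Permission::MakeAndPermission(std::move(outer_and)));
  // Fails because the "absent_key" header was not present.
  EXPECT_FALSE(matcher->Matches(eval_args));
}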
183
// The fixture never sets a requested server name, yet an exact matcher on ""
// succeeds. Presumably the attribute is reported as an empty string when it
// is absent (verify against EvaluateArgs). Policy authors should be aware
// that an empty requested-server-name rule therefore matches requests that
// carry no server name at all.
TEST_F(AuthorizationMatchersTest,
       ReqServerNameAuthorizationMatcherSuccessfulMatch) {
  const auto empty_name =
      StringMatcher::Create(StringMatcher::Type::kExact, /*matcher=*/"");
  ReqServerNameAuthorizationMatcher server_name_matcher(empty_name.value());
  EXPECT_TRUE(server_name_matcher.Matches(args_.MakeEvaluateArgs()));
}
193
// With no requested server name on the request, a non-empty exact matcher
// ("server1") must not match.
TEST_F(AuthorizationMatchersTest,
       ReqServerNameAuthorizationMatcherFailedMatch) {
  const auto expected_name =
      StringMatcher::Create(StringMatcher::Type::kExact, /*matcher=*/"server1");
  ReqServerNameAuthorizationMatcher server_name_matcher(expected_name.value());
  EXPECT_FALSE(server_name_matcher.Matches(args_.MakeEvaluateArgs()));
}
203
// Exact path match on the ":path" pseudo-header. The matcher is built with
// case_sensitive=false, but the request and pattern are identical, so case
// folding is not what is exercised here.
TEST_F(AuthorizationMatchersTest, PathAuthorizationMatcherSuccessfulMatch) {
  args_.AddPairToMetadata(":path", "expected/path");
  const auto path_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"expected/path",
                            /*case_sensitive=*/false);
  PathAuthorizationMatcher path_matcher(path_rule.value());
  EXPECT_TRUE(path_matcher.Matches(args_.MakeEvaluateArgs()));
}
214
// A ":path" that differs from the pattern in more than case does not match.
TEST_F(AuthorizationMatchersTest, PathAuthorizationMatcherFailedMatch) {
  args_.AddPairToMetadata(":path", "different/path");
  const auto path_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"expected/path",
                            /*case_sensitive=*/false);
  PathAuthorizationMatcher path_matcher(path_rule.value());
  EXPECT_FALSE(path_matcher.Matches(args_.MakeEvaluateArgs()));
}
225
// No ":path" in the metadata at all: a non-empty exact path rule must fail
// closed rather than match.
TEST_F(AuthorizationMatchersTest,
       PathAuthorizationMatcherFailedMatchMissingPath) {
  const auto path_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"expected/path",
                            /*case_sensitive=*/false);
  PathAuthorizationMatcher path_matcher(path_rule.value());
  EXPECT_FALSE(path_matcher.Matches(args_.MakeEvaluateArgs()));
}
236
// With invert=true the metadata matcher matches an EvaluateArgs that carries
// nothing at all; the non-inverted sibling test shows the opposite.
// NOTE(review): this suggests the matcher has nothing to match against here
// and simply evaluates to `invert` — confirm against the implementation.
TEST_F(AuthorizationMatchersTest, MetadataAuthorizationMatcherSuccessfulMatch) {
  MetadataAuthorizationMatcher inverted_matcher(/*invert=*/true);
  EXPECT_TRUE(inverted_matcher.Matches(args_.MakeEvaluateArgs()));
}
242
// With invert=false the metadata matcher does not match an empty
// EvaluateArgs (see the inverted sibling test for the complementary case).
TEST_F(AuthorizationMatchersTest, MetadataAuthorizationMatcherFailedMatch) {
  MetadataAuthorizationMatcher plain_matcher(/*invert=*/false);
  EXPECT_FALSE(plain_matcher.Matches(args_.MakeEvaluateArgs()));
}
248
// Prefix header rule: "foo_xxx" starts with "foo", so the rule holds.
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherSuccessfulMatch) {
  args_.AddPairToMetadata("key123", "foo_xxx");
  const auto prefix_rule = HeaderMatcher::Create(
      /*name=*/"key123", HeaderMatcher::Type::kPrefix, /*matcher=*/"foo");
  HeaderAuthorizationMatcher header_matcher(prefix_rule.value());
  EXPECT_TRUE(header_matcher.Matches(args_.MakeEvaluateArgs()));
}
258
// Exact header rule expecting "bar" when the request carries "foo".
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherFailedMatch) {
  args_.AddPairToMetadata("key123", "foo");
  const auto exact_rule = HeaderMatcher::Create(
      /*name=*/"key123", HeaderMatcher::Type::kExact, /*matcher=*/"bar");
  HeaderAuthorizationMatcher header_matcher(exact_rule.value());
  EXPECT_FALSE(header_matcher.Matches(args_.MakeEvaluateArgs()));
}
268
// The ":method" pseudo-header is matchable like any other header.
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherMethodSuccess) {
  args_.AddPairToMetadata(":method", "GET");
  const auto method_rule = HeaderMatcher::Create(
      /*name=*/":method", HeaderMatcher::Type::kExact, /*matcher=*/"GET");
  HeaderAuthorizationMatcher header_matcher(method_rule.value());
  EXPECT_TRUE(header_matcher.Matches(args_.MakeEvaluateArgs()));
}
278
// ":method" is "GET"; an exact rule for "PUT" must not match.
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherMethodFail) {
  args_.AddPairToMetadata(":method", "GET");
  const auto method_rule = HeaderMatcher::Create(
      /*name=*/":method", HeaderMatcher::Type::kExact, /*matcher=*/"PUT");
  HeaderAuthorizationMatcher header_matcher(method_rule.value());
  EXPECT_FALSE(header_matcher.Matches(args_.MakeEvaluateArgs()));
}
288
// The ":authority" pseudo-header is matchable like any other header.
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherAuthoritySuccess) {
  args_.AddPairToMetadata(":authority", "localhost");
  const auto authority_rule =
      HeaderMatcher::Create(/*name=*/":authority", HeaderMatcher::Type::kExact,
                            /*matcher=*/"localhost");
  HeaderAuthorizationMatcher header_matcher(authority_rule.value());
  EXPECT_TRUE(header_matcher.Matches(args_.MakeEvaluateArgs()));
}
298
// ":authority" is "localhost"; an exact rule for another host must not match.
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherAuthorityFail) {
  args_.AddPairToMetadata(":authority", "localhost");
  const auto authority_rule =
      HeaderMatcher::Create(/*name=*/":authority", HeaderMatcher::Type::kExact,
                            /*matcher=*/"bad_authority");
  HeaderAuthorizationMatcher header_matcher(authority_rule.value());
  EXPECT_FALSE(header_matcher.Matches(args_.MakeEvaluateArgs()));
}
308
// ":path" can be matched through the generic header matcher as well as
// through PathAuthorizationMatcher.
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherPathSuccess) {
  args_.AddPairToMetadata(":path", "/expected/path");
  const auto path_rule =
      HeaderMatcher::Create(/*name=*/":path", HeaderMatcher::Type::kExact,
                            /*matcher=*/"/expected/path");
  HeaderAuthorizationMatcher header_matcher(path_rule.value());
  EXPECT_TRUE(header_matcher.Matches(args_.MakeEvaluateArgs()));
}
318
// ":path" is "/expected/path"; an exact rule for a different path fails.
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherPathFail) {
  args_.AddPairToMetadata(":path", "/expected/path");
  const auto path_rule =
      HeaderMatcher::Create(/*name=*/":path", HeaderMatcher::Type::kExact,
                            /*matcher=*/"/unexpected/path");
  HeaderAuthorizationMatcher header_matcher(path_rule.value());
  EXPECT_FALSE(header_matcher.Matches(args_.MakeEvaluateArgs()));
}
328
// A header with two values ("foo" and "bar") does NOT exact-match "foo" on
// its own. Presumably the values are concatenated before matching — confirm
// against EvaluateArgs. Security-wise this is the safer direction: a client
// cannot satisfy an exact rule by stacking extra values onto the header.
TEST_F(AuthorizationMatchersTest,
       HeaderAuthorizationMatcherFailedMatchMultivaluedHeader) {
  args_.AddPairToMetadata("key123", "foo");
  args_.AddPairToMetadata("key123", "bar");
  const auto exact_rule = HeaderMatcher::Create(
      /*name=*/"key123", HeaderMatcher::Type::kExact, /*matcher=*/"foo");
  HeaderAuthorizationMatcher header_matcher(exact_rule.value());
  EXPECT_FALSE(header_matcher.Matches(args_.MakeEvaluateArgs()));
}
340
// A suffix rule on a header that is absent from the request fails closed.
TEST_F(AuthorizationMatchersTest,
       HeaderAuthorizationMatcherFailedMatchMissingHeader) {
  const auto suffix_rule = HeaderMatcher::Create(
      /*name=*/"key123", HeaderMatcher::Type::kSuffix, /*matcher=*/"foo");
  HeaderAuthorizationMatcher header_matcher(suffix_rule.value());
  EXPECT_FALSE(header_matcher.Matches(args_.MakeEvaluateArgs()));
}
350
// kDestIp is evaluated against the local endpoint. 1.2.3.4 is inside
// 1.7.8.9/8 because only the first octet is significant under a /8.
TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherDestIpSuccessfulMatch) {
  args_.SetLocalEndpoint("ipv4:1.2.3.4:123");
  IpAuthorizationMatcher dest_ip_matcher(
      IpAuthorizationMatcher::Type::kDestIp,
      Rbac::CidrRange(/*address_prefix=*/"1.7.8.9", /*prefix_len=*/8));
  EXPECT_TRUE(dest_ip_matcher.Matches(args_.MakeEvaluateArgs()));
}
359
// A /32 is a single host: 1.2.3.9/32 does not contain 1.2.3.4.
TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherDestIpFailedMatch) {
  args_.SetLocalEndpoint("ipv4:1.2.3.4:123");
  IpAuthorizationMatcher dest_ip_matcher(
      IpAuthorizationMatcher::Type::kDestIp,
      Rbac::CidrRange(/*address_prefix=*/"1.2.3.9", /*prefix_len=*/32));
  EXPECT_FALSE(dest_ip_matcher.Matches(args_.MakeEvaluateArgs()));
}
368
// kSourceIp is evaluated against the peer endpoint. 1:2:3:: lies inside
// 1:3:4::/16 because only the first hextet (0001) is compared under a /16.
TEST_F(AuthorizationMatchersTest,
       IpAuthorizationMatcherSourceIpSuccessfulMatch) {
  args_.SetPeerEndpoint("ipv6:[1:2:3::]:456");
  IpAuthorizationMatcher source_ip_matcher(
      IpAuthorizationMatcher::Type::kSourceIp,
      Rbac::CidrRange(/*address_prefix=*/"1:3:4::", /*prefix_len=*/16));
  EXPECT_TRUE(source_ip_matcher.Matches(args_.MakeEvaluateArgs()));
}
378
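// kSourceIp outside the range: 1:2::3 and 1:3::/48 differ in the second
// hextet (0002 vs 0003). The peer literal is a well-formed IPv6 address
// (a single "::") so that the CIDR mismatch — and not an address parse
// failure, which would also yield "no match" — is what this test exercises.
TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherSourceIpFailedMatch) {
  args_.SetPeerEndpoint("ipv6:[1:2::3]:456");
  const EvaluateArgs eval_args = args_.MakeEvaluateArgs();
  IpAuthorizationMatcher source_ip_matcher(
      IpAuthorizationMatcher::Type::kSourceIp,
      Rbac::CidrRange(/*address_prefix=*/"1:3::", /*prefix_len=*/48));
  EXPECT_FALSE(source_ip_matcher.Matches(eval_args));
}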
387
// kRemoteIp is also evaluated against the peer endpoint. 1:2:3:: lies inside
// 1:2:4::/32 because the first two hextets (0001:0002) agree.
TEST_F(AuthorizationMatchersTest,
       IpAuthorizationMatcherRemoteIpSuccessfulMatch) {
  args_.SetPeerEndpoint("ipv6:[1:2:3::]:456");
  IpAuthorizationMatcher remote_ip_matcher(
      IpAuthorizationMatcher::Type::kRemoteIp,
      Rbac::CidrRange(/*address_prefix=*/"1:2:4::", /*prefix_len=*/32));
  EXPECT_TRUE(remote_ip_matcher.Matches(args_.MakeEvaluateArgs()));
}
397
// kRemoteIp outside the range: 1:2:: and 1:3::/32 differ in the second
// hextet.
TEST_F(AuthorizationMatchersTest, IpAuthorizationMatcherRemoteIpFailedMatch) {
  args_.SetPeerEndpoint("ipv6:[1:2::]:456");
  IpAuthorizationMatcher remote_ip_matcher(
      IpAuthorizationMatcher::Type::kRemoteIp,
      Rbac::CidrRange(/*address_prefix=*/"1:3::", /*prefix_len=*/32));
  EXPECT_FALSE(remote_ip_matcher.Matches(args_.MakeEvaluateArgs()));
}
406
// kDirectRemoteIp is evaluated against the peer endpoint. 1.2.3.4 is inside
// 1.7.8.9/8 because only the first octet matters under a /8.
TEST_F(AuthorizationMatchersTest,
       IpAuthorizationMatcherDirectRemoteIpSuccessfulMatch) {
  args_.SetPeerEndpoint("ipv4:1.2.3.4:123");
  IpAuthorizationMatcher direct_remote_ip_matcher(
      IpAuthorizationMatcher::Type::kDirectRemoteIp,
      Rbac::CidrRange(/*address_prefix=*/"1.7.8.9", /*prefix_len=*/8));
  EXPECT_TRUE(direct_remote_ip_matcher.Matches(args_.MakeEvaluateArgs()));
}
416
// Same prefix as the success case but widened to /16: the second octet
// (2 vs 7) now participates and no longer agrees, so there is no match.
TEST_F(AuthorizationMatchersTest,
       IpAuthorizationMatcherDirectRemoteIpFailedMatch) {
  args_.SetPeerEndpoint("ipv4:1.2.3.4:123");
  IpAuthorizationMatcher direct_remote_ip_matcher(
      IpAuthorizationMatcher::Type::kDirectRemoteIp,
      Rbac::CidrRange(/*address_prefix=*/"1.7.8.9", /*prefix_len=*/16));
  EXPECT_FALSE(direct_remote_ip_matcher.Matches(args_.MakeEvaluateArgs()));
}
426
// The port matcher compares against the local endpoint's port.
TEST_F(AuthorizationMatchersTest, PortAuthorizationMatcherSuccessfulMatch) {
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  PortAuthorizationMatcher port_matcher(/*port=*/123);
  EXPECT_TRUE(port_matcher.Matches(args_.MakeEvaluateArgs()));
}
433
// Local endpoint listens on 123; a rule for 456 must not match.
TEST_F(AuthorizationMatchersTest, PortAuthorizationMatcherFailedMatch) {
  args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
  PortAuthorizationMatcher port_matcher(/*port=*/456);
  EXPECT_FALSE(port_matcher.Matches(args_.MakeEvaluateArgs()));
}
440
// No transport-security property in the auth context at all: the connection
// counts as unauthenticated and an authenticated-principal rule must fail.
TEST_F(AuthorizationMatchersTest,
       AuthenticatedMatcherUnAuthenticatedConnection) {
  const auto identity_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"foo.com",
                            /*case_sensitive=*/false);
  AuthenticatedAuthorizationMatcher authenticated_matcher(identity_rule.value());
  EXPECT_FALSE(authenticated_matcher.Matches(args_.MakeEvaluateArgs()));
}
451
// An SSL-secured connection with no identity matcher (absl::nullopt) is
// accepted regardless of which peer identity, if any, is present.
// NOTE(review): the complementary negative case — nullopt matcher on a
// connection WITHOUT a transport-security property — is the one that
// protects against unauthenticated access and is not covered in this file.
TEST_F(AuthorizationMatchersTest,
       AuthenticatedMatcherAuthenticatedConnectionMatcherUnset) {
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
  AuthenticatedAuthorizationMatcher any_authenticated(/*auth=*/absl::nullopt);
  EXPECT_TRUE(any_authenticated.Matches(args_.MakeEvaluateArgs()));
}
460
// TLS connection whose peer presents two URI SANs; the rule names one of
// them exactly, so the principal matches.
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherSuccessfulUriSanMatches) {
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_TLS_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
                                 "spiffe://foo.abc");
  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
                                 "https://foo.domain.com");
  const auto spiffe_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"spiffe://foo.abc",
                            /*case_sensitive=*/false);
  AuthenticatedAuthorizationMatcher authenticated_matcher(spiffe_rule.value());
  EXPECT_TRUE(authenticated_matcher.Matches(args_.MakeEvaluateArgs()));
}
476
// TLS connection whose only URI SAN is spiffe://bar.abc; a rule for
// spiffe://foo.abc must not match.
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedUriSanMatches) {
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_TLS_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
                                 "spiffe://bar.abc");
  const auto spiffe_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"spiffe://foo.abc",
                            /*case_sensitive=*/false);
  AuthenticatedAuthorizationMatcher authenticated_matcher(spiffe_rule.value());
  EXPECT_FALSE(authenticated_matcher.Matches(args_.MakeEvaluateArgs()));
}
490
// SSL connection with one URI SAN that does not match and two DNS SANs, one
// of which does. No match is found among the URI SANs; the DNS SANs are
// consulted next and "bar.test.domain.com" matches.
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherSuccessfulDnsSanMatches) {
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_PEER_URI_PROPERTY_NAME,
                                 "spiffe://bar.abc");
  args_.AddPropertyToAuthContext(GRPC_PEER_DNS_PROPERTY_NAME,
                                 "foo.test.domain.com");
  args_.AddPropertyToAuthContext(GRPC_PEER_DNS_PROPERTY_NAME,
                                 "bar.test.domain.com");
  const auto dns_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"bar.test.domain.com",
                            /*case_sensitive=*/false);
  AuthenticatedAuthorizationMatcher authenticated_matcher(dns_rule.value());
  EXPECT_TRUE(authenticated_matcher.Matches(args_.MakeEvaluateArgs()));
}
509
// SSL connection whose only DNS SAN is foo.test.domain.com; a rule for
// bar.test.domain.com must not match.
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedDnsSanMatches) {
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_PEER_DNS_PROPERTY_NAME,
                                 "foo.test.domain.com");
  const auto dns_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"bar.test.domain.com",
                            /*case_sensitive=*/false);
  AuthenticatedAuthorizationMatcher authenticated_matcher(dns_rule.value());
  EXPECT_FALSE(authenticated_matcher.Matches(args_.MakeEvaluateArgs()));
}
523
// TLS connection with no URI or DNS SANs but an X.509 subject; with nothing
// to match among the SANs, the subject is consulted and matches exactly.
TEST_F(AuthorizationMatchersTest,
       AuthenticatedMatcherSuccessfulSubjectMatches) {
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_TLS_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_X509_SUBJECT_PROPERTY_NAME,
                                 "CN=abc,OU=Google");
  const auto subject_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"CN=abc,OU=Google",
                            /*case_sensitive=*/false);
  AuthenticatedAuthorizationMatcher authenticated_matcher(subject_rule.value());
  EXPECT_TRUE(authenticated_matcher.Matches(args_.MakeEvaluateArgs()));
}
539
// SSL connection whose X.509 subject is CN=abc; a rule for CN=def must not
// match.
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedSubjectMatches) {
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
  args_.AddPropertyToAuthContext(GRPC_X509_SUBJECT_PROPERTY_NAME,
                                 "CN=abc,OU=Google");
  const auto subject_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"CN=def,OU=Google",
                            /*case_sensitive=*/false);
  AuthenticatedAuthorizationMatcher authenticated_matcher(subject_rule.value());
  EXPECT_FALSE(authenticated_matcher.Matches(args_.MakeEvaluateArgs()));
}
553
// Security-relevant corner case: the connection is TLS-secured but carries no
// peer identity at all (no URI SAN, no DNS SAN, no subject), and an exact
// matcher on "" still matches. Policy authors must not read an empty
// authenticated principal as "requires a client certificate" — it admits any
// TLS peer that presented none.
TEST_F(
    AuthorizationMatchersTest,
    AuthenticatedMatcherWithoutClientCertMatchesSuccessfullyOnEmptyPrincipal) {
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_TLS_TRANSPORT_SECURITY_TYPE);
  const auto empty_identity =
      StringMatcher::Create(StringMatcher::Type::kExact, /*matcher=*/"");
  AuthenticatedAuthorizationMatcher authenticated_matcher(empty_identity.value());
  EXPECT_TRUE(authenticated_matcher.Matches(args_.MakeEvaluateArgs()));
}
566
// SSL connection with no peer identity and a non-empty rule ("foo"): there is
// nothing for the rule to match, so the result is no match.
TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedNothingMatches) {
  args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
                                 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
  const auto identity_rule =
      StringMatcher::Create(StringMatcher::Type::kExact,
                            /*matcher=*/"foo",
                            /*case_sensitive=*/false);
  AuthenticatedAuthorizationMatcher authenticated_matcher(identity_rule.value());
  EXPECT_FALSE(authenticated_matcher.Matches(args_.MakeEvaluateArgs()));
}
578
// A policy pairs permissions with principals. Here the permission is
// OR(header key123 == foo) and the principal is "any"; the header holds, so
// the policy matches.
TEST_F(AuthorizationMatchersTest, PolicyAuthorizationMatcherSuccessfulMatch) {
  args_.AddPairToMetadata("key123", "foo");
  const EvaluateArgs eval_args = args_.MakeEvaluateArgs();
  const auto header_rule = HeaderMatcher::Create(
      /*name=*/"key123", HeaderMatcher::Type::kExact, /*matcher=*/"foo");
  std::vector<std::unique_ptr<Rbac::Permission>> permissions;
  permissions.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(header_rule.value())));
  PolicyAuthorizationMatcher policy_matcher(Rbac::Policy(
      Rbac::Permission::MakeOrPermission(std::move(permissions)),
      Rbac::Principal::MakeAnyPrincipal()));
  EXPECT_TRUE(policy_matcher.Matches(eval_args));
}
593
// Same policy shape as the success case, but the permission expects "bar"
// while the request carries "foo". The "any" principal alone is not enough:
// a policy fails when its permissions fail.
TEST_F(AuthorizationMatchersTest, PolicyAuthorizationMatcherFailedMatch) {
  args_.AddPairToMetadata("key123", "foo");
  const EvaluateArgs eval_args = args_.MakeEvaluateArgs();
  const auto header_rule = HeaderMatcher::Create(
      /*name=*/"key123", HeaderMatcher::Type::kExact, /*matcher=*/"bar");
  std::vector<std::unique_ptr<Rbac::Permission>> permissions;
  permissions.emplace_back(std::make_unique<Rbac::Permission>(
      Rbac::Permission::MakeHeaderPermission(header_rule.value())));
  PolicyAuthorizationMatcher policy_matcher(Rbac::Policy(
      Rbac::Permission::MakeOrPermission(std::move(permissions)),
      Rbac::Principal::MakeAnyPrincipal()));
  EXPECT_FALSE(policy_matcher.Matches(eval_args));
}
608
609 } // namespace grpc_core
610
// Test entry point. gRPC core must be initialised before any test constructs
// EvaluateArgs / matchers and shut down only after the whole suite has run.
int main(int argc, char** argv) {
  ::testing::InitGoogleTest(&argc, argv);
  grpc_init();
  const int exit_code = RUN_ALL_TESTS();
  grpc_shutdown();
  return exit_code;
}
618