1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "src/core/lib/security/authorization/grpc_authorization_policy_provider.h"
16
17 #include <gmock/gmock.h>
18 #include <grpc/grpc_security.h>
19 #include <grpc/support/port_platform.h>
20 #include <gtest/gtest.h>
21
22 #include "src/core/lib/security/authorization/grpc_authorization_engine.h"
23 #include "test/core/test_util/test_config.h"
24 #include "test/core/test_util/tls_utils.h"
25
26 #define VALID_POLICY_PATH_1 \
27 "test/core/security/authorization/test_policies/valid_policy_1.json"
28 #define VALID_POLICY_PATH_2 \
29 "test/core/security/authorization/test_policies/valid_policy_2.json"
30 #define INVALID_POLICY_PATH \
31 "test/core/security/authorization/test_policies/invalid_policy.json"
32
33 namespace grpc_core {
34
TEST(AuthorizationPolicyProviderTest,StaticDataInitializationSuccessful)35 TEST(AuthorizationPolicyProviderTest, StaticDataInitializationSuccessful) {
36 auto provider = StaticDataAuthorizationPolicyProvider::Create(
37 testing::GetFileContents(VALID_POLICY_PATH_1));
38 ASSERT_TRUE(provider.ok());
39 auto engines = (*provider)->engines();
40 auto* allow_engine =
41 dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
42 ASSERT_NE(allow_engine, nullptr);
43 EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
44 EXPECT_EQ(allow_engine->num_policies(), 1);
45 auto* deny_engine =
46 dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
47 ASSERT_NE(deny_engine, nullptr);
48 EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
49 EXPECT_EQ(deny_engine->num_policies(), 1);
50 }
51
TEST(AuthorizationPolicyProviderTest,StaticDataInitializationFailedInvalidPolicy)52 TEST(AuthorizationPolicyProviderTest,
53 StaticDataInitializationFailedInvalidPolicy) {
54 auto provider = StaticDataAuthorizationPolicyProvider::Create(
55 testing::GetFileContents(INVALID_POLICY_PATH));
56 EXPECT_EQ(provider.status().code(), absl::StatusCode::kInvalidArgument);
57 EXPECT_EQ(provider.status().message(), "\"name\" field is not present.");
58 }
59
TEST(AuthorizationPolicyProviderTest,FileWatcherInitializationSuccessValidPolicy)60 TEST(AuthorizationPolicyProviderTest,
61 FileWatcherInitializationSuccessValidPolicy) {
62 auto tmp_authz_policy = std::make_unique<testing::TmpFile>(
63 testing::GetFileContents(VALID_POLICY_PATH_1));
64 auto provider = FileWatcherAuthorizationPolicyProvider::Create(
65 tmp_authz_policy->name(), /*refresh_interval_sec=*/1);
66 ASSERT_TRUE(provider.ok());
67 auto engines = (*provider)->engines();
68 auto* allow_engine =
69 dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
70 ASSERT_NE(allow_engine, nullptr);
71 EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
72 EXPECT_EQ(allow_engine->num_policies(), 1);
73 auto* deny_engine =
74 dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
75 ASSERT_NE(deny_engine, nullptr);
76 EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
77 EXPECT_EQ(deny_engine->num_policies(), 1);
78 }
79
TEST(AuthorizationPolicyProviderTest,FileWatcherInitializationFailedInvalidPolicy)80 TEST(AuthorizationPolicyProviderTest,
81 FileWatcherInitializationFailedInvalidPolicy) {
82 auto tmp_authz_policy = std::make_unique<testing::TmpFile>(
83 testing::GetFileContents(INVALID_POLICY_PATH));
84 auto provider = FileWatcherAuthorizationPolicyProvider::Create(
85 tmp_authz_policy->name(), /*refresh_interval_sec=*/1);
86 EXPECT_EQ(provider.status().code(), absl::StatusCode::kInvalidArgument);
87 EXPECT_EQ(provider.status().message(), "\"name\" field is not present.");
88 }
89
TEST(AuthorizationPolicyProviderTest,FileWatcherSuccessValidPolicyRefresh)90 TEST(AuthorizationPolicyProviderTest, FileWatcherSuccessValidPolicyRefresh) {
91 auto tmp_authz_policy = std::make_unique<testing::TmpFile>(
92 testing::GetFileContents(VALID_POLICY_PATH_1));
93 auto provider = FileWatcherAuthorizationPolicyProvider::Create(
94 tmp_authz_policy->name(), /*refresh_interval_sec=*/1);
95 ASSERT_TRUE(provider.ok());
96 auto engines = (*provider)->engines();
97 auto* allow_engine =
98 dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
99 ASSERT_NE(allow_engine, nullptr);
100 EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
101 EXPECT_EQ(allow_engine->num_policies(), 1);
102 auto* deny_engine =
103 dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
104 ASSERT_NE(deny_engine, nullptr);
105 EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
106 EXPECT_EQ(deny_engine->num_policies(), 1);
107 gpr_event on_reload_done;
108 gpr_event_init(&on_reload_done);
109 std::function<void(bool contents_changed, absl::Status status)> callback =
110 [&on_reload_done](bool contents_changed, absl::Status status) {
111 if (contents_changed) {
112 EXPECT_TRUE(status.ok());
113 gpr_event_set(&on_reload_done, reinterpret_cast<void*>(1));
114 }
115 };
116 dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
117 ->SetCallbackForTesting(std::move(callback));
118 // Rewrite the file with a different valid authorization policy.
119 tmp_authz_policy->RewriteFile(testing::GetFileContents(VALID_POLICY_PATH_2));
120 // Wait for the provider's refresh thread to read the updated files.
121 ASSERT_EQ(
122 gpr_event_wait(&on_reload_done, gpr_inf_future(GPR_CLOCK_MONOTONIC)),
123 reinterpret_cast<void*>(1));
124 engines = (*provider)->engines();
125 allow_engine =
126 dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
127 ASSERT_NE(allow_engine, nullptr);
128 EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
129 EXPECT_EQ(allow_engine->num_policies(), 2);
130 deny_engine =
131 dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
132 EXPECT_EQ(deny_engine, nullptr);
133 }
134
TEST(AuthorizationPolicyProviderTest,FileWatcherInvalidPolicyRefreshSkipReload)135 TEST(AuthorizationPolicyProviderTest,
136 FileWatcherInvalidPolicyRefreshSkipReload) {
137 auto tmp_authz_policy = std::make_unique<testing::TmpFile>(
138 testing::GetFileContents(VALID_POLICY_PATH_1));
139 auto provider = FileWatcherAuthorizationPolicyProvider::Create(
140 tmp_authz_policy->name(), /*refresh_interval_sec=*/1);
141 ASSERT_TRUE(provider.ok());
142 auto engines = (*provider)->engines();
143 auto* allow_engine =
144 dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
145 ASSERT_NE(allow_engine, nullptr);
146 EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
147 EXPECT_EQ(allow_engine->num_policies(), 1);
148 auto* deny_engine =
149 dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
150 ASSERT_NE(deny_engine, nullptr);
151 EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
152 EXPECT_EQ(deny_engine->num_policies(), 1);
153 gpr_event on_reload_done;
154 gpr_event_init(&on_reload_done);
155 std::function<void(bool contents_changed, absl::Status status)> callback =
156 [&on_reload_done](bool contents_changed, absl::Status status) {
157 if (contents_changed) {
158 EXPECT_EQ(status.code(), absl::StatusCode::kInvalidArgument);
159 EXPECT_EQ(status.message(), "\"name\" field is not present.");
160 gpr_event_set(&on_reload_done, reinterpret_cast<void*>(1));
161 }
162 };
163 dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
164 ->SetCallbackForTesting(std::move(callback));
165 // Skips the following policy update, and continues to use the valid policy.
166 tmp_authz_policy->RewriteFile(testing::GetFileContents(INVALID_POLICY_PATH));
167 // Wait for the provider's refresh thread to read the updated files.
168 ASSERT_EQ(
169 gpr_event_wait(&on_reload_done, gpr_inf_future(GPR_CLOCK_MONOTONIC)),
170 reinterpret_cast<void*>(1));
171 engines = (*provider)->engines();
172 allow_engine =
173 dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
174 ASSERT_NE(allow_engine, nullptr);
175 EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
176 EXPECT_EQ(allow_engine->num_policies(), 1);
177 deny_engine =
178 dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
179 ASSERT_NE(deny_engine, nullptr);
180 EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
181 EXPECT_EQ(deny_engine->num_policies(), 1);
182 dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
183 ->SetCallbackForTesting(nullptr);
184 }
185
TEST(AuthorizationPolicyProviderTest,FileWatcherRecoversFromFailure)186 TEST(AuthorizationPolicyProviderTest, FileWatcherRecoversFromFailure) {
187 auto tmp_authz_policy = std::make_unique<testing::TmpFile>(
188 testing::GetFileContents(VALID_POLICY_PATH_1));
189 auto provider = FileWatcherAuthorizationPolicyProvider::Create(
190 tmp_authz_policy->name(), /*refresh_interval_sec=*/1);
191 ASSERT_TRUE(provider.ok());
192 auto engines = (*provider)->engines();
193 auto* allow_engine =
194 dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
195 ASSERT_NE(allow_engine, nullptr);
196 EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
197 EXPECT_EQ(allow_engine->num_policies(), 1);
198 auto* deny_engine =
199 dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
200 ASSERT_NE(deny_engine, nullptr);
201 EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
202 EXPECT_EQ(deny_engine->num_policies(), 1);
203 gpr_event on_first_reload_done;
204 gpr_event_init(&on_first_reload_done);
205 std::function<void(bool contents_changed, absl::Status status)> callback1 =
206 [&on_first_reload_done](bool contents_changed, absl::Status status) {
207 if (contents_changed) {
208 EXPECT_EQ(status.code(), absl::StatusCode::kInvalidArgument);
209 EXPECT_EQ(status.message(), "\"name\" field is not present.");
210 gpr_event_set(&on_first_reload_done, reinterpret_cast<void*>(1));
211 }
212 };
213 dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
214 ->SetCallbackForTesting(std::move(callback1));
215 // Skips the following policy update, and continues to use the valid policy.
216 tmp_authz_policy->RewriteFile(testing::GetFileContents(INVALID_POLICY_PATH));
217 // Wait for the provider's refresh thread to read the updated files.
218 ASSERT_EQ(gpr_event_wait(&on_first_reload_done,
219 gpr_inf_future(GPR_CLOCK_MONOTONIC)),
220 reinterpret_cast<void*>(1));
221 engines = (*provider)->engines();
222 allow_engine =
223 dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
224 ASSERT_NE(allow_engine, nullptr);
225 EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
226 EXPECT_EQ(allow_engine->num_policies(), 1);
227 deny_engine =
228 dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
229 ASSERT_NE(deny_engine, nullptr);
230 EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny);
231 EXPECT_EQ(deny_engine->num_policies(), 1);
232 gpr_event on_second_reload_done;
233 gpr_event_init(&on_second_reload_done);
234 std::function<void(bool contents_changed, absl::Status status)> callback2 =
235 [&on_second_reload_done](bool contents_changed, absl::Status status) {
236 if (contents_changed) {
237 EXPECT_TRUE(status.ok());
238 gpr_event_set(&on_second_reload_done, reinterpret_cast<void*>(1));
239 }
240 };
241 dynamic_cast<FileWatcherAuthorizationPolicyProvider*>(provider->get())
242 ->SetCallbackForTesting(std::move(callback2));
243 // Rewrite the file with a valid authorization policy.
244 tmp_authz_policy->RewriteFile(testing::GetFileContents(VALID_POLICY_PATH_2));
245 // Wait for the provider's refresh thread to read the updated files.
246 ASSERT_EQ(gpr_event_wait(&on_second_reload_done,
247 gpr_inf_future(GPR_CLOCK_MONOTONIC)),
248 reinterpret_cast<void*>(1));
249 engines = (*provider)->engines();
250 allow_engine =
251 dynamic_cast<GrpcAuthorizationEngine*>(engines.allow_engine.get());
252 ASSERT_NE(allow_engine, nullptr);
253 EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow);
254 EXPECT_EQ(allow_engine->num_policies(), 2);
255 deny_engine =
256 dynamic_cast<GrpcAuthorizationEngine*>(engines.deny_engine.get());
257 EXPECT_EQ(deny_engine, nullptr);
258 }
259
260 } // namespace grpc_core
261
main(int argc,char ** argv)262 int main(int argc, char** argv) {
263 grpc::testing::TestEnvironment env(&argc, argv);
264 ::testing::InitGoogleTest(&argc, argv);
265 grpc_init();
266 int ret = RUN_ALL_TESTS();
267 grpc_shutdown();
268 return ret;
269 }
270