1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <grpc/support/port_platform.h>
16
17 #include <list>
18
19 #include <gmock/gmock.h>
20 #include <gtest/gtest.h>
21
22 #include "src/core/lib/security/authorization/evaluate_args.h"
23 #include "src/core/lib/security/authorization/matchers.h"
24 #include "test/core/util/evaluate_args_test_util.h"
25
26 namespace grpc_core {
27
28 class AuthorizationMatchersTest : public ::testing::Test {
29 protected:
30 EvaluateArgsTestUtil args_;
31 };
32
TEST_F(AuthorizationMatchersTest,AlwaysAuthorizationMatcher)33 TEST_F(AuthorizationMatchersTest, AlwaysAuthorizationMatcher) {
34 EvaluateArgs args = args_.MakeEvaluateArgs();
35 AlwaysAuthorizationMatcher matcher;
36 EXPECT_TRUE(matcher.Matches(args));
37 }
38
TEST_F(AuthorizationMatchersTest,NotAlwaysAuthorizationMatcher)39 TEST_F(AuthorizationMatchersTest, NotAlwaysAuthorizationMatcher) {
40 EvaluateArgs args = args_.MakeEvaluateArgs();
41 AlwaysAuthorizationMatcher matcher(/*not_rule=*/true);
42 EXPECT_FALSE(matcher.Matches(args));
43 }
44
TEST_F(AuthorizationMatchersTest,AndAuthorizationMatcherSuccessfulMatch)45 TEST_F(AuthorizationMatchersTest, AndAuthorizationMatcherSuccessfulMatch) {
46 args_.AddPairToMetadata("foo", "bar");
47 args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
48 EvaluateArgs args = args_.MakeEvaluateArgs();
49 std::vector<std::unique_ptr<Rbac::Permission>> rules;
50 rules.push_back(absl::make_unique<Rbac::Permission>(
51 Rbac::Permission::RuleType::kHeader,
52 HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
53 /*matcher=*/"bar")
54 .value()));
55 rules.push_back(absl::make_unique<Rbac::Permission>(
56 Rbac::Permission::RuleType::kDestPort, /*port=*/123));
57 AndAuthorizationMatcher matcher(std::move(rules));
58 EXPECT_TRUE(matcher.Matches(args));
59 }
60
TEST_F(AuthorizationMatchersTest,AndAuthorizationMatcherFailedMatch)61 TEST_F(AuthorizationMatchersTest, AndAuthorizationMatcherFailedMatch) {
62 args_.AddPairToMetadata("foo", "not_bar");
63 args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
64 EvaluateArgs args = args_.MakeEvaluateArgs();
65 std::vector<std::unique_ptr<Rbac::Permission>> rules;
66 rules.push_back(absl::make_unique<Rbac::Permission>(
67 Rbac::Permission::RuleType::kHeader,
68 HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
69 /*matcher=*/"bar")
70 .value()));
71 rules.push_back(absl::make_unique<Rbac::Permission>(
72 Rbac::Permission::RuleType::kDestPort, /*port=*/123));
73 AndAuthorizationMatcher matcher(std::move(rules));
74 // Header rule fails. Expected value "bar", got "not_bar" for key "foo".
75 EXPECT_FALSE(matcher.Matches(args));
76 }
77
TEST_F(AuthorizationMatchersTest,NotAndAuthorizationMatcher)78 TEST_F(AuthorizationMatchersTest, NotAndAuthorizationMatcher) {
79 args_.AddPairToMetadata(":path", "/expected/foo");
80 EvaluateArgs args = args_.MakeEvaluateArgs();
81 StringMatcher string_matcher =
82 StringMatcher::Create(StringMatcher::Type::kExact,
83 /*matcher=*/"/expected/foo",
84 /*case_sensitive=*/false)
85 .value();
86 std::vector<std::unique_ptr<Rbac::Permission>> ids;
87 ids.push_back(absl::make_unique<Rbac::Permission>(
88 Rbac::Permission::RuleType::kPath, std::move(string_matcher)));
89 AndAuthorizationMatcher matcher(std::move(ids), /*not_rule=*/true);
90 EXPECT_FALSE(matcher.Matches(args));
91 }
92
TEST_F(AuthorizationMatchersTest,OrAuthorizationMatcherSuccessfulMatch)93 TEST_F(AuthorizationMatchersTest, OrAuthorizationMatcherSuccessfulMatch) {
94 args_.AddPairToMetadata("foo", "bar");
95 args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
96 EvaluateArgs args = args_.MakeEvaluateArgs();
97 HeaderMatcher header_matcher =
98 HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
99 /*matcher=*/"bar")
100 .value();
101 std::vector<std::unique_ptr<Rbac::Permission>> rules;
102 rules.push_back(absl::make_unique<Rbac::Permission>(
103 Rbac::Permission::RuleType::kHeader, header_matcher));
104 rules.push_back(absl::make_unique<Rbac::Permission>(
105 Rbac::Permission::RuleType::kDestPort, /*port=*/456));
106 OrAuthorizationMatcher matcher(std::move(rules));
107 // Matches as header rule matches even though port rule fails.
108 EXPECT_TRUE(matcher.Matches(args));
109 }
110
TEST_F(AuthorizationMatchersTest,OrAuthorizationMatcherFailedMatch)111 TEST_F(AuthorizationMatchersTest, OrAuthorizationMatcherFailedMatch) {
112 args_.AddPairToMetadata("foo", "not_bar");
113 EvaluateArgs args = args_.MakeEvaluateArgs();
114 std::vector<std::unique_ptr<Rbac::Permission>> rules;
115 rules.push_back(absl::make_unique<Rbac::Permission>(
116 Rbac::Permission::RuleType::kHeader,
117 HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
118 /*matcher=*/"bar")
119 .value()));
120 OrAuthorizationMatcher matcher(std::move(rules));
121 // Header rule fails. Expected value "bar", got "not_bar" for key "foo".
122 EXPECT_FALSE(matcher.Matches(args));
123 }
124
TEST_F(AuthorizationMatchersTest,NotOrAuthorizationMatcher)125 TEST_F(AuthorizationMatchersTest, NotOrAuthorizationMatcher) {
126 args_.AddPairToMetadata("foo", "not_bar");
127 EvaluateArgs args = args_.MakeEvaluateArgs();
128 std::vector<std::unique_ptr<Rbac::Permission>> rules;
129 rules.push_back(absl::make_unique<Rbac::Permission>(
130 Rbac::Permission::RuleType::kHeader,
131 HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
132 /*matcher=*/"bar")
133 .value()));
134 OrAuthorizationMatcher matcher(std::move(rules), /*not_rule=*/true);
135 EXPECT_TRUE(matcher.Matches(args));
136 }
137
TEST_F(AuthorizationMatchersTest,HybridAuthorizationMatcherSuccessfulMatch)138 TEST_F(AuthorizationMatchersTest, HybridAuthorizationMatcherSuccessfulMatch) {
139 args_.AddPairToMetadata("foo", "bar");
140 args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
141 EvaluateArgs args = args_.MakeEvaluateArgs();
142 std::vector<std::unique_ptr<Rbac::Permission>> sub_and_rules;
143 sub_and_rules.push_back(absl::make_unique<Rbac::Permission>(
144 Rbac::Permission::RuleType::kHeader,
145 HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
146 /*matcher=*/"bar")
147 .value()));
148 std::vector<std::unique_ptr<Rbac::Permission>> sub_or_rules;
149 sub_or_rules.push_back(absl::make_unique<Rbac::Permission>(
150 Rbac::Permission::RuleType::kDestPort, /*port=*/123));
151 std::vector<std::unique_ptr<Rbac::Permission>> and_rules;
152 and_rules.push_back(absl::make_unique<Rbac::Permission>(
153 Rbac::Permission::RuleType::kAnd, std::move(sub_and_rules)));
154 and_rules.push_back(absl::make_unique<Rbac::Permission>(
155 Rbac::Permission::RuleType::kOr, std::move(std::move(sub_or_rules))));
156 AndAuthorizationMatcher matcher(std::move(and_rules));
157 EXPECT_TRUE(matcher.Matches(args));
158 }
159
TEST_F(AuthorizationMatchersTest,HybridAuthorizationMatcherFailedMatch)160 TEST_F(AuthorizationMatchersTest, HybridAuthorizationMatcherFailedMatch) {
161 args_.AddPairToMetadata("foo", "bar");
162 args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
163 EvaluateArgs args = args_.MakeEvaluateArgs();
164 std::vector<std::unique_ptr<Rbac::Permission>> sub_and_rules;
165 sub_and_rules.push_back(absl::make_unique<Rbac::Permission>(
166 Rbac::Permission::RuleType::kHeader,
167 HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
168 /*matcher=*/"bar")
169 .value()));
170 sub_and_rules.push_back(absl::make_unique<Rbac::Permission>(
171 Rbac::Permission::RuleType::kHeader,
172 HeaderMatcher::Create(/*name=*/"absent_key", HeaderMatcher::Type::kExact,
173 /*matcher=*/"some_value")
174 .value()));
175 std::vector<std::unique_ptr<Rbac::Permission>> sub_or_rules;
176 sub_or_rules.push_back(absl::make_unique<Rbac::Permission>(
177 Rbac::Permission::RuleType::kDestPort, /*port=*/123));
178 std::vector<std::unique_ptr<Rbac::Permission>> and_rules;
179 and_rules.push_back(absl::make_unique<Rbac::Permission>(
180 Rbac::Permission::RuleType::kAnd, std::move(sub_and_rules)));
181 and_rules.push_back(absl::make_unique<Rbac::Permission>(
182 Rbac::Permission::RuleType::kOr, std::move(std::move(sub_or_rules))));
183 AndAuthorizationMatcher matcher(std::move(and_rules));
184 // Fails as "absent_key" header was not present.
185 EXPECT_FALSE(matcher.Matches(args));
186 }
187
TEST_F(AuthorizationMatchersTest,PathAuthorizationMatcherSuccessfulMatch)188 TEST_F(AuthorizationMatchersTest, PathAuthorizationMatcherSuccessfulMatch) {
189 args_.AddPairToMetadata(":path", "expected/path");
190 EvaluateArgs args = args_.MakeEvaluateArgs();
191 PathAuthorizationMatcher matcher(
192 StringMatcher::Create(StringMatcher::Type::kExact,
193 /*matcher=*/"expected/path",
194 /*case_sensitive=*/false)
195 .value());
196 EXPECT_TRUE(matcher.Matches(args));
197 }
198
TEST_F(AuthorizationMatchersTest,PathAuthorizationMatcherFailedMatch)199 TEST_F(AuthorizationMatchersTest, PathAuthorizationMatcherFailedMatch) {
200 args_.AddPairToMetadata(":path", "different/path");
201 EvaluateArgs args = args_.MakeEvaluateArgs();
202 PathAuthorizationMatcher matcher(
203 StringMatcher::Create(StringMatcher::Type::kExact,
204 /*matcher=*/"expected/path",
205 /*case_sensitive=*/false)
206 .value());
207 EXPECT_FALSE(matcher.Matches(args));
208 }
209
TEST_F(AuthorizationMatchersTest,NotPathAuthorizationMatcher)210 TEST_F(AuthorizationMatchersTest, NotPathAuthorizationMatcher) {
211 args_.AddPairToMetadata(":path", "expected/path");
212 EvaluateArgs args = args_.MakeEvaluateArgs();
213 PathAuthorizationMatcher matcher(
214 StringMatcher::Create(StringMatcher::Type::kExact, "expected/path", false)
215 .value(),
216 /*not_rule=*/true);
217 EXPECT_FALSE(matcher.Matches(args));
218 }
219
TEST_F(AuthorizationMatchersTest,PathAuthorizationMatcherFailedMatchMissingPath)220 TEST_F(AuthorizationMatchersTest,
221 PathAuthorizationMatcherFailedMatchMissingPath) {
222 EvaluateArgs args = args_.MakeEvaluateArgs();
223 PathAuthorizationMatcher matcher(
224 StringMatcher::Create(StringMatcher::Type::kExact,
225 /*matcher=*/"expected/path",
226 /*case_sensitive=*/false)
227 .value());
228 EXPECT_FALSE(matcher.Matches(args));
229 }
230
TEST_F(AuthorizationMatchersTest,HeaderAuthorizationMatcherSuccessfulMatch)231 TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherSuccessfulMatch) {
232 args_.AddPairToMetadata("key123", "foo_xxx");
233 EvaluateArgs args = args_.MakeEvaluateArgs();
234 HeaderAuthorizationMatcher matcher(
235 HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kPrefix,
236 /*matcher=*/"foo")
237 .value());
238 EXPECT_TRUE(matcher.Matches(args));
239 }
240
TEST_F(AuthorizationMatchersTest,HeaderAuthorizationMatcherFailedMatch)241 TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherFailedMatch) {
242 args_.AddPairToMetadata("key123", "foo");
243 EvaluateArgs args = args_.MakeEvaluateArgs();
244 HeaderAuthorizationMatcher matcher(
245 HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
246 /*matcher=*/"bar")
247 .value());
248 EXPECT_FALSE(matcher.Matches(args));
249 }
250
TEST_F(AuthorizationMatchersTest,HeaderAuthorizationMatcherFailedMatchMultivaluedHeader)251 TEST_F(AuthorizationMatchersTest,
252 HeaderAuthorizationMatcherFailedMatchMultivaluedHeader) {
253 args_.AddPairToMetadata("key123", "foo");
254 args_.AddPairToMetadata("key123", "bar");
255 EvaluateArgs args = args_.MakeEvaluateArgs();
256 HeaderAuthorizationMatcher matcher(
257 HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
258 /*matcher=*/"foo")
259 .value());
260 EXPECT_FALSE(matcher.Matches(args));
261 }
262
TEST_F(AuthorizationMatchersTest,HeaderAuthorizationMatcherFailedMatchMissingHeader)263 TEST_F(AuthorizationMatchersTest,
264 HeaderAuthorizationMatcherFailedMatchMissingHeader) {
265 EvaluateArgs args = args_.MakeEvaluateArgs();
266 HeaderAuthorizationMatcher matcher(
267 HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kSuffix,
268 /*matcher=*/"foo")
269 .value());
270 EXPECT_FALSE(matcher.Matches(args));
271 }
272
TEST_F(AuthorizationMatchersTest,NotHeaderAuthorizationMatcher)273 TEST_F(AuthorizationMatchersTest, NotHeaderAuthorizationMatcher) {
274 args_.AddPairToMetadata("key123", "foo");
275 EvaluateArgs args = args_.MakeEvaluateArgs();
276 HeaderAuthorizationMatcher matcher(
277 HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
278 /*matcher=*/"bar")
279 .value(),
280 /*not_rule=*/true);
281 EXPECT_TRUE(matcher.Matches(args));
282 }
283
TEST_F(AuthorizationMatchersTest,PortAuthorizationMatcherSuccessfulMatch)284 TEST_F(AuthorizationMatchersTest, PortAuthorizationMatcherSuccessfulMatch) {
285 args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
286 EvaluateArgs args = args_.MakeEvaluateArgs();
287 PortAuthorizationMatcher matcher(/*port=*/123);
288 EXPECT_TRUE(matcher.Matches(args));
289 }
290
TEST_F(AuthorizationMatchersTest,PortAuthorizationMatcherFailedMatch)291 TEST_F(AuthorizationMatchersTest, PortAuthorizationMatcherFailedMatch) {
292 args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
293 EvaluateArgs args = args_.MakeEvaluateArgs();
294 PortAuthorizationMatcher matcher(/*port=*/456);
295 EXPECT_FALSE(matcher.Matches(args));
296 }
297
TEST_F(AuthorizationMatchersTest,NotPortAuthorizationMatcher)298 TEST_F(AuthorizationMatchersTest, NotPortAuthorizationMatcher) {
299 args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
300 EvaluateArgs args = args_.MakeEvaluateArgs();
301 PortAuthorizationMatcher matcher(/*port=*/123, /*not_rule=*/true);
302 EXPECT_FALSE(matcher.Matches(args));
303 }
304
TEST_F(AuthorizationMatchersTest,AuthenticatedMatcherUnAuthenticatedConnection)305 TEST_F(AuthorizationMatchersTest,
306 AuthenticatedMatcherUnAuthenticatedConnection) {
307 EvaluateArgs args = args_.MakeEvaluateArgs();
308 AuthenticatedAuthorizationMatcher matcher(
309 StringMatcher::Create(StringMatcher::Type::kExact,
310 /*matcher=*/"foo.com",
311 /*case_sensitive=*/false)
312 .value());
313 EXPECT_FALSE(matcher.Matches(args));
314 }
315
TEST_F(AuthorizationMatchersTest,AuthenticatedMatcherAuthenticatedConnectionMatcherUnset)316 TEST_F(AuthorizationMatchersTest,
317 AuthenticatedMatcherAuthenticatedConnectionMatcherUnset) {
318 args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
319 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
320 EvaluateArgs args = args_.MakeEvaluateArgs();
321 AuthenticatedAuthorizationMatcher matcher(
322 StringMatcher::Create(StringMatcher::Type::kExact,
323 /*matcher=*/"",
324 /*case_sensitive=*/false)
325 .value());
326 EXPECT_TRUE(matcher.Matches(args));
327 }
328
TEST_F(AuthorizationMatchersTest,AuthenticatedMatcherSuccessfulSpiffeIdMatches)329 TEST_F(AuthorizationMatchersTest,
330 AuthenticatedMatcherSuccessfulSpiffeIdMatches) {
331 args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
332 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
333 args_.AddPropertyToAuthContext(GRPC_PEER_SPIFFE_ID_PROPERTY_NAME,
334 "spiffe://foo.abc");
335 EvaluateArgs args = args_.MakeEvaluateArgs();
336 AuthenticatedAuthorizationMatcher matcher(
337 StringMatcher::Create(StringMatcher::Type::kExact,
338 /*matcher=*/"spiffe://foo.abc",
339 /*case_sensitive=*/false)
340 .value());
341 EXPECT_TRUE(matcher.Matches(args));
342 }
343
TEST_F(AuthorizationMatchersTest,AuthenticatedMatcherFailedSpiffeIdMatches)344 TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedSpiffeIdMatches) {
345 args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
346 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
347 args_.AddPropertyToAuthContext(GRPC_PEER_SPIFFE_ID_PROPERTY_NAME,
348 "spiffe://bar.abc");
349 EvaluateArgs args = args_.MakeEvaluateArgs();
350 AuthenticatedAuthorizationMatcher matcher(
351 StringMatcher::Create(StringMatcher::Type::kExact,
352 /*matcher=*/"spiffe://foo.abc",
353 /*case_sensitive=*/false)
354 .value());
355 EXPECT_FALSE(matcher.Matches(args));
356 }
357
TEST_F(AuthorizationMatchersTest,AuthenticatedMatcherFailedNothingMatches)358 TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedNothingMatches) {
359 args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
360 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
361 EvaluateArgs args = args_.MakeEvaluateArgs();
362 AuthenticatedAuthorizationMatcher matcher(
363 StringMatcher::Create(StringMatcher::Type::kExact,
364 /*matcher=*/"foo",
365 /*case_sensitive=*/false)
366 .value());
367 EXPECT_FALSE(matcher.Matches(args));
368 }
369
TEST_F(AuthorizationMatchersTest,NotAuthenticatedMatcher)370 TEST_F(AuthorizationMatchersTest, NotAuthenticatedMatcher) {
371 args_.AddPropertyToAuthContext(GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
372 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
373 EvaluateArgs args = args_.MakeEvaluateArgs();
374 AuthenticatedAuthorizationMatcher matcher(
375 StringMatcher::Create(StringMatcher::Type::kExact, /*matcher=*/"foo",
376 /*case_sensitive=*/false)
377 .value(),
378 /*not_rule=*/true);
379 EXPECT_TRUE(matcher.Matches(args));
380 }
381
TEST_F(AuthorizationMatchersTest,PolicyAuthorizationMatcherSuccessfulMatch)382 TEST_F(AuthorizationMatchersTest, PolicyAuthorizationMatcherSuccessfulMatch) {
383 args_.AddPairToMetadata("key123", "foo");
384 EvaluateArgs args = args_.MakeEvaluateArgs();
385 std::vector<std::unique_ptr<Rbac::Permission>> rules;
386 rules.push_back(absl::make_unique<Rbac::Permission>(
387 Rbac::Permission::RuleType::kHeader,
388 HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
389 /*matcher=*/"foo")
390 .value()));
391 PolicyAuthorizationMatcher matcher(Rbac::Policy(
392 Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(rules)),
393 Rbac::Principal(Rbac::Principal::RuleType::kAny)));
394 EXPECT_TRUE(matcher.Matches(args));
395 }
396
TEST_F(AuthorizationMatchersTest,PolicyAuthorizationMatcherFailedMatch)397 TEST_F(AuthorizationMatchersTest, PolicyAuthorizationMatcherFailedMatch) {
398 args_.AddPairToMetadata("key123", "foo");
399 EvaluateArgs args = args_.MakeEvaluateArgs();
400 std::vector<std::unique_ptr<Rbac::Permission>> rules;
401 rules.push_back(absl::make_unique<Rbac::Permission>(
402 Rbac::Permission::RuleType::kHeader,
403 HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
404 /*matcher=*/"bar")
405 .value()));
406 PolicyAuthorizationMatcher matcher(Rbac::Policy(
407 Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(rules)),
408 Rbac::Principal(Rbac::Principal::RuleType::kAny)));
409 EXPECT_FALSE(matcher.Matches(args));
410 }
411
412 } // namespace grpc_core
413
main(int argc,char ** argv)414 int main(int argc, char** argv) {
415 ::testing::InitGoogleTest(&argc, argv);
416 grpc_init();
417 int ret = RUN_ALL_TESTS();
418 grpc_shutdown();
419 return ret;
420 }
421