1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include <grpc/support/port_platform.h>
16 
17 #include <gmock/gmock.h>
18 #include <gtest/gtest.h>
19 
20 #include "src/core/lib/security/authorization/grpc_authorization_engine.h"
21 
22 namespace grpc_core {
23 
// An allow-action engine must grant the request when at least one policy
// matches, and must report the name of the policy that produced the grant so
// the decision can be audited.
TEST(GrpcAuthorizationEngineTest, AllowEngineWithMatchingPolicy) {
  using Decision = AuthorizationEngine::Decision;
  std::map<std::string, Rbac::Policy> policy_map;
  // Negated kAny permission and principal: this test expects "policy1" not to
  // be the policy that is reported as matching.
  policy_map["policy1"] = Rbac::Policy(
      Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true),
      Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true));
  // Plain kAny permission and principal: the policy expected to match.
  policy_map["policy2"] =
      Rbac::Policy(Rbac::Permission(Rbac::Permission::RuleType::kAny),
                   Rbac::Principal(Rbac::Principal::RuleType::kAny));
  Rbac allow_rbac(Rbac::Action::kAllow, std::move(policy_map));
  GrpcAuthorizationEngine engine(std::move(allow_rbac));
  // EvaluateArgs is built from two null pointers; the kAny rules above are
  // expected to reach a decision without any request data behind them.
  const Decision outcome = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(outcome.type, Decision::Type::kAllow);
  EXPECT_EQ(outcome.matching_policy_name, "policy2");
}
40 
// An allow-action engine is default-deny: when none of its policies match,
// the request is denied and no policy name is reported.
TEST(GrpcAuthorizationEngineTest, AllowEngineWithNoMatchingPolicy) {
  using Decision = AuthorizationEngine::Decision;
  std::map<std::string, Rbac::Policy> policy_map;
  // The only policy uses negated kAny rules, which this test expects not to
  // match the request.
  policy_map["policy1"] = Rbac::Policy(
      Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true),
      Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true));
  Rbac allow_rbac(Rbac::Action::kAllow, std::move(policy_map));
  GrpcAuthorizationEngine engine(std::move(allow_rbac));
  const Decision outcome = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(outcome.type, Decision::Type::kDeny);
  EXPECT_TRUE(outcome.matching_policy_name.empty());
}
54 
// An allow-action engine constructed with no policies at all must deny every
// request: an empty allow list grants nothing.
TEST(GrpcAuthorizationEngineTest, AllowEngineWithEmptyPolicies) {
  using Decision = AuthorizationEngine::Decision;
  // Constructed from the action alone, so the engine holds no policies.
  GrpcAuthorizationEngine engine(Rbac::Action::kAllow);
  const Decision outcome = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(outcome.type, Decision::Type::kDeny);
  EXPECT_TRUE(outcome.matching_policy_name.empty());
}
62 
// A deny-action engine must reject the request when a policy matches, and
// must report the name of the policy that caused the rejection.
TEST(GrpcAuthorizationEngineTest, DenyEngineWithMatchingPolicy) {
  using Decision = AuthorizationEngine::Decision;
  std::map<std::string, Rbac::Policy> policy_map;
  // Negated kAny permission and principal: this test expects "policy1" not to
  // be the policy that is reported as matching.
  policy_map["policy1"] = Rbac::Policy(
      Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true),
      Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true));
  // Plain kAny permission and principal: the policy expected to match.
  policy_map["policy2"] =
      Rbac::Policy(Rbac::Permission(Rbac::Permission::RuleType::kAny),
                   Rbac::Principal(Rbac::Principal::RuleType::kAny));
  Rbac deny_rbac(Rbac::Action::kDeny, std::move(policy_map));
  GrpcAuthorizationEngine engine(std::move(deny_rbac));
  const Decision outcome = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(outcome.type, Decision::Type::kDeny);
  EXPECT_EQ(outcome.matching_policy_name, "policy2");
}
79 
// A deny-action engine is default-allow: when none of its policies match, the
// request is allowed and no policy name is reported. A deny engine on its own
// therefore does not give default-deny behaviour.
TEST(GrpcAuthorizationEngineTest, DenyEngineWithNoMatchingPolicy) {
  using Decision = AuthorizationEngine::Decision;
  std::map<std::string, Rbac::Policy> policy_map;
  // The only policy uses negated kAny rules, which this test expects not to
  // match the request.
  policy_map["policy1"] = Rbac::Policy(
      Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true),
      Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true));
  Rbac deny_rbac(Rbac::Action::kDeny, std::move(policy_map));
  GrpcAuthorizationEngine engine(std::move(deny_rbac));
  const Decision outcome = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(outcome.type, Decision::Type::kAllow);
  EXPECT_TRUE(outcome.matching_policy_name.empty());
}
93 
// A deny-action engine constructed with no policies allows every request: an
// empty deny list blocks nothing. This pins the fail-open side of the RBAC
// semantics, so a missing or empty deny policy set is not a safe default.
TEST(GrpcAuthorizationEngineTest, DenyEngineWithEmptyPolicies) {
  using Decision = AuthorizationEngine::Decision;
  // Constructed from the action alone, so the engine holds no policies.
  GrpcAuthorizationEngine engine(Rbac::Action::kDeny);
  const Decision outcome = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(outcome.type, Decision::Type::kAllow);
  EXPECT_TRUE(outcome.matching_policy_name.empty());
}
101 
102 }  // namespace grpc_core
103 
// Test binary entry point: hands the command line to GoogleTest and returns
// the result of running every registered test as the process exit status.
int main(int argc, char** argv) {
  // InitGoogleTest receives argc by address and argv, so it can consume the
  // flags it recognises before the tests run.
  ::testing::InitGoogleTest(&argc, argv);
  const int exit_status = RUN_ALL_TESTS();
  return exit_status;
}
108