1 // Copyright 2021 gRPC authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <grpc/support/port_platform.h>
16
17 #include <gmock/gmock.h>
18 #include <gtest/gtest.h>
19
20 #include "src/core/lib/security/authorization/grpc_authorization_engine.h"
21
namespace grpc_core {

namespace {

// Policy built as NOT(any permission) / NOT(any principal). The tests below
// rely on it never matching a request: an engine holding only this policy
// reports no matching policy name.
Rbac::Policy NeverMatchingPolicy() {
  return Rbac::Policy(
      Rbac::Permission(Rbac::Permission::RuleType::kNot,
                       Rbac::Permission(Rbac::Permission::RuleType::kAny)),
      Rbac::Principal(Rbac::Principal::RuleType::kNot,
                      Rbac::Principal(Rbac::Principal::RuleType::kAny)));
}

// Policy built as any permission / any principal. The tests below rely on it
// matching the request they evaluate.
Rbac::Policy AlwaysMatchingPolicy() {
  return Rbac::Policy(Rbac::Permission(Rbac::Permission::RuleType::kAny),
                      Rbac::Principal(Rbac::Principal::RuleType::kAny));
}

}  // namespace

// Every test evaluates EvaluateArgs(nullptr, nullptr); the only rule types
// used are kAny and kNot(kAny).
// NOTE(review): presumably these rule types never read request data, which is
// why null arguments are sufficient here - confirm against EvaluateArgs.

// ALLOW engine, one policy matches: the request is allowed and the decision
// names the matching policy. "policy1" sorts before "policy2" in the map and
// never matches, so a correct result cannot come from the first entry alone.
TEST(GrpcAuthorizationEngineTest, AllowEngineWithMatchingPolicy) {
  std::map<std::string, Rbac::Policy> policy_map;
  policy_map["policy1"] = NeverMatchingPolicy();
  policy_map["policy2"] = AlwaysMatchingPolicy();
  Rbac rules(Rbac::Action::kAllow, std::move(policy_map));
  GrpcAuthorizationEngine engine(std::move(rules));
  const auto result = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(result.type, AuthorizationEngine::Decision::Type::kAllow);
  EXPECT_EQ(result.matching_policy_name, "policy2");
}

// ALLOW engine, no policy matches: the request is denied (default-deny) and
// no policy name is reported.
TEST(GrpcAuthorizationEngineTest, AllowEngineWithNoMatchingPolicy) {
  std::map<std::string, Rbac::Policy> policy_map;
  policy_map["policy1"] = NeverMatchingPolicy();
  Rbac rules(Rbac::Action::kAllow, std::move(policy_map));
  GrpcAuthorizationEngine engine(std::move(rules));
  const auto result = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(result.type, AuthorizationEngine::Decision::Type::kDeny);
  EXPECT_TRUE(result.matching_policy_name.empty());
}

// ALLOW engine constructed from the action alone (no policies): everything is
// denied, i.e. an empty allow list fails closed.
TEST(GrpcAuthorizationEngineTest, AllowEngineWithEmptyPolicies) {
  GrpcAuthorizationEngine engine(Rbac::Action::kAllow);
  const auto result = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(result.type, AuthorizationEngine::Decision::Type::kDeny);
  EXPECT_TRUE(result.matching_policy_name.empty());
}

// DENY engine, one policy matches: the request is denied and the decision
// names the matching policy.
TEST(GrpcAuthorizationEngineTest, DenyEngineWithMatchingPolicy) {
  std::map<std::string, Rbac::Policy> policy_map;
  policy_map["policy1"] = NeverMatchingPolicy();
  policy_map["policy2"] = AlwaysMatchingPolicy();
  Rbac rules(Rbac::Action::kDeny, std::move(policy_map));
  GrpcAuthorizationEngine engine(std::move(rules));
  const auto result = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(result.type, AuthorizationEngine::Decision::Type::kDeny);
  EXPECT_EQ(result.matching_policy_name, "policy2");
}

// DENY engine, no policy matches: the request is allowed and no policy name is
// reported. A DENY engine on its own is therefore default-allow.
// NOTE(review): deployments that need default-deny presumably pair this with
// an ALLOW engine - confirm against the code that combines the two.
TEST(GrpcAuthorizationEngineTest, DenyEngineWithNoMatchingPolicy) {
  std::map<std::string, Rbac::Policy> policy_map;
  policy_map["policy1"] = NeverMatchingPolicy();
  Rbac rules(Rbac::Action::kDeny, std::move(policy_map));
  GrpcAuthorizationEngine engine(std::move(rules));
  const auto result = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(result.type, AuthorizationEngine::Decision::Type::kAllow);
  EXPECT_TRUE(result.matching_policy_name.empty());
}

// DENY engine constructed from the action alone (no policies): everything is
// allowed, so an empty or accidentally emptied deny list blocks nothing.
TEST(GrpcAuthorizationEngineTest, DenyEngineWithEmptyPolicies) {
  GrpcAuthorizationEngine engine(Rbac::Action::kDeny);
  const auto result = engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(result.type, AuthorizationEngine::Decision::Type::kAllow);
  EXPECT_TRUE(result.matching_policy_name.empty());
}

}  // namespace grpc_core
111
// Test binary entry point: hands the command line to GoogleTest and returns
// the status of the full test run as the process exit code.
int main(int argc, char** argv) {
  ::testing::InitGoogleTest(&argc, argv);
  const int exit_status = RUN_ALL_TESTS();
  return exit_status;
}