1 // Copyright 2021 gRPC authors.
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
7 // http://www.apache.org/licenses/LICENSE-2.0
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
15 #include <grpc/support/port_platform.h>
17 #include <gmock/gmock.h>
18 #include <gtest/gtest.h>
20 #include "src/core/lib/security/authorization/grpc_authorization_engine.h"
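// An allow-action engine grants the request when a policy matches and reports
// the name of the policy that matched.
TEST(GrpcAuthorizationEngineTest, AllowEngineWithMatchingPolicy) {
  // policy1 negates the match-anything rule for both the permission and the
  // principal; the expectations below show that it is not the policy reported.
  // The `Rbac::Policy policy1(` opener and the closing brace were missing from
  // the listing and are restored here from the later `std::move(policy1)` use.
  Rbac::Policy policy1(
      Rbac::Permission(Rbac::Permission::RuleType::kNot,
                       Rbac::Permission(Rbac::Permission::RuleType::kAny)),
      Rbac::Principal(Rbac::Principal::RuleType::kNot,
                      Rbac::Principal(Rbac::Principal::RuleType::kAny)));
  // policy2 matches any permission and any principal. The extra parentheses
  // keep the declaration from being parsed as a function declaration.
  Rbac::Policy policy2((Rbac::Permission(Rbac::Permission::RuleType::kAny)),
                       (Rbac::Principal(Rbac::Principal::RuleType::kAny)));
  std::map<std::string, Rbac::Policy> policies;
  policies["policy1"] = std::move(policy1);
  policies["policy2"] = std::move(policy2);
  Rbac rbac(Rbac::Action::kAllow, std::move(policies));
  GrpcAuthorizationEngine engine(std::move(rbac));
  // NOTE(review): no metadata or channel args are supplied; presumably the
  // kAny / kNot(kAny) rules never read request data -- confirm.
  AuthorizationEngine::Decision decision =
      engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kAllow);
  EXPECT_EQ(decision.matching_policy_name, "policy2");
}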
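// An allow-action engine denies the request when none of its policies match,
// and the decision carries no policy name.
TEST(GrpcAuthorizationEngineTest, AllowEngineWithNoMatchingPolicy) {
  // The only policy negates the match-anything rule on both sides; the
  // expectations below pin that it produces no match.
  // The `Rbac::Policy policy1(` opener and the closing brace were missing from
  // the listing and are restored here from the later `std::move(policy1)` use.
  Rbac::Policy policy1(
      Rbac::Permission(Rbac::Permission::RuleType::kNot,
                       Rbac::Permission(Rbac::Permission::RuleType::kAny)),
      Rbac::Principal(Rbac::Principal::RuleType::kNot,
                      Rbac::Principal(Rbac::Principal::RuleType::kAny)));
  std::map<std::string, Rbac::Policy> policies;
  policies["policy1"] = std::move(policy1);
  Rbac rbac(Rbac::Action::kAllow, std::move(policies));
  GrpcAuthorizationEngine engine(std::move(rbac));
  AuthorizationEngine::Decision decision =
      engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  // Default-deny: an allow list that matches nothing must reject the request.
  EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kDeny);
  EXPECT_TRUE(decision.matching_policy_name.empty());
}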
// An allow-action engine built without any policies denies the request and
// reports no matching policy name.
TEST(GrpcAuthorizationEngineTest, AllowEngineWithEmptyPolicies) {
  GrpcAuthorizationEngine allow_engine(Rbac::Action::kAllow);
  // Neither metadata nor channel args are supplied to the evaluation.
  const EvaluateArgs no_request_data(nullptr, nullptr);
  const AuthorizationEngine::Decision verdict =
      allow_engine.Evaluate(no_request_data);
  // An empty allow list grants nothing.
  EXPECT_EQ(verdict.type, AuthorizationEngine::Decision::Type::kDeny);
  EXPECT_TRUE(verdict.matching_policy_name.empty());
}
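// A deny-action engine rejects the request when a policy matches and reports
// the name of the policy that matched.
TEST(GrpcAuthorizationEngineTest, DenyEngineWithMatchingPolicy) {
  // policy1 negates the match-anything rule for both the permission and the
  // principal; the expectations below show that it is not the policy reported.
  // The `Rbac::Policy policy1(` opener and the closing brace were missing from
  // the listing and are restored here from the later `std::move(policy1)` use.
  Rbac::Policy policy1(
      Rbac::Permission(Rbac::Permission::RuleType::kNot,
                       Rbac::Permission(Rbac::Permission::RuleType::kAny)),
      Rbac::Principal(Rbac::Principal::RuleType::kNot,
                      Rbac::Principal(Rbac::Principal::RuleType::kAny)));
  // policy2 matches any permission and any principal. The extra parentheses
  // keep the declaration from being parsed as a function declaration.
  Rbac::Policy policy2((Rbac::Permission(Rbac::Permission::RuleType::kAny)),
                       (Rbac::Principal(Rbac::Principal::RuleType::kAny)));
  std::map<std::string, Rbac::Policy> policies;
  policies["policy1"] = std::move(policy1);
  policies["policy2"] = std::move(policy2);
  Rbac rbac(Rbac::Action::kDeny, std::move(policies));
  GrpcAuthorizationEngine engine(std::move(rbac));
  AuthorizationEngine::Decision decision =
      engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kDeny);
  EXPECT_EQ(decision.matching_policy_name, "policy2");
}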
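// A deny-action engine lets the request through when none of its policies
// match, and the decision carries no policy name.
TEST(GrpcAuthorizationEngineTest, DenyEngineWithNoMatchingPolicy) {
  // The only policy negates the match-anything rule on both sides; the
  // expectations below pin that it produces no match.
  // The `Rbac::Policy policy1(` opener and the closing brace were missing from
  // the listing and are restored here from the later `std::move(policy1)` use.
  Rbac::Policy policy1(
      Rbac::Permission(Rbac::Permission::RuleType::kNot,
                       Rbac::Permission(Rbac::Permission::RuleType::kAny)),
      Rbac::Principal(Rbac::Principal::RuleType::kNot,
                      Rbac::Principal(Rbac::Principal::RuleType::kAny)));
  std::map<std::string, Rbac::Policy> policies;
  policies["policy1"] = std::move(policy1);
  Rbac rbac(Rbac::Action::kDeny, std::move(policies));
  GrpcAuthorizationEngine engine(std::move(rbac));
  AuthorizationEngine::Decision decision =
      engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  // Default-allow: a deny list only blocks what it matches, so a request that
  // no policy matches is permitted.
  EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kAllow);
  EXPECT_TRUE(decision.matching_policy_name.empty());
}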
// A deny-action engine built without any policies allows the request and
// reports no matching policy name.
TEST(GrpcAuthorizationEngineTest, DenyEngineWithEmptyPolicies) {
  GrpcAuthorizationEngine deny_engine(Rbac::Action::kDeny);
  // Neither metadata nor channel args are supplied to the evaluation.
  const EvaluateArgs no_request_data(nullptr, nullptr);
  const AuthorizationEngine::Decision verdict =
      deny_engine.Evaluate(no_request_data);
  // An empty deny list restricts nothing, so the decision is allow.
  EXPECT_EQ(verdict.type, AuthorizationEngine::Decision::Type::kAllow);
  EXPECT_TRUE(verdict.matching_policy_name.empty());
}
110 } // namespace grpc_core
// Test binary entry point: passes the command line to GoogleTest, then runs
// every registered test and returns the resulting status.
int main(int argc, char** argv) {
  ::testing::InitGoogleTest(&argc, argv);
  const int exit_status = RUN_ALL_TESTS();
  return exit_status;
}