Chiebot-Mirror
/
grpc
mirror of https://github.com/grpc/grpc.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Correct enum naming style. (#26012)

Browse Source
pull/26010/head^2
Ashitha Santhosh 4 years ago committed by GitHub
parent f320107b5b
commit 16684bf11b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 365 additions and 360 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 32
      src/core/ext/xds/xds_api.cc
  2. 78
      src/core/lib/matchers/matchers.cc
  3. 56
      src/core/lib/matchers/matchers.h
  4. 34
      src/core/lib/security/authorization/matchers.cc
  5. 88
      src/core/lib/security/authorization/rbac_policy.cc
  6. 38
      src/core/lib/security/authorization/rbac_policy.h
  7. 40
      src/core/lib/security/authorization/rbac_translator.cc
  8. 6
      src/core/lib/security/credentials/xds/xds_credentials.cc
  9. 100
      test/core/security/authorization_matchers_test.cc
  10. 36
      test/core/security/matchers_test.cc
  11. 207
      test/core/security/rbac_translator_test.cc
  12. 10
      test/core/security/xds_credentials_test.cc

32
src/core/ext/xds/xds_api.cc
Unescape View File

@ -1231,7 +1231,7 @@ grpc_error* RoutePathMatchParse(const envoy_config_route_v3_RouteMatch* match,
return GRPC_ERROR_NONE;
}
}
type = StringMatcher::Type::PREFIX;
type = StringMatcher::Type::kPrefix;
match_string = std::string(prefix);
} else if (envoy_config_route_v3_RouteMatch_has_path(match)) {
absl::string_view path =
@ -1265,13 +1265,13 @@ grpc_error* RoutePathMatchParse(const envoy_config_route_v3_RouteMatch* match,
*ignore_route = true;
return GRPC_ERROR_NONE;
}
type = StringMatcher::Type::EXACT;
type = StringMatcher::Type::kExact;
match_string = std::string(path);
} else if (envoy_config_route_v3_RouteMatch_has_safe_regex(match)) {
const envoy_type_matcher_v3_RegexMatcher* regex_matcher =
envoy_config_route_v3_RouteMatch_safe_regex(match);
GPR_ASSERT(regex_matcher != nullptr);
type = StringMatcher::Type::SAFE_REGEX;
type = StringMatcher::Type::kSafeRegex;
match_string = UpbStringToStdString(
envoy_type_matcher_v3_RegexMatcher_regex(regex_matcher));
} else {
@ -1305,7 +1305,7 @@ grpc_error* RouteHeaderMatchersParse(
int64_t range_end = 0;
bool present_match = false;
if (envoy_config_route_v3_HeaderMatcher_has_exact_match(header)) {
type = HeaderMatcher::Type::EXACT;
type = HeaderMatcher::Type::kExact;
match_string = UpbStringToStdString(
envoy_config_route_v3_HeaderMatcher_exact_match(header));
} else if (envoy_config_route_v3_HeaderMatcher_has_safe_regex_match(
@ -1313,28 +1313,28 @@ grpc_error* RouteHeaderMatchersParse(
const envoy_type_matcher_v3_RegexMatcher* regex_matcher =
envoy_config_route_v3_HeaderMatcher_safe_regex_match(header);
GPR_ASSERT(regex_matcher != nullptr);
type = HeaderMatcher::Type::SAFE_REGEX;
type = HeaderMatcher::Type::kSafeRegex;
match_string = UpbStringToStdString(
envoy_type_matcher_v3_RegexMatcher_regex(regex_matcher));
} else if (envoy_config_route_v3_HeaderMatcher_has_range_match(header)) {
type = HeaderMatcher::Type::RANGE;
type = HeaderMatcher::Type::kRange;
const envoy_type_v3_Int64Range* range_matcher =
envoy_config_route_v3_HeaderMatcher_range_match(header);
range_start = envoy_type_v3_Int64Range_start(range_matcher);
range_end = envoy_type_v3_Int64Range_end(range_matcher);
} else if (envoy_config_route_v3_HeaderMatcher_has_present_match(header)) {
type = HeaderMatcher::Type::PRESENT;
type = HeaderMatcher::Type::kPresent;
present_match = envoy_config_route_v3_HeaderMatcher_present_match(header);
} else if (envoy_config_route_v3_HeaderMatcher_has_prefix_match(header)) {
type = HeaderMatcher::Type::PREFIX;
type = HeaderMatcher::Type::kPrefix;
match_string = UpbStringToStdString(
envoy_config_route_v3_HeaderMatcher_prefix_match(header));
} else if (envoy_config_route_v3_HeaderMatcher_has_suffix_match(header)) {
type = HeaderMatcher::Type::SUFFIX;
type = HeaderMatcher::Type::kSuffix;
match_string = UpbStringToStdString(
envoy_config_route_v3_HeaderMatcher_suffix_match(header));
} else if (envoy_config_route_v3_HeaderMatcher_has_contains_match(header)) {
type = HeaderMatcher::Type::CONTAINS;
type = HeaderMatcher::Type::kContains;
match_string = UpbStringToStdString(
envoy_config_route_v3_HeaderMatcher_contains_match(header));
} else {
@ -1796,31 +1796,31 @@ grpc_error* CommonTlsContextParse(
std::string matcher;
if (envoy_type_matcher_v3_StringMatcher_has_exact(
subject_alt_names_matchers[i])) {
type = StringMatcher::Type::EXACT;
type = StringMatcher::Type::kExact;
matcher =
UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_exact(
subject_alt_names_matchers[i]));
} else if (envoy_type_matcher_v3_StringMatcher_has_prefix(
subject_alt_names_matchers[i])) {
type = StringMatcher::Type::PREFIX;
type = StringMatcher::Type::kPrefix;
matcher =
UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_prefix(
subject_alt_names_matchers[i]));
} else if (envoy_type_matcher_v3_StringMatcher_has_suffix(
subject_alt_names_matchers[i])) {
type = StringMatcher::Type::SUFFIX;
type = StringMatcher::Type::kSuffix;
matcher =
UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_suffix(
subject_alt_names_matchers[i]));
} else if (envoy_type_matcher_v3_StringMatcher_has_contains(
subject_alt_names_matchers[i])) {
type = StringMatcher::Type::CONTAINS;
type = StringMatcher::Type::kContains;
matcher =
UpbStringToStdString(envoy_type_matcher_v3_StringMatcher_contains(
subject_alt_names_matchers[i]));
} else if (envoy_type_matcher_v3_StringMatcher_has_safe_regex(
subject_alt_names_matchers[i])) {
type = StringMatcher::Type::SAFE_REGEX;
type = StringMatcher::Type::kSafeRegex;
auto* regex_matcher = envoy_type_matcher_v3_StringMatcher_safe_regex(
subject_alt_names_matchers[i]);
matcher = UpbStringToStdString(
@ -1840,7 +1840,7 @@ grpc_error* CommonTlsContextParse(
string_matcher.status().message())
.c_str());
}
if (type == StringMatcher::Type::SAFE_REGEX && ignore_case) {
if (type == StringMatcher::Type::kSafeRegex && ignore_case) {
return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"StringMatcher: ignore_case has no effect for SAFE_REGEX.");
}

78
src/core/lib/matchers/matchers.cc
Unescape View File

@ -31,7 +31,7 @@ namespace grpc_core {
absl::StatusOr<StringMatcher> StringMatcher::Create(Type type,
absl::string_view matcher,
bool case_sensitive) {
if (type == Type::SAFE_REGEX) {
if (type == Type::kSafeRegex) {
RE2::Options options;
options.set_case_sensitive(case_sensitive);
auto regex_matcher = absl::make_unique<RE2>(std::string(matcher), options);
@ -51,13 +51,13 @@ StringMatcher::StringMatcher(Type type, absl::string_view matcher,
StringMatcher::StringMatcher(std::unique_ptr<RE2> regex_matcher,
bool case_sensitive)
: type_(Type::SAFE_REGEX),
: type_(Type::kSafeRegex),
regex_matcher_(std::move(regex_matcher)),
case_sensitive_(case_sensitive) {}
StringMatcher::StringMatcher(const StringMatcher& other)
: type_(other.type_), case_sensitive_(other.case_sensitive_) {
if (type_ == Type::SAFE_REGEX) {
if (type_ == Type::kSafeRegex) {
RE2::Options options;
options.set_case_sensitive(other.case_sensitive_);
regex_matcher_ =
@ -69,7 +69,7 @@ StringMatcher::StringMatcher(const StringMatcher& other)
StringMatcher& StringMatcher::operator=(const StringMatcher& other) {
type_ = other.type_;
if (type_ == Type::SAFE_REGEX) {
if (type_ == Type::kSafeRegex) {
RE2::Options options;
options.set_case_sensitive(other.case_sensitive_);
regex_matcher_ =
@ -83,7 +83,7 @@ StringMatcher& StringMatcher::operator=(const StringMatcher& other) {
StringMatcher::StringMatcher(StringMatcher&& other) noexcept
: type_(other.type_), case_sensitive_(other.case_sensitive_) {
if (type_ == Type::SAFE_REGEX) {
if (type_ == Type::kSafeRegex) {
regex_matcher_ = std::move(other.regex_matcher_);
} else {
string_matcher_ = std::move(other.string_matcher_);
@ -92,7 +92,7 @@ StringMatcher::StringMatcher(StringMatcher&& other) noexcept
StringMatcher& StringMatcher::operator=(StringMatcher&& other) noexcept {
type_ = other.type_;
if (type_ == Type::SAFE_REGEX) {
if (type_ == Type::kSafeRegex) {
regex_matcher_ = std::move(other.regex_matcher_);
} else {
string_matcher_ = std::move(other.string_matcher_);
@ -105,7 +105,7 @@ bool StringMatcher::operator==(const StringMatcher& other) const {
if (type_ != other.type_ || case_sensitive_ != other.case_sensitive_) {
return false;
}
if (type_ == Type::SAFE_REGEX) {
if (type_ == Type::kSafeRegex) {
return regex_matcher_->pattern() == other.regex_matcher_->pattern();
} else {
return string_matcher_ == other.string_matcher_;
@ -114,22 +114,22 @@ bool StringMatcher::operator==(const StringMatcher& other) const {
bool StringMatcher::Match(absl::string_view value) const {
switch (type_) {
case Type::EXACT:
case Type::kExact:
return case_sensitive_ ? value == string_matcher_
: absl::EqualsIgnoreCase(value, string_matcher_);
case StringMatcher::Type::PREFIX:
case StringMatcher::Type::kPrefix:
return case_sensitive_
? absl::StartsWith(value, string_matcher_)
: absl::StartsWithIgnoreCase(value, string_matcher_);
case StringMatcher::Type::SUFFIX:
case StringMatcher::Type::kSuffix:
return case_sensitive_ ? absl::EndsWith(value, string_matcher_)
: absl::EndsWithIgnoreCase(value, string_matcher_);
case StringMatcher::Type::CONTAINS:
case StringMatcher::Type::kContains:
return case_sensitive_
? absl::StrContains(value, string_matcher_)
: absl::StrContains(absl::AsciiStrToLower(value),
absl::AsciiStrToLower(string_matcher_));
case StringMatcher::Type::SAFE_REGEX:
case StringMatcher::Type::kSafeRegex:
return RE2::FullMatch(std::string(value), *regex_matcher_);
default:
return false;
@ -138,19 +138,19 @@ bool StringMatcher::Match(absl::string_view value) const {
std::string StringMatcher::ToString() const {
switch (type_) {
case Type::EXACT:
case Type::kExact:
return absl::StrFormat("StringMatcher{exact=%s%s}", string_matcher_,
case_sensitive_ ? "" : ", case_sensitive=false");
case Type::PREFIX:
case Type::kPrefix:
return absl::StrFormat("StringMatcher{prefix=%s%s}", string_matcher_,
case_sensitive_ ? "" : ", case_sensitive=false");
case Type::SUFFIX:
case Type::kSuffix:
return absl::StrFormat("StringMatcher{suffix=%s%s}", string_matcher_,
case_sensitive_ ? "" : ", case_sensitive=false");
case Type::CONTAINS:
case Type::kContains:
return absl::StrFormat("StringMatcher{contains=%s%s}", string_matcher_,
case_sensitive_ ? "" : ", case_sensitive=false");
case Type::SAFE_REGEX:
case Type::kSafeRegex:
return absl::StrFormat("StringMatcher{safe_regex=%s%s}",
regex_matcher_->pattern(),
case_sensitive_ ? "" : ", case_sensitive=false");
@ -177,7 +177,7 @@ absl::StatusOr<HeaderMatcher> HeaderMatcher::Create(
}
return HeaderMatcher(name, type, std::move(string_matcher.value()),
invert_match);
} else if (type == Type::RANGE) {
} else if (type == Type::kRange) {
if (range_start > range_end) {
return absl::InvalidArgumentError(
"Invalid range specifier specified: end cannot be smaller than "
@ -199,7 +199,7 @@ HeaderMatcher::HeaderMatcher(absl::string_view name, Type type,
HeaderMatcher::HeaderMatcher(absl::string_view name, int64_t range_start,
int64_t range_end, bool invert_match)
: name_(name),
type_(Type::RANGE),
type_(Type::kRange),
range_start_(range_start),
range_end_(range_end),
invert_match_(invert_match) {}
@ -207,7 +207,7 @@ HeaderMatcher::HeaderMatcher(absl::string_view name, int64_t range_start,
HeaderMatcher::HeaderMatcher(absl::string_view name, bool present_match,
bool invert_match)
: name_(name),
type_(Type::PRESENT),
type_(Type::kPresent),
present_match_(present_match),
invert_match_(invert_match) {}
@ -216,11 +216,11 @@ HeaderMatcher::HeaderMatcher(const HeaderMatcher& other)
type_(other.type_),
invert_match_(other.invert_match_) {
switch (type_) {
case Type::RANGE:
case Type::kRange:
range_start_ = other.range_start_;
range_end_ = other.range_end_;
break;
case Type::PRESENT:
case Type::kPresent:
present_match_ = other.present_match_;
break;
default:
@ -233,11 +233,11 @@ HeaderMatcher& HeaderMatcher::operator=(const HeaderMatcher& other) {
type_ = other.type_;
invert_match_ = other.invert_match_;
switch (type_) {
case Type::RANGE:
case Type::kRange:
range_start_ = other.range_start_;
range_end_ = other.range_end_;
break;
case Type::PRESENT:
case Type::kPresent:
present_match_ = other.present_match_;
break;
default:
@ -251,11 +251,11 @@ HeaderMatcher::HeaderMatcher(HeaderMatcher&& other) noexcept
type_(other.type_),
invert_match_(other.invert_match_) {
switch (type_) {
case Type::RANGE:
case Type::kRange:
range_start_ = other.range_start_;
range_end_ = other.range_end_;
break;
case Type::PRESENT:
case Type::kPresent:
present_match_ = other.present_match_;
break;
default:
@ -268,11 +268,11 @@ HeaderMatcher& HeaderMatcher::operator=(HeaderMatcher&& other) noexcept {
type_ = other.type_;
invert_match_ = other.invert_match_;
switch (type_) {
case Type::RANGE:
case Type::kRange:
range_start_ = other.range_start_;
range_end_ = other.range_end_;
break;
case Type::PRESENT:
case Type::kPresent:
present_match_ = other.present_match_;
break;
default:
@ -286,10 +286,10 @@ bool HeaderMatcher::operator==(const HeaderMatcher& other) const {
if (type_ != other.type_) return false;
if (invert_match_ != other.invert_match_) return false;
switch (type_) {
case Type::RANGE:
case Type::kRange:
return range_start_ == other.range_start_ &&
range_end_ == other.range_end_;
case Type::PRESENT:
case Type::kPresent:
return present_match_ == other.present_match_;
default:
return matcher_ == other.matcher_;
@ -299,12 +299,12 @@ bool HeaderMatcher::operator==(const HeaderMatcher& other) const {
bool HeaderMatcher::Match(
const absl::optional<absl::string_view>& value) const {
bool match;
if (type_ == Type::PRESENT) {
if (type_ == Type::kPresent) {
match = value.has_value() == present_match_;
} else if (!value.has_value()) {
// All other types fail to match if field is not present.
match = false;
} else if (type_ == Type::RANGE) {
} else if (type_ == Type::kRange) {
int64_t int_value;
match = absl::SimpleAtoi(value.value(), &int_value) &&
int_value >= range_start_ && int_value < range_end_;
@ -316,19 +316,19 @@ bool HeaderMatcher::Match(
std::string HeaderMatcher::ToString() const {
switch (type_) {
case Type::RANGE:
case Type::kRange:
return absl::StrFormat("HeaderMatcher{%s %srange=[%d, %d]}", name_,
invert_match_ ? "not " : "", range_start_,
range_end_);
case Type::PRESENT:
case Type::kPresent:
return absl::StrFormat("HeaderMatcher{%s %spresent=%s}", name_,
invert_match_ ? "not " : "",
present_match_ ? "true" : "false");
case Type::EXACT:
case Type::PREFIX:
case Type::SUFFIX:
case Type::SAFE_REGEX:
case Type::CONTAINS:
case Type::kExact:
case Type::kPrefix:
case Type::kSuffix:
case Type::kSafeRegex:
case Type::kContains:
return absl::StrFormat("HeaderMatcher{%s %s%s}", name_,
invert_match_ ? "not " : "", matcher_.ToString());
default:

56
src/core/lib/matchers/matchers.h
Unescape View File

@ -31,11 +31,11 @@ namespace grpc_core {
class StringMatcher {
public:
enum class Type {
EXACT, // value stored in string_matcher_ field
PREFIX, // value stored in string_matcher_ field
SUFFIX, // value stored in string_matcher_ field
SAFE_REGEX, // pattern stored in regex_matcher_ field
CONTAINS, // value stored in string_matcher_ field
kExact, // value stored in string_matcher_ field
kPrefix, // value stored in string_matcher_ field
kSuffix, // value stored in string_matcher_ field
kSafeRegex, // pattern stored in regex_matcher_ field
kContains, // value stored in string_matcher_ field
};
// Creates StringMatcher instance. Returns error status on failure.
@ -56,10 +56,10 @@ class StringMatcher {
Type type() const { return type_; }
// Valid for EXACT, PREFIX, SUFFIX and CONTAINS
// Valid for kExact, kPrefix, kSuffix and kContains.
const std::string& string_matcher() const { return string_matcher_; }
// Valid for SAFE_REGEX
// Valid for kSafeRegex.
RE2* regex_matcher() const { return regex_matcher_.get(); }
bool case_sensitive() const { return case_sensitive_; }
@ -68,7 +68,7 @@ class StringMatcher {
StringMatcher(Type type, absl::string_view matcher, bool case_sensitive);
StringMatcher(std::unique_ptr<RE2> regex_matcher, bool case_sensitive);
Type type_ = Type::EXACT;
Type type_ = Type::kExact;
std::string string_matcher_;
std::unique_ptr<RE2> regex_matcher_;
bool case_sensitive_ = true;
@ -77,32 +77,32 @@ class StringMatcher {
class HeaderMatcher {
public:
enum class Type {
EXACT, // value stored in StringMatcher field
PREFIX, // value stored in StringMatcher field
SUFFIX, // value stored in StringMatcher field
SAFE_REGEX, // value stored in StringMatcher field
CONTAINS, // value stored in StringMatcher field
RANGE, // uses range_start and range_end fields
PRESENT, // uses present_match field
kExact, // value stored in StringMatcher field
kPrefix, // value stored in StringMatcher field
kSuffix, // value stored in StringMatcher field
kSafeRegex, // value stored in StringMatcher field
kContains, // value stored in StringMatcher field
kRange, // uses range_start and range_end fields
kPresent, // uses present_match field
};
// Make sure that the first five HeaderMatcher::Type enum values match up to
// the corresponding StringMatcher::Type enum values, so that it's safe to
// convert by casting when delegating to StringMatcher.
static_assert(static_cast<StringMatcher::Type>(Type::EXACT) ==
StringMatcher::Type::EXACT,
static_assert(static_cast<StringMatcher::Type>(Type::kExact) ==
StringMatcher::Type::kExact,
"");
static_assert(static_cast<StringMatcher::Type>(Type::PREFIX) ==
StringMatcher::Type::PREFIX,
static_assert(static_cast<StringMatcher::Type>(Type::kPrefix) ==
StringMatcher::Type::kPrefix,
"");
static_assert(static_cast<StringMatcher::Type>(Type::SUFFIX) ==
StringMatcher::Type::SUFFIX,
static_assert(static_cast<StringMatcher::Type>(Type::kSuffix) ==
StringMatcher::Type::kSuffix,
"");
static_assert(static_cast<StringMatcher::Type>(Type::SAFE_REGEX) ==
StringMatcher::Type::SAFE_REGEX,
static_assert(static_cast<StringMatcher::Type>(Type::kSafeRegex) ==
StringMatcher::Type::kSafeRegex,
"");
static_assert(static_cast<StringMatcher::Type>(Type::CONTAINS) ==
StringMatcher::Type::CONTAINS,
static_assert(static_cast<StringMatcher::Type>(Type::kContains) ==
StringMatcher::Type::kContains,
"");
// Creates HeaderMatcher instance. Returns error status on failure.
@ -124,12 +124,12 @@ class HeaderMatcher {
Type type() const { return type_; }
// Valid for EXACT, PREFIX, SUFFIX and CONTAINS
// Valid for kExact, kPrefix, kSuffix and kContains.
const std::string& string_matcher() const {
return matcher_.string_matcher();
}
// Valid for SAFE_REGEX
// Valid for kSafeRegex.
RE2* regex_matcher() const { return matcher_.regex_matcher(); }
bool Match(const absl::optional<absl::string_view>& value) const;
@ -147,7 +147,7 @@ class HeaderMatcher {
HeaderMatcher(absl::string_view name, bool present_match, bool invert_match);
std::string name_;
Type type_ = Type::EXACT;
Type type_ = Type::kExact;
StringMatcher matcher_;
int64_t range_start_;
int64_t range_end_;

34
src/core/lib/security/authorization/matchers.cc
Unescape View File

@ -45,27 +45,27 @@ bool AuthenticatedMatchesHelper(const EvaluateArgs& args,
std::unique_ptr<AuthorizationMatcher> AuthorizationMatcher::Create(
Rbac::Permission permission) {
switch (permission.type) {
case Rbac::Permission::RuleType::AND:
case Rbac::Permission::RuleType::kAnd:
return absl::make_unique<AndAuthorizationMatcher>(
std::move(permission.permissions), permission.not_rule);
case Rbac::Permission::RuleType::OR:
case Rbac::Permission::RuleType::kOr:
return absl::make_unique<OrAuthorizationMatcher>(
std::move(permission.permissions), permission.not_rule);
case Rbac::Permission::RuleType::ANY:
case Rbac::Permission::RuleType::kAny:
return absl::make_unique<AlwaysAuthorizationMatcher>(permission.not_rule);
case Rbac::Permission::RuleType::HEADER:
case Rbac::Permission::RuleType::kHeader:
return absl::make_unique<HeaderAuthorizationMatcher>(
std::move(permission.header_matcher), permission.not_rule);
case Rbac::Permission::RuleType::PATH:
case Rbac::Permission::RuleType::kPath:
return absl::make_unique<PathAuthorizationMatcher>(
std::move(permission.string_matcher), permission.not_rule);
case Rbac::Permission::RuleType::DEST_IP:
case Rbac::Permission::RuleType::kDestIp:
return absl::make_unique<IpAuthorizationMatcher>(std::move(permission.ip),
permission.not_rule);
case Rbac::Permission::RuleType::DEST_PORT:
case Rbac::Permission::RuleType::kDestPort:
return absl::make_unique<PortAuthorizationMatcher>(permission.port,
permission.not_rule);
case Rbac::Permission::RuleType::REQ_SERVER_NAME:
case Rbac::Permission::RuleType::kReqServerName:
return absl::make_unique<ReqServerNameAuthorizationMatcher>(
std::move(permission.string_matcher), permission.not_rule);
}
@ -75,26 +75,26 @@ std::unique_ptr<AuthorizationMatcher> AuthorizationMatcher::Create(
std::unique_ptr<AuthorizationMatcher> AuthorizationMatcher::Create(
Rbac::Principal principal) {
switch (principal.type) {
case Rbac::Principal::RuleType::AND:
case Rbac::Principal::RuleType::kAnd:
return absl::make_unique<AndAuthorizationMatcher>(
std::move(principal.principals), principal.not_rule);
case Rbac::Principal::RuleType::OR:
case Rbac::Principal::RuleType::kOr:
return absl::make_unique<OrAuthorizationMatcher>(
std::move(principal.principals), principal.not_rule);
case Rbac::Principal::RuleType::ANY:
case Rbac::Principal::RuleType::kAny:
return absl::make_unique<AlwaysAuthorizationMatcher>(principal.not_rule);
case Rbac::Principal::RuleType::PRINCIPAL_NAME:
case Rbac::Principal::RuleType::kPrincipalName:
return absl::make_unique<AuthenticatedAuthorizationMatcher>(
std::move(principal.string_matcher), principal.not_rule);
case Rbac::Principal::RuleType::SOURCE_IP:
case Rbac::Principal::RuleType::DIRECT_REMOTE_IP:
case Rbac::Principal::RuleType::REMOTE_IP:
case Rbac::Principal::RuleType::kSourceIp:
case Rbac::Principal::RuleType::kDirectRemoteIp:
case Rbac::Principal::RuleType::kRemoteIp:
return absl::make_unique<IpAuthorizationMatcher>(std::move(principal.ip),
principal.not_rule);
case Rbac::Principal::RuleType::HEADER:
case Rbac::Principal::RuleType::kHeader:
return absl::make_unique<HeaderAuthorizationMatcher>(
std::move(principal.header_matcher), principal.not_rule);
case Rbac::Principal::RuleType::PATH:
case Rbac::Principal::RuleType::kPath:
return absl::make_unique<PathAuthorizationMatcher>(
std::move(principal.string_matcher), principal.not_rule);
}

88
src/core/lib/security/authorization/rbac_policy.cc
Unescape View File

@ -40,7 +40,7 @@ Rbac& Rbac::operator=(Rbac&& other) noexcept {
std::string Rbac::ToString() const {
std::vector<std::string> contents;
contents.push_back(absl::StrFormat(
"Rbac action=%s{", action == Rbac::Action::ALLOW ? "Allow" : "Deny"));
"Rbac action=%s{", action == Rbac::Action::kAllow ? "Allow" : "Deny"));
for (const auto& p : policies) {
contents.push_back(absl::StrFormat("{\n policy_name=%s\n%s\n}", p.first,
p.second.ToString()));
@ -100,20 +100,20 @@ Rbac::Permission::Permission(Permission::RuleType type, int port, bool not_rule)
Rbac::Permission::Permission(Rbac::Permission&& other) noexcept
: type(other.type), not_rule(other.not_rule) {
switch (type) {
case RuleType::AND:
case RuleType::OR:
case RuleType::kAnd:
case RuleType::kOr:
permissions = std::move(other.permissions);
break;
case RuleType::ANY:
case RuleType::kAny:
break;
case RuleType::HEADER:
case RuleType::kHeader:
header_matcher = std::move(other.header_matcher);
break;
case RuleType::PATH:
case RuleType::REQ_SERVER_NAME:
case RuleType::kPath:
case RuleType::kReqServerName:
string_matcher = std::move(other.string_matcher);
break;
case RuleType::DEST_IP:
case RuleType::kDestIp:
ip = std::move(other.ip);
break;
default:
@ -126,20 +126,20 @@ Rbac::Permission& Rbac::Permission::operator=(
type = other.type;
not_rule = other.not_rule;
switch (type) {
case RuleType::AND:
case RuleType::OR:
case RuleType::kAnd:
case RuleType::kOr:
permissions = std::move(other.permissions);
break;
case RuleType::ANY:
case RuleType::kAny:
break;
case RuleType::HEADER:
case RuleType::kHeader:
header_matcher = std::move(other.header_matcher);
break;
case RuleType::PATH:
case RuleType::REQ_SERVER_NAME:
case RuleType::kPath:
case RuleType::kReqServerName:
string_matcher = std::move(other.string_matcher);
break;
case RuleType::DEST_IP:
case RuleType::kDestIp:
ip = std::move(other.ip);
break;
default:
@ -150,7 +150,7 @@ Rbac::Permission& Rbac::Permission::operator=(
std::string Rbac::Permission::ToString() const {
switch (type) {
case RuleType::AND: {
case RuleType::kAnd: {
std::vector<std::string> contents;
contents.reserve(permissions.size());
for (const auto& permission : permissions) {
@ -159,7 +159,7 @@ std::string Rbac::Permission::ToString() const {
return absl::StrFormat("%sand=[%s]", not_rule ? "not " : "",
absl::StrJoin(contents, ","));
}
case RuleType::OR: {
case RuleType::kOr: {
std::vector<std::string> contents;
contents.reserve(permissions.size());
for (const auto& permission : permissions) {
@ -168,20 +168,20 @@ std::string Rbac::Permission::ToString() const {
return absl::StrFormat("%sor=[%s]", not_rule ? "not " : "",
absl::StrJoin(contents, ","));
}
case RuleType::ANY:
case RuleType::kAny:
return absl::StrFormat("%sany", not_rule ? "not " : "");
case RuleType::HEADER:
case RuleType::kHeader:
return absl::StrFormat("%sheader=%s", not_rule ? "not " : "",
header_matcher.ToString());
case RuleType::PATH:
case RuleType::kPath:
return absl::StrFormat("%spath=%s", not_rule ? "not " : "",
string_matcher.ToString());
case RuleType::DEST_IP:
case RuleType::kDestIp:
return absl::StrFormat("%sdest_ip=%s", not_rule ? "not " : "",
ip.ToString());
case RuleType::DEST_PORT:
case RuleType::kDestPort:
return absl::StrFormat("%sdest_port=%d", not_rule ? "not " : "", port);
case RuleType::REQ_SERVER_NAME:
case RuleType::kReqServerName:
return absl::StrFormat("%srequested_server_name=%s",
not_rule ? "not " : "", string_matcher.ToString());
default:
@ -216,17 +216,17 @@ Rbac::Principal::Principal(Principal::RuleType type,
Rbac::Principal::Principal(Rbac::Principal&& other) noexcept
: type(other.type), not_rule(other.not_rule) {
switch (type) {
case RuleType::AND:
case RuleType::OR:
case RuleType::kAnd:
case RuleType::kOr:
principals = std::move(other.principals);
break;
case RuleType::ANY:
case RuleType::kAny:
break;
case RuleType::HEADER:
case RuleType::kHeader:
header_matcher = std::move(other.header_matcher);
break;
case RuleType::PRINCIPAL_NAME:
case RuleType::PATH:
case RuleType::kPrincipalName:
case RuleType::kPath:
string_matcher = std::move(other.string_matcher);
break;
default:
@ -238,17 +238,17 @@ Rbac::Principal& Rbac::Principal::operator=(Rbac::Principal&& other) noexcept {
type = other.type;
not_rule = other.not_rule;
switch (type) {
case RuleType::AND:
case RuleType::OR:
case RuleType::kAnd:
case RuleType::kOr:
principals = std::move(other.principals);
break;
case RuleType::ANY:
case RuleType::kAny:
break;
case RuleType::HEADER:
case RuleType::kHeader:
header_matcher = std::move(other.header_matcher);
break;
case RuleType::PRINCIPAL_NAME:
case RuleType::PATH:
case RuleType::kPrincipalName:
case RuleType::kPath:
string_matcher = std::move(other.string_matcher);
break;
default:
@ -259,7 +259,7 @@ Rbac::Principal& Rbac::Principal::operator=(Rbac::Principal&& other) noexcept {
std::string Rbac::Principal::ToString() const {
switch (type) {
case RuleType::AND: {
case RuleType::kAnd: {
std::vector<std::string> contents;
contents.reserve(principals.size());
for (const auto& principal : principals) {
@ -268,7 +268,7 @@ std::string Rbac::Principal::ToString() const {
return absl::StrFormat("%sand=[%s]", not_rule ? "not " : "",
absl::StrJoin(contents, ","));
}
case RuleType::OR: {
case RuleType::kOr: {
std::vector<std::string> contents;
contents.reserve(principals.size());
for (const auto& principal : principals) {
@ -277,24 +277,24 @@ std::string Rbac::Principal::ToString() const {
return absl::StrFormat("%sor=[%s]", not_rule ? "not " : "",
absl::StrJoin(contents, ","));
}
case RuleType::ANY:
case RuleType::kAny:
return absl::StrFormat("%sany", not_rule ? "not " : "");
case RuleType::PRINCIPAL_NAME:
case RuleType::kPrincipalName:
return absl::StrFormat("%sprincipal_name=%s", not_rule ? "not " : "",
string_matcher.ToString());
case RuleType::SOURCE_IP:
case RuleType::kSourceIp:
return absl::StrFormat("%ssource_ip=%s", not_rule ? "not " : "",
ip.ToString());
case RuleType::DIRECT_REMOTE_IP:
case RuleType::kDirectRemoteIp:
return absl::StrFormat("%sdirect_remote_ip=%s", not_rule ? "not " : "",
ip.ToString());
case RuleType::REMOTE_IP:
case RuleType::kRemoteIp:
return absl::StrFormat("%sremote_ip=%s", not_rule ? "not " : "",
ip.ToString());
case RuleType::HEADER:
case RuleType::kHeader:
return absl::StrFormat("%sheader=%s", not_rule ? "not " : "",
header_matcher.ToString());
case RuleType::PATH:
case RuleType::kPath:
return absl::StrFormat("%spath=%s", not_rule ? "not " : "",
string_matcher.ToString());
default:

38
src/core/lib/security/authorization/rbac_policy.h
Unescape View File

@ -27,8 +27,8 @@ namespace grpc_core {
// https://github.com/envoyproxy/envoy/blob/release/v1.17/api/envoy/config/rbac/v3/rbac.proto]
struct Rbac {
enum class Action {
ALLOW,
DENY,
kAllow,
kDeny,
};
struct CidrRange {
@ -47,14 +47,14 @@ struct Rbac {
// TODO(ashithasantosh): Add metadata field to Permission and Principal.
struct Permission {
enum class RuleType {
AND,
OR,
ANY,
HEADER,
PATH,
DEST_IP,
DEST_PORT,
REQ_SERVER_NAME,
kAnd,
kOr,
kAny,
kHeader,
kPath,
kDestIp,
kDestPort,
kReqServerName,
};
Permission() = default;
@ -92,15 +92,15 @@ struct Rbac {
struct Principal {
enum class RuleType {
AND,
OR,
ANY,
PRINCIPAL_NAME,
SOURCE_IP,
DIRECT_REMOTE_IP,
REMOTE_IP,
HEADER,
PATH,
kAnd,
kOr,
kAny,
kPrincipalName,
kSourceIp,
kDirectRemoteIp,
kRemoteIp,
kHeader,
kPath,
};
Principal() = default;

40
src/core/lib/security/authorization/rbac_translator.cc
Unescape View File

@ -29,16 +29,16 @@ namespace {
absl::string_view GetMatcherType(absl::string_view value,
StringMatcher::Type* type) {
if (value == "*") {
*type = StringMatcher::Type::PREFIX;
*type = StringMatcher::Type::kPrefix;
return "";
} else if (absl::StartsWith(value, "*")) {
*type = StringMatcher::Type::SUFFIX;
*type = StringMatcher::Type::kSuffix;
return absl::StripPrefix(value, "*");
} else if (absl::EndsWith(value, "*")) {
*type = StringMatcher::Type::PREFIX;
*type = StringMatcher::Type::kPrefix;
return absl::StripSuffix(value, "*");
}
*type = StringMatcher::Type::EXACT;
*type = StringMatcher::Type::kExact;
return value;
}
@ -71,10 +71,10 @@ absl::StatusOr<Rbac::Principal> ParsePrincipalsArray(const Json& json) {
matcher_or.status().message()));
}
principal_names.push_back(absl::make_unique<Rbac::Principal>(
Rbac::Principal::RuleType::PRINCIPAL_NAME,
Rbac::Principal::RuleType::kPrincipalName,
std::move(matcher_or.value())));
}
return Rbac::Principal(Rbac::Principal::RuleType::OR,
return Rbac::Principal(Rbac::Principal::RuleType::kOr,
std::move(principal_names));
}
@ -93,9 +93,9 @@ absl::StatusOr<Rbac::Principal> ParsePeer(const Json& json) {
}
}
if (peer.empty()) {
return Rbac::Principal(Rbac::Principal::RuleType::ANY);
return Rbac::Principal(Rbac::Principal::RuleType::kAny);
}
return Rbac::Principal(Rbac::Principal::RuleType::AND, std::move(peer));
return Rbac::Principal(Rbac::Principal::RuleType::kAnd, std::move(peer));
}
absl::StatusOr<Rbac::Permission> ParseHeaderValues(
@ -117,9 +117,9 @@ absl::StatusOr<Rbac::Permission> ParseHeaderValues(
absl::StrCat("\"values\" ", i, ": ", matcher_or.status().message()));
}
values.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER, std::move(matcher_or.value())));
Rbac::Permission::RuleType::kHeader, std::move(matcher_or.value())));
}
return Rbac::Permission(Rbac::Permission::RuleType::OR, std::move(values));
return Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(values));
}
absl::StatusOr<Rbac::Permission> ParseHeaders(const Json& json) {
@ -165,7 +165,7 @@ absl::StatusOr<Rbac::Permission> ParseHeadersArray(const Json& json) {
headers.push_back(
absl::make_unique<Rbac::Permission>(std::move(headers_or.value())));
}
return Rbac::Permission(Rbac::Permission::RuleType::AND, std::move(headers));
return Rbac::Permission(Rbac::Permission::RuleType::kAnd, std::move(headers));
}
absl::StatusOr<Rbac::Permission> ParsePathsArray(const Json& json) {
@ -183,9 +183,9 @@ absl::StatusOr<Rbac::Permission> ParsePathsArray(const Json& json) {
absl::StrCat("\"paths\" ", i, ": ", matcher_or.status().message()));
}
paths.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::PATH, std::move(matcher_or.value())));
Rbac::Permission::RuleType::kPath, std::move(matcher_or.value())));
}
return Rbac::Permission(Rbac::Permission::RuleType::OR, std::move(paths));
return Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(paths));
}
absl::StatusOr<Rbac::Permission> ParseRequest(const Json& json) {
@ -215,9 +215,9 @@ absl::StatusOr<Rbac::Permission> ParseRequest(const Json& json) {
}
}
if (request.empty()) {
return Rbac::Permission(Rbac::Permission::RuleType::ANY);
return Rbac::Permission(Rbac::Permission::RuleType::kAny);
}
return Rbac::Permission(Rbac::Permission::RuleType::AND, std::move(request));
return Rbac::Permission(Rbac::Permission::RuleType::kAnd, std::move(request));
}
absl::StatusOr<Rbac::Policy> ParseRules(const Json& json) {
@ -231,7 +231,7 @@ absl::StatusOr<Rbac::Policy> ParseRules(const Json& json) {
if (!peer_or.ok()) return peer_or.status();
principals = std::move(peer_or.value());
} else {
principals = Rbac::Principal(Rbac::Principal::RuleType::ANY);
principals = Rbac::Principal(Rbac::Principal::RuleType::kAny);
}
Rbac::Permission permissions;
it = json.object_value().find("request");
@ -243,7 +243,7 @@ absl::StatusOr<Rbac::Policy> ParseRules(const Json& json) {
if (!request_or.ok()) return request_or.status();
permissions = std::move(request_or.value());
} else {
permissions = Rbac::Permission(Rbac::Permission::RuleType::ANY);
permissions = Rbac::Permission(Rbac::Permission::RuleType::kAny);
}
return Rbac::Policy(std::move(permissions), std::move(principals));
}
@ -283,14 +283,14 @@ absl::StatusOr<Rbac> ParseDenyRulesArray(const Json& json,
absl::string_view name) {
auto policies_or = ParseRulesArray(json, name);
if (!policies_or.ok()) return policies_or.status();
return Rbac(Rbac::Action::DENY, std::move(policies_or.value()));
return Rbac(Rbac::Action::kDeny, std::move(policies_or.value()));
}
absl::StatusOr<Rbac> ParseAllowRulesArray(const Json& json,
absl::string_view name) {
auto policies_or = ParseRulesArray(json, name);
if (!policies_or.ok()) return policies_or.status();
return Rbac(Rbac::Action::ALLOW, std::move(policies_or.value()));
return Rbac(Rbac::Action::kAllow, std::move(policies_or.value()));
}
} // namespace
@ -332,7 +332,7 @@ absl::StatusOr<RbacPolicies> GenerateRbacPolicies(
}
rbac_policies.deny_policy = std::move(deny_policy_or.value());
} else {
rbac_policies.deny_policy.action = Rbac::Action::DENY;
rbac_policies.deny_policy.action = Rbac::Action::kDeny;
}
it = json.mutable_object()->find("allow_rules");
if (it == json.mutable_object()->end()) {

6
src/core/lib/security/credentials/xds/xds_credentials.cc
Unescape View File

@ -40,13 +40,13 @@ bool XdsVerifySubjectAlternativeNames(
if (matchers.empty()) return true;
for (size_t i = 0; i < subject_alternative_names_size; ++i) {
for (const auto& matcher : matchers) {
if (matcher.type() == StringMatcher::Type::EXACT) {
// For EXACT match, use DNS rules for verifying SANs
if (matcher.type() == StringMatcher::Type::kExact) {
// For Exact match, use DNS rules for verifying SANs
// TODO(zhenlian): Right now, the SSL layer does not save the type of
// the SAN, so we are doing a DNS style verification for all SANs when
// the type is EXACT. When we expose the SAN type, change this to only
// do this verification when the SAN type is DNS and match type is
// EXACT. For all other cases, we should use matcher.Match().
// kExact. For all other cases, we should use matcher.Match().
if (VerifySubjectAlternativeName(subject_alternative_names[i],
matcher.string_matcher())) {
return true;

100
test/core/security/authorization_matchers_test.cc
Unescape View File

@ -48,12 +48,12 @@ TEST_F(AuthorizationMatchersTest, AndAuthorizationMatcherSuccessfulMatch) {
EvaluateArgs args = args_.MakeEvaluateArgs();
std::vector<std::unique_ptr<Rbac::Permission>> rules;
rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::EXACT,
Rbac::Permission::RuleType::kHeader,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
/*matcher=*/"bar")
.value()));
rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::DEST_PORT, /*port=*/123));
Rbac::Permission::RuleType::kDestPort, /*port=*/123));
AndAuthorizationMatcher matcher(std::move(rules));
EXPECT_TRUE(matcher.Matches(args));
}
@ -64,12 +64,12 @@ TEST_F(AuthorizationMatchersTest, AndAuthorizationMatcherFailedMatch) {
EvaluateArgs args = args_.MakeEvaluateArgs();
std::vector<std::unique_ptr<Rbac::Permission>> rules;
rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::EXACT,
Rbac::Permission::RuleType::kHeader,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
/*matcher=*/"bar")
.value()));
rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::DEST_PORT, /*port=*/123));
Rbac::Permission::RuleType::kDestPort, /*port=*/123));
AndAuthorizationMatcher matcher(std::move(rules));
// Header rule fails. Expected value "bar", got "not_bar" for key "foo".
EXPECT_FALSE(matcher.Matches(args));
@ -79,13 +79,13 @@ TEST_F(AuthorizationMatchersTest, NotAndAuthorizationMatcher) {
args_.AddPairToMetadata(":path", "/expected/foo");
EvaluateArgs args = args_.MakeEvaluateArgs();
StringMatcher string_matcher =
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"/expected/foo",
/*case_sensitive=*/false)
.value();
std::vector<std::unique_ptr<Rbac::Permission>> ids;
ids.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::PATH, std::move(string_matcher)));
Rbac::Permission::RuleType::kPath, std::move(string_matcher)));
AndAuthorizationMatcher matcher(std::move(ids), /*not_rule=*/true);
EXPECT_FALSE(matcher.Matches(args));
}
@ -95,14 +95,14 @@ TEST_F(AuthorizationMatchersTest, OrAuthorizationMatcherSuccessfulMatch) {
args_.SetLocalEndpoint("ipv4:255.255.255.255:123");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderMatcher header_matcher =
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::EXACT,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
/*matcher=*/"bar")
.value();
std::vector<std::unique_ptr<Rbac::Permission>> rules;
rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER, header_matcher));
Rbac::Permission::RuleType::kHeader, header_matcher));
rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::DEST_PORT, /*port=*/456));
Rbac::Permission::RuleType::kDestPort, /*port=*/456));
OrAuthorizationMatcher matcher(std::move(rules));
// Matches as header rule matches even though port rule fails.
EXPECT_TRUE(matcher.Matches(args));
@ -113,8 +113,8 @@ TEST_F(AuthorizationMatchersTest, OrAuthorizationMatcherFailedMatch) {
EvaluateArgs args = args_.MakeEvaluateArgs();
std::vector<std::unique_ptr<Rbac::Permission>> rules;
rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::EXACT,
Rbac::Permission::RuleType::kHeader,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
/*matcher=*/"bar")
.value()));
OrAuthorizationMatcher matcher(std::move(rules));
@ -127,8 +127,8 @@ TEST_F(AuthorizationMatchersTest, NotOrAuthorizationMatcher) {
EvaluateArgs args = args_.MakeEvaluateArgs();
std::vector<std::unique_ptr<Rbac::Permission>> rules;
rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::EXACT,
Rbac::Permission::RuleType::kHeader,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
/*matcher=*/"bar")
.value()));
OrAuthorizationMatcher matcher(std::move(rules), /*not_rule=*/true);
@ -141,18 +141,18 @@ TEST_F(AuthorizationMatchersTest, HybridAuthorizationMatcherSuccessfulMatch) {
EvaluateArgs args = args_.MakeEvaluateArgs();
std::vector<std::unique_ptr<Rbac::Permission>> sub_and_rules;
sub_and_rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::EXACT,
Rbac::Permission::RuleType::kHeader,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
/*matcher=*/"bar")
.value()));
std::vector<std::unique_ptr<Rbac::Permission>> sub_or_rules;
sub_or_rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::DEST_PORT, /*port=*/123));
Rbac::Permission::RuleType::kDestPort, /*port=*/123));
std::vector<std::unique_ptr<Rbac::Permission>> and_rules;
and_rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::AND, std::move(sub_and_rules)));
Rbac::Permission::RuleType::kAnd, std::move(sub_and_rules)));
and_rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::OR, std::move(std::move(sub_or_rules))));
Rbac::Permission::RuleType::kOr, std::move(std::move(sub_or_rules))));
AndAuthorizationMatcher matcher(std::move(and_rules));
EXPECT_TRUE(matcher.Matches(args));
}
@ -163,23 +163,23 @@ TEST_F(AuthorizationMatchersTest, HybridAuthorizationMatcherFailedMatch) {
EvaluateArgs args = args_.MakeEvaluateArgs();
std::vector<std::unique_ptr<Rbac::Permission>> sub_and_rules;
sub_and_rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::EXACT,
Rbac::Permission::RuleType::kHeader,
HeaderMatcher::Create(/*name=*/"foo", HeaderMatcher::Type::kExact,
/*matcher=*/"bar")
.value()));
sub_and_rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER,
HeaderMatcher::Create(/*name=*/"absent_key", HeaderMatcher::Type::EXACT,
Rbac::Permission::RuleType::kHeader,
HeaderMatcher::Create(/*name=*/"absent_key", HeaderMatcher::Type::kExact,
/*matcher=*/"some_value")
.value()));
std::vector<std::unique_ptr<Rbac::Permission>> sub_or_rules;
sub_or_rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::DEST_PORT, /*port=*/123));
Rbac::Permission::RuleType::kDestPort, /*port=*/123));
std::vector<std::unique_ptr<Rbac::Permission>> and_rules;
and_rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::AND, std::move(sub_and_rules)));
Rbac::Permission::RuleType::kAnd, std::move(sub_and_rules)));
and_rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::OR, std::move(std::move(sub_or_rules))));
Rbac::Permission::RuleType::kOr, std::move(std::move(sub_or_rules))));
AndAuthorizationMatcher matcher(std::move(and_rules));
// Fails as "absent_key" header was not present.
EXPECT_FALSE(matcher.Matches(args));
@ -189,7 +189,7 @@ TEST_F(AuthorizationMatchersTest, PathAuthorizationMatcherSuccessfulMatch) {
args_.AddPairToMetadata(":path", "expected/path");
EvaluateArgs args = args_.MakeEvaluateArgs();
PathAuthorizationMatcher matcher(
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"expected/path",
/*case_sensitive=*/false)
.value());
@ -200,7 +200,7 @@ TEST_F(AuthorizationMatchersTest, PathAuthorizationMatcherFailedMatch) {
args_.AddPairToMetadata(":path", "different/path");
EvaluateArgs args = args_.MakeEvaluateArgs();
PathAuthorizationMatcher matcher(
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"expected/path",
/*case_sensitive=*/false)
.value());
@ -211,7 +211,7 @@ TEST_F(AuthorizationMatchersTest, NotPathAuthorizationMatcher) {
args_.AddPairToMetadata(":path", "expected/path");
EvaluateArgs args = args_.MakeEvaluateArgs();
PathAuthorizationMatcher matcher(
StringMatcher::Create(StringMatcher::Type::EXACT, "expected/path", false)
StringMatcher::Create(StringMatcher::Type::kExact, "expected/path", false)
.value(),
/*not_rule=*/true);
EXPECT_FALSE(matcher.Matches(args));
@ -221,7 +221,7 @@ TEST_F(AuthorizationMatchersTest,
PathAuthorizationMatcherFailedMatchMissingPath) {
EvaluateArgs args = args_.MakeEvaluateArgs();
PathAuthorizationMatcher matcher(
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"expected/path",
/*case_sensitive=*/false)
.value());
@ -232,7 +232,7 @@ TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherSuccessfulMatch) {
args_.AddPairToMetadata("key123", "foo_xxx");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::PREFIX,
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kPrefix,
/*matcher=*/"foo")
.value());
EXPECT_TRUE(matcher.Matches(args));
@ -242,7 +242,7 @@ TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherFailedMatch) {
args_.AddPairToMetadata("key123", "foo");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::EXACT,
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
/*matcher=*/"bar")
.value());
EXPECT_FALSE(matcher.Matches(args));
@ -254,7 +254,7 @@ TEST_F(AuthorizationMatchersTest,
args_.AddPairToMetadata("key123", "bar");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::EXACT,
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
/*matcher=*/"foo")
.value());
EXPECT_FALSE(matcher.Matches(args));
@ -264,7 +264,7 @@ TEST_F(AuthorizationMatchersTest,
HeaderAuthorizationMatcherFailedMatchMissingHeader) {
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::SUFFIX,
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kSuffix,
/*matcher=*/"foo")
.value());
EXPECT_FALSE(matcher.Matches(args));
@ -274,7 +274,7 @@ TEST_F(AuthorizationMatchersTest, NotHeaderAuthorizationMatcher) {
args_.AddPairToMetadata("key123", "foo");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::EXACT,
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
/*matcher=*/"bar")
.value(),
/*not_rule=*/true);
@ -306,7 +306,7 @@ TEST_F(AuthorizationMatchersTest,
AuthenticatedMatcherUnAuthenticatedConnection) {
EvaluateArgs args = args_.MakeEvaluateArgs();
AuthenticatedAuthorizationMatcher matcher(
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"foo.com",
/*case_sensitive=*/false)
.value());
@ -319,7 +319,7 @@ TEST_F(AuthorizationMatchersTest,
GRPC_SSL_TRANSPORT_SECURITY_TYPE);
EvaluateArgs args = args_.MakeEvaluateArgs();
AuthenticatedAuthorizationMatcher matcher(
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"",
/*case_sensitive=*/false)
.value());
@ -334,7 +334,7 @@ TEST_F(AuthorizationMatchersTest,
"spiffe://foo.abc");
EvaluateArgs args = args_.MakeEvaluateArgs();
AuthenticatedAuthorizationMatcher matcher(
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"spiffe://foo.abc",
/*case_sensitive=*/false)
.value());
@ -348,7 +348,7 @@ TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedSpiffeIdMatches) {
"spiffe://bar.abc");
EvaluateArgs args = args_.MakeEvaluateArgs();
AuthenticatedAuthorizationMatcher matcher(
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"spiffe://foo.abc",
/*case_sensitive=*/false)
.value());
@ -360,7 +360,7 @@ TEST_F(AuthorizationMatchersTest, AuthenticatedMatcherFailedNothingMatches) {
GRPC_SSL_TRANSPORT_SECURITY_TYPE);
EvaluateArgs args = args_.MakeEvaluateArgs();
AuthenticatedAuthorizationMatcher matcher(
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"foo",
/*case_sensitive=*/false)
.value());
@ -372,7 +372,7 @@ TEST_F(AuthorizationMatchersTest, NotAuthenticatedMatcher) {
GRPC_SSL_TRANSPORT_SECURITY_TYPE);
EvaluateArgs args = args_.MakeEvaluateArgs();
AuthenticatedAuthorizationMatcher matcher(
StringMatcher::Create(StringMatcher::Type::EXACT, /*matcher=*/"foo",
StringMatcher::Create(StringMatcher::Type::kExact, /*matcher=*/"foo",
/*case_sensitive=*/false)
.value(),
/*not_rule=*/true);
@ -384,13 +384,13 @@ TEST_F(AuthorizationMatchersTest, PolicyAuthorizationMatcherSuccessfulMatch) {
EvaluateArgs args = args_.MakeEvaluateArgs();
std::vector<std::unique_ptr<Rbac::Permission>> rules;
rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER,
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::EXACT,
Rbac::Permission::RuleType::kHeader,
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
/*matcher=*/"foo")
.value()));
PolicyAuthorizationMatcher matcher(Rbac::Policy(
Rbac::Permission(Rbac::Permission::RuleType::OR, std::move(rules)),
Rbac::Principal(Rbac::Principal::RuleType::ANY)));
Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(rules)),
Rbac::Principal(Rbac::Principal::RuleType::kAny)));
EXPECT_TRUE(matcher.Matches(args));
}
@ -399,13 +399,13 @@ TEST_F(AuthorizationMatchersTest, PolicyAuthorizationMatcherFailedMatch) {
EvaluateArgs args = args_.MakeEvaluateArgs();
std::vector<std::unique_ptr<Rbac::Permission>> rules;
rules.push_back(absl::make_unique<Rbac::Permission>(
Rbac::Permission::RuleType::HEADER,
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::EXACT,
Rbac::Permission::RuleType::kHeader,
HeaderMatcher::Create(/*name=*/"key123", HeaderMatcher::Type::kExact,
/*matcher=*/"bar")
.value()));
PolicyAuthorizationMatcher matcher(Rbac::Policy(
Rbac::Permission(Rbac::Permission::RuleType::OR, std::move(rules)),
Rbac::Principal(Rbac::Principal::RuleType::ANY)));
Rbac::Permission(Rbac::Permission::RuleType::kOr, std::move(rules)),
Rbac::Principal(Rbac::Principal::RuleType::kAny)));
EXPECT_FALSE(matcher.Matches(args));
}

36
test/core/security/matchers_test.cc
Unescape View File

@ -20,7 +20,7 @@ namespace grpc_core {
TEST(StringMatcherTest, ExactMatchCaseSensitive) {
auto string_matcher =
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"exact", /*case_sensitive=*/true);
ASSERT_TRUE(string_matcher.ok());
EXPECT_TRUE(string_matcher->Match("exact"));
@ -30,7 +30,7 @@ TEST(StringMatcherTest, ExactMatchCaseSensitive) {
TEST(StringMatcherTest, ExactMatchCaseInsensitive) {
auto string_matcher =
StringMatcher::Create(StringMatcher::Type::EXACT,
StringMatcher::Create(StringMatcher::Type::kExact,
/*matcher=*/"exact", /*case_sensitive=*/false);
ASSERT_TRUE(string_matcher.ok());
EXPECT_TRUE(string_matcher->Match("Exact"));
@ -38,7 +38,7 @@ TEST(StringMatcherTest, ExactMatchCaseInsensitive) {
}
TEST(StringMatcherTest, PrefixMatchCaseSensitive) {
auto string_matcher = StringMatcher::Create(StringMatcher::Type::PREFIX,
auto string_matcher = StringMatcher::Create(StringMatcher::Type::kPrefix,
/*matcher=*/"prefix",
/*case_sensitive=*/true);
ASSERT_TRUE(string_matcher.ok());
@ -49,7 +49,7 @@ TEST(StringMatcherTest, PrefixMatchCaseSensitive) {
}
TEST(StringMatcherTest, PrefixMatchCaseInsensitive) {
auto string_matcher = StringMatcher::Create(StringMatcher::Type::PREFIX,
auto string_matcher = StringMatcher::Create(StringMatcher::Type::kPrefix,
/*matcher=*/"prefix",
/*case_sensitive=*/false);
ASSERT_TRUE(string_matcher.ok());
@ -59,7 +59,7 @@ TEST(StringMatcherTest, PrefixMatchCaseInsensitive) {
}
TEST(StringMatcherTest, SuffixMatchCaseSensitive) {
auto string_matcher = StringMatcher::Create(StringMatcher::Type::SUFFIX,
auto string_matcher = StringMatcher::Create(StringMatcher::Type::kSuffix,
/*matcher=*/"suffix",
/*case_sensitive=*/true);
ASSERT_TRUE(string_matcher.ok());
@ -70,7 +70,7 @@ TEST(StringMatcherTest, SuffixMatchCaseSensitive) {
}
TEST(StringMatcherTest, SuffixMatchCaseInSensitive) {
auto string_matcher = StringMatcher::Create(StringMatcher::Type::SUFFIX,
auto string_matcher = StringMatcher::Create(StringMatcher::Type::kSuffix,
/*matcher=*/"suffix",
/*case_sensitive=*/false);
ASSERT_TRUE(string_matcher.ok());
@ -80,7 +80,7 @@ TEST(StringMatcherTest, SuffixMatchCaseInSensitive) {
}
TEST(StringMatcherTest, InvalidRegex) {
auto string_matcher = StringMatcher::Create(StringMatcher::Type::SAFE_REGEX,
auto string_matcher = StringMatcher::Create(StringMatcher::Type::kSafeRegex,
/*matcher=*/"a[b-a]",
/*case_sensitive=*/true);
EXPECT_FALSE(string_matcher.ok());
@ -90,7 +90,7 @@ TEST(StringMatcherTest, InvalidRegex) {
}
TEST(StringMatcherTest, SafeRegexMatchCaseSensitive) {
auto string_matcher = StringMatcher::Create(StringMatcher::Type::SAFE_REGEX,
auto string_matcher = StringMatcher::Create(StringMatcher::Type::kSafeRegex,
/*matcher=*/"regex.*",
/*case_sensitive=*/true);
ASSERT_TRUE(string_matcher.ok());
@ -101,7 +101,7 @@ TEST(StringMatcherTest, SafeRegexMatchCaseSensitive) {
}
TEST(StringMatcherTest, SafeRegexMatchCaseInSensitive) {
auto string_matcher = StringMatcher::Create(StringMatcher::Type::SAFE_REGEX,
auto string_matcher = StringMatcher::Create(StringMatcher::Type::kSafeRegex,
/*matcher=*/"regex.*",
/*case_sensitive=*/false);
ASSERT_TRUE(string_matcher.ok());
@ -112,7 +112,7 @@ TEST(StringMatcherTest, SafeRegexMatchCaseInSensitive) {
}
TEST(StringMatcherTest, ContainsMatchCaseSensitive) {
auto string_matcher = StringMatcher::Create(StringMatcher::Type::CONTAINS,
auto string_matcher = StringMatcher::Create(StringMatcher::Type::kContains,
/*matcher=*/"contains",
/*case_sensitive=*/true);
ASSERT_TRUE(string_matcher.ok());
@ -123,7 +123,7 @@ TEST(StringMatcherTest, ContainsMatchCaseSensitive) {
}
TEST(StringMatcherTest, ContainsMatchCaseInSensitive) {
auto string_matcher = StringMatcher::Create(StringMatcher::Type::CONTAINS,
auto string_matcher = StringMatcher::Create(StringMatcher::Type::kContains,
/*matcher=*/"contains",
/*case_sensitive=*/false);
ASSERT_TRUE(string_matcher.ok());
@ -134,7 +134,7 @@ TEST(StringMatcherTest, ContainsMatchCaseInSensitive) {
TEST(HeaderMatcherTest, StringMatcher) {
auto header_matcher =
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::EXACT,
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::kExact,
/*matcher=*/"exact");
ASSERT_TRUE(header_matcher.ok());
EXPECT_TRUE(header_matcher->Match("exact"));
@ -144,7 +144,7 @@ TEST(HeaderMatcherTest, StringMatcher) {
TEST(HeaderMatcherTest, StringMatcherWithInvertMatch) {
auto header_matcher =
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::EXACT,
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::kExact,
/*matcher=*/"exact",
/*range_start=*/0, /*range_end=*/0,
/*present_match=*/false, /*invert_match=*/true);
@ -156,7 +156,7 @@ TEST(HeaderMatcherTest, StringMatcherWithInvertMatch) {
TEST(HeaderMatcherTest, InvalidRegex) {
auto header_matcher =
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::SAFE_REGEX,
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::kSafeRegex,
/*matcher=*/"a[b-a]",
/*range_start=*/0, /*range_end=*/0,
/*present_match=*/false, /*invert_match=*/true);
@ -168,7 +168,7 @@ TEST(HeaderMatcherTest, InvalidRegex) {
TEST(HeaderMatcherTest, RangeMatcherValidRange) {
auto header_matcher =
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::RANGE,
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::kRange,
/*matcher=*/"", /*range_start=*/10,
/*range_end*/ 20);
ASSERT_TRUE(header_matcher.ok());
@ -180,7 +180,7 @@ TEST(HeaderMatcherTest, RangeMatcherValidRange) {
TEST(HeaderMatcherTest, RangeMatcherInvalidRange) {
auto header_matcher =
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::RANGE,
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::kRange,
/*matcher=*/"", /*range_start=*/20,
/*range_end*/ 10);
EXPECT_FALSE(header_matcher.ok());
@ -192,7 +192,7 @@ TEST(HeaderMatcherTest, RangeMatcherInvalidRange) {
TEST(HeaderMatcherTest, PresentMatcherTrue) {
auto header_matcher =
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::PRESENT,
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::kPresent,
/*matcher=*/"", /*range_start=*/0,
/*range_end=*/0, /*present_match=*/true);
ASSERT_TRUE(header_matcher.ok());
@ -202,7 +202,7 @@ TEST(HeaderMatcherTest, PresentMatcherTrue) {
TEST(HeaderMatcherTest, PresentMatcherFalse) {
auto header_matcher =
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::PRESENT,
HeaderMatcher::Create(/*name=*/"key", HeaderMatcher::Type::kPresent,
/*matcher=*/"", /*range_start=*/0,
/*range_end=*/0, /*present_match=*/false);
ASSERT_TRUE(header_matcher.ok());

207
test/core/security/rbac_translator_test.cc
Unescape View File

@ -23,20 +23,20 @@ namespace {
MATCHER_P2(EqualsPrincipalName, expected_matcher_type, expected_matcher_value,
"") {
return arg->type == Rbac::Principal::RuleType::PRINCIPAL_NAME &&
return arg->type == Rbac::Principal::RuleType::kPrincipalName &&
arg->string_matcher.type() == expected_matcher_type &&
arg->string_matcher.string_matcher() == expected_matcher_value;
}
MATCHER_P2(EqualsPath, expected_matcher_type, expected_matcher_value, "") {
return arg->type == Rbac::Permission::RuleType::PATH &&
return arg->type == Rbac::Permission::RuleType::kPath &&
arg->string_matcher.type() == expected_matcher_type &&
arg->string_matcher.string_matcher() == expected_matcher_value;
}
MATCHER_P3(EqualsHeader, expected_name, expected_matcher_type,
expected_matcher_value, "") {
return arg->type == Rbac::Permission::RuleType::HEADER &&
return arg->type == Rbac::Permission::RuleType::kHeader &&
arg->header_matcher.name() == expected_name &&
arg->header_matcher.type() == expected_matcher_type &&
arg->header_matcher.string_matcher() == expected_matcher_value;
@ -96,7 +96,7 @@ TEST(GenerateRbacPoliciesTest, MissingDenyRules) {
"}";
auto rbac_policies = GenerateRbacPolicies(authz_policy);
ASSERT_TRUE(rbac_policies.ok());
EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::DENY);
EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::kDeny);
EXPECT_TRUE(rbac_policies.value().deny_policy.policies.empty());
}
@ -176,19 +176,20 @@ TEST(GenerateRbacPoliciesTest, MissingSourceAndRequest) {
"}";
auto rbac_policies = GenerateRbacPolicies(authz_policy);
ASSERT_TRUE(rbac_policies.ok());
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::ALLOW);
EXPECT_THAT(rbac_policies.value().allow_policy.policies,
::testing::ElementsAre(::testing::Pair(
"authz_allow_policy",
::testing::AllOf(
::testing::Field(
&Rbac::Policy::permissions,
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::ANY)),
::testing::Field(
&Rbac::Policy::principals,
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::ANY))))));
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
EXPECT_THAT(
rbac_policies.value().allow_policy.policies,
::testing::ElementsAre(::testing::Pair(
"authz_allow_policy",
::testing::AllOf(
::testing::Field(
&Rbac::Policy::permissions,
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::kAny)),
::testing::Field(
&Rbac::Policy::principals,
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::kAny))))));
}
TEST(GenerateRbacPoliciesTest, EmptySourceAndRequest) {
@ -205,19 +206,20 @@ TEST(GenerateRbacPoliciesTest, EmptySourceAndRequest) {
"}";
auto rbac_policies = GenerateRbacPolicies(authz_policy);
ASSERT_TRUE(rbac_policies.ok());
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::ALLOW);
EXPECT_THAT(rbac_policies.value().allow_policy.policies,
::testing::ElementsAre(::testing::Pair(
"authz_allow_policy",
::testing::AllOf(
::testing::Field(
&Rbac::Policy::permissions,
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::ANY)),
::testing::Field(
&Rbac::Policy::principals,
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::ANY))))));
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
EXPECT_THAT(
rbac_policies.value().allow_policy.policies,
::testing::ElementsAre(::testing::Pair(
"authz_allow_policy",
::testing::AllOf(
::testing::Field(
&Rbac::Policy::permissions,
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::kAny)),
::testing::Field(
&Rbac::Policy::principals,
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::kAny))))));
}
TEST(GenerateRbacPoliciesTest, IncorrectSourceType) {
@ -289,7 +291,7 @@ TEST(GenerateRbacPoliciesTest, ParseSourceSuccess) {
"}";
auto rbac_policies = GenerateRbacPolicies(authz_policy);
ASSERT_TRUE(rbac_policies.ok());
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::ALLOW);
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
EXPECT_THAT(
rbac_policies.value().allow_policy.policies,
::testing::ElementsAre(::testing::Pair(
@ -298,33 +300,33 @@ TEST(GenerateRbacPoliciesTest, ParseSourceSuccess) {
::testing::Field(
&Rbac::Policy::permissions,
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::ANY)),
Rbac::Permission::RuleType::kAny)),
::testing::Field(
&Rbac::Policy::principals,
::testing::AllOf(
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::AND),
Rbac::Principal::RuleType::kAnd),
::testing::Field(
&Rbac::Principal::principals,
::testing::ElementsAre(::testing::AllOf(
::testing::Pointee(::testing::Field(
&Rbac::Principal::type,
Rbac::Principal::RuleType::OR)),
Rbac::Principal::RuleType::kOr)),
::testing::Pointee(::testing::Field(
&Rbac::Principal::principals,
::testing::ElementsAre(
EqualsPrincipalName(
StringMatcher::Type::EXACT,
StringMatcher::Type::kExact,
"spiffe://foo.abc"),
EqualsPrincipalName(
StringMatcher::Type::PREFIX,
StringMatcher::Type::kPrefix,
"spiffe://bar"),
EqualsPrincipalName(
StringMatcher::Type::SUFFIX, "baz"),
StringMatcher::Type::kSuffix, "baz"),
EqualsPrincipalName(
StringMatcher::Type::EXACT,
StringMatcher::Type::kExact,
"spiffe://abc.*.com")))))))))))));
EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::DENY);
EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::kDeny);
EXPECT_THAT(
rbac_policies.value().deny_policy.policies,
::testing::ElementsAre(::testing::Pair(
@ -333,22 +335,22 @@ TEST(GenerateRbacPoliciesTest, ParseSourceSuccess) {
::testing::Field(
&Rbac::Policy::permissions,
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::ANY)),
Rbac::Permission::RuleType::kAny)),
::testing::Field(
&Rbac::Policy::principals,
::testing::AllOf(
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::AND),
Rbac::Principal::RuleType::kAnd),
::testing::Field(
&Rbac::Principal::principals,
::testing::ElementsAre(::testing::AllOf(
::testing::Pointee(::testing::Field(
&Rbac::Principal::type,
Rbac::Principal::RuleType::OR)),
Rbac::Principal::RuleType::kOr)),
::testing::Pointee(::testing::Field(
&Rbac::Principal::principals,
::testing::ElementsAre(EqualsPrincipalName(
StringMatcher::Type::PREFIX,
StringMatcher::Type::kPrefix,
"")))))))))))));
}
@ -420,7 +422,7 @@ TEST(GenerateRbacPoliciesTest, ParseRequestPathsSuccess) {
"}";
auto rbac_policies = GenerateRbacPolicies(authz_policy);
ASSERT_TRUE(rbac_policies.ok());
EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::DENY);
EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::kDeny);
EXPECT_THAT(
rbac_policies.value().deny_policy.policies,
::testing::ElementsAre(::testing::Pair(
@ -429,52 +431,53 @@ TEST(GenerateRbacPoliciesTest, ParseRequestPathsSuccess) {
::testing::Field(
&Rbac::Policy::principals,
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::ANY)),
Rbac::Principal::RuleType::kAny)),
::testing::Field(
&Rbac::Policy::permissions,
::testing::AllOf(
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::AND),
Rbac::Permission::RuleType::kAnd),
::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(::testing::AllOf(
::testing::Pointee(::testing::Field(
&Rbac::Permission::type,
Rbac::Permission::RuleType::OR)),
Rbac::Permission::RuleType::kOr)),
::testing::Pointee(::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(
EqualsPath(StringMatcher::Type::EXACT,
EqualsPath(StringMatcher::Type::kExact,
"path-foo"),
EqualsPath(StringMatcher::Type::PREFIX,
EqualsPath(StringMatcher::Type::kPrefix,
"path-bar"),
EqualsPath(StringMatcher::Type::SUFFIX,
EqualsPath(StringMatcher::Type::kSuffix,
"baz")))))))))))));
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::ALLOW);
EXPECT_THAT(rbac_policies.value().allow_policy.policies,
::testing::ElementsAre(::testing::Pair(
"authz_allow_policy",
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
EXPECT_THAT(
rbac_policies.value().allow_policy.policies,
::testing::ElementsAre(::testing::Pair(
"authz_allow_policy",
::testing::AllOf(
::testing::Field(
&Rbac::Policy::principals,
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::kAny)),
::testing::Field(
&Rbac::Policy::permissions,
::testing::AllOf(
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::kAnd),
::testing::Field(
&Rbac::Policy::principals,
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::ANY)),
::testing::Field(
&Rbac::Policy::permissions,
::testing::AllOf(
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::AND),
::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(::testing::AllOf(
::testing::Pointee(::testing::Field(
&Rbac::Permission::type,
Rbac::Permission::RuleType::kOr)),
::testing::Pointee(::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(::testing::AllOf(
::testing::Pointee(::testing::Field(
&Rbac::Permission::type,
Rbac::Permission::RuleType::OR)),
::testing::Pointee(::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(EqualsPath(
StringMatcher::Type::PREFIX,
"")))))))))))));
::testing::ElementsAre(
EqualsPath(StringMatcher::Type::kPrefix,
"")))))))))))));
}
TEST(GenerateRbacPoliciesTest, IncorrectHeaderType) {
@ -657,9 +660,9 @@ TEST(GenerateRbacPoliciesTest, ParseRequestHeadersSuccess) {
"}";
auto rbac_policies = GenerateRbacPolicies(authz_policy);
ASSERT_TRUE(rbac_policies.ok());
EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::DENY);
EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::kDeny);
EXPECT_TRUE(rbac_policies.value().deny_policy.policies.empty());
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::ALLOW);
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
EXPECT_THAT(
rbac_policies.value().allow_policy.policies,
::testing::ElementsAre(::testing::Pair(
@ -668,51 +671,53 @@ TEST(GenerateRbacPoliciesTest, ParseRequestHeadersSuccess) {
::testing::Field(
&Rbac::Policy::principals,
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::ANY)),
Rbac::Principal::RuleType::kAny)),
::testing::Field(
&Rbac::Policy::permissions,
::testing::AllOf(
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::AND),
Rbac::Permission::RuleType::kAnd),
::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(::testing::AllOf(
::testing::Pointee(::testing::Field(
&Rbac::Permission::type,
Rbac::Permission::RuleType::AND)),
Rbac::Permission::RuleType::kAnd)),
::testing::Pointee(::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(
::testing::AllOf(
::testing::Pointee(::testing::Field(
&Rbac::Permission::type,
Rbac::Permission::RuleType::OR)),
Rbac::Permission::RuleType::kOr)),
::testing::Pointee(::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(
EqualsHeader("key-1",
HeaderMatcher::
Type::PREFIX,
""))))),
EqualsHeader(
"key-1",
HeaderMatcher::Type::
kPrefix,
""))))),
::testing::AllOf(
::testing::Pointee(::testing::Field(
&Rbac::Permission::type,
Rbac::Permission::RuleType::OR)),
Rbac::Permission::RuleType::kOr)),
::testing::Pointee(::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(
EqualsHeader("key-2",
HeaderMatcher::
Type::EXACT,
Type::kExact,
"foo"),
EqualsHeader("key-2",
HeaderMatcher::
Type::PREFIX,
"bar"),
EqualsHeader(
"key-2",
HeaderMatcher::Type::
SUFFIX,
kPrefix,
"bar"),
EqualsHeader(
"key-2",
HeaderMatcher::Type::
kSuffix,
"baz")))))))))))))))));
}
@ -741,9 +746,9 @@ TEST(GenerateRbacPoliciesTest, ParseRulesArraySuccess) {
"}";
auto rbac_policies = GenerateRbacPolicies(authz_policy);
ASSERT_TRUE(rbac_policies.ok());
EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::DENY);
EXPECT_EQ(rbac_policies.value().deny_policy.action, Rbac::Action::kDeny);
EXPECT_TRUE(rbac_policies.value().deny_policy.policies.empty());
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::ALLOW);
EXPECT_EQ(rbac_policies.value().allow_policy.action, Rbac::Action::kAllow);
EXPECT_THAT(
rbac_policies.value().allow_policy.policies,
::testing::ElementsAre(
@ -754,34 +759,34 @@ TEST(GenerateRbacPoliciesTest, ParseRulesArraySuccess) {
&Rbac::Policy::permissions,
::testing::AllOf(
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::AND),
Rbac::Permission::RuleType::kAnd),
::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(::testing::AllOf(
::testing::Pointee(::testing::Field(
&Rbac::Permission::type,
Rbac::Permission::RuleType::OR)),
Rbac::Permission::RuleType::kOr)),
::testing::Pointee(::testing::Field(
&Rbac::Permission::permissions,
::testing::ElementsAre(
EqualsPath(StringMatcher::Type::EXACT,
"foo"))))))))),
::testing::ElementsAre(EqualsPath(
StringMatcher::Type::kExact,
"foo"))))))))),
::testing::Field(
&Rbac::Policy::principals,
::testing::AllOf(
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::AND),
Rbac::Principal::RuleType::kAnd),
::testing::Field(
&Rbac::Principal::principals,
::testing::ElementsAre(::testing::AllOf(
::testing::Pointee(::testing::Field(
&Rbac::Principal::type,
Rbac::Principal::RuleType::OR)),
Rbac::Principal::RuleType::kOr)),
::testing::Pointee(::testing::Field(
&Rbac::Principal::principals,
::testing::ElementsAre(
EqualsPrincipalName(
StringMatcher::Type::EXACT,
StringMatcher::Type::kExact,
"spiffe://foo.abc"))))))))))),
::testing::Pair(
"authz_allow_policy_2",
@ -789,11 +794,11 @@ TEST(GenerateRbacPoliciesTest, ParseRulesArraySuccess) {
::testing::Field(
&Rbac::Policy::permissions,
::testing::Field(&Rbac::Permission::type,
Rbac::Permission::RuleType::ANY)),
Rbac::Permission::RuleType::kAny)),
::testing::Field(
&Rbac::Policy::principals,
::testing::Field(&Rbac::Principal::type,
Rbac::Principal::RuleType::ANY))))));
Rbac::Principal::RuleType::kAny))))));
}
} // namespace grpc_core

10
test/core/security/xds_credentials_test.cc
Unescape View File

@ -30,29 +30,29 @@ namespace testing {
namespace {
StringMatcher ExactMatcher(const char* string) {
return StringMatcher::Create(StringMatcher::Type::EXACT, string).value();
return StringMatcher::Create(StringMatcher::Type::kExact, string).value();
}
StringMatcher PrefixMatcher(const char* string, bool case_sensitive = true) {
return StringMatcher::Create(StringMatcher::Type::PREFIX, string,
return StringMatcher::Create(StringMatcher::Type::kPrefix, string,
case_sensitive)
.value();
}
StringMatcher SuffixMatcher(const char* string, bool case_sensitive = true) {
return StringMatcher::Create(StringMatcher::Type::SUFFIX, string,
return StringMatcher::Create(StringMatcher::Type::kSuffix, string,
case_sensitive)
.value();
}
StringMatcher ContainsMatcher(const char* string, bool case_sensitive = true) {
return StringMatcher::Create(StringMatcher::Type::CONTAINS, string,
return StringMatcher::Create(StringMatcher::Type::kContains, string,
case_sensitive)
.value();
}
StringMatcher SafeRegexMatcher(const char* string) {
return StringMatcher::Create(StringMatcher::Type::SAFE_REGEX, string).value();
return StringMatcher::Create(StringMatcher::Type::kSafeRegex, string).value();
}
TEST(XdsSanMatchingTest, EmptySansList) {

Write Preview
Loading…
Cancel
Save