remove SDK term from gRPC authz (#28843)

pull/28878/head
Ashitha Santhosh 3 years ago committed by GitHub
parent 3e8e229308
commit 1fee3d72be
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 4
      BUILD
  2. 110
      CMakeLists.txt
  3. 4
      Makefile
  4. 48
      build_autogenerated.yaml
  5. 2
      config.m4
  6. 2
      config.w32
  7. 2
      doc/environment_variables.md
  8. 4
      gRPC-C++.podspec
  9. 8
      gRPC-Core.podspec
  10. 4
      grpc.gemspec
  11. 6
      grpc.gyp
  12. 8
      include/grpc/grpc_security.h
  13. 4
      package.xml
  14. 6
      src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
  15. 4
      src/core/lib/security/authorization/grpc_authorization_policy_provider.h
  16. 30
      src/core/lib/security/authorization/grpc_server_authz_filter.cc
  17. 12
      src/core/lib/security/authorization/grpc_server_authz_filter.h
  18. 2
      src/core/lib/security/authorization/rbac_translator.cc
  19. 14
      src/core/lib/surface/init.cc
  20. 2
      src/python/grpcio/grpc_core_dependencies.py
  21. 16
      test/core/end2end/end2end_tests.cc
  22. 2
      test/core/end2end/generate_tests.bzl
  23. 4
      test/core/end2end/tests/grpc_authz.cc
  24. 2
      test/core/security/rbac_translator_test.cc
  25. 4
      test/cpp/end2end/BUILD
  26. 44
      test/cpp/end2end/grpc_authz_end2end_test.cc
  27. 4
      tools/doxygen/Doxyfile.c++.internal
  28. 4
      tools/doxygen/Doxyfile.core.internal
  29. 48
      tools/run_tests/generated/tests.json

@ -3564,13 +3564,13 @@ grpc_cc_library(
srcs = [
"src/core/lib/security/authorization/authorization_policy_provider_vtable.cc",
"src/core/lib/security/authorization/evaluate_args.cc",
"src/core/lib/security/authorization/sdk_server_authz_filter.cc",
"src/core/lib/security/authorization/grpc_server_authz_filter.cc",
],
hdrs = [
"src/core/lib/security/authorization/authorization_engine.h",
"src/core/lib/security/authorization/authorization_policy_provider.h",
"src/core/lib/security/authorization/evaluate_args.h",
"src/core/lib/security/authorization/sdk_server_authz_filter.h",
"src/core/lib/security/authorization/grpc_server_authz_filter.h",
],
external_deps = [
"absl/strings",

110
CMakeLists.txt generated

@ -872,6 +872,7 @@ if(gRPC_BUILD_TESTS)
add_dependencies(buildtests_cxx google_mesh_ca_certificate_provider_factory_test)
add_dependencies(buildtests_cxx grpc_authorization_engine_test)
add_dependencies(buildtests_cxx grpc_authorization_policy_provider_test)
add_dependencies(buildtests_cxx grpc_authz_end2end_test)
add_dependencies(buildtests_cxx grpc_cli)
add_dependencies(buildtests_cxx grpc_tls_certificate_distributor_test)
add_dependencies(buildtests_cxx grpc_tls_certificate_provider_test)
@ -957,7 +958,6 @@ if(gRPC_BUILD_TESTS)
add_dependencies(buildtests_cxx retry_throttle_test)
add_dependencies(buildtests_cxx rls_end2end_test)
add_dependencies(buildtests_cxx rls_lb_config_parser_test)
add_dependencies(buildtests_cxx sdk_authz_end2end_test)
add_dependencies(buildtests_cxx secure_auth_context_test)
add_dependencies(buildtests_cxx seq_test)
add_dependencies(buildtests_cxx server_builder_plugin_test)
@ -1287,6 +1287,7 @@ add_library(end2end_tests
test/core/end2end/tests/filter_latency.cc
test/core/end2end/tests/filter_status_code.cc
test/core/end2end/tests/graceful_server_shutdown.cc
test/core/end2end/tests/grpc_authz.cc
test/core/end2end/tests/high_initial_seqno.cc
test/core/end2end/tests/hpack_size.cc
test/core/end2end/tests/idempotent_request.cc
@ -1339,7 +1340,6 @@ add_library(end2end_tests
test/core/end2end/tests/retry_transparent_goaway.cc
test/core/end2end/tests/retry_transparent_max_concurrent_streams.cc
test/core/end2end/tests/retry_transparent_not_sent_on_wire.cc
test/core/end2end/tests/sdk_authz.cc
test/core/end2end/tests/server_finishes_request.cc
test/core/end2end/tests/server_streaming.cc
test/core/end2end/tests/shutdown_finishes_calls.cc
@ -2112,9 +2112,9 @@ add_library(grpc
src/core/lib/security/authorization/authorization_policy_provider_vtable.cc
src/core/lib/security/authorization/evaluate_args.cc
src/core/lib/security/authorization/grpc_authorization_engine.cc
src/core/lib/security/authorization/grpc_server_authz_filter.cc
src/core/lib/security/authorization/matchers.cc
src/core/lib/security/authorization/rbac_policy.cc
src/core/lib/security/authorization/sdk_server_authz_filter.cc
src/core/lib/security/context/security_context.cc
src/core/lib/security/credentials/alts/alts_credentials.cc
src/core/lib/security/credentials/alts/check_gcp_environment.cc
@ -2759,7 +2759,7 @@ add_library(grpc_unsecure
src/core/lib/resource_quota/trace.cc
src/core/lib/security/authorization/authorization_policy_provider_vtable.cc
src/core/lib/security/authorization/evaluate_args.cc
src/core/lib/security/authorization/sdk_server_authz_filter.cc
src/core/lib/security/authorization/grpc_server_authz_filter.cc
src/core/lib/security/context/security_context.cc
src/core/lib/security/credentials/composite/composite_credentials.cc
src/core/lib/security/credentials/credentials.cc
@ -11059,6 +11059,57 @@ target_link_libraries(grpc_authorization_policy_provider_test
)
endif()
if(gRPC_BUILD_TESTS)
add_executable(grpc_authz_end2end_test
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.h
src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
src/core/lib/security/authorization/rbac_translator.cc
src/cpp/server/authorization_policy_provider.cc
test/cpp/end2end/grpc_authz_end2end_test.cc
test/cpp/end2end/test_service_impl.cc
third_party/googletest/googletest/src/gtest-all.cc
third_party/googletest/googlemock/src/gmock-all.cc
)
target_include_directories(grpc_authz_end2end_test
PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}
${CMAKE_CURRENT_SOURCE_DIR}/include
${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
${_gRPC_RE2_INCLUDE_DIR}
${_gRPC_SSL_INCLUDE_DIR}
${_gRPC_UPB_GENERATED_DIR}
${_gRPC_UPB_GRPC_GENERATED_DIR}
${_gRPC_UPB_INCLUDE_DIR}
${_gRPC_XXHASH_INCLUDE_DIR}
${_gRPC_ZLIB_INCLUDE_DIR}
third_party/googletest/googletest/include
third_party/googletest/googletest
third_party/googletest/googlemock/include
third_party/googletest/googlemock
${_gRPC_PROTO_GENS_DIR}
)
target_link_libraries(grpc_authz_end2end_test
${_gRPC_PROTOBUF_LIBRARIES}
${_gRPC_ALLTARGETS_LIBRARIES}
grpc++_test_util
)
endif()
if(gRPC_BUILD_TESTS)
@ -14464,57 +14515,6 @@ target_link_libraries(rls_lb_config_parser_test
)
endif()
if(gRPC_BUILD_TESTS)
add_executable(sdk_authz_end2end_test
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.h
src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
src/core/lib/security/authorization/rbac_translator.cc
src/cpp/server/authorization_policy_provider.cc
test/cpp/end2end/sdk_authz_end2end_test.cc
test/cpp/end2end/test_service_impl.cc
third_party/googletest/googletest/src/gtest-all.cc
third_party/googletest/googlemock/src/gmock-all.cc
)
target_include_directories(sdk_authz_end2end_test
PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}
${CMAKE_CURRENT_SOURCE_DIR}/include
${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
${_gRPC_RE2_INCLUDE_DIR}
${_gRPC_SSL_INCLUDE_DIR}
${_gRPC_UPB_GENERATED_DIR}
${_gRPC_UPB_GRPC_GENERATED_DIR}
${_gRPC_UPB_INCLUDE_DIR}
${_gRPC_XXHASH_INCLUDE_DIR}
${_gRPC_ZLIB_INCLUDE_DIR}
third_party/googletest/googletest/include
third_party/googletest/googletest
third_party/googletest/googlemock/include
third_party/googletest/googlemock
${_gRPC_PROTO_GENS_DIR}
)
target_link_libraries(sdk_authz_end2end_test
${_gRPC_PROTOBUF_LIBRARIES}
${_gRPC_ALLTARGETS_LIBRARIES}
grpc++_test_util
)
endif()
if(gRPC_BUILD_TESTS)

4
Makefile generated

@ -1559,9 +1559,9 @@ LIBGRPC_SRC = \
src/core/lib/security/authorization/authorization_policy_provider_vtable.cc \
src/core/lib/security/authorization/evaluate_args.cc \
src/core/lib/security/authorization/grpc_authorization_engine.cc \
src/core/lib/security/authorization/grpc_server_authz_filter.cc \
src/core/lib/security/authorization/matchers.cc \
src/core/lib/security/authorization/rbac_policy.cc \
src/core/lib/security/authorization/sdk_server_authz_filter.cc \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/credentials/alts/alts_credentials.cc \
src/core/lib/security/credentials/alts/check_gcp_environment.cc \
@ -2053,7 +2053,7 @@ LIBGRPC_UNSECURE_SRC = \
src/core/lib/resource_quota/trace.cc \
src/core/lib/security/authorization/authorization_policy_provider_vtable.cc \
src/core/lib/security/authorization/evaluate_args.cc \
src/core/lib/security/authorization/sdk_server_authz_filter.cc \
src/core/lib/security/authorization/grpc_server_authz_filter.cc \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/credentials/composite/composite_credentials.cc \
src/core/lib/security/credentials/credentials.cc \

@ -199,6 +199,7 @@ libs:
- test/core/end2end/tests/filter_latency.cc
- test/core/end2end/tests/filter_status_code.cc
- test/core/end2end/tests/graceful_server_shutdown.cc
- test/core/end2end/tests/grpc_authz.cc
- test/core/end2end/tests/high_initial_seqno.cc
- test/core/end2end/tests/hpack_size.cc
- test/core/end2end/tests/idempotent_request.cc
@ -251,7 +252,6 @@ libs:
- test/core/end2end/tests/retry_transparent_goaway.cc
- test/core/end2end/tests/retry_transparent_max_concurrent_streams.cc
- test/core/end2end/tests/retry_transparent_not_sent_on_wire.cc
- test/core/end2end/tests/sdk_authz.cc
- test/core/end2end/tests/server_finishes_request.cc
- test/core/end2end/tests/server_streaming.cc
- test/core/end2end/tests/shutdown_finishes_calls.cc
@ -959,9 +959,9 @@ libs:
- src/core/lib/security/authorization/authorization_policy_provider.h
- src/core/lib/security/authorization/evaluate_args.h
- src/core/lib/security/authorization/grpc_authorization_engine.h
- src/core/lib/security/authorization/grpc_server_authz_filter.h
- src/core/lib/security/authorization/matchers.h
- src/core/lib/security/authorization/rbac_policy.h
- src/core/lib/security/authorization/sdk_server_authz_filter.h
- src/core/lib/security/context/security_context.h
- src/core/lib/security/credentials/alts/alts_credentials.h
- src/core/lib/security/credentials/alts/check_gcp_environment.h
@ -1612,9 +1612,9 @@ libs:
- src/core/lib/security/authorization/authorization_policy_provider_vtable.cc
- src/core/lib/security/authorization/evaluate_args.cc
- src/core/lib/security/authorization/grpc_authorization_engine.cc
- src/core/lib/security/authorization/grpc_server_authz_filter.cc
- src/core/lib/security/authorization/matchers.cc
- src/core/lib/security/authorization/rbac_policy.cc
- src/core/lib/security/authorization/sdk_server_authz_filter.cc
- src/core/lib/security/context/security_context.cc
- src/core/lib/security/credentials/alts/alts_credentials.cc
- src/core/lib/security/credentials/alts/check_gcp_environment.cc
@ -2134,7 +2134,7 @@ libs:
- src/core/lib/security/authorization/authorization_engine.h
- src/core/lib/security/authorization/authorization_policy_provider.h
- src/core/lib/security/authorization/evaluate_args.h
- src/core/lib/security/authorization/sdk_server_authz_filter.h
- src/core/lib/security/authorization/grpc_server_authz_filter.h
- src/core/lib/security/context/security_context.h
- src/core/lib/security/credentials/channel_creds_registry.h
- src/core/lib/security/credentials/composite/composite_credentials.h
@ -2441,7 +2441,7 @@ libs:
- src/core/lib/resource_quota/trace.cc
- src/core/lib/security/authorization/authorization_policy_provider_vtable.cc
- src/core/lib/security/authorization/evaluate_args.cc
- src/core/lib/security/authorization/sdk_server_authz_filter.cc
- src/core/lib/security/authorization/grpc_server_authz_filter.cc
- src/core/lib/security/context/security_context.cc
- src/core/lib/security/credentials/composite/composite_credentials.cc
- src/core/lib/security/credentials/credentials.cc
@ -6090,6 +6090,25 @@ targets:
- test/core/security/grpc_authorization_policy_provider_test.cc
deps:
- grpc_test_util
- name: grpc_authz_end2end_test
gtest: true
build: test
language: c++
headers:
- src/core/lib/security/authorization/grpc_authorization_policy_provider.h
- src/core/lib/security/authorization/rbac_translator.h
- test/cpp/end2end/test_service_impl.h
src:
- src/proto/grpc/testing/echo.proto
- src/proto/grpc/testing/echo_messages.proto
- src/proto/grpc/testing/simple_messages.proto
- src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
- src/core/lib/security/authorization/rbac_translator.cc
- src/cpp/server/authorization_policy_provider.cc
- test/cpp/end2end/grpc_authz_end2end_test.cc
- test/cpp/end2end/test_service_impl.cc
deps:
- grpc++_test_util
- name: grpc_cli
build: test
run: false
@ -7510,25 +7529,6 @@ targets:
- test/core/client_channel/rls_lb_config_parser_test.cc
deps:
- grpc_test_util
- name: sdk_authz_end2end_test
gtest: true
build: test
language: c++
headers:
- src/core/lib/security/authorization/grpc_authorization_policy_provider.h
- src/core/lib/security/authorization/rbac_translator.h
- test/cpp/end2end/test_service_impl.h
src:
- src/proto/grpc/testing/echo.proto
- src/proto/grpc/testing/echo_messages.proto
- src/proto/grpc/testing/simple_messages.proto
- src/core/lib/security/authorization/grpc_authorization_policy_provider.cc
- src/core/lib/security/authorization/rbac_translator.cc
- src/cpp/server/authorization_policy_provider.cc
- test/cpp/end2end/sdk_authz_end2end_test.cc
- test/cpp/end2end/test_service_impl.cc
deps:
- grpc++_test_util
- name: secure_auth_context_test
gtest: true
build: test

2
config.m4 generated

@ -621,9 +621,9 @@ if test "$PHP_GRPC" != "no"; then
src/core/lib/security/authorization/authorization_policy_provider_vtable.cc \
src/core/lib/security/authorization/evaluate_args.cc \
src/core/lib/security/authorization/grpc_authorization_engine.cc \
src/core/lib/security/authorization/grpc_server_authz_filter.cc \
src/core/lib/security/authorization/matchers.cc \
src/core/lib/security/authorization/rbac_policy.cc \
src/core/lib/security/authorization/sdk_server_authz_filter.cc \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/credentials/alts/alts_credentials.cc \
src/core/lib/security/credentials/alts/check_gcp_environment.cc \

2
config.w32 generated

@ -587,9 +587,9 @@ if (PHP_GRPC != "no") {
"src\\core\\lib\\security\\authorization\\authorization_policy_provider_vtable.cc " +
"src\\core\\lib\\security\\authorization\\evaluate_args.cc " +
"src\\core\\lib\\security\\authorization\\grpc_authorization_engine.cc " +
"src\\core\\lib\\security\\authorization\\grpc_server_authz_filter.cc " +
"src\\core\\lib\\security\\authorization\\matchers.cc " +
"src\\core\\lib\\security\\authorization\\rbac_policy.cc " +
"src\\core\\lib\\security\\authorization\\sdk_server_authz_filter.cc " +
"src\\core\\lib\\security\\context\\security_context.cc " +
"src\\core\\lib\\security\\credentials\\alts\\alts_credentials.cc " +
"src\\core\\lib\\security\\credentials\\alts\\check_gcp_environment.cc " +

@ -81,7 +81,7 @@ some configuration as environment variables that can be set.
- rls_lb - traces the RLS load balancing policy
- round_robin - traces the round_robin load balancing policy
- queue_pluck
- sdk_authz - traces sdk authorization
- grpc_authz_api - traces gRPC authorization
- server_channel - lightweight trace of significant server channel events
- secure_endpoint - traces bytes flowing through encrypted channels
- subchannel - traces the connectivity state of subchannel

4
gRPC-C++.podspec generated

@ -811,9 +811,9 @@ Pod::Spec.new do |s|
'src/core/lib/security/authorization/authorization_policy_provider.h',
'src/core/lib/security/authorization/evaluate_args.h',
'src/core/lib/security/authorization/grpc_authorization_engine.h',
'src/core/lib/security/authorization/grpc_server_authz_filter.h',
'src/core/lib/security/authorization/matchers.h',
'src/core/lib/security/authorization/rbac_policy.h',
'src/core/lib/security/authorization/sdk_server_authz_filter.h',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.h',
'src/core/lib/security/credentials/alts/check_gcp_environment.h',
@ -1609,9 +1609,9 @@ Pod::Spec.new do |s|
'src/core/lib/security/authorization/authorization_policy_provider.h',
'src/core/lib/security/authorization/evaluate_args.h',
'src/core/lib/security/authorization/grpc_authorization_engine.h',
'src/core/lib/security/authorization/grpc_server_authz_filter.h',
'src/core/lib/security/authorization/matchers.h',
'src/core/lib/security/authorization/rbac_policy.h',
'src/core/lib/security/authorization/sdk_server_authz_filter.h',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.h',
'src/core/lib/security/credentials/alts/check_gcp_environment.h',

8
gRPC-Core.podspec generated

@ -1331,12 +1331,12 @@ Pod::Spec.new do |s|
'src/core/lib/security/authorization/evaluate_args.h',
'src/core/lib/security/authorization/grpc_authorization_engine.cc',
'src/core/lib/security/authorization/grpc_authorization_engine.h',
'src/core/lib/security/authorization/grpc_server_authz_filter.cc',
'src/core/lib/security/authorization/grpc_server_authz_filter.h',
'src/core/lib/security/authorization/matchers.cc',
'src/core/lib/security/authorization/matchers.h',
'src/core/lib/security/authorization/rbac_policy.cc',
'src/core/lib/security/authorization/rbac_policy.h',
'src/core/lib/security/authorization/sdk_server_authz_filter.cc',
'src/core/lib/security/authorization/sdk_server_authz_filter.h',
'src/core/lib/security/context/security_context.cc',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.cc',
@ -2207,9 +2207,9 @@ Pod::Spec.new do |s|
'src/core/lib/security/authorization/authorization_policy_provider.h',
'src/core/lib/security/authorization/evaluate_args.h',
'src/core/lib/security/authorization/grpc_authorization_engine.h',
'src/core/lib/security/authorization/grpc_server_authz_filter.h',
'src/core/lib/security/authorization/matchers.h',
'src/core/lib/security/authorization/rbac_policy.h',
'src/core/lib/security/authorization/sdk_server_authz_filter.h',
'src/core/lib/security/context/security_context.h',
'src/core/lib/security/credentials/alts/alts_credentials.h',
'src/core/lib/security/credentials/alts/check_gcp_environment.h',
@ -2451,6 +2451,7 @@ Pod::Spec.new do |s|
'test/core/end2end/tests/filter_latency.cc',
'test/core/end2end/tests/filter_status_code.cc',
'test/core/end2end/tests/graceful_server_shutdown.cc',
'test/core/end2end/tests/grpc_authz.cc',
'test/core/end2end/tests/high_initial_seqno.cc',
'test/core/end2end/tests/hpack_size.cc',
'test/core/end2end/tests/idempotent_request.cc',
@ -2503,7 +2504,6 @@ Pod::Spec.new do |s|
'test/core/end2end/tests/retry_transparent_goaway.cc',
'test/core/end2end/tests/retry_transparent_max_concurrent_streams.cc',
'test/core/end2end/tests/retry_transparent_not_sent_on_wire.cc',
'test/core/end2end/tests/sdk_authz.cc',
'test/core/end2end/tests/server_finishes_request.cc',
'test/core/end2end/tests/server_streaming.cc',
'test/core/end2end/tests/shutdown_finishes_calls.cc',

4
grpc.gemspec generated

@ -1250,12 +1250,12 @@ Gem::Specification.new do |s|
s.files += %w( src/core/lib/security/authorization/evaluate_args.h )
s.files += %w( src/core/lib/security/authorization/grpc_authorization_engine.cc )
s.files += %w( src/core/lib/security/authorization/grpc_authorization_engine.h )
s.files += %w( src/core/lib/security/authorization/grpc_server_authz_filter.cc )
s.files += %w( src/core/lib/security/authorization/grpc_server_authz_filter.h )
s.files += %w( src/core/lib/security/authorization/matchers.cc )
s.files += %w( src/core/lib/security/authorization/matchers.h )
s.files += %w( src/core/lib/security/authorization/rbac_policy.cc )
s.files += %w( src/core/lib/security/authorization/rbac_policy.h )
s.files += %w( src/core/lib/security/authorization/sdk_server_authz_filter.cc )
s.files += %w( src/core/lib/security/authorization/sdk_server_authz_filter.h )
s.files += %w( src/core/lib/security/context/security_context.cc )
s.files += %w( src/core/lib/security/context/security_context.h )
s.files += %w( src/core/lib/security/credentials/alts/alts_credentials.cc )

6
grpc.gyp generated

@ -329,6 +329,7 @@
'test/core/end2end/tests/filter_latency.cc',
'test/core/end2end/tests/filter_status_code.cc',
'test/core/end2end/tests/graceful_server_shutdown.cc',
'test/core/end2end/tests/grpc_authz.cc',
'test/core/end2end/tests/high_initial_seqno.cc',
'test/core/end2end/tests/hpack_size.cc',
'test/core/end2end/tests/idempotent_request.cc',
@ -381,7 +382,6 @@
'test/core/end2end/tests/retry_transparent_goaway.cc',
'test/core/end2end/tests/retry_transparent_max_concurrent_streams.cc',
'test/core/end2end/tests/retry_transparent_not_sent_on_wire.cc',
'test/core/end2end/tests/sdk_authz.cc',
'test/core/end2end/tests/server_finishes_request.cc',
'test/core/end2end/tests/server_streaming.cc',
'test/core/end2end/tests/shutdown_finishes_calls.cc',
@ -1015,9 +1015,9 @@
'src/core/lib/security/authorization/authorization_policy_provider_vtable.cc',
'src/core/lib/security/authorization/evaluate_args.cc',
'src/core/lib/security/authorization/grpc_authorization_engine.cc',
'src/core/lib/security/authorization/grpc_server_authz_filter.cc',
'src/core/lib/security/authorization/matchers.cc',
'src/core/lib/security/authorization/rbac_policy.cc',
'src/core/lib/security/authorization/sdk_server_authz_filter.cc',
'src/core/lib/security/context/security_context.cc',
'src/core/lib/security/credentials/alts/alts_credentials.cc',
'src/core/lib/security/credentials/alts/check_gcp_environment.cc',
@ -1482,7 +1482,7 @@
'src/core/lib/resource_quota/trace.cc',
'src/core/lib/security/authorization/authorization_policy_provider_vtable.cc',
'src/core/lib/security/authorization/evaluate_args.cc',
'src/core/lib/security/authorization/sdk_server_authz_filter.cc',
'src/core/lib/security/authorization/grpc_server_authz_filter.cc',
'src/core/lib/security/context/security_context.cc',
'src/core/lib/security/credentials/composite/composite_credentials.cc',
'src/core/lib/security/credentials/credentials.cc',

@ -1192,9 +1192,9 @@ typedef struct grpc_authorization_policy_provider
/**
* EXPERIMENTAL - Subject to change.
* Creates a grpc_authorization_policy_provider using SDK authorization policy
* Creates a grpc_authorization_policy_provider using gRPC authorization policy
* from static string.
* - authz_policy is the input SDK authorization policy.
* - authz_policy is the input gRPC authorization policy.
* - code is the error status code on failure. On success, it equals
* GRPC_STATUS_OK.
* - error_details contains details about the error if any. If the
@ -1208,9 +1208,9 @@ grpc_authorization_policy_provider_static_data_create(
/**
* EXPERIMENTAL - Subject to change.
* Creates a grpc_authorization_policy_provider by watching for SDK
* Creates a grpc_authorization_policy_provider by watching for gRPC
* authorization policy changes in filesystem.
* - authz_policy is the file path of SDK authorization policy.
* - authz_policy is the file path of gRPC authorization policy.
* - refresh_interval_sec is the amount of time the internal thread would wait
* before checking for file updates.
* - code is the error status code on failure. On success, it equals

4
package.xml generated

@ -1230,12 +1230,12 @@
<file baseinstalldir="/" name="src/core/lib/security/authorization/evaluate_args.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/authorization/grpc_authorization_engine.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/authorization/grpc_authorization_engine.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/authorization/grpc_server_authz_filter.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/authorization/grpc_server_authz_filter.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/authorization/matchers.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/authorization/matchers.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/authorization/rbac_policy.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/authorization/rbac_policy.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/authorization/sdk_server_authz_filter.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/authorization/sdk_server_authz_filter.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/context/security_context.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/context/security_context.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/alts/alts_credentials.cc" role="src" />

@ -25,7 +25,7 @@
namespace grpc_core {
extern TraceFlag grpc_sdk_authz_trace;
extern TraceFlag grpc_authz_trace;
absl::StatusOr<RefCountedPtr<grpc_authorization_policy_provider>>
StaticDataAuthorizationPolicyProvider::Create(absl::string_view authz_policy) {
@ -103,7 +103,7 @@ FileWatcherAuthorizationPolicyProvider::FileWatcherAuthorizationPolicyProvider(
return;
}
absl::Status status = provider->ForceUpdate();
if (GRPC_TRACE_FLAG_ENABLED(grpc_sdk_authz_trace) && !status.ok()) {
if (GRPC_TRACE_FLAG_ENABLED(grpc_authz_trace) && !status.ok()) {
gpr_log(GPR_ERROR,
"authorization policy reload status. code=%d error_details=%s",
status.code(), std::string(status.message()).c_str());
@ -135,7 +135,7 @@ absl::Status FileWatcherAuthorizationPolicyProvider::ForceUpdate() {
std::move(rbac_policies_or->allow_policy));
deny_engine_ = MakeRefCounted<GrpcAuthorizationEngine>(
std::move(rbac_policies_or->deny_policy));
if (GRPC_TRACE_FLAG_ENABLED(grpc_sdk_authz_trace)) {
if (GRPC_TRACE_FLAG_ENABLED(grpc_authz_trace)) {
gpr_log(GPR_INFO,
"authorization policy reload status: successfully loaded new "
"policy\n%s",
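Review bot: In the constructor hunk (`@ -103,7 +103,7 @`), a failed policy reload is still logged only when the tracer is on (`if (GRPC_TRACE_FLAG_ENABLED(grpc_authz_trace) && !status.ok())`), so with default settings a policy file that fails to load or translate produces no log line, and presumably the previously loaded engines stay in effect. Since the line is being touched anyway, consider reporting the failure unconditionally, `if (!status.ok()) { gpr_log(GPR_ERROR, ...); }`, and keeping only the success message in `ForceUpdate()` behind the flag; that success message prints the whole policy text at INFO, which is worth a one-line comment for operators who ship logs off-host. Both enclosing functions start and end outside the visible hunks, so whether the error is surfaced to the application by another path cannot be confirmed from here.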

@ -28,7 +28,7 @@
namespace grpc_core {
// Provider class will get SDK Authorization policy from string during
// Provider class will get gRPC Authorization policy from string during
// initialization. This policy will be translated to Envoy RBAC policies and
// used to initialize allow and deny AuthorizationEngine objects. This provider
// will return the same authorization engines everytime.
@ -53,7 +53,7 @@ class StaticDataAuthorizationPolicyProvider
RefCountedPtr<AuthorizationEngine> deny_engine_;
};
// Provider class will get SDK Authorization policy from provided file path.
// Provider class will get gRPC Authorization policy from provided file path.
// This policy will be translated to Envoy RBAC policies and used to initialize
// allow and deny AuthorizationEngine objects. This provider will periodically
// load file contents in specified path, and upon modification update the engine

@ -14,7 +14,7 @@
#include <grpc/support/port_platform.h>
#include "src/core/lib/security/authorization/sdk_server_authz_filter.h"
#include "src/core/lib/security/authorization/grpc_server_authz_filter.h"
#include "src/core/lib/channel/promise_based_filter.h"
#include "src/core/lib/security/authorization/evaluate_args.h"
@ -22,16 +22,16 @@
namespace grpc_core {
TraceFlag grpc_sdk_authz_trace(false, "sdk_authz");
TraceFlag grpc_authz_trace(false, "grpc_authz_api");
SdkServerAuthzFilter::SdkServerAuthzFilter(
GrpcServerAuthzFilter::GrpcServerAuthzFilter(
RefCountedPtr<grpc_auth_context> auth_context, grpc_endpoint* endpoint,
RefCountedPtr<grpc_authorization_policy_provider> provider)
: auth_context_(std::move(auth_context)),
per_channel_evaluate_args_(auth_context_.get(), endpoint),
provider_(std::move(provider)) {}
absl::StatusOr<SdkServerAuthzFilter> SdkServerAuthzFilter::Create(
absl::StatusOr<GrpcServerAuthzFilter> GrpcServerAuthzFilter::Create(
const grpc_channel_args* args) {
grpc_auth_context* auth_context = grpc_find_auth_context_in_args(args);
grpc_authorization_policy_provider* provider =
@ -40,18 +40,18 @@ absl::StatusOr<SdkServerAuthzFilter> SdkServerAuthzFilter::Create(
if (provider == nullptr) {
return absl::InvalidArgumentError("Failed to get authorization provider.");
}
// grpc_endpoint isn't needed because the current SDK authorization policy
// grpc_endpoint isn't needed because the current gRPC authorization policy
// does not support any rules that requires looking for source or destination
// addresses.
return SdkServerAuthzFilter(
return GrpcServerAuthzFilter(
auth_context != nullptr ? auth_context->Ref() : nullptr,
/*endpoint=*/nullptr, provider->Ref());
}
bool SdkServerAuthzFilter::IsAuthorized(
bool GrpcServerAuthzFilter::IsAuthorized(
const ClientInitialMetadata& initial_metadata) {
EvaluateArgs args(initial_metadata.get(), &per_channel_evaluate_args_);
if (GRPC_TRACE_FLAG_ENABLED(grpc_sdk_authz_trace)) {
if (GRPC_TRACE_FLAG_ENABLED(grpc_authz_trace)) {
gpr_log(GPR_DEBUG,
"checking request: url_path=%s, transport_security_type=%s, "
"uri_sans=[%s], dns_sans=[%s], subject=%s",
@ -67,7 +67,7 @@ bool SdkServerAuthzFilter::IsAuthorized(
AuthorizationEngine::Decision decision =
engines.deny_engine->Evaluate(args);
if (decision.type == AuthorizationEngine::Decision::Type::kDeny) {
if (GRPC_TRACE_FLAG_ENABLED(grpc_sdk_authz_trace)) {
if (GRPC_TRACE_FLAG_ENABLED(grpc_authz_trace)) {
gpr_log(GPR_INFO, "chand=%p: request denied by policy %s.", this,
decision.matching_policy_name.c_str());
}
@ -78,21 +78,21 @@ bool SdkServerAuthzFilter::IsAuthorized(
AuthorizationEngine::Decision decision =
engines.allow_engine->Evaluate(args);
if (decision.type == AuthorizationEngine::Decision::Type::kAllow) {
if (GRPC_TRACE_FLAG_ENABLED(grpc_sdk_authz_trace)) {
if (GRPC_TRACE_FLAG_ENABLED(grpc_authz_trace)) {
gpr_log(GPR_DEBUG, "chand=%p: request allowed by policy %s.", this,
decision.matching_policy_name.c_str());
}
return true;
}
}
if (GRPC_TRACE_FLAG_ENABLED(grpc_sdk_authz_trace)) {
if (GRPC_TRACE_FLAG_ENABLED(grpc_authz_trace)) {
gpr_log(GPR_INFO, "chand=%p: request denied, no matching policy found.",
this);
}
return false;
}
ArenaPromise<TrailingMetadata> SdkServerAuthzFilter::MakeCallPromise(
ArenaPromise<TrailingMetadata> GrpcServerAuthzFilter::MakeCallPromise(
ClientInitialMetadata initial_metadata,
NextPromiseFactory next_promise_factory) {
if (!IsAuthorized(initial_metadata)) {
@ -102,8 +102,8 @@ ArenaPromise<TrailingMetadata> SdkServerAuthzFilter::MakeCallPromise(
return next_promise_factory(std::move(initial_metadata));
}
const grpc_channel_filter SdkServerAuthzFilter::kFilterVtable =
MakePromiseBasedFilter<SdkServerAuthzFilter, FilterEndpoint::kServer>(
"sdk-server-authz");
const grpc_channel_filter GrpcServerAuthzFilter::kFilterVtable =
MakePromiseBasedFilter<GrpcServerAuthzFilter, FilterEndpoint::kServer>(
"grpc-server-authz");
} // namespace grpc_core

@ -12,8 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_SDK_SERVER_AUTHZ_FILTER_H
#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_SDK_SERVER_AUTHZ_FILTER_H
#ifndef GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_SERVER_AUTHZ_FILTER_H
#define GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_SERVER_AUTHZ_FILTER_H
#include <grpc/support/port_platform.h>
@ -22,11 +22,11 @@
namespace grpc_core {
class SdkServerAuthzFilter {
class GrpcServerAuthzFilter {
public:
static const grpc_channel_filter kFilterVtable;
static absl::StatusOr<SdkServerAuthzFilter> Create(
static absl::StatusOr<GrpcServerAuthzFilter> Create(
const grpc_channel_args* args);
ArenaPromise<TrailingMetadata> MakeCallPromise(
@ -34,7 +34,7 @@ class SdkServerAuthzFilter {
NextPromiseFactory next_promise_factory);
private:
SdkServerAuthzFilter(
GrpcServerAuthzFilter(
RefCountedPtr<grpc_auth_context> auth_context, grpc_endpoint* endpoint,
RefCountedPtr<grpc_authorization_policy_provider> provider);
@ -47,4 +47,4 @@ class SdkServerAuthzFilter {
} // namespace grpc_core
#endif // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_SDK_SERVER_AUTHZ_FILTER_H
#endif // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_GRPC_SERVER_AUTHZ_FILTER_H

@ -319,7 +319,7 @@ absl::StatusOr<RbacPolicies> GenerateRbacPolicies(
Json json = Json::Parse(authz_policy, &error);
if (error != GRPC_ERROR_NONE) {
absl::Status status = absl::InvalidArgumentError(
absl::StrCat("Failed to parse SDK authorization policy. Error: ",
absl::StrCat("Failed to parse gRPC authorization policy. Error: ",
grpc_error_std_string(error)));
GRPC_ERROR_UNREF(error);
return status;

@ -46,7 +46,7 @@
#include "src/core/lib/iomgr/iomgr.h"
#include "src/core/lib/iomgr/timer_manager.h"
#include "src/core/lib/profiling/timers.h"
#include "src/core/lib/security/authorization/sdk_server_authz_filter.h"
#include "src/core/lib/security/authorization/grpc_server_authz_filter.h"
#include "src/core/lib/security/context/security_context.h"
#include "src/core/lib/security/credentials/credentials.h"
#include "src/core/lib/security/credentials/plugin/plugin_credentials.h"
@ -104,14 +104,14 @@ static bool maybe_prepend_server_auth_filter(
return true;
}
static bool maybe_prepend_sdk_server_authz_filter(
static bool maybe_prepend_grpc_server_authz_filter(
grpc_core::ChannelStackBuilder* builder) {
const grpc_channel_args* args = builder->channel_args();
const auto* provider =
grpc_channel_args_find_pointer<grpc_authorization_policy_provider>(
args, GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER);
if (provider != nullptr) {
builder->PrependFilter(&grpc_core::SdkServerAuthzFilter::kFilterVtable,
builder->PrependFilter(&grpc_core::GrpcServerAuthzFilter::kFilterVtable,
nullptr);
}
return true;
@ -129,11 +129,11 @@ void RegisterSecurityFilters(CoreConfiguration::Builder* builder) {
maybe_prepend_client_auth_filter);
builder->channel_init()->RegisterStage(GRPC_SERVER_CHANNEL, INT_MAX - 1,
maybe_prepend_server_auth_filter);
// Register the SdkServerAuthzFilter with a priority less than
// server_auth_filter to allow server_auth_filter on which the sdk filter
// Register the GrpcServerAuthzFilter with a priority less than
// server_auth_filter to allow server_auth_filter on which the grpc filter
// depends on to be higher on the channel stack.
builder->channel_init()->RegisterStage(GRPC_SERVER_CHANNEL, INT_MAX - 2,
maybe_prepend_sdk_server_authz_filter);
builder->channel_init()->RegisterStage(
GRPC_SERVER_CHANNEL, INT_MAX - 2, maybe_prepend_grpc_server_authz_filter);
}
} // namespace grpc_core
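Review bot: The rewritten comment above the `INT_MAX - 2` registration in RegisterSecurityFilters now says "the grpc filter", which no longer identifies a particular filter because every filter in this file is a gRPC filter, and it keeps the doubled preposition "on which ... depends on". Since this ordering is the only place that records the authorization filter's dependency on server_auth_filter, I would spell it out: `// Register GrpcServerAuthzFilter at a lower priority than server_auth_filter, so that` / `// server_auth_filter, which the authz filter depends on, sits higher on the channel stack.` It may also be worth one line on `maybe_prepend_grpc_server_authz_filter` stating that the filter is only prepended when `GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER` is present in the channel args, so a server built without a provider has no authorization filter at all. RegisterSecurityFilters begins outside this hunk, so the other registrations were not reviewed.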

@ -596,9 +596,9 @@ CORE_SOURCE_FILES = [
'src/core/lib/security/authorization/authorization_policy_provider_vtable.cc',
'src/core/lib/security/authorization/evaluate_args.cc',
'src/core/lib/security/authorization/grpc_authorization_engine.cc',
'src/core/lib/security/authorization/grpc_server_authz_filter.cc',
'src/core/lib/security/authorization/matchers.cc',
'src/core/lib/security/authorization/rbac_policy.cc',
'src/core/lib/security/authorization/sdk_server_authz_filter.cc',
'src/core/lib/security/context/security_context.cc',
'src/core/lib/security/credentials/alts/alts_credentials.cc',
'src/core/lib/security/credentials/alts/check_gcp_environment.cc',

@ -81,6 +81,8 @@ extern void filter_status_code(grpc_end2end_test_config config);
extern void filter_status_code_pre_init(void);
extern void graceful_server_shutdown(grpc_end2end_test_config config);
extern void graceful_server_shutdown_pre_init(void);
extern void grpc_authz(grpc_end2end_test_config config);
extern void grpc_authz_pre_init(void);
extern void high_initial_seqno(grpc_end2end_test_config config);
extern void high_initial_seqno_pre_init(void);
extern void hpack_size(grpc_end2end_test_config config);
@ -185,8 +187,6 @@ extern void retry_transparent_max_concurrent_streams(grpc_end2end_test_config co
extern void retry_transparent_max_concurrent_streams_pre_init(void);
extern void retry_transparent_not_sent_on_wire(grpc_end2end_test_config config);
extern void retry_transparent_not_sent_on_wire_pre_init(void);
extern void sdk_authz(grpc_end2end_test_config config);
extern void sdk_authz_pre_init(void);
extern void server_finishes_request(grpc_end2end_test_config config);
extern void server_finishes_request_pre_init(void);
extern void server_streaming(grpc_end2end_test_config config);
@ -241,6 +241,7 @@ void grpc_end2end_tests_pre_init(void) {
filter_latency_pre_init();
filter_status_code_pre_init();
graceful_server_shutdown_pre_init();
grpc_authz_pre_init();
high_initial_seqno_pre_init();
hpack_size_pre_init();
idempotent_request_pre_init();
@ -293,7 +294,6 @@ void grpc_end2end_tests_pre_init(void) {
retry_transparent_goaway_pre_init();
retry_transparent_max_concurrent_streams_pre_init();
retry_transparent_not_sent_on_wire_pre_init();
sdk_authz_pre_init();
server_finishes_request_pre_init();
server_streaming_pre_init();
shutdown_finishes_calls_pre_init();
@ -342,6 +342,7 @@ void grpc_end2end_tests(int argc, char **argv,
filter_latency(config);
filter_status_code(config);
graceful_server_shutdown(config);
grpc_authz(config);
high_initial_seqno(config);
hpack_size(config);
idempotent_request(config);
@ -394,7 +395,6 @@ void grpc_end2end_tests(int argc, char **argv,
retry_transparent_goaway(config);
retry_transparent_max_concurrent_streams(config);
retry_transparent_not_sent_on_wire(config);
sdk_authz(config);
server_finishes_request(config);
server_streaming(config);
shutdown_finishes_calls(config);
@ -515,6 +515,10 @@ void grpc_end2end_tests(int argc, char **argv,
graceful_server_shutdown(config);
continue;
}
if (0 == strcmp("grpc_authz", argv[i])) {
grpc_authz(config);
continue;
}
if (0 == strcmp("high_initial_seqno", argv[i])) {
high_initial_seqno(config);
continue;
@ -723,10 +727,6 @@ void grpc_end2end_tests(int argc, char **argv,
retry_transparent_not_sent_on_wire(config);
continue;
}
if (0 == strcmp("sdk_authz", argv[i])) {
sdk_authz(config);
continue;
}
if (0 == strcmp("server_finishes_request", argv[i])) {
server_finishes_request(config);
continue;

@ -266,6 +266,7 @@ END2END_TESTS = {
"filter_init_fails": _test_options(),
"filter_context": _test_options(),
"graceful_server_shutdown": _test_options(exclude_inproc = True),
"grpc_authz": _test_options(secure = True),
"hpack_size": _test_options(
proxyable = False,
traceable = False,
@ -366,7 +367,6 @@ END2END_TESTS = {
# See b/151617965
short_name = "retry_transparent_mcs",
),
"sdk_authz": _test_options(secure = True),
"server_finishes_request": _test_options(),
"server_streaming": _test_options(needs_http2 = True),
"shutdown_finishes_calls": _test_options(),

@ -707,7 +707,7 @@ static void test_file_watcher_recovers_from_failure(
config.tear_down_data(&f);
}
void sdk_authz(grpc_end2end_test_config config) {
void grpc_authz(grpc_end2end_test_config config) {
test_static_init_allow_authorized_request(config);
test_static_init_deny_unauthorized_request(config);
test_static_init_deny_request_no_match_in_policy(config);
@ -719,4 +719,4 @@ void sdk_authz(grpc_end2end_test_config config) {
test_file_watcher_recovers_from_failure(config);
}
void sdk_authz_pre_init(void) {}
void grpc_authz_pre_init(void) {}

@ -62,7 +62,7 @@ TEST(GenerateRbacPoliciesTest, InvalidPolicy) {
EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
EXPECT_THAT(
std::string(rbac_policies.status().message()),
::testing::StartsWith("Failed to parse SDK authorization policy."));
::testing::StartsWith("Failed to parse gRPC authorization policy."));
}
TEST(GenerateRbacPoliciesTest, MissingAuthorizationPolicyName) {

@ -853,8 +853,8 @@ grpc_cc_test(
)
grpc_cc_test(
name = "sdk_authz_end2end_test",
srcs = ["sdk_authz_end2end_test.cc"],
name = "grpc_authz_end2end_test",
srcs = ["grpc_authz_end2end_test.cc"],
data = [
"//src/core/tsi/test_creds:ca.pem",
"//src/core/tsi/test_creds:client.key",

@ -53,9 +53,9 @@ std::string ReadFile(const char* file_path) {
return file_contents;
}
class SdkAuthzEnd2EndTest : public ::testing::Test {
class GrpcAuthzEnd2EndTest : public ::testing::Test {
protected:
SdkAuthzEnd2EndTest()
GrpcAuthzEnd2EndTest()
: server_address_(
absl::StrCat("localhost:", grpc_pick_unused_port_or_die())) {
std::string root_cert = ReadFile(kCaCertPath);
@ -83,7 +83,7 @@ class SdkAuthzEnd2EndTest : public ::testing::Test {
channel_creds_ = grpc::experimental::TlsCredentials(channel_options);
}
~SdkAuthzEnd2EndTest() override { server_->Shutdown(); }
~GrpcAuthzEnd2EndTest() override { server_->Shutdown(); }
// Replaces existing credentials with insecure credentials.
void UseInsecureCredentials() {
@ -91,7 +91,7 @@ class SdkAuthzEnd2EndTest : public ::testing::Test {
channel_creds_ = InsecureChannelCredentials();
}
// Creates server with sdk authorization enabled when provider is not null.
// Creates server with gRPC authorization enabled when provider is not null.
void InitServer(
std::shared_ptr<experimental::AuthorizationPolicyProviderInterface>
provider) {
@ -145,7 +145,7 @@ class SdkAuthzEnd2EndTest : public ::testing::Test {
std::shared_ptr<ChannelCredentials> channel_creds_;
};
TEST_F(SdkAuthzEnd2EndTest,
TEST_F(GrpcAuthzEnd2EndTest,
StaticInitAllowsRpcRequestNoMatchInDenyMatchInAllow) {
std::string policy =
"{"
@ -193,7 +193,7 @@ TEST_F(SdkAuthzEnd2EndTest,
EXPECT_EQ(resp.message(), kMessage);
}
TEST_F(SdkAuthzEnd2EndTest, StaticInitDeniesRpcRequestNoMatchInAllowAndDeny) {
TEST_F(GrpcAuthzEnd2EndTest, StaticInitDeniesRpcRequestNoMatchInAllowAndDeny) {
std::string policy =
"{"
" \"name\": \"authz\","
@ -228,7 +228,8 @@ TEST_F(SdkAuthzEnd2EndTest, StaticInitDeniesRpcRequestNoMatchInAllowAndDeny) {
EXPECT_TRUE(resp.message().empty());
}
TEST_F(SdkAuthzEnd2EndTest, StaticInitDeniesRpcRequestMatchInDenyMatchInAllow) {
TEST_F(GrpcAuthzEnd2EndTest,
StaticInitDeniesRpcRequestMatchInDenyMatchInAllow) {
std::string policy =
"{"
" \"name\": \"authz\","
@ -258,7 +259,7 @@ TEST_F(SdkAuthzEnd2EndTest, StaticInitDeniesRpcRequestMatchInDenyMatchInAllow) {
EXPECT_TRUE(resp.message().empty());
}
TEST_F(SdkAuthzEnd2EndTest,
TEST_F(GrpcAuthzEnd2EndTest,
StaticInitDeniesRpcRequestMatchInDenyNoMatchInAllow) {
std::string policy =
"{"
@ -294,7 +295,7 @@ TEST_F(SdkAuthzEnd2EndTest,
EXPECT_TRUE(resp.message().empty());
}
TEST_F(SdkAuthzEnd2EndTest, StaticInitAllowsRpcRequestEmptyDenyMatchInAllow) {
TEST_F(GrpcAuthzEnd2EndTest, StaticInitAllowsRpcRequestEmptyDenyMatchInAllow) {
std::string policy =
"{"
" \"name\": \"authz\","
@ -331,7 +332,8 @@ TEST_F(SdkAuthzEnd2EndTest, StaticInitAllowsRpcRequestEmptyDenyMatchInAllow) {
EXPECT_EQ(resp.message(), kMessage);
}
TEST_F(SdkAuthzEnd2EndTest, StaticInitDeniesRpcRequestEmptyDenyNoMatchInAllow) {
TEST_F(GrpcAuthzEnd2EndTest,
StaticInitDeniesRpcRequestEmptyDenyNoMatchInAllow) {
std::string policy =
"{"
" \"name\": \"authz\","
@ -364,7 +366,7 @@ TEST_F(SdkAuthzEnd2EndTest, StaticInitDeniesRpcRequestEmptyDenyNoMatchInAllow) {
}
TEST_F(
SdkAuthzEnd2EndTest,
GrpcAuthzEnd2EndTest,
StaticInitDeniesRpcRequestWithPrincipalsFieldOnUnauthenticatedConnection) {
std::string policy =
"{"
@ -389,7 +391,7 @@ TEST_F(
EXPECT_TRUE(resp.message().empty());
}
TEST_F(SdkAuthzEnd2EndTest,
TEST_F(GrpcAuthzEnd2EndTest,
StaticInitAllowsRpcRequestWithPrincipalsFieldOnAuthenticatedConnection) {
std::string policy =
"{"
@ -412,7 +414,7 @@ TEST_F(SdkAuthzEnd2EndTest,
EXPECT_EQ(resp.message(), kMessage);
}
TEST_F(SdkAuthzEnd2EndTest,
TEST_F(GrpcAuthzEnd2EndTest,
FileWatcherInitAllowsRpcRequestNoMatchInDenyMatchInAllow) {
std::string policy =
"{"
@ -461,7 +463,7 @@ TEST_F(SdkAuthzEnd2EndTest,
EXPECT_EQ(resp.message(), kMessage);
}
TEST_F(SdkAuthzEnd2EndTest,
TEST_F(GrpcAuthzEnd2EndTest,
FileWatcherInitDeniesRpcRequestNoMatchInAllowAndDeny) {
std::string policy =
"{"
@ -498,7 +500,7 @@ TEST_F(SdkAuthzEnd2EndTest,
EXPECT_TRUE(resp.message().empty());
}
TEST_F(SdkAuthzEnd2EndTest,
TEST_F(GrpcAuthzEnd2EndTest,
FileWatcherInitDeniesRpcRequestMatchInDenyMatchInAllow) {
std::string policy =
"{"
@ -530,7 +532,7 @@ TEST_F(SdkAuthzEnd2EndTest,
EXPECT_TRUE(resp.message().empty());
}
TEST_F(SdkAuthzEnd2EndTest,
TEST_F(GrpcAuthzEnd2EndTest,
FileWatcherInitDeniesRpcRequestMatchInDenyNoMatchInAllow) {
std::string policy =
"{"
@ -567,7 +569,7 @@ TEST_F(SdkAuthzEnd2EndTest,
EXPECT_TRUE(resp.message().empty());
}
TEST_F(SdkAuthzEnd2EndTest,
TEST_F(GrpcAuthzEnd2EndTest,
FileWatcherInitAllowsRpcRequestEmptyDenyMatchInAllow) {
std::string policy =
"{"
@ -606,7 +608,7 @@ TEST_F(SdkAuthzEnd2EndTest,
EXPECT_EQ(resp.message(), kMessage);
}
TEST_F(SdkAuthzEnd2EndTest,
TEST_F(GrpcAuthzEnd2EndTest,
FileWatcherInitDeniesRpcRequestEmptyDenyNoMatchInAllow) {
std::string policy =
"{"
@ -640,7 +642,7 @@ TEST_F(SdkAuthzEnd2EndTest,
EXPECT_TRUE(resp.message().empty());
}
TEST_F(SdkAuthzEnd2EndTest, FileWatcherValidPolicyRefresh) {
TEST_F(GrpcAuthzEnd2EndTest, FileWatcherValidPolicyRefresh) {
std::string policy =
"{"
" \"name\": \"authz\","
@ -699,7 +701,7 @@ TEST_F(SdkAuthzEnd2EndTest, FileWatcherValidPolicyRefresh) {
EXPECT_TRUE(resp2.message().empty());
}
TEST_F(SdkAuthzEnd2EndTest, FileWatcherInvalidPolicyRefreshSkipsReload) {
TEST_F(GrpcAuthzEnd2EndTest, FileWatcherInvalidPolicyRefreshSkipsReload) {
std::string policy =
"{"
" \"name\": \"authz\","
@ -734,7 +736,7 @@ TEST_F(SdkAuthzEnd2EndTest, FileWatcherInvalidPolicyRefreshSkipsReload) {
EXPECT_EQ(resp2.message(), kMessage);
}
TEST_F(SdkAuthzEnd2EndTest, FileWatcherRecoversFromFailure) {
TEST_F(GrpcAuthzEnd2EndTest, FileWatcherRecoversFromFailure) {
std::string policy =
"{"
" \"name\": \"authz\","

@ -2229,12 +2229,12 @@ src/core/lib/security/authorization/evaluate_args.cc \
src/core/lib/security/authorization/evaluate_args.h \
src/core/lib/security/authorization/grpc_authorization_engine.cc \
src/core/lib/security/authorization/grpc_authorization_engine.h \
src/core/lib/security/authorization/grpc_server_authz_filter.cc \
src/core/lib/security/authorization/grpc_server_authz_filter.h \
src/core/lib/security/authorization/matchers.cc \
src/core/lib/security/authorization/matchers.h \
src/core/lib/security/authorization/rbac_policy.cc \
src/core/lib/security/authorization/rbac_policy.h \
src/core/lib/security/authorization/sdk_server_authz_filter.cc \
src/core/lib/security/authorization/sdk_server_authz_filter.h \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/context/security_context.h \
src/core/lib/security/credentials/alts/alts_credentials.cc \

@ -2024,12 +2024,12 @@ src/core/lib/security/authorization/evaluate_args.cc \
src/core/lib/security/authorization/evaluate_args.h \
src/core/lib/security/authorization/grpc_authorization_engine.cc \
src/core/lib/security/authorization/grpc_authorization_engine.h \
src/core/lib/security/authorization/grpc_server_authz_filter.cc \
src/core/lib/security/authorization/grpc_server_authz_filter.h \
src/core/lib/security/authorization/matchers.cc \
src/core/lib/security/authorization/matchers.h \
src/core/lib/security/authorization/rbac_policy.cc \
src/core/lib/security/authorization/rbac_policy.h \
src/core/lib/security/authorization/sdk_server_authz_filter.cc \
src/core/lib/security/authorization/sdk_server_authz_filter.h \
src/core/lib/security/context/security_context.cc \
src/core/lib/security/context/security_context.h \
src/core/lib/security/credentials/alts/alts_credentials.cc \

@ -4549,6 +4549,30 @@
],
"uses_polling": true
},
{
"args": [],
"benchmark": false,
"ci_platforms": [
"linux",
"mac",
"posix",
"windows"
],
"cpu_cost": 1.0,
"exclude_configs": [],
"exclude_iomgrs": [],
"flaky": false,
"gtest": true,
"language": "c++",
"name": "grpc_authz_end2end_test",
"platforms": [
"linux",
"mac",
"posix",
"windows"
],
"uses_polling": true
},
{
"args": [],
"benchmark": false,
@ -6121,30 +6145,6 @@
],
"uses_polling": true
},
{
"args": [],
"benchmark": false,
"ci_platforms": [
"linux",
"mac",
"posix",
"windows"
],
"cpu_cost": 1.0,
"exclude_configs": [],
"exclude_iomgrs": [],
"flaky": false,
"gtest": true,
"language": "c++",
"name": "sdk_authz_end2end_test",
"platforms": [
"linux",
"mac",
"posix",
"windows"
],
"uses_polling": true
},
{
"args": [],
"benchmark": false,
