diff --git a/BUILD b/BUILD index a08213fe96f..1a9fb581cb5 100644 --- a/BUILD +++ b/BUILD @@ -3059,7 +3059,6 @@ grpc_cc_library( language = "c++", deps = [ "gpr_base", - "grpc_base", "grpc_matchers", "grpc_rbac_engine", "grpc_secure", diff --git a/grpc.def b/grpc.def index 8c5d3d17407..c45009c63f9 100644 --- a/grpc.def +++ b/grpc.def @@ -162,7 +162,6 @@ EXPORTS grpc_xds_credentials_create grpc_xds_server_credentials_create grpc_authorization_policy_provider_static_data_create - grpc_authorization_policy_provider_file_watcher_create grpc_authorization_policy_provider_release grpc_raw_byte_buffer_create grpc_raw_compressed_byte_buffer_create diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index 2902100f1cb..9edd70f39d7 100644 --- a/include/grpc/grpc_security.h +++ b/include/grpc/grpc_security.h @@ -1109,24 +1109,6 @@ grpc_authorization_policy_provider_static_data_create( const char* authz_policy, grpc_status_code* code, const char** error_details); -/** - * EXPERIMENTAL - Subject to change. - * Creates a grpc_authorization_policy_provider by watching for SDK - * authorization policy changes in filesystem. - * - authz_policy is the file path of SDK authorization policy. - * - refresh_interval_sec is the amount of time the internal thread would wait - * before checking for file updates. - * - code is the error status code on failure. On success, it equals - * GRPC_STATUS_OK. - * - error_details contains details about the error if any. If the - * initialization is successful, it will be null. Caller must use gpr_free to - * destroy this string. - */ -GRPCAPI grpc_authorization_policy_provider* -grpc_authorization_policy_provider_file_watcher_create( - const char* authz_policy_path, unsigned int refresh_interval_sec, - grpc_status_code* code, const char** error_details); - /** * EXPERIMENTAL - Subject to change. * Releases grpc_authorization_policy_provider object. The creator of diff --git a/include/grpcpp/security/authorization_policy_provider.h b/include/grpcpp/security/authorization_policy_provider.h index 883dc1a03c7..b3258b2fa11 100644 --- a/include/grpcpp/security/authorization_policy_provider.h +++ b/include/grpcpp/security/authorization_policy_provider.h @@ -20,7 +20,7 @@ #include #include -// TODO(yihuazhang): remove the forward declarations here and include +// TODO(yihuazhang): remove the forward declaration here and include // directly once the insecure builds are cleaned up. typedef struct grpc_authorization_policy_provider grpc_authorization_policy_provider; @@ -61,31 +61,6 @@ class StaticDataAuthorizationPolicyProvider grpc_authorization_policy_provider* c_provider_ = nullptr; }; -// Implementation obtains authorization policy by watching for changes in -// filesystem. -class FileWatcherAuthorizationPolicyProvider - : public AuthorizationPolicyProviderInterface { - public: - static std::shared_ptr Create( - const std::string& authz_policy_path, unsigned int refresh_interval_sec, - grpc::Status* status); - - // Use factory method "Create" to create an instance of - // FileWatcherAuthorizationPolicyProvider. - explicit FileWatcherAuthorizationPolicyProvider( - grpc_authorization_policy_provider* provider) - : c_provider_(provider) {} - - ~FileWatcherAuthorizationPolicyProvider() override; - - grpc_authorization_policy_provider* c_provider() override { - return c_provider_; - } - - private: - grpc_authorization_policy_provider* c_provider_ = nullptr; -}; - } // namespace experimental } // namespace grpc diff --git a/src/core/lib/security/authorization/authorization_policy_provider.h b/src/core/lib/security/authorization/authorization_policy_provider.h index 7db900676bb..0268a2c5960 100644 --- a/src/core/lib/security/authorization/authorization_policy_provider.h +++ b/src/core/lib/security/authorization/authorization_policy_provider.h @@ -27,7 +27,7 @@ struct grpc_authorization_policy_provider grpc_core::RefCountedPtr allow_engine; grpc_core::RefCountedPtr deny_engine; }; - virtual AuthorizationEngines engines() = 0; + virtual AuthorizationEngines engines() const = 0; }; #endif // GRPC_CORE_LIB_SECURITY_AUTHORIZATION_AUTHORIZATION_POLICY_PROVIDER_H diff --git a/src/core/lib/security/authorization/grpc_authorization_engine.h b/src/core/lib/security/authorization/grpc_authorization_engine.h index 773dbd269c6..c482f79f92a 100644 --- a/src/core/lib/security/authorization/grpc_authorization_engine.h +++ b/src/core/lib/security/authorization/grpc_authorization_engine.h @@ -38,9 +38,6 @@ class GrpcAuthorizationEngine : public AuthorizationEngine { Rbac::Action action() { return action_; } - // Required only for testing purpose. - size_t num_policies() { return policies_.size(); } - // Evaluates incoming request against RBAC policy and makes a decision to // whether allow/deny this request. Decision Evaluate(const EvaluateArgs& args) const override; diff --git a/src/core/lib/security/authorization/grpc_authorization_policy_provider.cc b/src/core/lib/security/authorization/grpc_authorization_policy_provider.cc index c7236aac409..7a0c77e9f53 100644 --- a/src/core/lib/security/authorization/grpc_authorization_policy_provider.cc +++ b/src/core/lib/security/authorization/grpc_authorization_policy_provider.cc @@ -19,14 +19,10 @@ #include #include -#include "src/core/lib/iomgr/load_file.h" #include "src/core/lib/security/authorization/grpc_authorization_engine.h" -#include "src/core/lib/slice/slice_internal.h" namespace grpc_core { -extern TraceFlag grpc_sdk_authz_trace; - absl::StatusOr> StaticDataAuthorizationPolicyProvider::Create(absl::string_view authz_policy) { auto policies_or = GenerateRbacPolicies(authz_policy); @@ -44,113 +40,6 @@ StaticDataAuthorizationPolicyProvider::StaticDataAuthorizationPolicyProvider( deny_engine_(MakeRefCounted( std::move(policies.deny_policy))) {} -namespace { - -absl::StatusOr ReadPolicyFromFile(absl::string_view policy_path) { - grpc_slice policy_slice = grpc_empty_slice(); - grpc_error_handle error = - grpc_load_file(std::string(policy_path).c_str(), 0, &policy_slice); - if (error != GRPC_ERROR_NONE) { - absl::Status status = - absl::InvalidArgumentError(grpc_error_std_string(error)); - GRPC_ERROR_UNREF(error); - return status; - } - std::string policy_contents(StringViewFromSlice(policy_slice)); - grpc_slice_unref_internal(policy_slice); - return policy_contents; -} - -gpr_timespec TimeoutSecondsToDeadline(int64_t seconds) { - return gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC), - gpr_time_from_seconds(seconds, GPR_TIMESPAN)); -} - -} // namespace - -absl::StatusOr> -FileWatcherAuthorizationPolicyProvider::Create( - absl::string_view authz_policy_path, unsigned int refresh_interval_sec) { - GPR_ASSERT(!authz_policy_path.empty()); - GPR_ASSERT(refresh_interval_sec > 0); - absl::Status status; - auto provider = MakeRefCounted( - authz_policy_path, refresh_interval_sec, &status); - if (!status.ok()) return status; - return provider; -} - -FileWatcherAuthorizationPolicyProvider::FileWatcherAuthorizationPolicyProvider( - absl::string_view authz_policy_path, unsigned int refresh_interval_sec, - absl::Status* status) - : authz_policy_path_(std::string(authz_policy_path)), - refresh_interval_sec_(refresh_interval_sec) { - gpr_event_init(&shutdown_event_); - // Initial read is done synchronously. - *status = ForceUpdate(); - if (!status->ok()) { - return; - } - auto thread_lambda = [](void* arg) { - WeakRefCountedPtr provider( - static_cast(arg)); - GPR_ASSERT(provider != nullptr); - while (true) { - void* value = gpr_event_wait( - &provider->shutdown_event_, - TimeoutSecondsToDeadline(provider->refresh_interval_sec_)); - if (value != nullptr) { - return; - } - absl::Status status = provider->ForceUpdate(); - if (GRPC_TRACE_FLAG_ENABLED(grpc_sdk_authz_trace) && !status.ok()) { - gpr_log(GPR_ERROR, - "authorization policy reload status. code=%d error_details=%s", - status.code(), std::string(status.message()).c_str()); - } - } - }; - refresh_thread_ = absl::make_unique( - "FileWatcherAuthorizationPolicyProvider_refreshing_thread", thread_lambda, - WeakRef().release()); - refresh_thread_->Start(); -} - -absl::Status FileWatcherAuthorizationPolicyProvider::ForceUpdate() { - absl::StatusOr file_contents = - ReadPolicyFromFile(authz_policy_path_); - if (!file_contents.ok()) { - return file_contents.status(); - } - if (file_contents_ == *file_contents) { - return absl::OkStatus(); - } - file_contents_ = std::move(*file_contents); - auto rbac_policies_or = GenerateRbacPolicies(file_contents_); - if (!rbac_policies_or.ok()) { - return rbac_policies_or.status(); - } - grpc_core::MutexLock lock(&mu_); - allow_engine_ = MakeRefCounted( - std::move(rbac_policies_or->allow_policy)); - deny_engine_ = MakeRefCounted( - std::move(rbac_policies_or->deny_policy)); - if (GRPC_TRACE_FLAG_ENABLED(grpc_sdk_authz_trace)) { - gpr_log(GPR_INFO, - "authorization policy reload status: successfully loaded new " - "policy\n%s", - file_contents_.c_str()); - } - return absl::OkStatus(); -} - -void FileWatcherAuthorizationPolicyProvider::Orphan() { - gpr_event_set(&shutdown_event_, reinterpret_cast(1)); - if (refresh_thread_ != nullptr) { - refresh_thread_->Join(); - } -} - } // namespace grpc_core // Wrapper APIs declared in grpc_security.h @@ -168,22 +57,8 @@ grpc_authorization_policy_provider_static_data_create( gpr_strdup(std::string(provider_or.status().message()).c_str()); return nullptr; } - return provider_or->release(); -} - -grpc_authorization_policy_provider* -grpc_authorization_policy_provider_file_watcher_create( - const char* authz_policy_path, unsigned int refresh_interval_sec, - grpc_status_code* code, const char** error_details) { - GPR_ASSERT(authz_policy_path != nullptr); - auto provider_or = grpc_core::FileWatcherAuthorizationPolicyProvider::Create( - authz_policy_path, refresh_interval_sec); - if (!provider_or.ok()) { - *code = static_cast(provider_or.status().code()); - *error_details = - gpr_strdup(std::string(provider_or.status().message()).c_str()); - return nullptr; - } + *code = GRPC_STATUS_OK; + *error_details = nullptr; return provider_or->release(); } diff --git a/src/core/lib/security/authorization/grpc_authorization_policy_provider.h b/src/core/lib/security/authorization/grpc_authorization_policy_provider.h index 44b74a37895..4e80ac60b66 100644 --- a/src/core/lib/security/authorization/grpc_authorization_policy_provider.h +++ b/src/core/lib/security/authorization/grpc_authorization_policy_provider.h @@ -21,8 +21,6 @@ #include "absl/status/statusor.h" -#include "src/core/lib/gprpp/sync.h" -#include "src/core/lib/gprpp/thd.h" #include "src/core/lib/security/authorization/authorization_policy_provider.h" #include "src/core/lib/security/authorization/rbac_translator.h" @@ -38,11 +36,9 @@ class StaticDataAuthorizationPolicyProvider static absl::StatusOr> Create(absl::string_view authz_policy); - // Use factory method "Create" to create an instance of - // StaticDataAuthorizationPolicyProvider. explicit StaticDataAuthorizationPolicyProvider(RbacPolicies policies); - AuthorizationEngines engines() override { + AuthorizationEngines engines() const override { return {allow_engine_, deny_engine_}; } @@ -53,50 +49,8 @@ class StaticDataAuthorizationPolicyProvider RefCountedPtr deny_engine_; }; -// Provider class will get SDK Authorization policy from provided file path. -// This policy will be translated to Envoy RBAC policies and used to initialize -// allow and deny AuthorizationEngine objects. This provider will periodically -// load file contents in specified path, and upon modification update the engine -// instances with new policy configuration. During reload if the file contents -// are invalid or there are I/O errors, we will skip that particular update and -// log error status. The authorization decisions will be made using the latest -// valid policy. -class FileWatcherAuthorizationPolicyProvider - : public grpc_authorization_policy_provider { - public: - static absl::StatusOr> - Create(absl::string_view authz_policy_path, - unsigned int refresh_interval_sec); - - // Use factory method "Create" to create an instance of - // FileWatcherAuthorizationPolicyProvider. - FileWatcherAuthorizationPolicyProvider(absl::string_view authz_policy_path, - unsigned int refresh_interval_sec, - absl::Status* status); - - void Orphan() override; - - AuthorizationEngines engines() override { - grpc_core::MutexLock lock(&mu_); - return {allow_engine_, deny_engine_}; - } - - private: - // Force an update from the file system regardless of the interval. - absl::Status ForceUpdate(); - - std::string authz_policy_path_; - std::string file_contents_; - unsigned int refresh_interval_sec_; - - std::unique_ptr refresh_thread_; - gpr_event shutdown_event_; - - grpc_core::Mutex mu_; - // Engines created using authz_policy_. - RefCountedPtr allow_engine_ ABSL_GUARDED_BY(mu_); - RefCountedPtr deny_engine_ ABSL_GUARDED_BY(mu_); -}; +// TODO(ashithasantosh): Add implementation for file watcher authorization +// policy provider. } // namespace grpc_core diff --git a/src/cpp/server/authorization_policy_provider.cc b/src/cpp/server/authorization_policy_provider.cc index 8dab33ddc3e..e5b51a59446 100644 --- a/src/cpp/server/authorization_policy_provider.cc +++ b/src/cpp/server/authorization_policy_provider.cc @@ -14,7 +14,6 @@ #include #include -#include #include namespace grpc { @@ -23,7 +22,7 @@ namespace experimental { std::shared_ptr StaticDataAuthorizationPolicyProvider::Create(const std::string& authz_policy, grpc::Status* status) { - grpc_status_code code = GRPC_STATUS_OK; + grpc_status_code code; const char* error_details; grpc_authorization_policy_provider* provider = grpc_authorization_policy_provider_static_data_create( @@ -42,28 +41,5 @@ StaticDataAuthorizationPolicyProvider:: grpc_authorization_policy_provider_release(c_provider_); } -std::shared_ptr -FileWatcherAuthorizationPolicyProvider::Create( - const std::string& authz_policy_path, unsigned int refresh_interval_sec, - grpc::Status* status) { - grpc_status_code code = GRPC_STATUS_OK; - const char* error_details; - grpc_authorization_policy_provider* provider = - grpc_authorization_policy_provider_file_watcher_create( - authz_policy_path.c_str(), refresh_interval_sec, &code, - &error_details); - if (code != GRPC_STATUS_OK) { - *status = grpc::Status(static_cast(code), error_details); - gpr_free(const_cast(error_details)); - return nullptr; - } - return std::make_shared(provider); -} - -FileWatcherAuthorizationPolicyProvider:: - ~FileWatcherAuthorizationPolicyProvider() { - grpc_authorization_policy_provider_release(c_provider_); -} - } // namespace experimental } // namespace grpc diff --git a/src/ruby/ext/grpc/rb_grpc_imports.generated.c b/src/ruby/ext/grpc/rb_grpc_imports.generated.c index 874a5e9e9f7..d5683ecb4ca 100644 --- a/src/ruby/ext/grpc/rb_grpc_imports.generated.c +++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.c @@ -185,7 +185,6 @@ grpc_tls_server_authorization_check_config_release_type grpc_tls_server_authoriz grpc_xds_credentials_create_type grpc_xds_credentials_create_import; grpc_xds_server_credentials_create_type grpc_xds_server_credentials_create_import; grpc_authorization_policy_provider_static_data_create_type grpc_authorization_policy_provider_static_data_create_import; -grpc_authorization_policy_provider_file_watcher_create_type grpc_authorization_policy_provider_file_watcher_create_import; grpc_authorization_policy_provider_release_type grpc_authorization_policy_provider_release_import; grpc_raw_byte_buffer_create_type grpc_raw_byte_buffer_create_import; grpc_raw_compressed_byte_buffer_create_type grpc_raw_compressed_byte_buffer_create_import; @@ -475,7 +474,6 @@ void grpc_rb_load_imports(HMODULE library) { grpc_xds_credentials_create_import = (grpc_xds_credentials_create_type) GetProcAddress(library, "grpc_xds_credentials_create"); grpc_xds_server_credentials_create_import = (grpc_xds_server_credentials_create_type) GetProcAddress(library, "grpc_xds_server_credentials_create"); grpc_authorization_policy_provider_static_data_create_import = (grpc_authorization_policy_provider_static_data_create_type) GetProcAddress(library, "grpc_authorization_policy_provider_static_data_create"); - grpc_authorization_policy_provider_file_watcher_create_import = (grpc_authorization_policy_provider_file_watcher_create_type) GetProcAddress(library, "grpc_authorization_policy_provider_file_watcher_create"); grpc_authorization_policy_provider_release_import = (grpc_authorization_policy_provider_release_type) GetProcAddress(library, "grpc_authorization_policy_provider_release"); grpc_raw_byte_buffer_create_import = (grpc_raw_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_byte_buffer_create"); grpc_raw_compressed_byte_buffer_create_import = (grpc_raw_compressed_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_compressed_byte_buffer_create"); diff --git a/src/ruby/ext/grpc/rb_grpc_imports.generated.h b/src/ruby/ext/grpc/rb_grpc_imports.generated.h index 4667bce7a43..7e5c21ada7e 100644 --- a/src/ruby/ext/grpc/rb_grpc_imports.generated.h +++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.h @@ -530,9 +530,6 @@ extern grpc_xds_server_credentials_create_type grpc_xds_server_credentials_creat typedef grpc_authorization_policy_provider*(*grpc_authorization_policy_provider_static_data_create_type)(const char* authz_policy, grpc_status_code* code, const char** error_details); extern grpc_authorization_policy_provider_static_data_create_type grpc_authorization_policy_provider_static_data_create_import; #define grpc_authorization_policy_provider_static_data_create grpc_authorization_policy_provider_static_data_create_import -typedef grpc_authorization_policy_provider*(*grpc_authorization_policy_provider_file_watcher_create_type)(const char* authz_policy_path, unsigned int refresh_interval_sec, grpc_status_code* code, const char** error_details); -extern grpc_authorization_policy_provider_file_watcher_create_type grpc_authorization_policy_provider_file_watcher_create_import; -#define grpc_authorization_policy_provider_file_watcher_create grpc_authorization_policy_provider_file_watcher_create_import typedef void(*grpc_authorization_policy_provider_release_type)(grpc_authorization_policy_provider* provider); extern grpc_authorization_policy_provider_release_type grpc_authorization_policy_provider_release_import; #define grpc_authorization_policy_provider_release grpc_authorization_policy_provider_release_import diff --git a/test/core/end2end/tests/sdk_authz.cc b/test/core/end2end/tests/sdk_authz.cc index 19e228bd4d5..6ab5e0b3192 100644 --- a/test/core/end2end/tests/sdk_authz.cc +++ b/test/core/end2end/tests/sdk_authz.cc @@ -27,7 +27,6 @@ #include "src/core/lib/security/credentials/credentials.h" #include "test/core/end2end/cq_verifier.h" #include "test/core/end2end/end2end_tests.h" -#include "test/core/util/tls_utils.h" static void* tag(intptr_t t) { return reinterpret_cast(t); } @@ -85,7 +84,7 @@ static void end_test(grpc_end2end_test_fixture* f) { grpc_completion_queue_destroy(f->shutdown_cq); } -static void test_allow_authorized_request(grpc_end2end_test_fixture f) { +static void test_allow_authorized_request(grpc_end2end_test_config config) { grpc_call* c; grpc_call* s; grpc_op ops[6]; @@ -100,6 +99,36 @@ static void test_allow_authorized_request(grpc_end2end_test_fixture f) { grpc_slice details = grpc_empty_slice(); int was_cancelled = 2; + const char* authz_policy = + "{" + " \"name\": \"authz\"," + " \"allow_rules\": [" + " {" + " \"name\": \"allow_foo\"," + " \"request\": {" + " \"paths\": [" + " \"*/foo\"" + " ]" + " }" + " }" + " ]" + "}"; + grpc_status_code code; + const char* error_details; + grpc_authorization_policy_provider* provider = + grpc_authorization_policy_provider_static_data_create(authz_policy, &code, + &error_details); + GPR_ASSERT(GRPC_STATUS_OK == code); + grpc_arg args[] = { + grpc_channel_arg_pointer_create( + const_cast(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider, + grpc_authorization_policy_provider_arg_vtable()), + }; + grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; + + grpc_end2end_test_fixture f = begin_test( + config, "test_allow_authorized_request", nullptr, &server_args); + grpc_authorization_policy_provider_release(provider); cq_verifier* cqv = cq_verifier_create(f.cq); gpr_timespec deadline = five_seconds_from_now(); @@ -188,9 +217,12 @@ static void test_allow_authorized_request(grpc_end2end_test_fixture f) { grpc_call_unref(c); grpc_call_unref(s); cq_verifier_destroy(cqv); + + end_test(&f); + config.tear_down_data(&f); } -static void test_deny_unauthorized_request(grpc_end2end_test_fixture f) { +static void test_deny_unauthorized_request(grpc_end2end_test_config config) { grpc_call* c; grpc_op ops[6]; grpc_op* op; @@ -201,11 +233,51 @@ static void test_deny_unauthorized_request(grpc_end2end_test_fixture f) { grpc_call_error error; grpc_slice details = grpc_empty_slice(); + const char* authz_policy = + "{" + " \"name\": \"authz\"," + " \"allow_rules\": [" + " {" + " \"name\": \"allow_foo\"," + " \"request\": {" + " \"paths\": [" + " \"*/foo\"" + " ]" + " }" + " }" + " ]," + " \"deny_rules\": [" + " {" + " \"name\": \"deny_bar\"," + " \"request\": {" + " \"paths\": [" + " \"*/bar\"" + " ]" + " }" + " }" + " ]" + "}"; + grpc_status_code code; + const char* error_details; + grpc_authorization_policy_provider* provider = + grpc_authorization_policy_provider_static_data_create(authz_policy, &code, + &error_details); + GPR_ASSERT(GRPC_STATUS_OK == code); + grpc_arg args[] = { + grpc_channel_arg_pointer_create( + const_cast(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider, + grpc_authorization_policy_provider_arg_vtable()), + }; + grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; + + grpc_end2end_test_fixture f = begin_test( + config, "test_deny_unauthorized_request", nullptr, &server_args); + grpc_authorization_policy_provider_release(provider); cq_verifier* cqv = cq_verifier_create(f.cq); gpr_timespec deadline = five_seconds_from_now(); c = grpc_channel_create_call(f.client, nullptr, GRPC_PROPAGATE_DEFAULTS, f.cq, - grpc_slice_from_static_string("/foo"), nullptr, + grpc_slice_from_static_string("/bar"), nullptr, deadline, nullptr); GPR_ASSERT(c); @@ -253,270 +325,23 @@ static void test_deny_unauthorized_request(grpc_end2end_test_fixture f) { grpc_call_unref(c); cq_verifier_destroy(cqv); -} - -static void test_static_init_allow_authorized_request( - grpc_end2end_test_config config) { - const char* authz_policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_status_code code = GRPC_STATUS_OK; - const char* error_details; - grpc_authorization_policy_provider* provider = - grpc_authorization_policy_provider_static_data_create(authz_policy, &code, - &error_details); - GPR_ASSERT(GRPC_STATUS_OK == code); - grpc_arg args[] = { - grpc_channel_arg_pointer_create( - const_cast(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider, - grpc_authorization_policy_provider_arg_vtable()), - }; - grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; - - grpc_end2end_test_fixture f = - begin_test(config, "test_static_init_allow_authorized_request", nullptr, - &server_args); - grpc_authorization_policy_provider_release(provider); - test_allow_authorized_request(f); - - end_test(&f); - config.tear_down_data(&f); -} - -static void test_static_init_deny_unauthorized_request( - grpc_end2end_test_config config) { - const char* authz_policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_bar\"," - " \"request\": {" - " \"paths\": [" - " \"*/bar\"" - " ]" - " }" - " }" - " ]," - " \"deny_rules\": [" - " {" - " \"name\": \"deny_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_status_code code = GRPC_STATUS_OK; - const char* error_details; - grpc_authorization_policy_provider* provider = - grpc_authorization_policy_provider_static_data_create(authz_policy, &code, - &error_details); - GPR_ASSERT(GRPC_STATUS_OK == code); - grpc_arg args[] = { - grpc_channel_arg_pointer_create( - const_cast(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider, - grpc_authorization_policy_provider_arg_vtable()), - }; - grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; - - grpc_end2end_test_fixture f = - begin_test(config, "test_static_init_deny_unauthorized_request", nullptr, - &server_args); - grpc_authorization_policy_provider_release(provider); - test_deny_unauthorized_request(f); end_test(&f); config.tear_down_data(&f); } -static void test_static_init_deny_request_no_match_in_policy( +static void test_deny_request_no_match_in_policy( grpc_end2end_test_config config) { - const char* authz_policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_bar\"," - " \"request\": {" - " \"paths\": [" - " \"*/bar\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_status_code code = GRPC_STATUS_OK; - const char* error_details; - grpc_authorization_policy_provider* provider = - grpc_authorization_policy_provider_static_data_create(authz_policy, &code, - &error_details); - GPR_ASSERT(GRPC_STATUS_OK == code); - grpc_arg args[] = { - grpc_channel_arg_pointer_create( - const_cast(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider, - grpc_authorization_policy_provider_arg_vtable()), - }; - grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; - - grpc_end2end_test_fixture f = - begin_test(config, "test_static_init_deny_request_no_match_in_policy", - nullptr, &server_args); - grpc_authorization_policy_provider_release(provider); - test_deny_unauthorized_request(f); - - end_test(&f); - config.tear_down_data(&f); -} - -static void test_file_watcher_init_allow_authorized_request( - grpc_end2end_test_config config) { - const char* authz_policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(authz_policy); - grpc_status_code code = GRPC_STATUS_OK; - const char* error_details; - grpc_authorization_policy_provider* provider = - grpc_authorization_policy_provider_file_watcher_create( - tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code, - &error_details); - GPR_ASSERT(GRPC_STATUS_OK == code); - grpc_arg args[] = { - grpc_channel_arg_pointer_create( - const_cast(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider, - grpc_authorization_policy_provider_arg_vtable()), - }; - grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; - - grpc_end2end_test_fixture f = - begin_test(config, "test_file_watcher_init_allow_authorized_request", - nullptr, &server_args); - grpc_authorization_policy_provider_release(provider); - test_allow_authorized_request(f); - - end_test(&f); - config.tear_down_data(&f); -} - -static void test_file_watcher_init_deny_unauthorized_request( - grpc_end2end_test_config config) { - const char* authz_policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_bar\"," - " \"request\": {" - " \"paths\": [" - " \"*/bar\"" - " ]" - " }" - " }" - " ]," - " \"deny_rules\": [" - " {" - " \"name\": \"deny_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(authz_policy); - grpc_status_code code = GRPC_STATUS_OK; - const char* error_details; - grpc_authorization_policy_provider* provider = - grpc_authorization_policy_provider_file_watcher_create( - tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code, - &error_details); - GPR_ASSERT(GRPC_STATUS_OK == code); - grpc_arg args[] = { - grpc_channel_arg_pointer_create( - const_cast(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider, - grpc_authorization_policy_provider_arg_vtable()), - }; - grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; - - grpc_end2end_test_fixture f = - begin_test(config, "test_file_watcher_init_deny_unauthorized_request", - nullptr, &server_args); - grpc_authorization_policy_provider_release(provider); - test_deny_unauthorized_request(f); - - end_test(&f); - config.tear_down_data(&f); -} - -static void test_file_watcher_init_deny_request_no_match_in_policy( - grpc_end2end_test_config config) { - const char* authz_policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_bar\"," - " \"request\": {" - " \"paths\": [" - " \"*/bar\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(authz_policy); - grpc_status_code code = GRPC_STATUS_OK; - const char* error_details; - grpc_authorization_policy_provider* provider = - grpc_authorization_policy_provider_file_watcher_create( - tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code, - &error_details); - GPR_ASSERT(GRPC_STATUS_OK == code); - grpc_arg args[] = { - grpc_channel_arg_pointer_create( - const_cast(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider, - grpc_authorization_policy_provider_arg_vtable()), - }; - grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; - - grpc_end2end_test_fixture f = begin_test( - config, "test_file_watcher_init_deny_request_no_match_in_policy", nullptr, - &server_args); - grpc_authorization_policy_provider_release(provider); - test_deny_unauthorized_request(f); - - end_test(&f); - config.tear_down_data(&f); -} + grpc_call* c; + grpc_op ops[6]; + grpc_op* op; + grpc_metadata_array initial_metadata_recv; + grpc_metadata_array trailing_metadata_recv; + grpc_status_code status; + const char* error_string = nullptr; + grpc_call_error error; + grpc_slice details = grpc_empty_slice(); -static void test_file_watcher_valid_policy_reload( - grpc_end2end_test_config config) { const char* authz_policy = "{" " \"name\": \"authz\"," @@ -531,13 +356,11 @@ static void test_file_watcher_valid_policy_reload( " }" " ]" "}"; - grpc_core::testing::TmpFile tmp_policy(authz_policy); - grpc_status_code code = GRPC_STATUS_OK; + grpc_status_code code; const char* error_details; grpc_authorization_policy_provider* provider = - grpc_authorization_policy_provider_file_watcher_create( - tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code, - &error_details); + grpc_authorization_policy_provider_static_data_create(authz_policy, &code, + &error_details); GPR_ASSERT(GRPC_STATUS_OK == code); grpc_arg args[] = { grpc_channel_arg_pointer_create( @@ -547,176 +370,69 @@ static void test_file_watcher_valid_policy_reload( grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; grpc_end2end_test_fixture f = begin_test( - config, "test_file_watcher_valid_policy_reload", nullptr, &server_args); + config, "test_deny_request_no_match_in_policy", nullptr, &server_args); grpc_authorization_policy_provider_release(provider); - test_allow_authorized_request(f); - // Replace existing policy in file with a different authorization policy. - authz_policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_bar\"," - " \"request\": {" - " \"paths\": [" - " \"*/bar\"" - " ]" - " }" - " }" - " ]," - " \"deny_rules\": [" - " {" - " \"name\": \"deny_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]" - "}"; - tmp_policy.RewriteFile(authz_policy); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - test_deny_unauthorized_request(f); + cq_verifier* cqv = cq_verifier_create(f.cq); - end_test(&f); - config.tear_down_data(&f); -} + gpr_timespec deadline = five_seconds_from_now(); + c = grpc_channel_create_call(f.client, nullptr, GRPC_PROPAGATE_DEFAULTS, f.cq, + grpc_slice_from_static_string("/bar"), nullptr, + deadline, nullptr); + GPR_ASSERT(c); -static void test_file_watcher_invalid_policy_skip_reload( - grpc_end2end_test_config config) { - const char* authz_policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(authz_policy); - grpc_status_code code = GRPC_STATUS_OK; - const char* error_details; - grpc_authorization_policy_provider* provider = - grpc_authorization_policy_provider_file_watcher_create( - tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code, - &error_details); - GPR_ASSERT(GRPC_STATUS_OK == code); - grpc_arg args[] = { - grpc_channel_arg_pointer_create( - const_cast(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider, - grpc_authorization_policy_provider_arg_vtable()), - }; - grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; + grpc_metadata_array_init(&initial_metadata_recv); + grpc_metadata_array_init(&trailing_metadata_recv); - grpc_end2end_test_fixture f = - begin_test(config, "test_file_watcher_invalid_policy_skip_reload", - nullptr, &server_args); - grpc_authorization_policy_provider_release(provider); - test_allow_authorized_request(f); - // Replace exisiting policy in file with an invalid policy. - authz_policy = "{}"; - tmp_policy.RewriteFile(authz_policy); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - test_allow_authorized_request(f); + memset(ops, 0, sizeof(ops)); + op = ops; + op->op = GRPC_OP_SEND_INITIAL_METADATA; + op->data.send_initial_metadata.count = 0; + op->flags = 0; + op->reserved = nullptr; + op++; + op->op = GRPC_OP_SEND_CLOSE_FROM_CLIENT; + op->flags = 0; + op->reserved = nullptr; + op++; + op->op = GRPC_OP_RECV_INITIAL_METADATA; + op->data.recv_initial_metadata.recv_initial_metadata = &initial_metadata_recv; + op->flags = 0; + op->reserved = nullptr; + op++; + op->op = GRPC_OP_RECV_STATUS_ON_CLIENT; + op->data.recv_status_on_client.trailing_metadata = &trailing_metadata_recv; + op->data.recv_status_on_client.status = &status; + op->data.recv_status_on_client.status_details = &details; + op->data.recv_status_on_client.error_string = &error_string; + op->flags = 0; + op->reserved = nullptr; + op++; + error = grpc_call_start_batch(c, ops, static_cast(op - ops), tag(1), + nullptr); + GPR_ASSERT(GRPC_CALL_OK == error); + CQ_EXPECT_COMPLETION(cqv, tag(1), 1); + cq_verify(cqv); - end_test(&f); - config.tear_down_data(&f); -} + GPR_ASSERT(GRPC_STATUS_PERMISSION_DENIED == status); + GPR_ASSERT(0 == + grpc_slice_str_cmp(details, "Unauthorized RPC request rejected.")); -static void test_file_watcher_recovers_from_failure( - grpc_end2end_test_config config) { - const char* authz_policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(authz_policy); - grpc_status_code code = GRPC_STATUS_OK; - const char* error_details; - grpc_authorization_policy_provider* provider = - grpc_authorization_policy_provider_file_watcher_create( - tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code, - &error_details); - GPR_ASSERT(GRPC_STATUS_OK == code); - grpc_arg args[] = { - grpc_channel_arg_pointer_create( - const_cast(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider, - grpc_authorization_policy_provider_arg_vtable()), - }; - grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args}; + grpc_slice_unref(details); + gpr_free(const_cast(error_string)); + grpc_metadata_array_destroy(&initial_metadata_recv); + grpc_metadata_array_destroy(&trailing_metadata_recv); - grpc_end2end_test_fixture f = begin_test( - config, "test_file_watcher_valid_policy_reload", nullptr, &server_args); - grpc_authorization_policy_provider_release(provider); - test_allow_authorized_request(f); - // Replace exisiting policy in file with an invalid policy. - authz_policy = "{}"; - tmp_policy.RewriteFile(authz_policy); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - test_allow_authorized_request(f); - // Recover from reload errors, by replacing invalid policy in file with a - // valid policy. - authz_policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_bar\"," - " \"request\": {" - " \"paths\": [" - " \"*/bar\"" - " ]" - " }" - " }" - " ]," - " \"deny_rules\": [" - " {" - " \"name\": \"deny_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]" - "}"; - tmp_policy.RewriteFile(authz_policy); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - test_deny_unauthorized_request(f); + grpc_call_unref(c); + cq_verifier_destroy(cqv); end_test(&f); config.tear_down_data(&f); } void sdk_authz(grpc_end2end_test_config config) { - test_static_init_allow_authorized_request(config); - test_static_init_deny_unauthorized_request(config); - test_static_init_deny_request_no_match_in_policy(config); - test_file_watcher_init_allow_authorized_request(config); - test_file_watcher_init_deny_unauthorized_request(config); - test_file_watcher_init_deny_request_no_match_in_policy(config); - test_file_watcher_valid_policy_reload(config); - test_file_watcher_invalid_policy_skip_reload(config); - test_file_watcher_recovers_from_failure(config); + test_allow_authorized_request(config); + test_deny_unauthorized_request(config); + test_deny_request_no_match_in_policy(config); } void sdk_authz_pre_init(void) {} diff --git a/test/core/security/BUILD b/test/core/security/BUILD index 0290b0b1334..613fcb82679 100644 --- a/test/core/security/BUILD +++ b/test/core/security/BUILD @@ -454,11 +454,6 @@ grpc_cc_test( grpc_cc_test( name = "grpc_authorization_policy_provider_test", srcs = ["grpc_authorization_policy_provider_test.cc"], - data = [ - "//test/core/security/authorization/test_policies:invalid_policy.json", - "//test/core/security/authorization/test_policies:valid_policy_1.json", - "//test/core/security/authorization/test_policies:valid_policy_2.json", - ], external_deps = ["gtest"], language = "C++", deps = [ diff --git a/test/core/security/authorization/test_policies/BUILD b/test/core/security/authorization/test_policies/BUILD deleted file mode 100644 index 9b4963555a2..00000000000 --- a/test/core/security/authorization/test_policies/BUILD +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2021 gRPC authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -licenses(["notice"]) # Apache v2 - -exports_files([ - "invalid_policy.json", - "valid_policy_1.json", - "valid_policy_2.json", -]) diff --git a/test/core/security/authorization/test_policies/invalid_policy.json b/test/core/security/authorization/test_policies/invalid_policy.json deleted file mode 100644 index 0967ef424bc..00000000000 --- a/test/core/security/authorization/test_policies/invalid_policy.json +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/test/core/security/authorization/test_policies/valid_policy_1.json b/test/core/security/authorization/test_policies/valid_policy_1.json deleted file mode 100644 index 7f277df7803..00000000000 --- a/test/core/security/authorization/test_policies/valid_policy_1.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "name": "authz", - "allow_rules": - [ - { - "name": "allow_echo", - "request": - { - "paths": - [ - "*/Echo" - ], - "headers": - [ - { - "key": "key-foo", - "values": ["foo1", "foo2"] - }, - { - "key": "key-bar", - "values": ["bar1"] - } - ] - } - } - ], - "deny_rules": - [ - { - "name": "deny_clientstreamingecho", - "request": - { - "paths": - [ - "*/ClientStreamingEcho" - ] - } - } - ] -} diff --git a/test/core/security/authorization/test_policies/valid_policy_2.json b/test/core/security/authorization/test_policies/valid_policy_2.json deleted file mode 100644 index 4337ed42ea9..00000000000 --- a/test/core/security/authorization/test_policies/valid_policy_2.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "name": "authz", - "allow_rules": - [ - { - "name": "allow_foo", - "request": - { - "paths": - [ - "*/foo" - ] - } - }, - { - "name": "allow_bar", - "request": - { - "paths": - [ - "*/bar" - ] - } - } - ] -} diff --git a/test/core/security/grpc_authorization_policy_provider_test.cc b/test/core/security/grpc_authorization_policy_provider_test.cc index 3f1c87c8564..f298a352239 100644 --- a/test/core/security/grpc_authorization_policy_provider_test.cc +++ b/test/core/security/grpc_authorization_policy_provider_test.cc @@ -23,197 +23,43 @@ #include "src/core/lib/security/authorization/grpc_authorization_engine.h" #include "test/core/util/test_config.h" -#include "test/core/util/tls_utils.h" - -#define VALID_POLICY_PATH_1 \ - "test/core/security/authorization/test_policies/valid_policy_1.json" -#define VALID_POLICY_PATH_2 \ - "test/core/security/authorization/test_policies/valid_policy_2.json" -#define INVALID_POLICY_PATH \ - "test/core/security/authorization/test_policies/invalid_policy.json" namespace grpc_core { TEST(AuthorizationPolicyProviderTest, StaticDataInitializationSuccessful) { - auto provider = StaticDataAuthorizationPolicyProvider::Create( - testing::GetFileContents(VALID_POLICY_PATH_1)); + const char* authz_policy = + "{" + " \"name\": \"authz\"," + " \"allow_rules\": [" + " {" + " \"name\": \"allow_policy\"" + " }" + " ]" + "}"; + auto provider = StaticDataAuthorizationPolicyProvider::Create(authz_policy); ASSERT_TRUE(provider.ok()); auto engines = (*provider)->engines(); - auto* allow_engine = - dynamic_cast(engines.allow_engine.get()); - ASSERT_NE(allow_engine, nullptr); - EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow); - EXPECT_EQ(allow_engine->num_policies(), 1); - auto* deny_engine = - dynamic_cast(engines.deny_engine.get()); - ASSERT_NE(deny_engine, nullptr); - EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny); - EXPECT_EQ(deny_engine->num_policies(), 1); + ASSERT_NE(engines.allow_engine, nullptr); + EXPECT_EQ(dynamic_cast(engines.allow_engine.get()) + ->action(), + Rbac::Action::kAllow); + ASSERT_NE(engines.deny_engine, nullptr); + EXPECT_EQ(dynamic_cast(engines.deny_engine.get()) + ->action(), + Rbac::Action::kDeny); } TEST(AuthorizationPolicyProviderTest, StaticDataInitializationFailedInvalidPolicy) { - auto provider = StaticDataAuthorizationPolicyProvider::Create( - testing::GetFileContents(INVALID_POLICY_PATH)); - EXPECT_EQ(provider.status().code(), absl::StatusCode::kInvalidArgument); - EXPECT_EQ(provider.status().message(), "\"name\" field is not present."); -} - -TEST(AuthorizationPolicyProviderTest, - FileWatcherInitializationSuccessValidPolicy) { - auto tmp_authz_policy = absl::make_unique( - testing::GetFileContents(VALID_POLICY_PATH_1)); - auto provider = FileWatcherAuthorizationPolicyProvider::Create( - tmp_authz_policy->name(), /*refresh_interval_sec=*/1); - ASSERT_TRUE(provider.ok()); - auto engines = (*provider)->engines(); - auto* allow_engine = - dynamic_cast(engines.allow_engine.get()); - ASSERT_NE(allow_engine, nullptr); - EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow); - EXPECT_EQ(allow_engine->num_policies(), 1); - auto* deny_engine = - dynamic_cast(engines.deny_engine.get()); - ASSERT_NE(deny_engine, nullptr); - EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny); - EXPECT_EQ(deny_engine->num_policies(), 1); -} - -TEST(AuthorizationPolicyProviderTest, - FileWatcherInitializationFailedInvalidPolicy) { - auto tmp_authz_policy = absl::make_unique( - testing::GetFileContents(INVALID_POLICY_PATH)); - auto provider = FileWatcherAuthorizationPolicyProvider::Create( - tmp_authz_policy->name(), /*refresh_interval_sec=*/1); + const char* authz_policy = "{}"; + auto provider = StaticDataAuthorizationPolicyProvider::Create(authz_policy); EXPECT_EQ(provider.status().code(), absl::StatusCode::kInvalidArgument); EXPECT_EQ(provider.status().message(), "\"name\" field is not present."); } -TEST(AuthorizationPolicyProviderTest, FileWatcherSuccessValidPolicyRefresh) { - auto tmp_authz_policy = absl::make_unique( - testing::GetFileContents(VALID_POLICY_PATH_1)); - auto provider = FileWatcherAuthorizationPolicyProvider::Create( - tmp_authz_policy->name(), /*refresh_interval_sec=*/1); - ASSERT_TRUE(provider.ok()); - auto engines = (*provider)->engines(); - auto* allow_engine = - dynamic_cast(engines.allow_engine.get()); - ASSERT_NE(allow_engine, nullptr); - EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow); - EXPECT_EQ(allow_engine->num_policies(), 1); - auto* deny_engine = - dynamic_cast(engines.deny_engine.get()); - ASSERT_NE(deny_engine, nullptr); - EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny); - EXPECT_EQ(deny_engine->num_policies(), 1); - // Rewrite the file with a different valid authorization policy. - tmp_authz_policy->RewriteFile(testing::GetFileContents(VALID_POLICY_PATH_2)); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - engines = (*provider)->engines(); - allow_engine = - dynamic_cast(engines.allow_engine.get()); - ASSERT_NE(allow_engine, nullptr); - EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow); - EXPECT_EQ(allow_engine->num_policies(), 2); - deny_engine = - dynamic_cast(engines.deny_engine.get()); - ASSERT_NE(deny_engine, nullptr); - EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny); - EXPECT_EQ(deny_engine->num_policies(), 0); -} - -TEST(AuthorizationPolicyProviderTest, - FileWatcherInvalidPolicyRefreshSkipReload) { - auto tmp_authz_policy = absl::make_unique( - testing::GetFileContents(VALID_POLICY_PATH_1)); - auto provider = FileWatcherAuthorizationPolicyProvider::Create( - tmp_authz_policy->name(), /*refresh_interval_sec=*/1); - ASSERT_TRUE(provider.ok()); - auto engines = (*provider)->engines(); - auto* allow_engine = - dynamic_cast(engines.allow_engine.get()); - ASSERT_NE(allow_engine, nullptr); - EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow); - EXPECT_EQ(allow_engine->num_policies(), 1); - auto* deny_engine = - dynamic_cast(engines.deny_engine.get()); - ASSERT_NE(deny_engine, nullptr); - EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny); - EXPECT_EQ(deny_engine->num_policies(), 1); - // Skips the following policy update, and continues to use the valid policy. - tmp_authz_policy->RewriteFile(testing::GetFileContents(INVALID_POLICY_PATH)); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - engines = (*provider)->engines(); - allow_engine = - dynamic_cast(engines.allow_engine.get()); - ASSERT_NE(allow_engine, nullptr); - EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow); - EXPECT_EQ(allow_engine->num_policies(), 1); - deny_engine = - dynamic_cast(engines.deny_engine.get()); - ASSERT_NE(deny_engine, nullptr); - EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny); - EXPECT_EQ(deny_engine->num_policies(), 1); -} - -TEST(AuthorizationPolicyProviderTest, FileWatcherRecoversFromFailure) { - auto tmp_authz_policy = absl::make_unique( - testing::GetFileContents(VALID_POLICY_PATH_1)); - auto provider = FileWatcherAuthorizationPolicyProvider::Create( - tmp_authz_policy->name(), /*refresh_interval_sec=*/1); - ASSERT_TRUE(provider.ok()); - auto engines = (*provider)->engines(); - auto* allow_engine = - dynamic_cast(engines.allow_engine.get()); - ASSERT_NE(allow_engine, nullptr); - EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow); - EXPECT_EQ(allow_engine->num_policies(), 1); - auto* deny_engine = - dynamic_cast(engines.deny_engine.get()); - ASSERT_NE(deny_engine, nullptr); - EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny); - EXPECT_EQ(deny_engine->num_policies(), 1); - // Skips the following policy update, and continues to use the valid policy. - tmp_authz_policy->RewriteFile(testing::GetFileContents(INVALID_POLICY_PATH)); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - engines = (*provider)->engines(); - allow_engine = - dynamic_cast(engines.allow_engine.get()); - ASSERT_NE(allow_engine, nullptr); - EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow); - EXPECT_EQ(allow_engine->num_policies(), 1); - deny_engine = - dynamic_cast(engines.deny_engine.get()); - ASSERT_NE(deny_engine, nullptr); - EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny); - EXPECT_EQ(deny_engine->num_policies(), 1); - // Rewrite the file with a valid authorization policy. - tmp_authz_policy->RewriteFile(testing::GetFileContents(VALID_POLICY_PATH_2)); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - engines = (*provider)->engines(); - allow_engine = - dynamic_cast(engines.allow_engine.get()); - ASSERT_NE(allow_engine, nullptr); - EXPECT_EQ(allow_engine->action(), Rbac::Action::kAllow); - EXPECT_EQ(allow_engine->num_policies(), 2); - deny_engine = - dynamic_cast(engines.deny_engine.get()); - ASSERT_NE(deny_engine, nullptr); - EXPECT_EQ(deny_engine->action(), Rbac::Action::kDeny); - EXPECT_EQ(deny_engine->num_policies(), 0); -} - } // namespace grpc_core int main(int argc, char** argv) { - grpc::testing::TestEnvironment env(argc, argv); ::testing::InitGoogleTest(&argc, argv); - grpc_init(); - int ret = RUN_ALL_TESTS(); - grpc_shutdown(); - return ret; + return RUN_ALL_TESTS(); } diff --git a/test/core/surface/public_headers_must_be_c89.c b/test/core/surface/public_headers_must_be_c89.c index 209264fa56c..3e59b9e5c92 100644 --- a/test/core/surface/public_headers_must_be_c89.c +++ b/test/core/surface/public_headers_must_be_c89.c @@ -229,7 +229,6 @@ int main(int argc, char **argv) { printf("%lx", (unsigned long) grpc_xds_credentials_create); printf("%lx", (unsigned long) grpc_xds_server_credentials_create); printf("%lx", (unsigned long) grpc_authorization_policy_provider_static_data_create); - printf("%lx", (unsigned long) grpc_authorization_policy_provider_file_watcher_create); printf("%lx", (unsigned long) grpc_authorization_policy_provider_release); printf("%lx", (unsigned long) grpc_raw_byte_buffer_create); printf("%lx", (unsigned long) grpc_raw_compressed_byte_buffer_create); diff --git a/test/cpp/end2end/sdk_authz_end2end_test.cc b/test/cpp/end2end/sdk_authz_end2end_test.cc index 3b6fb4a47e0..853920a6655 100644 --- a/test/cpp/end2end/sdk_authz_end2end_test.cc +++ b/test/cpp/end2end/sdk_authz_end2end_test.cc @@ -28,7 +28,6 @@ #include "src/proto/grpc/testing/echo.grpc.pb.h" #include "test/core/util/port.h" #include "test/core/util/test_config.h" -#include "test/core/util/tls_utils.h" #include "test/cpp/end2end/test_service_impl.h" namespace grpc { @@ -77,17 +76,6 @@ class SdkAuthzEnd2EndTest : public ::testing::Test { return provider; } - std::shared_ptr - CreateFileWatcherAuthzPolicyProvider(const std::string& policy_path, - unsigned int refresh_interval_sec) { - grpc::Status status; - auto provider = - experimental::FileWatcherAuthorizationPolicyProvider::Create( - policy_path, refresh_interval_sec, &status); - EXPECT_TRUE(status.ok()); - return provider; - } - std::shared_ptr BuildChannel() { ChannelArguments args; return ::grpc::CreateCustomChannel(server_address_, channel_creds_, args); @@ -360,397 +348,6 @@ TEST_F( EXPECT_TRUE(resp.message().empty()); } -TEST_F(SdkAuthzEnd2EndTest, - FileWatcherInitAllowsRpcRequestNoMatchInDenyMatchInAllow) { - std::string policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_echo\"," - " \"request\": {" - " \"paths\": [" - " \"*/Echo\"" - " ]," - " \"headers\": [" - " {" - " \"key\": \"key-foo\"," - " \"values\": [\"foo1\", \"foo2\"]" - " }," - " {" - " \"key\": \"key-bar\"," - " \"values\": [\"bar1\"]" - " }" - " ]" - " }" - " }" - " ]," - " \"deny_rules\": [" - " {" - " \"name\": \"deny_clientstreamingecho\"," - " \"request\": {" - " \"paths\": [" - " \"*/ClientStreamingEcho\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(policy); - InitServer(CreateFileWatcherAuthzPolicyProvider(tmp_policy.name(), 5)); - auto channel = BuildChannel(); - ClientContext context; - context.AddMetadata("key-foo", "foo2"); - context.AddMetadata("key-bar", "bar1"); - context.AddMetadata("key-baz", "baz1"); - grpc::testing::EchoResponse resp; - grpc::Status status = SendRpc(channel, &context, &resp); - EXPECT_TRUE(status.ok()); - EXPECT_EQ(resp.message(), kMessage); -} - -TEST_F(SdkAuthzEnd2EndTest, - FileWatcherInitDeniesRpcRequestNoMatchInAllowAndDeny) { - std::string policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]," - " \"deny_rules\": [" - " {" - " \"name\": \"deny_bar\"," - " \"source\": {" - " \"principals\": [" - " \"bar\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(policy); - InitServer(CreateFileWatcherAuthzPolicyProvider(tmp_policy.name(), 5)); - auto channel = BuildChannel(); - ClientContext context; - grpc::testing::EchoResponse resp; - grpc::Status status = SendRpc(channel, &context, &resp); - EXPECT_EQ(status.error_code(), grpc::StatusCode::PERMISSION_DENIED); - EXPECT_EQ(status.error_message(), "Unauthorized RPC request rejected."); - EXPECT_TRUE(resp.message().empty()); -} - -TEST_F(SdkAuthzEnd2EndTest, - FileWatcherInitDeniesRpcRequestMatchInDenyMatchInAllow) { - std::string policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_all\"" - " }" - " ]," - " \"deny_rules\": [" - " {" - " \"name\": \"deny_echo\"," - " \"request\": {" - " \"paths\": [" - " \"*/Echo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(policy); - InitServer(CreateFileWatcherAuthzPolicyProvider(tmp_policy.name(), 5)); - auto channel = BuildChannel(); - ClientContext context; - grpc::testing::EchoResponse resp; - grpc::Status status = SendRpc(channel, &context, &resp); - EXPECT_EQ(status.error_code(), grpc::StatusCode::PERMISSION_DENIED); - EXPECT_EQ(status.error_message(), "Unauthorized RPC request rejected."); - EXPECT_TRUE(resp.message().empty()); -} - -TEST_F(SdkAuthzEnd2EndTest, - FileWatcherInitDeniesRpcRequestMatchInDenyNoMatchInAllow) { - std::string policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_clientstreamingecho\"," - " \"request\": {" - " \"paths\": [" - " \"*/ClientStreamingEcho\"" - " ]" - " }" - " }" - " ]," - " \"deny_rules\": [" - " {" - " \"name\": \"deny_echo\"," - " \"request\": {" - " \"paths\": [" - " \"*/Echo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(policy); - InitServer(CreateFileWatcherAuthzPolicyProvider(tmp_policy.name(), 5)); - auto channel = BuildChannel(); - ClientContext context; - grpc::testing::EchoResponse resp; - grpc::Status status = SendRpc(channel, &context, &resp); - EXPECT_EQ(status.error_code(), grpc::StatusCode::PERMISSION_DENIED); - EXPECT_EQ(status.error_message(), "Unauthorized RPC request rejected."); - EXPECT_TRUE(resp.message().empty()); -} - -TEST_F(SdkAuthzEnd2EndTest, - FileWatcherInitAllowsRpcRequestEmptyDenyMatchInAllow) { - std::string policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_echo\"," - " \"request\": {" - " \"paths\": [" - " \"*/Echo\"" - " ]," - " \"headers\": [" - " {" - " \"key\": \"key-foo\"," - " \"values\": [\"foo1\", \"foo2\"]" - " }," - " {" - " \"key\": \"key-bar\"," - " \"values\": [\"bar1\"]" - " }" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(policy); - InitServer(CreateFileWatcherAuthzPolicyProvider(tmp_policy.name(), 5)); - auto channel = BuildChannel(); - ClientContext context; - context.AddMetadata("key-foo", "foo2"); - context.AddMetadata("key-bar", "bar1"); - context.AddMetadata("key-baz", "baz1"); - grpc::testing::EchoResponse resp; - grpc::Status status = SendRpc(channel, &context, &resp); - EXPECT_TRUE(status.ok()); - EXPECT_EQ(resp.message(), kMessage); -} - -TEST_F(SdkAuthzEnd2EndTest, - FileWatcherInitDeniesRpcRequestEmptyDenyNoMatchInAllow) { - std::string policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_echo\"," - " \"request\": {" - " \"paths\": [" - " \"*/Echo\"" - " ]," - " \"headers\": [" - " {" - " \"key\": \"key-foo\"," - " \"values\": [\"foo1\"]" - " }" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(policy); - InitServer(CreateFileWatcherAuthzPolicyProvider(tmp_policy.name(), 5)); - auto channel = BuildChannel(); - ClientContext context; - context.AddMetadata("key-bar", "bar1"); - grpc::testing::EchoResponse resp; - grpc::Status status = SendRpc(channel, &context, &resp); - EXPECT_EQ(status.error_code(), grpc::StatusCode::PERMISSION_DENIED); - EXPECT_EQ(status.error_message(), "Unauthorized RPC request rejected."); - EXPECT_TRUE(resp.message().empty()); -} - -TEST_F(SdkAuthzEnd2EndTest, FileWatcherValidPolicyRefresh) { - std::string policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_echo\"," - " \"request\": {" - " \"paths\": [" - " \"*/Echo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(policy); - InitServer(CreateFileWatcherAuthzPolicyProvider(tmp_policy.name(), 1)); - auto channel = BuildChannel(); - ClientContext context1; - grpc::testing::EchoResponse resp1; - grpc::Status status = SendRpc(channel, &context1, &resp1); - EXPECT_TRUE(status.ok()); - EXPECT_EQ(resp1.message(), kMessage); - // Replace the existing policy with a new authorization policy. - policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]," - " \"deny_rules\": [" - " {" - " \"name\": \"deny_echo\"," - " \"request\": {" - " \"paths\": [" - " \"*/Echo\"" - " ]" - " }" - " }" - " ]" - "}"; - tmp_policy.RewriteFile(policy); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - ClientContext context2; - grpc::testing::EchoResponse resp2; - status = SendRpc(channel, &context2, &resp2); - EXPECT_EQ(status.error_code(), grpc::StatusCode::PERMISSION_DENIED); - EXPECT_EQ(status.error_message(), "Unauthorized RPC request rejected."); - EXPECT_TRUE(resp2.message().empty()); -} - -TEST_F(SdkAuthzEnd2EndTest, FileWatcherInvalidPolicyRefreshSkipsReload) { - std::string policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_echo\"," - " \"request\": {" - " \"paths\": [" - " \"*/Echo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(policy); - InitServer(CreateFileWatcherAuthzPolicyProvider(tmp_policy.name(), 1)); - auto channel = BuildChannel(); - ClientContext context1; - grpc::testing::EchoResponse resp1; - grpc::Status status = SendRpc(channel, &context1, &resp1); - EXPECT_TRUE(status.ok()); - EXPECT_EQ(resp1.message(), kMessage); - // Replaces existing policy with an invalid authorization policy. - policy = "{}"; - tmp_policy.RewriteFile(policy); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - ClientContext context2; - grpc::testing::EchoResponse resp2; - status = SendRpc(channel, &context2, &resp2); - EXPECT_TRUE(status.ok()); - EXPECT_EQ(resp2.message(), kMessage); -} - -TEST_F(SdkAuthzEnd2EndTest, FileWatcherRecoversFromFailure) { - std::string policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_echo\"," - " \"request\": {" - " \"paths\": [" - " \"*/Echo\"" - " ]" - " }" - " }" - " ]" - "}"; - grpc_core::testing::TmpFile tmp_policy(policy); - InitServer(CreateFileWatcherAuthzPolicyProvider(tmp_policy.name(), 1)); - auto channel = BuildChannel(); - ClientContext context1; - grpc::testing::EchoResponse resp1; - grpc::Status status = SendRpc(channel, &context1, &resp1); - EXPECT_TRUE(status.ok()); - EXPECT_EQ(resp1.message(), kMessage); - // Replaces existing policy with an invalid authorization policy. - policy = "{}"; - tmp_policy.RewriteFile(policy); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - ClientContext context2; - grpc::testing::EchoResponse resp2; - status = SendRpc(channel, &context2, &resp2); - EXPECT_TRUE(status.ok()); - EXPECT_EQ(resp2.message(), kMessage); - // Replace the existing invalid policy with a valid authorization policy. - policy = - "{" - " \"name\": \"authz\"," - " \"allow_rules\": [" - " {" - " \"name\": \"allow_foo\"," - " \"request\": {" - " \"paths\": [" - " \"*/foo\"" - " ]" - " }" - " }" - " ]," - " \"deny_rules\": [" - " {" - " \"name\": \"deny_echo\"," - " \"request\": {" - " \"paths\": [" - " \"*/Echo\"" - " ]" - " }" - " }" - " ]" - "}"; - tmp_policy.RewriteFile(policy); - // Wait 2 seconds for the provider's refresh thread to read the updated files. - gpr_sleep_until(grpc_timeout_seconds_to_deadline(2)); - ClientContext context3; - grpc::testing::EchoResponse resp3; - status = SendRpc(channel, &context3, &resp3); - EXPECT_EQ(status.error_code(), grpc::StatusCode::PERMISSION_DENIED); - EXPECT_EQ(status.error_message(), "Unauthorized RPC request rejected."); - EXPECT_TRUE(resp3.message().empty()); -} - } // namespace } // namespace testing } // namespace grpc diff --git a/test/cpp/server/BUILD b/test/cpp/server/BUILD index 5ddd24010af..549c859162c 100644 --- a/test/cpp/server/BUILD +++ b/test/cpp/server/BUILD @@ -82,11 +82,6 @@ grpc_cc_test( grpc_cc_test( name = "authorization_policy_provider_test", srcs = ["authorization_policy_provider_test.cc"], - data = [ - "//test/core/security/authorization/test_policies:invalid_policy.json", - "//test/core/security/authorization/test_policies:valid_policy_1.json", - "//test/core/security/authorization/test_policies:valid_policy_2.json", - ], external_deps = [ "gtest", ], diff --git a/test/cpp/server/authorization_policy_provider_test.cc b/test/cpp/server/authorization_policy_provider_test.cc index b64264610c4..9b84af833e0 100644 --- a/test/cpp/server/authorization_policy_provider_test.cc +++ b/test/cpp/server/authorization_policy_provider_test.cc @@ -17,21 +17,22 @@ #include #include "test/core/util/test_config.h" -#include "test/core/util/tls_utils.h" - -#define VALID_POLICY_PATH_1 \ - "test/core/security/authorization/test_policies/valid_policy_1.json" -#define VALID_POLICY_PATH_2 \ - "test/core/security/authorization/test_policies/valid_policy_2.json" -#define INVALID_POLICY_PATH \ - "test/core/security/authorization/test_policies/invalid_policy.json" namespace grpc { TEST(AuthorizationPolicyProviderTest, StaticDataCreateReturnsProvider) { + const char* authz_policy = + "{" + " \"name\": \"authz\"," + " \"allow_rules\": [" + " {" + " \"name\": \"allow_policy\"" + " }" + " ]" + "}"; grpc::Status status; auto provider = experimental::StaticDataAuthorizationPolicyProvider::Create( - grpc_core::testing::GetFileContents(VALID_POLICY_PATH_1), &status); + authz_policy, &status); ASSERT_NE(provider, nullptr); EXPECT_NE(provider->c_provider(), nullptr); EXPECT_TRUE(status.ok()); @@ -39,32 +40,10 @@ TEST(AuthorizationPolicyProviderTest, StaticDataCreateReturnsProvider) { } TEST(AuthorizationPolicyProviderTest, StaticDataCreateReturnsErrorStatus) { + const char* authz_policy = "{}"; grpc::Status status; auto provider = experimental::StaticDataAuthorizationPolicyProvider::Create( - grpc_core::testing::GetFileContents(INVALID_POLICY_PATH), &status); - ASSERT_EQ(provider, nullptr); - EXPECT_EQ(status.error_code(), grpc::StatusCode::INVALID_ARGUMENT); - EXPECT_EQ(status.error_message(), "\"name\" field is not present."); -} - -TEST(AuthorizationPolicyProviderTest, FileWatcherCreateReturnsProvider) { - auto tmp_authz_policy = absl::make_unique( - grpc_core::testing::GetFileContents(VALID_POLICY_PATH_1)); - grpc::Status status; - auto provider = experimental::FileWatcherAuthorizationPolicyProvider::Create( - tmp_authz_policy->name(), /*refresh_interval_sec=*/1, &status); - ASSERT_NE(provider, nullptr); - EXPECT_NE(provider->c_provider(), nullptr); - EXPECT_TRUE(status.ok()); - EXPECT_TRUE(status.error_message().empty()); -} - -TEST(AuthorizationPolicyProviderTest, FileWatcherCreateReturnsErrorStatus) { - auto tmp_authz_policy = absl::make_unique( - grpc_core::testing::GetFileContents(INVALID_POLICY_PATH)); - grpc::Status status; - auto provider = experimental::FileWatcherAuthorizationPolicyProvider::Create( - tmp_authz_policy->name(), /*refresh_interval_sec=*/1, &status); + authz_policy, &status); ASSERT_EQ(provider, nullptr); EXPECT_EQ(status.error_code(), grpc::StatusCode::INVALID_ARGUMENT); EXPECT_EQ(status.error_message(), "\"name\" field is not present.");