[Audit Logging] xDS e2e test for audit logging. (#33252)

Added tests involve: 1. Checking the # of logger invocations with multiple RBACs in the chain. 2. Verifying content in audit context with action and audit condition permutations. 3. Confirm custom logger and built-in logger configurations are working. 4. Confirm the feature is protected by the environment variable. --------- Co-authored-by: rockspore <rockspore@users.noreply.github.com>
2 years ago · d1c0dc58cc
parent c32cbb57df
commit d1c0dc58cc
5 changed files with 381 additions and 0 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -24357,6 +24357,11 @@ if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
    ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/tls.grpc.pb.cc
    ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/tls.pb.h
    ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/tls.grpc.pb.h
+    ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/typed_struct.pb.cc
+    ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/typed_struct.grpc.pb.cc
+    ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/typed_struct.pb.h
+    ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/typed_struct.grpc.pb.h
+    test/core/util/audit_logging_utils.cc
    test/cpp/end2end/test_service_impl.cc
    test/cpp/end2end/xds/xds_end2end_test.cc
    test/cpp/end2end/xds/xds_end2end_test_lib.cc
--- a/build_autogenerated.yaml
+++ b/build_autogenerated.yaml
@ -13360,6 +13360,8 @@ targets:
  run: false
  language: c++
  headers:
+  - test/core/util/audit_logging_utils.h
+  - test/core/util/scoped_env_var.h
  - test/cpp/end2end/counted_service.h
  - test/cpp/end2end/test_service_impl.h
  - test/cpp/end2end/xds/xds_end2end_test_lib.h
@ -13401,6 +13403,8 @@ targets:
  - src/proto/grpc/testing/xds/v3/router.proto
  - src/proto/grpc/testing/xds/v3/string.proto
  - src/proto/grpc/testing/xds/v3/tls.proto
+  - src/proto/grpc/testing/xds/v3/typed_struct.proto
+  - test/core/util/audit_logging_utils.cc
  - test/cpp/end2end/test_service_impl.cc
  - test/cpp/end2end/xds/xds_end2end_test.cc
  - test/cpp/end2end/xds/xds_end2end_test_lib.cc
--- a/test/cpp/end2end/xds/BUILD
+++ b/test/cpp/end2end/xds/BUILD
@ -110,6 +110,7 @@ grpc_cc_test(
        "//:grpc++",
        "//:grpc_resolver_fake",
        "//src/core:channel_args",
+        "//src/core:grpc_audit_logging",
        "//src/proto/grpc/testing:echo_messages_proto",
        "//src/proto/grpc/testing:echo_proto",
        "//src/proto/grpc/testing/duplicate:echo_duplicate_proto",
@ -124,7 +125,10 @@ grpc_cc_test(
        "//src/proto/grpc/testing/xds/v3:route_proto",
        "//src/proto/grpc/testing/xds/v3:router_proto",
        "//src/proto/grpc/testing/xds/v3:tls_proto",
+        "//src/proto/grpc/testing/xds/v3:typed_struct_proto",
+        "//test/core/util:audit_logging_utils",
        "//test/core/util:grpc_test_util",
+        "//test/core/util:scoped_env_var",
        "//test/cpp/util:test_config",
        "//test/cpp/util:test_util",
        "//test/cpp/util:tls_test_utils",
--- a/test/cpp/end2end/xds/xds_end2end_test.cc
+++ b/test/cpp/end2end/xds/xds_end2end_test.cc
@ -52,6 +52,7 @@
 #include <grpcpp/channel.h>
 #include <grpcpp/client_context.h>
 #include <grpcpp/create_channel.h>
+#include <grpcpp/security/audit_logging.h>
 #include <grpcpp/security/tls_certificate_provider.h>
 #include <grpcpp/server.h>
 #include <grpcpp/server_builder.h>
@ -82,6 +83,7 @@
 #include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/iomgr/sockaddr.h"
 #include "src/core/lib/resolver/server_address.h"
+#include "src/core/lib/security/authorization/audit_logging.h"
 #include "src/core/lib/security/certificate_provider/certificate_provider_registry.h"
 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
@ -96,12 +98,16 @@
 #include "src/proto/grpc/testing/xds/v3/fault.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/http_connection_manager.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/http_filter_rbac.grpc.pb.h"
+#include "src/proto/grpc/testing/xds/v3/http_filter_rbac.pb.h"
 #include "src/proto/grpc/testing/xds/v3/listener.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/lrs.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/route.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/router.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/tls.grpc.pb.h"
+#include "src/proto/grpc/testing/xds/v3/typed_struct.pb.h"
+#include "test/core/util/audit_logging_utils.h"
 #include "test/core/util/port.h"
+#include "test/core/util/scoped_env_var.h"
 #include "test/core/util/test_config.h"
 #include "test/cpp/end2end/xds/xds_end2end_test_lib.h"
 #include "test/cpp/util/test_config.h"
@ -116,15 +122,26 @@ using ::envoy::config::rbac::v3::Policy;
 using ::envoy::config::rbac::v3::RBAC_Action_ALLOW;
 using ::envoy::config::rbac::v3::RBAC_Action_DENY;
 using ::envoy::config::rbac::v3::RBAC_Action_LOG;
+using ::envoy::config::rbac::v3::
+    RBAC_AuditLoggingOptions_AuditCondition_ON_ALLOW;
+using ::envoy::config::rbac::v3::
+    RBAC_AuditLoggingOptions_AuditCondition_ON_DENY;
+using ::envoy::config::rbac::v3::
+    RBAC_AuditLoggingOptions_AuditCondition_ON_DENY_AND_ALLOW;
 using ::envoy::extensions::filters::http::rbac::v3::RBAC;
 using ::envoy::extensions::filters::http::rbac::v3::RBACPerRoute;
 using ::envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext;
 using ::envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext;
 using ::envoy::type::matcher::v3::StringMatcher;
+using ::xds::type::v3::TypedStruct;

 using ::grpc::experimental::ExternalCertificateVerifier;
 using ::grpc::experimental::IdentityKeyCertPair;
+using ::grpc::experimental::RegisterAuditLoggerFactory;
 using ::grpc::experimental::StaticDataCertificateProvider;
+using ::grpc_core::experimental::AuditLoggerRegistry;
+using ::grpc_core::testing::ScopedExperimentalEnvVar;
+using ::grpc_core::testing::TestAuditLoggerFactory;

 constexpr char kClientCertPath[] = "src/core/tsi/test_creds/client.pem";
 constexpr char kClientKeyPath[] = "src/core/tsi/test_creds/client.key";
@ -1935,6 +1952,13 @@ TEST_P(XdsServerRdsTest, MultipleRouteConfigurations) {
 // override permutations.
 class XdsRbacTest : public XdsServerRdsTest {
 protected:
+  XdsRbacTest() {
+    RegisterAuditLoggerFactory(
+        std::make_unique<TestAuditLoggerFactory>(&audit_logs_));
+  }
+
+  ~XdsRbacTest() override { AuditLoggerRegistry::TestOnlyResetRegistry(); }
+
  void SetServerRbacPolicies(Listener listener,
                             const std::vector<RBAC>& rbac_policies) {
    HttpConnectionManager http_connection_manager =
@ -1978,6 +2002,8 @@ class XdsRbacTest : public XdsServerRdsTest {
  void SetServerRbacPolicy(const RBAC& rbac) {
    SetServerRbacPolicy(default_server_listener_, rbac);
  }
+
+  std::vector<std::string> audit_logs_;
 };

 TEST_P(XdsRbacTest, AbsentRbacPolicy) {
@ -2790,6 +2816,283 @@ TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionOrIdPrincipal) {
      grpc::StatusCode::PERMISSION_DENIED);
 }

+TEST_P(XdsRbacTestWithActionPermutations,
+       AuditLoggerNotInvokedOnAuditConditionNone) {
+  ScopedExperimentalEnvVar env_var("GRPC_EXPERIMENTAL_XDS_RBAC_AUDIT_LOGGING");
+  RBAC rbac;
+  rbac.mutable_rules()->set_action(GetParam().rbac_action());
+  auto* logging_options = rbac.mutable_rules()->mutable_audit_logging_options();
+  auto* audit_logger =
+      logging_options->add_logger_configs()->mutable_audit_logger();
+  audit_logger->mutable_typed_config()->set_type_url("/test_logger");
+  TypedStruct typed_struct;
+  typed_struct.set_type_url("/test_logger");
+  typed_struct.mutable_value()->mutable_fields();
+  audit_logger->mutable_typed_config()->PackFrom(typed_struct);
+  SetServerRbacPolicy(rbac);
+  backends_[0]->Start();
+  backends_[0]->notifier()->WaitOnServingStatusChange(
+      absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+      grpc::StatusCode::OK);
+  // An empty RBAC policy leads to all RPCs being rejected.
+  SendRpc(
+      [this]() { return CreateInsecureChannel(); }, {}, {},
+      /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_ALLOW,
+      grpc::StatusCode::PERMISSION_DENIED);
+  EXPECT_THAT(audit_logs_, ::testing::ElementsAre());
+}
+
+TEST_P(XdsRbacTestWithActionPermutations,
+       MultipleRbacPoliciesWithAuditOnAllow) {
+  ScopedExperimentalEnvVar env_var("GRPC_EXPERIMENTAL_XDS_RBAC_AUDIT_LOGGING");
+  RBAC always_allow;
+  auto* rules = always_allow.mutable_rules();
+  rules->set_action(RBAC_Action_ALLOW);
+  Policy policy;
+  policy.add_permissions()->set_any(true);
+  policy.add_principals()->set_any(true);
+  (*rules->mutable_policies())["policy"] = policy;
+  auto* logging_options = rules->mutable_audit_logging_options();
+  logging_options->set_audit_condition(
+      RBAC_AuditLoggingOptions_AuditCondition_ON_ALLOW);
+  auto* audit_logger =
+      logging_options->add_logger_configs()->mutable_audit_logger();
+  audit_logger->mutable_typed_config()->set_type_url("/test_logger");
+  TypedStruct typed_struct;
+  typed_struct.set_type_url("/test_logger");
+  typed_struct.mutable_value()->mutable_fields();
+  audit_logger->mutable_typed_config()->PackFrom(typed_struct);
+  RBAC rbac;
+  rules = rbac.mutable_rules();
+  rules->set_action(GetParam().rbac_action());
+  (*rules->mutable_policies())["policy"] = policy;
+  logging_options = rules->mutable_audit_logging_options();
+  logging_options->set_audit_condition(
+      RBAC_AuditLoggingOptions_AuditCondition_ON_ALLOW);
+  audit_logger = logging_options->add_logger_configs()->mutable_audit_logger();
+  audit_logger->mutable_typed_config()->PackFrom(typed_struct);
+  SetServerRbacPolicies(default_server_listener_,
+                        {always_allow, rbac, always_allow});
+  backends_[0]->Start();
+  backends_[0]->notifier()->WaitOnServingStatusChange(
+      absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+      grpc::StatusCode::OK);
+  SendRpc([this]() { return CreateInsecureChannel(); }, {}, {},
+          /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY,
+          grpc::StatusCode::PERMISSION_DENIED);
+  // If the second rbac denies the rpc, only one log from the first rbac.
+  // Otherwise, all three rbacs log.
+  std::vector<absl::string_view> expected = {
+      "{\"authorized\":true,\"matched_rule\":\"policy\","
+      "\"policy_name\":\"rbac1\",\"principal\":\"\",\"rpc_"
+      "method\":\"/grpc.testing.EchoTestService/Echo\"}"};
+  if (GetParam().rbac_action() != RBAC_Action_DENY) {
+    expected.push_back(
+        "{\"authorized\":true,\"matched_rule\":\"policy\","
+        "\"policy_name\":\"rbac2\",\"principal\":\"\",\"rpc_"
+        "method\":\"/grpc.testing.EchoTestService/Echo\"}");
+    expected.push_back(
+        "{\"authorized\":true,\"matched_rule\":\"policy\","
+        "\"policy_name\":\"rbac3\",\"principal\":\"\",\"rpc_"
+        "method\":\"/grpc.testing.EchoTestService/Echo\"}");
+  }
+  EXPECT_THAT(audit_logs_, ::testing::ElementsAreArray(expected));
+}
+
+TEST_P(XdsRbacTestWithActionPermutations, MultipleRbacPoliciesWithAuditOnDeny) {
+  ScopedExperimentalEnvVar env_var("GRPC_EXPERIMENTAL_XDS_RBAC_AUDIT_LOGGING");
+  RBAC always_allow;
+  auto* rules = always_allow.mutable_rules();
+  rules->set_action(RBAC_Action_ALLOW);
+  Policy policy;
+  policy.add_permissions()->set_any(true);
+  policy.add_principals()->set_any(true);
+  (*rules->mutable_policies())["policy"] = policy;
+  auto* logging_options = rules->mutable_audit_logging_options();
+  logging_options->set_audit_condition(
+      RBAC_AuditLoggingOptions_AuditCondition_ON_DENY);
+  auto* audit_logger =
+      logging_options->add_logger_configs()->mutable_audit_logger();
+  audit_logger->mutable_typed_config()->set_type_url("/test_logger");
+  TypedStruct typed_struct;
+  typed_struct.set_type_url("/test_logger");
+  typed_struct.mutable_value()->mutable_fields();
+  audit_logger->mutable_typed_config()->PackFrom(typed_struct);
+  RBAC rbac;
+  rules = rbac.mutable_rules();
+  rules->set_action(GetParam().rbac_action());
+  (*rules->mutable_policies())["policy"] = policy;
+  logging_options = rules->mutable_audit_logging_options();
+  logging_options->set_audit_condition(
+      RBAC_AuditLoggingOptions_AuditCondition_ON_DENY);
+  audit_logger = logging_options->add_logger_configs()->mutable_audit_logger();
+  audit_logger->mutable_typed_config()->PackFrom(typed_struct);
+  SetServerRbacPolicies(default_server_listener_,
+                        {always_allow, rbac, always_allow});
+  backends_[0]->Start();
+  backends_[0]->notifier()->WaitOnServingStatusChange(
+      absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+      grpc::StatusCode::OK);
+  SendRpc([this]() { return CreateInsecureChannel(); }, {}, {},
+          /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY,
+          grpc::StatusCode::PERMISSION_DENIED);
+  // Only the second rbac logs if it denies the rpc.
+  std::vector<absl::string_view> expected;
+  if (GetParam().rbac_action() == RBAC_Action_DENY) {
+    expected.push_back(
+        "{\"authorized\":false,\"matched_rule\":\"policy\",\"policy_name\":"
+        "\"rbac2\",\"principal\":\"\",\"rpc_method\":\"/"
+        "grpc.testing.EchoTestService/Echo\"}");
+  }
+  EXPECT_THAT(audit_logs_, ::testing::ElementsAreArray(expected));
+}
+
+TEST_P(XdsRbacTestWithActionPermutations,
+       MultipleRbacPoliciesWithAuditOnDenyAndAllow) {
+  ScopedExperimentalEnvVar env_var("GRPC_EXPERIMENTAL_XDS_RBAC_AUDIT_LOGGING");
+  RBAC always_allow;
+  auto* rules = always_allow.mutable_rules();
+  rules->set_action(RBAC_Action_ALLOW);
+  Policy policy;
+  policy.add_permissions()->set_any(true);
+  policy.add_principals()->set_any(true);
+  (*rules->mutable_policies())["policy"] = policy;
+  auto* logging_options = rules->mutable_audit_logging_options();
+  logging_options->set_audit_condition(
+      RBAC_AuditLoggingOptions_AuditCondition_ON_DENY_AND_ALLOW);
+  auto* audit_logger =
+      logging_options->add_logger_configs()->mutable_audit_logger();
+  audit_logger->mutable_typed_config()->set_type_url("/test_logger");
+  TypedStruct typed_struct;
+  typed_struct.set_type_url("/test_logger");
+  typed_struct.mutable_value()->mutable_fields();
+  audit_logger->mutable_typed_config()->PackFrom(typed_struct);
+  RBAC rbac;
+  rules = rbac.mutable_rules();
+  rules->set_action(GetParam().rbac_action());
+  (*rules->mutable_policies())["policy"] = policy;
+  logging_options = rules->mutable_audit_logging_options();
+  logging_options->set_audit_condition(
+      RBAC_AuditLoggingOptions_AuditCondition_ON_DENY_AND_ALLOW);
+  audit_logger = logging_options->add_logger_configs()->mutable_audit_logger();
+  audit_logger->mutable_typed_config()->PackFrom(typed_struct);
+  SetServerRbacPolicies(default_server_listener_,
+                        {always_allow, rbac, always_allow});
+  backends_[0]->Start();
+  backends_[0]->notifier()->WaitOnServingStatusChange(
+      absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+      grpc::StatusCode::OK);
+  SendRpc([this]() { return CreateInsecureChannel(); }, {}, {},
+          /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY,
+          grpc::StatusCode::PERMISSION_DENIED);
+  // If the second rbac denies the request, the last rbac won't log. Otherwise
+  // all rbacs log.
+  std::vector<absl::string_view> expected = {
+      "{\"authorized\":true,\"matched_rule\":\"policy\",\"policy_name\":"
+      "\"rbac1\",\"principal\":\"\",\"rpc_method\":\"/"
+      "grpc.testing.EchoTestService/Echo\"}"};
+  if (GetParam().rbac_action() == RBAC_Action_DENY) {
+    expected.push_back(
+        "{\"authorized\":false,\"matched_rule\":\"policy\",\"policy_name\":"
+        "\"rbac2\",\"principal\":\"\",\"rpc_method\":\"/"
+        "grpc.testing.EchoTestService/Echo\"}");
+  } else {
+    expected.push_back(
+        "{\"authorized\":true,\"matched_rule\":\"policy\",\"policy_name\":"
+        "\"rbac2\",\"principal\":\"\",\"rpc_method\":\"/"
+        "grpc.testing.EchoTestService/Echo\"}");
+    expected.push_back(
+        "{\"authorized\":true,\"matched_rule\":\"policy\",\"policy_name\":"
+        "\"rbac3\",\"principal\":\"\",\"rpc_method\":\"/"
+        "grpc.testing.EchoTestService/Echo\"}");
+  }
+  EXPECT_THAT(audit_logs_, ::testing::ElementsAreArray(expected));
+}
+
+// Adds Audit Condition Permutations to XdsRbacTest
+using XdsRbacTestWithActionAndAuditConditionPermutations = XdsRbacTest;
+
+TEST_P(XdsRbacTestWithActionAndAuditConditionPermutations,
+       AuditLoggingDisabled) {
+  RBAC rbac;
+  auto* rules = rbac.mutable_rules();
+  rules->set_action(GetParam().rbac_action());
+  Policy policy;
+  policy.add_permissions()->set_any(true);
+  policy.add_principals()->set_any(true);
+  (*rules->mutable_policies())["policy"] = policy;
+  auto* logging_options = rules->mutable_audit_logging_options();
+  logging_options->set_audit_condition(GetParam().rbac_audit_condition());
+  auto* audit_logger =
+      logging_options->add_logger_configs()->mutable_audit_logger();
+  audit_logger->mutable_typed_config()->set_type_url("/test_logger");
+  TypedStruct typed_struct;
+  typed_struct.set_type_url("/test_logger");
+  typed_struct.mutable_value()->mutable_fields();
+  audit_logger->mutable_typed_config()->PackFrom(typed_struct);
+  SetServerRbacPolicy(rbac);
+  backends_[0]->Start();
+  backends_[0]->notifier()->WaitOnServingStatusChange(
+      absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+      grpc::StatusCode::OK);
+  SendRpc([this]() { return CreateInsecureChannel(); }, {}, {},
+          /*test_expects_failure=*/GetParam().rbac_action() == RBAC_Action_DENY,
+          grpc::StatusCode::PERMISSION_DENIED);
+  EXPECT_THAT(audit_logs_, ::testing::ElementsAre());
+}
+
+TEST_P(XdsRbacTestWithActionAndAuditConditionPermutations, MultipleLoggers) {
+  ScopedExperimentalEnvVar env_var("GRPC_EXPERIMENTAL_XDS_RBAC_AUDIT_LOGGING");
+  RBAC rbac;
+  auto* rules = rbac.mutable_rules();
+  rules->set_action(GetParam().rbac_action());
+  Policy policy;
+  policy.add_permissions()->set_any(true);
+  policy.add_principals()->set_any(true);
+  (*rules->mutable_policies())["policy"] = policy;
+  auto* logging_options = rules->mutable_audit_logging_options();
+  logging_options->set_audit_condition(GetParam().rbac_audit_condition());
+  auto* stdout_logger =
+      logging_options->add_logger_configs()->mutable_audit_logger();
+  stdout_logger->mutable_typed_config()->set_type_url(
+      "/envoy.extensions.rbac.audit_loggers.stream.v3.StdoutAuditLog");
+  auto* test_logger =
+      logging_options->add_logger_configs()->mutable_audit_logger();
+  test_logger->mutable_typed_config()->set_type_url("/test_logger");
+  TypedStruct typed_struct;
+  typed_struct.set_type_url("/test_logger");
+  typed_struct.mutable_value()->mutable_fields();
+  test_logger->mutable_typed_config()->PackFrom(typed_struct);
+  SetServerRbacPolicy(rbac);
+  backends_[0]->Start();
+  backends_[0]->notifier()->WaitOnServingStatusChange(
+      absl::StrCat(ipv6_only_ ? "[::1]:" : "127.0.0.1:", backends_[0]->port()),
+      grpc::StatusCode::OK);
+  auto action = GetParam().rbac_action();
+  SendRpc([this]() { return CreateInsecureChannel(); }, {}, {},
+          /*test_expects_failure=*/action == RBAC_Action_DENY,
+          grpc::StatusCode::PERMISSION_DENIED);
+  auto audit_condition = GetParam().rbac_audit_condition();
+  bool should_log =
+      (audit_condition ==
+       RBAC_AuditLoggingOptions_AuditCondition_ON_DENY_AND_ALLOW) ||
+      (action != RBAC_Action_DENY &&
+       audit_condition == RBAC_AuditLoggingOptions_AuditCondition_ON_ALLOW) ||
+      (action == RBAC_Action_DENY &&
+       audit_condition == RBAC_AuditLoggingOptions_AuditCondition_ON_DENY);
+  if (should_log) {
+    EXPECT_THAT(audit_logs_,
+                ::testing::ElementsAre(absl::StrFormat(
+                    "{\"authorized\":%s,\"matched_rule\":\"policy\","
+                    "\"policy_name\":\"rbac1\",\"principal\":\"\","
+                    "\"rpc_"
+                    "method\":\"/grpc.testing.EchoTestService/Echo\"}",
+                    action == RBAC_Action_DENY ? "false" : "true")));
+  } else {
+    EXPECT_THAT(audit_logs_, ::testing::ElementsAre());
+  }
+}
+
 // CDS depends on XdsResolver.
 // Security depends on v3.
 // Not enabling load reporting or RDS, since those are irrelevant to these
@ -2945,6 +3248,48 @@ INSTANTIATE_TEST_SUITE_P(
            .set_bootstrap_source(XdsTestType::kBootstrapFromEnvVar)),
    &XdsTestType::Name);

+INSTANTIATE_TEST_SUITE_P(
+    XdsTest, XdsRbacTestWithActionAndAuditConditionPermutations,
+    ::testing::Values(
+        XdsTestType()
+            .set_use_xds_credentials()
+            .set_rbac_action(RBAC_Action_ALLOW)
+            .set_rbac_audit_condition(
+                RBAC_AuditLoggingOptions_AuditCondition_ON_DENY)
+            .set_bootstrap_source(XdsTestType::kBootstrapFromEnvVar),
+        XdsTestType()
+            .set_use_xds_credentials()
+            .set_rbac_action(RBAC_Action_ALLOW)
+            .set_rbac_audit_condition(
+                RBAC_AuditLoggingOptions_AuditCondition_ON_ALLOW)
+            .set_bootstrap_source(XdsTestType::kBootstrapFromEnvVar),
+        XdsTestType()
+            .set_use_xds_credentials()
+            .set_rbac_action(RBAC_Action_ALLOW)
+            .set_rbac_audit_condition(
+                RBAC_AuditLoggingOptions_AuditCondition_ON_DENY_AND_ALLOW)
+            .set_bootstrap_source(XdsTestType::kBootstrapFromEnvVar),
+        XdsTestType()
+            .set_use_xds_credentials()
+            .set_rbac_action(RBAC_Action_DENY)
+            .set_rbac_audit_condition(
+                RBAC_AuditLoggingOptions_AuditCondition_ON_ALLOW)
+            .set_bootstrap_source(XdsTestType::kBootstrapFromEnvVar),
+        XdsTestType()
+            .set_use_xds_credentials()
+            .set_rbac_action(RBAC_Action_DENY)
+            .set_rbac_audit_condition(
+                RBAC_AuditLoggingOptions_AuditCondition_ON_DENY)
+            .set_bootstrap_source(XdsTestType::kBootstrapFromEnvVar),
+        XdsTestType()
+            .set_use_xds_credentials()
+            .set_enable_rds_testing()
+            .set_rbac_action(RBAC_Action_DENY)
+            .set_rbac_audit_condition(
+                RBAC_AuditLoggingOptions_AuditCondition_ON_DENY_AND_ALLOW)
+            .set_bootstrap_source(XdsTestType::kBootstrapFromEnvVar)),
+    &XdsTestType::Name);
+
 }  // namespace
 }  // namespace testing
 }  // namespace grpc
--- a/test/cpp/end2end/xds/xds_end2end_test_lib.h
+++ b/test/cpp/end2end/xds/xds_end2end_test_lib.h
@ -45,6 +45,7 @@
 #include "src/proto/grpc/testing/xds/v3/http_connection_manager.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/http_filter_rbac.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/orca_load_report.pb.h"
+#include "src/proto/grpc/testing/xds/v3/rbac.pb.h"
 #include "test/core/util/port.h"
 #include "test/cpp/end2end/counted_service.h"
 #include "test/cpp/end2end/test_service_impl.h"
@ -104,6 +105,13 @@ class XdsTestType {
    return *this;
  }

+  XdsTestType& set_rbac_audit_condition(
+      ::envoy::config::rbac::v3::RBAC_AuditLoggingOptions_AuditCondition
+          audit_condition) {
+    rbac_audit_condition_ = audit_condition;
+    return *this;
+  }
+
  bool enable_load_reporting() const { return enable_load_reporting_; }
  bool enable_rds_testing() const { return enable_rds_testing_; }
  bool use_xds_credentials() const { return use_xds_credentials_; }
@ -115,6 +123,10 @@ class XdsTestType {
  ::envoy::config::rbac::v3::RBAC_Action rbac_action() const {
    return rbac_action_;
  }
+  ::envoy::config::rbac::v3::RBAC_AuditLoggingOptions_AuditCondition
+  rbac_audit_condition() const {
+    return rbac_audit_condition_;
+  }

  std::string AsString() const {
    std::string retval = "V3";
@ -135,6 +147,14 @@ class XdsTestType {
    } else if (rbac_action_ == ::envoy::config::rbac::v3::RBAC_Action_DENY) {
      retval += "RbacDeny";
    }
+    if (rbac_audit_condition_ !=
+        ::envoy::config::rbac::v3::
+            RBAC_AuditLoggingOptions_AuditCondition_NONE) {
+      retval += absl::StrCat("AuditCondition",
+                             ::envoy::config::rbac::v3::
+                                 RBAC_AuditLoggingOptions_AuditCondition_Name(
+                                     rbac_audit_condition_));
+    }
    return retval;
  }

@ -152,6 +172,9 @@ class XdsTestType {
  BootstrapSource bootstrap_source_ = kBootstrapFromChannelArg;
  ::envoy::config::rbac::v3::RBAC_Action rbac_action_ =
      ::envoy::config::rbac::v3::RBAC_Action_LOG;
+  ::envoy::config::rbac::v3::RBAC_AuditLoggingOptions_AuditCondition
+      rbac_audit_condition_ = ::envoy::config::rbac::v3::
+          RBAC_AuditLoggingOptions_AuditCondition_NONE;
 };

 // A base class for xDS end-to-end tests.