Authorization Matchers: Fix header matcher to check for :method, :path and :authority (#28371)

* Authorization Matchers: Fix header matcher to check for :method, :path and :authority

* Reviewer comments
pull/28395/head
Yash Tibrewal 3 years ago committed by GitHub
parent 1a8d2b6760
commit ecd968391a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 21
      src/core/lib/security/authorization/evaluate_args.cc
  2. 60
      test/core/security/authorization_matchers_test.cc

@ -115,6 +115,27 @@ absl::optional<absl::string_view> EvaluateArgs::GetHeaderValue(
if (metadata_ == nullptr) {
return absl::nullopt;
}
// TODO(yashykt): Remove these special cases for known metadata after
// https://github.com/grpc/grpc/pull/28267 is merged
if (key == HttpMethodMetadata::key()) {
auto method = metadata_->get(HttpMethodMetadata());
return method.has_value()
? absl::optional<absl::string_view>(
HttpMethodMetadata::Encode(*method).as_string_view())
: absl::nullopt;
}
if (key == HttpAuthorityMetadata().key()) {
auto authority = metadata_->get_pointer(HttpAuthorityMetadata());
return authority != nullptr
? absl::optional<absl::string_view>(authority->as_string_view())
: absl::nullopt;
}
if (key == HttpPathMetadata().key()) {
auto path = metadata_->get_pointer(HttpPathMetadata());
return path != nullptr
? absl::optional<absl::string_view>(path->as_string_view())
: absl::nullopt;
}
return metadata_->GetValue(key, concatenated_value);
}
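Review bot: In the `:method` branch the returned `absl::string_view` is taken from the temporary produced by `HttpMethodMetadata::Encode(*method)`, which is destroyed at the end of the return statement, so the view is only safe if the encoded slice refers to static storage. Encode's return type is not visible in this hunk; if it is a static slice, record that above the return, e.g. `// Encode() yields a slice over a static string, so the view outlives the temporary.`, because this value feeds authorization decisions and a dangling view here would be a read after free. As a smaller style point, the method branch calls `HttpMethodMetadata::key()` on the type while the other two construct a temporary first (`HttpAuthorityMetadata().key()`, `HttpPathMetadata().key()`); one form throughout would read better. GetHeaderValue's signature and opening lines are outside the hunk.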

@ -237,6 +237,66 @@ TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherFailedMatch) {
EXPECT_FALSE(matcher.Matches(args));
}
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherMethodSuccess) {
args_.AddPairToMetadata(":method", "GET");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/":method", HeaderMatcher::Type::kExact,
/*matcher=*/"GET")
.value());
EXPECT_TRUE(matcher.Matches(args));
}
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherMethodFail) {
args_.AddPairToMetadata(":method", "GET");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/":method", HeaderMatcher::Type::kExact,
/*matcher=*/"PUT")
.value());
EXPECT_FALSE(matcher.Matches(args));
}
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherAuthoritySuccess) {
args_.AddPairToMetadata(":authority", "localhost");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/":authority", HeaderMatcher::Type::kExact,
/*matcher=*/"localhost")
.value());
EXPECT_TRUE(matcher.Matches(args));
}
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherAuthorityFail) {
args_.AddPairToMetadata(":authority", "localhost");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/":authority", HeaderMatcher::Type::kExact,
/*matcher=*/"bad_authority")
.value());
EXPECT_FALSE(matcher.Matches(args));
}
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherPathSuccess) {
args_.AddPairToMetadata(":path", "/expected/path");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/":path", HeaderMatcher::Type::kExact,
/*matcher=*/"/expected/path")
.value());
EXPECT_TRUE(matcher.Matches(args));
}
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherPathFail) {
args_.AddPairToMetadata(":path", "/expected/path");
EvaluateArgs args = args_.MakeEvaluateArgs();
HeaderAuthorizationMatcher matcher(
HeaderMatcher::Create(/*name=*/":path", HeaderMatcher::Type::kExact,
/*matcher=*/"/unexpected/path")
.value());
EXPECT_FALSE(matcher.Matches(args));
}
TEST_F(AuthorizationMatchersTest,
HeaderAuthorizationMatcherFailedMatchMultivaluedHeader) {
args_.AddPairToMetadata("key123", "foo");
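Review bot: The six new tests always add the pseudo-header before matching, so the `absl::nullopt` side of each new branch in GetHeaderValue (header absent) is never exercised. Since these matchers back authorization rules, it is worth pinning what an exact matcher does when `:path`, `:method` or `:authority` is missing; presumably it should not match, but that is not visible on this page and should be confirmed against HeaderMatcher. A test like the one below for `:path`, with siblings for the other two keys, would cover it. The last test in the hunk, HeaderAuthorizationMatcherFailedMatchMultivaluedHeader, continues outside the hunk.

```cpp
TEST_F(AuthorizationMatchersTest, HeaderAuthorizationMatcherPathMissing) {
  // Some metadata is present, but ":path" is not, so GetHeaderValue() takes
  // the nullopt side of the ":path" branch.
  args_.AddPairToMetadata("key123", "foo");
  EvaluateArgs args = args_.MakeEvaluateArgs();
  HeaderAuthorizationMatcher matcher(
      HeaderMatcher::Create(/*name=*/":path", HeaderMatcher::Type::kExact,
                            /*matcher=*/"/expected/path")
          .value());
  // Expected result assumed; confirm against HeaderMatcher's handling of an
  // absent value.
  EXPECT_FALSE(matcher.Matches(args));
}
```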
