mirror of https://github.com/grpc/grpc.git
Merge pull request #21547 from ZhenLian/zhen_alts_context_new_3
Exposing ALTS Context and clientAuthzCheck()pull/21542/head
Jiangtao Li
5 years ago
committed by
GitHub
commit
fef0a47222
13 changed files with 852 additions and 2 deletions
@ -0,0 +1,67 @@ |
||||
/*
|
||||
* |
||||
* Copyright 2019 gRPC authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
* |
||||
*/ |
||||
|
||||
#ifndef GRPCPP_SECURITY_ALTS_CONTEXT_H |
||||
#define GRPCPP_SECURITY_ALTS_CONTEXT_H |
||||
|
||||
#include <grpc/grpc_security_constants.h> |
||||
#include <grpcpp/security/auth_context.h> |
||||
|
||||
#include <memory> |
||||
|
||||
struct grpc_gcp_AltsContext; |
||||
|
||||
namespace grpc { |
||||
namespace experimental { |
||||
|
||||
// AltsContext is a wrapper class for grpc_gcp_AltsContext.
|
||||
class AltsContext { |
||||
public: |
||||
struct RpcProtocolVersions { |
||||
struct Version { |
||||
int major_version; |
||||
int minor_version; |
||||
}; |
||||
Version max_rpc_version; |
||||
Version min_rpc_version; |
||||
}; |
||||
explicit AltsContext(const grpc_gcp_AltsContext* ctx); |
||||
AltsContext& operator=(const AltsContext&) = default; |
||||
AltsContext(const AltsContext&) = default; |
||||
|
||||
grpc::string application_protocol() const; |
||||
grpc::string record_protocol() const; |
||||
grpc::string peer_service_account() const; |
||||
grpc::string local_service_account() const; |
||||
grpc_security_level security_level() const; |
||||
RpcProtocolVersions peer_rpc_versions() const; |
||||
|
||||
private: |
||||
// TODO(ZhenLian): Also plumb field peer_attributes when it is in use
|
||||
grpc::string application_protocol_; |
||||
grpc::string record_protocol_; |
||||
grpc::string peer_service_account_; |
||||
grpc::string local_service_account_; |
||||
grpc_security_level security_level_ = GRPC_SECURITY_NONE; |
||||
RpcProtocolVersions peer_rpc_versions_ = {{0, 0}, {0, 0}}; |
||||
}; |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc
|
||||
|
||||
#endif // GRPCPP_SECURITY_ALTS_CONTEXT_H
|
||||
@ -0,0 +1,50 @@ |
||||
/*
|
||||
* |
||||
* Copyright 2019 gRPC authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
* |
||||
*/ |
||||
|
||||
#ifndef GRPCPP_SECURITY_ALTS_UTIL_H |
||||
#define GRPCPP_SECURITY_ALTS_UTIL_H |
||||
|
||||
#include <grpc/grpc_security_constants.h> |
||||
#include <grpcpp/impl/codegen/status.h> |
||||
#include <grpcpp/security/alts_context.h> |
||||
#include <grpcpp/security/auth_context.h> |
||||
|
||||
#include <memory> |
||||
|
||||
struct grpc_gcp_AltsContext; |
||||
|
||||
namespace grpc { |
||||
namespace experimental { |
||||
|
||||
// GetAltsContextFromAuthContext helps to get the AltsContext from AuthContext.
|
||||
// If ALTS is not the transport security protocol used to establish the
|
||||
// connection, this function will return nullptr.
|
||||
std::unique_ptr<AltsContext> GetAltsContextFromAuthContext( |
||||
const std::shared_ptr<const AuthContext>& auth_context); |
||||
|
||||
// This utility function performs ALTS client authorization check on server
|
||||
// side, i.e., checks if the client identity matches one of the expected service
|
||||
// accounts. It returns OK if client is authorized and an error otherwise.
|
||||
grpc::Status AltsClientAuthzCheck( |
||||
const std::shared_ptr<const AuthContext>& auth_context, |
||||
const std::vector<std::string>& expected_service_accounts); |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc
|
||||
|
||||
#endif // GRPCPP_SECURITY_ALTS_UTIL_H
|
||||
@ -0,0 +1,108 @@ |
||||
/*
|
||||
* |
||||
* Copyright 2019 gRPC authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
* |
||||
*/ |
||||
|
||||
#include <grpc/grpc_security.h> |
||||
#include <grpcpp/security/alts_context.h> |
||||
|
||||
#include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h" |
||||
#include "src/proto/grpc/gcp/altscontext.upb.h" |
||||
|
||||
namespace grpc { |
||||
namespace experimental { |
||||
|
||||
// A upb-generated grpc_gcp_AltsContext is passed in to construct an
|
||||
// AltsContext. Normal users should use GetAltsContextFromAuthContext to get
|
||||
// AltsContext, instead of constructing their own.
|
||||
AltsContext::AltsContext(const grpc_gcp_AltsContext* ctx) { |
||||
upb_strview application_protocol = |
||||
grpc_gcp_AltsContext_application_protocol(ctx); |
||||
if (application_protocol.data != nullptr && application_protocol.size > 0) { |
||||
application_protocol_ = |
||||
grpc::string(application_protocol.data, application_protocol.size); |
||||
} |
||||
upb_strview record_protocol = grpc_gcp_AltsContext_record_protocol(ctx); |
||||
if (record_protocol.data != nullptr && record_protocol.size > 0) { |
||||
record_protocol_ = grpc::string(record_protocol.data, record_protocol.size); |
||||
} |
||||
upb_strview peer_service_account = |
||||
grpc_gcp_AltsContext_peer_service_account(ctx); |
||||
if (peer_service_account.data != nullptr && peer_service_account.size > 0) { |
||||
peer_service_account_ = |
||||
grpc::string(peer_service_account.data, peer_service_account.size); |
||||
} |
||||
upb_strview local_service_account = |
||||
grpc_gcp_AltsContext_local_service_account(ctx); |
||||
if (local_service_account.data != nullptr && local_service_account.size > 0) { |
||||
local_service_account_ = |
||||
grpc::string(local_service_account.data, local_service_account.size); |
||||
} |
||||
const grpc_gcp_RpcProtocolVersions* versions = |
||||
grpc_gcp_AltsContext_peer_rpc_versions(ctx); |
||||
if (versions != nullptr) { |
||||
const grpc_gcp_RpcProtocolVersions_Version* max_version = |
||||
grpc_gcp_RpcProtocolVersions_max_rpc_version(versions); |
||||
if (max_version != nullptr) { |
||||
int max_version_major = |
||||
grpc_gcp_RpcProtocolVersions_Version_major(max_version); |
||||
int max_version_minor = |
||||
grpc_gcp_RpcProtocolVersions_Version_minor(max_version); |
||||
peer_rpc_versions_.max_rpc_version.major_version = max_version_major; |
||||
peer_rpc_versions_.max_rpc_version.minor_version = max_version_minor; |
||||
} |
||||
const grpc_gcp_RpcProtocolVersions_Version* min_version = |
||||
grpc_gcp_RpcProtocolVersions_min_rpc_version(versions); |
||||
if (min_version != nullptr) { |
||||
int min_version_major = |
||||
grpc_gcp_RpcProtocolVersions_Version_major(min_version); |
||||
int min_version_minor = |
||||
grpc_gcp_RpcProtocolVersions_Version_minor(min_version); |
||||
peer_rpc_versions_.min_rpc_version.major_version = min_version_major; |
||||
peer_rpc_versions_.min_rpc_version.minor_version = min_version_minor; |
||||
} |
||||
} |
||||
if (grpc_gcp_AltsContext_security_level(ctx) >= GRPC_SECURITY_MIN || |
||||
grpc_gcp_AltsContext_security_level(ctx) <= GRPC_SECURITY_MAX) { |
||||
security_level_ = static_cast<grpc_security_level>( |
||||
grpc_gcp_AltsContext_security_level(ctx)); |
||||
} |
||||
} |
||||
|
||||
grpc::string AltsContext::application_protocol() const { |
||||
return application_protocol_; |
||||
} |
||||
|
||||
grpc::string AltsContext::record_protocol() const { return record_protocol_; } |
||||
|
||||
grpc::string AltsContext::peer_service_account() const { |
||||
return peer_service_account_; |
||||
} |
||||
|
||||
grpc::string AltsContext::local_service_account() const { |
||||
return local_service_account_; |
||||
} |
||||
|
||||
grpc_security_level AltsContext::security_level() const { |
||||
return security_level_; |
||||
} |
||||
|
||||
AltsContext::RpcProtocolVersions AltsContext::peer_rpc_versions() const { |
||||
return peer_rpc_versions_; |
||||
} |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc
|
||||
@ -0,0 +1,79 @@ |
||||
/*
|
||||
* |
||||
* Copyright 2019 gRPC authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
* |
||||
*/ |
||||
|
||||
#include <grpc/grpc_security.h> |
||||
#include <grpcpp/security/alts_context.h> |
||||
#include <grpcpp/security/alts_util.h> |
||||
|
||||
#include "src/core/lib/gprpp/memory.h" |
||||
#include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h" |
||||
#include "src/cpp/common/secure_auth_context.h" |
||||
#include "src/proto/grpc/gcp/altscontext.upb.h" |
||||
|
||||
namespace grpc { |
||||
namespace experimental { |
||||
|
||||
std::unique_ptr<AltsContext> GetAltsContextFromAuthContext( |
||||
const std::shared_ptr<const AuthContext>& auth_context) { |
||||
if (auth_context == nullptr) { |
||||
gpr_log(GPR_ERROR, "auth_context is nullptr."); |
||||
return nullptr; |
||||
} |
||||
std::vector<string_ref> ctx_vector = |
||||
auth_context->FindPropertyValues(TSI_ALTS_CONTEXT); |
||||
if (ctx_vector.size() != 1) { |
||||
gpr_log(GPR_ERROR, "contains zero or more than one ALTS context."); |
||||
return nullptr; |
||||
} |
||||
upb::Arena context_arena; |
||||
grpc_gcp_AltsContext* ctx = grpc_gcp_AltsContext_parse( |
||||
ctx_vector[0].data(), ctx_vector[0].size(), context_arena.ptr()); |
||||
if (ctx == nullptr) { |
||||
gpr_log(GPR_ERROR, "fails to parse ALTS context."); |
||||
return nullptr; |
||||
} |
||||
if (grpc_gcp_AltsContext_security_level(ctx) < GRPC_SECURITY_MIN || |
||||
grpc_gcp_AltsContext_security_level(ctx) > GRPC_SECURITY_MAX) { |
||||
gpr_log(GPR_ERROR, "security_level is invalid."); |
||||
return nullptr; |
||||
} |
||||
return grpc_core::MakeUnique<AltsContext>(AltsContext(ctx)); |
||||
} |
||||
|
||||
grpc::Status AltsClientAuthzCheck( |
||||
const std::shared_ptr<const AuthContext>& auth_context, |
||||
const std::vector<std::string>& expected_service_accounts) { |
||||
std::unique_ptr<AltsContext> alts_ctx = |
||||
GetAltsContextFromAuthContext(auth_context); |
||||
if (alts_ctx == nullptr) { |
||||
return grpc::Status(grpc::StatusCode::PERMISSION_DENIED, |
||||
"fails to parse ALTS context."); |
||||
} |
||||
if (std::find(expected_service_accounts.begin(), |
||||
expected_service_accounts.end(), |
||||
alts_ctx->peer_service_account()) != |
||||
expected_service_accounts.end()) { |
||||
return grpc::Status::OK; |
||||
} |
||||
return grpc::Status( |
||||
grpc::StatusCode::PERMISSION_DENIED, |
||||
"client " + alts_ctx->peer_service_account() + " is not authorized."); |
||||
} |
||||
|
||||
} // namespace experimental
|
||||
} // namespace grpc
|
||||
@ -0,0 +1,203 @@ |
||||
/*
|
||||
* |
||||
* Copyright 2019 gRPC authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
* |
||||
*/ |
||||
|
||||
#include <grpcpp/security/alts_context.h> |
||||
#include <grpcpp/security/alts_util.h> |
||||
#include <grpcpp/security/auth_context.h> |
||||
#include <gtest/gtest.h> |
||||
|
||||
#include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h" |
||||
#include "src/cpp/common/secure_auth_context.h" |
||||
#include "src/proto/grpc/gcp/altscontext.upb.h" |
||||
#include "test/cpp/util/string_ref_helper.h" |
||||
|
||||
namespace grpc { |
||||
namespace { |
||||
|
||||
TEST(AltsUtilTest, NullAuthContext) { |
||||
std::unique_ptr<experimental::AltsContext> alts_context = |
||||
experimental::GetAltsContextFromAuthContext(nullptr); |
||||
EXPECT_EQ(alts_context, nullptr); |
||||
} |
||||
|
||||
TEST(AltsUtilTest, EmptyAuthContext) { |
||||
grpc_core::RefCountedPtr<grpc_auth_context> ctx = |
||||
grpc_core::MakeRefCounted<grpc_auth_context>(nullptr); |
||||
const std::shared_ptr<AuthContext> auth_context( |
||||
new SecureAuthContext(ctx.get())); |
||||
std::unique_ptr<experimental::AltsContext> alts_context = |
||||
experimental::GetAltsContextFromAuthContext(auth_context); |
||||
EXPECT_EQ(alts_context, nullptr); |
||||
} |
||||
|
||||
TEST(AltsUtilTest, AuthContextWithMoreThanOneAltsContext) { |
||||
grpc_core::RefCountedPtr<grpc_auth_context> ctx = |
||||
grpc_core::MakeRefCounted<grpc_auth_context>(nullptr); |
||||
const std::shared_ptr<AuthContext> auth_context( |
||||
new SecureAuthContext(ctx.get())); |
||||
ctx.reset(); |
||||
auth_context->AddProperty(TSI_ALTS_CONTEXT, "context1"); |
||||
auth_context->AddProperty(TSI_ALTS_CONTEXT, "context2"); |
||||
std::unique_ptr<experimental::AltsContext> alts_context = |
||||
experimental::GetAltsContextFromAuthContext(auth_context); |
||||
EXPECT_EQ(alts_context, nullptr); |
||||
} |
||||
|
||||
TEST(AltsUtilTest, AuthContextWithBadAltsContext) { |
||||
grpc_core::RefCountedPtr<grpc_auth_context> ctx = |
||||
grpc_core::MakeRefCounted<grpc_auth_context>(nullptr); |
||||
const std::shared_ptr<AuthContext> auth_context( |
||||
new SecureAuthContext(ctx.get())); |
||||
ctx.reset(); |
||||
auth_context->AddProperty(TSI_ALTS_CONTEXT, |
||||
"bad context string serialization"); |
||||
std::unique_ptr<experimental::AltsContext> alts_context = |
||||
experimental::GetAltsContextFromAuthContext(auth_context); |
||||
EXPECT_EQ(alts_context, nullptr); |
||||
} |
||||
|
||||
TEST(AltsUtilTest, AuthContextWithGoodAltsContextWithoutRpcVersions) { |
||||
grpc_core::RefCountedPtr<grpc_auth_context> ctx = |
||||
grpc_core::MakeRefCounted<grpc_auth_context>(nullptr); |
||||
const std::shared_ptr<AuthContext> auth_context( |
||||
new SecureAuthContext(ctx.get())); |
||||
ctx.reset(); |
||||
grpc::string expected_ap("application protocol"); |
||||
grpc::string expected_rp("record protocol"); |
||||
grpc::string expected_peer("peer"); |
||||
grpc::string expected_local("local"); |
||||
grpc_security_level expected_sl = GRPC_INTEGRITY_ONLY; |
||||
upb::Arena context_arena; |
||||
grpc_gcp_AltsContext* context = grpc_gcp_AltsContext_new(context_arena.ptr()); |
||||
grpc_gcp_AltsContext_set_application_protocol( |
||||
context, upb_strview_make(expected_ap.data(), expected_ap.length())); |
||||
grpc_gcp_AltsContext_set_record_protocol( |
||||
context, upb_strview_make(expected_rp.data(), expected_rp.length())); |
||||
grpc_gcp_AltsContext_set_security_level(context, expected_sl); |
||||
grpc_gcp_AltsContext_set_peer_service_account( |
||||
context, upb_strview_make(expected_peer.data(), expected_peer.length())); |
||||
grpc_gcp_AltsContext_set_local_service_account( |
||||
context, |
||||
upb_strview_make(expected_local.data(), expected_local.length())); |
||||
size_t serialized_ctx_length; |
||||
char* serialized_ctx = grpc_gcp_AltsContext_serialize( |
||||
context, context_arena.ptr(), &serialized_ctx_length); |
||||
EXPECT_NE(serialized_ctx, nullptr); |
||||
auth_context->AddProperty(TSI_ALTS_CONTEXT, |
||||
string(serialized_ctx, serialized_ctx_length)); |
||||
std::unique_ptr<experimental::AltsContext> alts_context = |
||||
experimental::GetAltsContextFromAuthContext(auth_context); |
||||
EXPECT_NE(alts_context, nullptr); |
||||
EXPECT_EQ(expected_ap, alts_context->application_protocol()); |
||||
EXPECT_EQ(expected_rp, alts_context->record_protocol()); |
||||
EXPECT_EQ(expected_peer, alts_context->peer_service_account()); |
||||
EXPECT_EQ(expected_local, alts_context->local_service_account()); |
||||
EXPECT_EQ(expected_sl, alts_context->security_level()); |
||||
// all rpc versions should be 0 if not set
|
||||
experimental::AltsContext::RpcProtocolVersions rpc_protocol_versions = |
||||
alts_context->peer_rpc_versions(); |
||||
EXPECT_EQ(0, rpc_protocol_versions.max_rpc_version.major_version); |
||||
EXPECT_EQ(0, rpc_protocol_versions.max_rpc_version.minor_version); |
||||
EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.major_version); |
||||
EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.minor_version); |
||||
} |
||||
|
||||
TEST(AltsUtilTest, AuthContextWithGoodAltsContext) { |
||||
grpc_core::RefCountedPtr<grpc_auth_context> ctx = |
||||
grpc_core::MakeRefCounted<grpc_auth_context>(nullptr); |
||||
const std::shared_ptr<AuthContext> auth_context( |
||||
new SecureAuthContext(ctx.get())); |
||||
ctx.reset(); |
||||
upb::Arena context_arena; |
||||
grpc_gcp_AltsContext* context = grpc_gcp_AltsContext_new(context_arena.ptr()); |
||||
upb::Arena versions_arena; |
||||
grpc_gcp_RpcProtocolVersions* versions = |
||||
grpc_gcp_RpcProtocolVersions_new(versions_arena.ptr()); |
||||
upb::Arena max_major_version_arena; |
||||
grpc_gcp_RpcProtocolVersions_Version* version = |
||||
grpc_gcp_RpcProtocolVersions_Version_new(max_major_version_arena.ptr()); |
||||
grpc_gcp_RpcProtocolVersions_Version_set_major(version, 10); |
||||
grpc_gcp_RpcProtocolVersions_set_max_rpc_version(versions, version); |
||||
grpc_gcp_AltsContext_set_peer_rpc_versions(context, versions); |
||||
size_t serialized_ctx_length; |
||||
char* serialized_ctx = grpc_gcp_AltsContext_serialize( |
||||
context, context_arena.ptr(), &serialized_ctx_length); |
||||
EXPECT_NE(serialized_ctx, nullptr); |
||||
auth_context->AddProperty(TSI_ALTS_CONTEXT, |
||||
string(serialized_ctx, serialized_ctx_length)); |
||||
std::unique_ptr<experimental::AltsContext> alts_context = |
||||
experimental::GetAltsContextFromAuthContext(auth_context); |
||||
EXPECT_NE(alts_context, nullptr); |
||||
EXPECT_EQ("", alts_context->application_protocol()); |
||||
EXPECT_EQ("", alts_context->record_protocol()); |
||||
EXPECT_EQ("", alts_context->peer_service_account()); |
||||
EXPECT_EQ("", alts_context->local_service_account()); |
||||
EXPECT_EQ(GRPC_SECURITY_NONE, alts_context->security_level()); |
||||
experimental::AltsContext::RpcProtocolVersions rpc_protocol_versions = |
||||
alts_context->peer_rpc_versions(); |
||||
EXPECT_EQ(10, rpc_protocol_versions.max_rpc_version.major_version); |
||||
EXPECT_EQ(0, rpc_protocol_versions.max_rpc_version.minor_version); |
||||
EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.major_version); |
||||
EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.minor_version); |
||||
} |
||||
|
||||
TEST(AltsUtilTest, AltsClientAuthzCheck) { |
||||
// AltsClientAuthzCheck function should return a permission denied error on
|
||||
// the bad_auth_context, whose internal ALTS context does not exist
|
||||
const std::shared_ptr<AuthContext> bad_auth_context( |
||||
new SecureAuthContext(nullptr)); |
||||
std::vector<std::string> service_accounts{"client"}; |
||||
grpc::Status status = |
||||
experimental::AltsClientAuthzCheck(bad_auth_context, service_accounts); |
||||
EXPECT_EQ(grpc::StatusCode::PERMISSION_DENIED, status.error_code()); |
||||
// AltsClientAuthzCheck function should function normally when the peer name
|
||||
// in ALTS context is listed in service_accounts
|
||||
grpc_core::RefCountedPtr<grpc_auth_context> ctx = |
||||
grpc_core::MakeRefCounted<grpc_auth_context>(nullptr); |
||||
const std::shared_ptr<AuthContext> auth_context( |
||||
new SecureAuthContext(ctx.get())); |
||||
ctx.reset(); |
||||
grpc::string peer("good_client"); |
||||
std::vector<std::string> good_service_accounts{"good_client", |
||||
"good_client_1"}; |
||||
std::vector<std::string> bad_service_accounts{"bad_client", "bad_client_1"}; |
||||
upb::Arena context_arena; |
||||
grpc_gcp_AltsContext* context = grpc_gcp_AltsContext_new(context_arena.ptr()); |
||||
grpc_gcp_AltsContext_set_peer_service_account( |
||||
context, upb_strview_make(peer.data(), peer.length())); |
||||
size_t serialized_ctx_length; |
||||
char* serialized_ctx = grpc_gcp_AltsContext_serialize( |
||||
context, context_arena.ptr(), &serialized_ctx_length); |
||||
EXPECT_NE(serialized_ctx, nullptr); |
||||
auth_context->AddProperty(TSI_ALTS_CONTEXT, |
||||
string(serialized_ctx, serialized_ctx_length)); |
||||
grpc::Status good_status = |
||||
experimental::AltsClientAuthzCheck(auth_context, good_service_accounts); |
||||
EXPECT_TRUE(good_status.ok()); |
||||
grpc::Status bad_status = |
||||
experimental::AltsClientAuthzCheck(auth_context, bad_service_accounts); |
||||
EXPECT_EQ(grpc::StatusCode::PERMISSION_DENIED, bad_status.error_code()); |
||||
} |
||||
|
||||
} // namespace
|
||||
} // namespace grpc
|
||||
|
||||
int main(int argc, char** argv) { |
||||
::testing::InitGoogleTest(&argc, argv); |
||||
return RUN_ALL_TESTS(); |
||||
} |
||||
Loading…
Reference in new issue