authz: update representation of allow authenticated in SDK (#5052)

* remove empty principals logic

* Update test

* minor formatting

* resolving comments
Ashitha Santhosh 2021-12-28 15:07:12 -08:00 committed by GitHub
parent 344b93a285
commit fbaf7c5582
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 46 deletions


@ -157,19 +157,13 @@ func parsePrincipalNames(principalNames []string) []*v3rbacpb.Principal {
} }
func parsePeer(source peer) *v3rbacpb.Principal { func parsePeer(source peer) *v3rbacpb.Principal {
if source.Principals == nil { if len(source.Principals) == 0 {
return &v3rbacpb.Principal{ return &v3rbacpb.Principal{
Identifier: &v3rbacpb.Principal_Any{ Identifier: &v3rbacpb.Principal_Any{
Any: true, Any: true,
}, },
} }
} }
if len(source.Principals) == 0 {
return &v3rbacpb.Principal{
Identifier: &v3rbacpb.Principal_Authenticated_{
Authenticated: &v3rbacpb.Principal_Authenticated{},
}}
}
return principalOr(parsePrincipalNames(source.Principals)) return principalOr(parsePrincipalNames(source.Principals))
} }
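Review bot: The new condition at the top of parsePeer folds the nil and empty-list cases into the `Any: true` principal, so a policy written as `"source": {"principals": []}` now admits any peer where the removed lines below mapped it to an Authenticated principal; the function carries no comment recording this, and the `["*", ""]` spelling the tests switch to is the only place the new convention is visible. A doc comment on the function, e.g. `// parsePeer returns an Any principal when no principals are listed; a rule meant to admit only authenticated peers must list them explicitly (e.g. ["*", ""]).`, would record the contract at the point where it is decided. The end-to-end case that paired a named principal (`"foo"`) with an unauthenticated connection is also deleted further down this page, so as far as this page shows no SDK test now exercises the named-principal branch of this function against an unauthenticated peer.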


@ -205,23 +205,37 @@ func TestTranslatePolicy(t *testing.T) {
}, },
}, },
}, },
"empty principal field": { "allow authenticated": {
authzPolicy: `{ authzPolicy: `{
"name": "authz", "name": "authz",
"allow_rules": [{ "allow_rules": [
"name": "allow_authenticated", {
"source": {"principals":[]} "name": "allow_authenticated",
}] "source": {
}`, "principals":["*", ""]
}
}]
}`,
wantPolicies: []*v3rbacpb.RBAC{ wantPolicies: []*v3rbacpb.RBAC{
{ {
Action: v3rbacpb.RBAC_ALLOW, Action: v3rbacpb.RBAC_ALLOW,
Policies: map[string]*v3rbacpb.Policy{ Policies: map[string]*v3rbacpb.Policy{
"authz_allow_authenticated": { "authz_allow_authenticated": {
Principals: []*v3rbacpb.Principal{ Principals: []*v3rbacpb.Principal{
{Identifier: &v3rbacpb.Principal_Authenticated_{ {Identifier: &v3rbacpb.Principal_OrIds{OrIds: &v3rbacpb.Principal_Set{
Authenticated: &v3rbacpb.Principal_Authenticated{}, Ids: []*v3rbacpb.Principal{
}}, {Identifier: &v3rbacpb.Principal_Authenticated_{
Authenticated: &v3rbacpb.Principal_Authenticated{PrincipalName: &v3matcherpb.StringMatcher{
MatchPattern: &v3matcherpb.StringMatcher_SafeRegex{SafeRegex: &v3matcherpb.RegexMatcher{Regex: ".+"}},
}},
}},
{Identifier: &v3rbacpb.Principal_Authenticated_{
Authenticated: &v3rbacpb.Principal_Authenticated{PrincipalName: &v3matcherpb.StringMatcher{
MatchPattern: &v3matcherpb.StringMatcher_Exact{Exact: ""},
}},
}},
},
}}},
}, },
Permissions: []*v3rbacpb.Permission{ Permissions: []*v3rbacpb.Permission{
{Rule: &v3rbacpb.Permission_Any{Any: true}}, {Rule: &v3rbacpb.Permission_Any{Any: true}},
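Review bot: The new "allow authenticated" case at the top of the hunk gives no hint why the policy needs both `"*"` and `""`, while the expected proto below shows they translate to two different matchers (a `.+` safe-regex, which only matches a non-empty name, and an exact empty string). A one-line comment on the case, e.g. `// "*" covers any non-empty principal name and "" the empty one; together they express "any authenticated peer", since an empty principals list now means any peer.`, would make the fixture self-explanatory for the next person who has to update it.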


@ -261,30 +261,6 @@ var sdkTests = map[string]struct {
wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"), wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
}, },
"DeniesRPCRequestWithPrincipalsFieldOnUnauthenticatedConnection": { "DeniesRPCRequestWithPrincipalsFieldOnUnauthenticatedConnection": {
authzPolicy: `{
"name": "authz",
"allow_rules":
[
{
"name": "allow_TestServiceCalls",
"source": {
"principals":
[
"foo"
]
},
"request": {
"paths":
[
"/grpc.testing.TestService/*"
]
}
}
]
}`,
wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
},
"DeniesRPCRequestWithEmptyPrincipalsOnUnauthenticatedConnection": {
authzPolicy: `{ authzPolicy: `{
"name": "authz", "name": "authz",
"allow_rules": "allow_rules":
@ -292,7 +268,7 @@ var sdkTests = map[string]struct {
{ {
"name": "allow_authenticated", "name": "allow_authenticated",
"source": { "source": {
"principals": [] "principals": ["*", ""]
} }
} }
] ]
@ -386,7 +362,7 @@ func (s) TestSDKStaticPolicyEnd2End(t *testing.T) {
} }
} }
func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnTLSAuthenticatedConnection(t *testing.T) { func (s) TestSDKAllowsRPCRequestWithPrincipalsFieldOnTLSAuthenticatedConnection(t *testing.T) {
authzPolicy := `{ authzPolicy := `{
"name": "authz", "name": "authz",
"allow_rules": "allow_rules":
@ -394,7 +370,7 @@ func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnTLSAuthenticatedConnection(
{ {
"name": "allow_authenticated", "name": "allow_authenticated",
"source": { "source": {
"principals": [] "principals": ["*", ""]
} }
} }
] ]
@ -438,7 +414,7 @@ func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnTLSAuthenticatedConnection(
} }
} }
func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnMTLSAuthenticatedConnection(t *testing.T) { func (s) TestSDKAllowsRPCRequestWithPrincipalsFieldOnMTLSAuthenticatedConnection(t *testing.T) {
authzPolicy := `{ authzPolicy := `{
"name": "authz", "name": "authz",
"allow_rules": "allow_rules":
@ -446,7 +422,7 @@ func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnMTLSAuthenticatedConnection
{ {
"name": "allow_authenticated", "name": "allow_authenticated",
"source": { "source": {
"principals": [] "principals": ["*", ""]
} }
} }
] ]