/* * * Copyright 2020 gRPC authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ package engine import ( "testing" expr "google.golang.org/genproto/googleapis/api/expr/v1alpha1" "github.com/google/cel-go/cel" "github.com/google/cel-go/checker/decls" ) func (s) TestStringConvert(t *testing.T) { declarations := []*expr.Decl{ decls.NewIdent("request.url_path", decls.String, nil), decls.NewIdent("request.host", decls.String, nil), decls.NewIdent("connection.uri_san_peer_certificate", decls.String, nil), } env, err := cel.NewEnv() if err != nil { t.Fatalf("Failed to create the CEL environment") } for _, test := range []struct { desc string wantEvalOutcome bool wantParsingError bool wantEvalError bool expr string authzArgs map[string]interface{} }{ { desc: "single primitive match", wantEvalOutcome: true, expr: "request.url_path.startsWith('/pkg.service/test')", authzArgs: map[string]interface{}{"request.url_path": "/pkg.service/test"}, }, { desc: "single compare match", wantEvalOutcome: true, expr: "connection.uri_san_peer_certificate == 'cluster/ns/default/sa/admin'", authzArgs: map[string]interface{}{"connection.uri_san_peer_certificate": "cluster/ns/default/sa/admin"}, }, { desc: "single primitive no match", wantEvalOutcome: false, expr: "request.url_path.startsWith('/pkg.service/test')", authzArgs: map[string]interface{}{"request.url_path": "/source/pkg.service/test"}, }, { desc: "primitive and compare match", wantEvalOutcome: true, expr: "request.url_path == '/pkg.service/test' && connection.uri_san_peer_certificate == 'cluster/ns/default/sa/admin'", authzArgs: map[string]interface{}{"request.url_path": "/pkg.service/test", "connection.uri_san_peer_certificate": "cluster/ns/default/sa/admin"}, }, { desc: "parse error field not present in environment", wantParsingError: true, expr: "request.source_path.startsWith('/pkg.service/test')", authzArgs: map[string]interface{}{"request.url_path": "/pkg.service/test"}, }, { desc: "eval error argument not included in environment", wantEvalError: true, expr: "request.url_path.startsWith('/pkg.service/test')", authzArgs: map[string]interface{}{"request.source_path": "/pkg.service/test"}, }, } { test := test t.Run(test.desc, func(t *testing.T) { checked, err := compileStringToCheckedExpr(test.expr, declarations) if (err != nil) != test.wantParsingError { t.Fatalf("Error mismatch in conversion, wantParsingError =%v, got %v", test.wantParsingError, err != nil) } if test.wantParsingError { return } ast := cel.CheckedExprToAst(checked) program, err := env.Program(ast) if err != nil { t.Fatalf("Failed to create CEL Program: %v", err) } eval, _, err := program.Eval(test.authzArgs) if (err != nil) != test.wantEvalError { t.Fatalf("Error mismatch in evaluation, wantEvalError =%v, got %v", test.wantEvalError, err != nil) } if test.wantEvalError { return } if eval.Value() != test.wantEvalOutcome { t.Fatalf("Error in evaluating converted CheckedExpr: want %v, got %v", test.wantEvalOutcome, eval.Value()) } }) } }