grpc-go/security/authorization/engine/util_test.go

/*
 *
 * Copyright 2020 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

package engine

import (
	"testing"

	expr "google.golang.org/genproto/googleapis/api/expr/v1alpha1"

	"github.com/google/cel-go/cel"
	"github.com/google/cel-go/checker/decls"
)

func (s) TestStringConvert(t *testing.T) {
	declarations := []*expr.Decl{
		decls.NewIdent("request.url_path", decls.String, nil),
		decls.NewIdent("request.host", decls.String, nil),
		decls.NewIdent("connection.uri_san_peer_certificate", decls.String, nil),
	}
	env, err := cel.NewEnv()
	if err != nil {
		t.Fatalf("Failed to create the CEL environment")
	}
	for _, test := range []struct {
		desc             string
		wantEvalOutcome  bool
		wantParsingError bool
		wantEvalError    bool
		expr             string
		authzArgs        map[string]any
	}{
		{
			desc:            "single primitive match",
			wantEvalOutcome: true,
			expr:            "request.url_path.startsWith('/pkg.service/test')",
			authzArgs:       map[string]any{"request.url_path": "/pkg.service/test"},
		},
		{
			desc:            "single compare match",
			wantEvalOutcome: true,
			expr:            "connection.uri_san_peer_certificate == 'cluster/ns/default/sa/admin'",
			authzArgs:       map[string]any{"connection.uri_san_peer_certificate": "cluster/ns/default/sa/admin"},
		},
		{
			desc:            "single primitive no match",
			wantEvalOutcome: false,
			expr:            "request.url_path.startsWith('/pkg.service/test')",
			authzArgs:       map[string]any{"request.url_path": "/source/pkg.service/test"},
		},
		{
			desc:            "primitive and compare match",
			wantEvalOutcome: true,
			expr:            "request.url_path == '/pkg.service/test' && connection.uri_san_peer_certificate == 'cluster/ns/default/sa/admin'",
			authzArgs: map[string]any{"request.url_path": "/pkg.service/test",
				"connection.uri_san_peer_certificate": "cluster/ns/default/sa/admin"},
		},
		{
			desc:             "parse error field not present in environment",
			wantParsingError: true,
			expr:             "request.source_path.startsWith('/pkg.service/test')",
			authzArgs:        map[string]any{"request.url_path": "/pkg.service/test"},
		},
		{
			desc:          "eval error argument not included in environment",
			wantEvalError: true,
			expr:          "request.url_path.startsWith('/pkg.service/test')",
			authzArgs:     map[string]any{"request.source_path": "/pkg.service/test"},
		},
	} {
		test := test
		t.Run(test.desc, func(t *testing.T) {
			checked, err := compileStringToCheckedExpr(test.expr, declarations)
			if (err != nil) != test.wantParsingError {
				t.Fatalf("Error mismatch in conversion, wantParsingError =%v, got %v", test.wantParsingError, err != nil)
			}
			if test.wantParsingError {
				return
			}
			ast := cel.CheckedExprToAst(checked)
			program, err := env.Program(ast)
			if err != nil {
				t.Fatalf("Failed to create CEL Program: %v", err)
			}
			eval, _, err := program.Eval(test.authzArgs)
			if (err != nil) != test.wantEvalError {
				t.Fatalf("Error mismatch in evaluation, wantEvalError =%v, got %v", test.wantEvalError, err != nil)
			}
			if test.wantEvalError {
				return
			}
			if eval.Value() != test.wantEvalOutcome {
				t.Fatalf("Error in evaluating converted CheckedExpr: want %v, got %v", test.wantEvalOutcome, eval.Value())
			}
		})
	}
}