| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722 |
- // Copyright 2021 gRPC authors.
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- #include <stdio.h>
- #include <string.h>
- #include <grpc/byte_buffer.h>
- #include <grpc/grpc_security.h>
- #include <grpc/support/alloc.h>
- #include <grpc/support/log.h>
- #include <grpc/support/time.h>
- #include "src/core/lib/channel/channel_args.h"
- #include "src/core/lib/gpr/string.h"
- #include "src/core/lib/security/authorization/grpc_authorization_policy_provider.h"
- #include "src/core/lib/security/credentials/credentials.h"
- #include "test/core/end2end/cq_verifier.h"
- #include "test/core/end2end/end2end_tests.h"
- #include "test/core/util/tls_utils.h"
- static void* tag(intptr_t t) { return reinterpret_cast<void*>(t); }
- static grpc_end2end_test_fixture begin_test(grpc_end2end_test_config config,
- const char* test_name,
- grpc_channel_args* client_args,
- grpc_channel_args* server_args) {
- grpc_end2end_test_fixture f;
- gpr_log(GPR_INFO, "Running test: %s/%s", test_name, config.name);
- f = config.create_fixture(client_args, server_args);
- config.init_server(&f, server_args);
- config.init_client(&f, client_args);
- return f;
- }
- static gpr_timespec n_seconds_from_now(int n) {
- return grpc_timeout_seconds_to_deadline(n);
- }
- static gpr_timespec five_seconds_from_now(void) {
- return n_seconds_from_now(5);
- }
- static void drain_cq(grpc_completion_queue* cq) {
- grpc_event ev;
- do {
- ev = grpc_completion_queue_next(cq, five_seconds_from_now(), nullptr);
- } while (ev.type != GRPC_QUEUE_SHUTDOWN);
- }
- static void shutdown_server(grpc_end2end_test_fixture* f) {
- if (!f->server) return;
- grpc_server_shutdown_and_notify(f->server, f->shutdown_cq, tag(1000));
- GPR_ASSERT(grpc_completion_queue_pluck(f->shutdown_cq, tag(1000),
- grpc_timeout_seconds_to_deadline(5),
- nullptr)
- .type == GRPC_OP_COMPLETE);
- grpc_server_destroy(f->server);
- f->server = nullptr;
- }
- static void shutdown_client(grpc_end2end_test_fixture* f) {
- if (!f->client) return;
- grpc_channel_destroy(f->client);
- f->client = nullptr;
- }
- static void end_test(grpc_end2end_test_fixture* f) {
- shutdown_server(f);
- shutdown_client(f);
- grpc_completion_queue_shutdown(f->cq);
- drain_cq(f->cq);
- grpc_completion_queue_destroy(f->cq);
- grpc_completion_queue_destroy(f->shutdown_cq);
- }
- static void test_allow_authorized_request(grpc_end2end_test_fixture f) {
- grpc_call* c;
- grpc_call* s;
- grpc_op ops[6];
- grpc_op* op;
- grpc_metadata_array initial_metadata_recv;
- grpc_metadata_array trailing_metadata_recv;
- grpc_metadata_array request_metadata_recv;
- grpc_call_details call_details;
- grpc_status_code status;
- const char* error_string = nullptr;
- grpc_call_error error;
- grpc_slice details = grpc_empty_slice();
- int was_cancelled = 2;
- cq_verifier* cqv = cq_verifier_create(f.cq);
- gpr_timespec deadline = five_seconds_from_now();
- c = grpc_channel_create_call(f.client, nullptr, GRPC_PROPAGATE_DEFAULTS, f.cq,
- grpc_slice_from_static_string("/foo"), nullptr,
- deadline, nullptr);
- GPR_ASSERT(c);
- grpc_metadata_array_init(&initial_metadata_recv);
- grpc_metadata_array_init(&trailing_metadata_recv);
- grpc_metadata_array_init(&request_metadata_recv);
- grpc_call_details_init(&call_details);
- memset(ops, 0, sizeof(ops));
- op = ops;
- op->op = GRPC_OP_SEND_INITIAL_METADATA;
- op->data.send_initial_metadata.count = 0;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- op->op = GRPC_OP_SEND_CLOSE_FROM_CLIENT;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- op->op = GRPC_OP_RECV_INITIAL_METADATA;
- op->data.recv_initial_metadata.recv_initial_metadata = &initial_metadata_recv;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- op->op = GRPC_OP_RECV_STATUS_ON_CLIENT;
- op->data.recv_status_on_client.trailing_metadata = &trailing_metadata_recv;
- op->data.recv_status_on_client.status = &status;
- op->data.recv_status_on_client.status_details = &details;
- op->data.recv_status_on_client.error_string = &error_string;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- error = grpc_call_start_batch(c, ops, static_cast<size_t>(op - ops), tag(1),
- nullptr);
- GPR_ASSERT(GRPC_CALL_OK == error);
- error =
- grpc_server_request_call(f.server, &s, &call_details,
- &request_metadata_recv, f.cq, f.cq, tag(101));
- GPR_ASSERT(GRPC_CALL_OK == error);
- CQ_EXPECT_COMPLETION(cqv, tag(101), 1);
- cq_verify(cqv);
- memset(ops, 0, sizeof(ops));
- op = ops;
- op->op = GRPC_OP_SEND_INITIAL_METADATA;
- op->data.send_initial_metadata.count = 0;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- op->op = GRPC_OP_SEND_STATUS_FROM_SERVER;
- op->data.send_status_from_server.trailing_metadata_count = 0;
- op->data.send_status_from_server.status = GRPC_STATUS_OK;
- grpc_slice status_details = grpc_slice_from_static_string("xyz");
- op->data.send_status_from_server.status_details = &status_details;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- op->op = GRPC_OP_RECV_CLOSE_ON_SERVER;
- op->data.recv_close_on_server.cancelled = &was_cancelled;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- error = grpc_call_start_batch(s, ops, static_cast<size_t>(op - ops), tag(102),
- nullptr);
- GPR_ASSERT(GRPC_CALL_OK == error);
- CQ_EXPECT_COMPLETION(cqv, tag(102), 1);
- CQ_EXPECT_COMPLETION(cqv, tag(1), 1);
- cq_verify(cqv);
- GPR_ASSERT(GRPC_STATUS_OK == status);
- GPR_ASSERT(0 == grpc_slice_str_cmp(details, "xyz"));
- grpc_slice_unref(details);
- gpr_free(const_cast<char*>(error_string));
- grpc_metadata_array_destroy(&initial_metadata_recv);
- grpc_metadata_array_destroy(&trailing_metadata_recv);
- grpc_metadata_array_destroy(&request_metadata_recv);
- grpc_call_details_destroy(&call_details);
- grpc_call_unref(c);
- grpc_call_unref(s);
- cq_verifier_destroy(cqv);
- }
- static void test_deny_unauthorized_request(grpc_end2end_test_fixture f) {
- grpc_call* c;
- grpc_op ops[6];
- grpc_op* op;
- grpc_metadata_array initial_metadata_recv;
- grpc_metadata_array trailing_metadata_recv;
- grpc_status_code status;
- const char* error_string = nullptr;
- grpc_call_error error;
- grpc_slice details = grpc_empty_slice();
- cq_verifier* cqv = cq_verifier_create(f.cq);
- gpr_timespec deadline = five_seconds_from_now();
- c = grpc_channel_create_call(f.client, nullptr, GRPC_PROPAGATE_DEFAULTS, f.cq,
- grpc_slice_from_static_string("/foo"), nullptr,
- deadline, nullptr);
- GPR_ASSERT(c);
- grpc_metadata_array_init(&initial_metadata_recv);
- grpc_metadata_array_init(&trailing_metadata_recv);
- memset(ops, 0, sizeof(ops));
- op = ops;
- op->op = GRPC_OP_SEND_INITIAL_METADATA;
- op->data.send_initial_metadata.count = 0;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- op->op = GRPC_OP_SEND_CLOSE_FROM_CLIENT;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- op->op = GRPC_OP_RECV_INITIAL_METADATA;
- op->data.recv_initial_metadata.recv_initial_metadata = &initial_metadata_recv;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- op->op = GRPC_OP_RECV_STATUS_ON_CLIENT;
- op->data.recv_status_on_client.trailing_metadata = &trailing_metadata_recv;
- op->data.recv_status_on_client.status = &status;
- op->data.recv_status_on_client.status_details = &details;
- op->data.recv_status_on_client.error_string = &error_string;
- op->flags = 0;
- op->reserved = nullptr;
- op++;
- error = grpc_call_start_batch(c, ops, static_cast<size_t>(op - ops), tag(1),
- nullptr);
- GPR_ASSERT(GRPC_CALL_OK == error);
- CQ_EXPECT_COMPLETION(cqv, tag(1), 1);
- cq_verify(cqv);
- GPR_ASSERT(GRPC_STATUS_PERMISSION_DENIED == status);
- GPR_ASSERT(0 ==
- grpc_slice_str_cmp(details, "Unauthorized RPC request rejected."));
- grpc_slice_unref(details);
- gpr_free(const_cast<char*>(error_string));
- grpc_metadata_array_destroy(&initial_metadata_recv);
- grpc_metadata_array_destroy(&trailing_metadata_recv);
- grpc_call_unref(c);
- cq_verifier_destroy(cqv);
- }
- static void test_static_init_allow_authorized_request(
- grpc_end2end_test_config config) {
- const char* authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_foo\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/foo\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- grpc_status_code code = GRPC_STATUS_OK;
- const char* error_details;
- grpc_authorization_policy_provider* provider =
- grpc_authorization_policy_provider_static_data_create(authz_policy, &code,
- &error_details);
- GPR_ASSERT(GRPC_STATUS_OK == code);
- grpc_arg args[] = {
- grpc_channel_arg_pointer_create(
- const_cast<char*>(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider,
- grpc_authorization_policy_provider_arg_vtable()),
- };
- grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args};
- grpc_end2end_test_fixture f =
- begin_test(config, "test_static_init_allow_authorized_request", nullptr,
- &server_args);
- grpc_authorization_policy_provider_release(provider);
- test_allow_authorized_request(f);
- end_test(&f);
- config.tear_down_data(&f);
- }
- static void test_static_init_deny_unauthorized_request(
- grpc_end2end_test_config config) {
- const char* authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_bar\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/bar\""
- " ]"
- " }"
- " }"
- " ],"
- " \"deny_rules\": ["
- " {"
- " \"name\": \"deny_foo\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/foo\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- grpc_status_code code = GRPC_STATUS_OK;
- const char* error_details;
- grpc_authorization_policy_provider* provider =
- grpc_authorization_policy_provider_static_data_create(authz_policy, &code,
- &error_details);
- GPR_ASSERT(GRPC_STATUS_OK == code);
- grpc_arg args[] = {
- grpc_channel_arg_pointer_create(
- const_cast<char*>(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider,
- grpc_authorization_policy_provider_arg_vtable()),
- };
- grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args};
- grpc_end2end_test_fixture f =
- begin_test(config, "test_static_init_deny_unauthorized_request", nullptr,
- &server_args);
- grpc_authorization_policy_provider_release(provider);
- test_deny_unauthorized_request(f);
- end_test(&f);
- config.tear_down_data(&f);
- }
- static void test_static_init_deny_request_no_match_in_policy(
- grpc_end2end_test_config config) {
- const char* authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_bar\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/bar\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- grpc_status_code code = GRPC_STATUS_OK;
- const char* error_details;
- grpc_authorization_policy_provider* provider =
- grpc_authorization_policy_provider_static_data_create(authz_policy, &code,
- &error_details);
- GPR_ASSERT(GRPC_STATUS_OK == code);
- grpc_arg args[] = {
- grpc_channel_arg_pointer_create(
- const_cast<char*>(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider,
- grpc_authorization_policy_provider_arg_vtable()),
- };
- grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args};
- grpc_end2end_test_fixture f =
- begin_test(config, "test_static_init_deny_request_no_match_in_policy",
- nullptr, &server_args);
- grpc_authorization_policy_provider_release(provider);
- test_deny_unauthorized_request(f);
- end_test(&f);
- config.tear_down_data(&f);
- }
- static void test_file_watcher_init_allow_authorized_request(
- grpc_end2end_test_config config) {
- const char* authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_foo\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/foo\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- grpc_core::testing::TmpFile tmp_policy(authz_policy);
- grpc_status_code code = GRPC_STATUS_OK;
- const char* error_details;
- grpc_authorization_policy_provider* provider =
- grpc_authorization_policy_provider_file_watcher_create(
- tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code,
- &error_details);
- GPR_ASSERT(GRPC_STATUS_OK == code);
- grpc_arg args[] = {
- grpc_channel_arg_pointer_create(
- const_cast<char*>(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider,
- grpc_authorization_policy_provider_arg_vtable()),
- };
- grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args};
- grpc_end2end_test_fixture f =
- begin_test(config, "test_file_watcher_init_allow_authorized_request",
- nullptr, &server_args);
- grpc_authorization_policy_provider_release(provider);
- test_allow_authorized_request(f);
- end_test(&f);
- config.tear_down_data(&f);
- }
- static void test_file_watcher_init_deny_unauthorized_request(
- grpc_end2end_test_config config) {
- const char* authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_bar\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/bar\""
- " ]"
- " }"
- " }"
- " ],"
- " \"deny_rules\": ["
- " {"
- " \"name\": \"deny_foo\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/foo\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- grpc_core::testing::TmpFile tmp_policy(authz_policy);
- grpc_status_code code = GRPC_STATUS_OK;
- const char* error_details;
- grpc_authorization_policy_provider* provider =
- grpc_authorization_policy_provider_file_watcher_create(
- tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code,
- &error_details);
- GPR_ASSERT(GRPC_STATUS_OK == code);
- grpc_arg args[] = {
- grpc_channel_arg_pointer_create(
- const_cast<char*>(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider,
- grpc_authorization_policy_provider_arg_vtable()),
- };
- grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args};
- grpc_end2end_test_fixture f =
- begin_test(config, "test_file_watcher_init_deny_unauthorized_request",
- nullptr, &server_args);
- grpc_authorization_policy_provider_release(provider);
- test_deny_unauthorized_request(f);
- end_test(&f);
- config.tear_down_data(&f);
- }
- static void test_file_watcher_init_deny_request_no_match_in_policy(
- grpc_end2end_test_config config) {
- const char* authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_bar\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/bar\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- grpc_core::testing::TmpFile tmp_policy(authz_policy);
- grpc_status_code code = GRPC_STATUS_OK;
- const char* error_details;
- grpc_authorization_policy_provider* provider =
- grpc_authorization_policy_provider_file_watcher_create(
- tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code,
- &error_details);
- GPR_ASSERT(GRPC_STATUS_OK == code);
- grpc_arg args[] = {
- grpc_channel_arg_pointer_create(
- const_cast<char*>(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider,
- grpc_authorization_policy_provider_arg_vtable()),
- };
- grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args};
- grpc_end2end_test_fixture f = begin_test(
- config, "test_file_watcher_init_deny_request_no_match_in_policy", nullptr,
- &server_args);
- grpc_authorization_policy_provider_release(provider);
- test_deny_unauthorized_request(f);
- end_test(&f);
- config.tear_down_data(&f);
- }
- static void test_file_watcher_valid_policy_reload(
- grpc_end2end_test_config config) {
- const char* authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_foo\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/foo\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- grpc_core::testing::TmpFile tmp_policy(authz_policy);
- grpc_status_code code = GRPC_STATUS_OK;
- const char* error_details;
- grpc_authorization_policy_provider* provider =
- grpc_authorization_policy_provider_file_watcher_create(
- tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code,
- &error_details);
- GPR_ASSERT(GRPC_STATUS_OK == code);
- grpc_arg args[] = {
- grpc_channel_arg_pointer_create(
- const_cast<char*>(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider,
- grpc_authorization_policy_provider_arg_vtable()),
- };
- grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args};
- grpc_end2end_test_fixture f = begin_test(
- config, "test_file_watcher_valid_policy_reload", nullptr, &server_args);
- grpc_authorization_policy_provider_release(provider);
- test_allow_authorized_request(f);
- // Replace existing policy in file with a different authorization policy.
- authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_bar\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/bar\""
- " ]"
- " }"
- " }"
- " ],"
- " \"deny_rules\": ["
- " {"
- " \"name\": \"deny_foo\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/foo\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- tmp_policy.RewriteFile(authz_policy);
- // Wait 2 seconds for the provider's refresh thread to read the updated files.
- gpr_sleep_until(grpc_timeout_seconds_to_deadline(2));
- test_deny_unauthorized_request(f);
- end_test(&f);
- config.tear_down_data(&f);
- }
- static void test_file_watcher_invalid_policy_skip_reload(
- grpc_end2end_test_config config) {
- const char* authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_foo\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/foo\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- grpc_core::testing::TmpFile tmp_policy(authz_policy);
- grpc_status_code code = GRPC_STATUS_OK;
- const char* error_details;
- grpc_authorization_policy_provider* provider =
- grpc_authorization_policy_provider_file_watcher_create(
- tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code,
- &error_details);
- GPR_ASSERT(GRPC_STATUS_OK == code);
- grpc_arg args[] = {
- grpc_channel_arg_pointer_create(
- const_cast<char*>(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider,
- grpc_authorization_policy_provider_arg_vtable()),
- };
- grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args};
- grpc_end2end_test_fixture f =
- begin_test(config, "test_file_watcher_invalid_policy_skip_reload",
- nullptr, &server_args);
- grpc_authorization_policy_provider_release(provider);
- test_allow_authorized_request(f);
- // Replace exisiting policy in file with an invalid policy.
- authz_policy = "{}";
- tmp_policy.RewriteFile(authz_policy);
- // Wait 2 seconds for the provider's refresh thread to read the updated files.
- gpr_sleep_until(grpc_timeout_seconds_to_deadline(2));
- test_allow_authorized_request(f);
- end_test(&f);
- config.tear_down_data(&f);
- }
- static void test_file_watcher_recovers_from_failure(
- grpc_end2end_test_config config) {
- const char* authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_foo\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/foo\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- grpc_core::testing::TmpFile tmp_policy(authz_policy);
- grpc_status_code code = GRPC_STATUS_OK;
- const char* error_details;
- grpc_authorization_policy_provider* provider =
- grpc_authorization_policy_provider_file_watcher_create(
- tmp_policy.name().c_str(), /*refresh_interval_sec=*/1, &code,
- &error_details);
- GPR_ASSERT(GRPC_STATUS_OK == code);
- grpc_arg args[] = {
- grpc_channel_arg_pointer_create(
- const_cast<char*>(GRPC_ARG_AUTHORIZATION_POLICY_PROVIDER), provider,
- grpc_authorization_policy_provider_arg_vtable()),
- };
- grpc_channel_args server_args = {GPR_ARRAY_SIZE(args), args};
- grpc_end2end_test_fixture f = begin_test(
- config, "test_file_watcher_valid_policy_reload", nullptr, &server_args);
- grpc_authorization_policy_provider_release(provider);
- test_allow_authorized_request(f);
- // Replace exisiting policy in file with an invalid policy.
- authz_policy = "{}";
- tmp_policy.RewriteFile(authz_policy);
- // Wait 2 seconds for the provider's refresh thread to read the updated files.
- gpr_sleep_until(grpc_timeout_seconds_to_deadline(2));
- test_allow_authorized_request(f);
- // Recover from reload errors, by replacing invalid policy in file with a
- // valid policy.
- authz_policy =
- "{"
- " \"name\": \"authz\","
- " \"allow_rules\": ["
- " {"
- " \"name\": \"allow_bar\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/bar\""
- " ]"
- " }"
- " }"
- " ],"
- " \"deny_rules\": ["
- " {"
- " \"name\": \"deny_foo\","
- " \"request\": {"
- " \"paths\": ["
- " \"*/foo\""
- " ]"
- " }"
- " }"
- " ]"
- "}";
- tmp_policy.RewriteFile(authz_policy);
- // Wait 2 seconds for the provider's refresh thread to read the updated files.
- gpr_sleep_until(grpc_timeout_seconds_to_deadline(2));
- test_deny_unauthorized_request(f);
- end_test(&f);
- config.tear_down_data(&f);
- }
- void grpc_authz(grpc_end2end_test_config config) {
- test_static_init_allow_authorized_request(config);
- test_static_init_deny_unauthorized_request(config);
- test_static_init_deny_request_no_match_in_policy(config);
- test_file_watcher_init_allow_authorized_request(config);
- test_file_watcher_init_deny_unauthorized_request(config);
- test_file_watcher_init_deny_request_no_match_in_policy(config);
- test_file_watcher_valid_policy_reload(config);
- test_file_watcher_invalid_policy_skip_reload(config);
- test_file_watcher_recovers_from_failure(config);
- }
- void grpc_authz_pre_init(void) {}
|
