Diffstat (limited to 'grpc/test/core/security/grpc_authorization_engine_test.cc')
-rw-r--r--grpc/test/core/security/grpc_authorization_engine_test.cc107
1 files changed, 107 insertions, 0 deletions
diff --git a/grpc/test/core/security/grpc_authorization_engine_test.cc b/grpc/test/core/security/grpc_authorization_engine_test.cc
new file mode 100644
index 00000000..a2b5e114
--- /dev/null
+++ b/grpc/test/core/security/grpc_authorization_engine_test.cc
@@ -0,0 +1,107 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <grpc/support/port_platform.h>
+
+#include <gmock/gmock.h>
+#include <gtest/gtest.h>
+
+#include "src/core/lib/security/authorization/grpc_authorization_engine.h"
+
+namespace grpc_core {
+
+TEST(GrpcAuthorizationEngineTest, AllowEngineWithMatchingPolicy) {
+ Rbac::Policy policy1(
+ Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true),
+ Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true));
+ Rbac::Policy policy2((Rbac::Permission(Rbac::Permission::RuleType::kAny)),
+ (Rbac::Principal(Rbac::Principal::RuleType::kAny)));
+ std::map<std::string, Rbac::Policy> policies;
+ policies["policy1"] = std::move(policy1);
+ policies["policy2"] = std::move(policy2);
+ Rbac rbac(Rbac::Action::kAllow, std::move(policies));
+ GrpcAuthorizationEngine engine(std::move(rbac));
+ AuthorizationEngine::Decision decision =
+ engine.Evaluate(EvaluateArgs(nullptr, nullptr));
+ EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kAllow);
+ EXPECT_EQ(decision.matching_policy_name, "policy2");
+}
+
+TEST(GrpcAuthorizationEngineTest, AllowEngineWithNoMatchingPolicy) {
+ Rbac::Policy policy1(
+ Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true),
+ Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true));
+ std::map<std::string, Rbac::Policy> policies;
+ policies["policy1"] = std::move(policy1);
+ Rbac rbac(Rbac::Action::kAllow, std::move(policies));
+ GrpcAuthorizationEngine engine(std::move(rbac));
+ AuthorizationEngine::Decision decision =
+ engine.Evaluate(EvaluateArgs(nullptr, nullptr));
+ EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kDeny);
+ EXPECT_TRUE(decision.matching_policy_name.empty());
+}
+
+TEST(GrpcAuthorizationEngineTest, AllowEngineWithEmptyPolicies) {
+ GrpcAuthorizationEngine engine(Rbac::Action::kAllow);
+ AuthorizationEngine::Decision decision =
+ engine.Evaluate(EvaluateArgs(nullptr, nullptr));
+ EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kDeny);
+ EXPECT_TRUE(decision.matching_policy_name.empty());
+}
+
+TEST(GrpcAuthorizationEngineTest, DenyEngineWithMatchingPolicy) {
+ Rbac::Policy policy1(
+ Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true),
+ Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true));
+ Rbac::Policy policy2((Rbac::Permission(Rbac::Permission::RuleType::kAny)),
+ (Rbac::Principal(Rbac::Principal::RuleType::kAny)));
+ std::map<std::string, Rbac::Policy> policies;
+ policies["policy1"] = std::move(policy1);
+ policies["policy2"] = std::move(policy2);
+ Rbac rbac(Rbac::Action::kDeny, std::move(policies));
+ GrpcAuthorizationEngine engine(std::move(rbac));
+ AuthorizationEngine::Decision decision =
+ engine.Evaluate(EvaluateArgs(nullptr, nullptr));
+ EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kDeny);
+ EXPECT_EQ(decision.matching_policy_name, "policy2");
+}
+
+TEST(GrpcAuthorizationEngineTest, DenyEngineWithNoMatchingPolicy) {
+ Rbac::Policy policy1(
+ Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true),
+ Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true));
+ std::map<std::string, Rbac::Policy> policies;
+ policies["policy1"] = std::move(policy1);
+ Rbac rbac(Rbac::Action::kDeny, std::move(policies));
+ GrpcAuthorizationEngine engine(std::move(rbac));
+ AuthorizationEngine::Decision decision =
+ engine.Evaluate(EvaluateArgs(nullptr, nullptr));
+ EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kAllow);
+ EXPECT_TRUE(decision.matching_policy_name.empty());
+}
+
+TEST(GrpcAuthorizationEngineTest, DenyEngineWithEmptyPolicies) {
+ GrpcAuthorizationEngine engine(Rbac::Action::kDeny);
+ AuthorizationEngine::Decision decision =
+ engine.Evaluate(EvaluateArgs(nullptr, nullptr));
+ EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kAllow);
+ EXPECT_TRUE(decision.matching_policy_name.empty());
+}
+
+} // namespace grpc_core
+
+int main(int argc, char** argv) {
+ ::testing::InitGoogleTest(&argc, argv);
+ return RUN_ALL_TESTS();
+}
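Review bot: None of the six cases separates a policy's permission from its principal: policy1 negates both `kAny` rules and policy2 negates neither, so every test would still pass if the engine combined the two sides with OR instead of AND. For an authorization engine that is the property most worth pinning, since an OR would let a request that matches only the permission satisfy an allow policy. I would add one case per action where exactly one side matches, as sketched below for the allow engine, assuming a policy is meant to match only when both sides do. Separately, every call passes `EvaluateArgs(nullptr, nullptr)`, so nothing in this file exercises matching against real request attributes; that may be covered by other tests not visible here.

```cpp
TEST(GrpcAuthorizationEngineTest, AllowEngineWithPermissionOnlyMatch) {
  // Permission matches every request, principal matches none, so the policy
  // as a whole must not match and the allow engine must fall through to deny.
  Rbac::Policy policy1(
      (Rbac::Permission(Rbac::Permission::RuleType::kAny)),
      (Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true)));
  std::map<std::string, Rbac::Policy> policies;
  policies["policy1"] = std::move(policy1);
  Rbac rbac(Rbac::Action::kAllow, std::move(policies));
  GrpcAuthorizationEngine engine(std::move(rbac));
  AuthorizationEngine::Decision decision =
      engine.Evaluate(EvaluateArgs(nullptr, nullptr));
  EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kDeny);
  EXPECT_TRUE(decision.matching_policy_name.empty());
}
```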