diff options
Diffstat (limited to 'grpc/test/core/security/grpc_authorization_engine_test.cc')
-rw-r--r-- | grpc/test/core/security/grpc_authorization_engine_test.cc | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/grpc/test/core/security/grpc_authorization_engine_test.cc b/grpc/test/core/security/grpc_authorization_engine_test.cc new file mode 100644 index 00000000..a2b5e114 --- /dev/null +++ b/grpc/test/core/security/grpc_authorization_engine_test.cc @@ -0,0 +1,107 @@ +// Copyright 2021 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include <grpc/support/port_platform.h> + +#include <gmock/gmock.h> +#include <gtest/gtest.h> + +#include "src/core/lib/security/authorization/grpc_authorization_engine.h" + +namespace grpc_core { + +TEST(GrpcAuthorizationEngineTest, AllowEngineWithMatchingPolicy) { + Rbac::Policy policy1( + Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true), + Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true)); + Rbac::Policy policy2((Rbac::Permission(Rbac::Permission::RuleType::kAny)), + (Rbac::Principal(Rbac::Principal::RuleType::kAny))); + std::map<std::string, Rbac::Policy> policies; + policies["policy1"] = std::move(policy1); + policies["policy2"] = std::move(policy2); + Rbac rbac(Rbac::Action::kAllow, std::move(policies)); + GrpcAuthorizationEngine engine(std::move(rbac)); + AuthorizationEngine::Decision decision = + engine.Evaluate(EvaluateArgs(nullptr, nullptr)); + EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kAllow); + EXPECT_EQ(decision.matching_policy_name, "policy2"); +} + +TEST(GrpcAuthorizationEngineTest, AllowEngineWithNoMatchingPolicy) { + Rbac::Policy policy1( + Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true), + Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true)); + std::map<std::string, Rbac::Policy> policies; + policies["policy1"] = std::move(policy1); + Rbac rbac(Rbac::Action::kAllow, std::move(policies)); + GrpcAuthorizationEngine engine(std::move(rbac)); + AuthorizationEngine::Decision decision = + engine.Evaluate(EvaluateArgs(nullptr, nullptr)); + EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kDeny); + EXPECT_TRUE(decision.matching_policy_name.empty()); +} + +TEST(GrpcAuthorizationEngineTest, AllowEngineWithEmptyPolicies) { + GrpcAuthorizationEngine engine(Rbac::Action::kAllow); + AuthorizationEngine::Decision decision = + engine.Evaluate(EvaluateArgs(nullptr, nullptr)); + EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kDeny); + EXPECT_TRUE(decision.matching_policy_name.empty()); +} + +TEST(GrpcAuthorizationEngineTest, DenyEngineWithMatchingPolicy) { + Rbac::Policy policy1( + Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true), + Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true)); + Rbac::Policy policy2((Rbac::Permission(Rbac::Permission::RuleType::kAny)), + (Rbac::Principal(Rbac::Principal::RuleType::kAny))); + std::map<std::string, Rbac::Policy> policies; + policies["policy1"] = std::move(policy1); + policies["policy2"] = std::move(policy2); + Rbac rbac(Rbac::Action::kDeny, std::move(policies)); + GrpcAuthorizationEngine engine(std::move(rbac)); + AuthorizationEngine::Decision decision = + engine.Evaluate(EvaluateArgs(nullptr, nullptr)); + EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kDeny); + EXPECT_EQ(decision.matching_policy_name, "policy2"); +} + +TEST(GrpcAuthorizationEngineTest, DenyEngineWithNoMatchingPolicy) { + Rbac::Policy policy1( + Rbac::Permission(Rbac::Permission::RuleType::kAny, /*not_rule=*/true), + Rbac::Principal(Rbac::Principal::RuleType::kAny, /*not_rule=*/true)); + std::map<std::string, Rbac::Policy> policies; + policies["policy1"] = std::move(policy1); + Rbac rbac(Rbac::Action::kDeny, std::move(policies)); + GrpcAuthorizationEngine engine(std::move(rbac)); + AuthorizationEngine::Decision decision = + engine.Evaluate(EvaluateArgs(nullptr, nullptr)); + EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kAllow); + EXPECT_TRUE(decision.matching_policy_name.empty()); +} + +TEST(GrpcAuthorizationEngineTest, DenyEngineWithEmptyPolicies) { + GrpcAuthorizationEngine engine(Rbac::Action::kDeny); + AuthorizationEngine::Decision decision = + engine.Evaluate(EvaluateArgs(nullptr, nullptr)); + EXPECT_EQ(decision.type, AuthorizationEngine::Decision::Type::kAllow); + EXPECT_TRUE(decision.matching_policy_name.empty()); +} + +} // namespace grpc_core + +int main(int argc, char** argv) { + ::testing::InitGoogleTest(&argc, argv); + return RUN_ALL_TESTS(); +} |