Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

authz: update representation of allow authenticated in SDK #5052

Merged
merged 4 commits into from Dec 28, 2021
Merged

authz: update representation of allow authenticated in SDK #5052

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a58a7e4
remove empty principals logic
ashithasantosh Dec 10, 2021
5f0a981
Update test
ashithasantosh Dec 14, 2021
9c7af69
minor formatting
ashithasantosh Dec 14, 2021
080042c
resolving comments
ashithasantosh Dec 28, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
8 changes: 1 addition & 7 deletions authz/rbac_translator.go
View file
Open in desktop
Expand Up @@ -157,19 +157,13 @@ func parsePrincipalNames(principalNames []string) []*v3rbacpb.Principal {
}

func parsePeer(source peer) *v3rbacpb.Principal {
if source.Principals == nil {
if len(source.Principals) == 0 {
return &v3rbacpb.Principal{
Identifier: &v3rbacpb.Principal_Any{
Any: true,
},
}
}
if len(source.Principals) == 0 {
return &v3rbacpb.Principal{
Identifier: &v3rbacpb.Principal_Authenticated_{
Authenticated: &v3rbacpb.Principal_Authenticated{},
}}
}
return principalOr(parsePrincipalNames(source.Principals))
}

Expand Down
34 changes: 24 additions & 10 deletions authz/rbac_translator_test.go
View file
Open in desktop
Expand Up @@ -205,23 +205,37 @@ func TestTranslatePolicy(t *testing.T) {
},
},
},
"empty principal field": {
easwars marked this conversation as resolved.
Show resolved Hide resolved
"allow authenticated": {
authzPolicy: `{
"name": "authz",
"allow_rules": [{
"name": "allow_authenticated",
"source": {"principals":[]}
}]
}`,
"name": "authz",
"allow_rules": [
{
"name": "allow_authenticated",
"source": {
"principals":["*", ""]
}
}]
}`,
wantPolicies: []*v3rbacpb.RBAC{
{
Action: v3rbacpb.RBAC_ALLOW,
Policies: map[string]*v3rbacpb.Policy{
"authz_allow_authenticated": {
Principals: []*v3rbacpb.Principal{
{Identifier: &v3rbacpb.Principal_Authenticated_{
Authenticated: &v3rbacpb.Principal_Authenticated{},
}},
{Identifier: &v3rbacpb.Principal_OrIds{OrIds: &v3rbacpb.Principal_Set{
Ids: []*v3rbacpb.Principal{
{Identifier: &v3rbacpb.Principal_Authenticated_{
Authenticated: &v3rbacpb.Principal_Authenticated{PrincipalName: &v3matcherpb.StringMatcher{
MatchPattern: &v3matcherpb.StringMatcher_SafeRegex{SafeRegex: &v3matcherpb.RegexMatcher{Regex: ".+"}},
}},
}},
{Identifier: &v3rbacpb.Principal_Authenticated_{
Authenticated: &v3rbacpb.Principal_Authenticated{PrincipalName: &v3matcherpb.StringMatcher{
MatchPattern: &v3matcherpb.StringMatcher_Exact{Exact: ""},
}},
}},
},
}}},
},
Permissions: []*v3rbacpb.Permission{
{Rule: &v3rbacpb.Permission_Any{Any: true}},
Expand Down
34 changes: 5 additions & 29 deletions authz/sdk_end2end_test.go
View file
Open in desktop
Expand Up @@ -261,38 +261,14 @@ var sdkTests = map[string]struct {
wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
},
"DeniesRPCRequestWithPrincipalsFieldOnUnauthenticatedConnection": {
authzPolicy: `{
easwars marked this conversation as resolved.
Show resolved Hide resolved
"name": "authz",
"allow_rules":
[
{
"name": "allow_TestServiceCalls",
"source": {
"principals":
[
"foo"
]
},
"request": {
"paths":
[
"/grpc.testing.TestService/*"
]
}
}
]
}`,
wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
},
"DeniesRPCRequestWithEmptyPrincipalsOnUnauthenticatedConnection": {
authzPolicy: `{
"name": "authz",
"allow_rules":
[
{
"name": "allow_authenticated",
"source": {
"principals": []
"principals": ["*", ""]
}
}
]
Expand Down Expand Up @@ -386,15 +362,15 @@ func (s) TestSDKStaticPolicyEnd2End(t *testing.T) {
}
}

func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnTLSAuthenticatedConnection(t *testing.T) {
func (s) TestSDKAllowsRPCRequestWithPrincipalsFieldOnTLSAuthenticatedConnection(t *testing.T) {
authzPolicy := `{
"name": "authz",
"allow_rules":
[
{
"name": "allow_authenticated",
"source": {
"principals": []
"principals": ["*", ""]
}
}
]
Expand Down Expand Up @@ -438,15 +414,15 @@ func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnTLSAuthenticatedConnection(
}
}

func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnMTLSAuthenticatedConnection(t *testing.T) {
func (s) TestSDKAllowsRPCRequestWithPrincipalsFieldOnMTLSAuthenticatedConnection(t *testing.T) {
authzPolicy := `{
"name": "authz",
"allow_rules":
[
{
"name": "allow_authenticated",
"source": {
"principals": []
"principals": ["*", ""]
}
}
]
Expand Down