/*
*
* Copyright 2020 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package engine
import (
"testing"
expr "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
"github.com/google/cel-go/cel"
"github.com/google/cel-go/checker/decls"
)
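// TestStringConvert checks that compileStringToCheckedExpr turns CEL
// expression strings into checked expressions, and that the resulting
// programs evaluate to the expected boolean for a given set of authorization
// arguments.
//
// Each case expects exactly one of three outcomes: a compile (parsing/checking)
// error, an evaluation error, or a boolean result. Failure messages include
// the underlying error so that an unexpected rejection or acceptance of a
// policy expression can be diagnosed from the test log alone.
func (s) TestStringConvert(t *testing.T) {
	// Identifiers an expression may reference. Anything outside this list is
	// expected to be rejected by compileStringToCheckedExpr (see the
	// "parse error" case below).
	declarations := []*expr.Decl{
		decls.NewIdent("request.url_path", decls.String, nil),
		decls.NewIdent("request.host", decls.String, nil),
		decls.NewIdent("connection.uri_san_peer_certificate", decls.String, nil),
	}
	// The environment used to build programs is created without the
	// declarations above; they are only passed to the compile step.
	env, err := cel.NewEnv()
	if err != nil {
		t.Fatalf("Failed to create the CEL environment: %v", err)
	}
	for _, test := range []struct {
		desc             string
		wantEvalOutcome  bool
		wantParsingError bool
		wantEvalError    bool
		expr             string
		authzArgs        map[string]interface{}
	}{
		{
			desc:            "single primitive match",
			wantEvalOutcome: true,
			expr:            "request.url_path.startsWith('/pkg.service/test')",
			authzArgs:       map[string]interface{}{"request.url_path": "/pkg.service/test"},
		},
		{
			desc:            "single compare match",
			wantEvalOutcome: true,
			expr:            "connection.uri_san_peer_certificate == 'cluster/ns/default/sa/admin'",
			authzArgs:       map[string]interface{}{"connection.uri_san_peer_certificate": "cluster/ns/default/sa/admin"},
		},
		{
			// startsWith is a prefix match: a path that merely contains the
			// expected string further in must not satisfy the rule.
			desc:            "single primitive no match",
			wantEvalOutcome: false,
			expr:            "request.url_path.startsWith('/pkg.service/test')",
			authzArgs:       map[string]interface{}{"request.url_path": "/source/pkg.service/test"},
		},
		{
			desc:            "primitive and compare match",
			wantEvalOutcome: true,
			expr:            "request.url_path == '/pkg.service/test' && connection.uri_san_peer_certificate == 'cluster/ns/default/sa/admin'",
			authzArgs: map[string]interface{}{
				"request.url_path":                    "/pkg.service/test",
				"connection.uri_san_peer_certificate": "cluster/ns/default/sa/admin",
			},
		},
		{
			// request.source_path is not among the declarations, so the
			// expression must fail to compile.
			desc:             "parse error field not present in environment",
			wantParsingError: true,
			expr:             "request.source_path.startsWith('/pkg.service/test')",
			authzArgs:        map[string]interface{}{"request.url_path": "/pkg.service/test"},
		},
		{
			// The expression compiles, but the arguments do not supply
			// request.url_path; evaluation must report an error instead of
			// producing a boolean.
			desc:          "eval error argument not included in environment",
			wantEvalError: true,
			expr:          "request.url_path.startsWith('/pkg.service/test')",
			authzArgs:     map[string]interface{}{"request.source_path": "/pkg.service/test"},
		},
	} {
		test := test // capture the range variable for the subtest closure
		t.Run(test.desc, func(t *testing.T) {
			checked, err := compileStringToCheckedExpr(test.expr, declarations)
			if (err != nil) != test.wantParsingError {
				t.Fatalf("compileStringToCheckedExpr(%q) returned err: %v, wantParsingError: %v", test.expr, err, test.wantParsingError)
			}
			if test.wantParsingError {
				return
			}
			ast := cel.CheckedExprToAst(checked)
			program, err := env.Program(ast)
			if err != nil {
				t.Fatalf("Failed to create CEL Program: %v", err)
			}
			eval, _, err := program.Eval(test.authzArgs)
			if (err != nil) != test.wantEvalError {
				t.Fatalf("program.Eval(%v) returned err: %v, wantEvalError: %v", test.authzArgs, err, test.wantEvalError)
			}
			if test.wantEvalError {
				return
			}
			if got := eval.Value(); got != test.wantEvalOutcome {
				t.Fatalf("Error in evaluating converted CheckedExpr: want %v, got %v", test.wantEvalOutcome, got)
			}
		})
	}
}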