Diffstat (limited to 'tools/run_tests/xds_k8s_test_driver/tests/authz_test.py')
-rw-r--r--tools/run_tests/xds_k8s_test_driver/tests/authz_test.py396
1 files changed, 0 insertions, 396 deletions
diff --git a/tools/run_tests/xds_k8s_test_driver/tests/authz_test.py b/tools/run_tests/xds_k8s_test_driver/tests/authz_test.py
deleted file mode 100644
index e3c3bff896..0000000000
--- a/tools/run_tests/xds_k8s_test_driver/tests/authz_test.py
+++ /dev/null
@@ -1,396 +0,0 @@
-# Copyright 2021 gRPC authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import datetime
-import time
-from typing import Optional
-
-from absl import flags
-from absl.testing import absltest
-import grpc
-
-from framework import xds_k8s_testcase
-from framework.helpers import skips
-
-flags.adopt_module_key_flags(xds_k8s_testcase)
-
-# Type aliases
-_XdsTestServer = xds_k8s_testcase.XdsTestServer
-_XdsTestClient = xds_k8s_testcase.XdsTestClient
-_SecurityMode = xds_k8s_testcase.SecurityXdsKubernetesTestCase.SecurityMode
-_Lang = skips.Lang
-
-# The client generates QPS even when it is still loading information from xDS.
-# Once it finally connects there will be an outpouring of the bufferred RPCs and
-# the server needs time to chew through the backlog, especially since it is
-# still a new process and so probably interpreted. The server on one run
-# processed 225 RPCs a second, so with the client configured for 25 qps this is
-# 40 seconds worth of buffering before starting to drain the backlog.
-_SETTLE_DURATION = datetime.timedelta(seconds=5)
-_SAMPLE_DURATION = datetime.timedelta(seconds=0.5)
-
-
-class AuthzTest(xds_k8s_testcase.SecurityXdsKubernetesTestCase):
- RPC_TYPE_CYCLE = {
- "UNARY_CALL": "EMPTY_CALL",
- "EMPTY_CALL": "UNARY_CALL",
- }
-
- @staticmethod
- def is_supported(config: skips.TestConfig) -> bool:
- # Per "Authorization (RBAC)" in
- # https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md
- if config.client_lang in _Lang.CPP | _Lang.PYTHON:
- return config.version_gte("v1.47.x")
- elif config.client_lang in _Lang.GO | _Lang.JAVA:
- return config.version_gte("v1.42.x")
- elif config.client_lang == _Lang.NODE:
- return False
- return True
-
- def setUp(self):
- super().setUp()
- self.next_rpc_type: Optional[int] = None
-
- def authz_rules(self):
- return [
- {
- "destinations": {
- "hosts": [f"*:{self.server_xds_port}"],
- "ports": [self.server_port],
- "httpHeaderMatch": {
- "headerName": "test",
- "regexMatch": "host-wildcard",
- },
- },
- },
- {
- "destinations": {
- "hosts": [f"*:{self.server_xds_port}"],
- "ports": [self.server_port],
- "httpHeaderMatch": {
- "headerName": "test",
- "regexMatch": "header-regex-a+",
- },
- },
- },
- {
- "destinations": [
- {
- "hosts": [
- f"{self.server_xds_host}:{self.server_xds_port}"
- ],
- "ports": [self.server_port],
- "httpHeaderMatch": {
- "headerName": "test",
- "regexMatch": "host-match1",
- },
- },
- {
- "hosts": [
- f"a-not-it.com:{self.server_xds_port}",
- f"{self.server_xds_host}:{self.server_xds_port}",
- "z-not-it.com:1",
- ],
- "ports": [1, self.server_port, 65535],
- "httpHeaderMatch": {
- "headerName": "test",
- "regexMatch": "host-match2",
- },
- },
- ],
- },
- {
- "destinations": {
- "hosts": [
- f"not-the-host:{self.server_xds_port}",
- "not-the-host",
- ],
- "ports": [self.server_port],
- "httpHeaderMatch": {
- "headerName": "test",
- "regexMatch": "never-match-host",
- },
- },
- },
- {
- "destinations": {
- "hosts": [f"*:{self.server_xds_port}"],
- "ports": [1],
- "httpHeaderMatch": {
- "headerName": "test",
- "regexMatch": "never-match-port",
- },
- },
- },
- # b/202058316. The wildcard principal is generating invalid config
- # {
- # "sources": {
- # "principals": ["*"],
- # },
- # "destinations": {
- # "hosts": [f"*:{self.server_xds_port}"],
- # "ports": [self.server_port],
- # "httpHeaderMatch": {
- # "headerName": "test",
- # "regexMatch": "principal-present",
- # },
- # },
- # },
- {
- "sources": [
- {
- "principals": [
- f"spiffe://{self.project}.svc.id.goog/not/the/client",
- ],
- },
- {
- "principals": [
- f"spiffe://{self.project}.svc.id.goog/not/the/client",
- (
- f"spiffe://{self.project}.svc.id.goog/ns/"
- f"{self.client_namespace}/sa/{self.client_name}"
- ),
- ],
- },
- ],
- "destinations": {
- "hosts": [f"*:{self.server_xds_port}"],
- "ports": [self.server_port],
- "httpHeaderMatch": {
- "headerName": "test",
- "regexMatch": "match-principal",
- },
- },
- },
- {
- "sources": {
- "principals": [
- f"spiffe://{self.project}.svc.id.goog/not/the/client",
- ],
- },
- "destinations": {
- "hosts": [f"*:{self.server_xds_port}"],
- "ports": [self.server_port],
- "httpHeaderMatch": {
- "headerName": "test",
- "regexMatch": "never-match-principal",
- },
- },
- },
- ]
-
- def configure_and_assert(
- self,
- test_client: _XdsTestClient,
- test_metadata_val: Optional[str],
- status_code: grpc.StatusCode,
- ) -> None:
- # Swap method type every sub-test to avoid mixing results
- rpc_type = self.next_rpc_type
- if rpc_type is None:
- stats = test_client.get_load_balancer_accumulated_stats()
- for t in self.RPC_TYPE_CYCLE:
- if not stats.stats_per_method[t].rpcs_started:
- rpc_type = t
- self.assertIsNotNone(rpc_type, "All RPC types already used")
- self.next_rpc_type = self.RPC_TYPE_CYCLE[rpc_type]
-
- metadata = None
- if test_metadata_val is not None:
- metadata = ((rpc_type, "test", test_metadata_val),)
- test_client.update_config.configure(
- rpc_types=[rpc_type], metadata=metadata
- )
- # b/228743575 Python has as race. Give us time to fix it.
- stray_rpc_limit = 1 if self.lang_spec.client_lang == _Lang.PYTHON else 0
- self.assertRpcStatusCodes(
- test_client,
- expected_status=status_code,
- duration=_SAMPLE_DURATION,
- method=rpc_type,
- stray_rpc_limit=stray_rpc_limit,
- )
-
- def test_plaintext_allow(self) -> None:
- self.setupTrafficDirectorGrpc()
- self.td.create_authz_policy(action="ALLOW", rules=self.authz_rules())
- self.setupSecurityPolicies(
- server_tls=False,
- server_mtls=False,
- client_tls=False,
- client_mtls=False,
- )
-
- test_server: _XdsTestServer = self.startSecureTestServer()
- self.setupServerBackends()
- test_client: _XdsTestClient = self.startSecureTestClient(test_server)
- time.sleep(_SETTLE_DURATION.total_seconds())
-
- with self.subTest("01_host_wildcard"):
- self.configure_and_assert(
- test_client, "host-wildcard", grpc.StatusCode.OK
- )
-
- with self.subTest("02_no_match"):
- self.configure_and_assert(
- test_client, "no-such-rule", grpc.StatusCode.PERMISSION_DENIED
- )
- self.configure_and_assert(
- test_client, None, grpc.StatusCode.PERMISSION_DENIED
- )
-
- with self.subTest("03_header_regex"):
- self.configure_and_assert(
- test_client, "header-regex-a", grpc.StatusCode.OK
- )
- self.configure_and_assert(
- test_client, "header-regex-aa", grpc.StatusCode.OK
- )
- self.configure_and_assert(
- test_client, "header-regex-", grpc.StatusCode.PERMISSION_DENIED
- )
- self.configure_and_assert(
- test_client,
- "header-regex-ab",
- grpc.StatusCode.PERMISSION_DENIED,
- )
- self.configure_and_assert(
- test_client,
- "aheader-regex-a",
- grpc.StatusCode.PERMISSION_DENIED,
- )
-
- with self.subTest("04_host_match"):
- self.configure_and_assert(
- test_client, "host-match1", grpc.StatusCode.OK
- )
- self.configure_and_assert(
- test_client, "host-match2", grpc.StatusCode.OK
- )
-
- with self.subTest("05_never_match_host"):
- self.configure_and_assert(
- test_client,
- "never-match-host",
- grpc.StatusCode.PERMISSION_DENIED,
- )
-
- with self.subTest("06_never_match_port"):
- self.configure_and_assert(
- test_client,
- "never-match-port",
- grpc.StatusCode.PERMISSION_DENIED,
- )
-
- # b/202058316
- # with self.subTest('07_principal_present'):
- # self.configure_and_assert(test_client, 'principal-present',
- # grpc.StatusCode.PERMISSION_DENIED)
-
- def test_tls_allow(self) -> None:
- self.setupTrafficDirectorGrpc()
- self.td.create_authz_policy(action="ALLOW", rules=self.authz_rules())
- self.setupSecurityPolicies(
- server_tls=True,
- server_mtls=False,
- client_tls=True,
- client_mtls=False,
- )
-
- test_server: _XdsTestServer = self.startSecureTestServer()
- self.setupServerBackends()
- test_client: _XdsTestClient = self.startSecureTestClient(test_server)
- time.sleep(_SETTLE_DURATION.total_seconds())
-
- with self.subTest("01_host_wildcard"):
- self.configure_and_assert(
- test_client, "host-wildcard", grpc.StatusCode.OK
- )
-
- with self.subTest("02_no_match"):
- self.configure_and_assert(
- test_client, None, grpc.StatusCode.PERMISSION_DENIED
- )
-
- # b/202058316
- # with self.subTest('03_principal_present'):
- # self.configure_and_assert(test_client, 'principal-present',
- # grpc.StatusCode.PERMISSION_DENIED)
-
- def test_mtls_allow(self) -> None:
- self.setupTrafficDirectorGrpc()
- self.td.create_authz_policy(action="ALLOW", rules=self.authz_rules())
- self.setupSecurityPolicies(
- server_tls=True, server_mtls=True, client_tls=True, client_mtls=True
- )
-
- test_server: _XdsTestServer = self.startSecureTestServer()
- self.setupServerBackends()
- test_client: _XdsTestClient = self.startSecureTestClient(test_server)
- time.sleep(_SETTLE_DURATION.total_seconds())
-
- with self.subTest("01_host_wildcard"):
- self.configure_and_assert(
- test_client, "host-wildcard", grpc.StatusCode.OK
- )
-
- with self.subTest("02_no_match"):
- self.configure_and_assert(
- test_client, None, grpc.StatusCode.PERMISSION_DENIED
- )
-
- # b/202058316
- # with self.subTest('03_principal_present'):
- # self.configure_and_assert(test_client, 'principal-present',
- # grpc.StatusCode.OK)
-
- with self.subTest("04_match_principal"):
- self.configure_and_assert(
- test_client, "match-principal", grpc.StatusCode.OK
- )
-
- with self.subTest("05_never_match_principal"):
- self.configure_and_assert(
- test_client,
- "never-match-principal",
- grpc.StatusCode.PERMISSION_DENIED,
- )
-
- def test_plaintext_deny(self) -> None:
- self.setupTrafficDirectorGrpc()
- self.td.create_authz_policy(action="DENY", rules=self.authz_rules())
- self.setupSecurityPolicies(
- server_tls=False,
- server_mtls=False,
- client_tls=False,
- client_mtls=False,
- )
-
- test_server: _XdsTestServer = self.startSecureTestServer()
- self.setupServerBackends()
- test_client: _XdsTestClient = self.startSecureTestClient(test_server)
- time.sleep(_SETTLE_DURATION.total_seconds())
-
- with self.subTest("01_host_wildcard"):
- self.configure_and_assert(
- test_client, "host-wildcard", grpc.StatusCode.PERMISSION_DENIED
- )
-
- with self.subTest("02_no_match"):
- self.configure_and_assert(test_client, None, grpc.StatusCode.OK)
-
-
-if __name__ == "__main__":
- absltest.main()