
Commit fbaf7c5

authz: update representation of allow authenticated in SDK (#5052)
* remove empty principals logic * update test * minor formatting * resolve comments
1 parent 344b93a commit fbaf7c5


3 files changed

+30
-46
lines changed


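--- a/authz/rbac_translator.go
+++ b/authz/rbac_translator.go
@@ -157,19 +157,13 @@ func parsePrincipalNames(principalNames []string) []*v3rbacpb.Principal {
 }
 
 func parsePeer(source peer) *v3rbacpb.Principal {
-if source.Principals == nil {
+if len(source.Principals) == 0 {
 return &v3rbacpb.Principal{
 Identifier: &v3rbacpb.Principal_Any{
 Any: true,
 },
 }
 }
-if len(source.Principals) == 0 {
-return &v3rbacpb.Principal{
-Identifier: &v3rbacpb.Principal_Authenticated_{
-Authenticated: &v3rbacpb.Principal_Authenticated{},
-}}
-}
 return principalOr(parsePrincipalNames(source.Principals))
 }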
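Review bot: parsePeer now returns Principal_Any for both a missing and an empty principals list, so a policy written as `"source": {"principals": []}`, which the removed branch translated to an authenticated-only principal, will after this change also match unauthenticated peers, and nothing in the hunk records that widening. The function carries no doc comment; one stating the contract would make it visible to policy authors, e.g. `// parsePeer translates a rule's source principals. An absent or empty list matches any peer, authenticated or not; to admit only authenticated peers, list principal names explicitly (the updated tests use ["*", ""]).` If `"principals": []` can exist in already-deployed policies, the SDK's policy documentation presumably needs the same note, since the translation silently becomes more permissive. The whole of parsePeer is inside the hunk.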

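--- a/authz/rbac_translator_test.go
+++ b/authz/rbac_translator_test.go
@@ -205,23 +205,37 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 },
-"empty principal field": {
+"allow authenticated": {
 authzPolicy: `{
-"name": "authz",
-"allow_rules": [{
-"name": "allow_authenticated",
-"source": {"principals":[]}
-}]
-}`,
+"name": "authz",
+"allow_rules": [
+{
+"name": "allow_authenticated",
+"source": {
+"principals":["*", ""]
+}
+}]
+}`,
 wantPolicies: []*v3rbacpb.RBAC{
 {
 Action: v3rbacpb.RBAC_ALLOW,
 Policies: map[string]*v3rbacpb.Policy{
 "authz_allow_authenticated": {
 Principals: []*v3rbacpb.Principal{
-{Identifier: &v3rbacpb.Principal_Authenticated_{
-Authenticated: &v3rbacpb.Principal_Authenticated{},
-}},
+{Identifier: &v3rbacpb.Principal_OrIds{OrIds: &v3rbacpb.Principal_Set{
+Ids: []*v3rbacpb.Principal{
+{Identifier: &v3rbacpb.Principal_Authenticated_{
+Authenticated: &v3rbacpb.Principal_Authenticated{PrincipalName: &v3matcherpb.StringMatcher{
+MatchPattern: &v3matcherpb.StringMatcher_SafeRegex{SafeRegex: &v3matcherpb.RegexMatcher{Regex: ".+"}},
+}},
+}},
+{Identifier: &v3rbacpb.Principal_Authenticated_{
+Authenticated: &v3rbacpb.Principal_Authenticated{PrincipalName: &v3matcherpb.StringMatcher{
+MatchPattern: &v3matcherpb.StringMatcher_Exact{Exact: ""},
+}},
+}},
+},
+}}},
 },
 Permissions: []*v3rbacpb.Permission{
 {Rule: &v3rbacpb.Permission_Any{Any: true}},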

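--- a/authz/sdk_end2end_test.go
+++ b/authz/sdk_end2end_test.go
@@ -261,38 +261,14 @@ var sdkTests = map[string]struct {
 wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
 },
 "DeniesRPCRequestWithPrincipalsFieldOnUnauthenticatedConnection": {
-authzPolicy: `{
-"name": "authz",
-"allow_rules":
-[
-{
-"name": "allow_TestServiceCalls",
-"source": {
-"principals":
-[
-"foo"
-]
-},
-"request": {
-"paths":
-[
-"/grpc.testing.TestService/*"
-]
-}
-}
-]
-}`,
-wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
-},
-"DeniesRPCRequestWithEmptyPrincipalsOnUnauthenticatedConnection": {
 authzPolicy: `{
 "name": "authz",
 "allow_rules":
 [
 {
 "name": "allow_authenticated",
 "source": {
-"principals": []
+"principals": ["*", ""]
 }
 }
 ]
@@ -386,15 +362,15 @@ func (s) TestSDKStaticPolicyEnd2End(t *testing.T) {
 }
 }
 
-func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnTLSAuthenticatedConnection(t *testing.T) {
+func (s) TestSDKAllowsRPCRequestWithPrincipalsFieldOnTLSAuthenticatedConnection(t *testing.T) {
 authzPolicy := `{
 "name": "authz",
 "allow_rules":
 [
 {
 "name": "allow_authenticated",
 "source": {
-"principals": []
+"principals": ["*", ""]
 }
 }
 ]
@@ -438,15 +414,15 @@ func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnTLSAuthenticatedConnection(
 }
 }
 
-func (s) TestSDKAllowsRPCRequestWithEmptyPrincipalsOnMTLSAuthenticatedConnection(t *testing.T) {
+func (s) TestSDKAllowsRPCRequestWithPrincipalsFieldOnMTLSAuthenticatedConnection(t *testing.T) {
 authzPolicy := `{
 "name": "authz",
 "allow_rules":
 [
 {
 "name": "allow_authenticated",
 "source": {
-"principals": []
+"principals": ["*", ""]
 }
 }
 ]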
