TestAuditLogger exercises audit-logging invocations under four different authorization policies. It covers an audit condition of NONE (no events expected), auditing both 'allow' and 'deny' outcomes, and auditing 'allow' and 'deny' outcomes separately. Additionally, it checks that the SPIFFE ID taken from the peer certificate is propagated correctly into the audit event.
(t *testing.T)
| 88 | // and 'deny' outcomes. Additionally, it checks if SPIFFE ID from a certificate |
| 89 | // is propagated correctly. |
| 90 | func (s) TestAuditLogger(t *testing.T) { |
| 91 | // Each test data entry contains an authz policy for a grpc server, |
| 92 | // how many 'allow' and 'deny' outcomes we expect (each test case makes 2 |
| 93 | // unary calls and one client-streaming call), and a structure to check if |
| 94 | // the audit.Event fields are properly populated. Additionally, we specify |
| 95 | // directly which authz outcome we expect from each type of call. |
| 96 | tests := []struct { |
| 97 | name string |
| 98 | authzPolicy string |
| 99 | wantAuthzOutcomes map[bool]int |
| 100 | eventContent *audit.Event |
| 101 | wantUnaryCallCode codes.Code |
| 102 | wantStreamingCallCode codes.Code |
| 103 | }{ |
| 104 | { |
| 105 | name: "No audit", |
| 106 | authzPolicy: `{ |
| 107 | "name": "authz", |
| 108 | "allow_rules": [ |
| 109 | { |
| 110 | "name": "allow_UnaryCall", |
| 111 | "request": { |
| 112 | "paths": [ |
| 113 | "/grpc.testing.TestService/UnaryCall" |
| 114 | ] |
| 115 | } |
| 116 | } |
| 117 | ], |
| 118 | "audit_logging_options": { |
| 119 | "audit_condition": "NONE", |
| 120 | "audit_loggers": [ |
| 121 | { |
| 122 | "name": "stat_logger", |
| 123 | "config": {}, |
| 124 | "is_optional": false |
| 125 | } |
| 126 | ] |
| 127 | } |
| 128 | }`, |
| 129 | wantAuthzOutcomes: map[bool]int{true: 0, false: 0}, |
| 130 | wantUnaryCallCode: codes.OK, |
| 131 | wantStreamingCallCode: codes.PermissionDenied, |
| 132 | }, |
| 133 | { |
| 134 | name: "Allow All Deny Streaming - Audit All", |
| 135 | authzPolicy: `{ |
| 136 | "name": "authz", |
| 137 | "allow_rules": [ |
| 138 | { |
| 139 | "name": "allow_all", |
| 140 | "request": { |
| 141 | "paths": [ |
| 142 | "*" |
| 143 | ] |
| 144 | } |
| 145 | } |
| 146 | ], |
| 147 | "deny_rules": [ |