@@ -478,6 +478,30 @@ func (s) TestRBACHTTPFilter(t *testing.T) { |
|
|
478 |
478 |
wantStatusEmptyCall: codes.PermissionDenied, |
479 |
479 |
wantStatusUnaryCall: codes.OK, |
480 |
480 |
}, |
|
481 |
+// This test tests an RBAC HTTP Filter which is configured to allow only |
|
482 |
+// RPC's with certain paths ("UnaryCall") via the ":path" header. Only |
|
483 |
+// unary calls passing through this RBAC HTTP Filter should proceed as |
|
484 |
+// normal, and any others should be denied. |
|
485 |
+ { |
|
486 |
+name: "allow-certain-path-by-header", |
|
487 |
+rbacCfg: &rpb.RBAC{ |
|
488 |
+Rules: &v3rbacpb.RBAC{ |
|
489 |
+Action: v3rbacpb.RBAC_ALLOW, |
|
490 |
+Policies: map[string]*v3rbacpb.Policy{ |
|
491 |
+"certain-path": { |
|
492 |
+Permissions: []*v3rbacpb.Permission{ |
|
493 |
+ {Rule: &v3rbacpb.Permission_Header{Header: &v3routepb.HeaderMatcher{Name: ":path", HeaderMatchSpecifier: &v3routepb.HeaderMatcher_ExactMatch{ExactMatch: "/grpc.testing.TestService/UnaryCall"}}}}, |
|
494 |
+ }, |
|
495 |
+Principals: []*v3rbacpb.Principal{ |
|
496 |
+ {Identifier: &v3rbacpb.Principal_Any{Any: true}}, |
|
497 |
+ }, |
|
498 |
+ }, |
|
499 |
+ }, |
|
500 |
+ }, |
|
501 |
+ }, |
|
502 |
+wantStatusEmptyCall: codes.PermissionDenied, |
|
503 |
+wantStatusUnaryCall: codes.OK, |
|
504 |
+ }, |
481 |
505 |
// This test that a RBAC Config with nil rules means that every RPC is |
482 |
506 |
// allowed. This maps to the line "If absent, no enforcing RBAC policy |
483 |
507 |
// will be applied" from the RBAC Proto documentation for the Rules |
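Review bot: The comment above the new `allow-certain-path-by-header` case never says that the policy is an exact match on the `:path` pseudo-header under `RBAC_ALLOW`, which is what makes every other method fail closed. I would state it directly, e.g. `// Only RPCs whose ":path" header exactly equals "/grpc.testing.TestService/UnaryCall" match the ALLOW policy; all other RPCs are denied.` The case's expectations (EmptyCall denied, UnaryCall OK) are the same as those of the preceding case visible in the context lines, so the comment is the only place a reader learns which matcher is under test. The single-line `Permissions` entry would also be easier to audit if split with one nested literal per line. The test table and TestRBACHTTPFilter continue outside this hunk.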