From 784e0740a6ca7684feba3fb4f26d68e098b5c826 Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 4 Jul 2025 16:39:37 -0600 Subject: refactor: map from http request to cedar request --- tests/authorization/cedar_authorizer_test.rs | 20 ++++++++------------ tests/authorization/check_service_test.rs | 17 +++++++---------- 2 files changed, 15 insertions(+), 22 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 79f83c00..317ef67f 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -8,12 +8,10 @@ mod tests { #[test] fn test_cedar_authorizer_allows_valid_token() { let request = build_request(|item: &mut HttpRequest| { - item.headers = build_with(|item: &mut HashMap| { - item.insert( - String::from("authorization"), - String::from("Bearer valid-token"), - ); - }); + item.headers = build_headers(vec![( + "authorization".to_string(), + "Bearer valid-token".to_string(), + )]); }); assert!(build_cedar_authorizer().authorize(request)); @@ -22,12 +20,10 @@ mod tests { #[test] fn test_cedar_authorizer_denies_invalid_token() { let request = build_request(|item: &mut HttpRequest| { - item.headers = build_with(|item: &mut HashMap| { - item.insert( - String::from("authorization"), - String::from("Bearer invalid-token"), - ); - }); + item.headers = build_headers(vec![( + "authorization".to_string(), + "Bearer invalid-token".to_string(), + )]); }); assert!(!build_cedar_authorizer().authorize(request)); diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index a4b8f2ee..fe45712d 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -14,6 +14,7 @@ mod tests { #[tokio::test] async fn test_check_allows_valid_bearer_token() { let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { + item.path = String::from("/"); item.headers = build_headers(vec![( "authorization".to_string(), format!("Bearer {}", String::from("valid-token")), @@ -100,13 +101,13 @@ mod tests { #[tokio::test] async fn test_table() { let test_cases = vec![ - ("Bearer valid-token", true), - ("Bearer invalid-token", false), - ("Basic valid-token", false), - ("", false), + ("Bearer valid-token", tonic::Code::Ok), + ("Bearer invalid-token", tonic::Code::Unauthenticated), + ("Basic valid-token", tonic::Code::Unauthenticated), + ("", tonic::Code::Unauthenticated), ]; - for (auth_value, should_succeed) in test_cases { + for (auth_value, expected_status_code) in test_cases { let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { item.headers = build_headers(vec![("authorization".to_string(), auth_value.to_string())]); @@ -118,11 +119,7 @@ mod tests { let check_response = response.unwrap().into_inner(); let status = check_response.status.unwrap(); - if should_succeed { - assert_eq!(status.code, tonic::Code::Ok as i32); - } else { - assert_eq!(status.code, tonic::Code::Unauthenticated as i32); - } + assert_eq!(status.code, expected_status_code as i32); } } -- cgit v1.2.3 From c27093125aed8434c16655af7e7f415d84859dc7 Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 4 Jul 2025 17:03:20 -0600 Subject: test: start to build table tests --- tests/authorization/check_service_test.rs | 55 ++++++++++++++----------------- 1 file changed, 25 insertions(+), 30 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index fe45712d..4ff7a89b 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -146,39 +146,34 @@ mod tests { // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard"}}, // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}}, // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "POST", Path: "/sparkles"}}, - // - // http: - // method: \"GET\", - // headers: { - // \":method\": \"GET\", - // \":authority\": \"localhost:10000\", - // \":path\": \"/sparkles\", - // }, - // path: \"/sparkles\", - // host: \"localhost:10000\", - let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - let path = String::from("/"); - let method = String::from("GET"); - let host = String::from("sparkle.staging.runway.gitlab.net"); - - item.method = method.clone(); - item.path = path.clone(); - item.host = host.clone(); - item.headers = build_headers(vec![ - (String::from(":path"), path), - (String::from(":method"), method), - (String::from(":authority"), host), - ]); - })); + let test_cases = vec![( + "GET", + "/", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + )]; - let response = subject().check(request).await; - assert!(response.is_ok()); + for (method, path, host, expected_status_code) in test_cases { + let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { + item.method = method.to_string(); + item.path = path.to_string(); + item.host = host.to_string(); + item.headers = build_headers(vec![ + (String::from(":path"), path.to_string()), + (String::from(":method"), method.to_string()), + (String::from(":authority"), host.to_string()), + ]); + })); - let check_response = response.unwrap().into_inner(); - assert!(check_response.status.is_some()); + let response = subject().check(request).await; + assert!(response.is_ok()); - let status = check_response.status.unwrap(); - assert_eq!(status.code, tonic::Code::Ok as i32); + let check_response = response.unwrap().into_inner(); + assert!(check_response.status.is_some()); + + let status = check_response.status.unwrap(); + assert_eq!(status.code, expected_status_code as i32); + } } } -- cgit v1.2.3 From e821b395783f2494f48ad941c606bec615e3b44e Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 4 Jul 2025 17:44:34 -0600 Subject: refactor: extract method to convert http request to cedar context --- src/authorization/cedar_authorizer.rs | 26 ++++++++++++++++---------- tests/authorization/check_service_test.rs | 27 ++++++++++++++++++++------- 2 files changed, 36 insertions(+), 17 deletions(-) (limited to 'tests/authorization') diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs index 4eeaf645..e56640f9 100644 --- a/src/authorization/cedar_authorizer.rs +++ b/src/authorization/cedar_authorizer.rs @@ -111,12 +111,6 @@ impl CedarAuthorizer { &self, http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest, ) -> Result> { - let headers = &http_request.headers; - let bearer_token = headers - .get("authorization") - .and_then(|auth| auth.strip_prefix("Bearer ")) - .unwrap_or(""); - // Create principal entity let principal_id = EntityId::from_str("client")?; let principal_type = EntityTypeName::from_str("User")?; @@ -132,7 +126,22 @@ impl CedarAuthorizer { let resource_type = EntityTypeName::from_str("Resource")?; let resource = EntityUid::from_type_name_and_id(resource_type, resource_id); + let context = self.context_from(http_request); + CedarRequest::new(principal, action, resource, context?, None) + .map_err(|e| Box::new(e) as Box) + } + + fn context_from( + &self, + http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest, + ) -> Result { let mut context_map = std::collections::HashMap::new(); + + let headers = &http_request.headers; + let bearer_token = headers + .get("authorization") + .and_then(|auth| auth.strip_prefix("Bearer ")) + .unwrap_or(""); if !bearer_token.is_empty() { context_map.insert( "bearer_token".to_string(), @@ -146,9 +155,6 @@ impl CedarAuthorizer { ); } - let context = Context::from_pairs(context_map.into_iter().collect::>())?; - - CedarRequest::new(principal, action, resource, context, None) - .map_err(|e| Box::new(e) as Box) + Context::from_pairs(context_map.into_iter().collect::>()) } } diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index 4ff7a89b..73812fa1 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -125,7 +125,6 @@ mod tests { #[tokio::test] async fn test_public_sparkle_endpoints() { - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/"}}, // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/application.js"}}, // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/callback"}}, // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}}, @@ -147,12 +146,26 @@ mod tests { // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}}, // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "POST", Path: "/sparkles"}}, - let test_cases = vec![( - "GET", - "/", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - )]; + let test_cases = vec![ + ( + "GET", + "/", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/application.js", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/callback", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ]; for (method, path, host, expected_status_code) in test_cases { let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { -- cgit v1.2.3 From a45c159dac5893c7214e18a59c8a6d5115472e44 Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 4 Jul 2025 18:47:33 -0600 Subject: test: add missing public asset tests --- etc/authzd/policy0.cedar | 21 ++++++- tests/authorization/check_service_test.rs | 101 +++++++++++++++++++++++++----- 2 files changed, 103 insertions(+), 19 deletions(-) (limited to 'tests/authorization') diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar index 56457622..75cf8178 100644 --- a/etc/authzd/policy0.cedar +++ b/etc/authzd/policy0.cedar @@ -22,11 +22,28 @@ when { permit(principal, action, resource) when { context has host && context has method && context has path && ( - context.host == "sparkle.staging.runway.gitlab.net" && + context.host == "sparkle.staging.runway.gitlab.net" && ( context.method == "GET" && ( context.path == "/" || - context.path == "/app.js" || + context.path == "/callback" || + context.path == "/dashboard/nav" || + context.path == "/health" || + context.path == "/signout" || + context.path == "/sparkles" || + context.path like "*.bmp" || + context.path like "*.css" || + context.path like "*.gif" || + context.path like "*.html" || + context.path like "*.ico" || + context.path like "*.jpeg" || + context.path like "*.jpg" || + context.path like "*.js" || + context.path like "*.png" || context.path == "/callback" ) + ) || ( + context.method == "POST" && ( + context.path == "/sparkles/restore" + ) ) }; diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index 73812fa1..5ea0cb95 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -125,26 +125,9 @@ mod tests { #[tokio::test] async fn test_public_sparkle_endpoints() { - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/application.js"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/callback"}}, // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/dashboard/nav"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/favicon.ico"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/favicon.png"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/favicon.png"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/health"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/htmx.js"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/index.html"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/logo.png"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/pico.min.css"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/signout"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/sparkles"}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/vue.global.js"}}, // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "POST", Path: "/sparkles", Headers: loggedInHeaders}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "POST", Path: "/sparkles/restore"}}, - // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard"}}, // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}}, - // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "POST", Path: "/sparkles"}}, let test_cases = vec![ ( @@ -165,6 +148,90 @@ mod tests { "sparkle.staging.runway.gitlab.net", tonic::Code::Ok, ), + ( + "GET", + "/dashboard/nav", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/favicon.ico", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/favicon.png", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/health", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/htmx.js", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/index.html", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/logo.png", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/pico.min.css", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/signout", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/sparkles", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/vue.global.js", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "POST", + "/sparkles/restore", + "sparkle.staging.runway.gitlab.net", + tonic::Code::Ok, + ), + ( + "GET", + "/dashboard", + "sparkle.staging.runway.gitlab.net", + tonic::Code::PermissionDenied, + ), + ( + "POST", + "/sparkles", + "sparkle.staging.runway.gitlab.net", + tonic::Code::PermissionDenied, + ), ]; for (method, path, host, expected_status_code) in test_cases { -- cgit v1.2.3 From fc4bbd8efd805411239406c6323a37537d4534f2 Mon Sep 17 00:00:00 2001 From: mo khan Date: Sat, 5 Jul 2025 11:29:37 -0600 Subject: fix: fix typo in cedar policy file --- etc/authzd/policy0.cedar | 1 + src/authorization/cedar_authorizer.rs | 110 +++++++++++++-------------- tests/authorization/cedar_authorizer_test.rs | 18 +++-- tests/authorization/check_service_test.rs | 4 +- 4 files changed, 68 insertions(+), 65 deletions(-) (limited to 'tests/authorization') diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar index 75cf8178..e1037457 100644 --- a/etc/authzd/policy0.cedar +++ b/etc/authzd/policy0.cedar @@ -44,6 +44,7 @@ when { ) || ( context.method == "POST" && ( context.path == "/sparkles/restore" + ) ) ) }; diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs index 96a406d8..9fb7513a 100644 --- a/src/authorization/cedar_authorizer.rs +++ b/src/authorization/cedar_authorizer.rs @@ -49,58 +49,7 @@ impl CedarAuthorizer { Ok(policies) } -} - -impl Default for CedarAuthorizer { - fn default() -> Self { - Self::new_from(std::path::Path::new("/etc/authzd")) - } -} - -impl Authorizer for CedarAuthorizer { - fn authorize(&self, request: CheckRequest) -> bool { - let http_request = match request - .attributes - .as_ref() - .and_then(|attr| attr.request.as_ref()) - .and_then(|req| req.http.as_ref()) - { - Some(http) => http, - None => return false, - }; - - tracing::info!( - method = %http_request.method, - host = %http_request.host, - path = %http_request.path, - scheme = %http_request.scheme, - protocol = %http_request.protocol, - "Processing HTTP request" - ); - match self.map_from(http_request.clone()) { - Ok(cedar_request) => { - let entities = Entities::empty(); - let response = - self.authorizer - .is_authorized(&cedar_request, &self.policies, &entities); - - matches!(response.decision(), cedar_policy::Decision::Allow) - } - Err(e) => { - println!("error: {}", e); - tracing::error!( - error = %e, - path = %http_request.path, - "Failed to create Cedar request" - ); - false - } - } - } -} - -impl CedarAuthorizer { fn map_from( &self, http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest, @@ -110,8 +59,9 @@ impl CedarAuthorizer { let resource = self.resource_from(&http_request)?; let context = self.context_from(http_request)?; - CedarRequest::new(principal, permission, resource, context, None) - .map_err(|e| Box::new(e) as Box) + Ok(CedarRequest::new( + principal, permission, resource, context, None, + )?) } fn principal_from( @@ -147,7 +97,7 @@ impl CedarAuthorizer { fn context_from( &self, http_request: envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest, - ) -> Result { + ) -> Result> { let mut items = std::collections::HashMap::new(); items.insert("bearer_token".to_string(), self.token_from(&http_request)); @@ -155,7 +105,7 @@ impl CedarAuthorizer { items.insert("method".to_string(), self.safe_string(&http_request.method)); items.insert("path".to_string(), self.safe_string(&http_request.path)); - Context::from_pairs(items.into_iter().collect::>()) + Ok(Context::from_pairs(items.into_iter().collect::>())?) } fn token_from( @@ -175,3 +125,53 @@ impl CedarAuthorizer { cedar_policy::RestrictedExpression::new_string(item.to_string()) } } + +impl Default for CedarAuthorizer { + fn default() -> Self { + Self::new_from(std::path::Path::new("/etc/authzd")) + } +} + +impl Authorizer for CedarAuthorizer { + fn authorize(&self, request: CheckRequest) -> bool { + let http_request = match request + .attributes + .as_ref() + .and_then(|attr| attr.request.as_ref()) + .and_then(|req| req.http.as_ref()) + { + Some(http) => http, + None => return false, + }; + + tracing::info!( + method = %http_request.method, + host = %http_request.host, + path = %http_request.path, + scheme = %http_request.scheme, + protocol = %http_request.protocol, + "Processing HTTP request" + ); + + let entities = Entities::empty(); + + match self.map_from(http_request.clone()) { + Ok(cedar_request) => { + let response = + self.authorizer + .is_authorized(&cedar_request, &self.policies, &entities); + + matches!(response.decision(), cedar_policy::Decision::Allow) + } + Err(e) => { + println!("error: {}", e); + tracing::error!( + error = %e, + path = %http_request.path, + "Failed to create Cedar request" + ); + false + } + } + } +} diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 317ef67f..ccf8a1f8 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -5,16 +5,18 @@ mod tests { use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; use std::collections::HashMap; + fn subject() -> authzd::CedarAuthorizer { + build_cedar_authorizer() + } + #[test] fn test_cedar_authorizer_allows_valid_token() { - let request = build_request(|item: &mut HttpRequest| { + assert!(subject().authorize(build_request(|item: &mut HttpRequest| { item.headers = build_headers(vec![( "authorization".to_string(), "Bearer valid-token".to_string(), )]); - }); - - assert!(build_cedar_authorizer().authorize(request)); + }))); } #[test] @@ -26,7 +28,7 @@ mod tests { )]); }); - assert!(!build_cedar_authorizer().authorize(request)); + assert!(!subject().authorize(request)); } #[test] @@ -35,7 +37,7 @@ mod tests { item.headers = HashMap::new(); }); - assert!(!build_cedar_authorizer().authorize(request)); + assert!(!subject().authorize(request)); } #[test] @@ -55,7 +57,7 @@ mod tests { ]); }); - assert!(build_cedar_authorizer().authorize(request)); + assert!(subject().authorize(request)); } #[test] @@ -75,6 +77,6 @@ mod tests { ]); }); - assert!(build_cedar_authorizer().authorize(request)); + assert!(subject().authorize(request)); } } diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index 5ea0cb95..a32f2a2c 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -224,13 +224,13 @@ mod tests { "GET", "/dashboard", "sparkle.staging.runway.gitlab.net", - tonic::Code::PermissionDenied, + tonic::Code::Unauthenticated, ), ( "POST", "/sparkles", "sparkle.staging.runway.gitlab.net", - tonic::Code::PermissionDenied, + tonic::Code::Unauthenticated, ), ]; -- cgit v1.2.3 From 2dd12b6a8109f05f508f382604f49744158d2080 Mon Sep 17 00:00:00 2001 From: mo khan Date: Sat, 5 Jul 2025 11:32:15 -0600 Subject: test: invalid request variables in tests --- tests/authorization/cedar_authorizer_test.rs | 38 +++++++++++++--------------- 1 file changed, 17 insertions(+), 21 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index ccf8a1f8..490a0107 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -21,28 +21,28 @@ mod tests { #[test] fn test_cedar_authorizer_denies_invalid_token() { - let request = build_request(|item: &mut HttpRequest| { - item.headers = build_headers(vec![( - "authorization".to_string(), - "Bearer invalid-token".to_string(), - )]); - }); - - assert!(!subject().authorize(request)); + assert!( + !subject().authorize(build_request(|item: &mut HttpRequest| { + item.headers = build_headers(vec![( + "authorization".to_string(), + "Bearer invalid-token".to_string(), + )]); + })) + ); } #[test] fn test_cedar_authorizer_denies_missing_header() { - let request = build_request(|item: &mut HttpRequest| { - item.headers = HashMap::new(); - }); - - assert!(!subject().authorize(request)); + assert!( + !subject().authorize(build_request(|item: &mut HttpRequest| { + item.headers = HashMap::new(); + })) + ); } #[test] fn test_cedar_authorizer_allows_static_assets() { - let request = build_request(|item: &mut HttpRequest| { + assert!(subject().authorize(build_request(|item: &mut HttpRequest| { let method = String::from("GET"); let host = String::from("sparkle.staging.runway.gitlab.net"); let path = "/public/style.css"; @@ -55,14 +55,12 @@ mod tests { (String::from(":method"), method), (String::from(":authority"), host), ]); - }); - - assert!(subject().authorize(request)); + }))); } #[test] fn test_cedar_authorizer_allows_js_assets() { - let request = build_request(|item: &mut HttpRequest| { + assert!(subject().authorize(build_request(|item: &mut HttpRequest| { let method = String::from("GET"); let host = String::from("sparkle.staging.runway.gitlab.net"); let path = "/app.js"; @@ -75,8 +73,6 @@ mod tests { (String::from(":method"), method), (String::from(":authority"), host), ]); - }); - - assert!(subject().authorize(request)); + }))); } } -- cgit v1.2.3 From 43ea56f31f1f00b5f6dfb84682ef40b716a327a4 Mon Sep 17 00:00:00 2001 From: mo khan Date: Sat, 5 Jul 2025 11:42:26 -0600 Subject: test: refactor tests to provide multiple sparkle hosts --- tests/authorization/check_service_test.rs | 166 ++++++++---------------------- 1 file changed, 44 insertions(+), 122 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index a32f2a2c..f6546802 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -129,131 +129,53 @@ mod tests { // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "POST", Path: "/sparkles", Headers: loggedInHeaders}}, // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}}, - let test_cases = vec![ - ( - "GET", - "/", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/application.js", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/callback", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/dashboard/nav", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/favicon.ico", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/favicon.png", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/health", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/htmx.js", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/index.html", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/logo.png", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/pico.min.css", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/signout", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/sparkles", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/vue.global.js", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "POST", - "/sparkles/restore", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Ok, - ), - ( - "GET", - "/dashboard", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Unauthenticated, - ), - ( - "POST", - "/sparkles", - "sparkle.staging.runway.gitlab.net", - tonic::Code::Unauthenticated, - ), + let hosts = vec![ + "sparkle.staging.runway.gitlab.net", + // "sparkle.runway.gitlab.net", ]; - for (method, path, host, expected_status_code) in test_cases { - let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - item.method = method.to_string(); - item.path = path.to_string(); - item.host = host.to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method.to_string()), - (String::from(":authority"), host.to_string()), - ]); - })); - - let response = subject().check(request).await; - assert!(response.is_ok()); - - let check_response = response.unwrap().into_inner(); - assert!(check_response.status.is_some()); + let routes = vec![ + ("GET", "/", tonic::Code::Ok), + ("GET", "/application.js", tonic::Code::Ok), + ("GET", "/callback", tonic::Code::Ok), + ("GET", "/dashboard/nav", tonic::Code::Ok), + ("GET", "/favicon.ico", tonic::Code::Ok), + ("GET", "/favicon.png", tonic::Code::Ok), + ("GET", "/health", tonic::Code::Ok), + ("GET", "/htmx.js", tonic::Code::Ok), + ("GET", "/index.html", tonic::Code::Ok), + ("GET", "/logo.png", tonic::Code::Ok), + ("GET", "/pico.min.css", tonic::Code::Ok), + ("GET", "/signout", tonic::Code::Ok), + ("GET", "/sparkles", tonic::Code::Ok), + ("GET", "/vue.global.js", tonic::Code::Ok), + ("POST", "/sparkles/restore", tonic::Code::Ok), + ("GET", "/dashboard", tonic::Code::Unauthenticated), + ("POST", "/sparkles", tonic::Code::Unauthenticated), + ]; - let status = check_response.status.unwrap(); - assert_eq!(status.code, expected_status_code as i32); + for host in hosts { + for (method, path, expected_status_code) in &routes { + let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { + item.method = method.to_string(); + item.path = path.to_string(); + item.host = host.to_string(); + item.headers = build_headers(vec![ + (String::from(":path"), path.to_string()), + (String::from(":method"), method.to_string()), + (String::from(":authority"), host.to_string()), + ]); + })); + + let response = subject().check(request).await; + assert!(response.is_ok()); + + let check_response = response.unwrap().into_inner(); + assert!(check_response.status.is_some()); + + let status = check_response.status.unwrap(); + assert_eq!(tonic::Code::from_i32(status.code), *expected_status_code); + } } } } -- cgit v1.2.3 From 3dbd58536a4c37a2cc3b18572ac9e46bbd19d718 Mon Sep 17 00:00:00 2001 From: mo khan Date: Sat, 5 Jul 2025 11:45:17 -0600 Subject: feat: allow access from production sparkle --- etc/authzd/policy0.cedar | 31 ++++++++++++++++++------------- tests/authorization/check_service_test.rs | 2 +- 2 files changed, 19 insertions(+), 14 deletions(-) (limited to 'tests/authorization') diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar index a7a0ccb5..18a48476 100644 --- a/etc/authzd/policy0.cedar +++ b/etc/authzd/policy0.cedar @@ -22,19 +22,24 @@ when { permit(principal, action, resource) when { context has host && context has method && context has path && ( - context.host == "sparkle.staging.runway.gitlab.net" && ( - context.method == "GET" && ( - context.path == "/" || - context.path == "/callback" || - context.path == "/dashboard/nav" || - context.path == "/health" || - context.path == "/signout" || - context.path == "/sparkles" || - context.path == "/callback" - ) - ) || ( - context.method == "POST" && ( - context.path == "/sparkles/restore" + ( + context.host == "sparkle.staging.runway.gitlab.net" || + context.host == "sparkle.runway.gitlab.net" + ) && ( + ( + context.method == "GET" && ( + context.path == "/" || + context.path == "/callback" || + context.path == "/dashboard/nav" || + context.path == "/health" || + context.path == "/signout" || + context.path == "/sparkles" || + context.path == "/callback" + ) + ) || ( + context.method == "POST" && ( + context.path == "/sparkles/restore" + ) ) ) ) diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index f6546802..fc1ab75a 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -131,7 +131,7 @@ mod tests { let hosts = vec![ "sparkle.staging.runway.gitlab.net", - // "sparkle.runway.gitlab.net", + "sparkle.runway.gitlab.net", ]; let routes = vec![ -- cgit v1.2.3 From 7a23f5256b861705b69405c690eead5b30df7775 Mon Sep 17 00:00:00 2001 From: mo khan Date: Sat, 5 Jul 2025 12:30:04 -0600 Subject: feat: allow requests from localhost --- etc/authzd/policy0.cedar | 3 ++- src/authorization/server.rs | 6 +++--- tests/authorization/check_service_test.rs | 3 ++- 3 files changed, 7 insertions(+), 5 deletions(-) (limited to 'tests/authorization') diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar index 12950df5..bc67afc3 100644 --- a/etc/authzd/policy0.cedar +++ b/etc/authzd/policy0.cedar @@ -23,8 +23,9 @@ permit(principal, action, resource) when { context has host && context has method && context has path && ( ( + context.host == "sparkle.runway.gitlab.net" || context.host == "sparkle.staging.runway.gitlab.net" || - context.host == "sparkle.runway.gitlab.net" + context.host like "localhost:*" ) && ( ( context.method == "GET" && ( diff --git a/src/authorization/server.rs b/src/authorization/server.rs index 23b7720e..feb89d52 100644 --- a/src/authorization/server.rs +++ b/src/authorization/server.rs @@ -40,9 +40,9 @@ impl Server { tracing::info!( method = %req.method(), path = %req.uri().path(), - content_type = ?req.headers().get("content-type").and_then(|v| v.to_str().ok()), - user_agent = ?req.headers().get("user-agent").and_then(|v| v.to_str().ok()), - x_request_id = ?req.headers().get("x-request-id").and_then(|v| v.to_str().ok()), + content_type = req.headers().get("content-type").map_or("unknown", |v| v.to_str().unwrap_or("unknown")), + user_agent = req.headers().get("user-agent").map_or("unknown", |v| v.to_str().unwrap_or("unknown")), + x_request_id = req.headers().get("x-request-id").map_or("none", |v| v.to_str().unwrap_or("none")), "gRPC request" ); diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index fc1ab75a..b50d3689 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -130,8 +130,9 @@ mod tests { // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}}, let hosts = vec![ - "sparkle.staging.runway.gitlab.net", + "localhost:10000", "sparkle.runway.gitlab.net", + "sparkle.staging.runway.gitlab.net", ]; let routes = vec![ -- cgit v1.2.3 From c6ec4e63d797c5e6cc01a4f09e723ad781b1034e Mon Sep 17 00:00:00 2001 From: mo khan Date: Sat, 5 Jul 2025 13:25:42 -0600 Subject: test: convert i32 to tonic::Code --- tests/authorization/check_service_test.rs | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index b50d3689..c5c824fc 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -28,7 +28,7 @@ mod tests { assert!(check_response.status.is_some()); let status = check_response.status.unwrap(); - assert_eq!(status.code, tonic::Code::Ok as i32); + assert_eq!(tonic::Code::from_i32(status.code), tonic::Code::Ok); } #[tokio::test] @@ -44,7 +44,10 @@ mod tests { assert!(check_response.status.is_some()); let status = check_response.status.unwrap(); - assert_eq!(status.code, tonic::Code::Unauthenticated as i32); + assert_eq!( + tonic::Code::from_i32(status.code), + tonic::Code::Unauthenticated + ); } #[tokio::test] @@ -80,7 +83,7 @@ mod tests { assert!(check_response.status.is_some()); let status = check_response.status.unwrap(); - assert_eq!(status.code, tonic::Code::Ok as i32); + assert_eq!(tonic::Code::from_i32(status.code), tonic::Code::Ok); } } @@ -95,7 +98,10 @@ mod tests { assert!(check_response.status.is_some()); let status = check_response.status.unwrap(); - assert_eq!(status.code, tonic::Code::Unauthenticated as i32); + assert_eq!( + tonic::Code::from_i32(status.code), + tonic::Code::Unauthenticated + ); } #[tokio::test] @@ -119,7 +125,7 @@ mod tests { let check_response = response.unwrap().into_inner(); let status = check_response.status.unwrap(); - assert_eq!(status.code, expected_status_code as i32); + assert_eq!(tonic::Code::from_i32(status.code), expected_status_code); } } -- cgit v1.2.3