1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
use envoy_types::ext_authz::v3::CheckResponseExt;
use envoy_types::ext_authz::v3::pb::{CheckRequest, CheckResponse};
use tonic::{Request, Response, Status};
#[derive(Debug, Default)]
pub struct PolicyServer;
#[tonic::async_trait]
impl envoy_types::ext_authz::v3::pb::Authorization for PolicyServer {
async fn check(
&self,
request: Request<CheckRequest>,
) -> Result<Response<CheckResponse>, Status> {
let request = request.into_inner();
let client_headers = request
.attributes
.as_ref()
.and_then(|attr| attr.request.as_ref())
.and_then(|req| req.http.as_ref())
.map(|http| &http.headers)
.ok_or_else(|| Status::invalid_argument("client headers not populated by envoy"))?;
let mut request_status = Status::unauthenticated("not authorized");
if let Some(authorization) = client_headers.get("authorization") {
if authorization == "Bearer valid-token" {
request_status = Status::ok("request is valid");
}
}
Ok(Response::new(CheckResponse::with_status(request_status)))
}
}
#[cfg(test)]
mod tests {
use super::*;
use envoy_types::ext_authz::v3::pb::{Authorization, CheckRequest};
use std::collections::HashMap;
use tonic::Request;
fn create_test_request_with_headers(headers: HashMap<String, String>) -> Request<CheckRequest> {
use envoy_types::pb::envoy::service::auth::v3::{AttributeContext, attribute_context};
let http_request = attribute_context::HttpRequest {
headers,
..Default::default()
};
let request_context = attribute_context::Request {
http: Some(http_request),
..Default::default()
};
let attributes = AttributeContext {
request: Some(request_context),
..Default::default()
};
let check_request = CheckRequest {
attributes: Some(attributes),
..Default::default()
};
Request::new(check_request)
}
fn create_headers_with_auth(auth_value: &str) -> HashMap<String, String> {
let mut headers = HashMap::new();
headers.insert("authorization".to_string(), auth_value.to_string());
headers
}
#[tokio::test]
async fn test_check_allows_valid_bearer_token() {
let token = String::from("valid-token");
let server = PolicyServer::default();
let headers = create_headers_with_auth(&format!("Bearer {}", token));
let request = create_test_request_with_headers(headers);
let response = server.check(request).await;
assert!(response.is_ok());
let check_response = response.unwrap().into_inner();
assert!(check_response.status.is_some());
let status = check_response.status.unwrap();
assert_eq!(status.code, tonic::Code::Ok.into());
}
#[tokio::test]
async fn test_check_denies_invalid_bearer_token() {
let server = PolicyServer::default();
let request = create_test_request_with_headers(HashMap::new());
let response = server.check(request).await;
assert!(response.is_ok());
let check_response = response.unwrap().into_inner();
assert!(check_response.status.is_some());
let status = check_response.status.unwrap();
assert_eq!(status.code, tonic::Code::Unauthenticated.into());
}
}
|
