[Audit Logging] End2end test for audit logging in authorization policy (grpc#33196)

I generated a new client key and cert where a Spiffe ID is added as the
URI SAN. As such, we are able to test the audit log contains the
principal correctly.

Update: I switched to use the test logger to verify the log content and
removed stdout logger here because of the failure of [RBE Windows Debug
C/C++](https://source.cloud.google.com/results/invocations/c3187f41-bb1f-44b3-b2b1-23f38e47386d).

Update again: Refactored the test logger in a util such that the authz
engine test also uses the same logger. Subsequently, xDS e2e test will
also use it.

---------

Co-authored-by: rockspore <rockspore@users.noreply.github.com>
2 people authored and eugeneo committed Jun 1, 2023
1 parent f071d7d commit be88c72
Showing 14 changed files with 1,011 additions and 118 deletions.
2 changes: 2 additions & 0 deletions CMakeLists.txt

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 4 additions & 0 deletions build_autogenerated.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions src/core/tsi/test_creds/BUILD
Expand Up @@ -22,6 +22,8 @@ exports_files([
"server0.pem",
"client.key",
"client.pem",
"client-with-spiffe.key",
"client-with-spiffe.pem",
"badserver.key",
"badserver.pem",
"badclient.key",
9 changes: 9 additions & 0 deletions src/core/tsi/test_creds/README
Expand Up @@ -62,6 +62,15 @@ common name which is set to testclient2.
$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client2.csr \
-out client2.pem -days 3650

client-with-spiffe is issued by CA:
-----------------------

$ openssl genrsa -out client-with-spiffe.key.rsa 2048
$ openssl pkcs8 -topk8 -in client-with-spiffe.key.rsa -out client-with-spiffe.key -nocrypt
$ openssl req -new -key client-with-spiffe.key -out client-with-spiffe.csr -config client-with-spiffe-openssl.cnf
$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client-with-spiffe.csr \
-out client-with-spiffe.pem -extensions v3_req -extfile client-with-spiffe-openssl.cnf -days 3650

server0 is issued by CA:
------------------------

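Review bot: The new client-with-spiffe steps end at signing and never check the result; add a verification line after the `openssl x509 -req` command, for example `openssl x509 -in client-with-spiffe.pem -noout -text`, and state that the output must list `URI:spiffe://foo.com/bar/baz` under Subject Alternative Name. The SAN only reaches the certificate because of `-extensions v3_req -extfile client-with-spiffe-openssl.cnf`, so anyone regenerating the cert from the client2 recipe above, which has neither flag, would get a cert without the SPIFFE ID. The section also omits the common name, which the client2 entry documents, and its `-----` underline is shorter than the heading it sits under.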
15 changes: 15 additions & 0 deletions src/core/tsi/test_creds/client-with-spiffe-openssl.cnf
@@ -0,0 +1,15 @@
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = testclient3

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
URI = spiffe://foo.com/bar/baz
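Review bot: In `[v3_req]`, `keyUsage = nonRepudiation, digitalSignature, keyEncipherment` is broader than a client identity cert needs and there is no `extendedKeyUsage`; consider adding `extendedKeyUsage = clientAuth` and dropping `nonRepudiation`, or add a comment saying the set is intentional for the test. `[alt_names]` holds a single `URI` entry, which matches the SPIFFE expectation of exactly one URI SAN per certificate, so a one-line comment warning against adding a second URI here would protect the principal assertion from future edits. `CN = testclient3` should also be mentioned in the README section for this cert, as is done for testclient2.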
28 changes: 28 additions & 0 deletions src/core/tsi/test_creds/client-with-spiffe.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
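Review bot: Nothing marks client-with-spiffe.key as a test-only fixture, and it is committed as an unencrypted PKCS#8 key (the README recipe uses `-nocrypt`). That is expected under test_creds, but a sentence in the README section saying this key pair must not be used outside tests would let secret-scanner findings on this file be triaged quickly.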
23 changes: 23 additions & 0 deletions src/core/tsi/test_creds/client-with-spiffe.pem
@@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
1 change: 1 addition & 0 deletions test/core/security/BUILD
Expand Up @@ -496,6 +496,7 @@ grpc_cc_test(
"//:gpr",
"//:grpc",
"//src/core:grpc_rbac_engine",
"//test/core/util:audit_logging_utils",
"//test/core/util:grpc_test_util",
"//test/core/util:grpc_test_util_base",
],