[Audit Logging] End2end test for audit logging in authorization policy #33196
Conversation
rockspore
added
the
release notes: no
grpc-checks
bot
added
per-call-memory/neutral
per-channel-memory/neutral
bloat/none
labels
|
Bazel RBE Windows Debug C/C++ has been consistently failing and it seems like the captured stdout failed to be unmarshaled into a valid json. This is difficult to troubleshoot as I don't have a windows machine (and running RBE Windows locally needs it as well). I think I will switch to use the test logger to verify the log content and have to ditch stdout logger here. |
Automated fix for refs/heads/authz-e2e
We have public headers simply named |
Yeah in this case I think I'm fine |
| @@ -82,9 +93,15 @@ class GrpcAuthzEnd2EndTest : public ::testing::Test { | |||
| channel_options.watch_identity_key_cert_pairs(); | |||
| channel_options.watch_root_certs(); | |||
| channel_creds_ = grpc::experimental::TlsCredentials(channel_options); | |||
|
|
|||
There was a problem hiding this comment.
Nit: Please remove unnecessary blank lines within functions.
Same thing throughout.
| grpc::Status status; | ||
|
|
||
| ClientContext context1; | ||
| // Matches the allow rule. |
There was a problem hiding this comment.
Please split each of these cases into their own TEST_F() blocks, as per go/tott/649.
Same for all of these tests.
There was a problem hiding this comment.
Done. Thanks for the link!
| @@ -798,6 +1120,11 @@ TEST_F(GrpcAuthzEnd2EndTest, FileWatcherRecoversFromFailure) { | |||
| grpc::Status status = SendRpc(channel, &context1, &resp1); | |||
| EXPECT_TRUE(status.ok()); | |||
| EXPECT_EQ(resp1.message(), kMessage); | |||
| ASSERT_EQ(audit_logs_.size(), 1); | |||
There was a problem hiding this comment.
Suggest using EXPECT_THAT(audit_logs_, ::testing::ElementsAre(...)) here. That way, if the check fails, we won't bail out early.
| @@ -823,6 +1150,11 @@ TEST_F(GrpcAuthzEnd2EndTest, FileWatcherRecoversFromFailure) { | |||
| status = SendRpc(channel, &context2, &resp2); | |||
| EXPECT_TRUE(status.ok()); | |||
| EXPECT_EQ(resp2.message(), kMessage); | |||
| EXPECT_EQ(audit_logs_.size(), 2); | |||
There was a problem hiding this comment.
Suggest using ElementsAre() here as well. Note that you can say audit_logs_.clear() after the previous pass to clear out the entry you've already checked.
| @@ -871,6 +1212,11 @@ TEST_F(GrpcAuthzEnd2EndTest, FileWatcherRecoversFromFailure) { | |||
| EXPECT_EQ(status.error_code(), grpc::StatusCode::PERMISSION_DENIED); | |||
| EXPECT_EQ(status.error_message(), "Unauthorized RPC request rejected."); | |||
| EXPECT_TRUE(resp3.message().empty()); | |||
| EXPECT_EQ(audit_logs_.size(), 3); | |||
| @@ -82,9 +93,15 @@ class GrpcAuthzEnd2EndTest : public ::testing::Test { | |||
| channel_options.watch_identity_key_cert_pairs(); | |||
| channel_options.watch_root_certs(); | |||
| channel_creds_ = grpc::experimental::TlsCredentials(channel_options); | |||
|
|
|||
| grpc::Status status; | ||
|
|
||
| ClientContext context1; | ||
| // Matches the allow rule. |
There was a problem hiding this comment.
Done. Thanks for the link!
| @@ -798,6 +1120,11 @@ TEST_F(GrpcAuthzEnd2EndTest, FileWatcherRecoversFromFailure) { | |||
| grpc::Status status = SendRpc(channel, &context1, &resp1); | |||
| EXPECT_TRUE(status.ok()); | |||
| EXPECT_EQ(resp1.message(), kMessage); | |||
| ASSERT_EQ(audit_logs_.size(), 1); | |||
| @@ -823,6 +1150,11 @@ TEST_F(GrpcAuthzEnd2EndTest, FileWatcherRecoversFromFailure) { | |||
| status = SendRpc(channel, &context2, &resp2); | |||
| EXPECT_TRUE(status.ok()); | |||
| EXPECT_EQ(resp2.message(), kMessage); | |||
| EXPECT_EQ(audit_logs_.size(), 2); | |||
| @@ -871,6 +1212,11 @@ TEST_F(GrpcAuthzEnd2EndTest, FileWatcherRecoversFromFailure) { | |||
| EXPECT_EQ(status.error_code(), grpc::StatusCode::PERMISSION_DENIED); | |||
| EXPECT_EQ(status.error_message(), "Unauthorized RPC request rejected."); | |||
| EXPECT_TRUE(resp3.message().empty()); | |||
| EXPECT_EQ(audit_logs_.size(), 3); | |||
copybara-service
bot
added
the
imported
yijiem
added
release notes: yes
grpc#33196) I generated a new client key and cert where a Spiffe ID is added as the URI SAN. As such, we are able to test the audit log contains the principal correctly. Update: I switched to use the test logger to verify the log content and removed stdout logger here because one the failure of [RBE Windows Debug C/C++](https://source.cloud.google.com/results/invocations/c3187f41-bb1f-44b3-b2b1-23f38e47386d). Update again: Refactored the test logger in a util such that the authz engine test also uses the same logger. Subsequently, xDS e2e test will also use it. --------- Co-authored-by: rockspore <rockspore@users.noreply.github.com>
erm-g
removed
the
release notes: yes
yijiem
added
the
release notes: no
I generated a new client key and cert where a Spiffe ID is added as the URI SAN. As such, we are able to test the audit log contains the principal correctly.
As for the test strategy, a test logger is registered to check the log count only and the log content is verified in details via the built-in stdout logger.
Update: I switched to use the test logger to verify the log content and removed stdout logger here because one the failure of RBE Windows Debug C/C++.
Update again: Refactored the test logger in a util such that the authz engine test also uses the same logger. Subsequently, xDS e2e test will also use it.