[Audit Logging] End2end test for audit logging in authorization policy #33196
Conversation
A few initial comments
Bazel RBE Windows Debug C/C++ has been consistently failing and it seems like the captured stdout failed to be unmarshaled into a valid JSON. This is difficult to troubleshoot as I don't have a Windows machine (and running RBE Windows locally needs it as well). I think I will switch to use the test logger to verify the log content and have to ditch the stdout logger here.
LGTM (assuming all tests are good, etc)
LGTM
Would it make sense to name it authz_audit_logging_utils?
Automated fix for refs/heads/authz-e2e
We have public headers simply named
Yeah in this case I think I'm fine
This looks good! My comments are all fairly minor, so feel free to merge after addressing.
@@ -82,9 +93,15 @@ class GrpcAuthzEnd2EndTest : public ::testing::Test { | |||
channel_options.watch_identity_key_cert_pairs(); | |||
channel_options.watch_root_certs(); | |||
channel_creds_ = grpc::experimental::TlsCredentials(channel_options); | |||
|
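Review bot: the identity cert pair watched in this hunk is what determines the principal the audit log will record, and nothing in these lines says which client cert is loaded or which SPIFFE ID URI SAN it carries (the PR description says a new client cert with a SPIFFE ID was generated for exactly this purpose); a one-line comment naming the cert file and the expected principal string next to channel_creds_ = grpc::experimental::TlsCredentials(channel_options); would make the later audit-log assertions traceable, and a cert rotation that changes the SAN would then fail loudly in the assertions rather than silently. Also drop the trailing blank line after that assignment.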
Nit: Please remove unnecessary blank lines within functions.
Same thing throughout.
Done.
grpc::Status status; | ||
|
||
ClientContext context1; | ||
// Matches the allow rule. |
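Review bot: a single grpc::Status status; is declared once and then shared by the cases that follow (ClientContext context1; // Matches the allow rule. is only the first), so an RPC that fails unexpectedly leaves a stale status that the next case's EXPECTs read, and the audit_logs_ entries from one case leak into the counts of the next; give each allow/deny case its own TEST_F with a fresh status and a freshly cleared logger sink, so a failing case is reported on its own and the audit-log assertions for each decision are independent.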
Please split each of these cases into their own TEST_F() blocks, as per go/tott/649.
Same for all of these tests.
Done. Thanks for the link!
@@ -798,6 +1120,11 @@ TEST_F(GrpcAuthzEnd2EndTest, FileWatcherRecoversFromFailure) { | |||
grpc::Status status = SendRpc(channel, &context1, &resp1); | |||
EXPECT_TRUE(status.ok()); | |||
EXPECT_EQ(resp1.message(), kMessage); | |||
ASSERT_EQ(audit_logs_.size(), 1); |
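Review bot: ASSERT_EQ(audit_logs_.size(), 1); only checks that something was logged for the allowed RPC, not that the entry records an allow decision with the principal taken from the client cert's SPIFFE ID and the rule that matched, and ASSERT_EQ aborts the test body on mismatch before the remaining checks run; compare the captured entry's fields instead (for example EXPECT_THAT(audit_logs_, ::testing::ElementsAre(...)) with a matcher on decision, principal and matched rule), so a logger that emits an entry with the wrong content cannot pass.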
Suggest using EXPECT_THAT(audit_logs_, ::testing::ElementsAre(...)) here. That way, if the check fails, we won't bail out early.
Done.
@@ -823,6 +1150,11 @@ TEST_F(GrpcAuthzEnd2EndTest, FileWatcherRecoversFromFailure) { | |||
status = SendRpc(channel, &context2, &resp2); | |||
EXPECT_TRUE(status.ok()); | |||
EXPECT_EQ(resp2.message(), kMessage); | |||
EXPECT_EQ(audit_logs_.size(), 2); |
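Review bot: EXPECT_EQ(audit_logs_.size(), 2); is a cumulative count, so it passes even if the first phase logged nothing and this phase logged twice, or if the watcher's reload produced a duplicate entry for the same RPC; clearing audit_logs_ after each phase's assertions and checking this phase's single entry on its own (content, not just count) keeps the phases of FileWatcherRecoversFromFailure independent of one another.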
Suggest using ElementsAre() here as well. Note that you can say audit_logs_.clear() after the previous pass to clear out the entry you've already checked.
Done.
@@ -871,6 +1212,11 @@ TEST_F(GrpcAuthzEnd2EndTest, FileWatcherRecoversFromFailure) { | |||
EXPECT_EQ(status.error_code(), grpc::StatusCode::PERMISSION_DENIED); | |||
EXPECT_EQ(status.error_message(), "Unauthorized RPC request rejected."); | |||
EXPECT_TRUE(resp3.message().empty()); | |||
EXPECT_EQ(audit_logs_.size(), 3); |
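Review bot: this is the deny path, where the audit entry matters most, yet EXPECT_EQ(audit_logs_.size(), 3); cannot tell a deny entry from a third allow entry; assert that the one new entry records the deny decision and the same principal as the earlier allowed RPCs, so a regression that denies the RPC (PERMISSION_DENIED, empty resp3) but logs it as allowed, or that logs nothing at all for denied requests, is caught by the test.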
Same here.
Done.
Thanks for the review, Mark!
grpc#33196) I generated a new client key and cert where a SPIFFE ID is added as the URI SAN. As such, we are able to test that the audit log contains the principal correctly. Update: I switched to use the test logger to verify the log content and removed the stdout logger here because of the failure of [RBE Windows Debug C/C++](https://source.cloud.google.com/results/invocations/c3187f41-bb1f-44b3-b2b1-23f38e47386d). Update again: Refactored the test logger into a util such that the authz engine test also uses the same logger. Subsequently, the xDS e2e test will also use it. --------- Co-authored-by: rockspore <rockspore@users.noreply.github.com>
I generated a new client key and cert where a SPIFFE ID is added as the URI SAN. As such, we are able to test that the audit log contains the principal correctly.
As for the test strategy, a test logger is registered to check the log count only and the log content is verified in detail via the built-in stdout logger.
Update: I switched to use the test logger to verify the log content and removed the stdout logger here because of the failure of RBE Windows Debug C/C++.
Update again: Refactored the test logger into a util such that the authz engine test also uses the same logger. Subsequently, the xDS e2e test will also use it.
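The capture-then-assert strategy from the description (a test logger records every audit entry; the assertions check the principal taken from the SPIFFE ID URI SAN), as an added example in plain C++ that is not the PR's gRPC test code: AuditEntry, AuditLogger, TestAuditLogger, Rule, Authorize and RunScenario are simplified stand-ins for the real pluggable audit logger and authz engine, and the SPIFFE IDs, rule names and RPC method are constructed for the example. It also shows the review point that asserting on entry content catches what a size-only check does not.

```cpp
// Added example, not gRPC code: a self-contained model of "capture audit
// entries in a test logger, then assert on their content". All names, SPIFFE
// IDs and the RPC method below are assumptions made up for this example.
#include <cstdio>
#include <string>
#include <vector>

// Stand-in for an audit context: one entry per authorization decision.
struct AuditEntry {
  std::string rpc_method;
  std::string principal;     // SPIFFE ID from the client cert's URI SAN, or ""
  std::string policy_name;
  std::string matched_rule;  // "" when no rule matched (default deny)
  bool authorized;
  bool operator==(const AuditEntry& o) const {
    return rpc_method == o.rpc_method && principal == o.principal &&
           policy_name == o.policy_name && matched_rule == o.matched_rule &&
           authorized == o.authorized;
  }
};

class AuditLogger {
 public:
  virtual ~AuditLogger() = default;
  virtual void Log(const AuditEntry& entry) = 0;
};

// Test logger: appends to a sink the test owns, so the test can inspect and
// clear it between phases instead of relying on cumulative counts.
class TestAuditLogger : public AuditLogger {
 public:
  explicit TestAuditLogger(std::vector<AuditEntry>* sink) : sink_(sink) {}
  void Log(const AuditEntry& entry) override { sink_->push_back(entry); }

 private:
  std::vector<AuditEntry>* sink_;
};

// One policy rule: matches when the principal starts with principal_prefix.
struct Rule {
  std::string name;
  std::string principal_prefix;
  bool allow;
};

// Returns the first spiffe:// URI SAN, or "" when the cert carries none.
std::string PrincipalFromUriSans(const std::vector<std::string>& uri_sans) {
  for (const auto& san : uri_sans) {
    if (san.rfind("spiffe://", 0) == 0) return san;
  }
  return "";
}

// Toy authorization engine (assumption): first matching rule wins, and every
// decision, allow or deny, is written to the audit logger with the rule name.
bool Authorize(const std::string& method, const std::string& principal,
               const std::vector<Rule>& rules, AuditLogger& logger) {
  for (const auto& rule : rules) {
    if (principal.rfind(rule.principal_prefix, 0) == 0) {
      logger.Log({method, principal, "authz", rule.name, rule.allow});
      return rule.allow;
    }
  }
  logger.Log({method, principal, "authz", "", false});  // default deny, still audited
  return false;
}

// Three RPCs: an allowed workload, a denied workload, and a client whose cert
// has no SPIFFE URI SAN. Returns the captured entries for the caller to check.
std::vector<AuditEntry> RunScenario() {
  std::vector<AuditEntry> captured;
  TestAuditLogger logger(&captured);
  const std::vector<Rule> rules = {
      {"allow_workload_1", "spiffe://foo.bar.com/client/workload-1", true},
      {"deny_other_spiffe_clients", "spiffe://", false},
  };
  const std::string method = "/example.EchoService/Echo";  // constructed
  Authorize(method, PrincipalFromUriSans({"spiffe://foo.bar.com/client/workload-1"}), rules, logger);
  Authorize(method, PrincipalFromUriSans({"spiffe://foo.bar.com/client/workload-2"}), rules, logger);
  Authorize(method, PrincipalFromUriSans({"https://no-spiffe.example"}), rules, logger);
  return captured;
}

// The content check a size-only assertion cannot replace: exact sequence match,
// the same thing EXPECT_THAT(..., ElementsAre(...)) expresses in gtest.
bool EntriesMatch(const std::vector<AuditEntry>& got, const std::vector<AuditEntry>& want) {
  return got == want;
}

int main() {
  for (const auto& e : RunScenario()) {
    std::printf("%s principal=%s rule=%s authorized=%d\n", e.rpc_method.c_str(),
                e.principal.c_str(), e.matched_rule.c_str(), e.authorized ? 1 : 0);
  }
  return 0;
}
```

A count-only check (three entries) would also accept three allow entries or a run that logged nothing for the denied workload; EntriesMatch over the full expected sequence does not. Clearing the sink after each phase's assertions gives the same independence when a test has several phases.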