authz: End2End test for AuditLogger

[erm-g]

End to end tests covering

1. AuditLogging invocation testing
2. Audit on Allow, Audit on Deny, Audit All, No Auditing
3. SPIFFE Ids from new cert

RELEASE NOTES: none

[rockspore]

Left some initial comments. Please fix the tests.

[gtcooke94]

A few small comments

[rockspore]

Now that we have EventContent, do we still need this field singled out?

[erm-g]

I'm checking EventContent only once but I'd still prefer to check SPIFFE every time

[rockspore]

Is there any specific reason behind that? I thought if Spiffe ID is populated in one case, we can safely assume it's already there.

[rockspore]

Please fix the vet testing failure.

[rockspore]

Is there any specific reason behind that? I thought if Spiffe ID is populated in one case, we can safely assume it's already there.

[rockspore]

LGTM. Thanks!

[rockspore]

micronit: 2023

[dfawley]

RELEASE NOTES:

• TBD

Please fill in release notes when creating the PR (or asap after noticing they're missing due to failing checker). This should be part of what is reviewed as part of the PR review. In this case, it's just for testing, so we use RELEASE NOTES: none (or n/a) since our users don't really care much about our tests (they just assume we do a good enough job with them).

[dfawley]

Also: only one Type label should be applied (pick the best one). In this case, Testing makes the most sense since you aren't addressing a security-related issue, but it's not actually all that important if there are no release notes.

[dfawley]

Why not s.EventContent = event and make this field type *audit.Event? (Also consider a rename to lastEvent?)

[erm-g]

Here EventContent is a map created at loggerBuilder but manipulated by statAuditLogger. At the end I'm using loggerBuilder to access it's content. I'm not sure how to achieve the same using *audit.Event - maybe only if I use a slice or map wrapping it?

[dfawley]

I DON"T UNDERSTAND THIS> Why can't you just change the type of this field (now lastEventContent) to *audit.Event and rename the field to lastEvent? Are you saying the tricky bit is communicating between the test and the constructed logger? If so, 2 options:

1. Use *audit.Event and *s.lastEvent = *event
2. Use **audit.Event and *s.lastEvent = event

[dfawley]

Wow what happened with my last comment here?? Sometimes the shift key sticks on my keyboard, but I can't believe I didn't see it. Sorry if that came off as rude, I didn't mean to type in all-caps.

[erm-g]

No worries!

[dfawley]

By the time I got here reading the code, it's pretty obvious what is happening. 😄 IMO: delete this comment but put something like this up at the top of the function.

[dfawley]

This needs to check the error.

[erm-g]

I'm leaning towards ignoring the errors here - #6304 (comment)

[dfawley]

Maybe define map[bool]int as a want in the testcase struct instead? Or replace the map in the logger with 2 bools so it's clearer that this is comparing equivalent things.

[dfawley]

Only one test case actually covers this. And it only captures the most recent event. Is that sufficient?

[erm-g]

The idea is that we already tested event content propagation in unit tests. Here it's an extra check because of end to end scenario including certificate with a SPIFFE ID. That's why I'm doing it just once

[dfawley]

Please just Test, which is our convention.

[dfawley]

I DON"T UNDERSTAND THIS> Why can't you just change the type of this field (now lastEventContent) to *audit.Event and rename the field to lastEvent? Are you saying the tricky bit is communicating between the test and the constructed logger? If so, 2 options:

1. Use *audit.Event and *s.lastEvent = *event
2. Use **audit.Event and *s.lastEvent = event

[dfawley]

Please wrap all comments at 80 columns (every file and always). Thanks!

[dfawley]

Missed one

[dfawley]

Missed one

[dfawley]

Missed one

[dfawley]

This is not a map anymore.

[dfawley]

I don't think ignoring errors is a good idea. Check them so we can more easily debug what went wrong instead of trying to figure out why the numbers didn't match up at the end.

[dfawley]

Missed a couple recent changes

[dfawley]

Space after // please.

[dfawley]

Nit: CA not Ca

[dfawley]

Inline this please, since it's so simple:

if _, err := client.UnaryCall(ctx, &testpb.SimpleRequest{}); err != nil {
	t.Fatalf("Unexpected error from UnaryCall: %v", err)
}

[erm-g]

I also need to check if the err is a permission denied one - it's a valid scenario for the test (we count deny as well).
I think I can rely on code only but still it'll be 2 LOCs

_, err = client.UnaryCall(ctx, &testpb.SimpleRequest{})
if errCode := status.Code(err); errCode != permissionDeniedStatus.Code() && errCode != codes.OK {
	t.Errorf("Call failed:%v", err)
}

Or I can create a helper function which takes SimpleResponse, error and returns back error code - smth like

if errCode := errorCodeExtractor(client.UnaryCall(ctx, &testpb.SimpleRequest{})); errCode != permissionDeniedStatus.Code() && errCode != codes.OK {
	t.Errorf("Call failed:%v", err)
}

WDYT?

[dfawley]

So this is more of a problem of your test design.. You're using a table driven test but things are sufficiently different between iterations that it leads to these sorts of problems.

If you want to not care which one should happen:

if _, err := UnaryCall(); err != nil && status.Code(err) != codes.PermissionDenied {
	t.Fatalf()
}

Or if you want to require no error when unary should not be denied and vice-versa:

_, err := UnaryCall()
if test.wantAuthzOutcomes[false] > 1 /* LOL */ && status.Code(err) != codes.PermissionDenied {
	t.Fatalf()
} else if test.wantAuthzOutcomes[false] < 2 /* also LOL */ && err != nil {
	t.Fatalf()
}

Realistically, the latter is how your code should behave, but it's ugly. Maybe the test should be reworked a bit or split into multiple tests, as this seems wrong.

[erm-g]

So this is more of a problem of your test design.. You're using a table driven test but things are sufficiently different between iterations that it leads to these sorts of problems.

My idea is to have a set of authz policies with various audit_condition values. In order to test each audit_condition I need to make a few calls and then check if audit logger was invoked as expected. That's why I think that iterations are common enough to use a table driven approach. From my perspective

if _, err := UnaryCall(); err != nil && status.Code(err) != codes.PermissionDenied {
	t.Fatalf()
}

covers all the cases (we want to error test if a call returns an err but it's not a permission denied one).

Maybe the test should be reworked a bit or split into multiple tests, as this seems wrong.

What'd be your suggestion for refactoring? I think that splitting it will result in very similar tests with different err handling for permission denied cases.

[dfawley]

My idea is to have a set of authz policies with various audit_condition values. In order to test each audit_condition I need to make a few calls and then check if audit logger was invoked as expected. That's why I think that iterations are common enough to use a table driven approach. From my perspective

Maybe add a codes.Code for the expected result from the Unary and Streaming RPC calls to the table?

[erm-g]

Agreed, I think it makes the test more readable. PTAL

[dfawley]

Please check the error.

[dfawley]

This one needs to be Fatal because using the stream is illegal.

[erm-g]

I need some help here - go/go-style/decisions.md?cl=head#keep-going suggests to prefer Error over Fatal

to print out all of the failed checks in a single run

So for this test even if stream is not usable I can still proceed with unary calls to get the test results for it.
However the same doc suggests

Calling t.Fatal is primarily useful for reporting an unexpected error condition

and unusable stream is definitely something we don't expect.
WDYT?

[dfawley]

True, Error is nicer, generally, but this is a precondition for (some of) the rest of the test. The "ideal" would be to skip just the streaming calls and the checks that depend on them happening, but that really clutters the code and isn't worth it at all. Just Fatal since a precondition failed and keep things simple.

[erm-g]

Ok, sounds good - I changed Errorf to be used for

• cmp.Diff cases
• errors which status.Code is not expected