mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 10:56:28 +02:00
a396c2eab3
This optimizes the Evaluator in the Authorize service to scale to very large numbers of routes. Additional caching was also added when building rego policy query evaluators in parallel to allow sharing work and to avoid building evaluators for scripts with the same contents.
77 lines
2.3 KiB
Go
77 lines
2.3 KiB
Go
package authorize
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
"github.com/pomerium/pomerium/config"
|
|
"github.com/pomerium/pomerium/pkg/grpc/session"
|
|
"github.com/pomerium/pomerium/pkg/grpcutil"
|
|
"github.com/pomerium/pomerium/pkg/storage"
|
|
)
|
|
|
|
func Test_getDataBrokerRecord(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second*10)
|
|
t.Cleanup(clearTimeout)
|
|
|
|
for _, tc := range []struct {
|
|
name string
|
|
recordVersion, queryVersion uint64
|
|
underlyingQueryCount, cachedQueryCount int
|
|
}{
|
|
{"cached", 1, 1, 1, 2},
|
|
{"invalidated", 1, 2, 3, 4},
|
|
} {
|
|
tc := tc
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
s1 := &session.Session{Id: "s1", Version: fmt.Sprint(tc.recordVersion)}
|
|
|
|
sq := storage.NewStaticQuerier(s1)
|
|
tsq := storage.NewTracingQuerier(sq)
|
|
cq := storage.NewCachingQuerier(tsq, storage.NewLocalCache())
|
|
tcq := storage.NewTracingQuerier(cq)
|
|
qctx := storage.WithQuerier(ctx, tcq)
|
|
|
|
s, err := getDataBrokerRecord(qctx, grpcutil.GetTypeURL(s1), s1.GetId(), tc.queryVersion)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, s)
|
|
|
|
s, err = getDataBrokerRecord(qctx, grpcutil.GetTypeURL(s1), s1.GetId(), tc.queryVersion)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, s)
|
|
|
|
assert.Len(t, tsq.Traces(), tc.underlyingQueryCount,
|
|
"should have %d traces to the underlying querier", tc.underlyingQueryCount)
|
|
assert.Len(t, tcq.Traces(), tc.cachedQueryCount,
|
|
"should have %d traces to the cached querier", tc.cachedQueryCount)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAuthorize_getDataBrokerSessionOrServiceAccount(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second*10)
|
|
t.Cleanup(clearTimeout)
|
|
|
|
opt := config.NewDefaultOptions()
|
|
a := New()
|
|
a.OnConfigChange(context.Background(), &config.Config{Options: opt})
|
|
require.True(t, a.HasValidState())
|
|
|
|
s1 := &session.Session{Id: "s1", ExpiresAt: timestamppb.New(time.Now().Add(-time.Second))}
|
|
sq := storage.NewStaticQuerier(s1)
|
|
qctx := storage.WithQuerier(ctx, sq)
|
|
_, err := a.getDataBrokerSessionOrServiceAccount(qctx, "s1", 0)
|
|
assert.ErrorIs(t, err, session.ErrSessionExpired)
|
|
}
|