Authz Feature Profile Tests (openconfig#2136)

feature/security/gnsi/authz/tests/README.md → feature/security/gnsi/authz/tests/authz/README.md

@@ -1,4 +1,4 @@
-# gNSI Authz Tests
+# Authz: General Authz (1-4) tests
 
 ## Summary
 
@@ -26,7 +26,7 @@ NOTE: the support of SPIFFE-ID should NOT require explicitly pre-configured loca
 Prepare the following certs with the specified SPIFFE ID. Cert format details can be found in [SPIFFE PR](https://github.com/openconfig/featureprofiles/pull/1563/files)
 
 * `cert_user_admin` with `spiffe://test-abc.foo.bar/xyz/admin`
-* `cert_user_fake` with `spiffe://test-abc.foo.bar/xyz/fake`
+* `cert_user_deny_all` with `spiffe://test-abc.foo.bar/xyz/deny-all`
 * `cert_gribi_modify` with `spiffe://test-abc.foo.bar/xyz/gribi-modify`
 * `cert_gnmi_set` with `spiffe://test-abc.foo.bar/xyz/gnmi-set`
 * `cert_gnoi_time` with `spiffe://test-abc.foo.bar/xyz/gnoi-time`
@@ -80,30 +80,39 @@ Prepare the following gRPC authorization policies.
 ```
 
 ```json
-{
-  "name": "policy-everyone-can-gribi-not-gnmi",
-  "allow_rules": [
-    {
-      "name": "admin-can-do-everything",
-      "source": {
-        "principals": [
-          "spiffe://test-abc.foo.bar/xyz/admin"
-        ]
-      },
-      "request": {}
-    }
-  ],
-  "deny_rules": [
-    {
-      "name": "fake-user-can-do-nothing",
-      "source": {
-        "principals": [
-          "spiffe://test-abc.foo.bar/xyz/fake"
-        ]
+ {
+    "name": "policy-everyone-can-gribi-not-gnmi",
+    "allow_rules": [
+      {
+        "name": "everyone-can-gribi",
+        "source": {
+          "principals": [
+            "*"
+          ]
+        },
+        "request": {
+          "paths": [
+            "/gribi.gRIBI/*"
+          ]
+        }
       }
-    }
-  ]
-}
+    ],
+    "deny_rules": [
+      {
+        "name": "no-one-can-gnmi",
+        "source": {
+          "principals": [
+            "*"
+          ]
+        },
+        "request": {
+          "paths": [
+            "/gribi.gNMI/*"
+          ]
+        }
+      } 
+    ]
+  }
 ```
 
 ```json
@@ -114,7 +123,7 @@ Prepare the following gRPC authorization policies.
       "name": "no-one-can-gribi",
       "request": {
         "paths": [
-          "/gribi.gRIBI/Modify"
+          "/gribi.gRIBI/*"
         ]
       }
     }
@@ -165,7 +174,7 @@ The following table describes policy `policy-normal-1`:
 Cert | gRIBI.Modify | gRIBI.Get | gNMI.Set | gNMI.Get | gNOI.Time | gNOI.Ping | gNSI.Rotate | gNSI.Get | gNSI.Probe
 :--- | :---  | :--- | :---  | :---  | :---  | :--- | :--- | :----- | :-----
 cert_user_admin | allow | allow |allow |allow |allow |allow |allow |allow |allow
-cert_user_fake | deny |deny |deny |deny |deny |deny |deny |deny |deny
+cert_user_deny_all | deny |deny |deny |deny |deny |deny |deny |deny |deny
 cert_gribi_modify | allow |allow |deny |deny |deny |deny |deny |deny |deny
 cert_gnmi_set | deny |deny |allow |allow |deny |deny |deny |deny |deny
 cert_gnoi_time |deny |deny |deny |deny |allow |deny |deny |deny |deny
@@ -265,10 +274,10 @@ cert_read_only |deny |allow |deny |allow |deny |deny |deny |allow |deny
   ],
   "deny_rules": [
     {
-      "name": "fake-user-can-do-nothing",
+      "name": "deny-all-user-can-do-nothing",
       "source": {
         "principals": [
-          "spiffe://test-abc.foo.bar/xyz/fake"
+          "spiffe://test-abc.foo.bar/xyz/deny_all"
         ]
       },
       "request": {
@@ -316,7 +325,7 @@ For each of the scenarios in this section, we need to exercise the following 3 a
 * Authz-1.2, "Test empty request"
   1. Use `gNSI.Rotate` method to push and finalize policy `policy-everyone-can-gribi-not-gnmi`, with `create_on` = `100` and `version` = `policy-everyone-can-gribi-not-gnmi_v1`.
   2. Ensure all results match per the following:
-      * `cert_user_fake` is denied to issue `gRIBI.Get` method.
+      * `cert_user_deny_all` is denied to issue `gNMI.Get` method.
       * `cert_user_admin` is allowed to issue `gRIBI.Get` method.
 
 * Authz-1.3, "Test that there can only be one policy"