github.com/hxx258456/ccgo@v0.0.5-0.20230213014102-48b35f46f66f/grpc/authz/sdk_end2end_test.go (about)

     1  /*
     2   *
     3   * Copyright 2021 gRPC authors.
     4   *
     5   * Licensed under the Apache License, Version 2.0 (the "License");
     6   * you may not use this file except in compliance with the License.
     7   * You may obtain a copy of the License at
     8   *
     9   *     http://www.apache.org/licenses/LICENSE-2.0
    10   *
    11   * Unless required by applicable law or agreed to in writing, software
    12   * distributed under the License is distributed on an "AS IS" BASIS,
    13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14   * See the License for the specific language governing permissions and
    15   * limitations under the License.
    16   *
    17   */
    18  
    19  package authz_test
    20  
    21  import (
    22  	"context"
    23  	"io"
    24  	"io/ioutil"
    25  	"net"
    26  	"os"
    27  	"testing"
    28  	"time"
    29  
    30  	"github.com/hxx258456/ccgo/x509"
    31  
    32  	tls "github.com/hxx258456/ccgo/gmtls"
    33  
    34  	grpc "github.com/hxx258456/ccgo/grpc"
    35  	"github.com/hxx258456/ccgo/grpc/authz"
    36  	"github.com/hxx258456/ccgo/grpc/codes"
    37  	"github.com/hxx258456/ccgo/grpc/credentials"
    38  	"github.com/hxx258456/ccgo/grpc/internal/grpctest"
    39  	"github.com/hxx258456/ccgo/grpc/metadata"
    40  	"github.com/hxx258456/ccgo/grpc/status"
    41  	pb "github.com/hxx258456/ccgo/grpc/test/grpc_testing"
    42  	"github.com/hxx258456/ccgo/grpc/testdata"
    43  )
    44  
    45  type testServer struct {
    46  	pb.UnimplementedTestServiceServer
    47  }
    48  
    49  func (s *testServer) UnaryCall(ctx context.Context, req *pb.SimpleRequest) (*pb.SimpleResponse, error) {
    50  	return &pb.SimpleResponse{}, nil
    51  }
    52  
    53  func (s *testServer) StreamingInputCall(stream pb.TestService_StreamingInputCallServer) error {
    54  	for {
    55  		_, err := stream.Recv()
    56  		if err == io.EOF {
    57  			return stream.SendAndClose(&pb.StreamingInputCallResponse{})
    58  		}
    59  		if err != nil {
    60  			return err
    61  		}
    62  	}
    63  }
    64  
    65  type s struct {
    66  	grpctest.Tester
    67  }
    68  
    69  func Test(t *testing.T) {
    70  	grpctest.RunSubTests(t, s{})
    71  }
    72  
    73  var sdkTests = map[string]struct {
    74  	authzPolicy string
    75  	md          metadata.MD
    76  	wantStatus  *status.Status
    77  }{
    78  	"DeniesRPCMatchInDenyNoMatchInAllow": {
    79  		authzPolicy: `{
    80  				"name": "authz",
    81  				"allow_rules": 
    82  				[
    83  					{
    84  						"name": "allow_StreamingOutputCall",
    85  						"request": {
    86  							"paths":
    87  							[
    88  								"/grpc.testing.TestService/StreamingOutputCall"
    89  							]
    90  						}
    91  					}
    92  				],
    93  				"deny_rules":
    94  				[
    95  					{
    96  						"name": "deny_TestServiceCalls",
    97  						"request": {
    98  							"paths":
    99  							[
   100  								"/grpc.testing.TestService/*"
   101  							],
   102  							"headers":
   103  							[
   104  								{
   105  									"key": "key-abc",
   106  									"values":
   107  									[
   108  										"val-abc",
   109  										"val-def"
   110  									]
   111  								}
   112  							]
   113  						}
   114  					}
   115  				]
   116  			}`,
   117  		md:         metadata.Pairs("key-abc", "val-abc"),
   118  		wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
   119  	},
   120  	"DeniesRPCMatchInDenyAndAllow": {
   121  		authzPolicy: `{
   122  				"name": "authz",
   123  				"allow_rules":
   124  				[
   125  					{
   126  						"name": "allow_all",
   127  						"request": {
   128  							"paths":
   129  							[
   130  								"*"
   131  							]
   132  						}
   133  					}
   134  				],
   135  				"deny_rules":
   136  				[
   137  					{
   138  						"name": "deny_all",
   139  						"request": {
   140  							"paths":
   141  							[
   142  								"*"
   143  							]
   144  						}
   145  					}
   146  				]
   147  			}`,
   148  		wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
   149  	},
   150  	"AllowsRPCNoMatchInDenyMatchInAllow": {
   151  		authzPolicy: `{
   152  				"name": "authz",
   153  				"allow_rules":
   154  				[
   155  					{
   156  						"name": "allow_all"
   157  					}
   158  				],
   159  				"deny_rules":
   160  				[
   161  					{
   162  						"name": "deny_TestServiceCalls",
   163  						"request": {
   164  							"paths":
   165  							[
   166  								"/grpc.testing.TestService/UnaryCall",
   167  								"/grpc.testing.TestService/StreamingInputCall"
   168  							],
   169  							"headers": 
   170  							[
   171  								{
   172  									"key": "key-abc",
   173  									"values": 
   174  									[
   175  										"val-abc",
   176  										"val-def"
   177  									]
   178  								}
   179  							]
   180  						}
   181  					}
   182  				]
   183  			}`,
   184  		md:         metadata.Pairs("key-xyz", "val-xyz"),
   185  		wantStatus: status.New(codes.OK, ""),
   186  	},
   187  	"DeniesRPCNoMatchInDenyAndAllow": {
   188  		authzPolicy: `{
   189  				"name": "authz",
   190  				"allow_rules":
   191  				[
   192  					{
   193  						"name": "allow_some_user",
   194  						"source": {
   195  							"principals":
   196  							[
   197  								"some_user"
   198  							]
   199  						}
   200  					}
   201  				],
   202  				"deny_rules":
   203  				[
   204  					{
   205  						"name": "deny_StreamingOutputCall",
   206  						"request": {
   207  							"paths":
   208  							[
   209  								"/grpc.testing.TestService/StreamingOutputCall"
   210  							]
   211  						}
   212  					}
   213  				]
   214  			}`,
   215  		wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
   216  	},
   217  	"AllowsRPCEmptyDenyMatchInAllow": {
   218  		authzPolicy: `{
   219  				"name": "authz",
   220  				"allow_rules":
   221  				[
   222  					{
   223  						"name": "allow_UnaryCall",
   224  						"request":
   225  						{
   226  							"paths":
   227  							[
   228  								"/grpc.testing.TestService/UnaryCall"
   229  							]
   230  						}
   231  					},
   232  					{
   233  						"name": "allow_StreamingInputCall",
   234  						"request":
   235  						{
   236  							"paths":
   237  							[
   238  								"/grpc.testing.TestService/StreamingInputCall"
   239  							]
   240  						}
   241  					}
   242  				]
   243  			}`,
   244  		wantStatus: status.New(codes.OK, ""),
   245  	},
   246  	"DeniesRPCEmptyDenyNoMatchInAllow": {
   247  		authzPolicy: `{
   248  				"name": "authz",
   249  				"allow_rules":
   250  				[
   251  					{
   252  						"name": "allow_StreamingOutputCall",
   253  						"request": 
   254  						{
   255  							"paths":
   256  							[
   257  								"/grpc.testing.TestService/StreamingOutputCall"
   258  							]
   259  						}
   260  					}
   261  				]
   262  			}`,
   263  		wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
   264  	},
   265  	"DeniesRPCRequestWithPrincipalsFieldOnUnauthenticatedConnection": {
   266  		authzPolicy: `{
   267  				"name": "authz",
   268  				"allow_rules":
   269  				[
   270  					{
   271  						"name": "allow_authenticated",
   272  						"source": {
   273  							"principals": ["*", ""]
   274  						}
   275  					}
   276  				]
   277  			}`,
   278  		wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
   279  	},
   280  	"DeniesRPCRequestNoMatchInAllowFailsPresenceMatch": {
   281  		authzPolicy: `{
   282  				"name": "authz",
   283  				"allow_rules":
   284  				[
   285  					{
   286  						"name": "allow_TestServiceCalls",
   287  						"request": {
   288  							"paths":
   289  							[
   290  								"/grpc.testing.TestService/*"
   291  							],
   292  							"headers":
   293  							[
   294  								{
   295  									"key": "key-abc",
   296  									"values":
   297  									[
   298  										"*"
   299  									]
   300  								}
   301  							]
   302  						}
   303  					}
   304  				]
   305  			}`,
   306  		md:         metadata.Pairs("key-abc", ""),
   307  		wantStatus: status.New(codes.PermissionDenied, "unauthorized RPC request rejected"),
   308  	},
   309  }
   310  
   311  func (s) TestSDKStaticPolicyEnd2End(t *testing.T) {
   312  	for name, test := range sdkTests {
   313  		t.Run(name, func(t *testing.T) {
   314  			// Start a gRPC server with SDK unary and stream server interceptors.
   315  			i, _ := authz.NewStatic(test.authzPolicy)
   316  			s := grpc.NewServer(
   317  				grpc.ChainUnaryInterceptor(i.UnaryInterceptor),
   318  				grpc.ChainStreamInterceptor(i.StreamInterceptor))
   319  			defer s.Stop()
   320  			pb.RegisterTestServiceServer(s, &testServer{})
   321  
   322  			lis, err := net.Listen("tcp", "localhost:0")
   323  			if err != nil {
   324  				t.Fatalf("error listening: %v", err)
   325  			}
   326  			go s.Serve(lis)
   327  
   328  			// Establish a connection to the server.
   329  			clientConn, err := grpc.Dial(lis.Addr().String(), grpc.WithInsecure())
   330  			if err != nil {
   331  				t.Fatalf("grpc.Dial(%v) failed: %v", lis.Addr().String(), err)
   332  			}
   333  			defer clientConn.Close()
   334  			client := pb.NewTestServiceClient(clientConn)
   335  
   336  			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
   337  			defer cancel()
   338  			ctx = metadata.NewOutgoingContext(ctx, test.md)
   339  
   340  			// Verifying authorization decision for Unary RPC.
   341  			_, err = client.UnaryCall(ctx, &pb.SimpleRequest{})
   342  			if got := status.Convert(err); got.Code() != test.wantStatus.Code() || got.Message() != test.wantStatus.Message() {
   343  				t.Fatalf("[UnaryCall] error want:{%v} got:{%v}", test.wantStatus.Err(), got.Err())
   344  			}
   345  
   346  			// Verifying authorization decision for Streaming RPC.
   347  			stream, err := client.StreamingInputCall(ctx)
   348  			if err != nil {
   349  				t.Fatalf("failed StreamingInputCall err: %v", err)
   350  			}
   351  			req := &pb.StreamingInputCallRequest{
   352  				Payload: &pb.Payload{
   353  					Body: []byte("hi"),
   354  				},
   355  			}
   356  			if err := stream.Send(req); err != nil && err != io.EOF {
   357  				t.Fatalf("failed stream.Send err: %v", err)
   358  			}
   359  			_, err = stream.CloseAndRecv()
   360  			if got := status.Convert(err); got.Code() != test.wantStatus.Code() || got.Message() != test.wantStatus.Message() {
   361  				t.Fatalf("[StreamingCall] error want:{%v} got:{%v}", test.wantStatus.Err(), got.Err())
   362  			}
   363  		})
   364  	}
   365  }
   366  
   367  func (s) TestSDKAllowsRPCRequestWithPrincipalsFieldOnTLSAuthenticatedConnection(t *testing.T) {
   368  	authzPolicy := `{
   369  				"name": "authz",
   370  				"allow_rules":
   371  				[
   372  					{
   373  						"name": "allow_authenticated",
   374  						"source": {
   375  							"principals": ["*", ""]
   376  						}
   377  					}
   378  				]
   379  			}`
   380  	// Start a gRPC server with SDK unary server interceptor.
   381  	i, _ := authz.NewStatic(authzPolicy)
   382  	creds, err := credentials.NewServerTLSFromFile(testdata.Path("x509/server1_cert.pem"), testdata.Path("x509/server1_key.pem"))
   383  	if err != nil {
   384  		t.Fatalf("failed to generate credentials: %v", err)
   385  	}
   386  	s := grpc.NewServer(
   387  		grpc.Creds(creds),
   388  		grpc.ChainUnaryInterceptor(i.UnaryInterceptor))
   389  	defer s.Stop()
   390  	pb.RegisterTestServiceServer(s, &testServer{})
   391  
   392  	lis, err := net.Listen("tcp", "localhost:0")
   393  	if err != nil {
   394  		t.Fatalf("error listening: %v", err)
   395  	}
   396  	go s.Serve(lis)
   397  
   398  	// Establish a connection to the server.
   399  	creds, err = credentials.NewClientTLSFromFile(testdata.Path("x509/server_ca_cert.pem"), "x.test.example.com")
   400  	if err != nil {
   401  		t.Fatalf("failed to load credentials: %v", err)
   402  	}
   403  	clientConn, err := grpc.Dial(lis.Addr().String(), grpc.WithTransportCredentials(creds))
   404  	if err != nil {
   405  		t.Fatalf("grpc.Dial(%v) failed: %v", lis.Addr().String(), err)
   406  	}
   407  	defer clientConn.Close()
   408  	client := pb.NewTestServiceClient(clientConn)
   409  
   410  	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
   411  	defer cancel()
   412  
   413  	// Verifying authorization decision.
   414  	if _, err = client.UnaryCall(ctx, &pb.SimpleRequest{}); err != nil {
   415  		t.Fatalf("client.UnaryCall(_, _) = %v; want nil", err)
   416  	}
   417  }
   418  
   419  func (s) TestSDKAllowsRPCRequestWithPrincipalsFieldOnMTLSAuthenticatedConnection(t *testing.T) {
   420  	authzPolicy := `{
   421  				"name": "authz",
   422  				"allow_rules":
   423  				[
   424  					{
   425  						"name": "allow_authenticated",
   426  						"source": {
   427  							"principals": ["*", ""]
   428  						}
   429  					}
   430  				]
   431  			}`
   432  	// Start a gRPC server with SDK unary server interceptor.
   433  	i, _ := authz.NewStatic(authzPolicy)
   434  	cert, err := tls.LoadX509KeyPair(testdata.Path("x509/server1_cert.pem"), testdata.Path("x509/server1_key.pem"))
   435  	if err != nil {
   436  		t.Fatalf("tls.LoadX509KeyPair(x509/server1_cert.pem, x509/server1_key.pem) failed: %v", err)
   437  	}
   438  	ca, err := ioutil.ReadFile(testdata.Path("x509/client_ca_cert.pem"))
   439  	if err != nil {
   440  		t.Fatalf("ioutil.ReadFile(x509/client_ca_cert.pem) failed: %v", err)
   441  	}
   442  	certPool := x509.NewCertPool()
   443  	if !certPool.AppendCertsFromPEM(ca) {
   444  		t.Fatal("failed to append certificates")
   445  	}
   446  	creds := credentials.NewTLS(&tls.Config{
   447  		ClientAuth:   tls.RequireAndVerifyClientCert,
   448  		Certificates: []tls.Certificate{cert},
   449  		ClientCAs:    certPool,
   450  	})
   451  	s := grpc.NewServer(
   452  		grpc.Creds(creds),
   453  		grpc.ChainUnaryInterceptor(i.UnaryInterceptor))
   454  	defer s.Stop()
   455  	pb.RegisterTestServiceServer(s, &testServer{})
   456  
   457  	lis, err := net.Listen("tcp", "localhost:0")
   458  	if err != nil {
   459  		t.Fatalf("error listening: %v", err)
   460  	}
   461  	go s.Serve(lis)
   462  
   463  	// Establish a connection to the server.
   464  	cert, err = tls.LoadX509KeyPair(testdata.Path("x509/client1_cert.pem"), testdata.Path("x509/client1_key.pem"))
   465  	if err != nil {
   466  		t.Fatalf("tls.LoadX509KeyPair(x509/client1_cert.pem, x509/client1_key.pem) failed: %v", err)
   467  	}
   468  	ca, err = ioutil.ReadFile(testdata.Path("x509/server_ca_cert.pem"))
   469  	if err != nil {
   470  		t.Fatalf("ioutil.ReadFile(x509/server_ca_cert.pem) failed: %v", err)
   471  	}
   472  	roots := x509.NewCertPool()
   473  	if !roots.AppendCertsFromPEM(ca) {
   474  		t.Fatal("failed to append certificates")
   475  	}
   476  	creds = credentials.NewTLS(&tls.Config{
   477  		Certificates: []tls.Certificate{cert},
   478  		RootCAs:      roots,
   479  		ServerName:   "x.test.example.com",
   480  	})
   481  	clientConn, err := grpc.Dial(lis.Addr().String(), grpc.WithTransportCredentials(creds))
   482  	if err != nil {
   483  		t.Fatalf("grpc.Dial(%v) failed: %v", lis.Addr().String(), err)
   484  	}
   485  	defer clientConn.Close()
   486  	client := pb.NewTestServiceClient(clientConn)
   487  
   488  	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
   489  	defer cancel()
   490  
   491  	// Verifying authorization decision.
   492  	if _, err = client.UnaryCall(ctx, &pb.SimpleRequest{}); err != nil {
   493  		t.Fatalf("client.UnaryCall(_, _) = %v; want nil", err)
   494  	}
   495  }
   496  
   497  func (s) TestSDKFileWatcherEnd2End(t *testing.T) {
   498  	for name, test := range sdkTests {
   499  		t.Run(name, func(t *testing.T) {
   500  			file := createTmpPolicyFile(t, name, []byte(test.authzPolicy))
   501  			i, _ := authz.NewFileWatcher(file, 1*time.Second)
   502  			defer i.Close()
   503  
   504  			// Start a gRPC server with SDK unary and stream server interceptors.
   505  			s := grpc.NewServer(
   506  				grpc.ChainUnaryInterceptor(i.UnaryInterceptor),
   507  				grpc.ChainStreamInterceptor(i.StreamInterceptor))
   508  			defer s.Stop()
   509  			pb.RegisterTestServiceServer(s, &testServer{})
   510  
   511  			lis, err := net.Listen("tcp", "localhost:0")
   512  			if err != nil {
   513  				t.Fatalf("error listening: %v", err)
   514  			}
   515  			defer lis.Close()
   516  			go s.Serve(lis)
   517  
   518  			// Establish a connection to the server.
   519  			clientConn, err := grpc.Dial(lis.Addr().String(), grpc.WithInsecure())
   520  			if err != nil {
   521  				t.Fatalf("grpc.Dial(%v) failed: %v", lis.Addr().String(), err)
   522  			}
   523  			defer clientConn.Close()
   524  			client := pb.NewTestServiceClient(clientConn)
   525  
   526  			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
   527  			defer cancel()
   528  			ctx = metadata.NewOutgoingContext(ctx, test.md)
   529  
   530  			// Verifying authorization decision for Unary RPC.
   531  			_, err = client.UnaryCall(ctx, &pb.SimpleRequest{})
   532  			if got := status.Convert(err); got.Code() != test.wantStatus.Code() || got.Message() != test.wantStatus.Message() {
   533  				t.Fatalf("[UnaryCall] error want:{%v} got:{%v}", test.wantStatus.Err(), got.Err())
   534  			}
   535  
   536  			// Verifying authorization decision for Streaming RPC.
   537  			stream, err := client.StreamingInputCall(ctx)
   538  			if err != nil {
   539  				t.Fatalf("failed StreamingInputCall err: %v", err)
   540  			}
   541  			req := &pb.StreamingInputCallRequest{
   542  				Payload: &pb.Payload{
   543  					Body: []byte("hi"),
   544  				},
   545  			}
   546  			if err := stream.Send(req); err != nil && err != io.EOF {
   547  				t.Fatalf("failed stream.Send err: %v", err)
   548  			}
   549  			_, err = stream.CloseAndRecv()
   550  			if got := status.Convert(err); got.Code() != test.wantStatus.Code() || got.Message() != test.wantStatus.Message() {
   551  				t.Fatalf("[StreamingCall] error want:{%v} got:{%v}", test.wantStatus.Err(), got.Err())
   552  			}
   553  		})
   554  	}
   555  }
   556  
   557  func retryUntil(ctx context.Context, tsc pb.TestServiceClient, want *status.Status) (lastErr error) {
   558  	for ctx.Err() == nil {
   559  		_, lastErr = tsc.UnaryCall(ctx, &pb.SimpleRequest{})
   560  		if s := status.Convert(lastErr); s.Code() == want.Code() && s.Message() == want.Message() {
   561  			return nil
   562  		}
   563  		time.Sleep(20 * time.Millisecond)
   564  	}
   565  	return lastErr
   566  }
   567  
   568  func (s) TestSDKFileWatcher_ValidPolicyRefresh(t *testing.T) {
   569  	valid1 := sdkTests["DeniesRPCMatchInDenyAndAllow"]
   570  	file := createTmpPolicyFile(t, "valid_policy_refresh", []byte(valid1.authzPolicy))
   571  	i, _ := authz.NewFileWatcher(file, 100*time.Millisecond)
   572  	defer i.Close()
   573  
   574  	// Start a gRPC server with SDK unary server interceptor.
   575  	s := grpc.NewServer(
   576  		grpc.ChainUnaryInterceptor(i.UnaryInterceptor))
   577  	defer s.Stop()
   578  	pb.RegisterTestServiceServer(s, &testServer{})
   579  
   580  	lis, err := net.Listen("tcp", "localhost:0")
   581  	if err != nil {
   582  		t.Fatalf("error listening: %v", err)
   583  	}
   584  	defer lis.Close()
   585  	go s.Serve(lis)
   586  
   587  	// Establish a connection to the server.
   588  	clientConn, err := grpc.Dial(lis.Addr().String(), grpc.WithInsecure())
   589  	if err != nil {
   590  		t.Fatalf("grpc.Dial(%v) failed: %v", lis.Addr().String(), err)
   591  	}
   592  	defer clientConn.Close()
   593  	client := pb.NewTestServiceClient(clientConn)
   594  
   595  	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
   596  	defer cancel()
   597  
   598  	// Verifying authorization decision.
   599  	_, err = client.UnaryCall(ctx, &pb.SimpleRequest{})
   600  	if got := status.Convert(err); got.Code() != valid1.wantStatus.Code() || got.Message() != valid1.wantStatus.Message() {
   601  		t.Fatalf("client.UnaryCall(_, _) = %v; want = %v", got.Err(), valid1.wantStatus.Err())
   602  	}
   603  
   604  	// Rewrite the file with a different valid authorization policy.
   605  	valid2 := sdkTests["AllowsRPCEmptyDenyMatchInAllow"]
   606  	if err := ioutil.WriteFile(file, []byte(valid2.authzPolicy), os.ModePerm); err != nil {
   607  		t.Fatalf("ioutil.WriteFile(%q) failed: %v", file, err)
   608  	}
   609  
   610  	// Verifying authorization decision.
   611  	if got := retryUntil(ctx, client, valid2.wantStatus); got != nil {
   612  		t.Fatalf("client.UnaryCall(_, _) = %v; want = %v", got, valid2.wantStatus.Err())
   613  	}
   614  }
   615  
   616  func (s) TestSDKFileWatcher_InvalidPolicySkipReload(t *testing.T) {
   617  	valid := sdkTests["DeniesRPCMatchInDenyAndAllow"]
   618  	file := createTmpPolicyFile(t, "invalid_policy_skip_reload", []byte(valid.authzPolicy))
   619  	i, _ := authz.NewFileWatcher(file, 20*time.Millisecond)
   620  	defer i.Close()
   621  
   622  	// Start a gRPC server with SDK unary server interceptors.
   623  	s := grpc.NewServer(
   624  		grpc.ChainUnaryInterceptor(i.UnaryInterceptor))
   625  	defer s.Stop()
   626  	pb.RegisterTestServiceServer(s, &testServer{})
   627  
   628  	lis, err := net.Listen("tcp", "localhost:0")
   629  	if err != nil {
   630  		t.Fatalf("error listening: %v", err)
   631  	}
   632  	defer lis.Close()
   633  	go s.Serve(lis)
   634  
   635  	// Establish a connection to the server.
   636  	clientConn, err := grpc.Dial(lis.Addr().String(), grpc.WithInsecure())
   637  	if err != nil {
   638  		t.Fatalf("grpc.Dial(%v) failed: %v", lis.Addr().String(), err)
   639  	}
   640  	defer clientConn.Close()
   641  	client := pb.NewTestServiceClient(clientConn)
   642  
   643  	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
   644  	defer cancel()
   645  
   646  	// Verifying authorization decision.
   647  	_, err = client.UnaryCall(ctx, &pb.SimpleRequest{})
   648  	if got := status.Convert(err); got.Code() != valid.wantStatus.Code() || got.Message() != valid.wantStatus.Message() {
   649  		t.Fatalf("client.UnaryCall(_, _) = %v; want = %v", got.Err(), valid.wantStatus.Err())
   650  	}
   651  
   652  	// Skips the invalid policy update, and continues to use the valid policy.
   653  	if err := ioutil.WriteFile(file, []byte("{}"), os.ModePerm); err != nil {
   654  		t.Fatalf("ioutil.WriteFile(%q) failed: %v", file, err)
   655  	}
   656  
   657  	// Wait 40 ms for background go routine to read updated files.
   658  	time.Sleep(40 * time.Millisecond)
   659  
   660  	// Verifying authorization decision.
   661  	_, err = client.UnaryCall(ctx, &pb.SimpleRequest{})
   662  	if got := status.Convert(err); got.Code() != valid.wantStatus.Code() || got.Message() != valid.wantStatus.Message() {
   663  		t.Fatalf("client.UnaryCall(_, _) = %v; want = %v", got.Err(), valid.wantStatus.Err())
   664  	}
   665  }
   666  
   667  func (s) TestSDKFileWatcher_RecoversFromReloadFailure(t *testing.T) {
   668  	valid1 := sdkTests["DeniesRPCMatchInDenyAndAllow"]
   669  	file := createTmpPolicyFile(t, "recovers_from_reload_failure", []byte(valid1.authzPolicy))
   670  	i, _ := authz.NewFileWatcher(file, 100*time.Millisecond)
   671  	defer i.Close()
   672  
   673  	// Start a gRPC server with SDK unary server interceptors.
   674  	s := grpc.NewServer(
   675  		grpc.ChainUnaryInterceptor(i.UnaryInterceptor))
   676  	defer s.Stop()
   677  	pb.RegisterTestServiceServer(s, &testServer{})
   678  
   679  	lis, err := net.Listen("tcp", "localhost:0")
   680  	if err != nil {
   681  		t.Fatalf("error listening: %v", err)
   682  	}
   683  	defer lis.Close()
   684  	go s.Serve(lis)
   685  
   686  	// Establish a connection to the server.
   687  	clientConn, err := grpc.Dial(lis.Addr().String(), grpc.WithInsecure())
   688  	if err != nil {
   689  		t.Fatalf("grpc.Dial(%v) failed: %v", lis.Addr().String(), err)
   690  	}
   691  	defer clientConn.Close()
   692  	client := pb.NewTestServiceClient(clientConn)
   693  
   694  	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
   695  	defer cancel()
   696  
   697  	// Verifying authorization decision.
   698  	_, err = client.UnaryCall(ctx, &pb.SimpleRequest{})
   699  	if got := status.Convert(err); got.Code() != valid1.wantStatus.Code() || got.Message() != valid1.wantStatus.Message() {
   700  		t.Fatalf("client.UnaryCall(_, _) = %v; want = %v", got.Err(), valid1.wantStatus.Err())
   701  	}
   702  
   703  	// Skips the invalid policy update, and continues to use the valid policy.
   704  	if err := ioutil.WriteFile(file, []byte("{}"), os.ModePerm); err != nil {
   705  		t.Fatalf("ioutil.WriteFile(%q) failed: %v", file, err)
   706  	}
   707  
   708  	// Wait 120 ms for background go routine to read updated files.
   709  	time.Sleep(120 * time.Millisecond)
   710  
   711  	// Verifying authorization decision.
   712  	_, err = client.UnaryCall(ctx, &pb.SimpleRequest{})
   713  	if got := status.Convert(err); got.Code() != valid1.wantStatus.Code() || got.Message() != valid1.wantStatus.Message() {
   714  		t.Fatalf("client.UnaryCall(_, _) = %v; want = %v", got.Err(), valid1.wantStatus.Err())
   715  	}
   716  
   717  	// Rewrite the file with a different valid authorization policy.
   718  	valid2 := sdkTests["AllowsRPCEmptyDenyMatchInAllow"]
   719  	if err := ioutil.WriteFile(file, []byte(valid2.authzPolicy), os.ModePerm); err != nil {
   720  		t.Fatalf("ioutil.WriteFile(%q) failed: %v", file, err)
   721  	}
   722  
   723  	// Verifying authorization decision.
   724  	if got := retryUntil(ctx, client, valid2.wantStatus); got != nil {
   725  		t.Fatalf("client.UnaryCall(_, _) = %v; want = %v", got, valid2.wantStatus.Err())
   726  	}
   727  }