micro/auth/rules_test.go

289 lines
5.2 KiB
Go
Raw Normal View History

2020-07-19 13:12:03 +01:00
package auth
2020-05-22 09:31:15 +01:00
import (
"testing"
)
func TestVerify(t *testing.T) {
2020-07-19 13:12:03 +01:00
srvResource := &Resource{
2020-05-22 09:31:15 +01:00
Type: "service",
Name: "go.micro.service.foo",
Endpoint: "Foo.Bar",
}
2020-07-19 13:12:03 +01:00
webResource := &Resource{
2020-05-22 09:31:15 +01:00
Type: "service",
Name: "go.micro.web.foo",
Endpoint: "/foo/bar",
}
2020-07-19 13:12:03 +01:00
catchallResource := &Resource{
2020-05-22 09:31:15 +01:00
Type: "*",
Name: "*",
Endpoint: "*",
}
tt := []struct {
Name string
2020-07-19 13:12:03 +01:00
Rules []*Rule
Account *Account
Resource *Resource
2020-05-22 09:31:15 +01:00
Error error
}{
{
Name: "NoRules",
2020-07-19 13:12:03 +01:00
Rules: []*Rule{},
2020-05-22 09:31:15 +01:00
Account: nil,
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Error: ErrForbidden,
2020-05-22 09:31:15 +01:00
},
{
Name: "CatchallPublicAccount",
2020-07-19 13:12:03 +01:00
Account: &Account{},
2020-05-22 09:31:15 +01:00
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "",
Resource: catchallResource,
},
},
},
{
Name: "CatchallPublicNoAccount",
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "",
Resource: catchallResource,
},
},
},
{
Name: "CatchallPrivateAccount",
2020-07-19 13:12:03 +01:00
Account: &Account{},
2020-05-22 09:31:15 +01:00
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
Resource: catchallResource,
},
},
},
{
Name: "CatchallPrivateNoAccount",
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
Resource: catchallResource,
},
},
2020-07-19 13:12:03 +01:00
Error: ErrForbidden,
2020-05-22 09:31:15 +01:00
},
{
Name: "CatchallServiceRuleMatch",
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
2020-07-19 13:12:03 +01:00
Resource: &Resource{
2020-05-22 09:31:15 +01:00
Type: srvResource.Type,
Name: srvResource.Name,
Endpoint: "*",
},
},
},
},
{
Name: "CatchallServiceRuleNoMatch",
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
2020-07-19 13:12:03 +01:00
Resource: &Resource{
2020-05-22 09:31:15 +01:00
Type: srvResource.Type,
Name: "wrongname",
Endpoint: "*",
},
},
},
2020-07-19 13:12:03 +01:00
Error: ErrForbidden,
2020-05-22 09:31:15 +01:00
},
{
Name: "ExactRuleValidScope",
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Account: &Account{
2020-05-22 09:31:15 +01:00
Scopes: []string{"neededscope"},
},
2020-07-19 13:12:03 +01:00
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "neededscope",
Resource: srvResource,
},
},
},
{
Name: "ExactRuleInvalidScope",
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Account: &Account{
2020-05-22 09:31:15 +01:00
Scopes: []string{"neededscope"},
},
2020-07-19 13:12:03 +01:00
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "invalidscope",
Resource: srvResource,
},
},
2020-07-19 13:12:03 +01:00
Error: ErrForbidden,
2020-05-22 09:31:15 +01:00
},
{
Name: "CatchallDenyWithAccount",
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
Resource: catchallResource,
2020-07-19 13:12:03 +01:00
Access: AccessDenied,
2020-05-22 09:31:15 +01:00
},
},
2020-07-19 13:12:03 +01:00
Error: ErrForbidden,
2020-05-22 09:31:15 +01:00
},
{
Name: "CatchallDenyWithNoAccount",
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
Resource: catchallResource,
2020-07-19 13:12:03 +01:00
Access: AccessDenied,
2020-05-22 09:31:15 +01:00
},
},
2020-07-19 13:12:03 +01:00
Error: ErrForbidden,
2020-05-22 09:31:15 +01:00
},
{
Name: "RulePriorityGrantFirst",
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
Resource: catchallResource,
2020-07-19 13:12:03 +01:00
Access: AccessGranted,
2020-05-22 09:31:15 +01:00
Priority: 1,
},
2020-07-19 13:12:03 +01:00
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
Resource: catchallResource,
2020-07-19 13:12:03 +01:00
Access: AccessDenied,
2020-05-22 09:31:15 +01:00
Priority: 0,
},
},
},
{
Name: "RulePriorityDenyFirst",
Resource: srvResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
Resource: catchallResource,
2020-07-19 13:12:03 +01:00
Access: AccessGranted,
2020-05-22 09:31:15 +01:00
Priority: 0,
},
2020-07-19 13:12:03 +01:00
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
Resource: catchallResource,
2020-07-19 13:12:03 +01:00
Access: AccessDenied,
2020-05-22 09:31:15 +01:00
Priority: 1,
},
},
2020-07-19 13:12:03 +01:00
Error: ErrForbidden,
2020-05-22 09:31:15 +01:00
},
{
Name: "WebExactEndpointValid",
Resource: webResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
Resource: webResource,
},
},
},
{
Name: "WebExactEndpointInalid",
Resource: webResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
2020-07-19 13:12:03 +01:00
Resource: &Resource{
2020-05-22 09:31:15 +01:00
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "invalidendpoint",
},
},
},
2020-07-19 13:12:03 +01:00
Error: ErrForbidden,
2020-05-22 09:31:15 +01:00
},
{
Name: "WebWildcardEndpoint",
Resource: webResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
2020-07-19 13:12:03 +01:00
Resource: &Resource{
2020-05-22 09:31:15 +01:00
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "*",
},
},
},
},
{
Name: "WebWildcardPathEndpointValid",
Resource: webResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
2020-07-19 13:12:03 +01:00
Resource: &Resource{
2020-05-22 09:31:15 +01:00
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "/foo/*",
},
},
},
},
{
Name: "WebWildcardPathEndpointInvalid",
Resource: webResource,
2020-07-19 13:12:03 +01:00
Account: &Account{},
Rules: []*Rule{
&Rule{
2020-05-22 09:31:15 +01:00
Scope: "*",
2020-07-19 13:12:03 +01:00
Resource: &Resource{
2020-05-22 09:31:15 +01:00
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "/bar/*",
},
},
},
2020-07-19 13:12:03 +01:00
Error: ErrForbidden,
2020-05-22 09:31:15 +01:00
},
}
for _, tc := range tt {
t.Run(tc.Name, func(t *testing.T) {
2020-07-19 13:12:03 +01:00
if err := VerifyAccess(tc.Rules, tc.Account, tc.Resource); err != tc.Error {
2020-05-22 09:31:15 +01:00
t.Errorf("Expected %v but got %v", tc.Error, err)
}
})
}
}