Auth Rules tests & bug fixes

This commit is contained in:
Ben Toogood 2020-05-22 09:31:15 +01:00
parent 1fce0f02b6
commit b2cf501952
2 changed files with 292 additions and 2 deletions

View File

@ -65,14 +65,14 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
// this rule applies to any account // this rule applies to any account
if rule.Scope == "*" && rule.Access == auth.AccessDenied { if rule.Scope == "*" && rule.Access == auth.AccessDenied {
return auth.ErrForbidden return auth.ErrForbidden
} else if rule.Scope == "" && rule.Access == auth.AccessGranted { } else if rule.Scope == "*" && rule.Access == auth.AccessGranted {
return nil return nil
} }
// if the account has the necessary scope // if the account has the necessary scope
if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied { if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied {
return auth.ErrForbidden return auth.ErrForbidden
} else if rule.Scope == "" && rule.Access == auth.AccessGranted { } else if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessGranted {
return nil return nil
} }
} }

290
auth/rules/rules_test.go Normal file
View File

@ -0,0 +1,290 @@
package rules
import (
"testing"
"github.com/micro/go-micro/v2/auth"
)
func TestVerify(t *testing.T) {
srvResource := &auth.Resource{
Type: "service",
Name: "go.micro.service.foo",
Endpoint: "Foo.Bar",
}
webResource := &auth.Resource{
Type: "service",
Name: "go.micro.web.foo",
Endpoint: "/foo/bar",
}
catchallResource := &auth.Resource{
Type: "*",
Name: "*",
Endpoint: "*",
}
tt := []struct {
Name string
Rules []*auth.Rule
Account *auth.Account
Resource *auth.Resource
Error error
}{
{
Name: "NoRules",
Rules: []*auth.Rule{},
Account: nil,
Resource: srvResource,
Error: auth.ErrForbidden,
},
{
Name: "CatchallPublicAccount",
Account: &auth.Account{},
Resource: srvResource,
Rules: []*auth.Rule{
&auth.Rule{
Scope: "",
Resource: catchallResource,
},
},
},
{
Name: "CatchallPublicNoAccount",
Resource: srvResource,
Rules: []*auth.Rule{
&auth.Rule{
Scope: "",
Resource: catchallResource,
},
},
},
{
Name: "CatchallPrivateAccount",
Account: &auth.Account{},
Resource: srvResource,
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: catchallResource,
},
},
},
{
Name: "CatchallPrivateNoAccount",
Resource: srvResource,
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: catchallResource,
},
},
Error: auth.ErrForbidden,
},
{
Name: "CatchallServiceRuleMatch",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: &auth.Resource{
Type: srvResource.Type,
Name: srvResource.Name,
Endpoint: "*",
},
},
},
},
{
Name: "CatchallServiceRuleNoMatch",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: &auth.Resource{
Type: srvResource.Type,
Name: "wrongname",
Endpoint: "*",
},
},
},
Error: auth.ErrForbidden,
},
{
Name: "ExactRuleValidScope",
Resource: srvResource,
Account: &auth.Account{
Scopes: []string{"neededscope"},
},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "neededscope",
Resource: srvResource,
},
},
},
{
Name: "ExactRuleInvalidScope",
Resource: srvResource,
Account: &auth.Account{
Scopes: []string{"neededscope"},
},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "invalidscope",
Resource: srvResource,
},
},
Error: auth.ErrForbidden,
},
{
Name: "CatchallDenyWithAccount",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessDenied,
},
},
Error: auth.ErrForbidden,
},
{
Name: "CatchallDenyWithNoAccount",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessDenied,
},
},
Error: auth.ErrForbidden,
},
{
Name: "RulePriorityGrantFirst",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessGranted,
Priority: 1,
},
&auth.Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessDenied,
Priority: 0,
},
},
},
{
Name: "RulePriorityDenyFirst",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessGranted,
Priority: 0,
},
&auth.Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessDenied,
Priority: 1,
},
},
Error: auth.ErrForbidden,
},
{
Name: "WebExactEndpointValid",
Resource: webResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: webResource,
},
},
},
{
Name: "WebExactEndpointInalid",
Resource: webResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: &auth.Resource{
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "invalidendpoint",
},
},
},
Error: auth.ErrForbidden,
},
{
Name: "WebWildcardEndpoint",
Resource: webResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: &auth.Resource{
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "*",
},
},
},
},
{
Name: "WebWildcardPathEndpointValid",
Resource: webResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: &auth.Resource{
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "/foo/*",
},
},
},
},
{
Name: "WebWildcardPathEndpointInvalid",
Resource: webResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Scope: "*",
Resource: &auth.Resource{
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "/bar/*",
},
},
},
Error: auth.ErrForbidden,
},
}
for _, tc := range tt {
t.Run(tc.Name, func(t *testing.T) {
if err := Verify(tc.Rules, tc.Account, tc.Resource); err != tc.Error {
t.Errorf("Expected %v but got %v", tc.Error, err)
}
})
}
}