package rules import ( "testing" "github.com/micro/go-micro/v2/auth" ) func TestVerify(t *testing.T) { srvResource := &auth.Resource{ Type: "service", Name: "go.micro.service.foo", Endpoint: "Foo.Bar", } webResource := &auth.Resource{ Type: "service", Name: "go.micro.web.foo", Endpoint: "/foo/bar", } catchallResource := &auth.Resource{ Type: "*", Name: "*", Endpoint: "*", } tt := []struct { Name string Rules []*auth.Rule Account *auth.Account Resource *auth.Resource Error error }{ { Name: "NoRules", Rules: []*auth.Rule{}, Account: nil, Resource: srvResource, Error: auth.ErrForbidden, }, { Name: "CatchallPublicAccount", Account: &auth.Account{}, Resource: srvResource, Rules: []*auth.Rule{ &auth.Rule{ Scope: "", Resource: catchallResource, }, }, }, { Name: "CatchallPublicNoAccount", Resource: srvResource, Rules: []*auth.Rule{ &auth.Rule{ Scope: "", Resource: catchallResource, }, }, }, { Name: "CatchallPrivateAccount", Account: &auth.Account{}, Resource: srvResource, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: catchallResource, }, }, }, { Name: "CatchallPrivateNoAccount", Resource: srvResource, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: catchallResource, }, }, Error: auth.ErrForbidden, }, { Name: "CatchallServiceRuleMatch", Resource: srvResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: &auth.Resource{ Type: srvResource.Type, Name: srvResource.Name, Endpoint: "*", }, }, }, }, { Name: "CatchallServiceRuleNoMatch", Resource: srvResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: &auth.Resource{ Type: srvResource.Type, Name: "wrongname", Endpoint: "*", }, }, }, Error: auth.ErrForbidden, }, { Name: "ExactRuleValidScope", Resource: srvResource, Account: &auth.Account{ Scopes: []string{"neededscope"}, }, Rules: []*auth.Rule{ &auth.Rule{ Scope: "neededscope", Resource: srvResource, }, }, }, { Name: "ExactRuleInvalidScope", Resource: srvResource, Account: &auth.Account{ Scopes: []string{"neededscope"}, }, Rules: []*auth.Rule{ &auth.Rule{ Scope: "invalidscope", Resource: srvResource, }, }, Error: auth.ErrForbidden, }, { Name: "CatchallDenyWithAccount", Resource: srvResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: catchallResource, Access: auth.AccessDenied, }, }, Error: auth.ErrForbidden, }, { Name: "CatchallDenyWithNoAccount", Resource: srvResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: catchallResource, Access: auth.AccessDenied, }, }, Error: auth.ErrForbidden, }, { Name: "RulePriorityGrantFirst", Resource: srvResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: catchallResource, Access: auth.AccessGranted, Priority: 1, }, &auth.Rule{ Scope: "*", Resource: catchallResource, Access: auth.AccessDenied, Priority: 0, }, }, }, { Name: "RulePriorityDenyFirst", Resource: srvResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: catchallResource, Access: auth.AccessGranted, Priority: 0, }, &auth.Rule{ Scope: "*", Resource: catchallResource, Access: auth.AccessDenied, Priority: 1, }, }, Error: auth.ErrForbidden, }, { Name: "WebExactEndpointValid", Resource: webResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: webResource, }, }, }, { Name: "WebExactEndpointInalid", Resource: webResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: &auth.Resource{ Type: webResource.Type, Name: webResource.Name, Endpoint: "invalidendpoint", }, }, }, Error: auth.ErrForbidden, }, { Name: "WebWildcardEndpoint", Resource: webResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: &auth.Resource{ Type: webResource.Type, Name: webResource.Name, Endpoint: "*", }, }, }, }, { Name: "WebWildcardPathEndpointValid", Resource: webResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: &auth.Resource{ Type: webResource.Type, Name: webResource.Name, Endpoint: "/foo/*", }, }, }, }, { Name: "WebWildcardPathEndpointInvalid", Resource: webResource, Account: &auth.Account{}, Rules: []*auth.Rule{ &auth.Rule{ Scope: "*", Resource: &auth.Resource{ Type: webResource.Type, Name: webResource.Name, Endpoint: "/bar/*", }, }, }, Error: auth.ErrForbidden, }, } for _, tc := range tt { t.Run(tc.Name, func(t *testing.T) { if err := Verify(tc.Rules, tc.Account, tc.Resource); err != tc.Error { t.Errorf("Expected %v but got %v", tc.Error, err) } }) } }