upd(internal): rules test with savepoint
parent
9c4cc0870d
commit
aa39d4e052
@ -37,15 +37,5 @@ func TestMain(m *testing.M) {
|
||||
return
|
||||
}
|
||||
|
||||
// clean up tables
|
||||
{
|
||||
for _, name := range []string{"sys_user", "sys_role", "sys_role_member", "sys_organisation", "sys_rules"} {
|
||||
_, err := db.Exec("truncate " + name)
|
||||
if err != nil {
|
||||
panic("Error when clearing " + name + ": " + err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
os.Exit(m.Run())
|
||||
}
|
||||
|
||||
@ -1,7 +1,6 @@
|
||||
package rules
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
"encoding/json"
|
||||
@ -17,8 +16,6 @@ func TestResource(t *testing.T) {
|
||||
assert(t, r.String() == "messaging:channel:123", "Resource ID doesn't match, messaging:channel:123 != '%s'", r.String())
|
||||
|
||||
b, _ := json.Marshal(r)
|
||||
fmt.Println(string(b))
|
||||
|
||||
{
|
||||
r := ResourceJSON{}
|
||||
json.Unmarshal(b, &r)
|
||||
|
||||
@ -2,9 +2,9 @@ package rules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/titpetric/factory"
|
||||
|
||||
"github.com/crusttech/crust/internal/auth"
|
||||
@ -15,122 +15,135 @@ import (
|
||||
)
|
||||
|
||||
func TestRules(t *testing.T) {
|
||||
user := &types.User{ID: 1337}
|
||||
ctx := auth.SetIdentityToContext(context.Background(), user)
|
||||
|
||||
db := factory.Database.MustGet()
|
||||
|
||||
roleID := uint64(123456)
|
||||
|
||||
db.Insert("sys_user", user)
|
||||
db.Insert("sys_role", types.Role{ID: roleID, Name: fmt.Sprintf("Role %d", roleID)})
|
||||
db.Insert("sys_role_member", types.RoleMember{RoleID: roleID, UserID: user.ID})
|
||||
|
||||
Expect := func(expected rules.Access, actual rules.Access, format string, params ...interface{}) {
|
||||
Assert(t, expected == actual, format, params...)
|
||||
}
|
||||
|
||||
// Create test user and role.
|
||||
user := &types.User{ID: 1337}
|
||||
role := &types.Role{ID: 123456, Name: "Test role"}
|
||||
|
||||
// Write user to context.
|
||||
ctx := auth.SetIdentityToContext(context.Background(), user)
|
||||
|
||||
// Connect do DB.
|
||||
db := factory.Database.MustGet()
|
||||
|
||||
// Create resources interface.
|
||||
resources := rules.NewResources(ctx, db)
|
||||
|
||||
// delete all for test roleID = 123456
|
||||
{
|
||||
err := resources.Delete(roleID)
|
||||
NoError(t, err, "expected no error")
|
||||
}
|
||||
// Run test with savepoint.
|
||||
err := func() error {
|
||||
db.Exec("SAVEPOINT rules_test")
|
||||
|
||||
// default (unset=deny), forbidden check ...:*
|
||||
{
|
||||
Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
|
||||
Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
|
||||
}
|
||||
db.Insert("sys_user", user)
|
||||
db.Insert("sys_role", role)
|
||||
db.Insert("sys_role_member", types.RoleMember{RoleID: role.ID, UserID: user.ID})
|
||||
|
||||
// allow messaging:channel:2 update,delete
|
||||
{
|
||||
list := []rules.Rule{
|
||||
rules.Rule{Resource: "messaging:channel:2", Operation: "update", Value: rules.Allow},
|
||||
rules.Rule{Resource: "messaging:channel:2", Operation: "delete", Value: rules.Allow},
|
||||
// delete all for test roleID = 123456
|
||||
{
|
||||
err := resources.Delete(role.ID)
|
||||
NoError(t, err, "expected no error")
|
||||
}
|
||||
err := resources.Grant(roleID, list)
|
||||
NoError(t, err, "expect no error")
|
||||
|
||||
Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
|
||||
Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
|
||||
Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
|
||||
}
|
||||
|
||||
// list grants for test role
|
||||
{
|
||||
grants, err := resources.Read(roleID)
|
||||
NoError(t, err, "expect no error")
|
||||
Assert(t, len(grants) == 2, "expected 2 grants")
|
||||
|
||||
for _, grant := range grants {
|
||||
Assert(t, grant.RoleID == roleID, "expected RoleID == 123456, got %v", grant.RoleID)
|
||||
Assert(t, grant.Resource == "messaging:channel:2", "expected Resource == messaging:channel:2, got %s", grant.Resource)
|
||||
Assert(t, grant.Value == rules.Allow, "expected Value == Allow, got %s", grant.Value)
|
||||
// default (unset=deny), forbidden check ...:*
|
||||
{
|
||||
Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
|
||||
Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
|
||||
}
|
||||
}
|
||||
|
||||
// deny messaging:channel:1 update
|
||||
{
|
||||
list := []rules.Rule{
|
||||
rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Deny},
|
||||
// allow messaging:channel:2 update,delete
|
||||
{
|
||||
list := []rules.Rule{
|
||||
rules.Rule{Resource: "messaging:channel:2", Operation: "update", Value: rules.Allow},
|
||||
rules.Rule{Resource: "messaging:channel:2", Operation: "delete", Value: rules.Allow},
|
||||
}
|
||||
err := resources.Grant(role.ID, list)
|
||||
NoError(t, err, "expect no error")
|
||||
|
||||
Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
|
||||
Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
|
||||
Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
|
||||
}
|
||||
err := resources.Grant(roleID, list)
|
||||
NoError(t, err, "expect no error")
|
||||
|
||||
Expect(rules.Deny, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Deny")
|
||||
Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
|
||||
Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
|
||||
}
|
||||
// list grants for test role
|
||||
{
|
||||
grants, err := resources.Read(role.ID)
|
||||
NoError(t, err, "expect no error")
|
||||
Assert(t, len(grants) == 2, "expected 2 grants")
|
||||
|
||||
// reset messaging:channel:1, messaging:channel:2
|
||||
{
|
||||
list := []rules.Rule{
|
||||
rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Inherit},
|
||||
rules.Rule{Resource: "messaging:channel:1", Operation: "delete", Value: rules.Inherit},
|
||||
rules.Rule{Resource: "messaging:channel:2", Operation: "update", Value: rules.Inherit},
|
||||
rules.Rule{Resource: "messaging:channel:2", Operation: "delete", Value: rules.Inherit},
|
||||
for _, grant := range grants {
|
||||
Assert(t, grant.RoleID == role.ID, "expected RoleID == 123456, got %v", grant.RoleID)
|
||||
Assert(t, grant.Resource == "messaging:channel:2", "expected Resource == messaging:channel:2, got %s", grant.Resource)
|
||||
Assert(t, grant.Value == rules.Allow, "expected Value == Allow, got %s", grant.Value)
|
||||
}
|
||||
}
|
||||
err := resources.Grant(roleID, list)
|
||||
NoError(t, err, "expect no error")
|
||||
|
||||
Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
|
||||
Expect(rules.Inherit, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Inherit")
|
||||
}
|
||||
// deny messaging:channel:1 update
|
||||
{
|
||||
list := []rules.Rule{
|
||||
rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Deny},
|
||||
}
|
||||
err := resources.Grant(role.ID, list)
|
||||
NoError(t, err, "expect no error")
|
||||
|
||||
// [messaging:channel:*,update] - allow, [messaging:channel:1, deny]
|
||||
{
|
||||
list := []rules.Rule{
|
||||
rules.Rule{Resource: "messaging:channel:*", Operation: "update", Value: rules.Allow},
|
||||
rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Deny},
|
||||
rules.Rule{Resource: "messaging:channel:2", Operation: "update"},
|
||||
rules.Rule{Resource: "system", Operation: "organisation.create", Value: rules.Allow},
|
||||
Expect(rules.Deny, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Deny")
|
||||
Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
|
||||
Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
|
||||
}
|
||||
err := resources.Grant(roleID, list)
|
||||
NoError(t, err, "expected no error")
|
||||
|
||||
Expect(rules.Deny, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Deny")
|
||||
Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
|
||||
}
|
||||
// reset messaging:channel:1, messaging:channel:2
|
||||
{
|
||||
list := []rules.Rule{
|
||||
rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Inherit},
|
||||
rules.Rule{Resource: "messaging:channel:1", Operation: "delete", Value: rules.Inherit},
|
||||
rules.Rule{Resource: "messaging:channel:2", Operation: "update", Value: rules.Inherit},
|
||||
rules.Rule{Resource: "messaging:channel:2", Operation: "delete", Value: rules.Inherit},
|
||||
}
|
||||
err := resources.Grant(role.ID, list)
|
||||
NoError(t, err, "expect no error")
|
||||
|
||||
// list all by roleID
|
||||
{
|
||||
grants, err := resources.Read(roleID)
|
||||
NoError(t, err, "expected no error")
|
||||
Assert(t, len(grants) == 3, "expected grants == 3, got %v", len(grants))
|
||||
}
|
||||
Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
|
||||
Expect(rules.Inherit, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Inherit")
|
||||
}
|
||||
|
||||
// delete all by roleID
|
||||
{
|
||||
err := resources.Delete(roleID)
|
||||
NoError(t, err, "expected no error")
|
||||
}
|
||||
// [messaging:channel:*,update] - allow, [messaging:channel:1, deny]
|
||||
{
|
||||
list := []rules.Rule{
|
||||
rules.Rule{Resource: "messaging:channel:*", Operation: "update", Value: rules.Allow},
|
||||
rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Deny},
|
||||
rules.Rule{Resource: "messaging:channel:2", Operation: "update"},
|
||||
rules.Rule{Resource: "system", Operation: "organisation.create", Value: rules.Allow},
|
||||
}
|
||||
err := resources.Grant(role.ID, list)
|
||||
NoError(t, err, "expected no error")
|
||||
|
||||
// list all by roleID
|
||||
{
|
||||
grants, err := resources.Read(roleID)
|
||||
NoError(t, err, "expected no error")
|
||||
Assert(t, len(grants) == 0, "expected grants == 0, got %v", len(grants))
|
||||
Expect(rules.Deny, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Deny")
|
||||
Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
|
||||
}
|
||||
|
||||
// list all by roleID
|
||||
{
|
||||
grants, err := resources.Read(role.ID)
|
||||
NoError(t, err, "expected no error")
|
||||
Assert(t, len(grants) == 3, "expected grants == 3, got %v", len(grants))
|
||||
}
|
||||
|
||||
// delete all by roleID
|
||||
{
|
||||
err := resources.Delete(role.ID)
|
||||
NoError(t, err, "expected no error")
|
||||
}
|
||||
|
||||
// list all by roleID
|
||||
{
|
||||
grants, err := resources.Read(role.ID)
|
||||
NoError(t, err, "expected no error")
|
||||
Assert(t, len(grants) == 0, "expected grants == 0, got %v", len(grants))
|
||||
}
|
||||
return errors.New("Rollback")
|
||||
}()
|
||||
if err != nil {
|
||||
db.Exec("ROLLBACK TO SAVEPOINT rules_test")
|
||||
}
|
||||
}
|
||||
|
||||
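Review bot: The `db.Exec("SAVEPOINT rules_test")` call at the top of the closure in TestRules and the `db.Exec("ROLLBACK TO SAVEPOINT rules_test")` after it both discard their results, and no transaction is opened anywhere in the visible test, so if `db` is a pooled or autocommit handle the inserted user, role and rule rows may never be rolled back. Since this commit also drops the table truncation from TestMain, leftover `sys_rules` rows would then carry over into later runs and the permission checks would no longer start from a known state. Check both errors, e.g. `if _, err := db.Exec("SAVEPOINT rules_test"); err != nil { t.Fatal(err) }`, and confirm that every statement runs inside one transaction on one connection. Registering the rollback with `defer` right after the savepoint would also cover the case where `NoError` or `Assert` aborts the test mid-closure (their definitions are not shown here); the three `db.Insert` calls ignore their results as well.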