diff --git a/internal/rules/main_test.go b/internal/rules/main_test.go
index 5f09020e6..371b1e704 100644
--- a/internal/rules/main_test.go
+++ b/internal/rules/main_test.go
@@ -37,15 +37,5 @@ func TestMain(m *testing.M) {
 return
 }
- // clean up tables
- {
- for _, name := range []string{"sys_user", "sys_role", "sys_role_member", "sys_organisation", "sys_rules"} {
- _, err := db.Exec("truncate " + name)
- if err != nil {
- panic("Error when clearing " + name + ": " + err.Error())
- }
- }
- }
-
 os.Exit(m.Run())
 }
diff --git a/internal/rules/resource_test.go b/internal/rules/resource_test.go
index e653479cf..262ebf2dd 100644
--- a/internal/rules/resource_test.go
+++ b/internal/rules/resource_test.go
@@ -1,7 +1,6 @@
 package rules
 import (
- "fmt"
 "testing"
 "encoding/json"
@@ -17,8 +16,6 @@ func TestResource(t *testing.T) {
 assert(t, r.String() == "messaging:channel:123", "Resource ID doesn't match, messaging:channel:123 != '%s'", r.String())
 b, _ := json.Marshal(r)
- fmt.Println(string(b))
-
 {
 r := ResourceJSON{}
 json.Unmarshal(b, &r)
diff --git a/internal/rules/resources_test.go b/internal/rules/resources_test.go
index 69b4505c6..cc8dca465 100644
--- a/internal/rules/resources_test.go
+++ b/internal/rules/resources_test.go
@@ -2,9 +2,9 @@ package rules_test
 import (
 "context"
- "fmt"
 "testing"
+ "github.com/pkg/errors"
 "github.com/titpetric/factory"
 "github.com/crusttech/crust/internal/auth"
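Review bot: The new `github.com/pkg/errors` import in resources_test.go is only needed for the `errors.New("Rollback")` sentinel that TestRules uses to force its closure's non-nil return; the standard library `errors` package provides an identical `New`, so a test file does not need a third-party dependency for this. Unless the rest of the package already relies on pkg/errors for wrapping, I would replace the added line with `"errors"` in the stdlib import group. The `"fmt"` removal is correct — `fmt.Sprintf` no longer appears in the rewritten test.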
@@ -15,122 +15,135 @@ import (
 )
 func TestRules(t *testing.T) {
- user := &types.User{ID: 1337}
- ctx := auth.SetIdentityToContext(context.Background(), user)
-
- db := factory.Database.MustGet()
-
- roleID := uint64(123456)
-
- db.Insert("sys_user", user)
- db.Insert("sys_role", types.Role{ID: roleID, Name: fmt.Sprintf("Role %d", roleID)})
- db.Insert("sys_role_member", types.RoleMember{RoleID: roleID, UserID: user.ID})
-
 Expect := func(expected rules.Access, actual rules.Access, format string, params ...interface{}) {
 Assert(t, expected == actual, format, params...)
 }
+ // Create test user and role.
+ user := &types.User{ID: 1337}
+ role := &types.Role{ID: 123456, Name: "Test role"}
+
+ // Write user to context.
+ ctx := auth.SetIdentityToContext(context.Background(), user)
+
+ // Connect do DB.
+ db := factory.Database.MustGet()
+
+ // Create resources interface.
 resources := rules.NewResources(ctx, db)
- // delete all for test roleID = 123456
- {
- err := resources.Delete(roleID)
- NoError(t, err, "expected no error")
- }
+ // Run test with savepoint.
+ err := func() error {
+ db.Exec("SAVEPOINT rules_test")
- // default (unset=deny), forbidden check ...:*
- {
- Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
- Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
- }
+ db.Insert("sys_user", user)
+ db.Insert("sys_role", role)
+ db.Insert("sys_role_member", types.RoleMember{RoleID: role.ID, UserID: user.ID})
- // allow messaging:channel:2 update,delete
- {
- list := []rules.Rule{
- rules.Rule{Resource: "messaging:channel:2", Operation: "update", Value: rules.Allow},
- rules.Rule{Resource: "messaging:channel:2", Operation: "delete", Value: rules.Allow},
+ // delete all for test roleID = 123456
+ {
+ err := resources.Delete(role.ID)
+ NoError(t, err, "expected no error")
 }
- err := resources.Grant(roleID, list)
- NoError(t, err, "expect no error")
- Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
- Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
- Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
- }
-
- // list grants for test role
- {
- grants, err := resources.Read(roleID)
- NoError(t, err, "expect no error")
- Assert(t, len(grants) == 2, "expected 2 grants")
-
- for _, grant := range grants {
- Assert(t, grant.RoleID == roleID, "expected RoleID == 123456, got %v", grant.RoleID)
- Assert(t, grant.Resource == "messaging:channel:2", "expected Resource == messaging:channel:2, got %s", grant.Resource)
- Assert(t, grant.Value == rules.Allow, "expected Value == Allow, got %s", grant.Value)
+ // default (unset=deny), forbidden check ...:*
+ {
+ Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
+ Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
 }
- }
- // deny messaging:channel:1 update
- {
- list := []rules.Rule{
- rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Deny},
+ // allow messaging:channel:2 update,delete
+ {
+ list := []rules.Rule{
+ rules.Rule{Resource: "messaging:channel:2", Operation: "update", Value: rules.Allow},
+ rules.Rule{Resource: "messaging:channel:2", Operation: "delete", Value: rules.Allow},
+ }
+ err := resources.Grant(role.ID, list)
+ NoError(t, err, "expect no error")
+
+ Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
+ Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
+ Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
 }
- err := resources.Grant(roleID, list)
- NoError(t, err, "expect no error")
- Expect(rules.Deny, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Deny")
- Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
- Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
- }
+ // list grants for test role
+ {
+ grants, err := resources.Read(role.ID)
+ NoError(t, err, "expect no error")
+ Assert(t, len(grants) == 2, "expected 2 grants")
- // reset messaging:channel:1, messaging:channel:2
- {
- list := []rules.Rule{
- rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Inherit},
- rules.Rule{Resource: "messaging:channel:1", Operation: "delete", Value: rules.Inherit},
- rules.Rule{Resource: "messaging:channel:2", Operation: "update", Value: rules.Inherit},
- rules.Rule{Resource: "messaging:channel:2", Operation: "delete", Value: rules.Inherit},
+ for _, grant := range grants {
+ Assert(t, grant.RoleID == role.ID, "expected RoleID == 123456, got %v", grant.RoleID)
+ Assert(t, grant.Resource == "messaging:channel:2", "expected Resource == messaging:channel:2, got %s", grant.Resource)
+ Assert(t, grant.Value == rules.Allow, "expected Value == Allow, got %s", grant.Value)
+ }
 }
- err := resources.Grant(roleID, list)
- NoError(t, err, "expect no error")
- Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
- Expect(rules.Inherit, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Inherit")
- }
+ // deny messaging:channel:1 update
+ {
+ list := []rules.Rule{
+ rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Deny},
+ }
+ err := resources.Grant(role.ID, list)
+ NoError(t, err, "expect no error")
- // [messaging:channel:*,update] - allow, [messaging:channel:1, deny]
- {
- list := []rules.Rule{
- rules.Rule{Resource: "messaging:channel:*", Operation: "update", Value: rules.Allow},
- rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Deny},
- rules.Rule{Resource: "messaging:channel:2", Operation: "update"},
- rules.Rule{Resource: "system", Operation: "organisation.create", Value: rules.Allow},
+ Expect(rules.Deny, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Deny")
+ Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
+ Expect(rules.Deny, resources.Check("messaging:channel:*", "update"), "messaging:channel:* update - Deny")
 }
- err := resources.Grant(roleID, list)
- NoError(t, err, "expected no error")
- Expect(rules.Deny, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Deny")
- Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
- }
+ // reset messaging:channel:1, messaging:channel:2
+ {
+ list := []rules.Rule{
+ rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Inherit},
+ rules.Rule{Resource: "messaging:channel:1", Operation: "delete", Value: rules.Inherit},
+ rules.Rule{Resource: "messaging:channel:2", Operation: "update", Value: rules.Inherit},
+ rules.Rule{Resource: "messaging:channel:2", Operation: "delete", Value: rules.Inherit},
+ }
+ err := resources.Grant(role.ID, list)
+ NoError(t, err, "expect no error")
- // list all by roleID
- {
- grants, err := resources.Read(roleID)
- NoError(t, err, "expected no error")
- Assert(t, len(grants) == 3, "expected grants == 3, got %v", len(grants))
- }
+ Expect(rules.Inherit, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Inherit")
+ Expect(rules.Inherit, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Inherit")
+ }
- // delete all by roleID
- {
- err := resources.Delete(roleID)
- NoError(t, err, "expected no error")
- }
+ // [messaging:channel:*,update] - allow, [messaging:channel:1, deny]
+ {
+ list := []rules.Rule{
+ rules.Rule{Resource: "messaging:channel:*", Operation: "update", Value: rules.Allow},
+ rules.Rule{Resource: "messaging:channel:1", Operation: "update", Value: rules.Deny},
+ rules.Rule{Resource: "messaging:channel:2", Operation: "update"},
+ rules.Rule{Resource: "system", Operation: "organisation.create", Value: rules.Allow},
+ }
+ err := resources.Grant(role.ID, list)
+ NoError(t, err, "expected no error")
- // list all by roleID
- {
- grants, err := resources.Read(roleID)
- NoError(t, err, "expected no error")
- Assert(t, len(grants) == 0, "expected grants == 0, got %v", len(grants))
+ Expect(rules.Deny, resources.Check("messaging:channel:1", "update"), "messaging:channel:1 update - Deny")
+ Expect(rules.Allow, resources.Check("messaging:channel:2", "update"), "messaging:channel:2 update - Allow")
+ }
+
+ // list all by roleID
+ {
+ grants, err := resources.Read(role.ID)
+ NoError(t, err, "expected no error")
+ Assert(t, len(grants) == 3, "expected grants == 3, got %v", len(grants))
+ }
+
+ // delete all by roleID
+ {
+ err := resources.Delete(role.ID)
+ NoError(t, err, "expected no error")
+ }
+
+ // list all by roleID
+ {
+ grants, err := resources.Read(role.ID)
+ NoError(t, err, "expected no error")
+ Assert(t, len(grants) == 0, "expected grants == 0, got %v", len(grants))
+ }
+ return errors.New("Rollback")
+ }()
+ if err != nil {
+ db.Exec("ROLLBACK TO SAVEPOINT rules_test")
 }
 }
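Review bot: Test isolation now rests entirely on `db.Exec("SAVEPOINT rules_test")` and the later `ROLLBACK TO SAVEPOINT`, but both results are discarded and no transaction is opened first; PostgreSQL rejects a savepoint outside a transaction block and MySQL ignores one under autocommit, and if `factory.Database.MustGet()` hands out pooled connections the two statements are not even guaranteed to run on the same one. Because this commit also drops the TRUNCATE loop from TestMain, the `sys_user`/`sys_role`/`sys_role_member` rows with the fixed IDs 1337 and 123456 can outlive a run, and the three unchecked `db.Insert` calls would then fail on duplicate keys while the assertions continue against whatever state the previous run left. I would open an explicit transaction, hand it to `rules.NewResources` (assuming the factory transaction handle exposes the same Insert/Exec surface — confirm against its API), and assert on every Insert/Exec result; the always-non-nil `errors.New("Rollback")` return and the `if err != nil` guard can then go, since a deferred `Rollback()` covers every exit path including a failed assertion. The whole of TestRules is inside this hunk; the grant/check/read/delete blocks are unchanged in the sketch below.
```go
	// Run the whole fixture inside one real transaction so no rows outlive the
	// test (TestMain no longer truncates these tables).
	// NOTE(review): db.Begin and passing tx to NewResources assume factory's
	// transaction type exposes the same Insert/Exec surface — confirm.
	tx, err := db.Begin()
	NoError(t, err, "expected no error starting transaction")
	defer tx.Rollback() // always roll back; the test must leave nothing behind

	// Fixture rows: check every result so a duplicate key here fails loudly
	// instead of letting the assertions run against stale data.
	if _, err := tx.Insert("sys_user", user); err != nil {
		t.Fatalf("inserting test user: %v", err)
	}
	// … same check for sys_role and sys_role_member …

	resources := rules.NewResources(ctx, tx)

	// … unchanged: delete / grant / check / read blocks, now without the
	//     savepoint closure, the errors.New("Rollback") return and the
	//     ROLLBACK TO SAVEPOINT call …
```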