github.com/annwntech/go-micro/v2@v2.9.5/auth/rules/rules_test.go (about) 1 package rules 2 3 import ( 4 "testing" 5 6 "github.com/annwntech/go-micro/v2/auth" 7 ) 8 9 func TestVerify(t *testing.T) { 10 srvResource := &auth.Resource{ 11 Type: "service", 12 Name: "go.micro.service.foo", 13 Endpoint: "Foo.Bar", 14 } 15 16 webResource := &auth.Resource{ 17 Type: "service", 18 Name: "go.micro.web.foo", 19 Endpoint: "/foo/bar", 20 } 21 22 catchallResource := &auth.Resource{ 23 Type: "*", 24 Name: "*", 25 Endpoint: "*", 26 } 27 28 tt := []struct { 29 Name string 30 Rules []*auth.Rule 31 Account *auth.Account 32 Resource *auth.Resource 33 Error error 34 }{ 35 { 36 Name: "NoRules", 37 Rules: []*auth.Rule{}, 38 Account: nil, 39 Resource: srvResource, 40 Error: auth.ErrForbidden, 41 }, 42 { 43 Name: "CatchallPublicAccount", 44 Account: &auth.Account{}, 45 Resource: srvResource, 46 Rules: []*auth.Rule{ 47 &auth.Rule{ 48 Scope: "", 49 Resource: catchallResource, 50 }, 51 }, 52 }, 53 { 54 Name: "CatchallPublicNoAccount", 55 Resource: srvResource, 56 Rules: []*auth.Rule{ 57 &auth.Rule{ 58 Scope: "", 59 Resource: catchallResource, 60 }, 61 }, 62 }, 63 { 64 Name: "CatchallPrivateAccount", 65 Account: &auth.Account{}, 66 Resource: srvResource, 67 Rules: []*auth.Rule{ 68 &auth.Rule{ 69 Scope: "*", 70 Resource: catchallResource, 71 }, 72 }, 73 }, 74 { 75 Name: "CatchallPrivateNoAccount", 76 Resource: srvResource, 77 Rules: []*auth.Rule{ 78 &auth.Rule{ 79 Scope: "*", 80 Resource: catchallResource, 81 }, 82 }, 83 Error: auth.ErrForbidden, 84 }, 85 { 86 Name: "CatchallServiceRuleMatch", 87 Resource: srvResource, 88 Account: &auth.Account{}, 89 Rules: []*auth.Rule{ 90 &auth.Rule{ 91 Scope: "*", 92 Resource: &auth.Resource{ 93 Type: srvResource.Type, 94 Name: srvResource.Name, 95 Endpoint: "*", 96 }, 97 }, 98 }, 99 }, 100 { 101 Name: "CatchallServiceRuleNoMatch", 102 Resource: srvResource, 103 Account: &auth.Account{}, 104 Rules: []*auth.Rule{ 105 &auth.Rule{ 106 Scope: "*", 107 Resource: &auth.Resource{ 108 Type: srvResource.Type, 109 Name: "wrongname", 110 Endpoint: "*", 111 }, 112 }, 113 }, 114 Error: auth.ErrForbidden, 115 }, 116 { 117 Name: "ExactRuleValidScope", 118 Resource: srvResource, 119 Account: &auth.Account{ 120 Scopes: []string{"neededscope"}, 121 }, 122 Rules: []*auth.Rule{ 123 &auth.Rule{ 124 Scope: "neededscope", 125 Resource: srvResource, 126 }, 127 }, 128 }, 129 { 130 Name: "ExactRuleInvalidScope", 131 Resource: srvResource, 132 Account: &auth.Account{ 133 Scopes: []string{"neededscope"}, 134 }, 135 Rules: []*auth.Rule{ 136 &auth.Rule{ 137 Scope: "invalidscope", 138 Resource: srvResource, 139 }, 140 }, 141 Error: auth.ErrForbidden, 142 }, 143 { 144 Name: "CatchallDenyWithAccount", 145 Resource: srvResource, 146 Account: &auth.Account{}, 147 Rules: []*auth.Rule{ 148 &auth.Rule{ 149 Scope: "*", 150 Resource: catchallResource, 151 Access: auth.AccessDenied, 152 }, 153 }, 154 Error: auth.ErrForbidden, 155 }, 156 { 157 Name: "CatchallDenyWithNoAccount", 158 Resource: srvResource, 159 Account: &auth.Account{}, 160 Rules: []*auth.Rule{ 161 &auth.Rule{ 162 Scope: "*", 163 Resource: catchallResource, 164 Access: auth.AccessDenied, 165 }, 166 }, 167 Error: auth.ErrForbidden, 168 }, 169 { 170 Name: "RulePriorityGrantFirst", 171 Resource: srvResource, 172 Account: &auth.Account{}, 173 Rules: []*auth.Rule{ 174 &auth.Rule{ 175 Scope: "*", 176 Resource: catchallResource, 177 Access: auth.AccessGranted, 178 Priority: 1, 179 }, 180 &auth.Rule{ 181 Scope: "*", 182 Resource: catchallResource, 183 Access: auth.AccessDenied, 184 Priority: 0, 185 }, 186 }, 187 }, 188 { 189 Name: "RulePriorityDenyFirst", 190 Resource: srvResource, 191 Account: &auth.Account{}, 192 Rules: []*auth.Rule{ 193 &auth.Rule{ 194 Scope: "*", 195 Resource: catchallResource, 196 Access: auth.AccessGranted, 197 Priority: 0, 198 }, 199 &auth.Rule{ 200 Scope: "*", 201 Resource: catchallResource, 202 Access: auth.AccessDenied, 203 Priority: 1, 204 }, 205 }, 206 Error: auth.ErrForbidden, 207 }, 208 { 209 Name: "WebExactEndpointValid", 210 Resource: webResource, 211 Account: &auth.Account{}, 212 Rules: []*auth.Rule{ 213 &auth.Rule{ 214 Scope: "*", 215 Resource: webResource, 216 }, 217 }, 218 }, 219 { 220 Name: "WebExactEndpointInalid", 221 Resource: webResource, 222 Account: &auth.Account{}, 223 Rules: []*auth.Rule{ 224 &auth.Rule{ 225 Scope: "*", 226 Resource: &auth.Resource{ 227 Type: webResource.Type, 228 Name: webResource.Name, 229 Endpoint: "invalidendpoint", 230 }, 231 }, 232 }, 233 Error: auth.ErrForbidden, 234 }, 235 { 236 Name: "WebWildcardEndpoint", 237 Resource: webResource, 238 Account: &auth.Account{}, 239 Rules: []*auth.Rule{ 240 &auth.Rule{ 241 Scope: "*", 242 Resource: &auth.Resource{ 243 Type: webResource.Type, 244 Name: webResource.Name, 245 Endpoint: "*", 246 }, 247 }, 248 }, 249 }, 250 { 251 Name: "WebWildcardPathEndpointValid", 252 Resource: webResource, 253 Account: &auth.Account{}, 254 Rules: []*auth.Rule{ 255 &auth.Rule{ 256 Scope: "*", 257 Resource: &auth.Resource{ 258 Type: webResource.Type, 259 Name: webResource.Name, 260 Endpoint: "/foo/*", 261 }, 262 }, 263 }, 264 }, 265 { 266 Name: "WebWildcardPathEndpointInvalid", 267 Resource: webResource, 268 Account: &auth.Account{}, 269 Rules: []*auth.Rule{ 270 &auth.Rule{ 271 Scope: "*", 272 Resource: &auth.Resource{ 273 Type: webResource.Type, 274 Name: webResource.Name, 275 Endpoint: "/bar/*", 276 }, 277 }, 278 }, 279 Error: auth.ErrForbidden, 280 }, 281 } 282 283 for _, tc := range tt { 284 t.Run(tc.Name, func(t *testing.T) { 285 if err := VerifyAccess(tc.Rules, tc.Account, tc.Resource); err != tc.Error { 286 t.Errorf("Expected %v but got %v", tc.Error, err) 287 } 288 }) 289 } 290 }