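// Copyright 2016 Canonical Ltd.
// Licensed under the AGPLv3, see LICENCE file for details.

package common_test

import (
	"github.com/juju/errors"
	jc "github.com/juju/testing/checkers"
	gc "gopkg.in/check.v1"
	"gopkg.in/juju/names.v2"

	"github.com/juju/juju/apiserver/common"
	"github.com/juju/juju/permission"
	"github.com/juju/juju/testing"
)

// PermissionSuite exercises common.HasPermission, the authorisation check
// that decides whether a principal holds a requested permission on a model
// or controller target. The suite is written fail-closed: the only rows
// expected to be true are those where the looked-up access is at least the
// requested access on a target of the matching kind.
type PermissionSuite struct {
	testing.BaseSuite
}

var _ = gc.Suite(&PermissionSuite{})

// fakeUserAccess is a canned user-access lookup. It records every
// (subject, object) pair it is asked about so tests can assert exactly what
// was looked up, and always answers with the configured user/err pair.
type fakeUserAccess struct {
	subjects []names.UserTag
	objects  []names.Tag
	user     permission.UserAccess
	err      error
}

// call has the lookup signature HasPermission takes; it logs the query and
// returns the canned answer.
func (f *fakeUserAccess) call(subject names.UserTag, object names.Tag) (permission.UserAccess, error) {
	f.subjects = append(f.subjects, subject)
	f.objects = append(f.objects, object)
	return f.user, f.err
}

// TestNoUserTagLacksPermission checks that a principal that is not a user
// tag (here a model tag) is denied without error: HasPermission must not
// grant anything to non-user tags, and must not surface why.
func (r *PermissionSuite) TestNoUserTagLacksPermission(c *gc.C) {
	nonUser := names.NewModelTag("beef1beef1-0000-0000-000011112222")
	target := names.NewModelTag("beef1beef2-0000-0000-000011112222")
	userGetter := &fakeUserAccess{}
	hasPermission, err := common.HasPermission(userGetter.call, nonUser, permission.ReadAccess, target)
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(hasPermission, jc.IsFalse)
	// NOTE(review): whether the lookup is consulted at all for a non-user
	// tag is not pinned here; if it must never be, add
	// c.Assert(userGetter.subjects, gc.HasLen, 0) once confirmed.
}

// TestHasPermission is the table-driven core: the access reported by the
// lookup is compared against the access requested, and a permission is
// only meaningful on a target of the right kind (read/write/admin on a
// model, login/add-model on a controller). Asking for a controller-level
// permission on a model, or vice versa, is always denied regardless of how
// much access the user holds.
func (r *PermissionSuite) TestHasPermission(c *gc.C) {
	validUser := names.NewUserTag("validuser")
	modelTarget := names.NewModelTag("beef1beef2-0000-0000-000011112222")
	controllerTarget := names.NewControllerTag("beef1beef2-0000-0000-000011112222")

	testCases := []struct {
		title            string
		userGetterAccess permission.Access // what the lookup says the user holds
		user             names.UserTag
		target           names.Tag
		access           permission.Access // what the caller asks for
		expected         bool
	}{{
		title:            "user has lesser permissions than required",
		userGetterAccess: permission.ReadAccess,
		user:             validUser,
		target:           modelTarget,
		access:           permission.WriteAccess,
		expected:         false,
	}, {
		title:            "user has equal permission than required",
		userGetterAccess: permission.WriteAccess,
		user:             validUser,
		target:           modelTarget,
		access:           permission.WriteAccess,
		expected:         true,
	}, {
		title:            "user has greater permission than required",
		userGetterAccess: permission.AdminAccess,
		user:             validUser,
		target:           modelTarget,
		access:           permission.WriteAccess,
		expected:         true,
	}, {
		title:            "user requests model permission on controller",
		userGetterAccess: permission.AdminAccess,
		user:             validUser,
		target:           modelTarget,
		access:           permission.AddModelAccess,
		expected:         false,
	}, {
		title:            "user requests controller permission on model",
		userGetterAccess: permission.AdminAccess,
		user:             validUser,
		target:           controllerTarget,
		access:           permission.AdminAccess, // notice user has this permission for model.
		expected:         false,
	}, {
		title:            "controller permissions also work",
		userGetterAccess: permission.AddModelAccess,
		user:             validUser,
		target:           controllerTarget,
		access:           permission.AddModelAccess,
		expected:         true,
	}, {
		// Mirror of the first row at controller scope: holding only login
		// must not satisfy a request for add-model.
		title:            "user has lesser controller permission than required",
		userGetterAccess: permission.LoginAccess,
		user:             validUser,
		target:           controllerTarget,
		access:           permission.AddModelAccess,
		expected:         false,
	}}

	for i, t := range testCases {
		userGetter := &fakeUserAccess{
			user: permission.UserAccess{
				Access: t.userGetterAccess,
			},
		}
		c.Logf("HasPermission test n %d: %s", i, t.title)
		comment := gc.Commentf("HasPermission test n %d: %s", i, t.title)
		hasPermission, err := common.HasPermission(userGetter.call, t.user, t.access, t.target)
		// Check rather than Assert so a failing row reports without hiding
		// the outcome of the rows after it.
		c.Check(err, jc.ErrorIsNil, comment)
		c.Check(hasPermission, gc.Equals, t.expected, comment)
	}
}

// TestUserGetterErrorReturns covers the unknown-user path: when the lookup
// reports NotFound, HasPermission answers (false, nil) — the caller is
// denied without the lookup failure being surfaced — and exactly one lookup
// is made, for precisely the user/target pair requested.
func (r *PermissionSuite) TestUserGetterErrorReturns(c *gc.C) {
	user := names.NewUserTag("validuser")
	target := names.NewModelTag("beef1beef2-0000-0000-000011112222")
	userGetter := &fakeUserAccess{
		user: permission.UserAccess{},
		err:  errors.NotFoundf("a user"),
	}
	hasPermission, err := common.HasPermission(userGetter.call, user, permission.ReadAccess, target)
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(hasPermission, jc.IsFalse)
	c.Assert(userGetter.subjects, gc.DeepEquals, []names.UserTag{user})
	c.Assert(userGetter.objects, gc.DeepEquals, []names.Tag{target})
	// NOTE(review): only NotFound is covered. A lookup error of any other
	// kind (e.g. a store failure) should come back as err rather than a
	// silent (false, nil); add a row pinning that once the expected
	// behaviour is confirmed against HasPermission.
}

// fakeEveryoneUserAccess answers one way for the everyone@external group
// and another way for any other subject, so tests can set the user's own
// access and the group's access independently.
type fakeEveryoneUserAccess struct {
	user     permission.UserAccess
	everyone permission.UserAccess
}

// call returns the group access when asked about the everyone tag, and the
// user's own access for anything else. It never fails.
func (f *fakeEveryoneUserAccess) call(subject names.UserTag, object names.Tag) (permission.UserAccess, error) {
	if subject.Canonical() == common.EveryoneTagName {
		return f.everyone, nil
	}
	return f.user, nil
}

// TestEveryoneAtExternal pins the everyone@external group semantics. For an
// external user the effective access is whichever is higher of the user's
// own grant and the group's grant, so the group's access is a floor for
// every external user — granting it is effectively a controller-wide
// grant. A local user never inherits from the group.
func (r *PermissionSuite) TestEveryoneAtExternal(c *gc.C) {
	controllerTarget := names.NewControllerTag("beef1beef2-0000-0000-000011112222")

	testCases := []struct {
		title            string
		userGetterAccess permission.Access // the user's own grant
		everyoneAccess   permission.Access // the everyone@external grant
		user             names.UserTag
		target           names.Tag
		access           permission.Access
		expected         bool
	}{{
		title:            "user has lesser permissions than everyone",
		userGetterAccess: permission.LoginAccess,
		everyoneAccess:   permission.AddModelAccess,
		user:             names.NewUserTag("validuser@external"),
		target:           controllerTarget,
		access:           permission.AddModelAccess,
		expected:         true,
	}, {
		title:            "user has greater permissions than everyone",
		userGetterAccess: permission.AddModelAccess,
		everyoneAccess:   permission.LoginAccess,
		user:             names.NewUserTag("validuser@external"),
		target:           controllerTarget,
		access:           permission.AddModelAccess,
		expected:         true,
	}, {
		title:            "everibody not considered if user is local",
		userGetterAccess: permission.LoginAccess,
		everyoneAccess:   permission.AddModelAccess,
		user:             names.NewUserTag("validuser"),
		target:           controllerTarget,
		access:           permission.AddModelAccess,
		expected:         false,
	}}

	for i, t := range testCases {
		userGetter := &fakeEveryoneUserAccess{
			user: permission.UserAccess{
				Access: t.userGetterAccess,
			},
			everyone: permission.UserAccess{
				Access: t.everyoneAccess,
			},
		}
		c.Logf(`HasPermission "everyone" test n %d: %s`, i, t.title)
		comment := gc.Commentf(`HasPermission "everyone" test n %d: %s`, i, t.title)
		hasPermission, err := common.HasPermission(userGetter.call, t.user, t.access, t.target)
		// Check rather than Assert so every row is reported.
		c.Check(err, jc.ErrorIsNil, comment)
		c.Check(hasPermission, gc.Equals, t.expected, comment)
	}
}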