github.com/fanux/shipyard@v0.0.0-20161009071005-6515ce223235/controller/middleware/access/access_test.go (about) 1 package access 2 3 import ( 4 "testing" 5 6 "github.com/shipyard/shipyard/auth" 7 "github.com/shipyard/shipyard/controller/mock_test" 8 ) 9 10 var ( 11 mockManager = &mock_test.MockManager{} 12 accessRequired = NewAccessRequired(mockManager) 13 ) 14 15 func TestAccessControlAdminRole(t *testing.T) { 16 testAcct := &auth.Account{ 17 Username: "testuser", 18 Roles: []string{"admin"}, 19 } 20 21 testPath := "/containers" 22 23 if !accessRequired.checkAccess(testAcct, testPath, "POST") { 24 t.Fatalf("expected valid access for %s", testPath) 25 } 26 27 testPath = "/images" 28 29 if !accessRequired.checkAccess(testAcct, testPath, "POST") { 30 t.Fatalf("expected valid access for %s", testPath) 31 } 32 } 33 34 func TestAccessControlContainersRORole(t *testing.T) { 35 testAcct := &auth.Account{ 36 Username: "testuser", 37 Roles: []string{"containers:ro"}, 38 } 39 40 testPath := "/containers" 41 testMethod := "GET" 42 43 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 44 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 45 } 46 47 testPath = "/containers" 48 testMethod = "POST" 49 50 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 51 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 52 } 53 54 testPath = "/images" 55 testMethod = "POST" 56 57 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 58 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 59 } 60 } 61 62 func TestAccessControlContainersRWRole(t *testing.T) { 63 testAcct := &auth.Account{ 64 Username: "testuser", 65 Roles: []string{"containers:rw"}, 66 } 67 68 testPath := "/containers" 69 testMethod := "GET" 70 71 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 72 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 73 } 74 75 testPath = "/containers" 76 testMethod = "POST" 77 78 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 79 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 80 } 81 82 testPath = "/images" 83 testMethod = "POST" 84 85 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 86 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 87 } 88 } 89 90 func TestAccessControlImagesRORole(t *testing.T) { 91 testAcct := &auth.Account{ 92 Username: "testuser", 93 Roles: []string{"images:ro"}, 94 } 95 96 testPath := "/images" 97 testMethod := "GET" 98 99 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 100 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 101 } 102 103 testPath = "/images" 104 testMethod = "POST" 105 106 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 107 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 108 } 109 110 testPath = "/containers" 111 testMethod = "POST" 112 113 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 114 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 115 } 116 } 117 118 func TestAccessControlImagesRWRole(t *testing.T) { 119 testAcct := &auth.Account{ 120 Username: "testuser", 121 Roles: []string{"images:rw"}, 122 } 123 124 testPath := "/containers" 125 testMethod := "GET" 126 127 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 128 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 129 } 130 131 testPath = "/containers" 132 testMethod = "POST" 133 134 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 135 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 136 } 137 138 testPath = "/images" 139 testMethod = "GET" 140 141 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 142 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 143 } 144 testPath = "/images" 145 testMethod = "POST" 146 147 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 148 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 149 } 150 } 151 152 func TestAccessControlRegistriesRORole(t *testing.T) { 153 testAcct := &auth.Account{ 154 Username: "testuser", 155 Roles: []string{"registries:ro"}, 156 } 157 158 testPath := "/api/registry" 159 testMethod := "GET" 160 161 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 162 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 163 } 164 165 testPath = "/api/registry" 166 testMethod = "POST" 167 168 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 169 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 170 } 171 172 testPath = "/containers" 173 testMethod = "POST" 174 175 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 176 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 177 } 178 } 179 180 func TestAccessControlRegistriesRWRole(t *testing.T) { 181 testAcct := &auth.Account{ 182 Username: "testuser", 183 Roles: []string{"registries:rw"}, 184 } 185 186 testPath := "/api/registry" 187 testMethod := "GET" 188 189 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 190 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 191 } 192 193 testPath = "/api/registry" 194 testMethod = "POST" 195 196 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 197 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 198 } 199 200 testPath = "/images" 201 testMethod = "GET" 202 203 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 204 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 205 } 206 207 testPath = "/images" 208 testMethod = "POST" 209 210 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 211 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 212 } 213 } 214 215 func TestAccessControlEventsRORole(t *testing.T) { 216 testAcct := &auth.Account{ 217 Username: "testuser", 218 Roles: []string{"events:ro"}, 219 } 220 221 testPath := "/api/events" 222 testMethod := "GET" 223 224 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 225 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 226 } 227 228 testPath = "/api/events" 229 testMethod = "POST" 230 231 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 232 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 233 } 234 235 testPath = "/containers" 236 testMethod = "POST" 237 238 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 239 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 240 } 241 } 242 243 func TestAccessControlEventsRWRole(t *testing.T) { 244 testAcct := &auth.Account{ 245 Username: "testuser", 246 Roles: []string{"events:rw"}, 247 } 248 249 testPath := "/api/events" 250 testMethod := "GET" 251 252 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 253 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 254 } 255 256 testPath = "/api/events" 257 testMethod = "POST" 258 259 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 260 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 261 } 262 263 testPath = "/api/events" 264 testMethod = "DELETE" 265 266 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 267 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 268 } 269 270 testPath = "/images" 271 testMethod = "GET" 272 273 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 274 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 275 } 276 testPath = "/images" 277 testMethod = "POST" 278 279 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 280 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 281 } 282 } 283 284 func TestAccessControlNodesRORole(t *testing.T) { 285 testAcct := &auth.Account{ 286 Username: "testuser", 287 Roles: []string{"nodes:ro"}, 288 } 289 290 testPath := "/api/nodes" 291 testMethod := "GET" 292 293 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 294 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 295 } 296 297 testPath = "/api/nodes" 298 testMethod = "POST" 299 300 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 301 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 302 } 303 304 testPath = "/containers" 305 testMethod = "POST" 306 307 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 308 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 309 } 310 } 311 312 func TestAccessControlNodesRWRole(t *testing.T) { 313 testAcct := &auth.Account{ 314 Username: "testuser", 315 Roles: []string{"nodes:rw"}, 316 } 317 318 testPath := "/api/nodes" 319 testMethod := "GET" 320 321 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 322 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 323 } 324 325 testPath = "/api/nodes" 326 testMethod = "POST" 327 328 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 329 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 330 } 331 332 testPath = "/api/nodes" 333 testMethod = "DELETE" 334 335 if !accessRequired.checkAccess(testAcct, testPath, testMethod) { 336 t.Fatalf("expected valid access for %s %s", testMethod, testPath) 337 } 338 339 testPath = "/images" 340 testMethod = "GET" 341 342 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 343 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 344 } 345 testPath = "/images" 346 testMethod = "POST" 347 348 if accessRequired.checkAccess(testAcct, testPath, testMethod) { 349 t.Fatalf("expected denied access for %s %s", testMethod, testPath) 350 } 351 }