github.com/greenpau/go-authcrunch@v1.1.4/pkg/authz/gatekeeper_test.go (about) 1 // Copyright 2022 Paul Greenberg greenpau@outlook.com 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package authz 16 17 import ( 18 "github.com/google/go-cmp/cmp" 19 "github.com/greenpau/go-authcrunch/internal/tests" 20 "github.com/greenpau/go-authcrunch/pkg/acl" 21 "github.com/greenpau/go-authcrunch/pkg/authz/bypass" 22 "github.com/greenpau/go-authcrunch/pkg/authz/injector" 23 "github.com/greenpau/go-authcrunch/pkg/errors" 24 logutil "github.com/greenpau/go-authcrunch/pkg/util/log" 25 "go.uber.org/zap" 26 "testing" 27 ) 28 29 func TestNewGatekeeper(t *testing.T) { 30 31 var testcases = []struct { 32 name string 33 disabled bool 34 want string 35 shouldErr bool 36 err error 37 38 loggerFunc func() *zap.Logger 39 configFunc func() *PolicyConfig 40 41 bypassConfigs []*bypass.Config 42 injectorConfigs []*injector.Config 43 aclConfigs []*acl.RuleConfiguration 44 cryptoRawConfigs []string 45 authProxyRawConfig []string 46 }{ 47 { 48 name: "test new gatekeeper without logger", 49 loggerFunc: func() *zap.Logger { 50 return nil 51 }, 52 configFunc: func() *PolicyConfig { 53 return nil 54 }, 55 shouldErr: true, 56 err: errors.ErrNewGatekeeperLoggerNil, 57 }, 58 { 59 name: "test new gatekeeper without config", 60 loggerFunc: func() *zap.Logger { 61 return logutil.NewLogger() 62 }, 63 configFunc: func() *PolicyConfig { 64 return nil 65 }, 66 shouldErr: true, 67 err: errors.ErrNewGatekeeperConfigNil, 68 }, 69 { 70 name: "test new gatekeeper without name", 71 loggerFunc: func() *zap.Logger { 72 return logutil.NewLogger() 73 }, 74 configFunc: func() *PolicyConfig { 75 return &PolicyConfig{} 76 }, 77 shouldErr: true, 78 err: errors.ErrNewGatekeeper.WithArgs(errors.ErrPolicyConfigNameNotFound), 79 }, 80 { 81 name: "test new gatekeeper", 82 loggerFunc: func() *zap.Logger { 83 return logutil.NewLogger() 84 }, 85 configFunc: func() *PolicyConfig { 86 return &PolicyConfig{ 87 Name: "mygatekeeper", 88 AuthURLPath: "/auth", 89 } 90 }, 91 aclConfigs: []*acl.RuleConfiguration{ 92 { 93 Conditions: []string{"match roles anonymous guest admin"}, 94 Action: "allow stop", 95 }, 96 { 97 Conditions: []string{"match roles superadmin"}, 98 Action: "allow stop", 99 }, 100 { 101 Conditions: []string{"match roles admin editor viewer"}, 102 Action: "allow stop", 103 }, 104 { 105 Conditions: []string{"match roles AzureAD_Administrator AzureAD_Editor AzureAD_Viewer"}, 106 Action: "allow stop", 107 }, 108 { 109 Conditions: []string{"match roles everyone Everyone"}, 110 Action: "allow stop", 111 }, 112 }, 113 cryptoRawConfigs: []string{ 114 "key verify 0e2fdcf8-6868-41a7-884b-7308795fc286", 115 }, 116 want: `{ 117 "config": { 118 "name": "mygatekeeper", 119 "access_list_rules": [ 120 { 121 "action": "allow stop", 122 "conditions": ["match roles anonymous guest admin"] 123 }, 124 { 125 "action": "allow stop", 126 "conditions": ["match roles superadmin"] 127 }, 128 { 129 "action": "allow stop", 130 "conditions": ["match roles admin editor viewer"] 131 }, 132 { 133 "action": "allow stop", 134 "conditions": ["match roles AzureAD_Administrator AzureAD_Editor AzureAD_Viewer"] 135 }, 136 { 137 "action": "allow stop", 138 "conditions": ["match roles everyone Everyone"] 139 } 140 ], 141 "auth_redirect_query_param": "redirect_url", 142 "auth_redirect_status_code": 302, 143 "auth_url_path": "/auth", 144 "crypto_key_configs": [ 145 { 146 "algorithm": "hmac", 147 "id": "0", 148 "source": "config", 149 "token_lifetime": 900, 150 "token_name": "access_token", 151 "token_secret": "0e2fdcf8-6868-41a7-884b-7308795fc286", 152 "usage": "verify" 153 } 154 ] 155 } 156 }`, 157 }, 158 } 159 160 for _, tc := range testcases { 161 t.Run(tc.name, func(t *testing.T) { 162 if tc.disabled { 163 return 164 } 165 logger := tc.loggerFunc() 166 cfg := tc.configFunc() 167 if cfg != nil { 168 cfg.BypassConfigs = tc.bypassConfigs 169 cfg.HeaderInjectionConfigs = tc.injectorConfigs 170 cfg.AccessListRules = tc.aclConfigs 171 cfg.cryptoRawConfigs = tc.cryptoRawConfigs 172 cfg.authProxyRawConfig = tc.authProxyRawConfig 173 } 174 175 gatekeeper, err := NewGatekeeper(cfg, logger) 176 if err != nil { 177 if !tc.shouldErr { 178 t.Fatalf("expected success, got: %v", err) 179 } 180 if diff := cmp.Diff(err.Error(), tc.err.Error()); diff != "" { 181 t.Fatalf("unexpected error: %v, want: %v", err, tc.err) 182 } 183 return 184 } 185 if tc.shouldErr { 186 t.Fatalf("unexpected success, want: %v", tc.err) 187 } 188 189 got := make(map[string]interface{}) 190 got["config"] = tests.Unpack(t, gatekeeper.config) 191 want := tests.Unpack(t, tc.want) 192 193 // t.Logf("JSON: %s", tests.UnpackJSON(t, got)) 194 if diff := cmp.Diff(want, got); diff != "" { 195 t.Errorf("NewGatekeeper() config mismatch (-want +got):\n%s", diff) 196 } 197 }) 198 } 199 }