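package influxdb_test

import (
	"testing"

	platform "github.com/influxdata/influxdb/v2"
	platform2 "github.com/influxdata/influxdb/v2/kit/platform"
	influxdbtesting "github.com/influxdata/influxdb/v2/testing"
)

// TestAuthorizer_PermissionAllowed exercises PermissionAllowed, the check that
// decides whether a requested permission (tt.permission) is covered by the set
// of permissions a caller actually holds (tt.permissions).
//
// The cases pin the authorization boundary the rest of the platform relies on:
// a grant with neither org nor resource ID is global, an org-scoped grant covers
// every resource of that type in the org, and a resource-scoped grant covers
// exactly that resource. The deny cases are the ones that matter for tenant
// isolation — a grant must never satisfy a request for a different org, a
// different resource, a different action, or a broader scope than was granted.
func TestAuthorizer_PermissionAllowed(t *testing.T) {
	tests := []struct {
		name        string
		permission  platform.Permission   // the permission being requested
		permissions []platform.Permission // the permissions actually held
		allowed     bool
	}{
		{
			// A grant with no org and no ID is global for its type/action.
			name: "global permission",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
					ID:    influxdbtesting.IDPtr(1),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type: platform.BucketsResourceType,
					},
				},
			},
			allowed: true,
		},
		{
			// ID 0 is the kit/platform invalid ID; a request carrying it must
			// not match a grant for a real org/resource.
			name: "bad org id in permission",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(0),
					ID:    influxdbtesting.IDPtr(0),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type:  platform.BucketsResourceType,
						OrgID: influxdbtesting.IDPtr(1),
						ID:    influxdbtesting.IDPtr(1),
					},
				},
			},
			allowed: false,
		},
		{
			name: "bad resource id in permission",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
					ID:    influxdbtesting.IDPtr(0),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type:  platform.BucketsResourceType,
						OrgID: influxdbtesting.IDPtr(1),
						ID:    influxdbtesting.IDPtr(1),
					},
				},
			},
			allowed: false,
		},
		{
			// The invalid ID on the granted side must not act as a wildcard.
			name: "bad resource id in permissions",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
					ID:    influxdbtesting.IDPtr(1),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type:  platform.BucketsResourceType,
						OrgID: influxdbtesting.IDPtr(1),
						ID:    influxdbtesting.IDPtr(0),
					},
				},
			},
			allowed: false,
		},
		{
			name: "matching action resource and ID",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
					ID:    influxdbtesting.IDPtr(1),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type:  platform.BucketsResourceType,
						OrgID: influxdbtesting.IDPtr(1),
						ID:    influxdbtesting.IDPtr(1),
					},
				},
			},
			allowed: true,
		},
		{
			// An org-scoped grant (no ID) covers a specific resource in that org.
			name: "matching action resource with total",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
					ID:    influxdbtesting.IDPtr(1),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type:  platform.BucketsResourceType,
						OrgID: influxdbtesting.IDPtr(1),
					},
				},
			},
			allowed: true,
		},
		{
			name: "matching action resource no ID",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type:  platform.BucketsResourceType,
						OrgID: influxdbtesting.IDPtr(1),
					},
				},
			},
			allowed: true,
		},
		{
			// Tenant isolation: an org-scoped grant must not satisfy a request
			// for the same resource type in a different (valid) org.
			name: "org-scoped grant for a different org",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(2),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type:  platform.BucketsResourceType,
						OrgID: influxdbtesting.IDPtr(1),
					},
				},
			},
			allowed: false,
		},
		{
			// A grant scoped to a single resource must not be widened into an
			// org-wide grant by requesting the resource type without an ID.
			name: "resource-scoped grant does not cover the whole org",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type:  platform.BucketsResourceType,
						OrgID: influxdbtesting.IDPtr(1),
						ID:    influxdbtesting.IDPtr(1),
					},
				},
			},
			allowed: false,
		},
		{
			name: "matching action resource differing ID",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
					ID:    influxdbtesting.IDPtr(1),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type:  platform.BucketsResourceType,
						OrgID: influxdbtesting.IDPtr(1),
						ID:    influxdbtesting.IDPtr(2),
					},
				},
			},
			allowed: false,
		},
		{
			// Read must never imply write.
			name: "differing action same resource",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
					ID:    influxdbtesting.IDPtr(1),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.ReadAction,
					Resource: platform.Resource{
						Type:  platform.BucketsResourceType,
						OrgID: influxdbtesting.IDPtr(1),
						ID:    influxdbtesting.IDPtr(1),
					},
				},
			},
			allowed: false,
		},
		{
			// Same org and ID but a different resource type must not match.
			name: "same action differing resource",
			permission: platform.Permission{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
					ID:    influxdbtesting.IDPtr(1),
				},
			},
			permissions: []platform.Permission{
				{
					Action: platform.WriteAction,
					Resource: platform.Resource{
						Type:  platform.TasksResourceType,
						OrgID: influxdbtesting.IDPtr(1),
						ID:    influxdbtesting.IDPtr(1),
					},
				},
			},
			allowed: false,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			allowed := platform.PermissionAllowed(tt.permission, tt.permissions)
			if allowed != tt.allowed {
				t.Errorf("got allowed = %v, expected allowed = %v", allowed, tt.allowed)
			}
		})
	}
}

// TestPermission_Valid checks Permission.Valid, the validation applied before a
// permission is accepted (e.g. when minting an authorization). Every field that
// can be malformed — action, resource type, resource ID, org ID — must be
// rejected, otherwise a malformed permission could be stored and later matched
// in unexpected ways by PermissionAllowed.
func TestPermission_Valid(t *testing.T) {
	type fields struct {
		Action   platform.Action
		Resource platform.Resource
	}
	tests := []struct {
		name    string
		fields  fields
		wantErr bool
	}{
		{
			name: "valid bucket permission with ID",
			fields: fields{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					ID:    validID(),
					OrgID: influxdbtesting.IDPtr(1),
				},
			},
		},
		{
			// A nil ID means "all resources of this type in the org".
			name: "valid bucket permission with nil ID",
			fields: fields{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					ID:    nil,
					OrgID: influxdbtesting.IDPtr(1),
				},
			},
		},
		{
			name: "invalid bucket permission with an invalid ID",
			fields: fields{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					ID:    invalidID(),
					OrgID: influxdbtesting.IDPtr(1),
				},
			},
			wantErr: true,
		},
		{
			// The org ID is validated the same way as the resource ID.
			name: "invalid bucket permission with an invalid org ID",
			fields: fields{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: invalidID(),
				},
			},
			wantErr: true,
		},
		{
			name: "invalid permission without an action",
			fields: fields{
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
				},
			},
			wantErr: true,
		},
		{
			// Only the known actions are accepted; an arbitrary verb is not.
			name: "invalid permission with an unknown action",
			fields: fields{
				Action: platform.Action("delete"),
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
				},
			},
			wantErr: true,
		},
		{
			name: "invalid permission without a resource",
			fields: fields{
				Action: platform.WriteAction,
			},
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			p := &platform.Permission{
				Action:   tt.fields.Action,
				Resource: tt.fields.Resource,
			}
			if err := p.Valid(); (err != nil) != tt.wantErr {
				t.Errorf("Permission.Valid() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

// TestPermissionAllResources_Valid checks that a write permission on each of
// the listed resource types passes validation. The list is not exhaustive —
// it only covers the commonly used types — so a newly added ResourceType that
// Valid does not know about would not be caught here.
func TestPermissionAllResources_Valid(t *testing.T) {
	var resources = []platform.ResourceType{
		platform.UsersResourceType,
		platform.OrgsResourceType,
		platform.TasksResourceType,
		platform.BucketsResourceType,
		platform.DashboardsResourceType,
		platform.SourcesResourceType,
		platform.NotebooksResourceType,
		platform.AnnotationsResourceType,
	}

	for _, rt := range resources {
		p := &platform.Permission{
			Action: platform.WriteAction,
			Resource: platform.Resource{
				Type: rt,
				ID:   influxdbtesting.IDPtr(1),
			},
		}

		if err := p.Valid(); err != nil {
			t.Errorf("PermissionAllResources.Valid() error = %v", err)
		}
	}
}

// TestPermissionAllActions checks that both supported actions, read and write,
// validate against an org-scoped resource.
func TestPermissionAllActions(t *testing.T) {
	var actions = []platform.Action{
		platform.ReadAction,
		platform.WriteAction,
	}

	for _, a := range actions {
		p := &platform.Permission{
			Action: a,
			Resource: platform.Resource{
				Type:  platform.TasksResourceType,
				OrgID: influxdbtesting.IDPtr(1),
			},
		}

		if err := p.Valid(); err != nil {
			t.Errorf("PermissionAllActions.Valid() error = %v", err)
		}
	}
}

// TestPermission_String pins the canonical rendering of a permission:
// `<action>:[orgs/<orgID>/]<type>[/<id>]`, with IDs rendered as 16 zero-padded
// hex digits. The org and ID segments are omitted when the corresponding
// pointer is nil, which is how a global or org-wide grant is distinguished
// from a resource-scoped one in this form.
func TestPermission_String(t *testing.T) {
	type fields struct {
		Action   platform.Action
		Resource platform.Resource
		Name     *string
	}
	tests := []struct {
		name   string
		fields fields
		want   string
	}{
		{
			name: "valid permission with no id",
			fields: fields{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
				},
			},
			want: `write:orgs/0000000000000001/buckets`,
		},
		{
			// validID() is 100, i.e. 0x64.
			name: "valid permission with an id",
			fields: fields{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type:  platform.BucketsResourceType,
					OrgID: influxdbtesting.IDPtr(1),
					ID:    validID(),
				},
			},
			want: `write:orgs/0000000000000001/buckets/0000000000000064`,
		},
		{
			name: "valid permission with no id or org id",
			fields: fields{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type: platform.BucketsResourceType,
				},
			},
			want: `write:buckets`,
		},
		{
			name: "valid permission with no org id",
			fields: fields{
				Action: platform.WriteAction,
				Resource: platform.Resource{
					Type: platform.BucketsResourceType,
					ID:   influxdbtesting.IDPtr(1),
				},
			},
			want: `write:buckets/0000000000000001`,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			p := platform.Permission{
				Action:   tt.fields.Action,
				Resource: tt.fields.Resource,
			}
			if got := p.String(); got != tt.want {
				t.Errorf("Permission.String() = %v, want %v", got, tt.want)
			}
		})
	}
}

// validID returns a pointer to a well-formed, non-zero ID (100) for cases that
// must pass validation.
func validID() *platform2.ID {
	id := platform2.ID(100)
	return &id
}

// invalidID returns a pointer to the kit/platform invalid ID sentinel for cases
// that must be rejected by validation.
func invalidID() *platform2.ID {
	id := platform2.InvalidID()
	return &id
}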