github.com/nats-io/nsc@v0.0.0-20221206222106-35db9400b257/cmd/editscopedsk_test.go (about)

     1  /*
     2   * Copyright 2018-2021 The NATS Authors
     3   * Licensed under the Apache License, Version 2.0 (the "License");
     4   * you may not use this file except in compliance with the License.
     5   * You may obtain a copy of the License at
     6   *
     7   * http://www.apache.org/licenses/LICENSE-2.0
     8   *
     9   * Unless required by applicable law or agreed to in writing, software
    10   * distributed under the License is distributed on an "AS IS" BASIS,
    11   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12   * See the License for the specific language governing permissions and
    13   * limitations under the License.
    14   */
    15  
    16  package cmd
    17  
    18  import (
    19  	"os"
    20  	"testing"
    21  
    22  	"github.com/nats-io/jwt/v2"
    23  	"github.com/stretchr/testify/require"
    24  )
    25  
// Test_EditScopedSk_NotFound checks that the edit-scoped-signing-key command
// returns an error when the named account does not exist, and when the account
// exists but the requested signing key does not.
func Test_EditScopedSk_NotFound(t *testing.T) {
	store := NewTestStore(t, "edit scope")
	defer store.Done(t)

	store.AddAccount(t, "A")

	// Each argument set names something the store does not hold; the command
	// is expected to fail for both, in this order.
	missing := [][]string{
		{"--account", "not there"},
		{"--account", "A", "--sk", "not there"},
	}
	for _, args := range missing {
		_, _, err := ExecuteCmd(createEditSkopedSkCmd(), args...)
		require.Error(t, err)
	}
}
    38  
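// Test_EditScopedSk_Subs adds two signing keys to account "A", attaches a user
// scope to the second one, and verifies the stored template. It then checks
// that the scoped key can be addressed by its role name only after its key
// pair has been placed in the keystore.
func Test_EditScopedSk_Subs(t *testing.T) {
	ts := NewTestStore(t, "edit scope")
	defer ts.Done(t)

	oc, err := ts.Store.ReadOperatorClaim()
	require.NoError(t, err)

	ts.AddAccount(t, "A")
	_, pk, _ := CreateAccountKey(t)
	seed, pk2, kp := CreateAccountKey(t)

	_, _, err = ExecuteCmd(createEditAccount(), "--sk", pk, "--sk", pk2)
	require.NoError(t, err)

	ac, err := ts.Store.ReadAccountClaim("A")
	require.NoError(t, err)
	require.Contains(t, ac.SigningKeys, pk)
	require.Contains(t, ac.SigningKeys, pk2)
	require.Equal(t, oc.Subject, ac.Issuer)

	// checkAcc re-reads the account claim and asserts that pk is still an
	// unscoped signing key while pk2 carries the user scope configured below,
	// with the given subscription limit.
	checkAcc := func(subs int64) {
		ac, err = ts.Store.ReadAccountClaim("A")
		require.NoError(t, err)
		require.Contains(t, ac.SigningKeys, pk)
		require.Equal(t, oc.Subject, ac.Issuer)

		// pk was added without a scope, so it must resolve to a nil scope.
		scope, ok := ac.SigningKeys.GetScope(pk)
		require.True(t, ok)
		require.Nil(t, scope)

		require.Contains(t, ac.SigningKeys, pk2)
		scope, ok = ac.SigningKeys.GetScope(pk2)
		require.True(t, ok)
		require.NotNil(t, scope)

		// Checked assertion: a scope of any other type fails the test with a
		// message instead of panicking.
		us, ok := scope.(*jwt.UserScope)
		require.True(t, ok)
		require.Equal(t, subs, us.Template.Subs)
		require.Equal(t, int64(5*1024), us.Template.Data)
		require.True(t, us.Template.AllowedConnectionTypes.Contains("LEAFNODE"))
		require.True(t, us.Template.Sub.Allow.Contains("foo"))
		require.True(t, us.Template.Sub.Deny.Contains("bar"))
		require.True(t, us.Template.Pub.Allow.Contains("foo"))
		require.True(t, us.Template.BearerToken)
		require.Equal(t, "foo", us.Role)
	}

	_, _, err = ExecuteCmd(createEditSkopedSkCmd(), "--account", "A", "--sk", pk2, "--subs", "5", "--role", "foo",
		"--allow-pub", "foo", "--allow-sub", "foo", "--deny-sub", "bar", "--conn-type", "LEAFNODE", "--data", "5kib", "--bearer")
	require.NoError(t, err)
	checkAcc(5)

	// update using role name, with key that can't be found
	_, _, err = ExecuteCmd(createEditSkopedSkCmd(), "--account", "A", "--sk", "foo", "--subs", "10")
	require.Error(t, err)

	// store seed in temporary file and keystore so it can be found
	//
	// The error is checked before f is used: deferring os.Remove(f.Name())
	// first would dereference a nil *os.File if CreateTemp failed and hide the
	// real error behind a panic. os.CreateTemp creates the file with mode 0600,
	// so the seed is not readable by other users while the test runs.
	f, err := os.CreateTemp("", "")
	require.NoError(t, err)
	defer os.Remove(f.Name())
	_, err = f.Write(seed)
	require.NoError(t, err)
	require.NoError(t, f.Sync())
	// Close the handle so no descriptor to the seed file stays open and the
	// deferred removal also succeeds on platforms that refuse to delete open files.
	require.NoError(t, f.Close())
	// NOTE(review): the temp file's path is never passed to a command in this
	// test; the keystore entry appears to be what makes the role lookup
	// succeed. Confirm whether the file is still needed.
	_, err = ts.KeyStore.Store(kp)
	require.NoError(t, err)

	// update using role name
	// NOTE(review): the resulting claim is not re-checked after this update;
	// consider asserting the new limit if the other template fields are
	// expected to survive a partial edit.
	_, _, err = ExecuteCmd(createEditSkopedSkCmd(), "--account", "A", "--sk", "foo", "--subs", "10")
	require.NoError(t, err)
}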
   103  
// Test_EditScopedSk_ResolveAny verifies that --sk accepts several ways of
// naming the same signing key (the seed, the public key, and the value
// returned by the keystore) and rejects a value that matches none of them.
func Test_EditScopedSk_ResolveAny(t *testing.T) {
	store := NewTestStore(t, "edit scope")
	defer store.Done(t)

	operator, err := store.Store.ReadOperatorClaim()
	require.NoError(t, err)

	store.AddAccount(t, "A")
	seed, pub, pair := CreateAccountKey(t)

	// The value returned by Store is used below as one of the --sk forms
	// (presumably the key's path in the keystore; confirm against KeyStore.Store).
	stored, err := store.KeyStore.Store(pair)
	require.NoError(t, err)

	_, _, err = ExecuteCmd(createEditAccount(), "--sk", pub)
	require.NoError(t, err)

	account, err := store.Store.ReadAccountClaim("A")
	require.NoError(t, err)
	require.Contains(t, account.SigningKeys, pub)
	require.Equal(t, account.Issuer, operator.Subject)

	// The attempts run in this order against the same account. Only the last
	// one is expected to fail: no scope with role "foo" is configured in this
	// test, so "foo" identifies no key.
	attempts := []struct {
		sk      string
		wantErr bool
	}{
		{sk: string(seed)},
		{sk: pub},
		{sk: stored},
		{sk: "foo", wantErr: true},
	}
	for _, a := range attempts {
		_, _, err = ExecuteCmd(createEditSkopedSkCmd(), "--account", "A",
			"--sk", a.sk, "--subs", "10")
		if a.wantErr {
			require.Error(t, err)
			continue
		}
		require.NoError(t, err)
	}
}