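// Listing: github.com/tecuane/corral@v0.0.0-20191220120004-308e3e724924/corral_test.go

package corral

import (
	"strconv"
	"testing"
)

// Role is the authorization subject used throughout these tests: grants are
// registered under Role.SubjectKey and checks are made with a *Role.
type Role struct {
	ID   int64
	Name string
}

// SubjectKey returns the role's ID in base 10; the tests pass it to
// Authorize and ConditionalAuthorize as the key a grant is stored under.
//
// string(r.ID) must not be used here: converting an integer to string yields
// the UTF-8 encoding of that code point, and every value outside the valid
// Unicode range becomes "\uFFFD". Distinct role IDs could then share one
// subject key, so a grant made to one role would apply to another.
func (r *Role) SubjectKey() string {
	return strconv.FormatInt(r.ID, 10)
}

// Profile is a user account that carries exactly one Role.
type Profile struct {
	ID   int64
	Role *Role
	Name string
}

// Post is the protected object in these tests.
type Post struct {
	ID        int64
	ProfileID int64
	Title     string
	Hidden    bool
}

// ObjectType returns "post", the same object-type string the tests pass to
// Authorize and ConditionalAuthorize.
func (p *Post) ObjectType() string {
	return "post"
}

// OwnerID returns the ID of the post's owner.
func (p *Post) OwnerID() int64 {
	return p.ProfileID
}

var (
	adminRole = &Role{ID: 1, Name: "Administrator"}
	userRole  = &Role{ID: 2, Name: "User"}

	adminProfile = &Profile{ID: 1000, Role: adminRole, Name: "Administrator Profile"}
	userProfile  = &Profile{ID: 2000, Role: userRole, Name: "User Profile"}
)

// testPosts holds one visible and one hidden post per owner.
//
// NOTE(review): ProfileID is 1 or 2 here while the Profile fixtures have IDs
// 1000 and 2000, so owned() can never match these posts against those
// profiles. The values equal the Role IDs instead; confirm which was intended.
var testPosts = []*Post{
	{ID: 1, ProfileID: 1, Hidden: false, Title: "Post by Administrator"},
	{ID: 2, ProfileID: 2, Hidden: false, Title: "Post by User"},
	{ID: 3, ProfileID: 1, Hidden: true, Title: "Hidden Post by Administrator"},
	{ID: 4, ProfileID: 2, Hidden: true, Title: "Hidden Post by User"},
}

// checkNoPermissions fails tb if the user role can read any post while no
// grant is registered (the default-deny case).
func checkNoPermissions(tb testing.TB) {
	tb.Helper()
	for _, post := range testPosts {
		if Can(userRole, post, ReadAction) {
			tb.Fatalf("Was able to perform an action without permissions.")
		}
	}
}

// TestNoPermissions verifies that nothing is allowed before any grant exists.
func TestNoPermissions(t *testing.T) {
	// The grant table is package-level state; clear it first so this test does
	// not depend on running before the tests that call Authorize.
	Reset()
	checkNoPermissions(t)
}

// BenchmarkNoPermissions measures the default-deny lookup.
func BenchmarkNoPermissions(b *testing.B) {
	Reset()
	b.ResetTimer()
	// Without a b.N loop the body runs once and the reported ns/op is meaningless.
	for i := 0; i < b.N; i++ {
		checkNoPermissions(b)
	}
}

// checkFullCRUD fails tb unless the admin role can create, read, update and
// delete every post, and the user role can do none of those. The caller must
// have granted ManageAction on "post" to the admin role only.
func checkFullCRUD(tb testing.TB) {
	tb.Helper()
	for _, post := range testPosts {
		if Cannot(adminProfile.Role, post, CreateAction) {
			tb.Fatalf("Admin was marked as manage, but cannot create.")
		}
		if Cannot(adminProfile.Role, post, ReadAction) {
			tb.Fatalf("Admin was marked as manage, but cannot read.")
		}
		if Cannot(adminProfile.Role, post, UpdateAction) {
			tb.Fatalf("Admin was marked as manage, but cannot update.")
		}
		if Cannot(adminProfile.Role, post, DeleteAction) {
			tb.Fatalf("Admin was marked as manage, but cannot delete.")
		}

		// A grant to one role must not leak to another. These denial checks
		// previously lived only in the benchmark, which a plain `go test` run
		// never executes.
		if Can(userProfile.Role, post, CreateAction) {
			tb.Fatalf("User was not authorized, but can create.")
		}
		if Can(userProfile.Role, post, ReadAction) {
			tb.Fatalf("User was not authorized, but can read.")
		}
		if Can(userProfile.Role, post, UpdateAction) {
			tb.Fatalf("User was not authorized, but can update.")
		}
		if Can(userProfile.Role, post, DeleteAction) {
			tb.Fatalf("User was not authorized, but can delete.")
		}
	}
}

// TestFullCRUD verifies that ManageAction implies create, read, update and
// delete for the granted role and nothing for an ungranted role.
func TestFullCRUD(t *testing.T) {
	defer Reset()
	Authorize(adminRole.SubjectKey(), "post", ManageAction)

	checkFullCRUD(t)
}

// BenchmarkFullCRUD measures the checks of TestFullCRUD.
func BenchmarkFullCRUD(b *testing.B) {
	defer Reset()
	Authorize(adminRole.SubjectKey(), "post", ManageAction)

	b.ResetTimer()
	for i := 0; i < b.N; i++ {
		checkFullCRUD(b)
	}
}

// notHidden reports whether post is a non-nil *Post that is not hidden.
// Any other value is denied (false) instead of panicking on the type
// assertion, so a mis-wired condition fails closed.
func notHidden(profile interface{}, post interface{}) bool {
	p, ok := post.(*Post)
	return ok && p != nil && !p.Hidden
}

// owned reports whether post is a *Post whose ProfileID equals the ID of
// profile, which must be a *Profile. A nil or differently typed argument is
// denied (false) rather than causing a panic.
func owned(profile interface{}, post interface{}) bool {
	p, ok := post.(*Post)
	if !ok || p == nil {
		return false
	}
	owner, ok := profile.(*Profile)
	if !ok || owner == nil {
		return false
	}
	return p.ProfileID == owner.ID
}

// checkUserComplex fails tb unless the user role can read the two visible
// posts and cannot read the two hidden ones. The caller must have registered
// notHidden as the ReadAction condition for the user role.
func checkUserComplex(tb testing.TB) {
	tb.Helper()
	if Cannot(userProfile.Role, testPosts[0], ReadAction) {
		tb.Fatalf("User was allowed to read all posts but cannot read.")
	}
	if Cannot(userProfile.Role, testPosts[1], ReadAction) {
		tb.Fatalf("User was allowed to read all posts but cannot read.")
	}
	if Can(userProfile.Role, testPosts[2], ReadAction) {
		tb.Fatalf("User was allowed to read a post they shouldn't be able to see.")
	}
	if Can(userProfile.Role, testPosts[3], ReadAction) {
		tb.Fatalf("User was allowed to read a post they shouldn't be able to see.")
	}
}

// TestUserComplex verifies a conditional grant: read is allowed only when the
// notHidden predicate holds for the post.
func TestUserComplex(t *testing.T) {
	defer Reset()
	ConditionalAuthorize(userRole.SubjectKey(), "post", ReadAction, notHidden)

	checkUserComplex(t)
}

// BenchmarkUserComplex measures the conditional read checks.
func BenchmarkUserComplex(b *testing.B) {
	defer Reset()
	ConditionalAuthorize(userRole.SubjectKey(), "post", ReadAction, notHidden)
	// NOTE(review): the owned grant is registered but no UpdateAction check
	// follows, so the ownership condition is never exercised. Every check in
	// this file passes a *Role as the subject while owned expects a *Profile;
	// how corral hands the subject to a condition is not visible here, so
	// confirm that before adding an UpdateAction assertion.
	ConditionalAuthorize(userRole.SubjectKey(), "post", UpdateAction, owned)

	b.ResetTimer()
	for i := 0; i < b.N; i++ {
		checkUserComplex(b)
	}
}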