github.com/tickoalcantara12/micro/v3@v3.0.0-20221007104245-9d75b9bcbab9/util/auth/namespace/namespace_test.go (about) 1 package namespace 2 3 import ( 4 "context" 5 "testing" 6 7 "github.com/tickoalcantara12/micro/v3/service/auth" 8 9 "github.com/stretchr/testify/assert" 10 ) 11 12 func TestAuthorize(t *testing.T) { 13 tcs := []struct { 14 name string 15 acc *auth.Account 16 ns string 17 method string 18 err string 19 }{ 20 { 21 name: "MicroAdminAccessingMicro", 22 acc: &auth.Account{ 23 ID: "1", 24 Type: "user", 25 Issuer: "micro", 26 Metadata: nil, 27 Scopes: []string{"admin"}, 28 }, 29 ns: "micro", 30 method: "foo.Bar", 31 err: "", 32 }, 33 { 34 name: "MicroAdminAccessingFoo", 35 acc: &auth.Account{ 36 ID: "1", 37 Type: "user", 38 Issuer: "micro", 39 Metadata: nil, 40 Scopes: []string{"admin"}, 41 }, 42 ns: "foo", 43 method: "foo.Bar", 44 err: "", 45 }, 46 { 47 name: "MicroUserAccessingMicro", 48 acc: &auth.Account{ 49 ID: "1", 50 Type: "user", 51 Issuer: "micro", 52 Metadata: nil, 53 Scopes: []string{}, 54 }, 55 ns: "micro", 56 method: "foo.Bar", 57 err: "", 58 }, 59 { 60 name: "MicroUserAccessingFoo", 61 acc: &auth.Account{ 62 ID: "1", 63 Type: "user", 64 Issuer: "micro", 65 Metadata: nil, 66 Scopes: []string{}, 67 }, 68 ns: "foo", 69 method: "foo.Bar", 70 err: "Forbidden", 71 }, 72 { 73 name: "FooAdminAccessingMicro", 74 acc: &auth.Account{ 75 ID: "1", 76 Type: "user", 77 Issuer: "foo", 78 Metadata: nil, 79 Scopes: []string{"admin"}, 80 }, 81 ns: "micro", 82 method: "foo.Bar", 83 err: "Forbidden", 84 }, 85 { 86 name: "FooAdminAccessingFoo", 87 acc: &auth.Account{ 88 ID: "1", 89 Type: "user", 90 Issuer: "foo", 91 Metadata: nil, 92 Scopes: []string{"admin"}, 93 }, 94 ns: "foo", 95 method: "foo.Bar", 96 }, 97 { 98 name: "FooUserAccessingMicro", 99 acc: &auth.Account{ 100 ID: "1", 101 Type: "user", 102 Issuer: "foo", 103 Metadata: nil, 104 Scopes: []string{}, 105 }, 106 ns: "micro", 107 method: "foo.Bar", 108 err: "Forbidden", 109 }, 110 { 111 name: "FooUserAccessingFoo", 112 acc: &auth.Account{ 113 ID: "1", 114 Type: "user", 115 Issuer: "foo", 116 Metadata: nil, 117 Scopes: []string{}, 118 }, 119 ns: "foo", 120 method: "foo.Bar", 121 err: "", 122 }, 123 124 { 125 name: "MicroServiceAccessingMicro", 126 acc: &auth.Account{ 127 ID: "1", 128 Type: "service", 129 Issuer: "micro", 130 Metadata: nil, 131 Scopes: []string{"service"}, 132 }, 133 ns: "micro", 134 method: "foo.Bar", 135 err: "", 136 }, 137 { 138 name: "MicroServiceAccessingFoo", 139 acc: &auth.Account{ 140 ID: "1", 141 Type: "service", 142 Issuer: "micro", 143 Metadata: nil, 144 Scopes: []string{"service"}, 145 }, 146 ns: "foo", 147 method: "foo.Bar", 148 err: "", 149 }, 150 { 151 name: "FooServiceAccessingMicro", 152 acc: &auth.Account{ 153 ID: "1", 154 Type: "service", 155 Issuer: "foo", 156 Metadata: nil, 157 Scopes: []string{"service"}, 158 }, 159 ns: "micro", 160 method: "foo.Bar", 161 err: "Forbidden", 162 }, 163 { 164 name: "FooServiceAccessingFoo", 165 acc: &auth.Account{ 166 ID: "1", 167 Type: "service", 168 Issuer: "foo", 169 Metadata: nil, 170 Scopes: []string{"service"}, 171 }, 172 ns: "foo", 173 method: "foo.Bar", 174 }, 175 } 176 for _, tc := range tcs { 177 t.Run(tc.name, func(t *testing.T) { 178 179 ctx := context.TODO() 180 err := Authorize(auth.ContextWithAccount(ctx, tc.acc), tc.ns, tc.method) 181 if tc.err != "" { 182 assert.NotNil(t, err) 183 assert.Contains(t, err.Error(), tc.err) 184 } else { 185 assert.Nil(t, err) 186 } 187 }) 188 } 189 } 190 191 func TestAuthorizeAdmin(t *testing.T) { 192 tcs := []struct { 193 name string 194 acc *auth.Account 195 ns string 196 method string 197 err string 198 }{ 199 { 200 name: "MicroAdminAccessingMicro", 201 acc: &auth.Account{ 202 ID: "1", 203 Type: "user", 204 Issuer: "micro", 205 Metadata: nil, 206 Scopes: []string{"admin"}, 207 }, 208 ns: "micro", 209 method: "foo.Bar", 210 err: "", 211 }, 212 { 213 name: "MicroAdminAccessingFoo", 214 acc: &auth.Account{ 215 ID: "1", 216 Type: "user", 217 Issuer: "micro", 218 Metadata: nil, 219 Scopes: []string{"admin"}, 220 }, 221 ns: "foo", 222 method: "foo.Bar", 223 err: "", 224 }, 225 { 226 name: "MicroUserAccessingMicro", 227 acc: &auth.Account{ 228 ID: "1", 229 Type: "user", 230 Issuer: "micro", 231 Metadata: nil, 232 Scopes: []string{}, 233 }, 234 ns: "micro", 235 method: "foo.Bar", 236 err: "Unauthorized", 237 }, 238 { 239 name: "MicroUserAccessingFoo", 240 acc: &auth.Account{ 241 ID: "1", 242 Type: "user", 243 Issuer: "micro", 244 Metadata: nil, 245 Scopes: []string{}, 246 }, 247 ns: "foo", 248 method: "foo.Bar", 249 err: "Forbidden", 250 }, 251 { 252 name: "FooAdminAccessingMicro", 253 acc: &auth.Account{ 254 ID: "1", 255 Type: "user", 256 Issuer: "foo", 257 Metadata: nil, 258 Scopes: []string{"admin"}, 259 }, 260 ns: "micro", 261 method: "foo.Bar", 262 err: "Forbidden", 263 }, 264 { 265 name: "FooAdminAccessingFoo", 266 acc: &auth.Account{ 267 ID: "1", 268 Type: "user", 269 Issuer: "foo", 270 Metadata: nil, 271 Scopes: []string{"admin"}, 272 }, 273 ns: "foo", 274 method: "foo.Bar", 275 }, 276 { 277 name: "FooUserAccessingMicro", 278 acc: &auth.Account{ 279 ID: "1", 280 Type: "user", 281 Issuer: "foo", 282 Metadata: nil, 283 Scopes: []string{}, 284 }, 285 ns: "micro", 286 method: "foo.Bar", 287 err: "Forbidden", 288 }, 289 { 290 name: "FooUserAccessingFoo", 291 acc: &auth.Account{ 292 ID: "1", 293 Type: "user", 294 Issuer: "foo", 295 Metadata: nil, 296 Scopes: []string{}, 297 }, 298 ns: "foo", 299 method: "foo.Bar", 300 err: "Unauthorized", 301 }, 302 303 { 304 name: "MicroServiceAccessingMicro", 305 acc: &auth.Account{ 306 ID: "1", 307 Type: "service", 308 Issuer: "micro", 309 Metadata: nil, 310 Scopes: []string{"service"}, 311 }, 312 ns: "micro", 313 method: "foo.Bar", 314 err: "", 315 }, 316 { 317 name: "MicroServiceAccessingFoo", 318 acc: &auth.Account{ 319 ID: "1", 320 Type: "service", 321 Issuer: "micro", 322 Metadata: nil, 323 Scopes: []string{"service"}, 324 }, 325 ns: "foo", 326 method: "foo.Bar", 327 err: "", 328 }, 329 { 330 name: "FooServiceAccessingMicro", 331 acc: &auth.Account{ 332 ID: "1", 333 Type: "service", 334 Issuer: "foo", 335 Metadata: nil, 336 Scopes: []string{"service"}, 337 }, 338 ns: "micro", 339 method: "foo.Bar", 340 err: "Forbidden", 341 }, 342 { 343 name: "FooServiceAccessingFoo", 344 acc: &auth.Account{ 345 ID: "1", 346 Type: "service", 347 Issuer: "foo", 348 Metadata: nil, 349 Scopes: []string{"service"}, 350 }, 351 ns: "foo", 352 method: "foo.Bar", 353 }, 354 } 355 for _, tc := range tcs { 356 t.Run(tc.name, func(t *testing.T) { 357 358 ctx := context.TODO() 359 err := AuthorizeAdmin(auth.ContextWithAccount(ctx, tc.acc), tc.ns, tc.method) 360 if tc.err != "" { 361 assert.NotNil(t, err) 362 assert.Contains(t, err.Error(), tc.err) 363 } else { 364 assert.Nil(t, err) 365 } 366 }) 367 } 368 } 369 370 func TestHasTypeAndScope(t *testing.T) { 371 tcs := []struct { 372 name string 373 atype string 374 scope string 375 scopes []string 376 result bool 377 }{ 378 { 379 name: "hasScope", 380 scope: "admin", 381 382 scopes: []string{"developer", "admin", "analyst"}, 383 result: true, 384 }, 385 { 386 name: "hasScopeSingle", 387 scope: "admin", 388 scopes: []string{"admin"}, 389 result: true, 390 }, 391 { 392 name: "noScope", 393 scope: "admin", 394 scopes: []string{}, 395 result: false, 396 }, 397 { 398 name: "noMatch", 399 scope: "developer", 400 scopes: []string{"admin", "analyst"}, 401 result: false, 402 }, 403 } 404 405 for _, tc := range tcs { 406 t.Run(tc.name, func(t *testing.T) { 407 acc := auth.Account{ 408 ID: tc.name, 409 Type: tc.atype, 410 Issuer: "foobar", 411 Scopes: tc.scopes, 412 Name: tc.name, 413 } 414 assert.Equal(t, tc.result, hasTypeAndScope(tc.atype, tc.scope, &acc)) 415 }) 416 417 } 418 }