github.com/tickoalcantara12/micro/v3@v3.0.0-20221007104245-9d75b9bcbab9/util/auth/rules/rules_test.go (about) 1 // Copyright 2020 Asim Aslam 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 // 15 // Original source: github.com/micro/go-micro/v3/auth/rules_test.go 16 17 package rules 18 19 import ( 20 "testing" 21 22 "github.com/tickoalcantara12/micro/v3/service/auth" 23 ) 24 25 func TestVerify(t *testing.T) { 26 srvResource := &auth.Resource{ 27 Type: "service", 28 Name: "go.micro.service.foo", 29 Endpoint: "Foo.Bar", 30 } 31 32 webResource := &auth.Resource{ 33 Type: "service", 34 Name: "go.micro.web.foo", 35 Endpoint: "/foo/bar", 36 } 37 38 catchallResource := &auth.Resource{ 39 Type: "*", 40 Name: "*", 41 Endpoint: "*", 42 } 43 44 tt := []struct { 45 Name string 46 Rules []*auth.Rule 47 Account *auth.Account 48 Resource *auth.Resource 49 Error error 50 Options []auth.VerifyOption 51 }{ 52 { 53 Name: "NoRules", 54 Rules: []*auth.Rule{}, 55 Account: nil, 56 Resource: srvResource, 57 Error: auth.ErrForbidden, 58 }, 59 { 60 Name: "CatchallPublicAccount", 61 Account: &auth.Account{}, 62 Resource: srvResource, 63 Rules: []*auth.Rule{ 64 &auth.Rule{ 65 Scope: "", 66 Resource: catchallResource, 67 }, 68 }, 69 }, 70 { 71 Name: "CatchallPublicNoAccount", 72 Resource: srvResource, 73 Rules: []*auth.Rule{ 74 &auth.Rule{ 75 Scope: "", 76 Resource: catchallResource, 77 }, 78 }, 79 }, 80 { 81 Name: "CatchallPrivateAccount", 82 Account: &auth.Account{}, 83 Resource: srvResource, 84 Rules: []*auth.Rule{ 85 &auth.Rule{ 86 Scope: "*", 87 Resource: catchallResource, 88 }, 89 }, 90 }, 91 { 92 Name: "CatchallPrivateNoAccount", 93 Resource: srvResource, 94 Rules: []*auth.Rule{ 95 &auth.Rule{ 96 Scope: "*", 97 Resource: catchallResource, 98 }, 99 }, 100 Error: auth.ErrForbidden, 101 }, 102 { 103 Name: "CatchallServiceRuleMatch", 104 Resource: srvResource, 105 Account: &auth.Account{}, 106 Rules: []*auth.Rule{ 107 &auth.Rule{ 108 Scope: "*", 109 Resource: &auth.Resource{ 110 Type: srvResource.Type, 111 Name: srvResource.Name, 112 Endpoint: "*", 113 }, 114 }, 115 }, 116 }, 117 { 118 Name: "CatchallServiceRuleNoMatch", 119 Resource: srvResource, 120 Account: &auth.Account{}, 121 Rules: []*auth.Rule{ 122 &auth.Rule{ 123 Scope: "*", 124 Resource: &auth.Resource{ 125 Type: srvResource.Type, 126 Name: "wrongname", 127 Endpoint: "*", 128 }, 129 }, 130 }, 131 Error: auth.ErrForbidden, 132 }, 133 { 134 Name: "ExactRuleValidScope", 135 Resource: srvResource, 136 Account: &auth.Account{ 137 Scopes: []string{"neededscope"}, 138 }, 139 Rules: []*auth.Rule{ 140 &auth.Rule{ 141 Scope: "neededscope", 142 Resource: srvResource, 143 }, 144 }, 145 }, 146 { 147 Name: "ExactRuleInvalidScope", 148 Resource: srvResource, 149 Account: &auth.Account{ 150 Scopes: []string{"neededscope"}, 151 }, 152 Rules: []*auth.Rule{ 153 &auth.Rule{ 154 Scope: "invalidscope", 155 Resource: srvResource, 156 }, 157 }, 158 Error: auth.ErrForbidden, 159 }, 160 { 161 Name: "CatchallDenyWithAccount", 162 Resource: srvResource, 163 Account: &auth.Account{}, 164 Rules: []*auth.Rule{ 165 &auth.Rule{ 166 Scope: "*", 167 Resource: catchallResource, 168 Access: auth.AccessDenied, 169 }, 170 }, 171 Error: auth.ErrForbidden, 172 }, 173 { 174 Name: "CatchallDenyWithNoAccount", 175 Resource: srvResource, 176 Account: &auth.Account{}, 177 Rules: []*auth.Rule{ 178 &auth.Rule{ 179 Scope: "*", 180 Resource: catchallResource, 181 Access: auth.AccessDenied, 182 }, 183 }, 184 Error: auth.ErrForbidden, 185 }, 186 { 187 Name: "RulePriorityGrantFirst", 188 Resource: srvResource, 189 Account: &auth.Account{}, 190 Rules: []*auth.Rule{ 191 &auth.Rule{ 192 Scope: "*", 193 Resource: catchallResource, 194 Access: auth.AccessGranted, 195 Priority: 1, 196 }, 197 &auth.Rule{ 198 Scope: "*", 199 Resource: catchallResource, 200 Access: auth.AccessDenied, 201 Priority: 0, 202 }, 203 }, 204 }, 205 { 206 Name: "RulePriorityDenyFirst", 207 Resource: srvResource, 208 Account: &auth.Account{}, 209 Rules: []*auth.Rule{ 210 &auth.Rule{ 211 Scope: "*", 212 Resource: catchallResource, 213 Access: auth.AccessGranted, 214 Priority: 0, 215 }, 216 &auth.Rule{ 217 Scope: "*", 218 Resource: catchallResource, 219 Access: auth.AccessDenied, 220 Priority: 1, 221 }, 222 }, 223 Error: auth.ErrForbidden, 224 }, 225 { 226 Name: "WebExactEndpointValid", 227 Resource: webResource, 228 Account: &auth.Account{}, 229 Rules: []*auth.Rule{ 230 &auth.Rule{ 231 Scope: "*", 232 Resource: webResource, 233 }, 234 }, 235 }, 236 { 237 Name: "WebExactEndpointInalid", 238 Resource: webResource, 239 Account: &auth.Account{}, 240 Rules: []*auth.Rule{ 241 &auth.Rule{ 242 Scope: "*", 243 Resource: &auth.Resource{ 244 Type: webResource.Type, 245 Name: webResource.Name, 246 Endpoint: "invalidendpoint", 247 }, 248 }, 249 }, 250 Error: auth.ErrForbidden, 251 }, 252 { 253 Name: "WebWildcardEndpoint", 254 Resource: webResource, 255 Account: &auth.Account{}, 256 Rules: []*auth.Rule{ 257 &auth.Rule{ 258 Scope: "*", 259 Resource: &auth.Resource{ 260 Type: webResource.Type, 261 Name: webResource.Name, 262 Endpoint: "*", 263 }, 264 }, 265 }, 266 }, 267 { 268 Name: "WebWildcardPathEndpointValid", 269 Resource: webResource, 270 Account: &auth.Account{}, 271 Rules: []*auth.Rule{ 272 &auth.Rule{ 273 Scope: "*", 274 Resource: &auth.Resource{ 275 Type: webResource.Type, 276 Name: webResource.Name, 277 Endpoint: "/foo/*", 278 }, 279 }, 280 }, 281 }, 282 { 283 Name: "WebWildcardPathEndpointInvalid", 284 Resource: webResource, 285 Account: &auth.Account{}, 286 Rules: []*auth.Rule{ 287 &auth.Rule{ 288 Scope: "*", 289 Resource: &auth.Resource{ 290 Type: webResource.Type, 291 Name: webResource.Name, 292 Endpoint: "/bar/*", 293 }, 294 }, 295 }, 296 Error: auth.ErrForbidden, 297 }, 298 { 299 Name: "CrossNamespaceForbidden", 300 Resource: srvResource, 301 Account: &auth.Account{Issuer: "foo"}, 302 Rules: []*auth.Rule{ 303 &auth.Rule{ 304 Scope: "*", 305 Resource: catchallResource, 306 }, 307 }, 308 Error: auth.ErrForbidden, 309 Options: []auth.VerifyOption{auth.VerifyNamespace("bar")}, 310 }, 311 { 312 Name: "CrossNamespaceNilAccountForbidden", 313 Resource: srvResource, 314 Account: &auth.Account{}, 315 Rules: []*auth.Rule{ 316 &auth.Rule{ 317 Scope: "*", 318 Resource: catchallResource, 319 }, 320 }, 321 Error: auth.ErrForbidden, 322 Options: []auth.VerifyOption{auth.VerifyNamespace("bar")}, 323 }, 324 { 325 Name: "CrossNamespacePublic", 326 Resource: srvResource, 327 Account: &auth.Account{Issuer: "foo"}, 328 Rules: []*auth.Rule{ 329 &auth.Rule{ 330 Scope: auth.ScopePublic, 331 Resource: catchallResource, 332 }, 333 }, 334 Options: []auth.VerifyOption{auth.VerifyNamespace("bar")}, 335 }, 336 { 337 Name: "CrossNamespacePublicNilAccount", 338 Resource: srvResource, 339 Account: &auth.Account{}, 340 Rules: []*auth.Rule{ 341 &auth.Rule{ 342 Scope: auth.ScopePublic, 343 Resource: catchallResource, 344 }, 345 }, 346 Options: []auth.VerifyOption{auth.VerifyNamespace("bar")}, 347 }, 348 { 349 Name: "CrossNamespaceCrossIssuerTrue", 350 Resource: &auth.Resource{ 351 Type: "service", 352 Name: "runtime", 353 Endpoint: "Runtime.Read", 354 }, 355 Account: &auth.Account{ 356 ID: "admin", 357 Type: "user", 358 Issuer: "foo-bar-baz", 359 Scopes: []string{"admin"}, 360 Name: "admin", 361 }, 362 Rules: []*auth.Rule{ 363 &auth.Rule{ 364 ID: "runtimepublic", 365 Scope: auth.ScopeAnyNamespaceAccount, 366 Resource: &auth.Resource{ 367 Name: "runtime", 368 Type: "service", 369 Endpoint: "*", 370 }, 371 Access: auth.AccessGranted, 372 Priority: 1, 373 }, 374 }, 375 Options: []auth.VerifyOption{auth.VerifyNamespace("my-user-ns")}, 376 }, 377 { 378 Name: "CrossNamespaceCrossIssuerFalse", 379 Resource: &auth.Resource{ 380 Type: "service", 381 Name: "runtime", 382 Endpoint: "Runtime.Read", 383 }, 384 Account: &auth.Account{ 385 ID: "admin", 386 Type: "user", 387 Issuer: "foo-bar-baz", 388 Scopes: []string{"admin"}, 389 Name: "admin", 390 }, 391 Rules: []*auth.Rule{ 392 &auth.Rule{ 393 ID: "runtimepublic", 394 Scope: auth.ScopeAccount, 395 Resource: &auth.Resource{ 396 Name: "runtime", 397 Type: "service", 398 Endpoint: "*", 399 }, 400 Access: auth.AccessGranted, 401 Priority: 1, 402 }, 403 }, 404 Options: []auth.VerifyOption{auth.VerifyNamespace("my-user-ns")}, 405 Error: auth.ErrForbidden, 406 }, 407 } 408 409 for _, tc := range tt { 410 t.Run(tc.Name, func(t *testing.T) { 411 if err := VerifyAccess(tc.Rules, tc.Account, tc.Resource, tc.Options...); err != tc.Error { 412 t.Errorf("Expected %v but got %v", tc.Error, err) 413 } 414 }) 415 } 416 }