github.com/weaviate/weaviate@v1.24.6/usecases/auth/authorization/adminlist/authorizer_test.go (about) 1 // _ _ 2 // __ _____ __ ___ ___ __ _| |_ ___ 3 // \ \ /\ / / _ \/ _` \ \ / / |/ _` | __/ _ \ 4 // \ V V / __/ (_| |\ V /| | (_| | || __/ 5 // \_/\_/ \___|\__,_| \_/ |_|\__,_|\__\___| 6 // 7 // Copyright © 2016 - 2024 Weaviate B.V. All rights reserved. 8 // 9 // CONTACT: hello@weaviate.io 10 // 11 12 package adminlist 13 14 import ( 15 "testing" 16 17 "github.com/stretchr/testify/assert" 18 "github.com/weaviate/weaviate/entities/models" 19 "github.com/weaviate/weaviate/usecases/auth/authorization/errors" 20 ) 21 22 func Test_AdminList_Authorizer(t *testing.T) { 23 t.Run("with read requests", func(t *testing.T) { 24 t.Run("with no users configured at all", func(t *testing.T) { 25 cfg := Config{ 26 Enabled: true, 27 Users: []string{}, 28 } 29 30 principal := &models.Principal{ 31 Username: "johndoe", 32 } 33 34 err := New(cfg).Authorize(principal, "get", "things") 35 assert.Equal(t, errors.NewForbidden(principal, "get", "things"), err, 36 "should have the correct err msg") 37 }) 38 39 t.Run("with a nil principal", func(t *testing.T) { 40 cfg := Config{ 41 Enabled: true, 42 Users: []string{}, 43 } 44 45 principal := (*models.Principal)(nil) 46 err := New(cfg).Authorize(principal, "get", "things") 47 assert.Equal(t, errors.NewForbidden(newAnonymousPrincipal(), "get", "things"), err, 48 "should have the correct err msg") 49 }) 50 51 t.Run("with a non-configured user, it denies the request", func(t *testing.T) { 52 cfg := Config{ 53 Enabled: true, 54 Users: []string{ 55 "alice", 56 }, 57 } 58 59 principal := &models.Principal{ 60 Username: "johndoe", 61 } 62 63 err := New(cfg).Authorize(principal, "get", "things") 64 assert.Equal(t, errors.NewForbidden(principal, "get", "things"), err, 65 "should have the correct err msg") 66 }) 67 68 t.Run("with a configured admin user, it allows the request", func(t *testing.T) { 69 cfg := Config{ 70 Enabled: true, 71 Users: []string{ 72 "alice", 73 "johndoe", 74 }, 75 } 76 77 principal := &models.Principal{ 78 Username: "johndoe", 79 } 80 81 err := New(cfg).Authorize(principal, "get", "things") 82 assert.Nil(t, err) 83 }) 84 85 t.Run("with a configured read-only user, it allows the request", func(t *testing.T) { 86 cfg := Config{ 87 Enabled: true, 88 ReadOnlyUsers: []string{ 89 "alice", 90 "johndoe", 91 }, 92 } 93 94 principal := &models.Principal{ 95 Username: "johndoe", 96 } 97 98 err := New(cfg).Authorize(principal, "get", "things") 99 assert.Nil(t, err) 100 }) 101 102 t.Run("with anonymous as read-only user and no principal, it allows the request", func(t *testing.T) { 103 cfg := Config{ 104 Enabled: true, 105 ReadOnlyUsers: []string{ 106 "anonymous", 107 }, 108 } 109 110 principal := (*models.Principal)(nil) 111 err := New(cfg).Authorize(principal, "get", "things") 112 assert.Nil(t, err) 113 }) 114 }) 115 116 t.Run("with a non-configured group, it denies the request", func(t *testing.T) { 117 cfg := Config{ 118 Enabled: true, 119 Groups: []string{ 120 "band", 121 }, 122 } 123 124 principal := &models.Principal{ 125 Username: "alice", 126 Groups: []string{ 127 "posse", 128 }, 129 } 130 err := New(cfg).Authorize(principal, "get", "things") 131 assert.Equal(t, errors.NewForbidden(principal, "get", "things"), err, 132 "should have the correct err msg") 133 }) 134 135 t.Run("with a configured admin group, it allows the request", func(t *testing.T) { 136 cfg := Config{ 137 Enabled: true, 138 Groups: []string{ 139 "band", 140 "posse", 141 }, 142 } 143 144 principal := &models.Principal{ 145 Username: "alice", 146 Groups: []string{ 147 "posse", 148 }, 149 } 150 err := New(cfg).Authorize(principal, "get", "things") 151 assert.Nil(t, err) 152 }) 153 154 t.Run("with a configured read-only group, it allows the request", func(t *testing.T) { 155 cfg := Config{ 156 Enabled: true, 157 ReadOnlyGroups: []string{ 158 "band", 159 "posse", 160 }, 161 } 162 163 principal := &models.Principal{ 164 Username: "johndoe", 165 Groups: []string{ 166 "posse", 167 }, 168 } 169 170 err := New(cfg).Authorize(principal, "get", "things") 171 assert.Nil(t, err) 172 }) 173 174 t.Run("with a configured admin user and non-configured group, it allows the request", func(t *testing.T) { 175 cfg := Config{ 176 Enabled: true, 177 Users: []string{ 178 "alice", 179 "johndoe", 180 }, 181 Groups: []string{ 182 "band", 183 }, 184 } 185 186 principal := &models.Principal{ 187 Username: "johndoe", 188 Groups: []string{ 189 "posse", 190 }, 191 } 192 193 err := New(cfg).Authorize(principal, "get", "things") 194 assert.Nil(t, err) 195 }) 196 197 t.Run("with a configured read-only user and non-configured read-only group, it allows the request", func(t *testing.T) { 198 cfg := Config{ 199 Enabled: true, 200 ReadOnlyUsers: []string{ 201 "alice", 202 "johndoe", 203 }, 204 ReadOnlyGroups: []string{ 205 "band", 206 }, 207 } 208 209 principal := &models.Principal{ 210 Username: "johndoe", 211 Groups: []string{ 212 "posse", 213 }, 214 } 215 216 err := New(cfg).Authorize(principal, "get", "things") 217 assert.Nil(t, err) 218 }) 219 220 t.Run("with write/delete requests", func(t *testing.T) { 221 t.Run("with a nil principal", func(t *testing.T) { 222 cfg := Config{ 223 Enabled: true, 224 Users: []string{}, 225 } 226 227 principal := (*models.Principal)(nil) 228 err := New(cfg).Authorize(principal, "create", "things") 229 assert.Equal(t, errors.NewForbidden(newAnonymousPrincipal(), "create", "things"), err, 230 "should have the correct err msg") 231 }) 232 233 t.Run("with no users configured at all", func(t *testing.T) { 234 cfg := Config{ 235 Enabled: true, 236 Users: []string{}, 237 } 238 239 principal := &models.Principal{ 240 Username: "johndoe", 241 } 242 243 err := New(cfg).Authorize(principal, "create", "things") 244 assert.Equal(t, errors.NewForbidden(principal, "create", "things"), err, 245 "should have the correct err msg") 246 }) 247 248 t.Run("with a non-configured user, it denies the request", func(t *testing.T) { 249 cfg := Config{ 250 Enabled: true, 251 Users: []string{ 252 "alice", 253 }, 254 } 255 256 principal := &models.Principal{ 257 Username: "johndoe", 258 } 259 260 err := New(cfg).Authorize(principal, "create", "things") 261 assert.Equal(t, errors.NewForbidden(principal, "create", "things"), err, 262 "should have the correct err msg") 263 }) 264 265 t.Run("with an empty user, it denies the request", func(t *testing.T) { 266 cfg := Config{ 267 Enabled: true, 268 Users: []string{ 269 "alice", 270 }, 271 } 272 273 principal := &models.Principal{ 274 Username: "", 275 } 276 277 err := New(cfg).Authorize(principal, "create", "things") 278 assert.Equal(t, errors.NewForbidden(principal, "create", "things"), err, 279 "should have the correct err msg") 280 }) 281 282 t.Run("with a configured admin user, it allows the request", func(t *testing.T) { 283 cfg := Config{ 284 Enabled: true, 285 Users: []string{ 286 "alice", 287 "johndoe", 288 }, 289 } 290 291 principal := &models.Principal{ 292 Username: "johndoe", 293 } 294 295 err := New(cfg).Authorize(principal, "create", "things") 296 assert.Nil(t, err) 297 }) 298 299 t.Run("with a configured read-only user, it denies the request", func(t *testing.T) { 300 cfg := Config{ 301 Enabled: true, 302 ReadOnlyUsers: []string{ 303 "alice", 304 "johndoe", 305 }, 306 } 307 308 principal := &models.Principal{ 309 Username: "johndoe", 310 } 311 312 err := New(cfg).Authorize(principal, "create", "things") 313 assert.Equal(t, errors.NewForbidden(principal, "create", "things"), err, 314 "should have the correct err msg") 315 }) 316 317 t.Run("with anonymous on the read-only list and a nil principal", func(t *testing.T) { 318 cfg := Config{ 319 Enabled: true, 320 Users: []string{}, 321 ReadOnlyUsers: []string{ 322 "anonymous", 323 }, 324 } 325 326 principal := (*models.Principal)(nil) 327 err := New(cfg).Authorize(principal, "create", "things") 328 assert.Equal(t, errors.NewForbidden(newAnonymousPrincipal(), "create", "things"), err, 329 "should have the correct err msg") 330 }) 331 332 t.Run("with a non-configured group, it denies the request", func(t *testing.T) { 333 cfg := Config{ 334 Enabled: true, 335 Groups: []string{ 336 "band", 337 }, 338 } 339 340 principal := &models.Principal{ 341 Username: "johndoe", 342 Groups: []string{ 343 "posse", 344 }, 345 } 346 err := New(cfg).Authorize(principal, "create", "things") 347 assert.Equal(t, errors.NewForbidden(principal, "create", "things"), err, 348 "should have the correct err msg") 349 }) 350 351 t.Run("with an empty group, it denies the request", func(t *testing.T) { 352 cfg := Config{ 353 Enabled: true, 354 Groups: []string{ 355 "band", 356 }, 357 } 358 359 principal := &models.Principal{ 360 Username: "johndoe", 361 Groups: []string{}, 362 } 363 err := New(cfg).Authorize(principal, "create", "things") 364 assert.Equal(t, errors.NewForbidden(principal, "create", "things"), err, 365 "should have the correct err msg") 366 }) 367 368 t.Run("with a configured admin group, it allows the request", func(t *testing.T) { 369 cfg := Config{ 370 Enabled: true, 371 Groups: []string{ 372 "band", 373 "posse", 374 }, 375 } 376 377 principal := &models.Principal{ 378 Username: "johndoe", 379 Groups: []string{ 380 "band", 381 }, 382 } 383 err := New(cfg).Authorize(principal, "create", "things") 384 assert.Nil(t, err) 385 }) 386 387 t.Run("with a configured read-only group, it denies the request", func(t *testing.T) { 388 cfg := Config{ 389 Enabled: true, 390 ReadOnlyGroups: []string{ 391 "band", 392 "posse", 393 }, 394 } 395 396 principal := &models.Principal{ 397 Username: "johndoe", 398 Groups: []string{ 399 "posse", 400 }, 401 } 402 403 err := New(cfg).Authorize(principal, "create", "things") 404 assert.Equal(t, errors.NewForbidden(principal, "create", "things"), err, 405 "should have the correct err msg") 406 }) 407 408 t.Run("with a configured admin user and non-configured group, it allows the request", func(t *testing.T) { 409 cfg := Config{ 410 Enabled: true, 411 Users: []string{ 412 "alice", 413 "johndoe", 414 }, 415 Groups: []string{ 416 "band", 417 }, 418 } 419 420 principal := &models.Principal{ 421 Username: "johndoe", 422 Groups: []string{ 423 "posse", 424 }, 425 } 426 427 err := New(cfg).Authorize(principal, "create", "things") 428 assert.Nil(t, err) 429 }) 430 }) 431 }