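// Source: github.com/wrgl/wrgl@v0.14.0/pkg/auth/fs/authz_test.go

// SPDX-License-Identifier: Apache-2.0
// Copyright © 2022 Wrangle Ltd

package authfs

import (
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"github.com/wrgl/wrgl/pkg/auth"
	"github.com/wrgl/wrgl/pkg/local"
	"github.com/wrgl/wrgl/pkg/testutils"
)

// TestAuthzStore exercises the policy life cycle of the file-backed
// authorization store: adding policies, checking them with Authorized,
// listing them, removing one, and confirming that both the grant and the
// revocation survive a Flush followed by re-opening the store on the same
// repo directory.
//
// NOTE(review): every subject checked here has at least one policy. There is
// no case for a subject with no policies at all; a default-deny assertion for
// that case would be worth adding once the expected result (false vs. error)
// is confirmed against the store implementation.
func TestAuthzStore(t *testing.T) {
	dir, err := testutils.TempDir("", "test_flatdb")
	require.NoError(t, err)
	defer os.RemoveAll(dir)
	rd, err := local.NewRepoDir(dir, "")
	require.NoError(t, err)
	defer rd.Close()

	s, err := NewAuthzStore(rd)
	require.NoError(t, err)
	// Each store is closed at the end of the test, matching
	// TestAuthzStoreWatchFile. The defer captures the current value of s, so
	// the later reassignments do not change which store this call closes.
	defer s.Close()

	email1 := "alice@domain.com"
	email2 := "bob@domain.com"
	require.NoError(t, s.AddPolicy(email1, auth.ScopeRepoRead))
	require.NoError(t, s.AddPolicy(email2, auth.ScopeRepoRead))
	require.NoError(t, s.AddPolicy(email2, auth.ScopeRepoWrite))

	r, err := http.NewRequest(http.MethodGet, "/", nil)
	require.NoError(t, err)

	// A granted scope is allowed.
	ok, err := s.Authorized(r, email1, auth.ScopeRepoRead)
	require.NoError(t, err)
	assert.True(t, ok)
	// Holding the read scope must not imply the write scope.
	ok, err = s.Authorized(r, email1, auth.ScopeRepoWrite)
	require.NoError(t, err)
	assert.False(t, ok)
	ok, err = s.Authorized(r, email2, auth.ScopeRepoWrite)
	require.NoError(t, err)
	assert.True(t, ok)

	scopes, err := s.ListPolicies(email1)
	require.NoError(t, err)
	assert.Equal(t, []string{auth.ScopeRepoRead}, scopes)
	scopes, err = s.ListPolicies(email2)
	require.NoError(t, err)
	assert.Equal(t, []string{auth.ScopeRepoRead, auth.ScopeRepoWrite}, scopes)

	require.NoError(t, s.Flush())

	// Re-open the store: the flushed grant must still be in effect.
	s, err = NewAuthzStore(rd)
	require.NoError(t, err)
	defer s.Close()
	ok, err = s.Authorized(r, email1, auth.ScopeRepoRead)
	require.NoError(t, err)
	assert.True(t, ok)
	// Revocation takes effect immediately on the live store ...
	require.NoError(t, s.RemovePolicy(email1, auth.ScopeRepoRead))
	ok, err = s.Authorized(r, email1, auth.ScopeRepoRead)
	require.NoError(t, err)
	assert.False(t, ok)

	require.NoError(t, s.Flush())

	// ... and stays revoked after flushing and re-opening, i.e. a removed
	// policy is not resurrected from disk.
	s, err = NewAuthzStore(rd)
	require.NoError(t, err)
	defer s.Close()
	ok, err = s.Authorized(r, email1, auth.ScopeRepoRead)
	require.NoError(t, err)
	assert.False(t, ok)
}

// TestAuthzStoreWatchFile checks that a policy line written directly to
// authz.csv in the repo directory is picked up by an already-open store
// without any call on the store itself.
//
// The consequence for deployments is that write access to authz.csv is
// equivalent to the ability to grant scopes, so the file's permissions should
// be restricted accordingly.
//
// NOTE(review): only a well-formed policy line is covered. How the store
// treats a malformed or partially written file during reload is not tested
// here.
func TestAuthzStoreWatchFile(t *testing.T) {
	dir, err := testutils.TempDir("", "test_flatdb")
	require.NoError(t, err)
	defer os.RemoveAll(dir)
	rd, err := local.NewRepoDir(dir, "")
	require.NoError(t, err)
	defer rd.Close()

	s, err := NewAuthzStore(rd)
	require.NoError(t, err)
	defer s.Close()

	const user = "john.doe@domain.com"

	f, err := os.Create(filepath.Join(dir, "authz.csv"))
	require.NoError(t, err)
	_, err = fmt.Fprintf(f, "p, %s, -, %s\n", user, auth.ScopeRepoRead)
	require.NoError(t, err)
	require.NoError(t, f.Close())

	// Poll for the reload instead of sleeping for a fixed 100ms: a fixed
	// sleep makes the test fail on a slow or loaded machine even though the
	// store behaves correctly.
	require.Eventually(t, func() bool {
		got, err := s.ListPolicies(user)
		return err == nil && len(got) > 0
	}, 2*time.Second, 10*time.Millisecond, "store did not pick up the policy written to authz.csv")

	scopes, err := s.ListPolicies(user)
	require.NoError(t, err)
	assert.Equal(t, []string{auth.ScopeRepoRead}, scopes)
}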