go-micro.dev/v5@v5.12.0/auth/rules_test.go (about) 1 package auth 2 3 import ( 4 "testing" 5 ) 6 7 func TestVerify(t *testing.T) { 8 srvResource := &Resource{ 9 Type: "service", 10 Name: "go.micro.service.foo", 11 Endpoint: "Foo.Bar", 12 } 13 14 webResource := &Resource{ 15 Type: "service", 16 Name: "go.micro.web.foo", 17 Endpoint: "/foo/bar", 18 } 19 20 catchallResource := &Resource{ 21 Type: "*", 22 Name: "*", 23 Endpoint: "*", 24 } 25 26 tt := []struct { 27 Name string 28 Rules []*Rule 29 Account *Account 30 Resource *Resource 31 Error error 32 }{ 33 { 34 Name: "NoRules", 35 Rules: []*Rule{}, 36 Account: nil, 37 Resource: srvResource, 38 Error: ErrForbidden, 39 }, 40 { 41 Name: "CatchallPublicAccount", 42 Account: &Account{}, 43 Resource: srvResource, 44 Rules: []*Rule{ 45 { 46 Scope: "", 47 Resource: catchallResource, 48 }, 49 }, 50 }, 51 { 52 Name: "CatchallPublicNoAccount", 53 Resource: srvResource, 54 Rules: []*Rule{ 55 { 56 Scope: "", 57 Resource: catchallResource, 58 }, 59 }, 60 }, 61 { 62 Name: "CatchallPrivateAccount", 63 Account: &Account{}, 64 Resource: srvResource, 65 Rules: []*Rule{ 66 { 67 Scope: "*", 68 Resource: catchallResource, 69 }, 70 }, 71 }, 72 { 73 Name: "CatchallPrivateNoAccount", 74 Resource: srvResource, 75 Rules: []*Rule{ 76 { 77 Scope: "*", 78 Resource: catchallResource, 79 }, 80 }, 81 Error: ErrForbidden, 82 }, 83 { 84 Name: "CatchallServiceRuleMatch", 85 Resource: srvResource, 86 Account: &Account{}, 87 Rules: []*Rule{ 88 { 89 Scope: "*", 90 Resource: &Resource{ 91 Type: srvResource.Type, 92 Name: srvResource.Name, 93 Endpoint: "*", 94 }, 95 }, 96 }, 97 }, 98 { 99 Name: "CatchallServiceRuleNoMatch", 100 Resource: srvResource, 101 Account: &Account{}, 102 Rules: []*Rule{ 103 { 104 Scope: "*", 105 Resource: &Resource{ 106 Type: srvResource.Type, 107 Name: "wrongname", 108 Endpoint: "*", 109 }, 110 }, 111 }, 112 Error: ErrForbidden, 113 }, 114 { 115 Name: "ExactRuleValidScope", 116 Resource: srvResource, 117 Account: &Account{ 118 Scopes: []string{"neededscope"}, 119 }, 120 Rules: []*Rule{ 121 { 122 Scope: "neededscope", 123 Resource: srvResource, 124 }, 125 }, 126 }, 127 { 128 Name: "ExactRuleInvalidScope", 129 Resource: srvResource, 130 Account: &Account{ 131 Scopes: []string{"neededscope"}, 132 }, 133 Rules: []*Rule{ 134 { 135 Scope: "invalidscope", 136 Resource: srvResource, 137 }, 138 }, 139 Error: ErrForbidden, 140 }, 141 { 142 Name: "CatchallDenyWithAccount", 143 Resource: srvResource, 144 Account: &Account{}, 145 Rules: []*Rule{ 146 { 147 Scope: "*", 148 Resource: catchallResource, 149 Access: AccessDenied, 150 }, 151 }, 152 Error: ErrForbidden, 153 }, 154 { 155 Name: "CatchallDenyWithNoAccount", 156 Resource: srvResource, 157 Account: &Account{}, 158 Rules: []*Rule{ 159 { 160 Scope: "*", 161 Resource: catchallResource, 162 Access: AccessDenied, 163 }, 164 }, 165 Error: ErrForbidden, 166 }, 167 { 168 Name: "RulePriorityGrantFirst", 169 Resource: srvResource, 170 Account: &Account{}, 171 Rules: []*Rule{ 172 { 173 Scope: "*", 174 Resource: catchallResource, 175 Access: AccessGranted, 176 Priority: 1, 177 }, 178 { 179 Scope: "*", 180 Resource: catchallResource, 181 Access: AccessDenied, 182 Priority: 0, 183 }, 184 }, 185 }, 186 { 187 Name: "RulePriorityDenyFirst", 188 Resource: srvResource, 189 Account: &Account{}, 190 Rules: []*Rule{ 191 { 192 Scope: "*", 193 Resource: catchallResource, 194 Access: AccessGranted, 195 Priority: 0, 196 }, 197 { 198 Scope: "*", 199 Resource: catchallResource, 200 Access: AccessDenied, 201 Priority: 1, 202 }, 203 }, 204 Error: ErrForbidden, 205 }, 206 { 207 Name: "WebExactEndpointValid", 208 Resource: webResource, 209 Account: &Account{}, 210 Rules: []*Rule{ 211 { 212 Scope: "*", 213 Resource: webResource, 214 }, 215 }, 216 }, 217 { 218 Name: "WebExactEndpointInalid", 219 Resource: webResource, 220 Account: &Account{}, 221 Rules: []*Rule{ 222 { 223 Scope: "*", 224 Resource: &Resource{ 225 Type: webResource.Type, 226 Name: webResource.Name, 227 Endpoint: "invalidendpoint", 228 }, 229 }, 230 }, 231 Error: ErrForbidden, 232 }, 233 { 234 Name: "WebWildcardEndpoint", 235 Resource: webResource, 236 Account: &Account{}, 237 Rules: []*Rule{ 238 { 239 Scope: "*", 240 Resource: &Resource{ 241 Type: webResource.Type, 242 Name: webResource.Name, 243 Endpoint: "*", 244 }, 245 }, 246 }, 247 }, 248 { 249 Name: "WebWildcardPathEndpointValid", 250 Resource: webResource, 251 Account: &Account{}, 252 Rules: []*Rule{ 253 { 254 Scope: "*", 255 Resource: &Resource{ 256 Type: webResource.Type, 257 Name: webResource.Name, 258 Endpoint: "/foo/*", 259 }, 260 }, 261 }, 262 }, 263 { 264 Name: "WebWildcardPathEndpointInvalid", 265 Resource: webResource, 266 Account: &Account{}, 267 Rules: []*Rule{ 268 { 269 Scope: "*", 270 Resource: &Resource{ 271 Type: webResource.Type, 272 Name: webResource.Name, 273 Endpoint: "/bar/*", 274 }, 275 }, 276 }, 277 Error: ErrForbidden, 278 }, 279 } 280 281 for _, tc := range tt { 282 t.Run(tc.Name, func(t *testing.T) { 283 if err := Verify(tc.Rules, tc.Account, tc.Resource); err != tc.Error { 284 t.Errorf("Expected %v but got %v", tc.Error, err) 285 } 286 }) 287 } 288 }