// go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/cipd/appengine/impl/cas/acled_test.go

// Copyright 2017 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cas

import (
	"context"
	"fmt"
	"testing"

	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"go.chromium.org/luci/auth/identity"
	"go.chromium.org/luci/server/auth"
	"go.chromium.org/luci/server/auth/authtest"

	api "go.chromium.org/luci/cipd/api/cipd/v1"

	. "github.com/smartystreets/goconvey/convey"
)

// TestACLDecorator pins the access decisions made by the server returned from
// Public for each storage RPC and each kind of caller.
//
// The wrapped server is api.UnimplementedStorageServer, so the gRPC status
// code doubles as the signal for the ACL outcome: codes.Unimplemented is
// asserted for calls expected to get past the access check, and
// codes.PermissionDenied for calls expected to be rejected.
func TestACLDecorator(t *testing.T) {
	t.Parallel()

	// Three caller classes: unauthenticated, authenticated without any group
	// membership, and a member of the "administrators" group.
	anonymous := identity.AnonymousIdentity
	regular := identity.Identity("user:someone@example.com")
	administrator := identity.Identity("user:admin@example.com")

	// A single fake auth state is attached to the context once; each case
	// below switches the effective caller by overwriting fakeState.Identity.
	fakeState := &authtest.FakeState{
		FakeDB: authtest.NewFakeDB(
			authtest.MockMembership(administrator, "administrators"),
		),
	}
	ctx := auth.WithState(context.Background(), fakeState)

	srv := Public(&api.UnimplementedStorageServer{})

	// One closure per request shape, so the table can refer to them by name.
	callGetObjectURL := func() (any, error) {
		return srv.GetObjectURL(ctx, nil)
	}
	callBeginUpload := func() (any, error) {
		return srv.BeginUpload(ctx, nil)
	}
	callFinishPlain := func() (any, error) {
		return srv.FinishUpload(ctx, &api.FinishUploadRequest{})
	}
	callFinishForced := func() (any, error) {
		return srv.FinishUpload(ctx, &api.FinishUploadRequest{ForceHash: &api.ObjectRef{}})
	}
	callCancel := func() (any, error) {
		return srv.CancelUpload(ctx, &api.CancelUploadRequest{})
	}

	table := []struct {
		rpc     string
		who     identity.Identity
		invoke  func() (any, error)
		allowed bool
	}{
		// Only the "administrators" member gets through.
		{"GetObjectURL", anonymous, callGetObjectURL, false},
		{"GetObjectURL", regular, callGetObjectURL, false},
		{"GetObjectURL", administrator, callGetObjectURL, true},

		// Only the "administrators" member gets through.
		{"BeginUpload", anonymous, callBeginUpload, false},
		{"BeginUpload", regular, callBeginUpload, false},
		{"BeginUpload", administrator, callBeginUpload, true},

		// Every caller, anonymous included, passes this layer.
		// NOTE(review): presumably authorization for finishing an upload is
		// enforced somewhere other than this decorator - confirm against the
		// wrapped implementation.
		{"FinishUpload", anonymous, callFinishPlain, true},
		{"FinishUpload", regular, callFinishPlain, true},
		{"FinishUpload", administrator, callFinishPlain, true},

		// A request carrying ForceHash is rejected for every caller through
		// the public server, the administrator included.
		{"FinishUpload", anonymous, callFinishForced, false},
		{"FinishUpload", regular, callFinishForced, false},
		{"FinishUpload", administrator, callFinishForced, false},

		// Every caller, anonymous included, passes this layer (same review
		// note as for FinishUpload without ForceHash).
		{"CancelUpload", anonymous, callCancel, true},
		{"CancelUpload", regular, callCancel, true},
		{"CancelUpload", administrator, callCancel, true},
	}

	for i, tc := range table {
		Convey(fmt.Sprintf("%d - %s by %s", i, tc.rpc, tc.who), t, func() {
			fakeState.Identity = tc.who

			// Default to the rejection code; an allowed call is expected to
			// fall through to the unimplemented backend instead.
			want := codes.PermissionDenied
			if tc.allowed {
				want = codes.Unimplemented
			}

			_, err := tc.invoke()
			So(status.Code(err), ShouldEqual, want)
		})
	}
}