// Copyright 2021 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package acls

import (
	"testing"

	"go.chromium.org/luci/server/auth"
	"go.chromium.org/luci/server/auth/authtest"

	cfgpb "go.chromium.org/luci/cv/api/config/v2"
	"go.chromium.org/luci/cv/internal/configs/prjcfg/prjcfgtest"
	"go.chromium.org/luci/cv/internal/configs/validation"
	"go.chromium.org/luci/cv/internal/cvtesting"

	. "github.com/smartystreets/goconvey/convey"
)

// TestCheckLegacy pins the access decisions of checkLegacyCQStatusAccess.
//
// Every denial below is asserted as (false, nil): the check reports "no
// access" through the boolean and not through the error, so a caller that
// only inspects err would treat a denial as success.
//
// Cases covered: a project that was never created, a disabled project, and
// projects whose CqStatusHost is empty or not one of the recognised hosts
// are all denied; validation.CQStatusHostPublic is allowed; and
// validation.CQStatusHostInternal is allowed only for a caller that is a
// member of cqStatusInternalCrIAGroup.
func TestCheckLegacy(t *testing.T) {
	t.Parallel()

	Convey("CheckLegacyCQStatusAccess works", t, func() {
		harness := cvtesting.Test{}
		ctx, cancel := harness.SetUp(t)
		defer cancel()

		// One config is shared by all cases; each case sets CqStatusHost
		// before creating its own project from it.
		cfg := &cfgpb.Config{
			CqStatusHost: "", // modified in tests below
			ConfigGroups: []*cfgpb.ConfigGroup{{
				Name: "first",
			}},
		}

		// access runs the check for project under the current ctx, requires
		// that no error is returned, and hands back the decision. It reads
		// ctx at call time, so the auth state installed by the nested cases
		// is the one that gets checked.
		access := func(project string) bool {
			granted, err := checkLegacyCQStatusAccess(ctx, project)
			So(err, ShouldBeNil)
			return granted
		}

		Convey("not existing project", func() {
			So(access("non-existing"), ShouldBeFalse)
		})

		Convey("existing but disabled project", func() {
			// Even if the previously configured CqStatusHost is public:
			// disabling the project must revoke the access it granted.
			cfg.CqStatusHost = validation.CQStatusHostPublic
			prjcfgtest.Create(ctx, "disabled", cfg)
			prjcfgtest.Disable(ctx, "disabled")
			So(access("disabled"), ShouldBeFalse)
		})

		Convey("without configured CQ Status", func() {
			cfg.CqStatusHost = ""
			prjcfgtest.Create(ctx, "no-legacy", cfg)
			So(access("no-legacy"), ShouldBeFalse)
		})

		Convey("with misconfigured CQ Status", func() {
			// Presumably a host matching neither validation.CQStatusHost*
			// constant; the expectation is deny rather than a fallback to
			// public access.
			cfg.CqStatusHost = "misconfigured.example.com"
			prjcfgtest.Create(ctx, "misconfigured", cfg)
			So(access("misconfigured"), ShouldBeFalse)
		})

		Convey("public access", func() {
			// No auth state is installed by this case; the caller is
			// whatever harness.SetUp left in ctx (not visible here).
			cfg.CqStatusHost = validation.CQStatusHostPublic
			prjcfgtest.Create(ctx, "public", cfg)
			So(access("public"), ShouldBeTrue)
		})

		Convey("internal CQ Status", func() {
			cfg.CqStatusHost = validation.CQStatusHostInternal
			prjcfgtest.Create(ctx, "internal", cfg)

			Convey("request by Googler is allowed", func() {
				// Membership in cqStatusInternalCrIAGroup is the only
				// difference from the denied case below.
				ctx = auth.WithState(ctx, &authtest.FakeState{
					Identity:       "user:googler@example.com",
					IdentityGroups: []string{cqStatusInternalCrIAGroup},
				})
				So(access("internal"), ShouldBeTrue)
			})

			Convey("request by non-Googler is not allowed", func() {
				// NOTE(review): this covers an authenticated identity with
				// no groups; a caller with no identity at all is not
				// exercised by this test.
				ctx = auth.WithState(ctx, &authtest.FakeState{
					Identity:       "user:hacker@example.com",
					IdentityGroups: []string{},
				})
				So(access("internal"), ShouldBeFalse)
			})
		})
	})
}