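# Tests for the argument validation performed by acl.entry(...).

load("@stdlib//internal/luci/lib/acl.star", "acl")

def check_entry(entry, roles, groups = [], users = [], projects = []):
    """Asserts that each field of an ACL entry equals the expected value.

    The list defaults are only compared against, never mutated, so sharing
    them between calls is safe here.

    Args:
      entry: value returned by acl.entry(...).
      roles: expected value of `entry.roles`.
      groups: expected value of `entry.groups`.
      users: expected value of `entry.users`.
      projects: expected value of `entry.projects`.
    """
    assert.eq(entry.roles, roles)
    assert.eq(entry.groups, groups)
    assert.eq(entry.users, users)
    assert.eq(entry.projects, projects)

def test_roles_validation():
    """Checks which `roles` arguments acl.entry accepts and rejects."""

    # Entry without users or groups is OK.
    check_entry(
        entry = acl.entry(acl.BUILDBUCKET_READER),
        roles = [acl.BUILDBUCKET_READER],
    )

    # Many roles is OK.
    check_entry(
        entry = acl.entry([acl.BUILDBUCKET_READER, acl.BUILDBUCKET_TRIGGERER]),
        roles = [acl.BUILDBUCKET_READER, acl.BUILDBUCKET_TRIGGERER],
    )

    # No roles is NOT ok: an empty list, None and [None] are all rejected
    # with the same "missing" error.
    assert.fails(lambda: acl.entry([]), 'missing required field "roles"')
    assert.fails(lambda: acl.entry(None), 'missing required field "roles"')
    assert.fails(lambda: acl.entry([None]), 'missing required field "roles"')

    # Invalid type is NOT ok: a role must be an acl.role value, not its name
    # as a string, whether passed bare or inside a list.
    assert.fails(
        lambda: acl.entry("zzz"),
        'bad "roles": got string, want acl.role',
    )
    assert.fails(
        lambda: acl.entry(["zzz"]),
        'bad "roles": got string, want acl.role',
    )

def test_groups_validation():
    """Checks which `groups` arguments acl.entry accepts and rejects."""

    # Singular group is OK (it is normalized to a one-element list).
    check_entry(
        entry = acl.entry(acl.BUILDBUCKET_READER, groups = "grr"),
        roles = [acl.BUILDBUCKET_READER],
        groups = ["grr"],
    )

    # Multiple groups is OK.
    check_entry(
        entry = acl.entry(acl.BUILDBUCKET_READER, groups = ["grr1", "grr2"]),
        roles = [acl.BUILDBUCKET_READER],
        groups = ["grr1", "grr2"],
    )

    # Empty list is OK.
    check_entry(
        entry = acl.entry(acl.BUILDBUCKET_READER, groups = []),
        roles = [acl.BUILDBUCKET_READER],
        groups = [],
    )

    # Wrong type is not OK.
    assert.fails(
        lambda: acl.entry(acl.BUILDBUCKET_READER, groups = 123),
        'bad "groups": got int, want string',
    )

    # Empty group name is not OK.
    assert.fails(
        lambda: acl.entry(acl.BUILDBUCKET_READER, groups = ""),
        'bad "groups": must not be empty',
    )

def test_users_validation():
    """Checks which `users` arguments acl.entry accepts and rejects."""

    # Singular user is OK (it is normalized to a one-element list).
    check_entry(
        entry = acl.entry(acl.BUILDBUCKET_READER, users = "a@example.com"),
        roles = [acl.BUILDBUCKET_READER],
        users = ["a@example.com"],
    )

    # Multiple users is OK.
    check_entry(
        entry = acl.entry(
            acl.BUILDBUCKET_READER,
            users = ["a@example.com", "b@example.com"],
        ),
        roles = [acl.BUILDBUCKET_READER],
        users = ["a@example.com", "b@example.com"],
    )

    # Empty list is OK.
    check_entry(
        entry = acl.entry(acl.BUILDBUCKET_READER, users = []),
        roles = [acl.BUILDBUCKET_READER],
        users = [],
    )

    # Wrong type is not OK.
    assert.fails(
        lambda: acl.entry(acl.BUILDBUCKET_READER, users = 123),
        'bad "users": got int, want string',
    )

    # Empty user name is not OK.
    assert.fails(
        lambda: acl.entry(acl.BUILDBUCKET_READER, users = ""),
        'bad "users": must not be empty',
    )

def test_projects_validation():
    """Checks which `projects` arguments acl.entry accepts and rejects."""

    # Singular project is OK (it is normalized to a one-element list).
    check_entry(
        entry = acl.entry(acl.BUILDBUCKET_READER, projects = "a"),
        roles = [acl.BUILDBUCKET_READER],
        projects = ["a"],
    )

    # Multiple projects is OK.
    check_entry(
        entry = acl.entry(
            acl.BUILDBUCKET_READER,
            projects = ["a", "b"],
        ),
        roles = [acl.BUILDBUCKET_READER],
        projects = ["a", "b"],
    )

    # Empty list is OK.
    check_entry(
        entry = acl.entry(acl.BUILDBUCKET_READER, projects = []),
        roles = [acl.BUILDBUCKET_READER],
        projects = [],
    )

    # Wrong type is not OK.
    assert.fails(
        lambda: acl.entry(acl.BUILDBUCKET_READER, projects = 123),
        'bad "projects": got int, want string',
    )

    # Empty project name is not OK.
    assert.fails(
        lambda: acl.entry(acl.BUILDBUCKET_READER, projects = ""),
        'bad "projects": must not be empty',
    )

def test_group_only_roles():
    """Checks that a role flagged `groups_only` cannot be granted to users."""
    assert.true(acl.LOGDOG_READER.groups_only)

    # Works with groups.
    check_entry(
        entry = acl.entry(acl.LOGDOG_READER, groups = "group"),
        roles = [acl.LOGDOG_READER],
        groups = ["group"],
    )

    # Fails with users.
    assert.fails(
        lambda: acl.entry(acl.LOGDOG_READER, users = "a@example.com"),
        "role LOGDOG_READER can be assigned only to groups",
    )

    # NOTE(review): a groups-only role combined with `projects = ...` is not
    # exercised here; confirm the intended behavior in acl.star and pin it
    # with an assertion so the restriction cannot regress unnoticed.

# The tests in this file run only because they are invoked explicitly below,
# so every test_* function defined above needs a call here. Without the
# test_projects_validation() call the `projects` checks never execute and a
# regression in that ACL validation would go undetected.
test_roles_validation()
test_groups_validation()
test_users_validation()
test_projects_validation()
test_group_only_roles()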