load("@stdlib//internal/luci/lib/acl.star", "acl", "aclimpl")

def test_works():
    """Checks what aclimpl.validate_acls accepts and what it rejects.

    Covers, in order: a valid list of entries, the empty inputs (None and
    []), wrongly typed input, the project_level_only restriction and the
    allowed_roles restriction. Each rejection is pinned to its exact error
    message so that a check which silently stops firing shows up as a test
    failure.
    """
    validate = aclimpl.validate_acls

    # A list of valid entries comes back equal to the input.
    bucket_acls = [
        acl.entry(acl.BUILDBUCKET_READER),
        acl.entry(acl.BUILDBUCKET_OWNER),
    ]
    assert.eq(validate(bucket_acls), bucket_acls)

    # Both "no ACLs" spellings normalize to an empty list.
    for empty in [None, []]:
        assert.eq(validate(empty), [])

    # Input of the wrong type must be rejected, both at the top level
    # (not a list) and per element (not an acl.entry).
    wrong_types = [
        (111, 'bad "acls": got int, want list'),
        ([111], 'bad "acls": got int, want acl.entry'),
    ]
    for bad_value, expected_error in wrong_types:
        assert.fails(lambda: validate(bad_value), expected_error)

    # A role flagged project_level_only is accepted only when the caller
    # passes project_level = True; the call without it must fail.
    assert.true(acl.PROJECT_CONFIGS_READER.project_level_only)
    with_project_role = bucket_acls + [acl.entry(acl.PROJECT_CONFIGS_READER)]
    assert.eq(
        validate(with_project_role, project_level = True),
        with_project_role,
    )
    assert.fails(
        lambda: validate(with_project_role),
        "role PROJECT_CONFIGS_READER can only be set at the project level",
    )

    # allowed_roles acts as an allow-list: an entry whose role is listed
    # passes, an entry whose role is missing from the list is refused.
    reader_only = [acl.entry(acl.BUILDBUCKET_READER)]
    assert.eq(
        validate(reader_only, allowed_roles = [acl.BUILDBUCKET_READER]),
        reader_only,
    )
    assert.fails(
        lambda: validate(reader_only, allowed_roles = [acl.BUILDBUCKET_OWNER]),
        "role BUILDBUCKET_READER is not allowed in this context",
    )

test_works()