go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/lucicfg/testdata/realms/conditions.star

go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/lucicfg/testdata/realms/conditions.star (about)

     1  luci.project(
     2      name = "proj",
     3      bindings = [
     4          # Binding across different roles are independent.
     5          luci.binding(
     6              roles = "role/a",
     7              groups = "g1",
     8              conditions = [
     9                  luci.restrict_attribute("attr1", ["val1"]),
    10              ],
    11          ),
    12          luci.binding(
    13              roles = "role/b",
    14              groups = "g1",
    15              conditions = [
    16                  luci.restrict_attribute("attr1", ["val1"]),
    17              ],
    18          ),
    19  
    20          # Groups bindings with semantically identical conditions.
    21          luci.binding(
    22              roles = "role/a",
    23              groups = "g3",
    24              conditions = [
    25                  luci.restrict_attribute("attr1", ["val1", "val2"]),
    26                  luci.restrict_attribute("attr2", ["val1", "val2"]),
    27              ],
    28          ),
    29          luci.binding(
    30              roles = "role/a",
    31              groups = "g4",
    32              conditions = [
    33                  luci.restrict_attribute("attr2", ["val2", "val1"]),
    34                  luci.restrict_attribute("attr1", ["val2", "val1"]),
    35              ],
    36          ),
    37  
    38          # Condition-less binding must sort before conditional ones.
    39          luci.binding(
    40              roles = "role/a",
    41              groups = "g1",
    42          ),
    43      ],
    44  )
    45  
    46  # Expect configs:
    47  #
    48  # === project.cfg
    49  # name: "proj"
    50  # ===
    51  #
    52  # === realms.cfg
    53  # realms {
    54  #   name: "@root"
    55  #   bindings {
    56  #     role: "role/a"
    57  #     principals: "group:g1"
    58  #   }
    59  #   bindings {
    60  #     role: "role/a"
    61  #     principals: "group:g1"
    62  #     conditions {
    63  #       restrict {
    64  #         attribute: "attr1"
    65  #         values: "val1"
    66  #       }
    67  #     }
    68  #   }
    69  #   bindings {
    70  #     role: "role/a"
    71  #     principals: "group:g3"
    72  #     principals: "group:g4"
    73  #     conditions {
    74  #       restrict {
    75  #         attribute: "attr1"
    76  #         values: "val1"
    77  #         values: "val2"
    78  #       }
    79  #     }
    80  #     conditions {
    81  #       restrict {
    82  #         attribute: "attr2"
    83  #         values: "val1"
    84  #         values: "val2"
    85  #       }
    86  #     }
    87  #   }
    88  #   bindings {
    89  #     role: "role/b"
    90  #     principals: "group:g1"
    91  #     conditions {
    92  #       restrict {
    93  #         attribute: "attr1"
    94  #         values: "val1"
    95  #       }
    96  #     }
    97  #   }
    98  # }
    99  # ===