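// Source: go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/milo/internal/projectconfig/acl_test.go

// Copyright 2016 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package projectconfig

import (
	"context"
	"testing"

	"go.chromium.org/luci/auth/identity"
	"go.chromium.org/luci/common/logging/gologger"
	"go.chromium.org/luci/config"
	"go.chromium.org/luci/config/cfgclient"
	memcfg "go.chromium.org/luci/config/impl/memory"
	"go.chromium.org/luci/gae/impl/memory"
	"go.chromium.org/luci/milo/internal/testutils"
	"go.chromium.org/luci/server/auth"
	"go.chromium.org/luci/server/auth/authtest"

	. "github.com/smartystreets/goconvey/convey"
)

// TestACL checks the project-level access decisions made by IsAllowed for
// four callers (anonymous, an administrator, an internal user and an external
// user) against three fixtures: a group-restricted project, a public project
// and a project whose config cannot be found where it is expected.
//
// Every case asserts both the decision and a nil error, so a denial is
// distinguished from a lookup failure.
func TestACL(t *testing.T) {
	t.Parallel()

	Convey("Test Environment", t, func() {
		// In-memory service implementations, a logger and the test global
		// cache; nothing here reaches a real backend.
		c := memory.Use(context.Background())
		c = gologger.StdConfig.Use(c)
		c = testutils.SetUpTestGlobalCache(c)

		Convey("Set up projects", func() {
			// Serve the fixtures in aclConfgs as the config service and
			// import them before any access check runs.
			c = cfgclient.Use(c, memcfg.New(aclConfgs))
			err := UpdateProjects(c)
			So(err, ShouldBeNil)

			Convey("Anon wants to...", func() {
				c = auth.WithState(c, &authtest.FakeState{
					Identity:       identity.AnonymousIdentity,
					IdentityGroups: []string{"all"},
				})
				Convey("Read public project", func() {
					ok, err := IsAllowed(c, "opensource")
					So(ok, ShouldBeTrue)
					So(err, ShouldBeNil)
				})
				Convey("Read private project", func() {
					ok, err := IsAllowed(c, "secret")
					So(ok, ShouldBeFalse)
					So(err, ShouldBeNil)
				})
			})

			Convey("admin@google.com wants to...", func() {
				// The identity now matches the case label. It previously
				// reused "user:alicebob@google.com", so this case and the
				// next one exercised the same principal and differed only
				// in the "administrators" group. Both fixtures grant access
				// by group, so the expected results should not depend on
				// the identity string.
				c = auth.WithState(c, &authtest.FakeState{
					Identity:       "user:admin@google.com",
					IdentityGroups: []string{"administrators", "googlers", "all"},
				})
				Convey("Read private project", func() {
					ok, err := IsAllowed(c, "secret")
					So(ok, ShouldBeTrue)
					So(err, ShouldBeNil)
				})
				// Membership in "administrators" must not open a project
				// that has no usable config: the expected answer is a
				// plain denial.
				Convey("Read un/misconfigured project", func() {
					ok, err := IsAllowed(c, "misconfigured")
					So(ok, ShouldBeFalse)
					So(err, ShouldBeNil)
				})
			})

			Convey("alicebob@google.com wants to...", func() {
				c = auth.WithState(c, &authtest.FakeState{
					Identity:       "user:alicebob@google.com",
					IdentityGroups: []string{"googlers", "all"},
				})
				Convey("Read private project", func() {
					ok, err := IsAllowed(c, "secret")
					So(ok, ShouldBeTrue)
					So(err, ShouldBeNil)
				})
				Convey("Read un/misconfigured project", func() {
					ok, err := IsAllowed(c, "misconfigured")
					So(ok, ShouldBeFalse)
					So(err, ShouldBeNil)
				})
			})

			Convey("eve@notgoogle.com wants to...", func() {
				// Authenticated, but only in "all": same expectations as
				// the anonymous caller.
				c = auth.WithState(c, &authtest.FakeState{
					Identity:       "user:eve@notgoogle.com",
					IdentityGroups: []string{"all"},
				})
				Convey("Read public project", func() {
					ok, err := IsAllowed(c, "opensource")
					So(ok, ShouldBeTrue)
					So(err, ShouldBeNil)
				})
				Convey("Read private project", func() {
					ok, err := IsAllowed(c, "secret")
					So(ok, ShouldBeFalse)
					So(err, ShouldBeNil)
				})
			})
		})
	})
}

// secretProjectCfg is the project.cfg of a project readable only by members
// of the "googlers" group.
var secretProjectCfg = `
name: "secret"
access: "group:googlers"
`

// publicProjectCfg is the project.cfg of a project readable by the "all"
// group, which every caller in TestACL belongs to.
var publicProjectCfg = `
name: "opensource"
access: "group:all"
`

// aclConfgs holds the config sets served to UpdateProjects in TestACL.
var aclConfgs = map[config.Set]memcfg.Files{
	"projects/secret": {
		"project.cfg": secretProjectCfg,
	},
	"projects/opensource": {
		"project.cfg": publicProjectCfg,
	},
	// NOTE(review): both the set name ("project/", not "projects/") and the
	// file name ("probject.cfg") differ from the two entries above. This
	// looks deliberate: it is the fixture behind the "un/misconfigured"
	// cases, which expect a denial. Do not "fix" the spelling.
	"project/misconfigured": {
		"probject.cfg": secretProjectCfg,
	},
}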