go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/milo/rpc/batch_check_permissions_test.go

go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/milo/rpc/batch_check_permissions_test.go (about)

     1  // Copyright 2022 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package rpc
    16  
    17  import (
    18  	"context"
    19  	"fmt"
    20  	"strings"
    21  	"testing"
    22  
    23  	. "github.com/smartystreets/goconvey/convey"
    24  	"go.chromium.org/luci/buildbucket/bbperms"
    25  	. "go.chromium.org/luci/common/testing/assertions"
    26  	"go.chromium.org/luci/milo/internal/testutils"
    27  	milopb "go.chromium.org/luci/milo/proto/v1"
    28  	"go.chromium.org/luci/server/auth"
    29  	"go.chromium.org/luci/server/auth/authtest"
    30  	"google.golang.org/grpc/codes"
    31  )
    32  
    33  func TestBatchCheckPermissions(t *testing.T) {
    34  	t.Parallel()
    35  
    36  	Convey(`TestBatchCheckPermissions`, t, func() {
    37  		ctx := context.Background()
    38  		ctx = testutils.SetUpTestGlobalCache(ctx)
    39  		ctx = auth.WithState(
    40  			ctx,
    41  			&authtest.FakeState{
    42  				Identity: "user:someone@example.com",
    43  				IdentityPermissions: []authtest.RealmPermission{
    44  					{Realm: "testproject:testrealm", Permission: bbperms.BuildsList},
    45  					{Realm: "testproject:testrealm", Permission: bbperms.BuildsAdd},
    46  					{Realm: "testproject:testrealm2", Permission: bbperms.BuildsCancel},
    47  				},
    48  			})
    49  
    50  		srv := &MiloInternalService{}
    51  
    52  		Convey(`e2e`, func() {
    53  			res, err := srv.BatchCheckPermissions(ctx, &milopb.BatchCheckPermissionsRequest{
    54  				Realm:       "testproject:testrealm",
    55  				Permissions: []string{bbperms.BuildsAdd.Name(), bbperms.BuildsList.Name(), bbperms.BuildsCancel.Name()},
    56  			})
    57  
    58  			So(err, ShouldBeNil)
    59  			So(res.Results, ShouldResemble, map[string]bool{
    60  				bbperms.BuildsAdd.Name():    true,
    61  				bbperms.BuildsList.Name():   true,
    62  				bbperms.BuildsCancel.Name(): false,
    63  			})
    64  		})
    65  
    66  		Convey(`invalid request`, func() {
    67  			res, err := srv.BatchCheckPermissions(ctx, &milopb.BatchCheckPermissionsRequest{
    68  				Permissions: []string{bbperms.BuildsAdd.Name(), bbperms.BuildsList.Name(), bbperms.BuildsCancel.Name()},
    69  			})
    70  
    71  			So(err, ShouldHaveAppStatus, codes.InvalidArgument)
    72  			So(err, ShouldErrLike, "realm", "must be specified")
    73  			So(res, ShouldBeNil)
    74  		})
    75  
    76  		Convey(`invalid permission`, func() {
    77  			res, err := srv.BatchCheckPermissions(ctx, &milopb.BatchCheckPermissionsRequest{
    78  				Realm:       "testproject:testrealm",
    79  				Permissions: []string{bbperms.BuildsAdd.Name(), "testservice.testsubject.testaction"},
    80  			})
    81  
    82  			So(err, ShouldHaveAppStatus, codes.InvalidArgument)
    83  			So(err, ShouldErrLike, "testservice.testsubject.testaction", "permission not registered")
    84  			So(res, ShouldBeNil)
    85  		})
    86  	})
    87  }
    88  
    89  func TestValidateBatchCheckPermissionsRequest(t *testing.T) {
    90  	t.Parallel()
    91  
    92  	Convey(`TestValidateBatchCheckPermissionsRequest`, t, func() {
    93  		req := &milopb.BatchCheckPermissionsRequest{
    94  			Realm:       "testproject:testrealm",
    95  			Permissions: []string{bbperms.BuildsAdd.Name(), bbperms.BuildsList.Name()},
    96  		}
    97  
    98  		Convey(`valid`, func() {
    99  			err := validateBatchCheckPermissionsRequest(req)
   100  			So(err, ShouldBeNil)
   101  		})
   102  
   103  		Convey(`no realm`, func() {
   104  			req.Realm = ""
   105  			err := validateBatchCheckPermissionsRequest(req)
   106  			So(err, ShouldErrLike, "realm:", "must be specified")
   107  		})
   108  
   109  		Convey(`invalid realm`, func() {
   110  			req.Realm = "testinvalidrealm"
   111  			err := validateBatchCheckPermissionsRequest(req)
   112  			So(err, ShouldErrLike, "realm:", "testinvalidrealm", "should be <project>:<realm>")
   113  		})
   114  
   115  		Convey(`too many permissions`, func() {
   116  			perms := strings.Split(strings.Repeat(bbperms.BuildsAdd.Name()+" ", maxPermissions+1), " ")
   117  			// Trim the last one because it's an empty string.
   118  			req.Permissions = perms[0 : maxPermissions+1]
   119  			err := validateBatchCheckPermissionsRequest(req)
   120  			So(err, ShouldErrLike, "permissions:", fmt.Sprintf("at most %d", maxPermissions))
   121  		})
   122  	})
   123  }