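// Copyright 2022 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rpcacl

import (
	"context"
	"fmt"
	"testing"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"go.chromium.org/luci/server/auth"
	"go.chromium.org/luci/server/auth/authtest"

	. "github.com/smartystreets/goconvey/convey"
)

// TestInterceptor checks the per-RPC ACL decisions of the unary interceptor
// for three kinds of caller: anonymous, authenticated but outside the
// required group, and a member of the required group.
//
// The expectations pin down the following access-control properties:
//   - a service or method missing from the Map ("/unknown/*", "/mixed/unknown")
//     is rejected with PermissionDenied for every caller, i.e. the ACL map is
//     expected to be default-deny;
//   - an anonymous caller gets Unauthenticated on Authenticated entries, but
//     PermissionDenied on group-gated entries;
//   - per-method entries ("/mixed/...") are expected to behave exactly like
//     the wildcard entries ("/<service>/*").
func TestInterceptor(t *testing.T) {
	t.Parallel()

	interceptor := Interceptor(Map{
		"/all/*":               All,
		"/authenticated/*":     Authenticated,
		"/authorized/*":        "some-group",
		"/mixed/all":           All,
		"/mixed/authenticated": Authenticated,
		"/mixed/authorized":    "some-group",
	}).Unary()

	// check runs a single RPC to /<service>/<method> through the interceptor
	// and returns the gRPC status code the caller would observe.
	check := func(ctx context.Context, service, method string) codes.Code {
		info := &grpc.UnaryServerInfo{
			FullMethod: fmt.Sprintf("/%s/%s", service, method),
		}
		handlerCalled := false
		_, err := interceptor(ctx, nil, info, func(context.Context, any) (any, error) {
			handlerCalled = true
			return nil, nil
		})
		code := status.Code(err)
		// The status code alone does not prove the RPC was blocked: an
		// interceptor that ran the handler and only then returned an error
		// would still produce the expected code. Require that the handler
		// runs if and only if the call was allowed.
		if allowed := code == codes.OK; handlerCalled != allowed {
			t.Errorf("%s: handler called = %v, but status code is %s", info.FullMethod, handlerCalled, code)
		}
		return code
	}

	Convey("Anonymous", t, func() {
		// A FakeState with no Identity set stands in for an anonymous caller.
		ctx := auth.WithState(context.Background(), &authtest.FakeState{})

		So(check(ctx, "all", "method"), ShouldEqual, codes.OK)
		So(check(ctx, "authenticated", "method"), ShouldEqual, codes.Unauthenticated)
		So(check(ctx, "authorized", "method"), ShouldEqual, codes.PermissionDenied)
		So(check(ctx, "unknown", "method"), ShouldEqual, codes.PermissionDenied)

		So(check(ctx, "mixed", "all"), ShouldEqual, codes.OK)
		So(check(ctx, "mixed", "authenticated"), ShouldEqual, codes.Unauthenticated)
		So(check(ctx, "mixed", "authorized"), ShouldEqual, codes.PermissionDenied)
		So(check(ctx, "mixed", "unknown"), ShouldEqual, codes.PermissionDenied)
	})

	Convey("Authenticated, but not authorized", t, func() {
		// The caller has an identity, but belongs only to a group the ACL
		// map does not mention.
		ctx := auth.WithState(context.Background(), &authtest.FakeState{
			Identity:       "user:someone@example.com",
			IdentityGroups: []string{"some-random-group"},
		})

		So(check(ctx, "all", "method"), ShouldEqual, codes.OK)
		So(check(ctx, "authenticated", "method"), ShouldEqual, codes.OK)
		So(check(ctx, "authorized", "method"), ShouldEqual, codes.PermissionDenied)
		So(check(ctx, "unknown", "method"), ShouldEqual, codes.PermissionDenied)

		So(check(ctx, "mixed", "all"), ShouldEqual, codes.OK)
		So(check(ctx, "mixed", "authenticated"), ShouldEqual, codes.OK)
		So(check(ctx, "mixed", "authorized"), ShouldEqual, codes.PermissionDenied)
		So(check(ctx, "mixed", "unknown"), ShouldEqual, codes.PermissionDenied)
	})

	Convey("Authorized", t, func() {
		// The caller is a member of the group that gates the "authorized"
		// entries. Unlisted RPCs must still be denied.
		ctx := auth.WithState(context.Background(), &authtest.FakeState{
			Identity:       "user:someone@example.com",
			IdentityGroups: []string{"some-group"},
		})

		So(check(ctx, "all", "method"), ShouldEqual, codes.OK)
		So(check(ctx, "authenticated", "method"), ShouldEqual, codes.OK)
		So(check(ctx, "authorized", "method"), ShouldEqual, codes.OK)
		So(check(ctx, "unknown", "method"), ShouldEqual, codes.PermissionDenied)

		So(check(ctx, "mixed", "all"), ShouldEqual, codes.OK)
		So(check(ctx, "mixed", "authenticated"), ShouldEqual, codes.OK)
		So(check(ctx, "mixed", "authorized"), ShouldEqual, codes.OK)
		So(check(ctx, "mixed", "unknown"), ShouldEqual, codes.PermissionDenied)
	})
}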