blob: d657ab776d4128dc0fee75b0edbbcdc6f2988f79 [file] [log] [blame]
// Copyright 2021 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package acls
import (
"testing"
"go.chromium.org/luci/server/auth"
"go.chromium.org/luci/server/auth/authtest"
cfgpb "go.chromium.org/luci/cv/api/config/v2"
"go.chromium.org/luci/cv/internal/configs/prjcfg/prjcfgtest"
"go.chromium.org/luci/cv/internal/configs/validation"
"go.chromium.org/luci/cv/internal/cvtesting"
. "github.com/smartystreets/goconvey/convey"
)
func TestCheckLegacy(t *testing.T) {
t.Parallel()
Convey("CheckLegacyCQStatusAccess works", t, func() {
ct := cvtesting.Test{}
ctx := ct.SetUp(t)
cfg := &cfgpb.Config{
CqStatusHost: "", // modified in tests below
ConfigGroups: []*cfgpb.ConfigGroup{{
Name: "first",
}},
}
Convey("not existing project", func() {
allowed, err := checkLegacyCQStatusAccess(ctx, "non-existing")
So(err, ShouldBeNil)
So(allowed, ShouldBeFalse)
})
Convey("existing but disabled project", func() {
// Even if the previously configured CqStatusHost is public.
cfg.CqStatusHost = validation.CQStatusHostPublic
prjcfgtest.Create(ctx, "disabled", cfg)
prjcfgtest.Disable(ctx, "disabled")
allowed, err := checkLegacyCQStatusAccess(ctx, "disabled")
So(err, ShouldBeNil)
So(allowed, ShouldBeFalse)
})
Convey("without configured CQ Status", func() {
cfg.CqStatusHost = ""
prjcfgtest.Create(ctx, "no-legacy", cfg)
allowed, err := checkLegacyCQStatusAccess(ctx, "no-legacy")
So(err, ShouldBeNil)
So(allowed, ShouldBeFalse)
})
Convey("with misconfigured CQ Status", func() {
cfg.CqStatusHost = "misconfigured.example.com"
prjcfgtest.Create(ctx, "misconfigured", cfg)
allowed, err := checkLegacyCQStatusAccess(ctx, "misconfigured")
So(err, ShouldBeNil)
So(allowed, ShouldBeFalse)
})
Convey("public access", func() {
cfg.CqStatusHost = validation.CQStatusHostPublic
prjcfgtest.Create(ctx, "public", cfg)
allowed, err := checkLegacyCQStatusAccess(ctx, "public")
So(err, ShouldBeNil)
So(allowed, ShouldBeTrue)
})
Convey("internal CQ Status", func() {
cfg.CqStatusHost = validation.CQStatusHostInternal
prjcfgtest.Create(ctx, "internal", cfg)
Convey("request by Googler is allowed", func() {
ctx = auth.WithState(ctx, &authtest.FakeState{
Identity: "user:googler@example.com",
IdentityGroups: []string{cqStatusInternalCrIAGroup},
})
allowed, err := checkLegacyCQStatusAccess(ctx, "internal")
So(err, ShouldBeNil)
So(allowed, ShouldBeTrue)
})
Convey("request by non-Googler is not allowed", func() {
ctx = auth.WithState(ctx, &authtest.FakeState{
Identity: "user:hacker@example.com",
IdentityGroups: []string{},
})
allowed, err := checkLegacyCQStatusAccess(ctx, "internal")
So(err, ShouldBeNil)
So(allowed, ShouldBeFalse)
})
})
})
}