cipd/appengine/impl/repo/acl_test.go - infra/luci/luci-go - Git at Google

 // Copyright 2018 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package repo

 import (
 	"context"
 	"fmt"
 	"testing"

 	"go.chromium.org/luci/auth/identity"
 	"go.chromium.org/luci/server/auth"
 	"go.chromium.org/luci/server/auth/authtest"

 	api "go.chromium.org/luci/cipd/api/cipd/v1"

 	. "github.com/smartystreets/goconvey/convey"
 )

 func TestRoles(t *testing.T) {
 	t.Parallel()

 	Convey("Works", t, func() {
 		fakeDB := authtest.NewFakeDB(
 			authtest.MockMembership("user:admin@example.com", "admins"),

 			authtest.MockMembership("user:top-owner@example.com", "top-owners"),
 			authtest.MockMembership("user:top-writer@example.com", "top-writers"),
 			authtest.MockMembership("user:top-reader@example.com", "top-readers"),

 			authtest.MockMembership("user:inner-owner@example.com", "inner-owners"),
 			authtest.MockMembership("user:inner-writer@example.com", "inner-writers"),
 			authtest.MockMembership("user:inner-reader@example.com", "inner-readers"),
 		)

 		metas := []*api.PrefixMetadata{}
 		metas = addPrefixACLs(metas, "", map[api.Role][]string{
 			api.Role_OWNER: {"group:admins"},
 		})
 		metas = addPrefixACLs(metas, "top", map[api.Role][]string{
 			api.Role_OWNER:  {"user:direct-owner@example.com", "group:top-owners"},
 			api.Role_WRITER: {"group:top-writers"},
 			api.Role_READER: {"group:top-readers"},
 		})
 		metas = addPrefixACLs(metas, "top/something/else", map[api.Role][]string{
 			api.Role_OWNER:  {"group:inner-owners"},
 			api.Role_WRITER: {"group:inner-writers"},
 			api.Role_READER: {"group:inner-readers"},
 		})

 		allRoles := []api.Role{api.Role_READER, api.Role_WRITER, api.Role_OWNER}
 		writerRoles := []api.Role{api.Role_READER, api.Role_WRITER}
 		readerRoles := []api.Role{api.Role_READER}
 		noRoles := []api.Role{}

 		expectedRoles := []struct {
 			user          identity.Identity
 			expectedRoles []api.Role
 		}{
 			{"user:admin@example.com", allRoles},
 			{"user:direct-owner@example.com", allRoles},
 			{"user:top-owner@example.com", allRoles},
 			{"user:inner-owner@example.com", allRoles},

 			{"user:top-writer@example.com", writerRoles},
 			{"user:inner-writer@example.com", writerRoles},

 			{"user:top-reader@example.com", readerRoles},
 			{"user:inner-reader@example.com", readerRoles},

 			{"user:someone-else@example.com", noRoles},
 			{"anonymous:anonymous", noRoles},
 		}

 		for _, tc := range expectedRoles {
 			Convey(fmt.Sprintf("User %s roles", tc.user), func() {
 				ctx := auth.WithState(context.Background(), &authtest.FakeState{
 					Identity: tc.user,
 					FakeDB:   fakeDB,
 				})

 				// Get the roles by checking explicitly each one via hasRole.
 				Convey("hasRole works", func() {
 					haveRoles := []api.Role{}
 					for _, r := range allRoles {
 						yes, err := hasRole(ctx, metas, r)
 						So(err, ShouldBeNil)
 						if yes {
 							haveRoles = append(haveRoles, r)
 						}
 					}
 					So(haveRoles, ShouldResemble, tc.expectedRoles)
 				})

 				// Get the same set of roles through rolesInPrefix.
 				Convey("rolesInPrefix", func() {
 					haveRoles, err := rolesInPrefix(ctx, tc.user, metas)
 					So(err, ShouldBeNil)
 					So(haveRoles, ShouldResemble, tc.expectedRoles)
 				})
 			})
 		}
 	})
 }

 func addPrefixACLs(metas []*api.PrefixMetadata, prefix string, acls map[api.Role][]string) []*api.PrefixMetadata {
 	a := make([]*api.PrefixMetadata_ACL, 0, len(acls))
 	for role, principals := range acls {
 		a = append(a, &api.PrefixMetadata_ACL{
 			Role:       role,
 			Principals: principals,
 		})
 	}
 	return append(metas, &api.PrefixMetadata{
 		Prefix: prefix,
 		Acls:   a,
 	})
 }
	// Copyright 2018 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package repo

	import (
	"context"
	"fmt"
	"testing"

	"go.chromium.org/luci/auth/identity"
	"go.chromium.org/luci/server/auth"
	"go.chromium.org/luci/server/auth/authtest"

	api "go.chromium.org/luci/cipd/api/cipd/v1"

	. "github.com/smartystreets/goconvey/convey"
	)

	func TestRoles(t *testing.T) {
	t.Parallel()

	Convey("Works", t, func() {
	fakeDB := authtest.NewFakeDB(
	authtest.MockMembership("user:admin@example.com", "admins"),

	authtest.MockMembership("user:top-owner@example.com", "top-owners"),
	authtest.MockMembership("user:top-writer@example.com", "top-writers"),
	authtest.MockMembership("user:top-reader@example.com", "top-readers"),

	authtest.MockMembership("user:inner-owner@example.com", "inner-owners"),
	authtest.MockMembership("user:inner-writer@example.com", "inner-writers"),
	authtest.MockMembership("user:inner-reader@example.com", "inner-readers"),
	)

	metas := []*api.PrefixMetadata{}
	metas = addPrefixACLs(metas, "", map[api.Role][]string{
	api.Role_OWNER: {"group:admins"},
	})
	metas = addPrefixACLs(metas, "top", map[api.Role][]string{
	api.Role_OWNER: {"user:direct-owner@example.com", "group:top-owners"},
	api.Role_WRITER: {"group:top-writers"},
	api.Role_READER: {"group:top-readers"},
	})
	metas = addPrefixACLs(metas, "top/something/else", map[api.Role][]string{
	api.Role_OWNER: {"group:inner-owners"},
	api.Role_WRITER: {"group:inner-writers"},
	api.Role_READER: {"group:inner-readers"},
	})

	allRoles := []api.Role{api.Role_READER, api.Role_WRITER, api.Role_OWNER}
	writerRoles := []api.Role{api.Role_READER, api.Role_WRITER}
	readerRoles := []api.Role{api.Role_READER}
	noRoles := []api.Role{}

	expectedRoles := []struct {
	user identity.Identity
	expectedRoles []api.Role
	}{
	{"user:admin@example.com", allRoles},
	{"user:direct-owner@example.com", allRoles},
	{"user:top-owner@example.com", allRoles},
	{"user:inner-owner@example.com", allRoles},

	{"user:top-writer@example.com", writerRoles},
	{"user:inner-writer@example.com", writerRoles},

	{"user:top-reader@example.com", readerRoles},
	{"user:inner-reader@example.com", readerRoles},

	{"user:someone-else@example.com", noRoles},
	{"anonymous:anonymous", noRoles},
	}

	for _, tc := range expectedRoles {
	Convey(fmt.Sprintf("User %s roles", tc.user), func() {
	ctx := auth.WithState(context.Background(), &authtest.FakeState{
	Identity: tc.user,
	FakeDB: fakeDB,
	})

	// Get the roles by checking explicitly each one via hasRole.
	Convey("hasRole works", func() {
	haveRoles := []api.Role{}
	for _, r := range allRoles {
	yes, err := hasRole(ctx, metas, r)
	So(err, ShouldBeNil)
	if yes {
	haveRoles = append(haveRoles, r)
	}
	}
	So(haveRoles, ShouldResemble, tc.expectedRoles)
	})

	// Get the same set of roles through rolesInPrefix.
	Convey("rolesInPrefix", func() {
	haveRoles, err := rolesInPrefix(ctx, tc.user, metas)
	So(err, ShouldBeNil)
	So(haveRoles, ShouldResemble, tc.expectedRoles)
	})
	})
	}
	})
	}

	func addPrefixACLs(metas []api.PrefixMetadata, prefix string, acls map[api.Role][]string) []api.PrefixMetadata {
	a := make([]*api.PrefixMetadata_ACL, 0, len(acls))
	for role, principals := range acls {
	a = append(a, &api.PrefixMetadata_ACL{
	Role: role,
	Principals: principals,
	})
	}
	return append(metas, &api.PrefixMetadata{
	Prefix: prefix,
	Acls: a,
	})
	}