mirror of https://github.com/hashicorp/boundary
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
346 lines
9.3 KiB
346 lines
9.3 KiB
package roles_test
|
|
|
|
/*
|
|
type roleCrud interface {
|
|
CreateGroup(context.Context, *groups.Group) (*groups.Group, *api.Error, error)
|
|
CreateRole(context.Context, *roles.Role) (*roles.Role, *api.Error, error)
|
|
ReadRole(context.Context, *roles.Role) (*roles.Role, *api.Error, error)
|
|
UpdateRole(context.Context, *roles.Role) (*roles.Role, *api.Error, error)
|
|
DeleteRole(context.Context, *roles.Role) (bool, *api.Error, error)
|
|
ListRoles(ctx context.Context) ([]*roles.Role, *api.Error, error)
|
|
}
|
|
|
|
func TestCustom(t *testing.T) {
|
|
tc := controller.NewTestController(t, &controller.TestControllerOpts{DisableAuthorizationFailures: true})
|
|
defer tc.Shutdown()
|
|
|
|
client := tc.Client()
|
|
org := &scopes.Org{
|
|
Client: client,
|
|
}
|
|
proj, apiErr, err := org.CreateProject(context.Background(), &scopes.Project{})
|
|
require.NoError(t, err)
|
|
require.Nil(t, apiErr)
|
|
|
|
user, apiErr, err := org.CreateUser(context.Background(), &users.User{})
|
|
require.NoError(t, err)
|
|
require.Nil(t, apiErr)
|
|
|
|
cases := []struct {
|
|
name string
|
|
scope roleCrud
|
|
}{
|
|
{
|
|
name: "org",
|
|
scope: org,
|
|
},
|
|
{
|
|
name: "proj",
|
|
scope: proj,
|
|
},
|
|
}
|
|
|
|
hasPrincipal := func(role *roles.Role, principalId string) bool {
|
|
var foundInPrincipals bool
|
|
var foundInPrincipalIds bool
|
|
for _, v := range role.Principals {
|
|
if v.Id == principalId {
|
|
foundInPrincipals = true
|
|
}
|
|
}
|
|
for _, v := range role.PrincipalIds {
|
|
if v == principalId {
|
|
foundInPrincipalIds = true
|
|
}
|
|
}
|
|
return foundInPrincipals && foundInPrincipalIds
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
require := require.New(t)
|
|
ctx := context.Background()
|
|
g, apiErr, err := tc.scope.CreateGroup(ctx, &groups.Group{})
|
|
require.NoError(err)
|
|
require.Nil(apiErr)
|
|
require.NotNil(g)
|
|
|
|
r, apiErr, err := tc.scope.CreateRole(ctx, &roles.Role{Name: api.String("foo")})
|
|
require.NoError(err)
|
|
require.Nil(apiErr)
|
|
require.NotNil(r)
|
|
|
|
updatedRole, apiErr, err := r.AddPrincipals(ctx, []string{g.Id})
|
|
require.NoError(err)
|
|
require.Nil(apiErr, "Got error ", apiErr)
|
|
assert.Equal(t, updatedRole.Version, r.Version+1)
|
|
assert.True(t, hasPrincipal(updatedRole, g.Id))
|
|
|
|
r = updatedRole
|
|
updatedRole, apiErr, err = r.SetPrincipals(ctx, []string{user.Id})
|
|
require.NoError(err)
|
|
require.Nil(apiErr, "Got error ", apiErr)
|
|
assert.Equal(t, updatedRole.Version, r.Version+1)
|
|
assert.True(t, hasPrincipal(updatedRole, user.Id))
|
|
|
|
r = updatedRole
|
|
updatedRole, apiErr, err = r.RemovePrincipals(ctx, []string{user.Id})
|
|
require.NoError(err)
|
|
require.Nil(apiErr, "Got error ", apiErr)
|
|
assert.Equal(t, updatedRole.Version, r.Version+1)
|
|
assert.Empty(t, updatedRole.Principals)
|
|
|
|
r = updatedRole
|
|
updatedRole, apiErr, err = r.AddGrants(ctx, []string{"id=*;actions=read"})
|
|
require.NoError(err)
|
|
require.Nil(apiErr, "Got error ", apiErr)
|
|
assert.Equal(t, updatedRole.Version, r.Version+1)
|
|
assert.Contains(t, updatedRole.GrantStrings, "id=*;actions=read")
|
|
|
|
r = updatedRole
|
|
updatedRole, apiErr, err = r.SetGrants(ctx, []string{"id=*;actions=*"})
|
|
require.NoError(err)
|
|
require.Nil(apiErr, "Got error ", apiErr)
|
|
assert.Equal(t, updatedRole.Version, r.Version+1)
|
|
assert.Contains(t, updatedRole.GrantStrings, "id=*;actions=*")
|
|
|
|
r = updatedRole
|
|
updatedRole, apiErr, err = r.RemoveGrants(ctx, []string{"id=*;actions=*"})
|
|
require.NoError(err)
|
|
require.Nil(apiErr, "Got error ", apiErr)
|
|
assert.Equal(t, updatedRole.Version, r.Version+1)
|
|
assert.Empty(t, updatedRole.Grants)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestRole_List(t *testing.T) {
|
|
tc := controller.NewTestController(t, &controller.TestControllerOpts{DisableAuthorizationFailures: true})
|
|
defer tc.Shutdown()
|
|
|
|
client := tc.Client()
|
|
org := &scopes.Org{
|
|
Client: client,
|
|
}
|
|
proj, apiErr, err := org.CreateProject(context.Background(), &scopes.Project{})
|
|
require.NoError(t, err)
|
|
require.Nil(t, apiErr)
|
|
|
|
cases := []struct {
|
|
name string
|
|
scope roleCrud
|
|
}{
|
|
{
|
|
name: "org",
|
|
scope: org,
|
|
},
|
|
{
|
|
name: "proj",
|
|
scope: proj,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
assert, require := assert.New(t), require.New(t)
|
|
ctx := context.Background()
|
|
|
|
p1, apiErr, err := tc.scope.ListRoles(ctx)
|
|
require.NoError(err)
|
|
assert.Nil(apiErr)
|
|
var defaultRoleIds []string
|
|
if tc.name == "org" {
|
|
require.True(2 == len(p1))
|
|
defaultRoleIds = []string{p1[0].Id, p1[1].Id}
|
|
} else {
|
|
require.Empty(p1)
|
|
}
|
|
|
|
var expected []*roles.Role
|
|
for i := 0; i < 10; i++ {
|
|
expected = append(expected, &roles.Role{Name: api.String(fmt.Sprint(i))})
|
|
}
|
|
|
|
expected[0], apiErr, err = tc.scope.CreateRole(ctx, expected[0])
|
|
require.NoError(err)
|
|
assert.Nil(apiErr)
|
|
|
|
p2, apiErr, err := tc.scope.ListRoles(ctx)
|
|
assert.NoError(err)
|
|
assert.Nil(apiErr)
|
|
var p2ForComparison []*roles.Role
|
|
for _, v := range p2 {
|
|
if !strutil.StrListContains(defaultRoleIds, v.Id) {
|
|
p2ForComparison = append(p2ForComparison, v)
|
|
}
|
|
}
|
|
assert.ElementsMatch(comparableSlice(expected[:1]), comparableSlice(p2ForComparison))
|
|
|
|
for i := 1; i < 10; i++ {
|
|
expected[i], apiErr, err = tc.scope.CreateRole(ctx, expected[i])
|
|
assert.NoError(err)
|
|
assert.Nil(apiErr)
|
|
}
|
|
p3, apiErr, err := tc.scope.ListRoles(ctx)
|
|
require.NoError(err)
|
|
assert.Nil(apiErr)
|
|
var p3ForComparison []*roles.Role
|
|
for _, v := range p3 {
|
|
if !strutil.StrListContains(defaultRoleIds, v.Id) {
|
|
p3ForComparison = append(p3ForComparison, v)
|
|
}
|
|
}
|
|
assert.ElementsMatch(comparableSlice(expected), comparableSlice(p3ForComparison))
|
|
})
|
|
}
|
|
}
|
|
|
|
func comparableSlice(in []*roles.Role) []roles.Role {
|
|
var filtered []roles.Role
|
|
for _, i := range in {
|
|
p := roles.Role{
|
|
Id: i.Id,
|
|
Name: i.Name,
|
|
Description: i.Description,
|
|
CreatedTime: i.CreatedTime,
|
|
UpdatedTime: i.UpdatedTime,
|
|
Disabled: i.Disabled,
|
|
}
|
|
filtered = append(filtered, p)
|
|
}
|
|
return filtered
|
|
}
|
|
|
|
func TestRole_Crud(t *testing.T) {
|
|
tc := controller.NewTestController(t, &controller.TestControllerOpts{DisableAuthorizationFailures: true})
|
|
defer tc.Shutdown()
|
|
|
|
client := tc.Client()
|
|
org := &scopes.Org{
|
|
Client: client,
|
|
}
|
|
|
|
proj, apiErr, err := org.CreateProject(tc.Context(), &scopes.Project{})
|
|
require.NoError(t, err)
|
|
require.Nil(t, apiErr)
|
|
|
|
checkRole := func(step string, g *roles.Role, apiErr *api.Error, err error, wantedName string) {
|
|
assert := assert.New(t)
|
|
assert.NoError(err, step)
|
|
if !assert.Nil(apiErr, step) && apiErr.Message != "" {
|
|
t.Errorf("ApiError message: %q", apiErr.Message)
|
|
}
|
|
assert.NotNil(g, "returned no resource", step)
|
|
gotName := ""
|
|
if g.Name != nil {
|
|
gotName = *g.Name
|
|
}
|
|
assert.Equal(wantedName, gotName, step)
|
|
}
|
|
|
|
cases := []struct {
|
|
name string
|
|
scope roleCrud
|
|
}{
|
|
{
|
|
name: "org",
|
|
scope: org,
|
|
},
|
|
{
|
|
name: "project",
|
|
scope: proj,
|
|
},
|
|
}
|
|
|
|
for _, tt := range cases {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
assert, require := assert.New(t), require.New(t)
|
|
g, apiErr, err := tt.scope.CreateRole(tc.Context(), &roles.Role{Name: api.String("foo")})
|
|
checkRole("create", g, apiErr, err, "foo")
|
|
|
|
g, apiErr, err = tt.scope.ReadRole(tc.Context(), &roles.Role{Id: g.Id})
|
|
checkRole("read", g, apiErr, err, "foo")
|
|
|
|
g = &roles.Role{Id: g.Id}
|
|
g.Name = api.String("bar")
|
|
g, apiErr, err = tt.scope.UpdateRole(tc.Context(), g)
|
|
checkRole("update", g, apiErr, err, "bar")
|
|
|
|
g = &roles.Role{Id: g.Id}
|
|
g.SetDefault("name")
|
|
g, apiErr, err = tt.scope.UpdateRole(tc.Context(), g)
|
|
checkRole("update", g, apiErr, err, "")
|
|
|
|
existed, apiErr, err := tt.scope.DeleteRole(tc.Context(), g)
|
|
require.NoError(err)
|
|
assert.Nil(apiErr)
|
|
assert.True(existed, "Expected existing user when deleted, but it wasn't.")
|
|
|
|
existed, apiErr, err = tt.scope.DeleteRole(tc.Context(), g)
|
|
require.NoError(err)
|
|
assert.Nil(apiErr)
|
|
assert.False(existed, "Expected user to not exist when deleted, but it did.")
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestRole_Errors(t *testing.T) {
|
|
tc := controller.NewTestController(t, &controller.TestControllerOpts{DisableAuthorizationFailures: true})
|
|
defer tc.Shutdown()
|
|
ctx := tc.Context()
|
|
|
|
client := tc.Client()
|
|
org := &scopes.Org{
|
|
Client: client,
|
|
}
|
|
|
|
proj, apiErr, err := org.CreateProject(tc.Context(), &scopes.Project{})
|
|
require.NoError(t, err)
|
|
require.Nil(t, apiErr)
|
|
|
|
cases := []struct {
|
|
name string
|
|
scope roleCrud
|
|
}{
|
|
{
|
|
name: "org",
|
|
scope: org,
|
|
},
|
|
{
|
|
name: "project",
|
|
scope: proj,
|
|
},
|
|
}
|
|
|
|
for _, tt := range cases {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
assert, require := assert.New(t), require.New(t)
|
|
u, apiErr, err := tt.scope.CreateRole(ctx, &roles.Role{Name: api.String("first")})
|
|
require.NoError(err)
|
|
assert.Nil(apiErr)
|
|
assert.NotNil(u)
|
|
|
|
// Create another resource with the same name.
|
|
_, apiErr, err = tt.scope.CreateRole(ctx, &roles.Role{Name: api.String("first")})
|
|
require.NoError(err)
|
|
assert.NotNil(apiErr)
|
|
|
|
_, apiErr, err = tt.scope.ReadRole(ctx, &roles.Role{Id: iam.RolePrefix + "_doesntexis"})
|
|
require.NoError(err)
|
|
assert.NotNil(apiErr)
|
|
assert.EqualValues(http.StatusNotFound, apiErr.Status)
|
|
|
|
_, apiErr, err = tt.scope.ReadRole(ctx, &roles.Role{Id: "invalid id"})
|
|
require.NoError(err)
|
|
assert.NotNil(apiErr)
|
|
assert.EqualValues(http.StatusBadRequest, apiErr.Status)
|
|
|
|
_, apiErr, err = tt.scope.UpdateRole(ctx, &roles.Role{Id: u.Id})
|
|
require.NoError(err)
|
|
assert.NotNil(apiErr)
|
|
assert.EqualValues(http.StatusBadRequest, apiErr.Status)
|
|
})
|
|
}
|
|
}
|
|
*/
|