| 119 | |
| 120 | // nolint:paralleltest,tparallel // Serially testing is easier |
| 121 | func TestCacheRBAC(t *testing.T) { |
| 122 | t.Parallel() |
| 123 | |
| 124 | db, cache, rec := cacheAuthzSetup(t) |
| 125 | ctx := testutil.Context(t, testutil.WaitMedium) |
| 126 | |
| 127 | file := dbgen.File(t, db, database.File{}) |
| 128 | |
| 129 | nobodyID := uuid.New() |
| 130 | nobody := dbauthz.As(ctx, rbac.Subject{ |
| 131 | ID: nobodyID.String(), |
| 132 | Roles: rbac.Roles{}, |
| 133 | Scope: rbac.ScopeAll, |
| 134 | }) |
| 135 | |
| 136 | userID := uuid.New() |
| 137 | userReader := dbauthz.As(ctx, rbac.Subject{ |
| 138 | ID: userID.String(), |
| 139 | Roles: rbac.Roles{ |
| 140 | must(rbac.RoleByName(rbac.RoleTemplateAdmin())), |
| 141 | }, |
| 142 | Scope: rbac.ScopeAll, |
| 143 | }) |
| 144 | |
| 145 | cacheReader := dbauthz.AsFileReader(ctx) |
| 146 | |
| 147 | t.Run("NoRolesOpen", func(t *testing.T) { |
| 148 | // Ensure start is clean |
| 149 | require.Equal(t, 0, cache.Count()) |
| 150 | rec.Reset() |
| 151 | |
| 152 | _, err := cache.Acquire(nobody, db, file.ID) |
| 153 | require.Error(t, err) |
| 154 | require.True(t, rbac.IsUnauthorizedError(err)) |
| 155 | |
| 156 | // Ensure that the cache is empty |
| 157 | require.Equal(t, 0, cache.Count()) |
| 158 | |
| 159 | // Check the assertions |
| 160 | rec.AssertActorID(t, nobodyID.String(), rec.Pair(policy.ActionRead, file)) |
| 161 | rec.AssertActorID(t, rbac.SubjectTypeFileReaderID, rec.Pair(policy.ActionRead, file)) |
| 162 | }) |
| 163 | |
| 164 | t.Run("CacheHasFile", func(t *testing.T) { |
| 165 | rec.Reset() |
| 166 | require.Equal(t, 0, cache.Count()) |
| 167 | |
| 168 | // Read the file with a file reader to put it into the cache. |
| 169 | a, err := cache.Acquire(cacheReader, db, file.ID) |
| 170 | require.NoError(t, err) |
| 171 | require.Equal(t, 1, cache.Count()) |
| 172 | |
| 173 | // "nobody" should not be able to read the file. |
| 174 | _, err = cache.Acquire(nobody, db, file.ID) |
| 175 | require.Error(t, err) |
| 176 | require.True(t, rbac.IsUnauthorizedError(err)) |
| 177 | require.Equal(t, 1, cache.Count()) |
| 178 |