TestAuthorizeDomain test the very basic roles that are commonly used.
(t *testing.T)
| 279 | |
| 280 | // TestAuthorizeDomain test the very basic roles that are commonly used. |
| 281 | func TestAuthorizeDomain(t *testing.T) { |
| 282 | t.Parallel() |
| 283 | defOrg := uuid.New() |
| 284 | unusedID := uuid.New() |
| 285 | allUsersGroup := "Everyone" |
| 286 | |
| 287 | // orphanedUser has no organization |
| 288 | orphanedUser := Subject{ |
| 289 | ID: "me", |
| 290 | Scope: must(ExpandScope(ScopeAll)), |
| 291 | Groups: []string{}, |
| 292 | Roles: Roles{ |
| 293 | must(RoleByName(RoleMember())), |
| 294 | }, |
| 295 | } |
| 296 | testAuthorize(t, "OrphanedUser", orphanedUser, []authTestCase{ |
| 297 | {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(orphanedUser.ID), actions: ResourceWorkspace.AvailableActions(), allow: false}, |
| 298 | |
| 299 | // Orphaned user cannot create workspaces in any organization |
| 300 | {resource: ResourceWorkspace.AnyOrganization().WithOwner(orphanedUser.ID), actions: []policy.Action{policy.ActionCreate}, allow: false}, |
| 301 | }) |
| 302 | |
| 303 | user := Subject{ |
| 304 | ID: "me", |
| 305 | Scope: must(ExpandScope(ScopeAll)), |
| 306 | Groups: []string{allUsersGroup}, |
| 307 | Roles: Roles{ |
| 308 | must(RoleByName(RoleMember())), |
| 309 | orgMemberRole(defOrg), |
| 310 | }, |
| 311 | } |
| 312 | |
| 313 | testAuthorize(t, "UserACLList", user, []authTestCase{ |
| 314 | { |
| 315 | resource: ResourceWorkspace.WithOwner(unusedID.String()).InOrg(unusedID).WithACLUserList(map[string][]policy.Action{ |
| 316 | user.ID: ResourceWorkspace.AvailableActions(), |
| 317 | }), |
| 318 | actions: ResourceWorkspace.AvailableActions(), |
| 319 | allow: true, |
| 320 | }, |
| 321 | { |
| 322 | resource: ResourceWorkspace.WithOwner(unusedID.String()).InOrg(unusedID).WithACLUserList(map[string][]policy.Action{ |
| 323 | user.ID: {policy.WildcardSymbol}, |
| 324 | }), |
| 325 | actions: ResourceWorkspace.AvailableActions(), |
| 326 | allow: true, |
| 327 | }, |
| 328 | { |
| 329 | resource: ResourceWorkspace.WithOwner(unusedID.String()).InOrg(unusedID).WithACLUserList(map[string][]policy.Action{ |
| 330 | user.ID: {policy.ActionRead, policy.ActionUpdate}, |
| 331 | }), |
| 332 | actions: []policy.Action{policy.ActionCreate, policy.ActionDelete}, |
| 333 | allow: false, |
| 334 | }, |
| 335 | { |
| 336 | // By default users cannot update templates |
| 337 | resource: ResourceTemplate.InOrg(defOrg).WithACLUserList(map[string][]policy.Action{ |
| 338 | user.ID: {policy.ActionUpdate}, |
nothing calls this directly
no test coverage detected