| 716 | |
| 717 | // TestAuthorizeLevels ensures level overrides are acting appropriately |
| 718 | func TestAuthorizeLevels(t *testing.T) { |
| 719 | t.Parallel() |
| 720 | defOrg := uuid.New() |
| 721 | unusedID := uuid.New() |
| 722 | |
| 723 | user := Subject{ |
| 724 | ID: "me", |
| 725 | Scope: must(ExpandScope(ScopeAll)), |
| 726 | Roles: Roles{ |
| 727 | must(RoleByName(RoleOwner())), |
| 728 | { |
| 729 | Identifier: RoleIdentifier{Name: "org-deny:", OrganizationID: defOrg}, |
| 730 | ByOrgID: map[string]OrgPermissions{ |
| 731 | defOrg.String(): { |
| 732 | Org: []Permission{ |
| 733 | { |
| 734 | Negate: true, |
| 735 | ResourceType: "*", |
| 736 | Action: "*", |
| 737 | }, |
| 738 | }, |
| 739 | Member: []Permission{}, |
| 740 | }, |
| 741 | }, |
| 742 | }, |
| 743 | { |
| 744 | Identifier: RoleIdentifier{Name: "user-deny-all"}, |
| 745 | // List out deny permissions explicitly |
| 746 | User: []Permission{ |
| 747 | { |
| 748 | Negate: true, |
| 749 | ResourceType: policy.WildcardSymbol, |
| 750 | Action: policy.WildcardSymbol, |
| 751 | }, |
| 752 | }, |
| 753 | }, |
| 754 | }, |
| 755 | } |
| 756 | |
| 757 | testAuthorize(t, "AdminAlwaysAllow", user, |
| 758 | cases(func(c authTestCase) authTestCase { |
| 759 | c.actions = ResourceWorkspace.AvailableActions() |
| 760 | c.allow = true |
| 761 | return c |
| 762 | }, []authTestCase{ |
| 763 | // Org + me |
| 764 | {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID)}, |
| 765 | {resource: ResourceWorkspace.InOrg(defOrg)}, |
| 766 | |
| 767 | {resource: ResourceWorkspace.WithOwner(user.ID)}, |
| 768 | |
| 769 | {resource: ResourceWorkspace.All()}, |
| 770 | |
| 771 | // Other org + me |
| 772 | {resource: ResourceWorkspace.InOrg(unusedID).WithOwner(user.ID)}, |
| 773 | {resource: ResourceWorkspace.InOrg(unusedID)}, |
| 774 | |
| 775 | // Other org + other user |