(t *testing.T)
| 845 | } |
| 846 | |
| 847 | func TestAuthorizeScope(t *testing.T) { |
| 848 | t.Parallel() |
| 849 | |
| 850 | defOrg := uuid.New() |
| 851 | unusedID := uuid.New() |
| 852 | user := Subject{ |
| 853 | ID: "me", |
| 854 | Roles: Roles{must(RoleByName(RoleOwner()))}, |
| 855 | Scope: must(ExpandScope(ScopeApplicationConnect)), |
| 856 | } |
| 857 | |
| 858 | testAuthorize(t, "Admin_ScopeApplicationConnect", user, |
| 859 | cases(func(c authTestCase) authTestCase { |
| 860 | c.actions = []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionDelete} |
| 861 | return c |
| 862 | }, []authTestCase{ |
| 863 | {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), allow: false}, |
| 864 | {resource: ResourceWorkspace.InOrg(defOrg), allow: false}, |
| 865 | {resource: ResourceWorkspace.WithOwner(user.ID), allow: false}, |
| 866 | {resource: ResourceWorkspace.All(), allow: false}, |
| 867 | {resource: ResourceWorkspace.InOrg(unusedID).WithOwner(user.ID), allow: false}, |
| 868 | {resource: ResourceWorkspace.InOrg(unusedID), allow: false}, |
| 869 | {resource: ResourceWorkspace.InOrg(defOrg).WithOwner("not-me"), allow: false}, |
| 870 | {resource: ResourceWorkspace.WithOwner("not-me"), allow: false}, |
| 871 | {resource: ResourceWorkspace.InOrg(unusedID).WithOwner("not-me"), allow: false}, |
| 872 | {resource: ResourceWorkspace.InOrg(unusedID), allow: false}, |
| 873 | {resource: ResourceWorkspace.WithOwner("not-me"), allow: false}, |
| 874 | }), |
| 875 | // Allowed by scope: |
| 876 | []authTestCase{ |
| 877 | {resource: ResourceWorkspace.InOrg(defOrg).WithOwner("not-me"), actions: []policy.Action{policy.ActionApplicationConnect}, allow: true}, |
| 878 | {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), actions: []policy.Action{policy.ActionApplicationConnect}, allow: true}, |
| 879 | {resource: ResourceWorkspace.InOrg(unusedID).WithOwner("not-me"), actions: []policy.Action{policy.ActionApplicationConnect}, allow: true}, |
| 880 | }, |
| 881 | ) |
| 882 | |
| 883 | user = Subject{ |
| 884 | ID: "me", |
| 885 | Roles: Roles{ |
| 886 | must(RoleByName(RoleMember())), |
| 887 | orgMemberRole(defOrg), |
| 888 | }, |
| 889 | Scope: must(ExpandScope(ScopeApplicationConnect)), |
| 890 | } |
| 891 | |
| 892 | testAuthorize(t, "User_ScopeApplicationConnect", user, |
| 893 | cases(func(c authTestCase) authTestCase { |
| 894 | c.actions = []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionDelete} |
| 895 | c.allow = false |
| 896 | return c |
| 897 | }, []authTestCase{ |
| 898 | {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID)}, |
| 899 | {resource: ResourceWorkspace.InOrg(defOrg)}, |
| 900 | {resource: ResourceWorkspace.WithOwner(user.ID)}, |
| 901 | {resource: ResourceWorkspace.All()}, |
| 902 | {resource: ResourceWorkspace.InOrg(unusedID).WithOwner(user.ID)}, |
| 903 | {resource: ResourceWorkspace.InOrg(unusedID)}, |
| 904 | {resource: ResourceWorkspace.InOrg(defOrg).WithOwner("not-me")}, |