(t *testing.T)
| 1173 | } |
| 1174 | |
| 1175 | func TestScopeAllowList(t *testing.T) { |
| 1176 | t.Parallel() |
| 1177 | |
| 1178 | defOrg := uuid.New() |
| 1179 | |
| 1180 | // Some IDs to use |
| 1181 | wid := uuid.New() |
| 1182 | gid := uuid.New() |
| 1183 | |
| 1184 | user := Subject{ |
| 1185 | ID: "me", |
| 1186 | Roles: Roles{ |
| 1187 | must(RoleByName(RoleOwner())), |
| 1188 | }, |
| 1189 | Scope: Scope{ |
| 1190 | Role: Role{ |
| 1191 | Identifier: RoleIdentifier{ |
| 1192 | Name: "AllowList", |
| 1193 | OrganizationID: defOrg, |
| 1194 | }, |
| 1195 | DisplayName: "AllowList", |
| 1196 | // Allow almost everything |
| 1197 | Site: allPermsExcept(ResourceUser), |
| 1198 | }, |
| 1199 | AllowIDList: []AllowListElement{ |
| 1200 | {Type: ResourceWorkspace.Type, ID: wid.String()}, |
| 1201 | {Type: ResourceWorkspace.Type, ID: ""}, // Allow to create |
| 1202 | {Type: ResourceTemplate.Type, ID: policy.WildcardSymbol}, |
| 1203 | {Type: ResourceGroup.Type, ID: gid.String()}, |
| 1204 | |
| 1205 | // This scope allows all users, but the permissions do not. |
| 1206 | {Type: ResourceUser.Type, ID: policy.WildcardSymbol}, |
| 1207 | }, |
| 1208 | }, |
| 1209 | } |
| 1210 | |
| 1211 | testAuthorize(t, "AllowList", user, |
| 1212 | // Allowed: |
| 1213 | cases(func(c authTestCase) authTestCase { |
| 1214 | c.allow = true |
| 1215 | return c |
| 1216 | }, |
| 1217 | []authTestCase{ |
| 1218 | {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID).WithID(wid), actions: []policy.Action{policy.ActionRead}}, |
| 1219 | // matching on empty id |
| 1220 | {resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), actions: []policy.Action{policy.ActionCreate}}, |
| 1221 | |
| 1222 | // Template has wildcard ID, so any uuid is allowed, including the empty |
| 1223 | {resource: ResourceTemplate.InOrg(defOrg).WithID(uuid.New()), actions: AllActions()}, |
| 1224 | {resource: ResourceTemplate.InOrg(defOrg).WithID(uuid.New()), actions: AllActions()}, |
| 1225 | {resource: ResourceTemplate.InOrg(defOrg), actions: AllActions()}, |
| 1226 | |
| 1227 | // Group |
| 1228 | {resource: ResourceGroup.InOrg(defOrg).WithID(gid), actions: []policy.Action{policy.ActionRead}}, |
| 1229 | }, |
| 1230 | ), |
| 1231 | |
| 1232 | // Not allowed: |