(t *testing.T, name string, subject Subject, sets ...[]authTestCase)
| 1315 | } |
| 1316 | |
| 1317 | func testAuthorize(t *testing.T, name string, subject Subject, sets ...[]authTestCase) { |
| 1318 | t.Helper() |
| 1319 | authorizer := NewAuthorizer(prometheus.NewRegistry()) |
| 1320 | for i, cases := range sets { |
| 1321 | for j, c := range cases { |
| 1322 | caseName := fmt.Sprintf("%s/Set%d/Case%d", name, i, j) |
| 1323 | t.Run(caseName, func(t *testing.T) { |
| 1324 | t.Parallel() |
| 1325 | for _, a := range c.actions { |
| 1326 | ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort) |
| 1327 | t.Cleanup(cancel) |
| 1328 | |
| 1329 | authError := authorizer.Authorize(ctx, subject, a, c.resource) |
| 1330 | |
| 1331 | d, _ := json.Marshal(map[string]interface{}{ |
| 1332 | // This is not perfect marshal, but it is good enough for debugging this test. |
| 1333 | "subject": authSubject{ |
| 1334 | ID: subject.ID, |
| 1335 | Roles: must(subject.Roles.Expand()), |
| 1336 | Groups: subject.Groups, |
| 1337 | Scope: must(subject.Scope.Expand()), |
| 1338 | }, |
| 1339 | "object": c.resource, |
| 1340 | "action": a, |
| 1341 | }) |
| 1342 | |
| 1343 | // Logging only |
| 1344 | t.Logf("input: %s", string(d)) |
| 1345 | if authError != nil { |
| 1346 | var uerr *UnauthorizedError |
| 1347 | if xerrors.As(authError, &uerr) { |
| 1348 | t.Logf("internal error: %+v", uerr.Internal().Error()) |
| 1349 | t.Logf("output: %+v", uerr.Output()) |
| 1350 | } |
| 1351 | } |
| 1352 | |
| 1353 | if c.allow { |
| 1354 | assert.NoError(t, authError, "expected no error for testcase action %s", a) |
| 1355 | } else { |
| 1356 | assert.Error(t, authError, "expected unauthorized") |
| 1357 | } |
| 1358 | |
| 1359 | prepared, err := authorizer.Prepare(ctx, subject, a, c.resource.Type) |
| 1360 | require.NoError(t, err, "make prepared authorizer") |
| 1361 | |
| 1362 | // For unit testing logging and assertions, we want the PartialAuthorizer |
| 1363 | // struct. |
| 1364 | partialAuthz, ok := prepared.(*PartialAuthorizer) |
| 1365 | require.True(t, ok, "prepared authorizer is partial") |
| 1366 | |
| 1367 | // Ensure the partial can compile to a SQL clause. |
| 1368 | // This does not guarantee that the clause is valid SQL. |
| 1369 | _, err = Compile(ConfigWithACL(), partialAuthz) |
| 1370 | require.NoError(t, err, "compile prepared authorizer") |
| 1371 | |
| 1372 | // Also check the rego policy can form a valid partial query result. |
| 1373 | // This ensures we can convert the queries into SQL WHERE clauses in the future. |
| 1374 | // If this function returns 'Support' sections, then we cannot convert the query into SQL. |
no test coverage detected