TestRegoInputValue ensures the custom Rego input parser returns the same value as the default JSON parser. The JSON parser is always correct, and the custom parser is used to reduce allocations. This optimization should yield the same results. Because this value is the input passed to the Rego policy, anything different is a bug.
(t *testing.T)
| 70 | // and the custom parser is used to reduce allocations. This optimization |
| 71 | // should yield the same results. Anything different is a bug. |
| 72 | func TestRegoInputValue(t *testing.T) { |
| 73 | t.Parallel() |
| 74 | |
| 75 | // Expand all roles and make sure we have a good copy. |
| 76 | // This is because these tests modify the roles, and we don't want to |
| 77 | // modify the original roles. |
| 78 | roles, err := RoleIdentifiers{ScopedRoleOrgAuditor(uuid.New()), ScopedRoleOrgAdmin(uuid.New()), RoleMember()}.Expand() |
| 79 | require.NoError(t, err, "failed to expand roles") |
| 80 | for i := range roles { |
| 81 | // If all cached values are nil, then the role will not use |
| 82 | // the shared cached value. |
| 83 | roles[i].cachedRegoValue = nil |
| 84 | } |
| 85 | |
| 86 | actor := Subject{ |
| 87 | Roles: Roles(roles), |
| 88 | ID: uuid.NewString(), |
| 89 | Scope: ScopeAll, |
| 90 | Groups: []string{uuid.NewString(), uuid.NewString(), uuid.NewString()}, |
| 91 | } |
| 92 | |
| 93 | obj := ResourceTemplate. |
| 94 | WithID(uuid.New()). |
| 95 | InOrg(uuid.New()). |
| 96 | WithOwner(uuid.NewString()). |
| 97 | WithGroupACL(map[string][]policy.Action{ |
| 98 | uuid.NewString(): {policy.ActionRead, policy.ActionCreate}, |
| 99 | uuid.NewString(): {policy.ActionRead, policy.ActionCreate}, |
| 100 | uuid.NewString(): {policy.ActionRead, policy.ActionCreate}, |
| 101 | }).WithACLUserList(map[string][]policy.Action{ |
| 102 | uuid.NewString(): {policy.ActionRead, policy.ActionCreate}, |
| 103 | uuid.NewString(): {policy.ActionRead, policy.ActionCreate}, |
| 104 | }) |
| 105 | |
| 106 | action := policy.ActionRead |
| 107 | |
| 108 | t.Run("InputValue", func(t *testing.T) { |
| 109 | t.Parallel() |
| 110 | |
| 111 | // This is the input that would be passed to the rego policy. |
| 112 | jsonInput := map[string]any{ |
| 113 | "subject": authSubject{ |
| 114 | ID: actor.ID, |
| 115 | Roles: must(actor.Roles.Expand()), |
| 116 | Groups: actor.Groups, |
| 117 | Scope: must(actor.Scope.Expand()), |
| 118 | }, |
| 119 | "action": action, |
| 120 | "object": obj, |
| 121 | } |
| 122 | |
| 123 | manual, err := regoInputValue(actor, action, obj) |
| 124 | require.NoError(t, err) |
| 125 | |
| 126 | general, err := ast.InterfaceToValue(jsonInput) |
| 127 | require.NoError(t, err) |
| 128 | |
| 129 | // The custom parser does not set these fields because they are not needed. |