forked from euforia/ladon
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathladon_test.go
154 lines (144 loc) · 4.11 KB
/
ladon_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
package ladon_test
import (
"fmt"
"testing"
. "github.com/d3sw/ladon"
. "github.com/d3sw/ladon/manager/memory"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// A bunch of exemplary policies
var pols = []Policy{
&DefaultPolicy{
ID: "1",
Description: `This policy allows max, peter, zac and ken to create, delete and get the listed resources,
but only if the client ip matches and the request states that they are the owner of those resources as well.`,
Subjects: []string{"max", "peter", "<zac|ken>"},
Resources: []string{"myrn:some.domain.com:resource:123", "myrn:some.domain.com:resource:345", "myrn:something:foo:<.+>"},
Actions: []string{"<create|delete>", "get"},
Effect: AllowAccess,
Conditions: Conditions{
"owner": &EqualsSubjectCondition{},
"clientIP": &CIDRCondition{
CIDR: "127.0.0.1/32",
},
},
},
&DefaultPolicy{
ID: "2",
Description: "This policy allows max to update any resource",
Subjects: []string{"max"},
Actions: []string{"update"},
Resources: []string{"<.*>"},
Effect: AllowAccess,
},
&DefaultPolicy{
ID: "3",
Description: "This policy denies max to broadcast any of the resources",
Subjects: []string{"max"},
Actions: []string{"broadcast"},
Resources: []string{"<.*>"},
Effect: DenyAccess,
},
}
// Some test cases
var cases = []struct {
description string
accessRequest *Request
expectErr bool
}{
{
description: "should fail because no policy is matching as field clientIP does not satisfy the CIDR condition of policy 1.",
accessRequest: &Request{
Subjects: []string{"peter"},
Action: "delete",
Resource: "myrn:some.domain.com:resource:123",
Context: Context{
"owner": "peter",
"clientIP": "0.0.0.0",
},
},
expectErr: true,
},
{
description: "should fail because no policy is matching as the owner of the resource 123 is zac, not peter!",
accessRequest: &Request{
Subjects: []string{"peter"},
Action: "delete",
Resource: "myrn:some.domain.com:resource:123",
Context: Context{
"owner": "zac",
"clientIP": "127.0.0.1",
},
},
expectErr: true,
},
{
description: "should pass because policy 1 is matching and has effect allow.",
accessRequest: &Request{
Subjects: []string{"peter"},
Action: "delete",
Resource: "myrn:some.domain.com:resource:123",
Context: Context{
"owner": "peter",
"clientIP": "127.0.0.1",
},
},
expectErr: false,
},
{
description: "should pass because max is allowed to update all resources.",
accessRequest: &Request{
Subjects: []string{"max"},
Action: "update",
Resource: "myrn:some.domain.com:resource:123",
},
expectErr: false,
},
{
description: "should pass because max is allowed to update all resource, even if none is given.",
accessRequest: &Request{
Subjects: []string{"max"},
Action: "update",
Resource: "",
},
expectErr: false,
},
{
description: "should fail because max is not allowed to broadcast any resource.",
accessRequest: &Request{
Subjects: []string{"max"},
Action: "broadcast",
Resource: "myrn:some.domain.com:resource:123",
},
expectErr: true,
},
{
description: "should fail because max is not allowed to broadcast any resource, even empty ones!",
accessRequest: &Request{
Subjects: []string{"max"},
Action: "broadcast",
},
expectErr: true,
},
}
func TestLadon(t *testing.T) {
// Instantiate ladon with the default in-memory store.
warden := &Ladon{Manager: NewMemoryManager()}
// Add the policies defined above to the memory manager.
for _, pol := range pols {
require.Nil(t, warden.Manager.Create(pol))
}
for k, c := range cases {
t.Run(fmt.Sprintf("case=%d-%s", k, c.description), func(t *testing.T) {
// This is where we ask the warden if the access requests should be granted
err := warden.IsAllowed(c.accessRequest)
assert.Equal(t, c.expectErr, err != nil)
})
}
}
func TestLadonEmpty(t *testing.T) {
// If no policy was given, the warden must return an error!
warden := &Ladon{Manager: NewMemoryManager()}
assert.NotNil(t, warden.IsAllowed(&Request{}))
}