-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathrbac_test.go
389 lines (347 loc) · 12.2 KB
/
rbac_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
package rbac
import (
"bytes"
"encoding/json"
"errors"
"io"
"os"
"strings"
"testing"
)
func TestRBAC(t *testing.T) {
// Add Actions
R := New(nil) //NewConsoleLogger()
crudActions := []Action{Create, Read, Update, Delete}
ApproveAction := Action("approve")
// Add permissions
if tPerm := R.GetPermission("users"); tPerm != nil {
t.Fatalf("usersPerm should not exist yet")
}
usersPerm, err := R.RegisterPermission("users", "User resource", crudActions...)
if err != nil {
t.Fatalf("can not register users permission, err: %v", err)
}
_, err = R.RegisterPermission("users", "User resource", crudActions...)
if err == nil {
t.Fatalf("should not be able to register users permission twice")
}
if tPerm := R.GetPermission("users"); tPerm == nil {
t.Fatalf("usersPerm should exist")
}
if !R.IsPermissionExist(usersPerm.ID, "") {
t.Fatalf("users role should exit")
}
for _, action := range crudActions {
if !R.IsPermissionExist(usersPerm.ID, action) {
t.Fatalf("users permission with action %s should exit", action)
}
}
postPerm, err := R.RegisterPermission("post", "Post resource", Create, Read, Update, Delete, ApproveAction)
if err != nil {
t.Fatalf("can not register posts permission, err: %v", err)
}
if !R.IsPermissionExist(postPerm.ID, ApproveAction) {
t.Fatalf("posts permission with approve action should exit")
}
if len(R.Permissions()) != 2 {
t.Fatalf("should have 2 permissions registered, got %d", len(R.Permissions()))
}
var viewSomething *Permission
viewSomething, err = R.RegisterPermission("viewSomething", "view something", Read)
if err != nil {
t.Fatalf("can not register viewSomething permission, err: %v", err)
}
if !R.IsPermissionExist(viewSomething.ID, Read) {
t.Fatalf("viewSomething permission with Read action should exit")
}
if len(R.Permissions()) != 3 {
t.Fatalf("should have 3 permissions registered, got %d", len(R.Permissions()))
}
// Test GetRole/RemoveRole
if tRole := R.GetRole("test_role"); tRole != nil {
t.Fatalf("test_role should not exists yet")
}
if err := R.RemoveRole("test_role"); err == nil {
t.Fatalf("test_role should not exists yet")
}
_, err = R.RegisterRole("test_role", "NoParent role")
if err != nil {
t.Fatalf("can not add test_role role, err: %v", err)
}
if tRole := R.GetRole("test_role"); tRole == nil {
t.Fatalf("test_role should exists")
}
if err := R.RemoveRole("test_role"); err != nil {
t.Fatalf("test_role get removed, err: %v", err)
}
// Add Roles
// noparent - stand alone role
//
// viewer - has viewSomething.Read permission
// `-> admin - inherits from viewer. has users.CRUD permission
// `-> sysAdmin - inherits admin. Has post.CURD AND post.Approve permissions`
// noparent Role
noparentRole, err := R.RegisterRole("noparent", "NoParent role")
if err != nil {
t.Fatalf("can not add noparent role, err: %v", err)
}
if tRole := R.GetRole(noparentRole.ID); tRole == nil {
t.Fatalf("noparentRole should exists")
}
// viewer Role
viewerRole, err := R.RegisterRole("viewer", "Viewer role")
if err != nil {
t.Fatalf("can not add viewer role, err: %v", err)
}
if err = R.Permit(viewerRole.ID, viewSomething, Read); err != nil {
t.Fatalf("can not permit Read action to role %s", viewerRole.ID)
}
if !R.IsGranted(viewerRole.ID, viewSomething, Read) {
t.Fatalf("viewerRole role should have Read actions granted")
}
// admin Role
adminRole, err := R.RegisterRole("admin", "Admin role")
if err != nil {
t.Fatalf("can not add admin role, err: %v", err)
}
if _, err = R.RegisterRole("admin", "Admin role"); err == nil {
t.Fatalf("should get error when re-registering role")
}
if err = R.Permit(adminRole.ID, usersPerm, crudActions...); err != nil {
t.Fatalf("can not permit all crud actions to role %s", adminRole.ID)
}
if !R.IsGranted(adminRole.ID, usersPerm, crudActions...) {
t.Fatalf("admin role should have all crud actions granted")
}
if R.IsGranted(adminRole.ID, usersPerm, "unknown") {
t.Fatalf("admin role should not have unknown action granted")
}
if err = adminRole.AddParent(viewerRole); err != nil {
t.Fatalf("adding parent role failed with: %v", err)
}
// sysAdmin Role
sysAdminRole, err := R.RegisterRole("sysAdmin", "System admin role")
if err != nil {
t.Fatalf("can not add agent role, err: %v", err)
}
if err = R.Permit(sysAdminRole.ID, postPerm, append(crudActions, ApproveAction)...); err != nil {
t.Fatalf("can not permit all crud actions to role %s", adminRole.ID)
}
if err = sysAdminRole.AddParent(adminRole); err != nil {
t.Fatalf("adding parent role failed with: %v", err)
}
// Test Permit branches
if err = R.Permit(sysAdminRole.ID, nil, ApproveAction); err == nil {
t.Fatalf("Permit should fail with nil permission")
}
if err = R.Permit(sysAdminRole.ID, viewSomething, ApproveAction); err == nil {
t.Fatalf("Permit should fail with invalid action for permission")
}
if err = R.Permit("fake_role", viewSomething, ApproveAction); err == nil {
t.Fatalf("Permit should fail with nonexisting role")
}
// Test Revoke branches
if err = R.Revoke(sysAdminRole.ID, nil, ApproveAction); err == nil {
t.Fatalf("Revoke should fail with nil permission")
}
if err = R.Revoke(sysAdminRole.ID, viewSomething, ApproveAction); err == nil {
t.Fatalf("Revoke should fail with invalid action for permission")
}
if err = R.Revoke("fake_role", viewSomething, ApproveAction); err == nil {
t.Fatalf("Revoke should fail with nonexisting role")
}
// Test IsGranted branches
if R.IsGranted(sysAdminRole.ID, nil, ApproveAction) {
t.Fatalf("IsGranted should fail with nil permission")
}
if !R.IsGranted(adminRole.ID, usersPerm, crudActions...) {
t.Fatalf("sysAdmin role should have all crud actions granted")
}
if !adminRole.isGranted(usersPerm, crudActions...) {
t.Fatalf("admin role should have all crud actions granted")
}
// Test IsGrantInherited branches
if R.IsGrantInherited(sysAdminRole.ID, nil, ApproveAction) {
t.Fatalf("IsGrantInherited should fail with nil permission")
}
if R.IsGrantInherited(sysAdminRole.ID, usersPerm, ApproveAction) {
t.Fatalf("IsGrantInherited should fail with invalid action for permission")
}
if !R.IsGrantInherited(sysAdminRole.ID, usersPerm, crudActions...) {
t.Fatalf("sysAdmin role should have all crud actions granted")
}
if !adminRole.isGrantInherited(usersPerm, crudActions...) {
t.Fatalf("admin role should have all crud actions granted")
}
if R.IsGrantInherited("fake_role", usersPerm, crudActions...) {
t.Fatalf("noexisting role should not have all crud actions granted")
}
// Check circular heritage.
if err = sysAdminRole.AddParent(adminRole); err == nil {
t.Fatalf("Should not be able to add adminRole as parent to sysAdminRole again.")
}
if err = viewerRole.AddParent(sysAdminRole); strings.Index(err.Error(), "circular") == -1 {
t.Fatalf("circular parent check failed with err: %v", err)
}
// Check inheritance
if ok := adminRole.HasParent(viewerRole.ID); !ok {
t.Fatalf("adminRole should have viewerRole as parent.")
}
if ok := adminRole.HasAncestor(viewerRole.ID); !ok {
t.Fatalf("adminRole should have viewerRole as ancestor.")
}
if ok := sysAdminRole.HasParent(viewerRole.ID); ok {
t.Fatalf("sysAdminRole should not have viewerRole as parent.")
}
if ok := sysAdminRole.HasAncestor(viewerRole.ID); !ok {
t.Fatalf("sysAdminRole should have viewerRole as ancestor.")
}
if ok := sysAdminRole.HasParent(noparentRole.ID); ok {
t.Fatalf("sysAdminRole should not have noparentRole as parent.")
}
if ok := sysAdminRole.HasAncestor(noparentRole.ID); ok {
t.Fatalf("sysAdminRole should not have noparentRole as ancestor.")
}
// Check hasAction branches
if hasAction([]Action{ApproveAction}, Read) {
t.Fatalf("Read should not be in this action list")
}
// Check AnyGranted branches
if !R.AnyGranted([]string{adminRole.ID, sysAdminRole.ID}, usersPerm, Delete) {
t.Fatalf("roles should have users.delete")
}
if R.AllGranted([]string{adminRole.ID, sysAdminRole.ID}, usersPerm, Create) {
t.Fatalf("roles should not have users.create")
}
// Check AnyGrantInherited branches
if !R.AnyGrantInherited([]string{adminRole.ID, sysAdminRole.ID}, postPerm, ApproveAction) {
t.Fatalf("one role should have postPerm.ApproveAction")
}
if !R.AllGrantInherited([]string{adminRole.ID, sysAdminRole.ID}, viewSomething, Read) {
t.Fatalf("roles should all have viewSomething.Read")
}
if R.AllGrantInherited([]string{adminRole.ID, viewerRole.ID}, usersPerm, Create) {
t.Fatalf("veiwer role should not have userPerm.Create")
}
if err = sysAdminRole.RemoveParent(adminRole); err != nil {
t.Fatalf("removing parent role failed with: %v", err)
}
if err = sysAdminRole.AddParent(adminRole); err != nil {
t.Fatalf("adding parent role failed with: %v", err)
}
b, err := json.Marshal(R)
if err != nil {
t.Fatalf("rback marshall failed with %v", err)
}
filename := "/tmp/rbac.json"
RNew := R.Clone(false)
fw, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0644)
if err != nil {
t.Fatalf("unable to create json file, err:%v", err)
}
if err = R.SaveJSON(fw); err != nil {
t.Fatalf("unable to save to json file, err:%v", err)
}
defer fw.Close()
f, err := os.Open(filename)
if err != nil {
t.Fatalf("can not open temp file: %v", err)
}
defer f.Close()
if err = RNew.LoadJSON(f); err != nil {
t.Fatalf("unable to load from json file, err:%v", err)
}
if !RNew.IsGranted(adminRole.ID, usersPerm, crudActions...) {
t.Fatalf("sysAdmin role should have all crud actions granted")
}
R2 := R.Clone(false)
if err = json.Unmarshal(b, R2); err != nil {
t.Fatalf("rback unmarshall failed with %v", err)
}
if len(R.Roles()) != len(R2.Roles()) {
t.Fatalf("role counts differ, expected %d, got %d", len(R.Roles()), len(R2.Roles()))
}
if !R2.IsGranted(adminRole.ID, usersPerm, crudActions...) {
t.Fatalf("loaded admin role should have all crud actions granted")
}
aPerms := R2.GetAllPermissions([]string{adminRole.ID})
if us, ok := aPerms[usersPerm.ID]; !ok {
t.Fatalf("users permission must exit in all perms of sysAdmin role(inherited)")
} else {
found := false
for _, a := range us {
if a == Delete {
found = true
break
}
}
if !found {
t.Fatalf("Delete action is missing in users permission for all permissions of sysAdmin role(inherited)")
}
}
sPerms := R2.GetAllPermissions([]string{sysAdminRole.ID})
if us, ok := sPerms[usersPerm.ID]; !ok {
t.Fatalf("users permission must exit in all perms of admin role")
} else {
found := false
for _, a := range us {
if a == Delete {
found = true
break
}
}
if !found {
t.Fatalf("Delete action is missing in users permission for all permissions of admin role")
}
}
if R2.RemoveRole(sysAdminRole.ID); err != nil {
t.Fatalf("removing role failed with: %v", err)
}
if R2.Revoke(adminRole.ID, usersPerm, Delete); err != nil {
t.Fatalf("removing perm from role failed with: %v", err)
}
if !hasAction(usersPerm.Actions(), Delete) {
t.Fatalf("perm should have delete action")
}
if R2.AnyGranted([]string{adminRole.ID, sysAdminRole.ID}, usersPerm, Delete) {
t.Fatalf("roles should not have users.delete")
}
if R2.AllGranted([]string{adminRole.ID, sysAdminRole.ID}, usersPerm, Create) {
t.Fatalf("roles should have users.create")
}
// Test Remove parent.
if !adminRole.HasParent(viewerRole.ID) {
t.Fatal("viewerRole should be a parent of adminRole.")
}
if R.RemoveRole(viewerRole.ID); err != nil {
t.Fatalf("removing role failed with: %v", err)
}
if adminRole.HasParent(viewerRole.ID) {
t.Fatal("viewerRole should no longer be a parent of adminRole.")
}
if sysAdminRole.HasAncestor(viewerRole.ID) {
t.Fatal("viewerRole should no longer be an ancestor of sysAdminRole.")
}
}
func TestDefaultLogger(t *testing.T) {
var buf bytes.Buffer
old := os.Stdout // keep backup of the real stdout
r, w, _ := os.Pipe()
os.Stdout = w
logger := NewNullLogger()
SetLogger(logger)
log.Debugf("TEST %v", 1)
log.Errorf("TEST2 %v", errors.New("test"))
outC := make(chan string)
// copy the output in a separate goroutine so printing can't block indefinitely
go func() {
io.Copy(&buf, r)
outC <- buf.String()
}()
w.Close()
os.Stdout = old // restoring the real stdout
_ = <-outC
if string(buf.Bytes()) != "" {
t.Fatalf("logger output is not compatible, expected: `%s`, got: `%s`", "", buf.Bytes())
}
}