add rbac tests

parseablehq · Oct 26, 2023 · f33019d · f33019d
1 parent 9face7d
commit f33019d
Show file tree

Hide file tree

Showing 3 changed files with 109 additions and 6 deletions.
diff --git a/model.go b/model.go
@@ -368,6 +368,6 @@ func RoleReader(stream string) string {
 	return fmt.Sprintf(`[{"privilege": "reader", "resource": {"stream": "%s", "tag": null}}]`, stream)
 }
 
-func RoleIngestor(stream string) string {
+func RoleIngester(stream string) string {
 	return fmt.Sprintf(`[{"privilege": "ingest", "resource": {"stream": "%s"}}]`, stream)
 }
diff --git a/quest_test.go b/quest_test.go
@@ -129,8 +129,45 @@ func TestSmokeGetRetention(t *testing.T) {
 	require.JSONEq(t, RetentionBody, body, "Get retention response doesn't match with retention config returned")
 }
 
+// This test calls all the User API endpoints
+// in a sequence to check if they work as expected.
+func TestSmoke_AllUsersAPI(t *testing.T) {
+	CreateRole(t, NewGlob.Client, "dummyrole", dummyRole)
+	AssertRole(t, NewGlob.Client, "dummyrole", dummyRole)
+
+	CreateUser(t, NewGlob.Client, "dummyuser")
+	AssignRolesToUser(t, NewGlob.Client, "dummyuser", []string{"dummyrole"})
+	AssertUserRole(t, NewGlob.Client, "dummyuser", "dummyrole", dummyRole)
+	RegenPassword(t, NewGlob.Client, "dummyuser")
+	DeleteUser(t, NewGlob.Client, "dummyuser")
+
+	CreateUserWithRole(t, NewGlob.Client, "dummyuser", []string{"dummyrole"})
+	AssertUserRole(t, NewGlob.Client, "dummyuser", "dummyrole", dummyRole)
+	RegenPassword(t, NewGlob.Client, "dummyuser")
+	DeleteUser(t, NewGlob.Client, "dummyuser")
+
+	DeleteRole(t, NewGlob.Client, "dummyrole")
+}
+
+// This test checks that a new user doesn't get any role by default
+// even if a default role is set.
+func TestSmoke_NewUserNoRole(t *testing.T) {
+	CreateRole(t, NewGlob.Client, "dummyrole", dummyRole)
+	SetDefaultRole(t, NewGlob.Client, "dummyrole")
+	AssertDefaultRole(t, NewGlob.Client, "dummyrole")
+
+	password := CreateUser(t, NewGlob.Client, "dummyuser")
+	userClient := NewGlob.Client
+	userClient.Username = "dummyuser"
+	userClient.Password = password
+
+	PutSingleEventExpectErr(t, userClient, NewGlob.Stream)
+
+	DeleteUser(t, NewGlob.Client, "dummyuser")
+}
+
 func TestSmokeRbacBasic(t *testing.T) {
-	SetRole(t, NewGlob.Client, "dummy", dummyRole)
+	CreateRole(t, NewGlob.Client, "dummy", dummyRole)
 	AssertRole(t, NewGlob.Client, "dummy", dummyRole)
 	CreateUserWithRole(t, NewGlob.Client, "dummy", []string{"dummy"})
 	userClient := NewGlob.Client
@@ -160,13 +197,13 @@ func TestSmokeRoles(t *testing.T) {
 		},
 		{
 			roleName: "ingest",
-			body:     RoleIngestor(NewGlob.Stream),
+			body:     RoleIngester(NewGlob.Stream),
 		},
 	}
 
 	for _, tc := range cases {
 		t.Run(tc.roleName, func(t *testing.T) {
-			SetRole(t, NewGlob.Client, tc.roleName, tc.body)
+			CreateRole(t, NewGlob.Client, tc.roleName, tc.body)
 			AssertRole(t, NewGlob.Client, tc.roleName, tc.body)
 			username := tc.roleName + "_user"
 			password := CreateUserWithRole(t, NewGlob.Client, username, []string{tc.roleName})

diff --git a/test_utils.go b/test_utils.go
@@ -90,7 +90,7 @@ func AssertStreamSchema(t *testing.T, client HTTPClient, stream string, schema s
 	require.JSONEq(t, schema, body, "Get schema response doesn't match with expected schema")
 }
 
-func SetRole(t *testing.T, client HTTPClient, name string, role string) {
+func CreateRole(t *testing.T, client HTTPClient, name string, role string) {
 	req, _ := client.NewRequest("PUT", "role/"+name, strings.NewReader(role))
 	response, err := client.Do(req)
 	require.NoErrorf(t, err, "Request failed: %s", err)
@@ -103,7 +103,16 @@ func AssertRole(t *testing.T, client HTTPClient, name string, role string) {
 	require.NoErrorf(t, err, "Request failed: %s", err)
 	body := readAsString(response.Body)
 	require.Equalf(t, 200, response.StatusCode, "Server returned http code: %s and response: %s", response.Status, body)
-	require.JSONEq(t, role, body, "Get retention response doesn't match with retention config returned")
+	require.JSONEq(t, role, body, "Get role response doesn't match with retention config returned")
+}
+
+func CreateUser(t *testing.T, client HTTPClient, user string) string {
+	req, _ := client.NewRequest("POST", "user/"+user, nil)
+	response, err := client.Do(req)
+	require.NoErrorf(t, err, "Request failed: %s", err)
+	body := readAsString(response.Body)
+	require.Equalf(t, 200, response.StatusCode, "Server returned http code: %s and response: %s", response.Status, body)
+	return body
 }
 
 func CreateUserWithRole(t *testing.T, client HTTPClient, user string, roles []string) string {
@@ -116,6 +125,24 @@ func CreateUserWithRole(t *testing.T, client HTTPClient, user string, roles []st
 	return body
 }
 
+func AssignRolesToUser(t *testing.T, client HTTPClient, user string, roles []string) {
+	payload, _ := json.Marshal(roles)
+	req, _ := client.NewRequest("PUT", "user/"+user+"/role", bytes.NewBuffer(payload))
+	response, err := client.Do(req)
+	require.NoErrorf(t, err, "Request failed: %s", err)
+	require.Equalf(t, 200, response.StatusCode, "Server returned http code: %s and response: %s", response.Status, readAsString(response.Body))
+}
+
+func AssertUserRole(t *testing.T, client HTTPClient, user string, roleName, roleBody string) {
+	req, _ := client.NewRequest("GET", "user/"+user+"/role", nil)
+	response, err := client.Do(req)
+	require.NoErrorf(t, err, "Request failed: %s", err)
+	userRoleBody := readAsString(response.Body)
+	require.Equalf(t, 200, response.StatusCode, "Server returned http code: %s and response: %s", response.Status, userRoleBody)
+	expectedRoleBody := fmt.Sprintf(`{"%s":%s}`, roleName, roleBody)
+	require.JSONEq(t, userRoleBody, expectedRoleBody, "Get user role response doesn't match with expected role")
+}
+
 func RegenPassword(t *testing.T, client HTTPClient, user string) string {
 	req, _ := client.NewRequest("POST", "user/"+user+"/generate-new-password", nil)
 	response, err := client.Do(req)
@@ -147,6 +174,45 @@ func DeleteRole(t *testing.T, client HTTPClient, roleName string) {
 	require.Equalf(t, 200, response.StatusCode, "Server returned http code: %s and response: %s", response.Status, readAsString(response.Body))
 }
 
+func SetDefaultRole(t *testing.T, client HTTPClient, roleName string) {
+	payload, _ := json.Marshal(roleName)
+	req, _ := client.NewRequest("PUT", "role/default", bytes.NewBuffer(payload))
+	response, err := client.Do(req)
+	require.NoErrorf(t, err, "Request failed: %s", err)
+	require.Equalf(t, 200, response.StatusCode, "Server returned http code: %s and response: %s", response.Status, readAsString(response.Body))
+}
+
+func AssertDefaultRole(t *testing.T, client HTTPClient, roleName string) {
+	req, _ := client.NewRequest("GET", "role/default", nil)
+	response, err := client.Do(req)
+	require.NoErrorf(t, err, "Request failed: %s", err)
+	body := readAsString(response.Body)
+	require.Equalf(t, 200, response.StatusCode, "Server returned http code: %s and response: %s", response.Status, body)
+	require.Equalf(t, roleName, body, "Get default role response doesn't match with expected role")
+}
+
+func PutSingleEventExpectErr(t *testing.T, client HTTPClient, stream string) {
+	payload := `{
+		"id": "id;objectId",
+		"maxRunDistance": "float;1;20;1",
+		"cpf": "cpf",
+		"cnpj": "cnpj",
+		"pretendSalary": "money",
+		"age": "int;20;80",
+		"gender": "gender",
+		"firstName": "firstName",
+		"lastName": "lastName",
+		"phone": "maskInt;+55 (83) 9####-####",
+		"address": "address",
+		"hairColor": "color"
+	}`
+	req, _ := client.NewRequest("POST", "logstream/"+stream, bytes.NewBufferString(payload))
+	response, err := client.Do(req)
+
+	require.Errorf(t, err, "Request passed: %s when expected to fail", err)
+	require.NotEqualf(t, 200, response.StatusCode, "Server returned http code: %s and response: %s", response.Status, readAsString(response.Body))
+}
+
 func PutSingleEvent(t *testing.T, client HTTPClient, stream string) {
 	payload := `{
 		"id": "id;objectId",