-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathscope_test.go
More file actions
127 lines (121 loc) · 3.44 KB
/
scope_test.go
File metadata and controls
127 lines (121 loc) · 3.44 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
// SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0
package authz
import (
"testing"
)
func TestParseScope(t *testing.T) {
tests := []struct {
name string
input string
action string
resource string
identifier string
wantErr bool
}{
{"valid specific", "read:Customers:12345", "read", "Customers", "12345", false},
{"valid wildcard", "read:Customers:*", "read", "Customers", "*", false},
{"valid admin", "admin:launch-tokens:*", "admin", "launch-tokens", "*", false},
{"missing parts", "read:Customers", "", "", "", true},
{"single part", "read", "", "", "", true},
{"empty string", "", "", "", "", true},
{"empty action", ":Customers:*", "", "", "", true},
{"empty resource", "read::*", "", "", "", true},
{"empty identifier", "read:Customers:", "", "", "", true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
action, resource, identifier, err := ParseScope(tt.input)
if tt.wantErr {
if err == nil {
t.Errorf("expected error for %q, got nil", tt.input)
}
return
}
if err != nil {
t.Fatalf("unexpected error for %q: %v", tt.input, err)
}
if action != tt.action || resource != tt.resource || identifier != tt.identifier {
t.Errorf("ParseScope(%q) = (%q, %q, %q), want (%q, %q, %q)",
tt.input, action, resource, identifier, tt.action, tt.resource, tt.identifier)
}
})
}
}
func TestScopeIsSubset(t *testing.T) {
tests := []struct {
name string
requested []string
allowed []string
want bool
}{
{
name: "exact match",
requested: []string{"read:Customers:*"},
allowed: []string{"read:Customers:*"},
want: true,
},
{
name: "wildcard covers specific",
requested: []string{"read:Customers:12345"},
allowed: []string{"read:Customers:*"},
want: true,
},
{
name: "specific does not cover wildcard",
requested: []string{"read:Customers:*"},
allowed: []string{"read:Customers:12345"},
want: false,
},
{
name: "different action",
requested: []string{"write:Customers:*"},
allowed: []string{"read:Customers:*"},
want: false,
},
{
name: "different resource",
requested: []string{"read:Orders:*"},
allowed: []string{"read:Customers:*"},
want: false,
},
{
name: "multiple requested all covered",
requested: []string{"read:Customers:12345", "read:Customers:67890"},
allowed: []string{"read:Customers:*"},
want: true,
},
{
name: "multiple requested one not covered",
requested: []string{"read:Customers:12345", "write:Customers:*"},
allowed: []string{"read:Customers:*"},
want: false,
},
{
name: "multiple allowed scopes",
requested: []string{"read:Customers:12345", "write:Orders:*"},
allowed: []string{"read:Customers:*", "write:Orders:*"},
want: true,
},
{
name: "empty requested is subset",
requested: []string{},
allowed: []string{"read:Customers:*"},
want: true,
},
{
name: "admin scope exact",
requested: []string{"admin:launch-tokens:*"},
allowed: []string{"admin:launch-tokens:*", "admin:revoke:*", "admin:audit:*"},
want: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := ScopeIsSubset(tt.requested, tt.allowed)
if got != tt.want {
t.Errorf("ScopeIsSubset(%v, %v) = %v, want %v",
tt.requested, tt.allowed, got, tt.want)
}
})
}
}