samples-server/extensibility/authorizer/myAuthorizer_test.go at main · temporalio/samples-server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
package authorizer

import (
	"context"
	"testing"

	"go.temporal.io/server/common/authorization"
)

func TestMyAuthorizer(t *testing.T) {
	a := NewMyAuthorizer()
	ctx := context.Background()

	tests := []struct {
		name     string
		claims   *authorization.Claims
		target   *authorization.CallTarget
		decision authorization.Decision
	}{
		{
			name:     "allow temporal-system namespace",
			claims:   nil,
			target:   &authorization.CallTarget{Namespace: "temporal-system", APIName: "UpdateNamespace"},
			decision: authorization.DecisionAllow,
		},
		{
			name:     "allow system admin",
			claims:   &authorization.Claims{System: authorization.RoleAdmin},
			target:   &authorization.CallTarget{Namespace: "test", APIName: "UpdateNamespace"},
			decision: authorization.DecisionAllow,
		},
		{
			name:     "deny UpdateNamespace without claims",
			claims:   nil,
			target:   &authorization.CallTarget{Namespace: "test", APIName: "UpdateNamespace"},
			decision: authorization.DecisionDeny,
		},
		{
			name:     "deny UpdateNamespace with reader role",
			claims:   &authorization.Claims{Namespaces: map[string]authorization.Role{"test": authorization.RoleReader}},
			target:   &authorization.CallTarget{Namespace: "test", APIName: "UpdateNamespace"},
			decision: authorization.DecisionDeny,
		},
		{
			name:     "allow UpdateNamespace with namespace writer role",
			claims:   &authorization.Claims{Namespaces: map[string]authorization.Role{"test": authorization.RoleWriter}},
			target:   &authorization.CallTarget{Namespace: "test", APIName: "UpdateNamespace"},
			decision: authorization.DecisionAllow,
		},
		{
			name:     "allow other calls without claims",
			claims:   nil,
			target:   &authorization.CallTarget{Namespace: "test", APIName: "ListNamespaces"},
			decision: authorization.DecisionAllow,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			result, err := a.Authorize(ctx, tt.claims, tt.target)
			if err != nil {
				t.Fatalf("unexpected error: %v", err)
			}
			if result.Decision != tt.decision {
				t.Fatalf("expected %v, got %v", tt.decision, result.Decision)
			}
		})
	}
}