forked from microsoft/agent-governance-toolkit
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathconflict_test.go
More file actions
90 lines (81 loc) · 2.79 KB
/
conflict_test.go
File metadata and controls
90 lines (81 loc) · 2.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
package agentmesh
import "testing"
func TestDenyOverrides(t *testing.T) {
r := &PolicyConflictResolver{Strategy: DenyOverrides}
candidates := []CandidateDecision{
{Rule: PolicyRule{Action: "data.read", Effect: Allow}, Decision: Allow},
{Rule: PolicyRule{Action: "data.read", Effect: Deny}, Decision: Deny},
}
if d := r.Resolve(candidates); d != Deny {
t.Errorf("DenyOverrides = %q, want deny", d)
}
}
func TestDenyOverridesAllAllow(t *testing.T) {
r := &PolicyConflictResolver{Strategy: DenyOverrides}
candidates := []CandidateDecision{
{Rule: PolicyRule{Action: "data.read", Effect: Allow}, Decision: Allow},
{Rule: PolicyRule{Action: "data.read", Effect: Review}, Decision: Review},
}
if d := r.Resolve(candidates); d != Allow {
t.Errorf("DenyOverrides with no deny = %q, want allow", d)
}
}
func TestAllowOverrides(t *testing.T) {
r := &PolicyConflictResolver{Strategy: AllowOverrides}
candidates := []CandidateDecision{
{Rule: PolicyRule{Action: "data.read", Effect: Deny}, Decision: Deny},
{Rule: PolicyRule{Action: "data.read", Effect: Allow}, Decision: Allow},
}
if d := r.Resolve(candidates); d != Allow {
t.Errorf("AllowOverrides = %q, want allow", d)
}
}
func TestAllowOverridesNoneAllow(t *testing.T) {
r := &PolicyConflictResolver{Strategy: AllowOverrides}
candidates := []CandidateDecision{
{Rule: PolicyRule{Action: "data.read", Effect: Deny}, Decision: Deny},
{Rule: PolicyRule{Action: "data.read", Effect: Review}, Decision: Review},
}
if d := r.Resolve(candidates); d != Deny {
t.Errorf("AllowOverrides with no allow = %q, want deny", d)
}
}
func TestPriorityFirstMatch(t *testing.T) {
r := &PolicyConflictResolver{Strategy: PriorityFirstMatch}
candidates := []CandidateDecision{
{Rule: PolicyRule{Action: "data.read", Effect: Deny, Priority: 10}, Decision: Deny},
{Rule: PolicyRule{Action: "data.read", Effect: Allow, Priority: 1}, Decision: Allow},
}
if d := r.Resolve(candidates); d != Allow {
t.Errorf("PriorityFirstMatch = %q, want allow (priority 1)", d)
}
}
func TestMostSpecificWins(t *testing.T) {
r := &PolicyConflictResolver{Strategy: MostSpecificWins}
candidates := []CandidateDecision{
{
Rule: PolicyRule{Action: "*", Effect: Deny, Scope: Global},
Decision: Deny,
},
{
Rule: PolicyRule{
Action: "data.read",
Effect: Allow,
Scope: Agent,
Conditions: map[string]interface{}{"role": "admin"},
},
Decision: Allow,
},
}
if d := r.Resolve(candidates); d != Allow {
t.Errorf("MostSpecificWins = %q, want allow (more specific)", d)
}
}
func TestResolveEmptyCandidates(t *testing.T) {
r := &PolicyConflictResolver{Strategy: DenyOverrides}
if d := r.Resolve(nil); d != Deny {
t.Errorf("empty candidates = %q, want deny", d)
}
}