mirror of https://github.com/veypi/OneAuth.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
152 lines
4.6 KiB
Go
152 lines
4.6 KiB
Go
package tests
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/veypi/vbase/auth"
|
|
)
|
|
|
|
func TestScopedAuth(t *testing.T) {
|
|
ensureUsers(t)
|
|
|
|
ctx := context.Background()
|
|
|
|
// 1. Test Scoped Permission Assignment
|
|
t.Run("Scoped Permission Assignment", func(t *testing.T) {
|
|
scope := "test_scope_1"
|
|
testAuth := auth.Factory.New(scope)
|
|
|
|
// Grant 'resource:read' to User1 in test_scope
|
|
permID := "resource:read"
|
|
level := auth.LevelRead
|
|
|
|
if err := testAuth.Grant(ctx, User1ID, permID, level); err != nil {
|
|
t.Fatalf("Failed to grant permission: %v", err)
|
|
}
|
|
|
|
// Verify Check within the same scope
|
|
if !testAuth.Check(ctx, User1ID, permID, level) {
|
|
t.Errorf("Expected User1 to have %s in %s scope", permID, scope)
|
|
}
|
|
|
|
// Verify Check in global VBaseAuth scope (should be false)
|
|
if auth.VBaseAuth.Check(ctx, User1ID, permID, level) {
|
|
t.Errorf("Expected User1 NOT to have %s in 'vb' scope", permID)
|
|
}
|
|
})
|
|
|
|
// 2. Test Hierarchy (Admin Inheritance vs Normal Strictness)
|
|
t.Run("Hierarchy Checks", func(t *testing.T) {
|
|
scope := "test_scope_2"
|
|
testAuth := auth.Factory.New(scope)
|
|
|
|
// Case A: Normal Level (Read) - Exact Match Only
|
|
// Grant "project:p1" (Read)
|
|
if err := testAuth.Grant(ctx, User1ID, "project:p1", auth.LevelRead); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Check Exact Match -> Should Pass
|
|
if !testAuth.Check(ctx, User1ID, "project:p1", auth.LevelRead) {
|
|
t.Error("Exact match 'project:p1' failed")
|
|
}
|
|
|
|
// Check Child "project:p1:task:t1" -> Should Fail (Normal levels don't inherit downwards)
|
|
if testAuth.Check(ctx, User1ID, "project:p1:task:t1", auth.LevelRead) {
|
|
t.Error("Normal level 'project:p1' should NOT imply 'project:p1:task:t1'")
|
|
}
|
|
|
|
// Case B: Admin Level - Downward Inheritance
|
|
// Grant "org:o1" (Admin)
|
|
if err := testAuth.Grant(ctx, User1ID, "org:o1", auth.LevelAdmin); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Check Child "org:o1:project:p2" -> Should Pass
|
|
if !testAuth.Check(ctx, User1ID, "org:o1:project:p2", auth.LevelRead) {
|
|
t.Error("Admin level 'org:o1' SHOULD imply 'org:o1:project:p2'")
|
|
}
|
|
|
|
// Check Wildcard "*" (Admin)
|
|
if err := testAuth.Grant(ctx, User1ID, "*", auth.LevelAdmin); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
// Should have access to everything
|
|
if !testAuth.Check(ctx, User1ID, "anything:anywhere", auth.LevelAdmin) {
|
|
t.Error("Wildcard '*' should grant access to everything")
|
|
}
|
|
})
|
|
|
|
// 3. Test ListResources
|
|
t.Run("ListResources", func(t *testing.T) {
|
|
scope := "test_scope_3"
|
|
testAuth := auth.Factory.New(scope)
|
|
|
|
// Setup:
|
|
// User1 has:
|
|
// - project:p1 (Read)
|
|
// - project:p2:task:t1 (Write) -> Should imply project:p2 (Read)
|
|
// - project:p3 (Admin)
|
|
|
|
testAuth.Grant(ctx, User1ID, "project:p1", auth.LevelRead)
|
|
testAuth.Grant(ctx, User1ID, "project:p2:task:t1", auth.LevelWrite)
|
|
testAuth.Grant(ctx, User1ID, "project:p3", auth.LevelAdmin)
|
|
|
|
resources, err := testAuth.ListResources(ctx, User1ID, "project")
|
|
if err != nil {
|
|
t.Fatalf("ListResources failed: %v", err)
|
|
}
|
|
|
|
// Check p1
|
|
if l, ok := resources["p1"]; !ok || l != auth.LevelRead {
|
|
t.Errorf("Expected p1: %d, got %v", auth.LevelRead, l)
|
|
}
|
|
|
|
// Check p2 (Implication from child)
|
|
if l, ok := resources["p2"]; !ok || l != auth.LevelRead {
|
|
t.Errorf("Expected p2: %d (implied read), got %v", auth.LevelRead, l)
|
|
}
|
|
|
|
// Check p3
|
|
if l, ok := resources["p3"]; !ok || l != auth.LevelAdmin {
|
|
t.Errorf("Expected p3: %d, got %v", auth.LevelAdmin, l)
|
|
}
|
|
})
|
|
|
|
// 4. Test ListUsers
|
|
t.Run("ListUsers", func(t *testing.T) {
|
|
scope := "test_scope_4"
|
|
testAuth := auth.Factory.New(scope)
|
|
|
|
// Setup:
|
|
// User1 has group:g1:project:p1 (Read)
|
|
// User2 has group:g1:project:p1 (Admin)
|
|
// User3 has group:g1 (Admin) -> Parent Admin (Valid even depth)
|
|
// User4 has group:g1:project:p1:task:t1 (Read) -> Child
|
|
|
|
testAuth.Grant(ctx, User1ID, "group:g1:project:p1", auth.LevelRead)
|
|
testAuth.Grant(ctx, User2ID, "group:g1:project:p1", auth.LevelAdmin)
|
|
testAuth.Grant(ctx, AdminID, "group:g1", auth.LevelAdmin) // Parent (depth 2)
|
|
testAuth.Grant(ctx, "user4", "group:g1:project:p1:task:t1", auth.LevelRead)
|
|
|
|
users, err := testAuth.ListUsers(ctx, "group:g1:project:p1")
|
|
if err != nil {
|
|
t.Fatalf("ListUsers failed: %v", err)
|
|
}
|
|
|
|
if users[User1ID] != auth.LevelRead {
|
|
t.Errorf("Expected User1: Read, got %v", users[User1ID])
|
|
}
|
|
if users[User2ID] != auth.LevelAdmin {
|
|
t.Errorf("Expected User2: Admin, got %v", users[User2ID])
|
|
}
|
|
if users[AdminID] != auth.LevelAdmin {
|
|
t.Errorf("Expected Admin: Admin (inherited), got %v", users[AdminID])
|
|
}
|
|
if _, ok := users["user4"]; ok {
|
|
t.Error("User4 should NOT appear in ListUsers('group:g1:project:p1')")
|
|
}
|
|
})
|
|
}
|