@@ -2,20 +2,13 @@ package authz_test
22
33import (
44 "context"
5- "errors"
65 "testing"
76
87 "github.com/google/go-cmp/cmp"
9- "github.com/nais/api/internal/auth/authz/authzsql"
10- "github.com/nais/api/internal/slug"
8+ "github.com/nais/api/internal/auth/authz"
119 "github.com/nais/api/internal/user"
1210)
1311
14- const (
15- authTeamCreateError = `required authorization: "teams:create"`
16- authTeamUpdateError = `required authorization: "teams:metadata:update"`
17- )
18-
1912func TestContextWithUser (t * testing.T ) {
2013 ctx := context .Background ()
2114 if authz .ActorFromContext (ctx ) != nil {
@@ -41,108 +34,3 @@ func TestContextWithUser(t *testing.T) {
4134 t .Errorf ("diff: -want +got\n %s" , diff )
4235 }
4336}
44-
45- func TestRequireGlobalAuthorization (t * testing.T ) {
46- u := & user.User {
47- Name : "User Name" ,
48-
49- }
50-
51- t .Run ("Nil user" , func (t * testing.T ) {
52- if ! errors .Is (authz .RequireGlobalAuthorization (nil , authz .AuthorizationTeamsCreate ), authz .ErrNotAuthenticated ) {
53- t .Fatal ("RequireGlobalAuthorization(ctx): expected ErrNotAuthenticated" )
54- }
55- })
56-
57- t .Run ("User with no roles" , func (t * testing.T ) {
58- contextUser := authz .ActorFromContext (authz .ContextWithActor (context .Background (), u , []* authz.Role {}))
59- if authz .RequireGlobalAuthorization (contextUser , authz .AuthorizationTeamsCreate ).Error () != authTeamCreateError {
60- t .Fatalf ("RequireGlobalAuthorization(ctx): expected error text to match %q" , authTeamCreateError )
61- }
62- })
63-
64- t .Run ("User with insufficient roles" , func (t * testing.T ) {
65- userRoles := []* authz.Role {{Name : authzsql .RoleNameTeamviewer }}
66- contextUser := authz .ActorFromContext (authz .ContextWithActor (context .Background (), u , userRoles ))
67- if authz .RequireGlobalAuthorization (contextUser , authz .AuthorizationTeamsCreate ).Error () != authTeamCreateError {
68- t .Fatalf ("RequireGlobalAuthorization(ctx): expected error text to match %q" , authTeamCreateError )
69- }
70- })
71-
72- t .Run ("User with sufficient role" , func (t * testing.T ) {
73- userRoles := []* authz.Role {{Name : authzsql .RoleNameTeamcreator }}
74- contextUser := authz .ActorFromContext (authz .ContextWithActor (context .Background (), u , userRoles ))
75- if authz .RequireGlobalAuthorization (contextUser , authz .AuthorizationTeamsCreate ) != nil {
76- t .Fatal ("RequireGlobalAuthorization(ctx): expected nil error" )
77- }
78- })
79- }
80-
81- func TestRequireAuthorizationForTeamTarget (t * testing.T ) {
82- u := & user.User {
83- Name : "User Name" ,
84-
85- }
86- targetTeamSlug := slug .Slug ("slug" )
87-
88- t .Run ("Nil user" , func (t * testing.T ) {
89- if ! errors .Is (authz .RequireTeamAuthorization (nil , authz .AuthorizationTeamsCreate , targetTeamSlug ), authz .ErrNotAuthenticated ) {
90- t .Fatal ("RequireTeamAuthorization(ctx): expected ErrNotAuthenticated" )
91- }
92- })
93-
94- t .Run ("User with no roles" , func (t * testing.T ) {
95- contextUser := authz .ActorFromContext (authz .ContextWithActor (context .Background (), u , []* authz.Role {}))
96- if authz .RequireTeamAuthorization (contextUser , authz .AuthorizationTeamsCreate , targetTeamSlug ).Error () != authTeamCreateError {
97- t .Fatalf ("RequireTeamAuthorization(ctx): expected error text to match %q" , authTeamCreateError )
98- }
99- })
100-
101- t .Run ("User with insufficient roles" , func (t * testing.T ) {
102- userRoles := []* authz.Role {{Name : authzsql .RoleNameTeamviewer }}
103- contextUser := authz .ActorFromContext (authz .ContextWithActor (context .Background (), u , userRoles ))
104- err := authz .RequireTeamAuthorization (contextUser , authz .AuthorizationTeamsMetadataUpdate , targetTeamSlug )
105- if err .Error () != authTeamUpdateError {
106- t .Fatalf ("RequireTeamAuthorization(ctx): expected error text to match %q" , authTeamUpdateError )
107- }
108- })
109-
110- t .Run ("User with targeted role" , func (t * testing.T ) {
111- userRoles := []* authz.Role {
112- {
113- Name : authzsql .RoleNameTeamowner ,
114- TargetTeamSlug : & targetTeamSlug ,
115- },
116- }
117- contextUser := authz .ActorFromContext (authz .ContextWithActor (context .Background (), u , userRoles ))
118- if authz .RequireTeamAuthorization (contextUser , authz .AuthorizationTeamsMetadataUpdate , targetTeamSlug ) != nil {
119- t .Fatal ("RequireTeamAuthorization(ctx): expected nil error" )
120- }
121- })
122-
123- t .Run ("User with targeted role for wrong target" , func (t * testing.T ) {
124- wrongSlug := slug .Slug ("other-team" )
125- userRoles := []* authz.Role {
126- {
127- Name : authzsql .RoleNameTeamowner ,
128- TargetTeamSlug : & wrongSlug ,
129- },
130- }
131- contextUser := authz .ActorFromContext (authz .ContextWithActor (context .Background (), u , userRoles ))
132- if authz .RequireTeamAuthorization (contextUser , authz .AuthorizationTeamsMetadataUpdate , targetTeamSlug ).Error () != authTeamUpdateError {
133- t .Fatalf ("RequireTeamAuthorization(ctx): expected error text to match %q" , authTeamUpdateError )
134- }
135- })
136-
137- t .Run ("User with global role" , func (t * testing.T ) {
138- userRoles := []* authz.Role {
139- {
140- Name : authzsql .RoleNameAdmin ,
141- },
142- }
143- contextUser := authz .ActorFromContext (authz .ContextWithActor (context .Background (), u , userRoles ))
144- if authz .RequireTeamAuthorization (contextUser , authz .AuthorizationTeamsMetadataUpdate , targetTeamSlug ) != nil {
145- t .Fatal ("RequireTeamAuthorization(ctx): expected nil error" )
146- }
147- })
148- }
0 commit comments