diff options
| author | mo khan <mo@mokhan.ca> | 2025-04-02 13:32:22 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-04-02 13:32:22 -0600 |
| commit | 894e270ab5a15de2b664cc6f4ee6fd8369985f75 (patch) | |
| tree | d778e426fcd1666dd35d978215434103e78acee8 /pkg/rpc | |
| parent | 2a37de4a34552feac221771278236fb23f8e83c0 (diff) | |
refactor: combine cedar policies and add tests
Diffstat (limited to 'pkg/rpc')
| -rw-r--r-- | pkg/rpc/ability_service.go | 7 | ||||
| -rw-r--r-- | pkg/rpc/server_test.go | 10 |
2 files changed, 9 insertions, 8 deletions
diff --git a/pkg/rpc/ability_service.go b/pkg/rpc/ability_service.go index bf299da9..18327d52 100644 --- a/pkg/rpc/ability_service.go +++ b/pkg/rpc/ability_service.go @@ -4,6 +4,7 @@ import ( context "context" "github.com/cedar-policy/cedar-go" + "gitlab.com/mokhax/spike/pkg/gid" "gitlab.com/mokhax/spike/pkg/policies" ) @@ -17,9 +18,9 @@ func NewAbilityService() *AbilityService { func (h *AbilityService) Allowed(ctx context.Context, req *AllowRequest) (*AllowReply, error) { ok := policies.Allowed(cedar.Request{ - Principal: cedar.NewEntityUID("User", cedar.String(req.Subject)), - Action: cedar.NewEntityUID("Action", cedar.String(req.Permission)), - Resource: cedar.NewEntityUID("Album", cedar.String(req.Resource)), + Principal: gid.NewEntityUID(req.Subject), + Action: cedar.NewEntityUID("Permission", cedar.String(req.Permission)), + Resource: gid.NewEntityUID(req.Resource), Context: cedar.NewRecord(cedar.RecordMap{}), }) return &AllowReply{Result: ok}, nil diff --git a/pkg/rpc/server_test.go b/pkg/rpc/server_test.go index 0871173b..66a177d5 100644 --- a/pkg/rpc/server_test.go +++ b/pkg/rpc/server_test.go @@ -31,7 +31,7 @@ func TestServer(t *testing.T) { defer connection.Close() client := NewAbilityClient(connection) - t.Run("returns false", func(t *testing.T) { + t.Run("forbids", func(t *testing.T) { reply, err := client.Allowed(t.Context(), &AllowRequest{ Subject: "", Permission: "", @@ -41,17 +41,17 @@ func TestServer(t *testing.T) { assert.False(t, reply.Result) }) - t.Run("returns true for alice:view:jane_vacation", func(t *testing.T) { + t.Run("allows alice:view:jane_vacation", func(t *testing.T) { reply, err := client.Allowed(t.Context(), &AllowRequest{ - Subject: "alice", + Subject: "gid://User/alice", Permission: "view", - Resource: "jane_vacation", + Resource: "gid://Album/jane_vacation", }) require.NoError(t, err) assert.True(t, reply.Result) }) - t.Run("returns gid://User/1:read:gid://Organization/2", func(t *testing.T) { + t.Run("allows gid://User/1 read gid://Organization/2", func(t *testing.T) { reply, err := client.Allowed(t.Context(), &AllowRequest{ Subject: "gid://User/1", Permission: "read", |