diff options
| author | mo khan <mo@mokhan.ca> | 2025-07-10 17:49:29 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-10 17:49:29 -0600 |
| commit | ef572ae666732e87a35417710669ce88233a754a (patch) | |
| tree | 3cc32004dee9600014417d404dbe01ac0e1faca9 /tests | |
| parent | 8417a15087cc6f42c77fe070011ac2207f8d852d (diff) | |
| parent | 6721aaffa33894624c87a54f4ed10eccd3c080e5 (diff) | |
Merge branch 'entities' into 'main'
Use a static ACL file(s) to make authorization decisions
See merge request gitlab-org/software-supply-chain-security/authorization/authzd!6
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/authorization/cedar_authorizer_test.rs | 132 | ||||
| -rw-r--r-- | tests/authorization/check_service_test.rs | 131 | ||||
| -rw-r--r-- | tests/support/common.rs | 12 | ||||
| -rw-r--r-- | tests/support/factory_bot.rs | 20 | ||||
| -rw-r--r-- | tests/support/mod.rs | 1 |
5 files changed, 148 insertions, 148 deletions
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 490a0107..f056c8c7 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -1,34 +1,18 @@ #[cfg(test)] mod tests { use crate::support::factory_bot::*; + use crate::support::*; use authzd::Authorizer; use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; use std::collections::HashMap; fn subject() -> authzd::CedarAuthorizer { - build_cedar_authorizer() + common::setup(); + subject_with(cedar_policy::Entities::empty()) } - #[test] - fn test_cedar_authorizer_allows_valid_token() { - assert!(subject().authorize(build_request(|item: &mut HttpRequest| { - item.headers = build_headers(vec![( - "authorization".to_string(), - "Bearer valid-token".to_string(), - )]); - }))); - } - - #[test] - fn test_cedar_authorizer_denies_invalid_token() { - assert!( - !subject().authorize(build_request(|item: &mut HttpRequest| { - item.headers = build_headers(vec![( - "authorization".to_string(), - "Bearer invalid-token".to_string(), - )]); - })) - ); + fn subject_with(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer { + build_cedar_authorizer(entities) } #[test] @@ -41,38 +25,90 @@ mod tests { } #[test] - fn test_cedar_authorizer_allows_static_assets() { - assert!(subject().authorize(build_request(|item: &mut HttpRequest| { - let method = String::from("GET"); - let host = String::from("sparkle.staging.runway.gitlab.net"); - let path = "/public/style.css"; + fn test_unauthenticated_sparkle_endpoints() { + let hosts = vec![ + "localhost:10000", + "sparkle.runway.gitlab.net", + "sparkle.staging.runway.gitlab.net", + ]; - item.method = method.clone(); - item.path = path.to_string(); - item.host = host.to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method), - (String::from(":authority"), host), - ]); - }))); + let routes = vec![ + ("GET", "/", true), + ("GET", "/callback", true), + ("GET", "/dashboard/nav", true), + ("GET", "/health", true), + ("GET", "/signout", true), + ("GET", "/sparkles", true), + ("POST", "/sparkles/restore", true), + ("GET", "/dashboard", false), + ("POST", "/sparkles", false), + ]; + + let authorizer = subject(); + for host in hosts { + for (method, path, expected) in &routes { + let request = build_request(|item: &mut HttpRequest| { + item.method = method.to_string(); + item.path = path.to_string(); + item.host = host.to_string(); + item.headers = build_headers(vec![ + (String::from(":path"), path.to_string()), + (String::from(":method"), method.to_string()), + (String::from(":authority"), host.to_string()), + ]); + }); + + assert_eq!( + authorizer.authorize(request), + *expected, + "{} {}", + method, + path + ); + } + } } + // TODO:: Add entities to represent access to: + // * list of sparkles: `:read, gid://sparkle/Sparkle/*` + // * single sparkle: `:read, gid://sparkle/Sparkle/:id` + // * create sparkle: `:create, gid://sparkle/Sparkle/*` + // * update sparkles: `:update, gid://sparkle/Sparkle/*` + // * update single sparkle: `:update, gid://sparkle/Sparkle/:id` + // * delete sparkles: `:delete, gid://sparkle/Sparkle/*` + // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id` #[test] - fn test_cedar_authorizer_allows_js_assets() { - assert!(subject().authorize(build_request(|item: &mut HttpRequest| { - let method = String::from("GET"); - let host = String::from("sparkle.staging.runway.gitlab.net"); - let path = "/app.js"; - - item.method = method.clone(); - item.path = path.to_string(); - item.host = host.to_string(); + fn test_authenticated_create_sparkle() { + let request = build_request(|item: &mut HttpRequest| { + item.method = "POST".to_string(); + item.path = "/sparkles".to_string(); + item.host = "sparkle.staging.runway.gitlab.net".to_string(); item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method), - (String::from(":authority"), host), + (String::from(":path"), item.path.to_string()), + (String::from(":method"), item.method.to_string()), + (String::from(":authority"), item.host.to_string()), + (String::from("x-jwt-claim-sub"), "1675940".to_string()), ]); - }))); + }); + + let mut attrs = std::collections::HashMap::new(); + attrs.insert( + "username".to_string(), + cedar_policy::RestrictedExpression::new_string("tanuki".to_string()), + ); + let user = build_user("1675940", attrs); + let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); + let authorizer = subject_with(entities); + assert!(authorizer.authorize(request.clone())); + + let mut attrs = std::collections::HashMap::new(); + attrs.insert( + "username".to_string(), + cedar_policy::RestrictedExpression::new_string("root".to_string()), + ); + let user = build_user("1", attrs); + let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); + let authorizer = subject_with(entities); + assert!(!authorizer.authorize(request.clone())); } } diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index c5c824fc..3db0ec9e 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -4,38 +4,17 @@ mod tests { use authzd::CheckService; use envoy_types::ext_authz::v3::pb::Authorization; use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; - use std::collections::HashMap; use std::sync::Arc; fn subject() -> CheckService { - CheckService::new(Arc::new(build_cedar_authorizer())) + CheckService::new(Arc::new(build_cedar_authorizer( + cedar_policy::Entities::empty(), + ))) } #[tokio::test] - async fn test_check_allows_valid_bearer_token() { - let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - item.path = String::from("/"); - item.headers = build_headers(vec![( - "authorization".to_string(), - format!("Bearer {}", String::from("valid-token")), - )]) - })); - - let response = subject().check(request).await; - assert!(response.is_ok()); - - let check_response = response.unwrap().into_inner(); - assert!(check_response.status.is_some()); - - let status = check_response.status.unwrap(); - assert_eq!(tonic::Code::from_i32(status.code), tonic::Code::Ok); - } - - #[tokio::test] - async fn test_check_denies_invalid_bearer_token() { - let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - item.headers = HashMap::new(); - })); + async fn test_no_headers() { + let request = tonic::Request::new(build_request(|_http| {})); let response = subject().check(request).await; assert!(response.is_ok()); @@ -52,27 +31,31 @@ mod tests { #[tokio::test] async fn test_static_assets() { - let static_paths = vec![ - "app.js", - "favicon.ico", - "image.jpg", - "index.html", - "logo.png", - "style.css", + let routes = vec![ + ("GET", "/app.js", tonic::Code::Ok), + ("GET", "/application.js", tonic::Code::Ok), + ("GET", "/favicon.ico", tonic::Code::Ok), + ("GET", "/favicon.png", tonic::Code::Ok), + ("GET", "/image.jpg", tonic::Code::Ok), + ("GET", "/assets/image.jpg", tonic::Code::Ok), + ("GET", "/assets/style.css", tonic::Code::Ok), + ("GET", "/assets/application.js", tonic::Code::Ok), + ("GET", "/htmx.js", tonic::Code::Ok), + ("GET", "/index.html", tonic::Code::Ok), + ("GET", "/logo.png", tonic::Code::Ok), + ("GET", "/pico.min.css", tonic::Code::Ok), + ("GET", "/vue.global.js", tonic::Code::Ok), ]; - for path in static_paths { + for (method, path, expected_status_code) in &routes { let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - let method = String::from("GET"); - let host = String::from("sparkle.staging.runway.gitlab.net"); - - item.method = method.clone(); + item.method = method.to_string(); item.path = path.to_string(); - item.host = host.to_string(); + item.host = "localhost:3000".to_string(); item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method), - (String::from(":authority"), host), + (String::from(":path"), item.path.to_string()), + (String::from(":method"), item.method.to_string()), + (String::from(":authority"), item.host.to_string()), ]); })); @@ -83,58 +66,12 @@ mod tests { assert!(check_response.status.is_some()); let status = check_response.status.unwrap(); - assert_eq!(tonic::Code::from_i32(status.code), tonic::Code::Ok); - } - } - - #[tokio::test] - async fn test_no_headers() { - let request = tonic::Request::new(build_request(|_http| {})); - - let response = subject().check(request).await; - assert!(response.is_ok()); - - let check_response = response.unwrap().into_inner(); - assert!(check_response.status.is_some()); - - let status = check_response.status.unwrap(); - assert_eq!( - tonic::Code::from_i32(status.code), - tonic::Code::Unauthenticated - ); - } - - #[tokio::test] - async fn test_table() { - let test_cases = vec![ - ("Bearer valid-token", tonic::Code::Ok), - ("Bearer invalid-token", tonic::Code::Unauthenticated), - ("Basic valid-token", tonic::Code::Unauthenticated), - ("", tonic::Code::Unauthenticated), - ]; - - for (auth_value, expected_status_code) in test_cases { - let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - item.headers = - build_headers(vec![("authorization".to_string(), auth_value.to_string())]); - })); - - let response = subject().check(request).await; - assert!(response.is_ok()); - - let check_response = response.unwrap().into_inner(); - let status = check_response.status.unwrap(); - - assert_eq!(tonic::Code::from_i32(status.code), expected_status_code); + assert_eq!(tonic::Code::from_i32(status.code), *expected_status_code); } } #[tokio::test] async fn test_public_sparkle_endpoints() { - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "POST", Path: "/sparkles", Headers: loggedInHeaders}}, - // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}}, - let hosts = vec![ "localhost:10000", "sparkle.runway.gitlab.net", @@ -143,19 +80,11 @@ mod tests { let routes = vec![ ("GET", "/", tonic::Code::Ok), - ("GET", "/application.js", tonic::Code::Ok), ("GET", "/callback", tonic::Code::Ok), ("GET", "/dashboard/nav", tonic::Code::Ok), - ("GET", "/favicon.ico", tonic::Code::Ok), - ("GET", "/favicon.png", tonic::Code::Ok), ("GET", "/health", tonic::Code::Ok), - ("GET", "/htmx.js", tonic::Code::Ok), - ("GET", "/index.html", tonic::Code::Ok), - ("GET", "/logo.png", tonic::Code::Ok), - ("GET", "/pico.min.css", tonic::Code::Ok), ("GET", "/signout", tonic::Code::Ok), ("GET", "/sparkles", tonic::Code::Ok), - ("GET", "/vue.global.js", tonic::Code::Ok), ("POST", "/sparkles/restore", tonic::Code::Ok), ("GET", "/dashboard", tonic::Code::Unauthenticated), ("POST", "/sparkles", tonic::Code::Unauthenticated), @@ -181,7 +110,13 @@ mod tests { assert!(check_response.status.is_some()); let status = check_response.status.unwrap(); - assert_eq!(tonic::Code::from_i32(status.code), *expected_status_code); + assert_eq!( + tonic::Code::from_i32(status.code), + *expected_status_code, + "{} {}", + method, + path + ); } } } diff --git a/tests/support/common.rs b/tests/support/common.rs new file mode 100644 index 00000000..8db5c52b --- /dev/null +++ b/tests/support/common.rs @@ -0,0 +1,12 @@ +use std::sync::Once; + +static INIT: Once = Once::new(); + +pub fn setup() { + INIT.call_once(|| { + tracing_subscriber::fmt() + .with_test_writer() + .with_max_level(tracing::Level::WARN) + .init(); + }); +} diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs index 007f0cb7..ba0d9c38 100644 --- a/tests/support/factory_bot.rs +++ b/tests/support/factory_bot.rs @@ -3,6 +3,7 @@ use envoy_types::pb::envoy::service::auth::v3::AttributeContext; use envoy_types::pb::envoy::service::auth::v3::attribute_context::{HttpRequest, Request}; use std::collections::HashMap; use std::net::SocketAddr; +use std::str::FromStr; use tonic::transport::Channel; #[allow(dead_code)] @@ -36,10 +37,10 @@ pub fn build_headers(headers: Vec<(String, String)>) -> HashMap<String, String> }) } -pub fn build_cedar_authorizer() -> authzd::CedarAuthorizer { +pub fn build_cedar_authorizer(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer { let realpath = std::fs::canonicalize("./etc/authzd").unwrap(); let path = realpath.as_path(); - authzd::CedarAuthorizer::new_from(path, cedar_policy::Entities::empty()) + authzd::CedarAuthorizer::new_from(path, entities) } pub async fn build_channel(addr: SocketAddr) -> Channel { @@ -56,3 +57,18 @@ where { f(build_channel(addr).await) } + +pub fn build_user( + id: &str, + attrs: std::collections::HashMap<String, cedar_policy::RestrictedExpression>, +) -> cedar_policy::Entity { + cedar_policy::Entity::new( + cedar_policy::EntityUid::from_type_name_and_id( + cedar_policy::EntityTypeName::from_str("User").unwrap(), + cedar_policy::EntityId::from_str(id).unwrap(), + ), + attrs, + std::collections::HashSet::new(), + ) + .unwrap() +} diff --git a/tests/support/mod.rs b/tests/support/mod.rs index 5e2a6d78..c46f39e5 100644 --- a/tests/support/mod.rs +++ b/tests/support/mod.rs @@ -1 +1,2 @@ +pub mod common; pub mod factory_bot; |