summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--etc/authzd/policy0.cedar8
-rw-r--r--tests/authorization/cedar_authorizer_test.rs70
-rw-r--r--tests/authorization/check_service_test.rs115
3 files changed, 25 insertions, 168 deletions
diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar
index 7c0aed08..bf2e705a 100644
--- a/etc/authzd/policy0.cedar
+++ b/etc/authzd/policy0.cedar
@@ -1,11 +1,3 @@
-@id("placeholder_example")
-permit (
- principal,
- action == Action::"check",
- resource
-)
-when { context has bearer_token && context.bearer_token == "valid-token" };
-
@id("static_assets")
permit (principal, action, resource)
when
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index 27b676ba..88357058 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -17,28 +17,6 @@ mod tests {
}
#[test]
- fn test_cedar_authorizer_allows_valid_token() {
- assert!(subject().authorize(build_request(|item: &mut HttpRequest| {
- item.headers = build_headers(vec![(
- "authorization".to_string(),
- "Bearer valid-token".to_string(),
- )]);
- })));
- }
-
- #[test]
- fn test_cedar_authorizer_denies_invalid_token() {
- assert!(
- !subject().authorize(build_request(|item: &mut HttpRequest| {
- item.headers = build_headers(vec![(
- "authorization".to_string(),
- "Bearer invalid-token".to_string(),
- )]);
- }))
- );
- }
-
- #[test]
fn test_cedar_authorizer_denies_missing_header() {
assert!(
!subject().authorize(build_request(|item: &mut HttpRequest| {
@@ -48,43 +26,7 @@ mod tests {
}
#[test]
- fn test_cedar_authorizer_allows_static_assets() {
- assert!(subject().authorize(build_request(|item: &mut HttpRequest| {
- let method = String::from("GET");
- let host = String::from("sparkle.staging.runway.gitlab.net");
- let path = "/public/style.css";
-
- item.method = method.clone();
- item.path = path.to_string();
- item.host = host.to_string();
- item.headers = build_headers(vec![
- (String::from(":path"), path.to_string()),
- (String::from(":method"), method),
- (String::from(":authority"), host),
- ]);
- })));
- }
-
- #[test]
- fn test_cedar_authorizer_allows_js_assets() {
- assert!(subject().authorize(build_request(|item: &mut HttpRequest| {
- let method = String::from("GET");
- let host = String::from("sparkle.staging.runway.gitlab.net");
- let path = "/app.js";
-
- item.method = method.clone();
- item.path = path.to_string();
- item.host = host.to_string();
- item.headers = build_headers(vec![
- (String::from(":path"), path.to_string()),
- (String::from(":method"), method),
- (String::from(":authority"), host),
- ]);
- })));
- }
-
- #[test]
- fn test_public_sparkle_endpoints() {
+ fn test_unauthenticated_sparkle_endpoints() {
let hosts = vec![
"localhost:10000",
"sparkle.runway.gitlab.net",
@@ -93,19 +35,11 @@ mod tests {
let routes = vec![
("GET", "/", true),
- ("GET", "/application.js", true),
("GET", "/callback", true),
("GET", "/dashboard/nav", true),
- ("GET", "/favicon.ico", true),
- ("GET", "/favicon.png", true),
("GET", "/health", true),
- ("GET", "/htmx.js", true),
- ("GET", "/index.html", true),
- ("GET", "/logo.png", true),
- ("GET", "/pico.min.css", true),
("GET", "/signout", true),
("GET", "/sparkles", true),
- ("GET", "/vue.global.js", true),
("POST", "/sparkles/restore", true),
("GET", "/dashboard", false),
("POST", "/sparkles", false),
@@ -139,7 +73,7 @@ mod tests {
// * delete sparkles: `:delete, gid://sparkle/Sparkle/*`
// * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id`
#[test]
- fn test_allow_read_sparkles() {
+ fn test_authenticated_sparkle_endpoints() {
let request = build_request(|item: &mut HttpRequest| {
item.method = "GET".to_string();
item.path = "/sparkles".to_string();
diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs
index ae8c1de5..24921846 100644
--- a/tests/authorization/check_service_test.rs
+++ b/tests/authorization/check_service_test.rs
@@ -4,7 +4,6 @@ mod tests {
use authzd::CheckService;
use envoy_types::ext_authz::v3::pb::Authorization;
use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest;
- use std::collections::HashMap;
use std::sync::Arc;
fn subject() -> CheckService {
@@ -14,30 +13,8 @@ mod tests {
}
#[tokio::test]
- async fn test_check_allows_valid_bearer_token() {
- let request = tonic::Request::new(build_request(|item: &mut HttpRequest| {
- item.path = String::from("/");
- item.headers = build_headers(vec![(
- "authorization".to_string(),
- format!("Bearer {}", String::from("valid-token")),
- )])
- }));
-
- let response = subject().check(request).await;
- assert!(response.is_ok());
-
- let check_response = response.unwrap().into_inner();
- assert!(check_response.status.is_some());
-
- let status = check_response.status.unwrap();
- assert_eq!(tonic::Code::from_i32(status.code), tonic::Code::Ok);
- }
-
- #[tokio::test]
- async fn test_check_denies_invalid_bearer_token() {
- let request = tonic::Request::new(build_request(|item: &mut HttpRequest| {
- item.headers = HashMap::new();
- }));
+ async fn test_no_headers() {
+ let request = tonic::Request::new(build_request(|_http| {}));
let response = subject().check(request).await;
assert!(response.is_ok());
@@ -54,27 +31,31 @@ mod tests {
#[tokio::test]
async fn test_static_assets() {
- let static_paths = vec![
- "app.js",
- "favicon.ico",
- "image.jpg",
- "index.html",
- "logo.png",
- "style.css",
+ let routes = vec![
+ ("GET", "/app.js", tonic::Code::Ok),
+ ("GET", "/application.js", tonic::Code::Ok),
+ ("GET", "/favicon.ico", tonic::Code::Ok),
+ ("GET", "/favicon.png", tonic::Code::Ok),
+ ("GET", "/image.jpg", tonic::Code::Ok),
+ ("GET", "/assets/image.jpg", tonic::Code::Ok),
+ ("GET", "/assets/style.css", tonic::Code::Ok),
+ ("GET", "/assets/application.js", tonic::Code::Ok),
+ ("GET", "/htmx.js", tonic::Code::Ok),
+ ("GET", "/index.html", tonic::Code::Ok),
+ ("GET", "/logo.png", tonic::Code::Ok),
+ ("GET", "/pico.min.css", tonic::Code::Ok),
+ ("GET", "/vue.global.js", tonic::Code::Ok),
];
- for path in static_paths {
+ for (method, path, expected_status_code) in &routes {
let request = tonic::Request::new(build_request(|item: &mut HttpRequest| {
- let method = String::from("GET");
- let host = String::from("sparkle.staging.runway.gitlab.net");
-
- item.method = method.clone();
+ item.method = method.to_string();
item.path = path.to_string();
- item.host = host.to_string();
+ item.host = "localhost:3000".to_string();
item.headers = build_headers(vec![
- (String::from(":path"), path.to_string()),
- (String::from(":method"), method),
- (String::from(":authority"), host),
+ (String::from(":path"), item.path.to_string()),
+ (String::from(":method"), item.method.to_string()),
+ (String::from(":authority"), item.host.to_string()),
]);
}));
@@ -85,49 +66,7 @@ mod tests {
assert!(check_response.status.is_some());
let status = check_response.status.unwrap();
- assert_eq!(tonic::Code::from_i32(status.code), tonic::Code::Ok);
- }
- }
-
- #[tokio::test]
- async fn test_no_headers() {
- let request = tonic::Request::new(build_request(|_http| {}));
-
- let response = subject().check(request).await;
- assert!(response.is_ok());
-
- let check_response = response.unwrap().into_inner();
- assert!(check_response.status.is_some());
-
- let status = check_response.status.unwrap();
- assert_eq!(
- tonic::Code::from_i32(status.code),
- tonic::Code::Unauthenticated
- );
- }
-
- #[tokio::test]
- async fn test_table() {
- let test_cases = vec![
- ("Bearer valid-token", tonic::Code::Ok),
- ("Bearer invalid-token", tonic::Code::Unauthenticated),
- ("Basic valid-token", tonic::Code::Unauthenticated),
- ("", tonic::Code::Unauthenticated),
- ];
-
- for (auth_value, expected_status_code) in test_cases {
- let request = tonic::Request::new(build_request(|item: &mut HttpRequest| {
- item.headers =
- build_headers(vec![("authorization".to_string(), auth_value.to_string())]);
- }));
-
- let response = subject().check(request).await;
- assert!(response.is_ok());
-
- let check_response = response.unwrap().into_inner();
- let status = check_response.status.unwrap();
-
- assert_eq!(tonic::Code::from_i32(status.code), expected_status_code);
+ assert_eq!(tonic::Code::from_i32(status.code), *expected_status_code);
}
}
@@ -141,19 +80,11 @@ mod tests {
let routes = vec![
("GET", "/", tonic::Code::Ok),
- ("GET", "/application.js", tonic::Code::Ok),
("GET", "/callback", tonic::Code::Ok),
("GET", "/dashboard/nav", tonic::Code::Ok),
- ("GET", "/favicon.ico", tonic::Code::Ok),
- ("GET", "/favicon.png", tonic::Code::Ok),
("GET", "/health", tonic::Code::Ok),
- ("GET", "/htmx.js", tonic::Code::Ok),
- ("GET", "/index.html", tonic::Code::Ok),
- ("GET", "/logo.png", tonic::Code::Ok),
- ("GET", "/pico.min.css", tonic::Code::Ok),
("GET", "/signout", tonic::Code::Ok),
("GET", "/sparkles", tonic::Code::Ok),
- ("GET", "/vue.global.js", tonic::Code::Ok),
("POST", "/sparkles/restore", tonic::Code::Ok),
("GET", "/dashboard", tonic::Code::Unauthenticated),
("POST", "/sparkles", tonic::Code::Unauthenticated),
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-02 12:02:52 +0000