From 203ed8abfbf47c8a41a455c1f8baf7c53b7c51cc Mon Sep 17 00:00:00 2001 From: mo khan Date: Wed, 9 Jul 2025 09:33:33 -0600 Subject: test: add sparkle public endpoint tests --- tests/authorization/cedar_authorizer_test.rs | 48 ++++++++++++++++++++++++++++ tests/authorization/check_service_test.rs | 4 --- 2 files changed, 48 insertions(+), 4 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 490a0107..50fdd7a5 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -75,4 +75,52 @@ mod tests { ]); }))); } + + #[test] + fn test_public_sparkle_endpoints() { + let hosts = vec![ + "localhost:10000", + "sparkle.runway.gitlab.net", + "sparkle.staging.runway.gitlab.net", + ]; + + let routes = vec![ + ("GET", "/", true), + ("GET", "/application.js", true), + ("GET", "/callback", true), + ("GET", "/dashboard/nav", true), + ("GET", "/favicon.ico", true), + ("GET", "/favicon.png", true), + ("GET", "/health", true), + ("GET", "/htmx.js", true), + ("GET", "/index.html", true), + ("GET", "/logo.png", true), + ("GET", "/pico.min.css", true), + ("GET", "/signout", true), + ("GET", "/sparkles", true), + ("GET", "/vue.global.js", true), + ("POST", "/sparkles/restore", true), + ("GET", "/dashboard", false), + ("POST", "/sparkles", false), + ]; + + let authorizer = subject(); + + for host in hosts { + for (method, path, expected) in &routes { + let request = build_request(|item: &mut HttpRequest| { + item.method = method.to_string(); + item.path = path.to_string(); + item.host = host.to_string(); + item.headers = build_headers(vec![ + (String::from(":path"), path.to_string()), + (String::from(":method"), method.to_string()), + (String::from(":authority"), host.to_string()), + ]); + }); + + assert_eq!(authorizer.authorize(request), *expected); + } + } + } } diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index c5c824fc..60cbc11c 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -131,10 +131,6 @@ mod tests { #[tokio::test] async fn test_public_sparkle_endpoints() { - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}}, - // {status: tonic::Code::Ok, http: &HTTPRequest{Method: "POST", Path: "/sparkles", Headers: loggedInHeaders}}, - // {status: tonic::Code::PermissionDenied, http: &HTTPRequest{Method: "GET", Path: "/dashboard", Headers: invalidHeaders}}, - let hosts = vec![ "localhost:10000", "sparkle.runway.gitlab.net", -- cgit v1.2.3 From 3d7745e618dfd824afb83d860abcc8af90b0bd14 Mon Sep 17 00:00:00 2001 From: mo khan Date: Wed, 9 Jul 2025 09:45:31 -0600 Subject: chore: start to provide entities to cedar --- tests/authorization/cedar_authorizer_test.rs | 13 +++++++++++-- tests/authorization/check_service_test.rs | 4 +++- tests/support/factory_bot.rs | 4 ++-- 3 files changed, 16 insertions(+), 5 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 50fdd7a5..47dde0c8 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -6,7 +6,7 @@ mod tests { use std::collections::HashMap; fn subject() -> authzd::CedarAuthorizer { - build_cedar_authorizer() + build_cedar_authorizer(cedar_policy::Entities::empty()) } #[test] @@ -105,7 +105,6 @@ mod tests { ]; let authorizer = subject(); - for host in hosts { for (method, path, expected) in &routes { let request = build_request(|item: &mut HttpRequest| { @@ -123,4 +122,14 @@ mod tests { } } } + + #[test] + fn test_allow_access_to_developer_in_sparkle_project() { + let request = build_request(|item: &mut HttpRequest| { + item.method = "GET".to_string(); + item.path = "/dashboard".to_string(); + item.host = "sparkle.staging.runway.gitlab.net".to_string(); + }); + assert!(subject().authorize(request)); + } } diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index 60cbc11c..ae8c1de5 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -8,7 +8,9 @@ mod tests { use std::sync::Arc; fn subject() -> CheckService { - CheckService::new(Arc::new(build_cedar_authorizer())) + CheckService::new(Arc::new(build_cedar_authorizer( + cedar_policy::Entities::empty(), + ))) } #[tokio::test] diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs index 007f0cb7..14969f87 100644 --- a/tests/support/factory_bot.rs +++ b/tests/support/factory_bot.rs @@ -36,10 +36,10 @@ pub fn build_headers(headers: Vec<(String, String)>) -> HashMap }) } -pub fn build_cedar_authorizer() -> authzd::CedarAuthorizer { +pub fn build_cedar_authorizer(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer { let realpath = std::fs::canonicalize("./etc/authzd").unwrap(); let path = realpath.as_path(); - authzd::CedarAuthorizer::new_from(path, cedar_policy::Entities::empty()) + authzd::CedarAuthorizer::new_from(path, entities) } pub async fn build_channel(addr: SocketAddr) -> Channel { -- cgit v1.2.3 From f160106ceaaeb4bca1f9bc3976d875429430dd44 Mon Sep 17 00:00:00 2001 From: mo khan Date: Wed, 9 Jul 2025 11:52:48 -0600 Subject: test: define the types of scenarios that I want to cover using the x-jwt-claim-sub --- tests/authorization/cedar_authorizer_test.rs | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 47dde0c8..0090f1a5 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -6,7 +6,11 @@ mod tests { use std::collections::HashMap; fn subject() -> authzd::CedarAuthorizer { - build_cedar_authorizer(cedar_policy::Entities::empty()) + subject_with(cedar_policy::Entities::empty()) + } + + fn subject_with(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer { + build_cedar_authorizer(entities) } #[test] @@ -129,7 +133,26 @@ mod tests { item.method = "GET".to_string(); item.path = "/dashboard".to_string(); item.host = "sparkle.staging.runway.gitlab.net".to_string(); + item.headers = build_headers(vec![ + (String::from(":path"), item.path.to_string()), + (String::from(":method"), item.method.to_string()), + (String::from(":authority"), item.host.to_string()), + ( + String::from("x-jwt-claim-sub"), + "gid://gitlab/User/1".to_string(), + ), + ]); }); - assert!(subject().authorize(request)); + let entities = cedar_policy::Entities::empty(); + // TODO:: Add entities to represent access to: + // * list of sparkles: `:read, gid://sparkle/Sparkle/*` + // * single sparkle: `:read, gid://sparkle/Sparkle/:id` + // * create sparkle: `:create, gid://sparkle/Sparkle/*` + // * update sparkles: `:update, gid://sparkle/Sparkle/*` + // * update single sparkle: `:update, gid://sparkle/Sparkle/:id` + // * delete sparkles: `:delete, gid://sparkle/Sparkle/*` + // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id` + let authorizer = subject_with(entities); + assert!(authorizer.authorize(request)); } } -- cgit v1.2.3 From e6a1c6661f3e900d47395695ccb8d8c9942be68f Mon Sep 17 00:00:00 2001 From: mo khan Date: Wed, 9 Jul 2025 15:30:28 -0600 Subject: test: update test to focus on :read, Sparkle --- tests/authorization/cedar_authorizer_test.rs | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 0090f1a5..27801bb1 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -127,11 +127,19 @@ mod tests { } } + // TODO:: Add entities to represent access to: + // * list of sparkles: `:read, gid://sparkle/Sparkle/*` + // * single sparkle: `:read, gid://sparkle/Sparkle/:id` + // * create sparkle: `:create, gid://sparkle/Sparkle/*` + // * update sparkles: `:update, gid://sparkle/Sparkle/*` + // * update single sparkle: `:update, gid://sparkle/Sparkle/:id` + // * delete sparkles: `:delete, gid://sparkle/Sparkle/*` + // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id` #[test] - fn test_allow_access_to_developer_in_sparkle_project() { + fn test_allow_read_sparkles() { let request = build_request(|item: &mut HttpRequest| { item.method = "GET".to_string(); - item.path = "/dashboard".to_string(); + item.path = "/sparkles".to_string(); item.host = "sparkle.staging.runway.gitlab.net".to_string(); item.headers = build_headers(vec![ (String::from(":path"), item.path.to_string()), @@ -144,14 +152,6 @@ mod tests { ]); }); let entities = cedar_policy::Entities::empty(); - // TODO:: Add entities to represent access to: - // * list of sparkles: `:read, gid://sparkle/Sparkle/*` - // * single sparkle: `:read, gid://sparkle/Sparkle/:id` - // * create sparkle: `:create, gid://sparkle/Sparkle/*` - // * update sparkles: `:update, gid://sparkle/Sparkle/*` - // * update single sparkle: `:update, gid://sparkle/Sparkle/:id` - // * delete sparkles: `:delete, gid://sparkle/Sparkle/*` - // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id` let authorizer = subject_with(entities); assert!(authorizer.authorize(request)); } -- cgit v1.2.3 From 4a59c375b6bfe2613618937f8e03c5d38193fc78 Mon Sep 17 00:00:00 2001 From: mo khan Date: Wed, 9 Jul 2025 15:54:01 -0600 Subject: test: build a cedar entity with my user record id --- tests/authorization/cedar_authorizer_test.rs | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 27801bb1..4a319c09 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -4,6 +4,7 @@ mod tests { use authzd::Authorizer; use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; use std::collections::HashMap; + use std::str::FromStr; fn subject() -> authzd::CedarAuthorizer { subject_with(cedar_policy::Entities::empty()) @@ -145,13 +146,20 @@ mod tests { (String::from(":path"), item.path.to_string()), (String::from(":method"), item.method.to_string()), (String::from(":authority"), item.host.to_string()), - ( - String::from("x-jwt-claim-sub"), - "gid://gitlab/User/1".to_string(), - ), + (String::from("x-jwt-claim-sub"), "1675940".to_string()), ]); }); - let entities = cedar_policy::Entities::empty(); + + let user = cedar_policy::Entity::new( + cedar_policy::EntityUid::from_type_name_and_id( + cedar_policy::EntityTypeName::from_str("User").unwrap(), + cedar_policy::EntityId::from_str("1675940").unwrap(), + ), + std::collections::HashMap::new(), + std::collections::HashSet::new(), + ); + + let entities = cedar_policy::Entities::from_entities([user.unwrap()], None).unwrap(); let authorizer = subject_with(entities); assert!(authorizer.authorize(request)); } -- cgit v1.2.3 From 5abf4b1db876161ef028398c9d600dd5ab9f6f6e Mon Sep 17 00:00:00 2001 From: mo khan Date: Wed, 9 Jul 2025 16:28:12 -0600 Subject: test: extract common test setup to initialize logger --- tests/authorization/cedar_authorizer_test.rs | 2 ++ tests/support/common.rs | 12 ++++++++++++ tests/support/mod.rs | 1 + 3 files changed, 15 insertions(+) create mode 100644 tests/support/common.rs (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 4a319c09..27b676ba 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -1,12 +1,14 @@ #[cfg(test)] mod tests { use crate::support::factory_bot::*; + use crate::support::*; use authzd::Authorizer; use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; use std::collections::HashMap; use std::str::FromStr; fn subject() -> authzd::CedarAuthorizer { + common::setup(); subject_with(cedar_policy::Entities::empty()) } diff --git a/tests/support/common.rs b/tests/support/common.rs new file mode 100644 index 00000000..8db5c52b --- /dev/null +++ b/tests/support/common.rs @@ -0,0 +1,12 @@ +use std::sync::Once; + +static INIT: Once = Once::new(); + +pub fn setup() { + INIT.call_once(|| { + tracing_subscriber::fmt() + .with_test_writer() + .with_max_level(tracing::Level::WARN) + .init(); + }); +} diff --git a/tests/support/mod.rs b/tests/support/mod.rs index 5e2a6d78..c46f39e5 100644 --- a/tests/support/mod.rs +++ b/tests/support/mod.rs @@ -1 +1,2 @@ +pub mod common; pub mod factory_bot; -- cgit v1.2.3 From 2bfefb123605f48f3b21fea260d5f680402dc410 Mon Sep 17 00:00:00 2001 From: mo khan Date: Wed, 9 Jul 2025 16:53:36 -0600 Subject: test: consolidate some of the duplicate tests --- etc/authzd/policy0.cedar | 8 -- tests/authorization/cedar_authorizer_test.rs | 70 +--------------- tests/authorization/check_service_test.rs | 115 ++++++--------------------- 3 files changed, 25 insertions(+), 168 deletions(-) (limited to 'tests/authorization') diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar index 7c0aed08..bf2e705a 100644 --- a/etc/authzd/policy0.cedar +++ b/etc/authzd/policy0.cedar @@ -1,11 +1,3 @@ -@id("placeholder_example") -permit ( - principal, - action == Action::"check", - resource -) -when { context has bearer_token && context.bearer_token == "valid-token" }; - @id("static_assets") permit (principal, action, resource) when diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 27b676ba..88357058 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -16,28 +16,6 @@ mod tests { build_cedar_authorizer(entities) } - #[test] - fn test_cedar_authorizer_allows_valid_token() { - assert!(subject().authorize(build_request(|item: &mut HttpRequest| { - item.headers = build_headers(vec![( - "authorization".to_string(), - "Bearer valid-token".to_string(), - )]); - }))); - } - - #[test] - fn test_cedar_authorizer_denies_invalid_token() { - assert!( - !subject().authorize(build_request(|item: &mut HttpRequest| { - item.headers = build_headers(vec![( - "authorization".to_string(), - "Bearer invalid-token".to_string(), - )]); - })) - ); - } - #[test] fn test_cedar_authorizer_denies_missing_header() { assert!( @@ -48,43 +26,7 @@ mod tests { } #[test] - fn test_cedar_authorizer_allows_static_assets() { - assert!(subject().authorize(build_request(|item: &mut HttpRequest| { - let method = String::from("GET"); - let host = String::from("sparkle.staging.runway.gitlab.net"); - let path = "/public/style.css"; - - item.method = method.clone(); - item.path = path.to_string(); - item.host = host.to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method), - (String::from(":authority"), host), - ]); - }))); - } - - #[test] - fn test_cedar_authorizer_allows_js_assets() { - assert!(subject().authorize(build_request(|item: &mut HttpRequest| { - let method = String::from("GET"); - let host = String::from("sparkle.staging.runway.gitlab.net"); - let path = "/app.js"; - - item.method = method.clone(); - item.path = path.to_string(); - item.host = host.to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method), - (String::from(":authority"), host), - ]); - }))); - } - - #[test] - fn test_public_sparkle_endpoints() { + fn test_unauthenticated_sparkle_endpoints() { let hosts = vec![ "localhost:10000", "sparkle.runway.gitlab.net", @@ -93,19 +35,11 @@ mod tests { let routes = vec![ ("GET", "/", true), - ("GET", "/application.js", true), ("GET", "/callback", true), ("GET", "/dashboard/nav", true), - ("GET", "/favicon.ico", true), - ("GET", "/favicon.png", true), ("GET", "/health", true), - ("GET", "/htmx.js", true), - ("GET", "/index.html", true), - ("GET", "/logo.png", true), - ("GET", "/pico.min.css", true), ("GET", "/signout", true), ("GET", "/sparkles", true), - ("GET", "/vue.global.js", true), ("POST", "/sparkles/restore", true), ("GET", "/dashboard", false), ("POST", "/sparkles", false), @@ -139,7 +73,7 @@ mod tests { // * delete sparkles: `:delete, gid://sparkle/Sparkle/*` // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id` #[test] - fn test_allow_read_sparkles() { + fn test_authenticated_sparkle_endpoints() { let request = build_request(|item: &mut HttpRequest| { item.method = "GET".to_string(); item.path = "/sparkles".to_string(); diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index ae8c1de5..24921846 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -4,7 +4,6 @@ mod tests { use authzd::CheckService; use envoy_types::ext_authz::v3::pb::Authorization; use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; - use std::collections::HashMap; use std::sync::Arc; fn subject() -> CheckService { @@ -14,30 +13,8 @@ mod tests { } #[tokio::test] - async fn test_check_allows_valid_bearer_token() { - let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - item.path = String::from("/"); - item.headers = build_headers(vec![( - "authorization".to_string(), - format!("Bearer {}", String::from("valid-token")), - )]) - })); - - let response = subject().check(request).await; - assert!(response.is_ok()); - - let check_response = response.unwrap().into_inner(); - assert!(check_response.status.is_some()); - - let status = check_response.status.unwrap(); - assert_eq!(tonic::Code::from_i32(status.code), tonic::Code::Ok); - } - - #[tokio::test] - async fn test_check_denies_invalid_bearer_token() { - let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - item.headers = HashMap::new(); - })); + async fn test_no_headers() { + let request = tonic::Request::new(build_request(|_http| {})); let response = subject().check(request).await; assert!(response.is_ok()); @@ -54,27 +31,31 @@ mod tests { #[tokio::test] async fn test_static_assets() { - let static_paths = vec![ - "app.js", - "favicon.ico", - "image.jpg", - "index.html", - "logo.png", - "style.css", + let routes = vec![ + ("GET", "/app.js", tonic::Code::Ok), + ("GET", "/application.js", tonic::Code::Ok), + ("GET", "/favicon.ico", tonic::Code::Ok), + ("GET", "/favicon.png", tonic::Code::Ok), + ("GET", "/image.jpg", tonic::Code::Ok), + ("GET", "/assets/image.jpg", tonic::Code::Ok), + ("GET", "/assets/style.css", tonic::Code::Ok), + ("GET", "/assets/application.js", tonic::Code::Ok), + ("GET", "/htmx.js", tonic::Code::Ok), + ("GET", "/index.html", tonic::Code::Ok), + ("GET", "/logo.png", tonic::Code::Ok), + ("GET", "/pico.min.css", tonic::Code::Ok), + ("GET", "/vue.global.js", tonic::Code::Ok), ]; - for path in static_paths { + for (method, path, expected_status_code) in &routes { let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - let method = String::from("GET"); - let host = String::from("sparkle.staging.runway.gitlab.net"); - - item.method = method.clone(); + item.method = method.to_string(); item.path = path.to_string(); - item.host = host.to_string(); + item.host = "localhost:3000".to_string(); item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method), - (String::from(":authority"), host), + (String::from(":path"), item.path.to_string()), + (String::from(":method"), item.method.to_string()), + (String::from(":authority"), item.host.to_string()), ]); })); @@ -85,49 +66,7 @@ mod tests { assert!(check_response.status.is_some()); let status = check_response.status.unwrap(); - assert_eq!(tonic::Code::from_i32(status.code), tonic::Code::Ok); - } - } - - #[tokio::test] - async fn test_no_headers() { - let request = tonic::Request::new(build_request(|_http| {})); - - let response = subject().check(request).await; - assert!(response.is_ok()); - - let check_response = response.unwrap().into_inner(); - assert!(check_response.status.is_some()); - - let status = check_response.status.unwrap(); - assert_eq!( - tonic::Code::from_i32(status.code), - tonic::Code::Unauthenticated - ); - } - - #[tokio::test] - async fn test_table() { - let test_cases = vec![ - ("Bearer valid-token", tonic::Code::Ok), - ("Bearer invalid-token", tonic::Code::Unauthenticated), - ("Basic valid-token", tonic::Code::Unauthenticated), - ("", tonic::Code::Unauthenticated), - ]; - - for (auth_value, expected_status_code) in test_cases { - let request = tonic::Request::new(build_request(|item: &mut HttpRequest| { - item.headers = - build_headers(vec![("authorization".to_string(), auth_value.to_string())]); - })); - - let response = subject().check(request).await; - assert!(response.is_ok()); - - let check_response = response.unwrap().into_inner(); - let status = check_response.status.unwrap(); - - assert_eq!(tonic::Code::from_i32(status.code), expected_status_code); + assert_eq!(tonic::Code::from_i32(status.code), *expected_status_code); } } @@ -141,19 +80,11 @@ mod tests { let routes = vec![ ("GET", "/", tonic::Code::Ok), - ("GET", "/application.js", tonic::Code::Ok), ("GET", "/callback", tonic::Code::Ok), ("GET", "/dashboard/nav", tonic::Code::Ok), - ("GET", "/favicon.ico", tonic::Code::Ok), - ("GET", "/favicon.png", tonic::Code::Ok), ("GET", "/health", tonic::Code::Ok), - ("GET", "/htmx.js", tonic::Code::Ok), - ("GET", "/index.html", tonic::Code::Ok), - ("GET", "/logo.png", tonic::Code::Ok), - ("GET", "/pico.min.css", tonic::Code::Ok), ("GET", "/signout", tonic::Code::Ok), ("GET", "/sparkles", tonic::Code::Ok), - ("GET", "/vue.global.js", tonic::Code::Ok), ("POST", "/sparkles/restore", tonic::Code::Ok), ("GET", "/dashboard", tonic::Code::Unauthenticated), ("POST", "/sparkles", tonic::Code::Unauthenticated), -- cgit v1.2.3 From b3cbfaed168b8c28d1c740f705d92008608b6dcd Mon Sep 17 00:00:00 2001 From: mo khan Date: Wed, 9 Jul 2025 17:50:37 -0600 Subject: refactor: extract build_user function --- tests/authorization/cedar_authorizer_test.rs | 15 +++------------ tests/support/factory_bot.rs | 13 +++++++++++++ 2 files changed, 16 insertions(+), 12 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 88357058..8add9868 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -5,7 +5,6 @@ mod tests { use authzd::Authorizer; use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; use std::collections::HashMap; - use std::str::FromStr; fn subject() -> authzd::CedarAuthorizer { common::setup(); @@ -73,7 +72,7 @@ mod tests { // * delete sparkles: `:delete, gid://sparkle/Sparkle/*` // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id` #[test] - fn test_authenticated_sparkle_endpoints() { + fn test_authenticated_create_sparkle() { let request = build_request(|item: &mut HttpRequest| { item.method = "GET".to_string(); item.path = "/sparkles".to_string(); @@ -86,16 +85,8 @@ mod tests { ]); }); - let user = cedar_policy::Entity::new( - cedar_policy::EntityUid::from_type_name_and_id( - cedar_policy::EntityTypeName::from_str("User").unwrap(), - cedar_policy::EntityId::from_str("1675940").unwrap(), - ), - std::collections::HashMap::new(), - std::collections::HashSet::new(), - ); - - let entities = cedar_policy::Entities::from_entities([user.unwrap()], None).unwrap(); + let user = build_user("1675940"); + let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); let authorizer = subject_with(entities); assert!(authorizer.authorize(request)); } diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs index 14969f87..969080a3 100644 --- a/tests/support/factory_bot.rs +++ b/tests/support/factory_bot.rs @@ -3,6 +3,7 @@ use envoy_types::pb::envoy::service::auth::v3::AttributeContext; use envoy_types::pb::envoy::service::auth::v3::attribute_context::{HttpRequest, Request}; use std::collections::HashMap; use std::net::SocketAddr; +use std::str::FromStr; use tonic::transport::Channel; #[allow(dead_code)] @@ -56,3 +57,15 @@ where { f(build_channel(addr).await) } + +pub fn build_user(id: &str) -> cedar_policy::Entity { + cedar_policy::Entity::new( + cedar_policy::EntityUid::from_type_name_and_id( + cedar_policy::EntityTypeName::from_str("User").unwrap(), + cedar_policy::EntityId::from_str(id).unwrap(), + ), + std::collections::HashMap::new(), + std::collections::HashSet::new(), + ) + .unwrap() +} -- cgit v1.2.3 From 539cf6a187637783ae11becfa9d7b2d5faba4c24 Mon Sep 17 00:00:00 2001 From: mo khan Date: Thu, 10 Jul 2025 08:22:16 -0600 Subject: feat: extract JWT subject claim header --- src/authorization/cedar_authorizer.rs | 9 +++++++-- tests/authorization/cedar_authorizer_test.rs | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'tests/authorization') diff --git a/src/authorization/cedar_authorizer.rs b/src/authorization/cedar_authorizer.rs index c6b886ec..ceaee51c 100644 --- a/src/authorization/cedar_authorizer.rs +++ b/src/authorization/cedar_authorizer.rs @@ -74,11 +74,16 @@ impl CedarAuthorizer { fn principal_from( &self, - _http_request: &envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest, + http_request: &envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest, ) -> Result> { + let subject = http_request + .headers + .get("x-jwt-claim-sub") + .map_or("", |v| v); + Ok(cedar_policy::EntityUid::from_type_name_and_id( cedar_policy::EntityTypeName::from_str("User")?, - cedar_policy::EntityId::from_str("client")?, + cedar_policy::EntityId::from_str(subject)?, )) } diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 8add9868..0cffeb13 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -74,7 +74,7 @@ mod tests { #[test] fn test_authenticated_create_sparkle() { let request = build_request(|item: &mut HttpRequest| { - item.method = "GET".to_string(); + item.method = "POST".to_string(); item.path = "/sparkles".to_string(); item.host = "sparkle.staging.runway.gitlab.net".to_string(); item.headers = build_headers(vec![ -- cgit v1.2.3 From 04670ecf10906f90cd50c7ff5d6cdc3e6f1f777e Mon Sep 17 00:00:00 2001 From: mo khan Date: Thu, 10 Jul 2025 14:29:45 -0600 Subject: test: print failure details for table test --- tests/authorization/cedar_authorizer_test.rs | 8 +++++++- tests/authorization/check_service_test.rs | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 0cffeb13..1a04b6af 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -58,7 +58,13 @@ mod tests { ]); }); - assert_eq!(authorizer.authorize(request), *expected); + assert_eq!( + authorizer.authorize(request), + *expected, + "{} {}", + method, + path + ); } } } diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index 24921846..3db0ec9e 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -110,7 +110,13 @@ mod tests { assert!(check_response.status.is_some()); let status = check_response.status.unwrap(); - assert_eq!(tonic::Code::from_i32(status.code), *expected_status_code); + assert_eq!( + tonic::Code::from_i32(status.code), + *expected_status_code, + "{} {}", + method, + path + ); } } } -- cgit v1.2.3 From e92f15ef82339d4d9dc4a04f8dce2599b6ef10da Mon Sep 17 00:00:00 2001 From: mo khan Date: Thu, 10 Jul 2025 14:44:54 -0600 Subject: test: ensure authenticated users that are not in the entities do not have access --- tests/authorization/cedar_authorizer_test.rs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'tests/authorization') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index 1a04b6af..f2dfebd4 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -94,6 +94,11 @@ mod tests { let user = build_user("1675940"); let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); let authorizer = subject_with(entities); - assert!(authorizer.authorize(request)); + assert!(authorizer.authorize(request.clone())); + + let user = build_user("1"); + let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); + let authorizer = subject_with(entities); + assert!(!authorizer.authorize(request.clone())); } } -- cgit v1.2.3 From 5d7f37c6508c7308c17659630cff35f4ead6dae4 Mon Sep 17 00:00:00 2001 From: mo khan Date: Thu, 10 Jul 2025 14:58:52 -0600 Subject: fix: allow authenticated+authorized users to create Sparkles --- etc/authzd/policy1.cedar | 12 ++++++++++++ .../authorization/sparkle/team/entities.json | 8 ++------ src/authorization/entities.rs | 2 -- src/gitlab/member.rs | 2 -- tests/authorization/cedar_authorizer_test.rs | 14 ++++++++++++-- tests/support/factory_bot.rs | 7 +++++-- 6 files changed, 31 insertions(+), 14 deletions(-) (limited to 'tests/authorization') diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar index 2306aaae..15776ab7 100644 --- a/etc/authzd/policy1.cedar +++ b/etc/authzd/policy1.cedar @@ -16,3 +16,15 @@ when context.path == "/sparkles")) || (context.method == "POST" && (context.path == "/sparkles/restore")))) }; + +permit ( + principal is User, + action == Action::"POST", + resource == Resource::"/sparkles" +) +when +{ + context has host && + context.host == "sparkle.staging.runway.gitlab.net" && + principal has username +}; diff --git a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json index ef479736..72d50bce 100644 --- a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json +++ b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json @@ -22,9 +22,7 @@ "id": "1675940" }, "attrs": { - "username": "mokhax", - "name": "mo khan", - "access_level": 50 + "username": "mokhax" }, "parents": [] }, @@ -34,9 +32,7 @@ "id": "1676317" }, "attrs": { - "username": "jayswain", - "name": "Jay Swain", - "access_level": 30 + "username": "jayswain" }, "parents": [] }, diff --git a/src/authorization/entities.rs b/src/authorization/entities.rs index a26cace2..dd5894f8 100644 --- a/src/authorization/entities.rs +++ b/src/authorization/entities.rs @@ -75,8 +75,6 @@ impl EntitiesRepository { }, attrs: serde_json::json!({ "username": member.username, - "name": member.name, - "access_level": member.access_level, }), parents: vec![], }); diff --git a/src/gitlab/member.rs b/src/gitlab/member.rs index 0b4997e9..7e7f212e 100644 --- a/src/gitlab/member.rs +++ b/src/gitlab/member.rs @@ -4,7 +4,5 @@ use serde::Deserialize; pub struct Member { pub id: u64, pub username: String, - pub name: String, pub state: String, - pub access_level: u8, } diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs index f2dfebd4..f056c8c7 100644 --- a/tests/authorization/cedar_authorizer_test.rs +++ b/tests/authorization/cedar_authorizer_test.rs @@ -91,12 +91,22 @@ mod tests { ]); }); - let user = build_user("1675940"); + let mut attrs = std::collections::HashMap::new(); + attrs.insert( + "username".to_string(), + cedar_policy::RestrictedExpression::new_string("tanuki".to_string()), + ); + let user = build_user("1675940", attrs); let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); let authorizer = subject_with(entities); assert!(authorizer.authorize(request.clone())); - let user = build_user("1"); + let mut attrs = std::collections::HashMap::new(); + attrs.insert( + "username".to_string(), + cedar_policy::RestrictedExpression::new_string("root".to_string()), + ); + let user = build_user("1", attrs); let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); let authorizer = subject_with(entities); assert!(!authorizer.authorize(request.clone())); diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs index 969080a3..ba0d9c38 100644 --- a/tests/support/factory_bot.rs +++ b/tests/support/factory_bot.rs @@ -58,13 +58,16 @@ where f(build_channel(addr).await) } -pub fn build_user(id: &str) -> cedar_policy::Entity { +pub fn build_user( + id: &str, + attrs: std::collections::HashMap, +) -> cedar_policy::Entity { cedar_policy::Entity::new( cedar_policy::EntityUid::from_type_name_and_id( cedar_policy::EntityTypeName::from_str("User").unwrap(), cedar_policy::EntityId::from_str(id).unwrap(), ), - std::collections::HashMap::new(), + attrs, std::collections::HashSet::new(), ) .unwrap() -- cgit v1.2.3