From 814a864184affab624f7d1e5314cd1f55d72b90c Mon Sep 17 00:00:00 2001 From: mo khan Date: Thu, 17 Jul 2025 12:37:14 -0600 Subject: refactor: remove cedar --- tests/authorization/cedar_authorizer_test.rs | 149 --------------------------- tests/authorization/check_service_test.rs | 4 +- tests/authorization/mod.rs | 1 - tests/support/factory_bot.rs | 24 +---- 4 files changed, 3 insertions(+), 175 deletions(-) delete mode 100644 tests/authorization/cedar_authorizer_test.rs (limited to 'tests') diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs deleted file mode 100644 index 4938033c..00000000 --- a/tests/authorization/cedar_authorizer_test.rs +++ /dev/null @@ -1,149 +0,0 @@ -#[cfg(test)] -mod tests { - use crate::support::factory_bot::*; - use crate::support::*; - use authzd::Authorizer; - use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; - use std::collections::HashMap; - - fn subject() -> authzd::authorization::cedar::Authorizer { - common::setup(); - subject_with(cedar_policy::Entities::empty()) - } - - fn subject_with(entities: cedar_policy::Entities) -> authzd::authorization::cedar::Authorizer { - build_cedar_authorizer(entities) - } - - #[test] - fn test_cedar_authorizer_denies_missing_header() { - assert!( - !subject().authorize(build_request(|item: &mut HttpRequest| { - item.headers = HashMap::new(); - })) - ); - } - - #[test] - fn test_unauthenticated_sparkle_endpoints() { - let hosts = vec![ - "localhost:10000", - "sparkle.runway.gitlab.net", - "sparkle.staging.runway.gitlab.net", - ]; - - let routes = vec![ - ("GET", "/", true), - ("GET", "/callback", true), - ("GET", "/dashboard/nav", true), - ("GET", "/health", true), - ("GET", "/signout", true), - ("GET", "/sparkles", true), - ("POST", "/sparkles/restore", true), - ("GET", "/dashboard", false), - ("POST", "/sparkles", false), - ]; - - let authorizer = subject(); - for host in hosts { - for (method, path, expected) in &routes { - let request = build_request(|item: &mut HttpRequest| { - item.method = method.to_string(); - item.path = path.to_string(); - item.host = host.to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), path.to_string()), - (String::from(":method"), method.to_string()), - (String::from(":authority"), host.to_string()), - ]); - }); - - assert_eq!( - authorizer.authorize(request), - *expected, - "{} {}", - method, - path - ); - } - } - } - - // TODO:: Add entities to represent access to: - // * list of sparkles: `:read, gid://sparkle/Sparkle/*` - // * single sparkle: `:read, gid://sparkle/Sparkle/:id` - // * create sparkle: `:create, gid://sparkle/Sparkle/*` - // * update sparkles: `:update, gid://sparkle/Sparkle/*` - // * update single sparkle: `:update, gid://sparkle/Sparkle/:id` - // * delete sparkles: `:delete, gid://sparkle/Sparkle/*` - // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id` - #[test] - fn test_authenticated_create_sparkle() { - let request = build_request(|item: &mut HttpRequest| { - item.method = "POST".to_string(); - item.path = "/sparkles".to_string(); - item.host = "sparkle.staging.runway.gitlab.net".to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), item.path.to_string()), - (String::from(":method"), item.method.to_string()), - (String::from(":authority"), item.host.to_string()), - (String::from("x-jwt-claim-sub"), "1675940".to_string()), - ]); - }); - - let mut attrs = std::collections::HashMap::new(); - attrs.insert( - "username".to_string(), - cedar_policy::RestrictedExpression::new_string("tanuki".to_string()), - ); - let user = build_user("1675940", attrs); - let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); - let authorizer = subject_with(entities); - assert!(authorizer.authorize(request.clone())); - - let mut attrs = std::collections::HashMap::new(); - attrs.insert( - "username".to_string(), - cedar_policy::RestrictedExpression::new_string("root".to_string()), - ); - let user = build_user("1", attrs); - let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); - let authorizer = subject_with(entities); - assert!(!authorizer.authorize(request.clone())); - } - - #[test] - fn test_sparkle_homepage() { - let request = build_request(|item: &mut HttpRequest| { - item.method = "GET".to_string(); - item.path = "/".to_string(); - item.host = "localhost:10000".to_string(); - item.headers = build_headers(vec![ - (String::from(":path"), item.path.to_string()), - (String::from(":method"), item.method.to_string()), - (String::from(":authority"), item.host.to_string()), - ]); - }); - - let authorizer = subject(); - assert_eq!(authorizer.authorize(request), true); - } - - #[test] - fn test_sparkle_dashboard() { - let request = build_request(|item: &mut HttpRequest| { - item.method = "GET".to_string(); - item.path = "/dashboard".to_string(); - item.host = "localhost:10000".to_string(); - item.headers = build_headers(vec![ - (String::from("x-jwt-claim-sub"), "1".to_string()), - (String::from(":path"), item.path.to_string()), - (String::from(":method"), item.method.to_string()), - (String::from(":authority"), item.host.to_string()), - ]); - }); - - let authorizer = subject(); - assert_eq!(authorizer.authorize(request), true); - } -} diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs index 30450134..acf2d4a1 100644 --- a/tests/authorization/check_service_test.rs +++ b/tests/authorization/check_service_test.rs @@ -7,9 +7,7 @@ mod tests { use std::sync::Arc; fn subject() -> CheckService { - CheckService::new(Arc::new(build_cedar_authorizer( - cedar_policy::Entities::empty(), - ))) + CheckService::new(Arc::new(build_spice_authorizer())) } #[tokio::test] diff --git a/tests/authorization/mod.rs b/tests/authorization/mod.rs index 7cad6c25..a1313cb7 100644 --- a/tests/authorization/mod.rs +++ b/tests/authorization/mod.rs @@ -1,4 +1,3 @@ -mod cedar_authorizer_test; mod check_service_test; mod server_test; mod spice; diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs index 7ebe75ec..f06d0b4f 100644 --- a/tests/support/factory_bot.rs +++ b/tests/support/factory_bot.rs @@ -3,7 +3,6 @@ use envoy_types::pb::envoy::service::auth::v3::CheckRequest; use envoy_types::pb::envoy::service::auth::v3::attribute_context::{HttpRequest, Request}; use std::collections::HashMap; use std::net::SocketAddr; -use std::str::FromStr; use tonic::transport::Channel; #[allow(dead_code)] @@ -37,14 +36,6 @@ pub fn build_headers(headers: Vec<(String, String)>) -> HashMap }) } -pub fn build_cedar_authorizer( - entities: cedar_policy::Entities, -) -> authzd::authorization::cedar::Authorizer { - let realpath = std::fs::canonicalize("./etc/authzd").unwrap(); - let path = realpath.as_path(); - authzd::authorization::cedar::Authorizer::new_from(path, entities) -} - pub async fn build_channel(addr: SocketAddr) -> Channel { Channel::from_shared(format!("http://{}", addr)) .expect("Failed to create channel") @@ -60,17 +51,6 @@ where f(build_channel(addr).await) } -pub fn build_user( - id: &str, - attrs: std::collections::HashMap, -) -> cedar_policy::Entity { - cedar_policy::Entity::new( - cedar_policy::EntityUid::from_type_name_and_id( - cedar_policy::EntityTypeName::from_str("User").unwrap(), - cedar_policy::EntityId::from_str(id).unwrap(), - ), - attrs, - std::collections::HashSet::new(), - ) - .unwrap() +pub fn build_spice_authorizer() -> authzd::authorization::spice::Authorizer { + authzd::authorization::spice::Authorizer::default() } -- cgit v1.2.3