#[cfg(test)] mod tests { use crate::support::factory_bot::*; use crate::support::*; use authzd::Authorizer; use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest; use std::collections::HashMap; fn subject() -> authzd::CedarAuthorizer { common::setup(); subject_with(cedar_policy::Entities::empty()) } fn subject_with(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer { build_cedar_authorizer(entities) } #[test] fn test_cedar_authorizer_denies_missing_header() { assert!( !subject().authorize(build_request(|item: &mut HttpRequest| { item.headers = HashMap::new(); })) ); } #[test] fn test_unauthenticated_sparkle_endpoints() { let hosts = vec![ "localhost:10000", "sparkle.runway.gitlab.net", "sparkle.staging.runway.gitlab.net", ]; let routes = vec![ ("GET", "/", true), ("GET", "/callback", true), ("GET", "/dashboard/nav", true), ("GET", "/health", true), ("GET", "/signout", true), ("GET", "/sparkles", true), ("POST", "/sparkles/restore", true), ("GET", "/dashboard", false), ("POST", "/sparkles", false), ]; let authorizer = subject(); for host in hosts { for (method, path, expected) in &routes { let request = build_request(|item: &mut HttpRequest| { item.method = method.to_string(); item.path = path.to_string(); item.host = host.to_string(); item.headers = build_headers(vec![ (String::from(":path"), path.to_string()), (String::from(":method"), method.to_string()), (String::from(":authority"), host.to_string()), ]); }); assert_eq!( authorizer.authorize(request), *expected, "{} {}", method, path ); } } } // TODO:: Add entities to represent access to: // * list of sparkles: `:read, gid://sparkle/Sparkle/*` // * single sparkle: `:read, gid://sparkle/Sparkle/:id` // * create sparkle: `:create, gid://sparkle/Sparkle/*` // * update sparkles: `:update, gid://sparkle/Sparkle/*` // * update single sparkle: `:update, gid://sparkle/Sparkle/:id` // * delete sparkles: `:delete, gid://sparkle/Sparkle/*` // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id` #[test] fn test_authenticated_create_sparkle() { let request = build_request(|item: &mut HttpRequest| { item.method = "POST".to_string(); item.path = "/sparkles".to_string(); item.host = "sparkle.staging.runway.gitlab.net".to_string(); item.headers = build_headers(vec![ (String::from(":path"), item.path.to_string()), (String::from(":method"), item.method.to_string()), (String::from(":authority"), item.host.to_string()), (String::from("x-jwt-claim-sub"), "1675940".to_string()), ]); }); let mut attrs = std::collections::HashMap::new(); attrs.insert( "username".to_string(), cedar_policy::RestrictedExpression::new_string("tanuki".to_string()), ); let user = build_user("1675940", attrs); let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); let authorizer = subject_with(entities); assert!(authorizer.authorize(request.clone())); let mut attrs = std::collections::HashMap::new(); attrs.insert( "username".to_string(), cedar_policy::RestrictedExpression::new_string("root".to_string()), ); let user = build_user("1", attrs); let entities = cedar_policy::Entities::from_entities([user], None).unwrap(); let authorizer = subject_with(entities); assert!(!authorizer.authorize(request.clone())); } }