1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
#[cfg(test)]
mod tests {
use crate::support::factory_bot::*;
use crate::support::*;
use authzd::Authorizer;
use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest;
use std::collections::HashMap;
fn subject() -> authzd::CedarAuthorizer {
common::setup();
subject_with(cedar_policy::Entities::empty())
}
fn subject_with(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer {
build_cedar_authorizer(entities)
}
#[test]
fn test_cedar_authorizer_denies_missing_header() {
assert!(
!subject().authorize(build_request(|item: &mut HttpRequest| {
item.headers = HashMap::new();
}))
);
}
#[test]
fn test_unauthenticated_sparkle_endpoints() {
let hosts = vec![
"localhost:10000",
"sparkle.runway.gitlab.net",
"sparkle.staging.runway.gitlab.net",
];
let routes = vec![
("GET", "/", true),
("GET", "/callback", true),
("GET", "/dashboard/nav", true),
("GET", "/health", true),
("GET", "/signout", true),
("GET", "/sparkles", true),
("POST", "/sparkles/restore", true),
("GET", "/dashboard", false),
("POST", "/sparkles", false),
];
let authorizer = subject();
for host in hosts {
for (method, path, expected) in &routes {
let request = build_request(|item: &mut HttpRequest| {
item.method = method.to_string();
item.path = path.to_string();
item.host = host.to_string();
item.headers = build_headers(vec![
(String::from(":path"), path.to_string()),
(String::from(":method"), method.to_string()),
(String::from(":authority"), host.to_string()),
]);
});
assert_eq!(authorizer.authorize(request), *expected);
}
}
}
// TODO:: Add entities to represent access to:
// * list of sparkles: `:read, gid://sparkle/Sparkle/*`
// * single sparkle: `:read, gid://sparkle/Sparkle/:id`
// * create sparkle: `:create, gid://sparkle/Sparkle/*`
// * update sparkles: `:update, gid://sparkle/Sparkle/*`
// * update single sparkle: `:update, gid://sparkle/Sparkle/:id`
// * delete sparkles: `:delete, gid://sparkle/Sparkle/*`
// * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id`
#[test]
fn test_authenticated_create_sparkle() {
let request = build_request(|item: &mut HttpRequest| {
item.method = "POST".to_string();
item.path = "/sparkles".to_string();
item.host = "sparkle.staging.runway.gitlab.net".to_string();
item.headers = build_headers(vec![
(String::from(":path"), item.path.to_string()),
(String::from(":method"), item.method.to_string()),
(String::from(":authority"), item.host.to_string()),
(String::from("x-jwt-claim-sub"), "1675940".to_string()),
]);
});
let user = build_user("1675940");
let entities = cedar_policy::Entities::from_entities([user], None).unwrap();
let authorizer = subject_with(entities);
assert!(authorizer.authorize(request));
}
}
|
