diff options
Diffstat (limited to 'app/middleware/require_permission_test.go')
| -rw-r--r-- | app/middleware/require_permission_test.go | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/app/middleware/require_permission_test.go b/app/middleware/require_permission_test.go new file mode 100644 index 0000000..34a04a7 --- /dev/null +++ b/app/middleware/require_permission_test.go @@ -0,0 +1,58 @@ +package middleware + +import ( + "context" + "net/http" + "testing" + + "github.com/stretchr/testify/require" + "github.com/xlgmokha/x/pkg/test" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain" +) + +type MockAbility func(context.Context, *rpc.AllowRequest) (*rpc.AllowReply, error) + +func (m MockAbility) Allowed(ctx context.Context, r *rpc.AllowRequest) (*rpc.AllowReply, error) { + return m(ctx, r) +} + +func TestRequirePermission(t *testing.T) { + user := &domain.User{ID: domain.ID("1")} + ctx := cfg.CurrentUser.With(t.Context(), user) + permission := Permission("read_sparkles") + + t.Run("when the permission is granted", func(t *testing.T) { + r, w := test.RequestResponse("GET", "/sparkles", test.WithContext(ctx)) + + middleware := RequirePermission(permission, MockAbility(func(ctx context.Context, r *rpc.AllowRequest) (*rpc.AllowReply, error) { + require.Equal(t, "gid://sparkle/User/"+user.ID.String(), r.Subject) + require.Equal(t, permission.ToGID(), r.Permission) + require.Equal(t, "gid://sparkle/Sparkle/*", r.Resource) + + return &rpc.AllowReply{Result: true}, nil + })) + server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusTeapot) + })) + server.ServeHTTP(w, r) + + require.Equal(t, http.StatusTeapot, w.Code) + }) + + t.Run("when the permission is denied", func(t *testing.T) { + r, w := test.RequestResponse("GET", "/sparkles", test.WithContext(ctx)) + + middleware := RequirePermission(permission, MockAbility(func(ctx context.Context, r *rpc.AllowRequest) (*rpc.AllowReply, error) { + return &rpc.AllowReply{Result: false}, nil + })) + server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + require.Fail(t, "unexpected call to handler") + })) + + server.ServeHTTP(w, r) + + require.Equal(t, http.StatusForbidden, w.Code) + }) +} |