From 9674cfaedfdb8d583cfe75e1c1738a1c1d66c7f9 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 23 Jul 2025 12:21:24 -0600
Subject: refactor: inject permission service into sparkle controller

---
 internal/stub/check.go | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 internal/stub/check.go

(limited to 'internal/stub')

diff --git a/internal/stub/check.go b/internal/stub/check.go
new file mode 100644
index 0000000..ec257e3
--- /dev/null
+++ b/internal/stub/check.go
@@ -0,0 +1,53 @@
+package stub
+
+import (
+ "context"
+ "strings"
+ "testing"
+
+ v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
+ "github.com/stretchr/testify/require"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/authz"
+ "google.golang.org/grpc"
+)
+
+type Check func(context.Context, *v1.CheckPermissionRequest) (*v1.CheckPermissionResponse, error)
+
+func (m Check) CheckPermission(ctx context.Context, r *v1.CheckPermissionRequest, opts ...grpc.CallOption) (*v1.CheckPermissionResponse, error) {
+ return m(ctx, r)
+}
+
+func AllowWith(t *testing.T, subject string, permission string, resource string) authz.PermissionService {
+ user := strings.SplitN(subject, ":", 2)
+ model := strings.SplitN(resource, ":", 2)
+
+ return Check(func(ctx context.Context, r *v1.CheckPermissionRequest) (*v1.CheckPermissionResponse, error) {
+ require.Equal(t, user[0], r.Subject.Object.ObjectType)
+ require.Equal(t, user[1], r.Subject.Object.ObjectId)
+
+ require.Equal(t, permission, r.Permission)
+
+ require.Equal(t, model[0], r.Resource.ObjectType)
+ require.Equal(t, model[1], r.Resource.ObjectId)
+
+ return &v1.CheckPermissionResponse{
+ Permissionship: v1.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION,
+ }, nil
+ })
+}
+
+func Allow() authz.PermissionService {
+ return Check(func(ctx context.Context, r *v1.CheckPermissionRequest) (*v1.CheckPermissionResponse, error) {
+ return &v1.CheckPermissionResponse{
+ Permissionship: v1.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION,
+ }, nil
+ })
+}
+
+func Deny() authz.PermissionService {
+ return Check(func(ctx context.Context, r *v1.CheckPermissionRequest) (*v1.CheckPermissionResponse, error) {
+ return &v1.CheckPermissionResponse{
+ Permissionship: v1.CheckPermissionResponse_PERMISSIONSHIP_NO_PERMISSION,
+ }, nil
+ })
+}
-- 
cgit v1.2.3
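Review bot: `AllowWith` indexes `user[1]` and `model[1]` without checking that `strings.SplitN` actually produced two parts, so a subject or resource passed without a ":" makes the stub panic with an index-out-of-range inside the request under test instead of failing with a readable assertion; add `require.Len(t, user, 2, "subject must be type:id")` and `require.Len(t, model, 2, "resource must be type:id")` right after the two splits, before the closure is built. The same closure dereferences `r.Subject.Object` and `r.Resource` unguarded, so a controller that forgets to populate either field also surfaces as a nil-pointer panic rather than a test failure; a `require.NotNil(t, r.Subject)` / `require.NotNil(t, r.Resource)` pair at the top of the closure would make the authorization contract the test is pinning explicit. Note also that `require` calls `t.FailNow`, which is only valid on the goroutine running the test; if the injected service is ever invoked from another goroutine (not visible in this hunk), the mismatch is reported as a misuse of FailNow, and returning a `PERMISSIONSHIP_NO_PERMISSION` response plus an error via `assert` would be the safer shape. Finally, `Check`, `AllowWith`, `Allow` and `Deny` are exported without doc comments; a one-liner per name stating that these are test doubles that never consult SpiceDB (e.g. `// Allow returns a PermissionService that grants every check; test use only.`) would stop them being mistaken for a real client.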