influxdb/authorizer/agent_test.go


package authorizer_test
import (
"context"
"testing"
"github.com/influxdata/influxdb/v2"
"github.com/influxdata/influxdb/v2/authorizer"
icontext "github.com/influxdata/influxdb/v2/context"
"github.com/influxdata/influxdb/v2/mock"
influxdbtesting "github.com/influxdata/influxdb/v2/testing"
"github.com/stretchr/testify/require"
)
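// Test_Agent exercises authorizer.AuthAgent against a mock authorizer stored in
// the request context. Each case builds a permission set, asks the agent a single
// yes/no authorization question about an org or a resource type, and pins whether
// that question must be refused with an error. Both positive (grant) and negative
// (deny) cases are kept side by side so a regression that widens access shows up
// as a failed deny case, not just as a passing grant case.
//
// NOTE(review): mock.NewMockAuthorizer's first argument is passed as false in every
// case; its meaning is not visible from this file (presumably an "allow all"
// switch) — confirm against the mock package before reusing it elsewhere.
func Test_Agent(t *testing.T) {
	// orgPerm builds a permission scoped to a single organization ID.
	orgPerm := func(action influxdb.Action, orgID influxdb.ID) influxdb.Permission {
		return influxdb.Permission{
			Action: action,
			Resource: influxdb.Resource{
				Type: influxdb.OrgsResourceType,
				ID:   influxdbtesting.IDPtr(orgID),
			},
		}
	}

	// typePerm builds a permission over every resource of the given type
	// (no ID, so it is not scoped to a particular org or resource instance).
	typePerm := func(action influxdb.Action, rt influxdb.ResourceType) influxdb.Permission {
		return influxdb.Permission{
			Action:   action,
			Resource: influxdb.Resource{Type: rt},
		}
	}

	// check asserts the agent's answer against the case's expectation.
	check := func(t *testing.T, err error, shouldErr bool) {
		t.Helper()
		if shouldErr {
			require.Error(t, err)
			return
		}
		require.NoError(t, err)
	}

	t.Run("OrgPermissions", func(t *testing.T) {
		tests := []struct {
			name        string
			action      influxdb.Action
			orgID       influxdb.ID
			permissions []influxdb.Permission
			shouldErr   bool
		}{
			{
				name:        "read valid org is successful",
				action:      influxdb.ReadAction,
				orgID:       3,
				permissions: []influxdb.Permission{orgPerm(influxdb.ReadAction, 3)},
			},
			{
				name:        "write from valid org is successful",
				action:      influxdb.WriteAction,
				orgID:       3,
				permissions: []influxdb.Permission{orgPerm(influxdb.WriteAction, 3)},
			},
			{
				name:   "read from org with only both privileges is successful",
				action: influxdb.ReadAction,
				orgID:  3,
				permissions: []influxdb.Permission{
					orgPerm(influxdb.ReadAction, 3),
					orgPerm(influxdb.WriteAction, 3),
				},
			},
			{
				name:   "write from org with only both privileges is successful",
				action: influxdb.WriteAction,
				orgID:  3,
				permissions: []influxdb.Permission{
					orgPerm(influxdb.ReadAction, 3),
					orgPerm(influxdb.WriteAction, 3),
				},
			},
			{
				name:        "read from invalid org errors",
				action:      influxdb.ReadAction,
				orgID:       3333,
				permissions: []influxdb.Permission{orgPerm(influxdb.ReadAction, 3)},
				shouldErr:   true,
			},
			{
				name:        "write from invalid org errors",
				action:      influxdb.WriteAction,
				orgID:       3333,
				permissions: []influxdb.Permission{orgPerm(influxdb.WriteAction, 3)},
				shouldErr:   true,
			},
			{
				name:        "read from org with only write privileges should errors",
				action:      influxdb.ReadAction,
				orgID:       3,
				permissions: []influxdb.Permission{orgPerm(influxdb.WriteAction, 3)},
				shouldErr:   true,
			},
			{
				name:        "write from org with only read privileges should errors",
				action:      influxdb.WriteAction,
				orgID:       3,
				permissions: []influxdb.Permission{orgPerm(influxdb.ReadAction, 3)},
				shouldErr:   true,
			},
			// Deny-by-default: an authorizer carrying no permissions at all must
			// never be granted either action.
			{
				name:      "read with no permissions errors",
				action:    influxdb.ReadAction,
				orgID:     3,
				shouldErr: true,
			},
			{
				name:      "write with no permissions errors",
				action:    influxdb.WriteAction,
				orgID:     3,
				shouldErr: true,
			},
		}

		for _, tt := range tests {
			tt := tt // guard against loop-variable capture if a case ever calls t.Parallel()
			t.Run(tt.name, func(t *testing.T) {
				ctx := icontext.SetAuthorizer(context.TODO(), mock.NewMockAuthorizer(false, tt.permissions))
				agent := new(authorizer.AuthAgent)
				check(t, agent.OrgPermissions(ctx, tt.orgID, tt.action), tt.shouldErr)
			})
		}
	})

	t.Run("IsWritable", func(t *testing.T) {
		tests := []struct {
			name         string
			resourceType influxdb.ResourceType
			orgID        influxdb.ID
			permissions  []influxdb.Permission
			shouldErr    bool
		}{
			{
				name:         "valid org write perms is always successful",
				resourceType: influxdb.LabelsResourceType,
				orgID:        3,
				permissions:  []influxdb.Permission{orgPerm(influxdb.WriteAction, 3)},
			},
			{
				name:         "valid resource write perm is always successful",
				resourceType: influxdb.LabelsResourceType,
				orgID:        3,
				permissions:  []influxdb.Permission{typePerm(influxdb.WriteAction, influxdb.LabelsResourceType)},
			},
			{
				name:         "valid org and resource write perm is always successful",
				resourceType: influxdb.LabelsResourceType,
				orgID:        3,
				permissions: []influxdb.Permission{
					orgPerm(influxdb.WriteAction, 3),
					typePerm(influxdb.WriteAction, influxdb.LabelsResourceType),
				},
			},
			{
				name:         "read only org perm errors",
				resourceType: influxdb.LabelsResourceType,
				orgID:        3,
				permissions:  []influxdb.Permission{orgPerm(influxdb.ReadAction, 3)},
				shouldErr:    true,
			},
			{
				name:         "read only resource perms errors",
				resourceType: influxdb.LabelsResourceType,
				orgID:        3,
				permissions:  []influxdb.Permission{typePerm(influxdb.ReadAction, influxdb.LabelsResourceType)},
				shouldErr:    true,
			},
			{
				name:         "read only org and resource resource perms errors",
				resourceType: influxdb.LabelsResourceType,
				orgID:        3,
				permissions: []influxdb.Permission{
					orgPerm(influxdb.ReadAction, 3),
					typePerm(influxdb.ReadAction, influxdb.LabelsResourceType),
				},
				shouldErr: true,
			},
			// Deny-by-default and tenant isolation: no permissions, or a write
			// permission belonging to a different org, must not make org 3 writable.
			{
				name:         "no permissions errors",
				resourceType: influxdb.LabelsResourceType,
				orgID:        3,
				shouldErr:    true,
			},
			{
				name:         "write perm on a different org errors",
				resourceType: influxdb.LabelsResourceType,
				orgID:        3,
				permissions:  []influxdb.Permission{orgPerm(influxdb.WriteAction, 4)},
				shouldErr:    true,
			},
		}

		for _, tt := range tests {
			tt := tt // guard against loop-variable capture if a case ever calls t.Parallel()
			t.Run(tt.name, func(t *testing.T) {
				ctx := icontext.SetAuthorizer(context.TODO(), mock.NewMockAuthorizer(false, tt.permissions))
				agent := new(authorizer.AuthAgent)
				check(t, agent.IsWritable(ctx, tt.orgID, tt.resourceType), tt.shouldErr)
			})
		}
	})
}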