1 package integration_test
2
3 import (
4 "context"
5
6 "edge-infra.dev/pkg/edge/api/bsl/types"
7 "edge-infra.dev/pkg/edge/api/graph/model"
8 "edge-infra.dev/pkg/edge/api/middleware"
9 "edge-infra.dev/test/framework/integration"
10 )
11
12 func (s *Suite) TestRoleValidation() {
13 integration.SkipIf(s.Framework)
14 hr := s.Resolver.HasRole()
15 c := middleware.NewContext(context.Background(), &types.AuthUser{
16 Roles: []string{"random", string(model.RoleEdgeBannerOperator)},
17 })
18 _, err := hr(c, map[string]string{}, func(_ context.Context) (_ interface{}, _ error) { return nil, nil }, []model.Role{model.RoleEdgeBannerOperator})
19 s.Assert().NoError(err)
20 hr = s.Resolver.HasRole()
21 c = middleware.NewContext(context.Background(), &types.AuthUser{
22 Roles: []string{"random", "random2", string(model.RoleEdgeOrgAdmin)},
23 })
24 _, err = hr(c, map[string]string{}, func(_ context.Context) (_ interface{}, _ error) { return nil, nil }, []model.Role{model.RoleEdgeBannerOperator})
25 s.Assert().Error(err)
26 }
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64 func (s *Suite) TestBannerValidation() {
65 integration.SkipIf(s.Framework)
66 hr := s.Resolver.HasBannerAccess()
67
68 c := middleware.NewContext(context.Background(), &types.AuthUser{
69 Organization: "test-org",
70 Username: testUser,
71 })
72 _, err := hr(c, map[string]interface{}{"bannerEdgeId": "3396a52c-6a22-4049-9593-5a63b596a100"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "bannerEdgeId")
73 s.Assert().NoError(err, "user should have access to this banner")
74
75 c = middleware.NewContext(context.Background(), &types.AuthUser{
76 Organization: "test-org-2",
77 Username: testUser,
78 })
79 _, err = hr(c, map[string]interface{}{"bannerEdgeId": "3396a52c-6a22-4049-9593-5a63b596a100"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "bannerEdgeId")
80 s.Assert().Error(err, "user should not have access to this banner")
81
82 _, err = hr(c, map[string]interface{}{"bannerEdgeId": nil}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "bannerEdgeId")
83 s.Assert().NoError(err, "nil id should not error")
84
85 c = middleware.NewContext(context.Background(), &types.AuthUser{
86 Organization: "test-org-2",
87 Roles: []string{string(model.RoleTotpRole)},
88 })
89 _, err = hr(c, map[string]interface{}{"bannerEdgeId": "3396a52c-6a22-4049-9593-5a63b596a100"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "bannerEdgeId")
90 s.Assert().NoError(err, "should not validate totp token role")
91
92 c = middleware.NewContext(context.Background(), &types.AuthUser{
93 Organization: "test-org-3",
94 Username: testUser,
95 })
96 _, err = hr(c, map[string]interface{}{"bannerEdgeId": "3396a52c-6a22-4049-9593-5a63b596a106"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "bannerEdgeId")
97 s.Assert().Error(err, "user should not have access to this banner")
98 }
99
100 func (s *Suite) TestLabelValidation() {
101 integration.SkipIf(s.Framework)
102 hr := s.Resolver.HasLabelAccess()
103
104 c := middleware.NewContext(context.Background(), &types.AuthUser{
105 Organization: testUsername,
106 Username: testUserName,
107 AuthProvider: model.AuthProviderBsl.String(),
108 })
109 _, err := hr(c, map[string]interface{}{"labelEdgeId": "442f2e77-279d-45af-acae-4ec5458b7e25"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeId")
110 s.Assert().NoError(err, "user should have access to this label")
111
112 c = middleware.NewContext(context.Background(), &types.AuthUser{
113 Organization: "test-org-2",
114 })
115 _, err = hr(c, map[string]interface{}{"labelEdgeId": "aac1f183-50bc-453f-a822-9ab11aa70916"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeId")
116 s.Assert().Error(err, "user should not have organization access to this label")
117
118 _, err = hr(c, map[string]interface{}{"labelEdgeId": nil}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeId")
119 s.Assert().NoError(err, "nil id should not error")
120
121 c = middleware.NewContext(context.Background(), &types.AuthUser{
122 Organization: "test-org-2",
123 Roles: []string{string(model.RoleTotpRole)},
124 })
125 _, err = hr(c, map[string]interface{}{"labelEdgeId": "aac1f183-50bc-453f-a822-9ab11aa70916"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeId")
126 s.Assert().NoError(err, "should not validate totp token role")
127
128 c = middleware.NewContext(context.Background(), &types.AuthUser{
129 Organization: "test-org",
130 })
131 _, err = hr(c, map[string]interface{}{"labelEdgeId": "442f2e77-279d-45af-acae-4ec5458b7e21"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeId")
132 s.Assert().Error(err, "user should not have banner access to this label")
133 }
134
135 func (s *Suite) TestLabelsValidation() {
136 integration.SkipIf(s.Framework)
137 hr := s.Resolver.HasLabelAccess()
138
139 c := middleware.NewContext(context.Background(), &types.AuthUser{
140 Organization: testUsername,
141 Username: testUserName,
142 AuthProvider: model.AuthProviderBsl.String(),
143 })
144 _, err := hr(c, map[string]interface{}{
145 "labelEdgeIds": []interface{}{
146 "442f2e77-279d-45af-acae-4ec5458b7e25",
147 }}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeIds")
148 s.Assert().NoError(err, "user should have access to these labels")
149
150 c = middleware.NewContext(context.Background(), &types.AuthUser{
151 Organization: "test-org",
152 })
153 _, err = hr(c, map[string]interface{}{"labelEdgeIds": []interface{}{"aac1f183-50bc-453f-a822-9ab11aa70916", "442f2e77-279d-45af-acae-4ec5458b7e25", "442f2e77-279d-45af-acae-4ec5458b7e21"}}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeIds")
154 s.Assert().Error(err, "user should not have access to one or more of these labels")
155 }
156
157 func (s *Suite) TestCanAssignRoleValidation() {
158 integration.SkipIf(s.Framework)
159 hr := s.Resolver.CanAssignRole()
160 abilityMap := map[string]interface{}{"EDGE_ORG_ADMIN": []interface{}{"EDGE_ORG_ADMIN", "EDGE_BANNER_ADMIN", "EDGE_BANNER_OPERATOR", "EDGE_BANNER_VIEWER"}}
161
162 c := middleware.NewContext(context.Background(), &types.AuthUser{
163 Organization: "test-org",
164 Roles: []string{"EDGE_TEST_ROLE", "EDGE_ORG_ADMIN"},
165 })
166 _, err = hr(c, map[string]interface{}{"role": "EDGE_TEST_ROLE"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, abilityMap)
167 s.Assert().Error(err, "user should not be able to assign this role")
168
169 c = middleware.NewContext(context.Background(), &types.AuthUser{
170 Organization: "test-org",
171 Roles: []string{"EDGE_BANNER_ADMIN", "EDGE_BANNER_OPERATOR"},
172 })
173 _, err = hr(c, map[string]interface{}{"role": "EDGE_BANNER_ADMIN"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, abilityMap)
174 s.Assert().Error(err, "user should not be able to assign this role")
175
176 _, err = hr(c, "invalid object", func(_ context.Context) (res interface{}, err error) { return nil, nil }, abilityMap)
177 s.Assert().Error(err, "input object is not a map")
178
179 _, err = hr(c, map[string]interface{}{"edgeRole": "EDGE_BANNER_ADMIN"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, abilityMap)
180 s.Assert().Error(err, "there is no role field in the input map")
181 }
182
View as plain text