...

Source file src/edge-infra.dev/pkg/edge/api/graph/integration/roles_test.go

Documentation: edge-infra.dev/pkg/edge/api/graph/integration

     1  package integration_test
     2  
     3  import (
     4  	"context"
     5  
     6  	"edge-infra.dev/pkg/edge/api/bsl/types"
     7  	"edge-infra.dev/pkg/edge/api/graph/model"
     8  	"edge-infra.dev/pkg/edge/api/middleware"
     9  	"edge-infra.dev/test/framework/integration"
    10  )
    11  
    12  func (s *Suite) TestRoleValidation() {
    13  	integration.SkipIf(s.Framework)
    14  	hr := s.Resolver.HasRole()
    15  	c := middleware.NewContext(context.Background(), &types.AuthUser{
    16  		Roles: []string{"random", string(model.RoleEdgeBannerOperator)},
    17  	})
    18  	_, err := hr(c, map[string]string{}, func(_ context.Context) (_ interface{}, _ error) { return nil, nil }, []model.Role{model.RoleEdgeBannerOperator})
    19  	s.Assert().NoError(err)
    20  	hr = s.Resolver.HasRole()
    21  	c = middleware.NewContext(context.Background(), &types.AuthUser{
    22  		Roles: []string{"random", "random2", string(model.RoleEdgeOrgAdmin)},
    23  	})
    24  	_, err = hr(c, map[string]string{}, func(_ context.Context) (_ interface{}, _ error) { return nil, nil }, []model.Role{model.RoleEdgeBannerOperator})
    25  	s.Assert().Error(err)
    26  }
    27  
    28  // TODO(pa250194_ncrvoyix): rewrite test once we get the testing strategy ironed out
    29  //func (s *Suite) TestClusterValidation() { //nolint:dupl
    30  //	integration.SkipIf(s.Framework)
    31  //	hr := s.Resolver.HasClusterAccess()
    32  //	//standard access test
    33  //	c := middleware.NewContext(context.Background(), &types.AuthUser{
    34  //		Organization: testUsername,
    35  //		Username:     "multiple",
    36  //		AuthProvider: model.AuthProviderBsl.String(),
    37  //	})
    38  //	_, err := hr(c, map[string]interface{}{"clusterEdgeId": "5af7b37a-c149-4df4-ad0d-2b0e03bd9ed1"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "clusterEdgeId")
    39  //	s.Assert().NoError(err, "user should have access to this cluster")
    40  //	//no access test
    41  //	c = middleware.NewContext(context.Background(), &types.AuthUser{
    42  //		Organization: "test-org",
    43  //	})
    44  //	_, err = hr(c, map[string]interface{}{"clusterEdgeId": "3396a52c-6a22-4049-9593-5a63b596a201"}, func(_ context.Context) (res interface{}, err error) { return nil, errors.New("") }, "clusterEdgeId")
    45  //	s.Assert().Error(err, "user should not have organization access to this cluster")
    46  //	//nil id test
    47  //	_, err = hr(c, map[string]interface{}{"clusterEdgeId": nil}, func(_ context.Context) (_ interface{}, _ error) { return nil, nil }, "clusterEdgeId")
    48  //	s.Assert().NoError(err, "nil id should not error")
    49  //	//totp token test
    50  //	c = middleware.NewContext(context.Background(), &types.AuthUser{
    51  //		Organization: "test-org",
    52  //		Roles:        []string{string(model.RoleTotpRole)},
    53  //	})
    54  //	_, err = hr(c, map[string]interface{}{"clusterEdgeId": "3396a52c-6a22-4049-9593-5a63b596a201"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "clusterEdgeId")
    55  //	s.Assert().NoError(err, "should not validate totp token role")
    56  //	//no banner access test
    57  //	c = middleware.NewContext(context.Background(), &types.AuthUser{
    58  //		Organization: "test-org",
    59  //	})
    60  //	_, err = hr(c, map[string]interface{}{"clusterEdgeId": "3396a52c-6a22-4049-9593-5a63b596a521"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "clusterEdgeId")
    61  //	s.Assert().Error(err, "user should not have banner access to this cluster")
    62  //}
    63  
    64  func (s *Suite) TestBannerValidation() { //nolint:dupl
    65  	integration.SkipIf(s.Framework)
    66  	hr := s.Resolver.HasBannerAccess()
    67  	//standard access test
    68  	c := middleware.NewContext(context.Background(), &types.AuthUser{
    69  		Organization: "test-org",
    70  		Username:     testUser,
    71  	})
    72  	_, err := hr(c, map[string]interface{}{"bannerEdgeId": "3396a52c-6a22-4049-9593-5a63b596a100"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "bannerEdgeId")
    73  	s.Assert().NoError(err, "user should have access to this banner")
    74  	//no org access test
    75  	c = middleware.NewContext(context.Background(), &types.AuthUser{
    76  		Organization: "test-org-2",
    77  		Username:     testUser,
    78  	})
    79  	_, err = hr(c, map[string]interface{}{"bannerEdgeId": "3396a52c-6a22-4049-9593-5a63b596a100"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "bannerEdgeId")
    80  	s.Assert().Error(err, "user should not have access to this banner")
    81  	//nil id test
    82  	_, err = hr(c, map[string]interface{}{"bannerEdgeId": nil}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "bannerEdgeId")
    83  	s.Assert().NoError(err, "nil id should not error")
    84  	//totp token test
    85  	c = middleware.NewContext(context.Background(), &types.AuthUser{
    86  		Organization: "test-org-2",
    87  		Roles:        []string{string(model.RoleTotpRole)},
    88  	})
    89  	_, err = hr(c, map[string]interface{}{"bannerEdgeId": "3396a52c-6a22-4049-9593-5a63b596a100"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "bannerEdgeId")
    90  	s.Assert().NoError(err, "should not validate totp token role")
    91  	//no banner access test
    92  	c = middleware.NewContext(context.Background(), &types.AuthUser{
    93  		Organization: "test-org-3",
    94  		Username:     testUser,
    95  	})
    96  	_, err = hr(c, map[string]interface{}{"bannerEdgeId": "3396a52c-6a22-4049-9593-5a63b596a106"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "bannerEdgeId")
    97  	s.Assert().Error(err, "user should not have access to this banner")
    98  }
    99  
   100  func (s *Suite) TestLabelValidation() { //nolint:dupl
   101  	integration.SkipIf(s.Framework)
   102  	hr := s.Resolver.HasLabelAccess()
   103  	//standard access test
   104  	c := middleware.NewContext(context.Background(), &types.AuthUser{
   105  		Organization: testUsername,
   106  		Username:     testUserName,
   107  		AuthProvider: model.AuthProviderBsl.String(),
   108  	})
   109  	_, err := hr(c, map[string]interface{}{"labelEdgeId": "442f2e77-279d-45af-acae-4ec5458b7e25"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeId")
   110  	s.Assert().NoError(err, "user should have access to this label")
   111  	//no access test
   112  	c = middleware.NewContext(context.Background(), &types.AuthUser{
   113  		Organization: "test-org-2",
   114  	})
   115  	_, err = hr(c, map[string]interface{}{"labelEdgeId": "aac1f183-50bc-453f-a822-9ab11aa70916"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeId")
   116  	s.Assert().Error(err, "user should not have organization access to this label")
   117  	//nil id test
   118  	_, err = hr(c, map[string]interface{}{"labelEdgeId": nil}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeId")
   119  	s.Assert().NoError(err, "nil id should not error")
   120  	//totp token test
   121  	c = middleware.NewContext(context.Background(), &types.AuthUser{
   122  		Organization: "test-org-2",
   123  		Roles:        []string{string(model.RoleTotpRole)},
   124  	})
   125  	_, err = hr(c, map[string]interface{}{"labelEdgeId": "aac1f183-50bc-453f-a822-9ab11aa70916"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeId")
   126  	s.Assert().NoError(err, "should not validate totp token role")
   127  	//no banner access test
   128  	c = middleware.NewContext(context.Background(), &types.AuthUser{
   129  		Organization: "test-org",
   130  	})
   131  	_, err = hr(c, map[string]interface{}{"labelEdgeId": "442f2e77-279d-45af-acae-4ec5458b7e21"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeId")
   132  	s.Assert().Error(err, "user should not have banner access to this label")
   133  }
   134  
   135  func (s *Suite) TestLabelsValidation() { //nolint:dupl
   136  	integration.SkipIf(s.Framework)
   137  	hr := s.Resolver.HasLabelAccess()
   138  	//test access for accessible labels
   139  	c := middleware.NewContext(context.Background(), &types.AuthUser{
   140  		Organization: testUsername,
   141  		Username:     testUserName,
   142  		AuthProvider: model.AuthProviderBsl.String(),
   143  	})
   144  	_, err := hr(c, map[string]interface{}{
   145  		"labelEdgeIds": []interface{}{
   146  			"442f2e77-279d-45af-acae-4ec5458b7e25",
   147  		}}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeIds")
   148  	s.Assert().NoError(err, "user should have access to these labels")
   149  	//test when user does not have access to one of the labels
   150  	c = middleware.NewContext(context.Background(), &types.AuthUser{
   151  		Organization: "test-org",
   152  	})
   153  	_, err = hr(c, map[string]interface{}{"labelEdgeIds": []interface{}{"aac1f183-50bc-453f-a822-9ab11aa70916", "442f2e77-279d-45af-acae-4ec5458b7e25", "442f2e77-279d-45af-acae-4ec5458b7e21"}}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, "labelEdgeIds")
   154  	s.Assert().Error(err, "user should not have access to one or more of these labels")
   155  }
   156  
   157  func (s *Suite) TestCanAssignRoleValidation() {
   158  	integration.SkipIf(s.Framework)
   159  	hr := s.Resolver.CanAssignRole()
   160  	abilityMap := map[string]interface{}{"EDGE_ORG_ADMIN": []interface{}{"EDGE_ORG_ADMIN", "EDGE_BANNER_ADMIN", "EDGE_BANNER_OPERATOR", "EDGE_BANNER_VIEWER"}}
   161  	//test when user can assign role
   162  	c := middleware.NewContext(context.Background(), &types.AuthUser{
   163  		Organization: "test-org",
   164  		Roles:        []string{"EDGE_TEST_ROLE", "EDGE_ORG_ADMIN"},
   165  	})
   166  	_, err = hr(c, map[string]interface{}{"role": "EDGE_TEST_ROLE"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, abilityMap)
   167  	s.Assert().Error(err, "user should not be able to assign this role")
   168  	//test when user cannot assign role #2
   169  	c = middleware.NewContext(context.Background(), &types.AuthUser{
   170  		Organization: "test-org",
   171  		Roles:        []string{"EDGE_BANNER_ADMIN", "EDGE_BANNER_OPERATOR"},
   172  	})
   173  	_, err = hr(c, map[string]interface{}{"role": "EDGE_BANNER_ADMIN"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, abilityMap)
   174  	s.Assert().Error(err, "user should not be able to assign this role")
   175  	//test when input object type is invalid
   176  	_, err = hr(c, "invalid object", func(_ context.Context) (res interface{}, err error) { return nil, nil }, abilityMap)
   177  	s.Assert().Error(err, "input object is not a map")
   178  	//test when object does not have role as a key
   179  	_, err = hr(c, map[string]interface{}{"edgeRole": "EDGE_BANNER_ADMIN"}, func(_ context.Context) (res interface{}, err error) { return nil, nil }, abilityMap)
   180  	s.Assert().Error(err, "there is no role field in the input map")
   181  }
   182  

View as plain text