package frame_test
import (
"context"
"encoding/json"
"errors"
"fmt"
"github.com/pitabwire/frame"
"net/http"
"testing"
)
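// authorizationControlListWrite adds a relation tuple to the authorization
// server's write endpoint using the authenticated claims carried by ctx.
//
// The tuple's namespace and object come from the claims (tenant id and
// partition id); action becomes the relation and subject the subject_id.
// An error is returned when ctx carries no claims, when the request fails,
// when the server answers with a non-2xx status, or when the response body
// is not valid JSON.
func authorizationControlListWrite(ctx context.Context, writeServerURL string, action string, subject string) error {
	authClaims := frame.ClaimsFromContext(ctx)
	if authClaims == nil {
		// An unauthenticated context must never reach the admin write endpoint.
		return errors.New("only authenticated requests should be used to check authorization")
	}
	service := frame.FromContext(ctx)

	payload := map[string]any{
		"namespace":  authClaims.GetTenantId(),
		"object":     authClaims.GetPartitionId(),
		"relation":   action,
		"subject_id": subject,
	}

	status, result, err := service.InvokeRestService(ctx, http.MethodPut, writeServerURL, payload, nil)
	if err != nil {
		return fmt.Errorf("writing relation tuple to %s: %w", writeServerURL, err)
	}
	if status < http.StatusOK || status >= http.StatusMultipleChoices {
		// %q keeps an unexpected (possibly empty or HTML) body readable in the test log.
		return fmt.Errorf("invalid response status %d had message %q", status, result)
	}

	// The decoded body is not used further; unmarshalling only confirms that a
	// 2xx reply actually carried JSON rather than, say, a proxy's HTML page.
	var response map[string]any
	if err := json.Unmarshal(result, &response); err != nil {
		return fmt.Errorf("decoding relation tuple response: %w", err)
	}
	return nil
}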
// TestAuthorizationControlListWrite checks that a relation tuple can be
// written through the helper when the context carries a service and claims.
// It requires an authorization server listening on the hard-coded local URL.
func TestAuthorizationControlListWrite(t *testing.T) {
	const writeURL = "http://localhost:4467/admin/relation-tuples"

	cfg := &frame.ConfigurationDefault{AuthorizationServiceWriteURI: writeURL}
	ctx, svc := frame.NewService("Test Srv", frame.Config(cfg))
	ctx = frame.ToContext(ctx, svc)

	// Claims supply the tenant/partition that become the tuple's namespace/object.
	claims := frame.AuthenticationClaims{
		Ext: map[string]any{
			"partition_id": "partition",
			"tenant_id":    "default",
			"access_id":    "access",
		},
	}
	claims.Subject = "profile"
	ctx = claims.ClaimsToContext(ctx)

	if err := authorizationControlListWrite(ctx, writeURL, "read", "tested"); err != nil {
		t.Fatalf("Authorization write was not possible see %s", err)
	}
}
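// TestAuthHasAccess writes a relation tuple granting "read" to subject
// "reader" and then verifies that the check endpoint allows that subject and
// rejects an unrelated one. It requires an authorization server listening on
// the hard-coded local read and write URLs.
func TestAuthHasAccess(t *testing.T) {
	const writeURL = "http://localhost:4467/admin/relation-tuples"

	ctx, svc := frame.NewService("Test Srv", frame.Config(
		&frame.ConfigurationDefault{
			AuthorizationServiceReadURI:  "http://localhost:4466/relation-tuples/check",
			AuthorizationServiceWriteURI: writeURL,
		}))
	ctx = frame.ToContext(ctx, svc)

	// Claims supply the tenant/partition that scope both the write and the check.
	claims := frame.AuthenticationClaims{
		Ext: map[string]any{
			"partition_id": "partition",
			"tenant_id":    "default",
			"access_id":    "access",
		},
	}
	claims.Subject = "profile"
	ctx = claims.ClaimsToContext(ctx)

	if err := authorizationControlListWrite(ctx, writeURL, "read", "reader"); err != nil {
		t.Fatalf("Authorization write was not possible see %v", err)
	}

	// A failed check call must stop the test here; the original fell through to
	// the negative case with a stale result when err was non-nil.
	access, err := frame.AuthHasAccess(ctx, "read", "reader")
	if err != nil {
		t.Fatalf("Authorization check was not possible see %v", err)
	}
	if !access {
		t.Fatalf("Authorization check was forbidden")
	}

	// Negative case: a subject with no tuple must not be granted access. The
	// original asserts that the check also reports an error for it.
	access, err = frame.AuthHasAccess(ctx, "read", "read-master")
	if err == nil || access {
		t.Fatalf("Authorization check should have been forbidden for a subject without a tuple (access=%t, err=%v)", access, err)
	}
}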