// Copyright 2016 Canonical Ltd.
// Licensed under the LGPLv3, see LICENCE file for details.
package idmclient_test
import (
"time"
jc "github.com/juju/testing/checkers"
gc "gopkg.in/check.v1"
"github.com/juju/idmclient"
"github.com/juju/idmclient/idmtest"
)
// permCheckerSuite groups the gocheck tests for the permission checker
// and the group cache. It carries no state of its own; every test
// builds its own idmtest server.
type permCheckerSuite struct{}

// Register the suite with gocheck so its Test* methods are run.
var _ = gc.Suite(new(permCheckerSuite))
// TestPermChecker checks the access decisions made by PermChecker.Allow
// against a test identity server, including the special "everyone"
// ACL entries and the effect of the group cache on later lookups.
func (s *permCheckerSuite) TestPermChecker(c *gc.C) {
	idm := idmtest.NewServer()
	// NOTE(review): server-user is presumably placed in GroupListGroup so
	// that the client may query other users' groups; confirm in idmtest.
	idm.AddUser("server-user", idmtest.GroupListGroup)
	idm.AddUser("alice", "somegroup")
	cl, err := idmclient.New(idmclient.NewParams{
		BaseURL: idm.URL.String(),
		Client:  idm.Client("server-user"),
	})
	c.Assert(err, gc.IsNil)

	checker := idmclient.NewPermChecker(cl, time.Hour)

	// allow runs one permission check and fails the test on any error,
	// so each case below only has to assert the decision itself.
	allow := func(user string, acl []string) bool {
		allowed, err := checker.Allow(user, acl)
		c.Assert(err, gc.IsNil)
		return allowed
	}

	// An empty ACL grants nothing: the checker must deny by default.
	c.Assert(allow("bob", nil), gc.Equals, false)

	// An unknown user is reported as (false, nil), not as an error.
	c.Assert(allow("bob", []string{"beatles"}), gc.Equals, false)

	// "everyone" anywhere in the ACL admits any user.
	c.Assert(allow("bob", []string{"noone", "everyone"}), gc.Equals, true)

	// "everyone@somewhere" admits a user in that domain.
	c.Assert(allow("bob@somewhere", []string{"everyone@somewhere"}), gc.Equals, true)

	// The everyone@x match still works when the names contain
	// several @ separators.
	c.Assert(allow("bob@foo@somewhere@else", []string{"everyone@somewhere@else"}), gc.Equals, true)

	// "everyone" must only match as a whole name: an ACL entry that
	// merely starts with "everyone" must not open access.
	c.Assert(allow("bobx", []string{"everyonex"}), gc.Equals, false)

	// A user named directly in the ACL is admitted.
	c.Assert(allow("bob", []string{"noone", "bob"}), gc.Equals, true)

	idm.AddUser("bob", "beatles")

	// The earlier lookup for bob is still cached, so the new group
	// membership is not visible yet and the check keeps failing.
	// NOTE(review): the same staleness presumably applies to removed
	// memberships for up to the cache lifetime (time.Hour here); confirm.
	c.Assert(allow("bob", []string{"beatles"}), gc.Equals, false)

	// Evicting the cache forces a fresh lookup, which now succeeds.
	checker.CacheEvictAll()
	c.Assert(allow("bob", []string{"beatles"}), gc.Equals, true)
}
// TestGroupCache checks that GroupCache.Groups returns a user's groups
// from the test identity server, and that results stay cached until
// CacheEvictAll is called.
func (s *permCheckerSuite) TestGroupCache(c *gc.C) {
	idm := idmtest.NewServer()
	idm.AddUser("server-user", idmtest.GroupListGroup)
	idm.AddUser("alice", "somegroup", "othergroup")
	cl, err := idmclient.New(idmclient.NewParams{
		BaseURL: idm.URL.String(),
		Client:  idm.Client("server-user"),
	})
	c.Assert(err, gc.IsNil)

	groupCache := idmclient.NewGroupCache(cl, time.Hour)

	// groupsOf fetches the groups for one user and fails the test on
	// any error, leaving the callers to assert on the result only.
	groupsOf := func(user string) []string {
		groups, err := groupCache.Groups(user)
		c.Assert(err, gc.IsNil)
		return groups
	}

	// If the user isn't found, we return no groups.
	c.Assert(groupsOf("bob"), gc.HasLen, 0)

	// The expected order differs from the order the groups were added
	// in; the result here is alphabetical.
	c.Assert(groupsOf("alice"), jc.DeepEquals, []string{"othergroup", "somegroup"})

	idm.AddUser("bob", "beatles")

	// The empty result for bob is still cached, so the newly added
	// membership is not visible yet.
	c.Assert(groupsOf("bob"), gc.HasLen, 0)

	// Evicting the cache forces a fresh lookup, which sees the group.
	groupCache.CacheEvictAll()
	c.Assert(groupsOf("bob"), jc.DeepEquals, []string{"beatles"})
}