porter/api/server/authz/policy/loader_test.go

package policy_test

import (
	"encoding/json"
	"net/http"
	"testing"

	"github.com/porter-dev/porter/api/server/authz/policy"
	"github.com/porter-dev/porter/api/types"
	"github.com/porter-dev/porter/internal/models"
	"github.com/porter-dev/porter/internal/repository/test"
	"github.com/stretchr/testify/assert"
)

func TestBasicPolicyDocumentLoader(t *testing.T) {
	assert := assert.New(t)

	// use the in-memory project repo
	projRepo := test.NewProjectRepository(true)
	projRoleRepo := test.NewProjectRoleRepository(true)
	policyRepo := test.NewPolicyRepository(true)

	project, err := projRepo.CreateProject(&models.Project{
		Name: "test-project",
	})

	if err != nil {
		t.Fatalf("%v", err)
	}

	policyBytes, err := json.Marshal(types.AdminPolicy)

	if err != nil {
		t.Fatalf("%v", err)
	}

	pol, err := policyRepo.CreatePolicy(&models.Policy{
		UniqueID:    "test-policy-uid",
		ProjectID:   project.ID,
		Name:        "test-policy",
		PolicyBytes: policyBytes,
	})

	if err != nil {
		t.Fatalf("%v", err)
	}

	role, err := projRoleRepo.CreateProjectRole(&models.ProjectRole{
		UniqueID:  "1-admin",
		ProjectID: project.ID,
		PolicyUID: pol.UniqueID,
		Name:      "admin",
	})

	if err != nil {
		t.Fatalf("%v", err)
	}

	err = projRoleRepo.UpdateUsersInProjectRole(project.ID, role.UniqueID, []uint{1})

	if err != nil {
		t.Fatalf("%v", err)
	}

	loader := policy.NewBasicPolicyDocumentLoader(projRoleRepo, policyRepo)

	docs, reqErr := loader.LoadPolicyDocuments(&policy.PolicyLoaderOpts{
		ProjectID: 1,
		UserID:    1,
	})

	assert.Equal(true, reqErr == nil)
	assert.Equal(1, len(docs))
	assert.Equal(types.AdminPolicy[0], docs[0])
}

func TestErrorForbiddenInvalidRole(t *testing.T) {
	assert := assert.New(t)

	// use the in-memory project repo
	projRepo := test.NewProjectRepository(true)
	projRoleRepo := test.NewProjectRoleRepository(true)
	policyRepo := test.NewPolicyRepository(true)

	loader := policy.NewBasicPolicyDocumentLoader(projRoleRepo, policyRepo)

	project, err := projRepo.CreateProject(&models.Project{
		Name: "test-project",
	})

	if err != nil {
		t.Fatalf("%v", err)
	}

	policyBytes, err := json.Marshal(types.RoleAdmin)

	if err != nil {
		t.Fatalf("%v", err)
	}

	pol, err := policyRepo.CreatePolicy(&models.Policy{
		UniqueID:    "test-policy-uid",
		ProjectID:   project.ID,
		Name:        "test-policy",
		PolicyBytes: policyBytes,
	})

	if err != nil {
		t.Fatalf("%v", err)
	}

	_, err = projRoleRepo.CreateProjectRole(&models.ProjectRole{
		UniqueID:  "1-admin",
		ProjectID: project.ID,
		PolicyUID: pol.UniqueID,
		Name:      "admin",
	})

	if err != nil {
		t.Fatalf("%v", err)
	}

	_, reqErr := loader.LoadPolicyDocuments(&policy.PolicyLoaderOpts{
		ProjectID: 1,
		UserID:    1,
	})

	if reqErr == nil {
		t.Fatalf("Expected forbidden error for invalid project role")
	}

	// check that external and internal errors are returned as well
	assert.Equal(
		http.StatusForbidden,
		reqErr.GetStatusCode(),
		"status is not status forbidden",
	)

	assert.Equal(
		"user does not have any roles assigned in this project",
		reqErr.Error(),
		"error message is not correct",
	)
}

func TestErrorCannotQuery(t *testing.T) {
	assert := assert.New(t)

	// use the in-memory project repo
	projRoleRepo := test.NewProjectRoleRepository(false)
	policyRepo := test.NewPolicyRepository(false)
	loader := policy.NewBasicPolicyDocumentLoader(projRoleRepo, policyRepo)

	_, reqErr := loader.LoadPolicyDocuments(&policy.PolicyLoaderOpts{
		ProjectID: 2,
		UserID:    1,
	})

	if reqErr == nil {
		t.Fatalf("Expected internal error for failing to query")
	}

	// check that external and internal errors are returned as well
	assert.Equal(
		http.StatusInternalServerError,
		reqErr.GetStatusCode(),
		"status is not status internal",
	)
}