1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
|
package tvm
import (
"testing"
"github.com/stretchr/testify/require"
)
func TestRolesPublicServiceTicket(t *testing.T) {
roles, err := NewRoles([]byte(`{"revision":"GYYDEMJUGBQWC","born_date":1612791978,"tvm":{"2012192":{"/group/system/system_on/abc/role/impersonator/":[{"scope":"/"},{"blank":""}],"/group/system/system_on/abc/role/tree_edit/":[{"scope":"/"}],"/group/system/system_on/abc/role/admin/":[]}},"user":{"1120000000000493":{"/group/system/system_on/abc/role/roles_manage/":[{"scope":"/services/meta_infra/tools/jobjira/"},{"scope":"/services/meta_edu/infrastructure/"}]}}}`))
require.NoError(t, err)
st := &CheckedServiceTicket{SrcID: 42}
require.Nil(t, roles.GetRolesForService(st))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", nil))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/admin/", nil))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", &CheckServiceOptions{Entity: Entity{"scope": "/"}}))
st = &CheckedServiceTicket{SrcID: 2012192}
r := roles.GetRolesForService(st)
require.NotNil(t, r)
require.EqualValues(t,
`{
"/group/system/system_on/abc/role/admin/": [],
"/group/system/system_on/abc/role/impersonator/": [
{
"scope": "/"
},
{
"blank": ""
}
],
"/group/system/system_on/abc/role/tree_edit/": [
{
"scope": "/"
}
]
}`,
r.DebugPrint(),
)
require.Equal(t, 3, len(r.GetRoles()))
require.False(t, r.HasRole("/"))
require.True(t, r.HasRole("/group/system/system_on/abc/role/impersonator/"))
require.True(t, r.HasRole("/group/system/system_on/abc/role/admin/"))
require.False(t, roles.CheckServiceRole(st, "/", nil))
require.True(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", nil))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", &CheckServiceOptions{Entity: Entity{"scope": "kek"}}))
require.True(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", &CheckServiceOptions{Entity{"scope": "/"}}))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", &CheckServiceOptions{Entity{"blank": "/"}}))
require.True(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", &CheckServiceOptions{Entity{"blank": ""}}))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/admin/", &CheckServiceOptions{Entity{"scope": "/"}}))
require.Nil(t, r.GetEntitiesForRole("/"))
en := r.GetEntitiesForRole("/group/system/system_on/abc/role/impersonator/")
require.NotNil(t, en)
require.False(t, en.ContainsExactEntity(Entity{"scope": "kek"}))
require.True(t, en.ContainsExactEntity(Entity{"scope": "/"}))
require.False(t, en.ContainsExactEntity(Entity{"blank": "/"}))
require.True(t, en.ContainsExactEntity(Entity{"blank": ""}))
require.Nil(t, en.GetEntitiesWithAttrs(Entity{"scope": "kek"}))
require.Equal(t, []Entity{{"scope": "/"}}, en.GetEntitiesWithAttrs(Entity{"scope": "/"}))
require.Nil(t, en.GetEntitiesWithAttrs(Entity{"blank": "kek"}))
require.Equal(t, []Entity{{"blank": ""}}, en.GetEntitiesWithAttrs(Entity{"blank": ""}))
require.ElementsMatch(t, []Entity{{"scope": "/"}, {"blank": ""}}, en.GetEntitiesWithAttrs(nil))
en = r.GetEntitiesForRole("/group/system/system_on/abc/role/admin/")
require.NotNil(t, en)
require.False(t, en.ContainsExactEntity(Entity{"scope": "/"}))
require.Nil(t, en.GetEntitiesWithAttrs(Entity{"scope": "/"}))
}
func TestRolesPublicServiceTicketWithNilEntities(t *testing.T) {
roles, err := NewRolesWithOpts(
[]byte(`{"revision":"GYYDEMJUGBQWC","born_date":1612791978,"tvm":{"2012192":{"/group/system/system_on/abc/role/impersonator/":[{"scope":"/"},{"blank":""}],"/group/system/system_on/abc/role/tree_edit/":[{"scope":"/"}],"/group/system/system_on/abc/role/admin/":[{}]}},"user":{"1120000000000493":{"/group/system/system_on/abc/role/roles_manage/":[{"scope":"/services/meta_infra/tools/jobjira/"},{"scope":"/services/meta_edu/infrastructure/"}]}}}`),
WithLightIndex(),
)
require.NoError(t, err)
st := &CheckedServiceTicket{SrcID: 42}
require.Nil(t, roles.GetRolesForService(st))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", nil))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/admin/", nil))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", &CheckServiceOptions{Entity: Entity{"scope": "/"}}))
st = &CheckedServiceTicket{SrcID: 2012192}
r := roles.GetRolesForService(st)
require.NotNil(t, r)
require.EqualValues(t,
`{
"/group/system/system_on/abc/role/admin/": null,
"/group/system/system_on/abc/role/impersonator/": [
{
"scope": "/"
},
{
"blank": ""
}
],
"/group/system/system_on/abc/role/tree_edit/": [
{
"scope": "/"
}
]
}`,
r.DebugPrint(),
)
require.Equal(t, 3, len(r.GetRoles()))
require.False(t, r.HasRole("/"))
require.True(t, r.HasRole("/group/system/system_on/abc/role/impersonator/"))
require.True(t, r.HasRole("/group/system/system_on/abc/role/admin/"))
require.False(t, roles.CheckServiceRole(st, "/", nil))
require.True(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", nil))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", &CheckServiceOptions{Entity: Entity{"scope": "kek"}}))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", &CheckServiceOptions{Entity{"scope": "/"}}))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", &CheckServiceOptions{Entity{"blank": "/"}}))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/impersonator/", &CheckServiceOptions{Entity{"blank": ""}}))
require.False(t, roles.CheckServiceRole(st, "/group/system/system_on/abc/role/admin/", &CheckServiceOptions{Entity{"scope": "/"}}))
require.Nil(t, r.GetEntitiesForRole("/"))
en := r.GetEntitiesForRole("/group/system/system_on/abc/role/impersonator/")
require.NotNil(t, en)
require.False(t, en.ContainsExactEntity(Entity{"scope": "kek"}))
require.False(t, en.ContainsExactEntity(Entity{"scope": "/"}))
require.False(t, en.ContainsExactEntity(Entity{"blank": "/"}))
require.False(t, en.ContainsExactEntity(Entity{"blank": ""}))
require.Nil(t, en.GetEntitiesWithAttrs(Entity{"scope": "kek"}))
require.Nil(t, en.GetEntitiesWithAttrs(Entity{"scope": "/"}))
require.Nil(t, en.GetEntitiesWithAttrs(Entity{"blank": "kek"}))
require.Nil(t, en.GetEntitiesWithAttrs(Entity{"blank": ""}))
require.ElementsMatch(t, []Entity{{"scope": "/"}, {"blank": ""}}, en.GetEntitiesWithAttrs(nil))
en = r.GetEntitiesForRole("/group/system/system_on/abc/role/admin/")
require.Nil(t, en)
require.False(t, en.ContainsExactEntity(Entity{"scope": "/"}))
require.Nil(t, en.GetEntitiesWithAttrs(Entity{"scope": "/"}))
}
func TestRolesPublicUserTicket(t *testing.T) {
roles, err := NewRoles([]byte(`{"revision":"GYYDEMJUGBQWC","born_date":1612791978,"tvm":{"2012192":{"/group/system/system_on/abc/role/impersonator/":[{"scope":"/"},{"blank":""}],"/group/system/system_on/abc/role/tree_edit/":[{"scope":"/"}]}},"user":{"1120000000000493":{"/group/system/system_on/abc/role/roles_manage/":[{"scope":"/services/meta_infra/tools/jobjira/"},{"scope":"/services/meta_edu/infrastructure/"}],"/group/system/system_on/abc/role/roles_admin/":[]}}}`))
require.NoError(t, err)
ut := &CheckedUserTicket{DefaultUID: 42}
_, err = roles.GetRolesForUser(ut, nil)
require.EqualError(t, err, "user ticket must be from ProdYateam, got from Prod")
ut.Env = BlackboxProdYateam
r, err := roles.GetRolesForUser(ut, nil)
require.NoError(t, err)
require.Nil(t, r)
ok, err := roles.CheckUserRole(ut, "/group/system/system_on/abc/role/impersonator/", nil)
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/impersonator/", &CheckUserOptions{Entity: Entity{"scope": "/"}})
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/admin/", nil)
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_admin/", &CheckUserOptions{Entity: Entity{"scope": "/"}})
require.NoError(t, err)
require.False(t, ok)
ut = &CheckedUserTicket{DefaultUID: 1120000000000493, UIDs: []UID{42}, Env: BlackboxProdYateam}
r, err = roles.GetRolesForUser(ut, nil)
require.NoError(t, err)
require.NotNil(t, r)
require.EqualValues(t,
`{
"/group/system/system_on/abc/role/roles_admin/": [],
"/group/system/system_on/abc/role/roles_manage/": [
{
"scope": "/services/meta_infra/tools/jobjira/"
},
{
"scope": "/services/meta_edu/infrastructure/"
}
]
}`,
r.DebugPrint(),
)
require.Equal(t, 2, len(r.GetRoles()))
require.False(t, r.HasRole("/"))
require.True(t, r.HasRole("/group/system/system_on/abc/role/roles_manage/"))
ok, err = roles.CheckUserRole(ut, "/", nil)
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_manage/", nil)
require.NoError(t, err)
require.True(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_manage/", &CheckUserOptions{Entity: Entity{"scope": "kek"}})
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_manage/", &CheckUserOptions{Entity: Entity{"scope": "/services/meta_infra/tools/jobjira/"}})
require.NoError(t, err)
require.True(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_admin/", nil)
require.NoError(t, err)
require.True(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_admin/", &CheckUserOptions{Entity: Entity{"scope": "/"}})
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_manage/", &CheckUserOptions{UID: UID(42)})
require.NoError(t, err)
require.False(t, ok)
ut = &CheckedUserTicket{DefaultUID: 0, UIDs: []UID{42}, Env: BlackboxProdYateam}
_, err = roles.GetRolesForUser(ut, nil)
require.EqualError(t, err, "default uid is 0 - it cannot have any role")
uid := UID(83)
_, err = roles.GetRolesForUser(ut, &uid)
require.EqualError(t, err, "'uid' must be in user ticket but it is not: 83")
}
func TestRolesPublicUserTicketWithNilEntities(t *testing.T) {
roles, err := NewRolesWithOpts(
[]byte(`{"revision":"GYYDEMJUGBQWC","born_date":1612791978,"tvm":{"2012192":{"/group/system/system_on/abc/role/impersonator/":[{"scope":"/"},{"blank":""}],"/group/system/system_on/abc/role/tree_edit/":[{"scope":"/"}]}},"user":{"1120000000000493":{"/group/system/system_on/abc/role/roles_manage/":[{"scope":"/services/meta_infra/tools/jobjira/"},{"scope":"/services/meta_edu/infrastructure/"}],"/group/system/system_on/abc/role/roles_admin/":[{}]}}}`),
WithLightIndex(),
)
require.NoError(t, err)
ut := &CheckedUserTicket{DefaultUID: 42}
_, err = roles.GetRolesForUser(ut, nil)
require.EqualError(t, err, "user ticket must be from ProdYateam, got from Prod")
ut.Env = BlackboxProdYateam
r, err := roles.GetRolesForUser(ut, nil)
require.NoError(t, err)
require.Nil(t, r)
ok, err := roles.CheckUserRole(ut, "/group/system/system_on/abc/role/impersonator/", nil)
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/impersonator/", &CheckUserOptions{Entity: Entity{"scope": "/"}})
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/admin/", nil)
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_admin/", &CheckUserOptions{Entity: Entity{"scope": "/"}})
require.NoError(t, err)
require.False(t, ok)
ut = &CheckedUserTicket{DefaultUID: 1120000000000493, UIDs: []UID{42}, Env: BlackboxProdYateam}
r, err = roles.GetRolesForUser(ut, nil)
require.NoError(t, err)
require.NotNil(t, r)
require.EqualValues(t,
`{
"/group/system/system_on/abc/role/roles_admin/": null,
"/group/system/system_on/abc/role/roles_manage/": [
{
"scope": "/services/meta_infra/tools/jobjira/"
},
{
"scope": "/services/meta_edu/infrastructure/"
}
]
}`,
r.DebugPrint(),
)
require.Equal(t, 2, len(r.GetRoles()))
require.False(t, r.HasRole("/"))
require.True(t, r.HasRole("/group/system/system_on/abc/role/roles_manage/"))
ok, err = roles.CheckUserRole(ut, "/", nil)
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_manage/", nil)
require.NoError(t, err)
require.True(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_manage/", &CheckUserOptions{Entity: Entity{"scope": "kek"}})
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_manage/", &CheckUserOptions{Entity: Entity{"scope": "/services/meta_infra/tools/jobjira/"}})
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_admin/", nil)
require.NoError(t, err)
require.True(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_admin/", &CheckUserOptions{Entity: Entity{"scope": "/"}})
require.NoError(t, err)
require.False(t, ok)
ok, err = roles.CheckUserRole(ut, "/group/system/system_on/abc/role/roles_manage/", &CheckUserOptions{UID: UID(42)})
require.NoError(t, err)
require.False(t, ok)
ut = &CheckedUserTicket{DefaultUID: 0, UIDs: []UID{42}, Env: BlackboxProdYateam}
_, err = roles.GetRolesForUser(ut, nil)
require.EqualError(t, err, "default uid is 0 - it cannot have any role")
uid := UID(83)
_, err = roles.GetRolesForUser(ut, &uid)
require.EqualError(t, err, "'uid' must be in user ticket but it is not: 83")
}
|
