@@ -198,17 +198,19 @@ func TestAuthorizeDomain(t *testing.T) {
198198 t .Parallel ()
199199 defOrg := uuid .New ()
200200 unuseID := uuid .New ()
201+ allUsersGroup := "all_users"
201202
202203 user := subject {
203204 UserID : "me" ,
204205 Scope : must (ScopeRole (ScopeAll )),
206+ Groups : []string {allUsersGroup },
205207 Roles : []Role {
206208 must (RoleByName (RoleMember ())),
207209 must (RoleByName (RoleOrgMember (defOrg ))),
208210 },
209211 }
210212
211- testAuthorize (t , "ACLList " , user , []authTestCase {
213+ testAuthorize (t , "UserACLList " , user , []authTestCase {
212214 {
213215 resource : ResourceWorkspace .WithOwner (unuseID .String ()).InOrg (unuseID ).WithACLUserList (map [string ][]Action {
214216 user .UserID : allActions (),
@@ -240,6 +242,38 @@ func TestAuthorizeDomain(t *testing.T) {
240242 },
241243 })
242244
245+ testAuthorize (t , "GroupACLList" , user , []authTestCase {
246+ {
247+ resource : ResourceWorkspace .WithOwner (unuseID .String ()).InOrg (unuseID ).WithGroups (map [string ][]Action {
248+ allUsersGroup : allActions (),
249+ }),
250+ actions : allActions (),
251+ allow : true ,
252+ },
253+ {
254+ resource : ResourceWorkspace .WithOwner (unuseID .String ()).InOrg (unuseID ).WithGroups (map [string ][]Action {
255+ allUsersGroup : {WildcardSymbol },
256+ }),
257+ actions : allActions (),
258+ allow : true ,
259+ },
260+ {
261+ resource : ResourceWorkspace .WithOwner (unuseID .String ()).InOrg (unuseID ).WithGroups (map [string ][]Action {
262+ allUsersGroup : {ActionRead , ActionUpdate },
263+ }),
264+ actions : []Action {ActionCreate , ActionDelete },
265+ allow : false ,
266+ },
267+ {
268+ // By default users cannot update templates
269+ resource : ResourceTemplate .InOrg (defOrg ).WithGroups (map [string ][]Action {
270+ allUsersGroup : {ActionUpdate },
271+ }),
272+ actions : []Action {ActionRead , ActionUpdate },
273+ allow : true ,
274+ },
275+ })
276+
243277 testAuthorize (t , "Member" , user , []authTestCase {
244278 // Org + me
245279 {resource : ResourceWorkspace .InOrg (defOrg ).WithOwner (user .UserID ), actions : allActions (), allow : true },
@@ -790,21 +824,19 @@ func testAuthorize(t *testing.T, name string, subject subject, sets ...[]authTes
790824
791825 authError := authorizer .Authorize (ctx , subject .UserID , subject .Roles , subject .Scope , subject .Groups , a , c .resource )
792826
827+ d , _ := json .Marshal (map [string ]interface {}{
828+ "subject" : subject ,
829+ "object" : c .resource ,
830+ "action" : a ,
831+ })
832+
793833 // Logging only
834+ t .Logf ("input: %s" , string (d ))
794835 if authError != nil {
795836 var uerr * UnauthorizedError
796837 xerrors .As (authError , & uerr )
797- d , _ := json .Marshal (uerr .Input ())
798- t .Logf ("input: %s" , string (d ))
799838 t .Logf ("internal error: %+v" , uerr .Internal ().Error ())
800839 t .Logf ("output: %+v" , uerr .Output ())
801- } else {
802- d , _ := json .Marshal (map [string ]interface {}{
803- "subject" : subject ,
804- "object" : c .resource ,
805- "action" : a ,
806- })
807- t .Log (string (d ))
808840 }
809841
810842 if c .allow {
@@ -819,8 +851,6 @@ func testAuthorize(t *testing.T, name string, subject subject, sets ...[]authTes
819851 // Also check the rego policy can form a valid partial query result.
820852 // This ensures we can convert the queries into SQL WHERE clauses in the future.
821853 // If this function returns 'Support' sections, then we cannot convert the query into SQL.
822- d , _ := json .Marshal (partialAuthz .input )
823- t .Logf ("input: %s" , string (d ))
824854 for _ , q := range partialAuthz .partialQueries .Queries {
825855 t .Logf ("query: %+v" , q .String ())
826856 }
0 commit comments