Skip to content

test: Add unit test for rbac Authorize() function #853

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 44 commits into from
Closed

test: Add unit test for rbac Authorize() function #853

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
44 commits
Select commit Hold shift + click to select a range
ab61328
WIP: This is a massive WIP
Emyrk Mar 26, 2022
03e4d0f
More info in the print
Emyrk Mar 26, 2022
9981291
Fix all()
Emyrk Mar 27, 2022
3ab32da
reduce the amount of memoery allocated
Emyrk Mar 27, 2022
e1d5893
Reuse a buffer
Emyrk Mar 28, 2022
84a90f3
fix: use return size over size
Emyrk Mar 29, 2022
1fac0d9
WIP: don't look at this
Emyrk Mar 29, 2022
1e3aac0
WIP: 🍐 auth-> testdata, refactoring and restructuring
johnstcn Mar 30, 2022
e977e84
testdata -> authztest
johnstcn Mar 30, 2022
00a7c3f
WIP: start work on SVO
johnstcn Mar 30, 2022
1f04c01
reduce allocations for union sets
Emyrk Mar 31, 2022
fbf4db1
fix: Fix nil permissions as Strings()
Emyrk Mar 31, 2022
4946897
chore: Make all permission variant levels
Emyrk Mar 31, 2022
7e6cc66
First full draft of the authz authorize test
Emyrk Mar 31, 2022
a0017e5
Tally up failed tests
Emyrk Mar 31, 2022
4b110b3
Change test pkg
Emyrk Mar 31, 2022
65ef4e3
Use an interface for the object
Emyrk Mar 31, 2022
d294786
fix: make authztest.Objects return correct type
johnstcn Apr 1, 2022
c1f8945
refactor: rename consts {Read,Write,Modify,Delete}Action to Action$1
johnstcn Apr 1, 2022
01f3d40
chore: Define object interface
Emyrk Apr 1, 2022
de7de6e
test: Unit test extra properties
Emyrk Apr 1, 2022
4c86e44
Merge remote-tracking branch 'origin/stevenmasley/rbac' into stevenma…
Emyrk Apr 1, 2022
30c6568
put back interface assertion
Emyrk Apr 1, 2022
a419a65
Fix some compile errors from merge
Emyrk Apr 1, 2022
bbd1c4c
test: Roles, sets, permissions, iterators
Emyrk Apr 1, 2022
def010f
Test string functions
Emyrk Apr 1, 2022
c4ee590
test: Unit test permission string
Emyrk Apr 4, 2022
84e3ab9
Add A+ and A-
Emyrk Apr 4, 2022
c2eec18
Parallelize tests
Emyrk Apr 4, 2022
5a2834a
fix code line in readme
Emyrk Apr 4, 2022
913d141
Merge remote-tracking branch 'origin/main' into stevenmasley/rbac
Emyrk Apr 4, 2022
2804b92
test: ParsePermissions from strings
Emyrk Apr 4, 2022
5698938
use fmt over str builder for easier to read
Emyrk Apr 4, 2022
75ed8ef
Linting
Emyrk Apr 4, 2022
b2db661
authz: README.md: update table formatting
johnstcn Apr 5, 2022
26ef1e6
Make action CRUD
Emyrk Apr 5, 2022
19aba30
LevelID -> OrganizationID
Emyrk Apr 5, 2022
ceee9cd
feat: authztest: categorize test failures by test name
johnstcn Apr 5, 2022
ee8bf04
fixup! feat: authztest: categorize test failures by test name
johnstcn Apr 5, 2022
44c02a1
chore: add documentation for authz and authztest
johnstcn Apr 6, 2022
dfb9ad1
fixup! chore: add documentation for authz and authztest
johnstcn Apr 6, 2022
e482d2c
chore: more authz/authztest docs
johnstcn Apr 6, 2022
a4e038f
Remove underscore from test names
Emyrk Apr 6, 2022
9918c16
zObject does not need exported fields
Emyrk Apr 6, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
chore: Define object interface 
- Cleanup some code too
  • Loading branch information
@Emyrk
Emyrk committed Apr 1, 2022
commit 01f3d40924d8838f351bcb4541416b5ceb91ed9d
1 change: 1 addition & 0 deletions coderd/authz/action.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
package authz
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could this be named rbac instead? I think it might more accurately scope what we're trying to do.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When authn comes in, I think it'll be like this. authz is not my term, https://www.cloudflare.com/learning/access-management/authn-vs-authz/. It's more clear than rbac, as it's the authorize function. TBD on where the roles go.

.
├── auth
│  ├── authz/
│  └── authn/
├── subject.go
├── object.go
├── action.go
├── roles.go
└── authorize.go

Maybe auth/rbac can have roles? Still in the air, just needed to stub until Dean was ready.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason to not call them authorization and authentication? I've rarely seen the terms authn and authz used in the wild, so it's confusing to me at a glance.

Copy link
Member

@johnstcn johnstcn Apr 5, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's only common in this particular domain. Cloudflare for example uses the terms fairly prominently. (EDIT: Steven already linked it 😆)


// Action represents the allowed actions to be done on an object.
type Action string

const (
Expand Down
5 changes: 3 additions & 2 deletions coderd/authz/authz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,13 @@
package authz

// TODO: Implement Authorize
func Authorize(subj Subject, obj Object, action Action) error {
func Authorize(subj Subject, obj Resource, action Action) error {
// TODO: Expand subject roles into their permissions as appropriate. Apply scopes.
return AuthorizePermissions(subj.ID(), []Permission{}, obj, action)
}

// AuthorizePermissions runs the authorize function with the raw permissions in a single list.
func AuthorizePermissions(subjID string, permissions []Permission, object Object, action Action) error {
func AuthorizePermissions(subjID string, permissions []Permission, object Resource, action Action) error {

return nil
}
2 changes: 1 addition & 1 deletion coderd/authz/authz_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ func Test_ExhaustiveAuthorize(t *testing.T) {

testCases := []struct {
Name string
Objs []authz.Object
Objs []authz.Resource
// Action is constant
// Subject comes from roleVariants
Result func(pv string) bool
Expand Down
18 changes: 0 additions & 18 deletions coderd/authz/authztest/group.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,21 +14,3 @@ var (
)

var nilSet = Set{nil}

// *.*.*.*
//var PermissionSetWPlus = NewRole(
// all.Wildcard().Positive(),
// Union(all.Wildcard().Abstain(), nilSet),
//
// Union(all.Site().Positive(), nilSet),
// Union(all.Site().Negative(), nilSet),
// Union(all.Site().Abstain(), nilSet),
//
// Union(all.AllOrgs().Positive(), nilSet),
// Union(all.AllOrgs().Negative(), nilSet),
// Union(all.AllOrgs().Abstain(), nilSet),
//
// Union(all.User().Positive(), nilSet),
// Union(all.User().Negative(), nilSet),
// Union(all.User().Abstain(), nilSet),
//)
37 changes: 0 additions & 37 deletions coderd/authz/authztest/group_test.go
View file
Open in desktop

This file was deleted.

13 changes: 5 additions & 8 deletions coderd/authz/authztest/object.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,12 @@ package authztest

import "github.com/coder/coder/coderd/authz"

func Objects(pairs ...[]string) []authz.Object {
objs := make([]authz.Object, 0, len(pairs))
func Objects(pairs ...[]string) []authz.Resource {
objs := make([]authz.Resource, 0, len(pairs))
for _, p := range pairs {
objs = append(objs, authz.Object{
ObjectID: PermObjectID,
OwnerID: p[0],
OrgOwnerID: p[1],
ObjectType: PermObjectType,
})
objs = append(objs,
authz.ResourceType(PermObjectType).Owner(p[0]).Org(p[1]).AsID(PermObjectID),
)
}
return objs
}
119 changes: 0 additions & 119 deletions coderd/authz/authztest/parser.go
View file
Open in desktop

This file was deleted.

109 changes: 0 additions & 109 deletions coderd/authz/authztest/set_test.go
View file
Open in desktop

This file was deleted.

Loading