Skip to content

test: Add unit test for rbac Authorize() function #853

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 44 commits into from
Closed

test: Add unit test for rbac Authorize() function #853

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
44 commits
Select commit Hold shift + click to select a range
ab61328
WIP: This is a massive WIP
Emyrk Mar 26, 2022
03e4d0f
More info in the print
Emyrk Mar 26, 2022
9981291
Fix all()
Emyrk Mar 27, 2022
3ab32da
reduce the amount of memoery allocated
Emyrk Mar 27, 2022
e1d5893
Reuse a buffer
Emyrk Mar 28, 2022
84a90f3
fix: use return size over size
Emyrk Mar 29, 2022
1fac0d9
WIP: don't look at this
Emyrk Mar 29, 2022
1e3aac0
WIP: 🍐 auth-> testdata, refactoring and restructuring
johnstcn Mar 30, 2022
e977e84
testdata -> authztest
johnstcn Mar 30, 2022
00a7c3f
WIP: start work on SVO
johnstcn Mar 30, 2022
1f04c01
reduce allocations for union sets
Emyrk Mar 31, 2022
fbf4db1
fix: Fix nil permissions as Strings()
Emyrk Mar 31, 2022
4946897
chore: Make all permission variant levels
Emyrk Mar 31, 2022
7e6cc66
First full draft of the authz authorize test
Emyrk Mar 31, 2022
a0017e5
Tally up failed tests
Emyrk Mar 31, 2022
4b110b3
Change test pkg
Emyrk Mar 31, 2022
65ef4e3
Use an interface for the object
Emyrk Mar 31, 2022
d294786
fix: make authztest.Objects return correct type
johnstcn Apr 1, 2022
c1f8945
refactor: rename consts {Read,Write,Modify,Delete}Action to Action$1
johnstcn Apr 1, 2022
01f3d40
chore: Define object interface
Emyrk Apr 1, 2022
de7de6e
test: Unit test extra properties
Emyrk Apr 1, 2022
4c86e44
Merge remote-tracking branch 'origin/stevenmasley/rbac' into stevenma…
Emyrk Apr 1, 2022
30c6568
put back interface assertion
Emyrk Apr 1, 2022
a419a65
Fix some compile errors from merge
Emyrk Apr 1, 2022
bbd1c4c
test: Roles, sets, permissions, iterators
Emyrk Apr 1, 2022
def010f
Test string functions
Emyrk Apr 1, 2022
c4ee590
test: Unit test permission string
Emyrk Apr 4, 2022
84e3ab9
Add A+ and A-
Emyrk Apr 4, 2022
c2eec18
Parallelize tests
Emyrk Apr 4, 2022
5a2834a
fix code line in readme
Emyrk Apr 4, 2022
913d141
Merge remote-tracking branch 'origin/main' into stevenmasley/rbac
Emyrk Apr 4, 2022
2804b92
test: ParsePermissions from strings
Emyrk Apr 4, 2022
5698938
use fmt over str builder for easier to read
Emyrk Apr 4, 2022
75ed8ef
Linting
Emyrk Apr 4, 2022
b2db661
authz: README.md: update table formatting
johnstcn Apr 5, 2022
26ef1e6
Make action CRUD
Emyrk Apr 5, 2022
19aba30
LevelID -> OrganizationID
Emyrk Apr 5, 2022
ceee9cd
feat: authztest: categorize test failures by test name
johnstcn Apr 5, 2022
ee8bf04
fixup! feat: authztest: categorize test failures by test name
johnstcn Apr 5, 2022
44c02a1
chore: add documentation for authz and authztest
johnstcn Apr 6, 2022
dfb9ad1
fixup! chore: add documentation for authz and authztest
johnstcn Apr 6, 2022
e482d2c
chore: more authz/authztest docs
johnstcn Apr 6, 2022
a4e038f
Remove underscore from test names
Emyrk Apr 6, 2022
9918c16
zObject does not need exported fields
Emyrk Apr 6, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
WIP: don't look at this
  • Loading branch information
@Emyrk @johnstcn
Emyrk authored and johnstcn committed Mar 31, 2022
commit 1fac0d9c1eb6f4e44452eeec97b7f622bde49f3a
36 changes: 26 additions & 10 deletions coderd/authz/authztest/set_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,27 @@ import (
"testing"
)

func BenchmarkRole(b *testing.B) {
all := GroupedPermissions(AllPermissions())
r := ParseRole(all, "w(pa) s(*e) s(*e) s(*e) s(pe) s(pe) s(*) s(*)")
b.ResetTimer()
for n := 0; n < b.N; n++ {
if !r.Next() {
r.Reset()
}
FakeAuthorize(r.Permissions())
}
}

func TestRole(t *testing.T) {
all := GroupedPermissions(AllPermissions())
testCases := []struct {
Name string
Permutations *Role
Access bool
}{
}{ // 410,367,658
{
// [w] x [s1, s2, ""] = (w, s1), (w, s2), (w, "")
Name: "W+",
Permutations: ParseRole(all, "w(pa) s(*e) o(*e) u(*e)"),
Access: true,
Expand Down Expand Up @@ -71,20 +84,23 @@ func TestRole(t *testing.T) {
fmt.Printf("Total cases=%d\n", total)

// This is how you run the test cases
//for _, c := range testCases {
// t.Run(c.Name, func(t *testing.T) {
// c.Permutations.Each(func(set Set) {
// // Actually printing all the errors would be insane
// //require.Equal(t, c.Access, FakeAuthorize(set))
// FakeAuthorize(set)
// })
// })
//}
for _, c := range testCases {
//t.Run(c.Name, func(t *testing.T) {
c.Permutations.Each(func(set Set) {
// Actually printing all the errors would be insane
//require.Equal(t, c.Access, FakeAuthorize(set))
FakeAuthorize(set)
})
//})
}
}

func FakeAuthorize(s Set) bool {
var f bool
for _, i := range s {
if i == nil {
continue
}
if i.Type() == "+" {
f = true
}
Expand Down
53 changes: 53 additions & 0 deletions coderd/authz/permission.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
package authz

import "strings"

type permLevel string

const (
LevelWildcard permLevel = "*"
LevelSite permLevel = "site"
LevelOrg permLevel = "org"
LevelUser permLevel = "user"
)

var PermissionLevels = [4]permLevel{LevelWildcard, LevelSite, LevelOrg, LevelUser}

type Permission struct {
// Sign is positive or negative.
// True = Positive, False = negative
Sign bool
Level permLevel
// LevelID is used for identifying a particular org.
// org:1234
LevelID string

ResourceType string
ResourceID string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All of our resource identifiers are UUIDs, can this be one too?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought some ids from v1 are still strings. I would like uuid yes, I can change if this is true

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is true! All v1 IDs have been converted to UUIDs.

Action string
}

// String returns the <level>.<resource_type>.<id>.<action> string formatted permission.
// A string builder is used to be the most efficient.
func (p Permission) String() string {
var s strings.Builder
// This could be 1 more than the actual capacity. But being 1 byte over for capacity is ok.
s.Grow(1 + 4 + len(p.Level) + len(p.LevelID) + len(p.ResourceType) + len(p.ResourceID) + len(p.Action))
if p.Sign {
s.WriteRune('+')
} else {
s.WriteRune('-')
}
s.WriteString(string(p.Level))
if p.LevelID != "" {
s.WriteRune(':')
s.WriteString(p.LevelID)
}
s.WriteRune('.')
s.WriteString(p.ResourceType)
s.WriteRune('.')
s.WriteString(p.ResourceID)
s.WriteRune('.')
s.WriteString(p.Action)
return s.String()
}
13 changes: 13 additions & 0 deletions coderd/authz/testdata/group.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
package testdata

type permissionSet string

const (
SetPositive permissionSet = "j"
SetNegative permissionSet = "j!"
SetNeutral permissionSet = "a"
)

var (
PermissionSets = []permissionSet{SetPositive, SetNegative, SetNeutral}
)
53 changes: 53 additions & 0 deletions coderd/authz/testdata/permissions.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
package testdata

import (
. "github.com/coder/coder/coderd/authz"
)

type level string

const (
otherOption = "other"

levelWild level = "*"
levelSite level = "site"
levelOrg level = "org"
levelOrgMem level = "org:mem"
// levelOrgAll is a helper to get both org levels above
levelOrgAll level = "org:*"
levelUser level = "user"
)

var (
PermissionTypes = []bool{true, false}
Levels = PermissionLevels
LevelIDs = []string{"", "mem"}
ResourceTypes = []string{"resource", "*", otherOption}
ResourceIDs = []string{"rid", "*", otherOption}
Actions = []string{"action", "*", otherOption}
)

func AllPermissions() Set {
all := make(Set, 0, 2*len(Levels)*len(LevelIDs)*len(ResourceTypes)*len(ResourceIDs)*len(Actions))
for _, p := range PermissionTypes {
for _, l := range Levels {
for _, lid := range LevelIDs {
for _, t := range ResourceTypes {
for _, i := range ResourceIDs {
for _, a := range Actions {
all = append(all, &Permission{
Sign: p,
Level: l,
LevelID: lid,
ResourceType: t,
ResourceID: i,
Action: a,
})
}
}
}
}
}
}
return all
}
10 changes: 10 additions & 0 deletions coderd/authz/testdata/role.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
package testdata

import (
. "github.com/coder/coder/coderd/authz"
)

var _ Permission

type Role struct {
}
20 changes: 20 additions & 0 deletions coderd/authz/testdata/set.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
package testdata

import (
"strings"

. "github.com/coder/coder/coderd/authz"
)

type Set []*Permission

func (s Set) String() string {
var str strings.Builder
sep := ""
for _, v := range s {
str.WriteString(sep)
str.WriteString(v.String())
sep = ", "
}
return str.String()
}