forked from TrueCloudLab/frostfs-node
130 lines
3.5 KiB
Go
130 lines
3.5 KiB
Go
|
package util
|
||
|
|
||
|
import (
|
||
|
"testing"
|
||
|
|
||
|
policyengine "git.frostfs.info/TrueCloudLab/policy-engine"
|
||
|
"github.com/stretchr/testify/require"
|
||
|
)
|
||
|
|
||
|
func TestParseAPERule(t *testing.T) {
|
||
|
tests := [...]struct {
|
||
|
name string
|
||
|
rule string
|
||
|
expectErr error
|
||
|
expectRule policyengine.Rule
|
||
|
}{
|
||
|
{
|
||
|
name: "Valid allow rule",
|
||
|
rule: "allow Object.Put *",
|
||
|
expectRule: policyengine.Rule{
|
||
|
Status: policyengine.Allow,
|
||
|
Action: []string{"native:PutObject"},
|
||
|
Resource: []string{"native:::object/*"},
|
||
|
Condition: []policyengine.Condition{},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "Valid deny rule",
|
||
|
rule: "deny Object.Put *",
|
||
|
expectRule: policyengine.Rule{
|
||
|
Status: policyengine.AccessDenied,
|
||
|
Action: []string{"native:PutObject"},
|
||
|
Resource: []string{"native:::object/*"},
|
||
|
Condition: []policyengine.Condition{},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "Valid deny rule with action detail",
|
||
|
rule: "deny:QuotaLimitReached Object.Put *",
|
||
|
expectRule: policyengine.Rule{
|
||
|
Status: policyengine.QuotaLimitReached,
|
||
|
Action: []string{"native:PutObject"},
|
||
|
Resource: []string{"native:::object/*"},
|
||
|
Condition: []policyengine.Condition{},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "Valid allow rule with conditions",
|
||
|
rule: "allow Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
|
||
|
expectRule: policyengine.Rule{
|
||
|
Status: policyengine.Allow,
|
||
|
Action: []string{"native:GetObject"},
|
||
|
Resource: []string{"native:::object/*"},
|
||
|
Condition: []policyengine.Condition{
|
||
|
{
|
||
|
Op: policyengine.CondStringEquals,
|
||
|
Object: policyengine.ObjectResource,
|
||
|
Key: "Department",
|
||
|
Value: "HR",
|
||
|
},
|
||
|
{
|
||
|
Op: policyengine.CondStringNotEquals,
|
||
|
Object: policyengine.ObjectRequest,
|
||
|
Key: "Actor",
|
||
|
Value: "ownerA",
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "Valid rule with conditions with action detail",
|
||
|
rule: "deny:QuotaLimitReached Object.Get Object.Resource:Department=HR Object.Request:Actor!=ownerA *",
|
||
|
expectRule: policyengine.Rule{
|
||
|
Status: policyengine.QuotaLimitReached,
|
||
|
Action: []string{"native:GetObject"},
|
||
|
Resource: []string{"native:::object/*"},
|
||
|
Condition: []policyengine.Condition{
|
||
|
{
|
||
|
Op: policyengine.CondStringEquals,
|
||
|
Object: policyengine.ObjectResource,
|
||
|
Key: "Department",
|
||
|
Value: "HR",
|
||
|
},
|
||
|
{
|
||
|
Op: policyengine.CondStringNotEquals,
|
||
|
Object: policyengine.ObjectRequest,
|
||
|
Key: "Actor",
|
||
|
Value: "ownerA",
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
{
|
||
|
name: "Invalid rule with unknown action",
|
||
|
rule: "permit Object.Put *",
|
||
|
expectErr: errUnknownAction,
|
||
|
},
|
||
|
{
|
||
|
name: "Invalid rule with unknown operation",
|
||
|
rule: "allow Object.PutOut *",
|
||
|
expectErr: errUnknownOperation,
|
||
|
},
|
||
|
{
|
||
|
name: "Invalid rule with unknown action detail",
|
||
|
rule: "deny:UnknownActionDetail Object.Put *",
|
||
|
expectErr: errUnknownActionDetail,
|
||
|
},
|
||
|
{
|
||
|
name: "Invalid rule with unknown condition binary operator",
|
||
|
rule: "deny Object.Put Object.Resource:Department<HR *",
|
||
|
expectErr: errUnknownBinaryOperator,
|
||
|
},
|
||
|
{
|
||
|
name: "Invalid rule with unknown condition object type",
|
||
|
rule: "deny Object.Put Object.ResourZe:Department=HR *",
|
||
|
expectErr: errUnknownCondObjectType,
|
||
|
},
|
||
|
}
|
||
|
for _, test := range tests {
|
||
|
t.Run(test.name, func(t *testing.T) {
|
||
|
r := new(policyengine.Rule)
|
||
|
err := ParseAPERule(r, test.rule)
|
||
|
require.ErrorIs(t, err, test.expectErr)
|
||
|
if test.expectErr == nil {
|
||
|
require.Equal(t, test.expectRule, *r)
|
||
|
}
|
||
|
})
|
||
|
}
|
||
|
}
|