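package acl

import (
	"testing"
)

// testAuthorizer is a fixed-decision Authorizer test double: every
// permission check returns the EnforcementDecision the value was
// constructed with, regardless of the resource name or context passed in.
type testAuthorizer EnforcementDecision

// Compile-time check that testAuthorizer satisfies Authorizer.
var _ Authorizer = testAuthorizer(Allow)

func (authz testAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) NodeReadAll(*AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) ServiceReadAll(*AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}
func (authz testAuthorizer) Snapshot(*AuthorizerContext) EnforcementDecision {
	return EnforcementDecision(authz)
}

// checkChainedDecision asserts that every permission check exposed by the
// chained authorizer resolves to want. The resource name and context are
// irrelevant to testAuthorizer, so a fixed name ("foo") and a nil context
// are used throughout.
//
// want must be Allow or Deny; any other decision fails the test, because
// the check helpers only exist for those two outcomes. NodeReadAll and
// ServiceReadAll have no dedicated helper here and are compared directly,
// so that a chaining regression on those two methods is not silently
// missed.
func checkChainedDecision(t *testing.T, authz Authorizer, want EnforcementDecision) {
	t.Helper()

	switch want {
	case Allow:
		checkAllowACLRead(t, authz, "foo", nil)
		checkAllowACLWrite(t, authz, "foo", nil)
		checkAllowAgentRead(t, authz, "foo", nil)
		checkAllowAgentWrite(t, authz, "foo", nil)
		checkAllowEventRead(t, authz, "foo", nil)
		checkAllowEventWrite(t, authz, "foo", nil)
		checkAllowIntentionDefaultAllow(t, authz, "foo", nil)
		checkAllowIntentionRead(t, authz, "foo", nil)
		checkAllowIntentionWrite(t, authz, "foo", nil)
		checkAllowKeyRead(t, authz, "foo", nil)
		checkAllowKeyList(t, authz, "foo", nil)
		checkAllowKeyringRead(t, authz, "foo", nil)
		checkAllowKeyringWrite(t, authz, "foo", nil)
		checkAllowKeyWrite(t, authz, "foo", nil)
		checkAllowKeyWritePrefix(t, authz, "foo", nil)
		checkAllowNodeRead(t, authz, "foo", nil)
		checkAllowNodeWrite(t, authz, "foo", nil)
		checkAllowOperatorRead(t, authz, "foo", nil)
		checkAllowOperatorWrite(t, authz, "foo", nil)
		checkAllowPreparedQueryRead(t, authz, "foo", nil)
		checkAllowPreparedQueryWrite(t, authz, "foo", nil)
		checkAllowServiceRead(t, authz, "foo", nil)
		checkAllowServiceWrite(t, authz, "foo", nil)
		checkAllowSessionRead(t, authz, "foo", nil)
		checkAllowSessionWrite(t, authz, "foo", nil)
		checkAllowSnapshot(t, authz, "foo", nil)
	case Deny:
		checkDenyACLRead(t, authz, "foo", nil)
		checkDenyACLWrite(t, authz, "foo", nil)
		checkDenyAgentRead(t, authz, "foo", nil)
		checkDenyAgentWrite(t, authz, "foo", nil)
		checkDenyEventRead(t, authz, "foo", nil)
		checkDenyEventWrite(t, authz, "foo", nil)
		checkDenyIntentionDefaultAllow(t, authz, "foo", nil)
		checkDenyIntentionRead(t, authz, "foo", nil)
		checkDenyIntentionWrite(t, authz, "foo", nil)
		checkDenyKeyRead(t, authz, "foo", nil)
		checkDenyKeyList(t, authz, "foo", nil)
		checkDenyKeyringRead(t, authz, "foo", nil)
		checkDenyKeyringWrite(t, authz, "foo", nil)
		checkDenyKeyWrite(t, authz, "foo", nil)
		checkDenyKeyWritePrefix(t, authz, "foo", nil)
		checkDenyNodeRead(t, authz, "foo", nil)
		checkDenyNodeWrite(t, authz, "foo", nil)
		checkDenyOperatorRead(t, authz, "foo", nil)
		checkDenyOperatorWrite(t, authz, "foo", nil)
		checkDenyPreparedQueryRead(t, authz, "foo", nil)
		checkDenyPreparedQueryWrite(t, authz, "foo", nil)
		checkDenyServiceRead(t, authz, "foo", nil)
		checkDenyServiceWrite(t, authz, "foo", nil)
		checkDenySessionRead(t, authz, "foo", nil)
		checkDenySessionWrite(t, authz, "foo", nil)
		checkDenySnapshot(t, authz, "foo", nil)
	default:
		t.Fatalf("unsupported expected decision: %v", want)
	}

	if got := authz.NodeReadAll(nil); got != want {
		t.Fatalf("NodeReadAll: got %v, want %v", got, want)
	}
	if got := authz.ServiceReadAll(nil); got != want {
		t.Fatalf("ServiceReadAll: got %v, want %v", got, want)
	}
}

// TestChainedAuthorizer pins the decision-combining rules of
// NewChainedAuthorizer using fixed-decision test doubles:
//   - an empty chain denies every check (the chain fails closed);
//   - a chain whose members only answer Default also denies every check;
//   - a member answering Allow decides on its own;
//   - the first member answering Allow or Deny decides, and a Default
//     answer ahead of it does not.
func TestChainedAuthorizer(t *testing.T) {
	t.Run("No Authorizers", func(t *testing.T) {
		authz := NewChainedAuthorizer([]Authorizer{})
		checkChainedDecision(t, authz, Deny)
	})

	t.Run("Authorizer Defaults", func(t *testing.T) {
		authz := NewChainedAuthorizer([]Authorizer{testAuthorizer(Default)})
		checkChainedDecision(t, authz, Deny)
	})

	t.Run("Authorizer No Defaults", func(t *testing.T) {
		authz := NewChainedAuthorizer([]Authorizer{testAuthorizer(Allow)})
		checkChainedDecision(t, authz, Allow)
	})

	t.Run("First Found", func(t *testing.T) {
		// An explicit Deny ahead of an Allow wins.
		authz := NewChainedAuthorizer([]Authorizer{testAuthorizer(Deny), testAuthorizer(Allow)})
		checkChainedDecision(t, authz, Deny)

		// A Default ahead of an Allow does not decide, so the Allow wins.
		authz = NewChainedAuthorizer([]Authorizer{testAuthorizer(Default), testAuthorizer(Allow)})
		checkChainedDecision(t, authz, Allow)
	})
}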