mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-29 10:26:29 +02:00
9e9ed8853f
* ppl: more flexible matchers * make the string list matcher "is" match arrays with only a single item * re-use has * default list matcher to has
175 lines
4.3 KiB
Go
175 lines
4.3 KiB
Go
package criteria
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/protobuf/types/known/structpb"
|
|
|
|
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
|
"github.com/pomerium/pomerium/pkg/grpc/session"
|
|
"github.com/pomerium/pomerium/pkg/grpc/user"
|
|
)
|
|
|
|
func TestClaim(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
t.Run("no session", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- claim/family_name: Smith
|
|
`, nil, Input{Session: InputSession{ID: "SESSION_ID"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{false, A{ReasonUserUnauthenticated}, M{}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("no claim", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- claim/family_name: Smith
|
|
`,
|
|
[]*databroker.Record{
|
|
makeRecord(&session.Session{
|
|
Id: "SESSION_ID",
|
|
UserId: "USER_ID",
|
|
}),
|
|
},
|
|
Input{Session: InputSession{ID: "SESSION_ID"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{false, A{ReasonClaimUnauthorized}, M{}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("by session claim", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- claim/family_name: Smith
|
|
`,
|
|
[]*databroker.Record{
|
|
makeRecord(&session.Session{
|
|
Id: "SESSION_ID",
|
|
UserId: "USER_ID",
|
|
Claims: map[string]*structpb.ListValue{
|
|
"family_name": {Values: []*structpb.Value{structpb.NewStringValue("Smith")}},
|
|
},
|
|
}),
|
|
makeRecord(&user.User{
|
|
Id: "USER_ID",
|
|
Email: "test@example.com",
|
|
}),
|
|
},
|
|
Input{Session: InputSession{ID: "SESSION_ID"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{true, A{ReasonClaimOK}, M{}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("by session claim via has", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- claim/family_name:
|
|
has: Smith
|
|
`,
|
|
[]*databroker.Record{
|
|
makeRecord(&session.Session{
|
|
Id: "SESSION_ID",
|
|
UserId: "USER_ID",
|
|
Claims: map[string]*structpb.ListValue{
|
|
"family_name": {Values: []*structpb.Value{structpb.NewStringValue("Smith")}},
|
|
},
|
|
}),
|
|
makeRecord(&user.User{
|
|
Id: "USER_ID",
|
|
Email: "test@example.com",
|
|
}),
|
|
},
|
|
Input{Session: InputSession{ID: "SESSION_ID"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{true, A{ReasonClaimOK}, M{}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("no claim via has", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- claim/family_name:
|
|
has: Smith
|
|
`,
|
|
[]*databroker.Record{
|
|
makeRecord(&session.Session{
|
|
Id: "SESSION_ID",
|
|
UserId: "USER_ID",
|
|
}),
|
|
makeRecord(&user.User{
|
|
Id: "USER_ID",
|
|
Email: "test@example.com",
|
|
}),
|
|
},
|
|
Input{Session: InputSession{ID: "SESSION_ID"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{false, A{ReasonClaimUnauthorized}, M{}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("by user claim", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- claim/family_name: Smith
|
|
`,
|
|
[]*databroker.Record{
|
|
makeRecord(&session.Session{
|
|
Id: "SESSION_ID",
|
|
UserId: "USER_ID",
|
|
}),
|
|
makeRecord(&user.User{
|
|
Id: "USER_ID",
|
|
Email: "test@example.com",
|
|
Claims: map[string]*structpb.ListValue{
|
|
"family_name": {Values: []*structpb.Value{structpb.NewStringValue("Smith")}},
|
|
},
|
|
}),
|
|
},
|
|
Input{Session: InputSession{ID: "SESSION_ID"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{true, A{ReasonClaimOK}, M{}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("special keys", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- claim/example.com/key: value
|
|
`,
|
|
[]*databroker.Record{
|
|
makeRecord(&session.Session{
|
|
Id: "SESSION_ID",
|
|
UserId: "USER_ID",
|
|
Claims: map[string]*structpb.ListValue{
|
|
"example.com/key": {Values: []*structpb.Value{structpb.NewStringValue("value")}},
|
|
},
|
|
}),
|
|
makeRecord(&user.User{
|
|
Id: "USER_ID",
|
|
Email: "test@example.com",
|
|
}),
|
|
},
|
|
Input{Session: InputSession{ID: "SESSION_ID"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{true, A{ReasonClaimOK}, M{}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
}
|