mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-04 12:56:02 +02:00
168 lines
5.3 KiB
Go
168 lines
5.3 KiB
Go
package criteria
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/pomerium/pomerium/pkg/grpc/device"
|
|
"github.com/pomerium/pomerium/pkg/grpc/session"
|
|
)
|
|
|
|
func TestDevice(t *testing.T) {
|
|
mkDeviceSession := func(sessionID, deviceType, deviceCredentialID string) *session.Session {
|
|
return &session.Session{
|
|
Id: sessionID,
|
|
DeviceCredentials: []*session.Session_DeviceCredential{
|
|
{TypeId: deviceType, Credential: &session.Session_DeviceCredential_Id{Id: deviceCredentialID}},
|
|
},
|
|
}
|
|
}
|
|
|
|
t.Run("no session", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- device:
|
|
is: dc1
|
|
`, []dataBrokerRecord{}, Input{Session: InputSession{ID: "s1"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{false, A{ReasonUserUnauthenticated}, M{"device_type": "any"}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("no device credential", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- device:
|
|
is: dc1
|
|
`, []dataBrokerRecord{
|
|
mkDeviceSession("s1", "any", "dc1"),
|
|
}, Input{Session: InputSession{ID: "s1"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{false, A{ReasonDeviceUnauthenticated}, M{"device_type": "any"}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("allowed by is", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- device:
|
|
is: dc1
|
|
`, []dataBrokerRecord{
|
|
mkDeviceSession("s1", "any", "dc1"),
|
|
&device.Credential{Id: "dc1", EnrollmentId: "de1"},
|
|
&device.Enrollment{Id: "de1"},
|
|
}, Input{Session: InputSession{ID: "s1"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{true, A{ReasonDeviceOK}, M{"device_type": "any"}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("not allowed by is", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- device:
|
|
is: dc2
|
|
`, []dataBrokerRecord{
|
|
mkDeviceSession("s1", "any", "dc1"),
|
|
&device.Credential{Id: "dc1", EnrollmentId: "de1"},
|
|
&device.Enrollment{Id: "de1"},
|
|
&device.Credential{Id: "dc2", EnrollmentId: "de2"},
|
|
&device.Enrollment{Id: "de2"},
|
|
}, Input{Session: InputSession{ID: "s1"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{false, A{ReasonDeviceUnauthorized}, M{"device_type": "any"}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("allowed by approved", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- device:
|
|
approved: true
|
|
`, []dataBrokerRecord{
|
|
mkDeviceSession("s1", "any", "dc1"),
|
|
&device.Credential{Id: "dc1", EnrollmentId: "de1"},
|
|
&device.Enrollment{Id: "de1", ApprovedBy: "u1"},
|
|
}, Input{Session: InputSession{ID: "s1"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{true, A{ReasonDeviceOK}, M{"device_type": "any"}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("not allowed by approved", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- device:
|
|
approved: true
|
|
`, []dataBrokerRecord{
|
|
mkDeviceSession("s1", "any", "dc1"),
|
|
&device.Credential{Id: "dc1", EnrollmentId: "de1"},
|
|
&device.Enrollment{Id: "de1"},
|
|
}, Input{Session: InputSession{ID: "s1"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{false, A{ReasonDeviceUnauthorized}, M{"device_type": "any"}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("allowed by not approved", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- device:
|
|
approved: false
|
|
`, []dataBrokerRecord{
|
|
mkDeviceSession("s1", "any", "dc1"),
|
|
&device.Credential{Id: "dc1", EnrollmentId: "de1"},
|
|
&device.Enrollment{Id: "de1"},
|
|
}, Input{Session: InputSession{ID: "s1"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{true, A{ReasonDeviceOK}, M{"device_type": "any"}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("not allowed by not approved", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- device:
|
|
approved: false
|
|
`, []dataBrokerRecord{
|
|
mkDeviceSession("s1", "any", "dc1"),
|
|
&device.Credential{Id: "dc1", EnrollmentId: "de1"},
|
|
&device.Enrollment{Id: "de1", ApprovedBy: "u1"},
|
|
}, Input{Session: InputSession{ID: "s1"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{false, A{ReasonDeviceUnauthorized}, M{"device_type": "any"}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("allowed by type", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- device:
|
|
type: t1
|
|
`, []dataBrokerRecord{
|
|
mkDeviceSession("s1", "t1", "dc1"),
|
|
&device.Credential{Id: "dc1", EnrollmentId: "de1", TypeId: "t1"},
|
|
&device.Enrollment{Id: "de1", ApprovedBy: "u1"},
|
|
}, Input{Session: InputSession{ID: "s1"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{true, A{ReasonDeviceOK}, M{"device_type": "t1"}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
t.Run("not allowed by type", func(t *testing.T) {
|
|
res, err := evaluate(t, `
|
|
allow:
|
|
and:
|
|
- device:
|
|
type: t2
|
|
`, []dataBrokerRecord{
|
|
mkDeviceSession("s1", "t1", "dc1"),
|
|
&device.Credential{Id: "dc1", EnrollmentId: "de1", TypeId: "t1"},
|
|
&device.Enrollment{Id: "de1", ApprovedBy: "u1"},
|
|
}, Input{Session: InputSession{ID: "s1"}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, A{false, A{ReasonDeviceUnauthenticated}, M{"device_type": "t2"}}, res["allow"])
|
|
require.Equal(t, A{false, A{}}, res["deny"])
|
|
})
|
|
}
|