package accessctl

import (
	"errors"
	"testing"

	"dehub.dev/src/dehub.git/sigcred"
)

// TestAssertCanCommit pins the evaluation order of an access control list as
// seen through AssertCanCommit: the expectations below only hold if the first
// entry whose filter matches the request decides the outcome, and if a
// request matched by no listed entry falls through to a default decision.
//
// Denials are asserted by error type (ErrCommitRequestDenied) rather than by
// "any non-nil error", so an unrelated failure inside AssertCanCommit cannot
// pass for a deny.
func TestAssertCanCommit(t *testing.T) {
	// onType returns a single-filter list matching payloads of the given type.
	// A fresh FilterPayloadType is allocated per call, as in a literal.
	onType := func(typ string) []FilterUnion {
		return []FilterUnion{{
			PayloadType: &FilterPayloadType{Type: typ},
		}}
	}

	// allowType / denyType build one ACL entry acting on a payload type.
	allowType := func(typ string) AccessControl {
		return AccessControl{Action: ActionAllow, Filters: onType(typ)}
	}
	denyType := func(typ string) AccessControl {
		return AccessControl{Action: ActionDeny, Filters: onType(typ)}
	}

	// signedBy returns a credential list holding one (empty) PGP signature
	// credential attributed to the given account.
	signedBy := func(accountID string) []sigcred.CredentialUnion {
		return []sigcred.CredentialUnion{{
			PGPSignature: new(sigcred.CredentialPGPSignature),
			AccountID:    accountID,
		}}
	}

	cases := []struct {
		name        string
		rules       []AccessControl
		commit      CommitRequest
		wantAllowed bool
	}{
		// Both entries match; the earlier one must win.
		{
			name:        "first allows",
			rules:       []AccessControl{allowType("foo"), denyType("foo")},
			commit:      CommitRequest{Type: "foo"},
			wantAllowed: true,
		},
		{
			name:        "first denies",
			rules:       []AccessControl{denyType("foo"), allowType("foo")},
			commit:      CommitRequest{Type: "foo"},
			wantAllowed: false,
		},

		// The first entry targets another payload type and must be skipped.
		{
			name:        "second allows",
			rules:       []AccessControl{denyType("bar"), allowType("foo")},
			commit:      CommitRequest{Type: "foo"},
			wantAllowed: true,
		},
		{
			name:        "second denies",
			rules:       []AccessControl{denyType("bar"), denyType("foo")},
			commit:      CommitRequest{Type: "foo"},
			wantAllowed: false,
		},

		// No listed entry matches. The default decision is defined outside
		// this file; these two cases only pin that, for a PGP-signed "foo"
		// payload, it allows on branch "not_main" and denies on "main".
		{
			name:  "default allows",
			rules: []AccessControl{denyType("bar")},
			commit: CommitRequest{
				Branch:      "not_main",
				Type:        "foo",
				Credentials: signedBy("a"),
			},
			wantAllowed: true,
		},
		{
			name:  "default denies",
			rules: []AccessControl{denyType("bar")},
			commit: CommitRequest{
				Branch:      "main",
				Type:        "foo",
				Credentials: signedBy("a"),
			},
			wantAllowed: false,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			err := AssertCanCommit(tc.rules, tc.commit)

			if tc.wantAllowed {
				if err != nil {
					t.Fatalf("expected to be allowed but got: %v", err)
				}
				return
			}

			// A nil error also fails here: errors.As reports false for nil.
			var denied ErrCommitRequestDenied
			if !errors.As(err, &denied) {
				t.Fatalf("expected to be denied but got: %v", err)
			}
		})
	}
}