dehub/accessctl/access_control_test.go

package accessctl

import (
	"errors"
	"testing"

	"dehub.dev/src/dehub.git/sigcred"
)

func TestAssertCanCommit(t *testing.T) {
	tests := []struct {
		descr   string
		acl     []AccessControl
		req     CommitRequest
		allowed bool
	}{
		{
			descr: "first allows",
			acl: []AccessControl{
				{
					Action: ActionAllow,
					Filters: []FilterUnion{{
						PayloadType: &FilterPayloadType{Type: "foo"},
					}},
				},
				{
					Action: ActionDeny,
					Filters: []FilterUnion{{
						PayloadType: &FilterPayloadType{Type: "foo"},
					}},
				},
			},
			req:     CommitRequest{Type: "foo"},
			allowed: true,
		},
		{
			descr: "first denies",
			acl: []AccessControl{
				{
					Action: ActionDeny,
					Filters: []FilterUnion{{
						PayloadType: &FilterPayloadType{Type: "foo"},
					}},
				},
				{
					Action: ActionAllow,
					Filters: []FilterUnion{{
						PayloadType: &FilterPayloadType{Type: "foo"},
					}},
				},
			},
			req:     CommitRequest{Type: "foo"},
			allowed: false,
		},
		{
			descr: "second allows",
			acl: []AccessControl{
				{
					Action: ActionDeny,
					Filters: []FilterUnion{{
						PayloadType: &FilterPayloadType{Type: "bar"},
					}},
				},
				{
					Action: ActionAllow,
					Filters: []FilterUnion{{
						PayloadType: &FilterPayloadType{Type: "foo"},
					}},
				},
			},
			req:     CommitRequest{Type: "foo"},
			allowed: true,
		},
		{
			descr: "second denies",
			acl: []AccessControl{
				{
					Action: ActionDeny,
					Filters: []FilterUnion{{
						PayloadType: &FilterPayloadType{Type: "bar"},
					}},
				},
				{
					Action: ActionDeny,
					Filters: []FilterUnion{{
						PayloadType: &FilterPayloadType{Type: "foo"},
					}},
				},
			},
			req:     CommitRequest{Type: "foo"},
			allowed: false,
		},
		{
			descr: "default allows",
			acl: []AccessControl{
				{
					Action: ActionDeny,
					Filters: []FilterUnion{{
						PayloadType: &FilterPayloadType{Type: "bar"},
					}},
				},
			},
			req: CommitRequest{
				Branch: "not_main",
				Type:   "foo",
				Credentials: []sigcred.CredentialUnion{{
					PGPSignature: new(sigcred.CredentialPGPSignature),
					AccountID:    "a",
				}},
			},
			allowed: true,
		},
		{
			descr: "default denies",
			acl: []AccessControl{
				{
					Action: ActionDeny,
					Filters: []FilterUnion{{
						PayloadType: &FilterPayloadType{Type: "bar"},
					}},
				},
			},
			req: CommitRequest{
				Branch: "main",
				Type:   "foo",
				Credentials: []sigcred.CredentialUnion{{
					PGPSignature: new(sigcred.CredentialPGPSignature),
					AccountID:    "a",
				}},
			},
			allowed: false,
		},
	}

	for _, test := range tests {
		t.Run(test.descr, func(t *testing.T) {
			err := AssertCanCommit(test.acl, test.req)
			if test.allowed && err != nil {
				t.Fatalf("expected to be allowed but got: %v", err)
			} else if !test.allowed && !errors.As(err, new(ErrCommitRequestDenied)) {
				t.Fatalf("expected to be denied but got: %v", err)
			}
		})
	}
}