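--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,169 @@
+// Copyright 2016 The LUCI Authors. All rights reserved.
+// Use of this source code is governed under the Apache License, Version 2.0
+// that can be found in the LICENSE file.
+
+package settings
+
+import (
+"net"
+"strings"
+"testing"
+
+"github.com/luci/gae/impl/memory"
+lucicfg "github.com/luci/luci-go/common/config"
+memcfg "github.com/luci/luci-go/common/config/impl/memory"
+"github.com/luci/luci-go/common/logging/gologger"
+"github.com/luci/luci-go/server/auth"
+"github.com/luci/luci-go/server/auth/authdb"
+"github.com/luci/luci-go/server/auth/identity"
+"github.com/luci/luci-go/server/secrets"
+"golang.org/x/net/context"
+
+. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestACL(t *testing.T) {
+t.Parallel()
+
+Convey("Test Environment", t, func() {
+c := memory.UseWithAppID(context.Background(), "dev~luci-milo")
+c = gologger.StdConfig.Use(c)
+
+Convey("Set up projects", func() {
+c = lucicfg.SetImplementation(c, memcfg.New(aclConfgs))
+err := update(c)
+So(err, ShouldBeNil)
+
+Convey("Anon wants to...", func() {
+c = auth.WithState(c, fakeState{})
+Convey("Read public project", func() {
+ok := IsAllowed(c, "opensource", false)
+So(ok, ShouldEqual, true)
+})
+Convey("Edit public project", func() {
+c = auth.WithState(c, fakeState{})
+ok := IsAllowed(c, "opensource", true)
+So(ok, ShouldEqual, false)
+})
+Convey("Read private project", func() {
+ok := IsAllowed(c, "secret", false)
+So(ok, ShouldEqual, false)
+})
+
+})
+
+Convey("Foobar wants to...", func() {
+c = auth.WithState(c, fakeState{"foo@bar.com"})
+Convey("Read public project", func() {
+ok := IsAllowed(c, "opensource", false)
+So(ok, ShouldEqual, true)
+})
+
+Convey("Edit public project", func() {
+ok := IsAllowed(c, "opensource", true)
+So(ok, ShouldEqual, true)
+})
+
+Convey("Edit private project", func() {
+ok := IsAllowed(c, "secret", true)
+So(ok, ShouldEqual, true)
+})
+})
+
+Convey("alicebob@google.com wants to...", func() {
+c = auth.WithState(c, fakeState{"alicebob@google.com"})
+Convey("Read private project", func() {
+ok := IsAllowed(c, "secret", true)
+So(ok, ShouldEqual, true)
+})
+})
+
+Convey("eve@notgoogle.com wants to...", func() {
+c = auth.WithState(c, fakeState{"eve@notgoogle.com"})
+Convey("Read private project", func() {
+ok := IsAllowed(c, "secret", false)
+So(ok, ShouldEqual, false)
+})
+})
+})
+})
+}
+
+type testingAuthDB struct{}
+
+func (a testingAuthDB) IsAllowedOAuthClientID(
+c context.Context, email, clientID string) (bool, error) {
+panic("Not Implemented")
+}
+
+func (a testingAuthDB) IsMember(
+c context.Context, id identity.Identity, group string) (bool, error) {
+if id.Kind() == identity.User &&
+strings.HasSuffix(id.Value(), "@google.com") {
+return true, nil
+}
+return false, nil
+}
+func (a testingAuthDB) SharedSecrets(c context.Context) (secrets.Store, error) {
+panic("Not Implemented")
+}
+
+func (a testingAuthDB) GetWhitelistForIdentity(
+c context.Context, ident identity.Identity) (string, error) {
+
+panic("Not Implemented")
+}
+func (a testingAuthDB) IsInWhitelist(
+c context.Context, ip net.IP, whitelist string) (bool, error) {
+
+panic("Not Implemented")
+}
+func (a testingAuthDB) GetAuthServiceURL(c context.Context) (string, error) {
+panic("Not Implemented")
+}
+
+type fakeState struct{ Who string }
+
+func (s fakeState) DB() authdb.DB {
+return testingAuthDB{}
+}
+func (s fakeState) Method() auth.Method {
+return nil
+}
+func (s fakeState) User() *auth.User {
+if s.Who == "" {
+return &auth.User{Identity: identity.AnonymousIdentity}
+}
+id, _ := identity.MakeIdentity("user:" + s.Who)
+return &auth.User{
+Identity: id,
+Email: s.Who,
+}
+}
+func (s fakeState) PeerIdentity() identity.Identity {
+return identity.AnonymousIdentity
+}
+func (s fakeState) PeerIP() net.IP {
+return nil
+}
+
+var secretProjectCfg = `
+ID: "secret"
+Readers: "google.com"
+Writers: "foo@bar.com"
+`
+
+var publicProjectCfg = `
+ID: "opensource"
+Readers: "public"
+Writers: "foo@bar.com"
+`
+
+var aclConfgs = map[string]memcfg.ConfigSet{
+"projects/secret.git": {
+"luci-milo.cfg": secretProjectCfg,
+},
+"projects/opensource.git": {
+"luci-milo.cfg": publicProjectCfg,
+},
+}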
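Review bot: The "alicebob@google.com wants to... / Read private project" case (new lines 75–77) passes `true` as the third argument to IsAllowed, which every other case in this file uses for editing (lines 45, 63, 68) while the read cases pass `false`, so it actually asserts that a reader-only identity may write to "secret", whose Writers entry is only "foo@bar.com". That assertion presumably holds only because testingAuthDB.IsMember (lines 99–106) ignores its `group` argument and reports every @google.com user as a member of any group, so this fixture cannot catch an IsAllowed that consults the wrong ACL list. I would change the call to `ok := IsAllowed(c, "secret", false)`, add a sibling "Edit private project" case expecting `false`, and make the fake honour the group it is asked about — e.g. `if group != "google.com" { return false, nil }` ahead of the suffix check — on the assumption that IsAllowed passes the Readers value through as the group name, which is not visible here. The "Anon / Edit public project" case also re-applies `c = auth.WithState(c, fakeState{})` (line 44) although the enclosing Convey already set that state on line 38.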