| Index: milo/appengine/settings/acl_test.go
|
| diff --git a/milo/appengine/settings/acl_test.go b/milo/appengine/settings/acl_test.go
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..a432f500324ac89606d8bfe6479c4dda55da092d
|
| --- /dev/null
|
| +++ b/milo/appengine/settings/acl_test.go
|
| @@ -0,0 +1,169 @@
|
| +// Copyright 2016 The LUCI Authors. All rights reserved.
|
| +// Use of this source code is governed under the Apache License, Version 2.0
|
| +// that can be found in the LICENSE file.
|
| +
|
| +package settings
|
| +
|
| +import (
|
| + "net"
|
| + "strings"
|
| + "testing"
|
| +
|
| + "github.com/luci/gae/impl/memory"
|
| + lucicfg "github.com/luci/luci-go/common/config"
|
| + memcfg "github.com/luci/luci-go/common/config/impl/memory"
|
| + "github.com/luci/luci-go/common/logging/gologger"
|
| + "github.com/luci/luci-go/server/auth"
|
| + "github.com/luci/luci-go/server/auth/authdb"
|
| + "github.com/luci/luci-go/server/auth/identity"
|
| + "github.com/luci/luci-go/server/secrets"
|
| + "golang.org/x/net/context"
|
| +
|
| + . "github.com/smartystreets/goconvey/convey"
|
| +)
|
| +
|
| +func TestACL(t *testing.T) {
|
| + t.Parallel()
|
| +
|
| + Convey("Test Environment", t, func() {
|
| + c := memory.UseWithAppID(context.Background(), "dev~luci-milo")
|
| + c = gologger.StdConfig.Use(c)
|
| +
|
| + Convey("Set up projects", func() {
|
| + c = lucicfg.SetImplementation(c, memcfg.New(aclConfgs))
|
| + err := update(c)
|
| + So(err, ShouldBeNil)
|
| +
|
| + Convey("Anon wants to...", func() {
|
| + c = auth.WithState(c, fakeState{})
|
| + Convey("Read public project", func() {
|
| + ok := IsAllowed(c, "opensource", false)
|
| + So(ok, ShouldEqual, true)
|
| + })
|
| + Convey("Edit public project", func() {
|
| + c = auth.WithState(c, fakeState{})
|
| + ok := IsAllowed(c, "opensource", true)
|
| + So(ok, ShouldEqual, false)
|
| + })
|
| + Convey("Read private project", func() {
|
| + ok := IsAllowed(c, "secret", false)
|
| + So(ok, ShouldEqual, false)
|
| + })
|
| +
|
| + })
|
| +
|
| + Convey("Foobar wants to...", func() {
|
| + c = auth.WithState(c, fakeState{"foo@bar.com"})
|
| + Convey("Read public project", func() {
|
| + ok := IsAllowed(c, "opensource", false)
|
| + So(ok, ShouldEqual, true)
|
| + })
|
| +
|
| + Convey("Edit public project", func() {
|
| + ok := IsAllowed(c, "opensource", true)
|
| + So(ok, ShouldEqual, true)
|
| + })
|
| +
|
| + Convey("Edit private project", func() {
|
| + ok := IsAllowed(c, "secret", true)
|
| + So(ok, ShouldEqual, true)
|
| + })
|
| + })
|
| +
|
| + Convey("alicebob@google.com wants to...", func() {
|
| + c = auth.WithState(c, fakeState{"alicebob@google.com"})
|
| + Convey("Read private project", func() {
|
| + ok := IsAllowed(c, "secret", true)
|
| + So(ok, ShouldEqual, true)
|
| + })
|
| + })
|
| +
|
| + Convey("eve@notgoogle.com wants to...", func() {
|
| + c = auth.WithState(c, fakeState{"eve@notgoogle.com"})
|
| + Convey("Read private project", func() {
|
| + ok := IsAllowed(c, "secret", false)
|
| + So(ok, ShouldEqual, false)
|
| + })
|
| + })
|
| + })
|
| + })
|
| +}
|
| +
|
| +type testingAuthDB struct{}
|
| +
|
| +func (a testingAuthDB) IsAllowedOAuthClientID(
|
| + c context.Context, email, clientID string) (bool, error) {
|
| + panic("Not Implemented")
|
| +}
|
| +
|
| +func (a testingAuthDB) IsMember(
|
| + c context.Context, id identity.Identity, group string) (bool, error) {
|
| + if id.Kind() == identity.User &&
|
| + strings.HasSuffix(id.Value(), "@google.com") {
|
| + return true, nil
|
| + }
|
| + return false, nil
|
| +}
|
| +func (a testingAuthDB) SharedSecrets(c context.Context) (secrets.Store, error) {
|
| + panic("Not Implemented")
|
| +}
|
| +
|
| +func (a testingAuthDB) GetWhitelistForIdentity(
|
| + c context.Context, ident identity.Identity) (string, error) {
|
| +
|
| + panic("Not Implemented")
|
| +}
|
| +func (a testingAuthDB) IsInWhitelist(
|
| + c context.Context, ip net.IP, whitelist string) (bool, error) {
|
| +
|
| + panic("Not Implemented")
|
| +}
|
| +func (a testingAuthDB) GetAuthServiceURL(c context.Context) (string, error) {
|
| + panic("Not Implemented")
|
| +}
|
| +
|
| +type fakeState struct{ Who string }
|
| +
|
| +func (s fakeState) DB() authdb.DB {
|
| + return testingAuthDB{}
|
| +}
|
| +func (s fakeState) Method() auth.Method {
|
| + return nil
|
| +}
|
| +func (s fakeState) User() *auth.User {
|
| + if s.Who == "" {
|
| + return &auth.User{Identity: identity.AnonymousIdentity}
|
| + }
|
| + id, _ := identity.MakeIdentity("user:" + s.Who)
|
| + return &auth.User{
|
| + Identity: id,
|
| + Email: s.Who,
|
| + }
|
| +}
|
| +func (s fakeState) PeerIdentity() identity.Identity {
|
| + return identity.AnonymousIdentity
|
| +}
|
| +func (s fakeState) PeerIP() net.IP {
|
| + return nil
|
| +}
|
| +
|
| +var secretProjectCfg = `
|
| +ID: "secret"
|
| +Readers: "google.com"
|
| +Writers: "foo@bar.com"
|
| +`
|
| +
|
| +var publicProjectCfg = `
|
| +ID: "opensource"
|
| +Readers: "public"
|
| +Writers: "foo@bar.com"
|
| +`
|
| +
|
| +var aclConfgs = map[string]memcfg.ConfigSet{
|
| + "projects/secret.git": {
|
| + "luci-milo.cfg": secretProjectCfg,
|
| + },
|
| + "projects/opensource.git": {
|
| + "luci-milo.cfg": publicProjectCfg,
|
| + },
|
| +}
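Review bot: The "alicebob@google.com wants to... Read private project" case (`ok := IsAllowed(c, "secret", true)`) passes the same third argument that every "Edit" case uses, so it exercises a write, not a read, while the fixture only lists google.com under Readers for "secret"; if this assertion really passes, the test is locking in a reader being granted write access, and if it does not, the case is simply mislabeled. IsAllowed is defined outside this hunk, so I am assuming its third argument is the write flag as the other cases treat it. The alicebob subtree should assert the read as allowed and add the missing negative case that a reader cannot edit the private project, which is the privilege-escalation check an ACL test most needs. The same "read" wording with a `true` flag does not recur elsewhere in the file.
```go
		Convey("alicebob@google.com wants to...", func() {
			c = auth.WithState(c, fakeState{"alicebob@google.com"})
			Convey("Read private project", func() {
				ok := IsAllowed(c, "secret", false)
				So(ok, ShouldEqual, true)
			})
			Convey("Edit private project", func() {
				// google.com appears only in Readers, so a write must be denied.
				ok := IsAllowed(c, "secret", true)
				So(ok, ShouldEqual, false)
			})
		})
		// … unchanged: eve@notgoogle.com subtree …
```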
|
|
|