| OLD | NEW |
| 1 // Copyright 2017 The LUCI Authors. | 1 // Copyright 2017 The LUCI Authors. |
| 2 // | 2 // |
| 3 // Licensed under the Apache License, Version 2.0 (the "License"); | 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 // you may not use this file except in compliance with the License. | 4 // you may not use this file except in compliance with the License. |
| 5 // You may obtain a copy of the License at | 5 // You may obtain a copy of the License at |
| 6 // | 6 // |
| 7 // http://www.apache.org/licenses/LICENSE-2.0 | 7 // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 // | 8 // |
| 9 // Unless required by applicable law or agreed to in writing, software | 9 // Unless required by applicable law or agreed to in writing, software |
| 10 // distributed under the License is distributed on an "AS IS" BASIS, | 10 // distributed under the License is distributed on an "AS IS" BASIS, |
| 61 _, err := ValidateAclSets(sets) | 61 _, err := ValidateAclSets(sets) |
| 62 So(err, ShouldNotBeNil) | 62 So(err, ShouldNotBeNil) |
| 63 } | 63 } |
| 64 | 64 |
| 65 shouldError(&messages.AclSet{Name: "one"}) | 65 shouldError(&messages.AclSet{Name: "one"}) |
| 66 shouldError(&messages.AclSet{Name: "?bad i'd", Acls: validGrants
}) | 66 shouldError(&messages.AclSet{Name: "?bad i'd", Acls: validGrants
}) |
| 67 shouldError(validAclSet, validAclSet) | 67 shouldError(validAclSet, validAclSet) |
| 68 }) | 68 }) |
| 69 | 69 |
| 70 Convey("Task Acls", t, func() { | 70 Convey("Task Acls", t, func() { |
| 71 » » Convey("Without AclSets", func() { | 71 » » Convey("READER and OWNER ACLs are required", func() { |
| 72 » » » jobAcls, err := ValidateTaskAcls(nil, []string{}, validG
rants) | 72 » » » _, err := ValidateTaskAcls(nil, []string{}, |
| 73 » » » So(err, ShouldBeNil) | 73 » » » » []*messages.Acl{{Role: messages.Acl_READER, Gran
tedTo: "group:readers"}}) |
| 74 » » » So(jobAcls.Owners, ShouldResemble, []string{}) | 74 » » » So(err.Error(), ShouldResemble, "Job or Trigger must hav
e OWNER acl set") |
| 75 » » » So(jobAcls.Readers, ShouldResemble, []string{"group:all"
}) | 75 |
| 76 » » » _, err = ValidateTaskAcls(nil, []string{}, |
| 77 » » » » []*messages.Acl{{Role: messages.Acl_OWNER, Grant
edTo: "group:owners"}}) |
| 78 » » » So(err.Error(), ShouldResemble, "Job or Trigger must hav
e READER acl set") |
| 76 }) | 79 }) |
| 77 | 80 |
| 78 Convey("Without AclSets but with bad ACLs", func() { | 81 Convey("Without AclSets but with bad ACLs", func() { |
| 79 _, err := ValidateTaskAcls(nil, []string{}, []*messages.
Acl{ | 82 _, err := ValidateTaskAcls(nil, []string{}, []*messages.
Acl{ |
| 80 {Role: messages.Acl_OWNER, GrantedTo: ""}}) | 83 {Role: messages.Acl_OWNER, GrantedTo: ""}}) |
| 81 So(err, ShouldNotBeNil) | 84 So(err, ShouldNotBeNil) |
| 82 }) | 85 }) |
| 83 | 86 |
| 84 Convey("Many ACLs", func() { | 87 Convey("Many ACLs", func() { |
| 85 taskGrants := make([]*messages.Acl, maxGrantsPerJob) | 88 taskGrants := make([]*messages.Acl, maxGrantsPerJob) |
| 86 » » » for i := 0; i < maxGrantsPerJob; i++ { | 89 » » » taskGrants[0] = &messages.Acl{Role: messages.Acl_READER,
GrantedTo: "group:readers"} |
| 90 » » » for i := 1; i < maxGrantsPerJob; i++ { |
| 87 taskGrants[i] = &messages.Acl{Role: messages.Acl
_OWNER, GrantedTo: fmt.Sprintf("group:%d", i)} | 91 taskGrants[i] = &messages.Acl{Role: messages.Acl
_OWNER, GrantedTo: fmt.Sprintf("group:%d", i)} |
| 88 } | 92 } |
| 93 So(len(taskGrants), ShouldEqual, maxGrantsPerJob) |
| 89 Convey("Hitting max is OK", func() { | 94 Convey("Hitting max is OK", func() { |
| 90 r, err := ValidateTaskAcls(nil, []string{}, task
Grants) | 95 r, err := ValidateTaskAcls(nil, []string{}, task
Grants) |
| 91 So(err, ShouldBeNil) | 96 So(err, ShouldBeNil) |
| 92 » » » » So(len(r.Owners), ShouldEqual, maxGrantsPerJob) | 97 » » » » So(len(r.Readers), ShouldEqual, 1) |
| 98 » » » » So(len(r.Owners), ShouldEqual, maxGrantsPerJob-1
) |
| 93 }) | 99 }) |
| 94 Convey("1 too many", func() { | 100 Convey("1 too many", func() { |
| 95 aclSets := map[string][]*messages.Acl{ | 101 aclSets := map[string][]*messages.Acl{ |
| 96 "public": {{Role: messages.Acl_READER, G
rantedTo: "group:all"}}, | 102 "public": {{Role: messages.Acl_READER, G
rantedTo: "group:all"}}, |
| 97 } | 103 } |
| 98 _, err := ValidateTaskAcls(aclSets, []string{"pu
blic"}, taskGrants) | 104 _, err := ValidateTaskAcls(aclSets, []string{"pu
blic"}, taskGrants) |
| 99 So(err.Error(), ShouldResemble, "Job or Trigger
can have at most 32 acls, but 33 given") | 105 So(err.Error(), ShouldResemble, "Job or Trigger
can have at most 32 acls, but 33 given") |
| 100 }) | 106 }) |
| 101 }) | 107 }) |
| 102 | 108 |
| 209 Convey("GrantsByRole.Equal", t, func() { | 215 Convey("GrantsByRole.Equal", t, func() { |
| 210 x1 := GrantsByRole{Readers: []string{"a"}, Owners: []string{"b",
"c"}} | 216 x1 := GrantsByRole{Readers: []string{"a"}, Owners: []string{"b",
"c"}} |
| 211 x2 := GrantsByRole{Readers: []string{"a"}, Owners: []string{"b",
"c"}} | 217 x2 := GrantsByRole{Readers: []string{"a"}, Owners: []string{"b",
"c"}} |
| 212 So(x1.Equal(&x2), ShouldBeTrue) | 218 So(x1.Equal(&x2), ShouldBeTrue) |
| 213 y := GrantsByRole{Readers: []string{"e", "g"}, Owners: []string{
"b", "d"}} | 219 y := GrantsByRole{Readers: []string{"e", "g"}, Owners: []string{
"b", "d"}} |
| 214 z := GrantsByRole{Readers: []string{"e", "g"}, Owners: []string{
"b", "c", "d"}} | 220 z := GrantsByRole{Readers: []string{"e", "g"}, Owners: []string{
"b", "c", "d"}} |
| 215 So(x1.Equal(&y), ShouldBeFalse) | 221 So(x1.Equal(&y), ShouldBeFalse) |
| 216 So(y.Equal(&z), ShouldBeFalse) | 222 So(y.Equal(&z), ShouldBeFalse) |
| 217 }) | 223 }) |
| 218 } | 224 } |
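Review bot: The rewritten "READER and OWNER ACLs are required" case (new lines 71-79) checks each role missing on its own but not the input with no grants at all, which is the fail-closed path this requirement exists to guarantee; the removed assertions show that a job with an empty owner list used to validate. Consider adding `_, err = ValidateTaskAcls(nil, []string{}, nil)` and `So(err, ShouldNotBeNil)` to that block, unless one of the skipped cases already covers it. Also, both `So(err.Error(), ShouldResemble, ...)` lines there dereference `err` without first asserting `So(err, ShouldNotBeNil)`, so a regression that lets these ACLs through would surface as a nil-pointer panic instead of a readable assertion failure.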
| OLD | NEW |