blob: bf99b98088b315706b8a3cc8e433bd3accc8b8cd [file]
// Copyright 2018 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package server
import (
"testing"
pb "github.com/casbin/casbin-server/proto"
"github.com/casbin/casbin/v2/util"
"github.com/stretchr/testify/assert"
)
func testGetRoles(t *testing.T, e *testEngine, name string, res []string) {
t.Helper()
reply, err := e.s.GetRolesForUser(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, User: name})
assert.NoError(t, err)
t.Log("Roles for ", name, ": ", reply.Array)
if !util.SetEquals(res, reply.Array) {
t.Error("Roles for ", name, ": ", reply.Array, ", supposed to be ", res)
}
}
func testGetImplicitRoles(t *testing.T, e *testEngine, name string, res []string) {
t.Helper()
reply, err := e.s.GetImplicitRolesForUser(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, User: name})
assert.NoError(t, err)
t.Log("Implicit Roles for ", name, ": ", reply.Array)
if !util.SetEquals(res, reply.Array) {
t.Error("Implicit Roles for ", name, ": ", reply.Array, ", supposed to be ", res)
}
}
func testGetUsers(t *testing.T, e *testEngine, name string, res []string) {
t.Helper()
reply, err := e.s.GetUsersForRole(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, Role: name})
assert.NoError(t, err)
t.Log("Users for ", name, ": ", reply.Array)
if !util.SetEquals(res, reply.Array) {
t.Error("Users for ", name, ": ", reply.Array, ", supposed to be ", res)
}
}
func testHasRole(t *testing.T, e *testEngine, name string, role string, res bool) {
t.Helper()
reply, err := e.s.HasRoleForUser(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, User: name, Role: role})
assert.NoError(t, err)
t.Log(name, " has role ", role, ": ", reply.Res)
if res != reply.Res {
t.Error(name, " has role ", role, ": ", reply.Res, ", supposed to be ", res)
}
}
func TestRoleAPI(t *testing.T) {
e := newTestEngine(t, "file", "../examples/rbac_policy.csv", "../examples/rbac_model.conf")
testGetRoles(t, e, "alice", []string{"data2_admin"})
testGetRoles(t, e, "bob", []string{})
testGetRoles(t, e, "data2_admin", []string{})
testGetRoles(t, e, "non_exist", []string{})
testHasRole(t, e, "alice", "data1_admin", false)
testHasRole(t, e, "alice", "data2_admin", true)
_, err := e.s.AddRoleForUser(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, User: "alice", Role: "data1_admin"})
assert.NoError(t, err)
testGetRoles(t, e, "alice", []string{"data1_admin", "data2_admin"})
testGetRoles(t, e, "bob", []string{})
testGetRoles(t, e, "data2_admin", []string{})
_, err = e.s.DeleteRoleForUser(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, User: "alice", Role: "data1_admin"})
assert.NoError(t, err)
testGetRoles(t, e, "alice", []string{"data2_admin"})
testGetRoles(t, e, "bob", []string{})
testGetRoles(t, e, "data2_admin", []string{})
testGetImplicitRoles(t, e, "alice", []string{"data2_admin"})
testGetImplicitRoles(t, e, "bob", []string{})
testGetImplicitRoles(t, e, "george", []string{"data3_admin", "data4_admin"})
_, err = e.s.DeleteRolesForUser(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, User: "alice"})
assert.NoError(t, err)
testGetRoles(t, e, "alice", []string{})
testGetRoles(t, e, "bob", []string{})
testGetRoles(t, e, "data2_admin", []string{})
_, err = e.s.AddRoleForUser(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, User: "alice", Role: "data1_admin"})
assert.NoError(t, err)
_, err = e.s.DeleteUser(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, User: "alice"})
assert.NoError(t, err)
testGetRoles(t, e, "alice", []string{})
testGetRoles(t, e, "bob", []string{})
testGetRoles(t, e, "data2_admin", []string{})
_, err = e.s.AddRoleForUser(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, User: "alice", Role: "data2_admin"})
assert.NoError(t, err)
testEnforce(t, e, "alice", "data1", "read", true)
testEnforce(t, e, "alice", "data1", "write", false)
testEnforce(t, e, "alice", "data2", "read", true)
testEnforce(t, e, "alice", "data2", "write", true)
testEnforce(t, e, "bob", "data1", "read", false)
testEnforce(t, e, "bob", "data1", "write", false)
testEnforce(t, e, "bob", "data2", "read", false)
testEnforce(t, e, "bob", "data2", "write", true)
testEnforce(t, e, "bob", "data4", "read", false)
testEnforce(t, e, "george", "data4", "write", false)
testEnforce(t, e, "george", "data4", "read", true)
_, err = e.s.DeleteRole(e.ctx, &pb.UserRoleRequest{EnforcerHandler: e.h, Role: "data2_admin"})
assert.NoError(t, err)
testEnforce(t, e, "alice", "data1", "read", true)
testEnforce(t, e, "alice", "data1", "write", false)
testEnforce(t, e, "alice", "data2", "read", false)
testEnforce(t, e, "alice", "data2", "write", false)
testEnforce(t, e, "bob", "data1", "read", false)
testEnforce(t, e, "bob", "data1", "write", false)
testEnforce(t, e, "bob", "data2", "read", false)
testEnforce(t, e, "bob", "data2", "write", true)
testGetPermissions(t, e, "alice", [][]string{{"alice", "data1", "read"}}) //Added these in this class as it's part of RBAC.
testGetPermissions(t, e, "bob", [][]string{{"bob", "data2", "write"}})
testGetPermissions(t, e, "george", [][]string{})
testGetPermissions(t, e, "data3_admin", [][]string{{"data3_admin", "data3", "admin"}})
testGetImplicitPermissions(t, e, "bob", [][]string{{"bob", "data2", "write"}})
testGetImplicitPermissions(t, e, "data3_admin", [][]string{{"data3_admin", "data3", "admin"}, {"data4_admin", "data4", "read"}})
}
func testGetPermissions(t *testing.T, e *testEngine, name string, res [][]string) {
t.Helper()
reply, err := e.s.GetPermissionsForUser(e.ctx, &pb.PermissionRequest{EnforcerHandler: e.h, User: name})
assert.NoError(t, err)
myRes := extractFromArray2DReply(reply)
t.Log("Permissions for ", name, ": ", myRes)
if !util.Array2DEquals(res, myRes) {
t.Error("Permissions for ", name, ": ", myRes, ", supposed to be ", res)
}
}
func testGetImplicitPermissions(t *testing.T, e *testEngine, name string, res [][]string) {
t.Helper()
reply, err := e.s.GetImplicitPermissionsForUser(e.ctx, &pb.PermissionRequest{EnforcerHandler: e.h, User: name})
assert.NoError(t, err)
myRes := extractFromArray2DReply(reply)
t.Log("Implicit Permissions for ", name, ": ", myRes)
if !util.Array2DEquals(res, myRes) {
t.Error("Implicit Permissions for ", name, ": ", myRes, ", supposed to be ", res)
}
}
func testHasPermission(t *testing.T, e *testEngine, name string, permission []string, res bool) {
t.Helper()
reply, err := e.s.HasPermissionForUser(e.ctx, &pb.PermissionRequest{EnforcerHandler: e.h, User: name, Permissions: permission})
assert.NoError(t, err)
t.Log(name, " has permission ", util.ArrayToString(permission), ": ", reply.Res)
if res != reply.Res {
t.Error(name, " has permission ", util.ArrayToString(permission), ": ", reply.Res, ", supposed to be ", res)
}
}
func TestPermissionAPI(t *testing.T) {
e := newTestEngine(t, "file", "../examples/basic_without_resources_policy.csv",
"../examples/basic_without_resources_model.conf")
testEnforceWithoutUsers(t, e, "alice", "read", true)
testEnforceWithoutUsers(t, e, "alice", "write", false)
testEnforceWithoutUsers(t, e, "bob", "read", false)
testEnforceWithoutUsers(t, e, "bob", "write", true)
testGetPermissions(t, e, "alice", [][]string{{"alice", "read"}})
testGetPermissions(t, e, "bob", [][]string{{"bob", "write"}})
testHasPermission(t, e, "alice", []string{"read"}, true)
testHasPermission(t, e, "alice", []string{"write"}, false)
testHasPermission(t, e, "bob", []string{"read"}, false)
testHasPermission(t, e, "bob", []string{"write"}, true)
_, err := e.s.DeletePermission(e.ctx, &pb.PermissionRequest{EnforcerHandler: e.h, Permissions: []string{"read"}})
assert.NoError(t, err)
testEnforceWithoutUsers(t, e, "alice", "read", false)
testEnforceWithoutUsers(t, e, "alice", "write", false)
testEnforceWithoutUsers(t, e, "bob", "read", false)
testEnforceWithoutUsers(t, e, "bob", "write", true)
_, err = e.s.AddPermissionForUser(e.ctx, &pb.PermissionRequest{EnforcerHandler: e.h, User: "bob", Permissions: []string{"read"}})
assert.NoError(t, err)
testEnforceWithoutUsers(t, e, "alice", "read", false)
testEnforceWithoutUsers(t, e, "alice", "write", false)
testEnforceWithoutUsers(t, e, "bob", "read", true)
testEnforceWithoutUsers(t, e, "bob", "write", true)
_, err = e.s.DeletePermissionForUser(e.ctx, &pb.PermissionRequest{EnforcerHandler: e.h, User: "bob", Permissions: []string{"read"}})
assert.NoError(t, err)
testEnforceWithoutUsers(t, e, "alice", "read", false)
testEnforceWithoutUsers(t, e, "alice", "write", false)
testEnforceWithoutUsers(t, e, "bob", "read", false)
testEnforceWithoutUsers(t, e, "bob", "write", true)
_, err = e.s.DeletePermissionsForUser(e.ctx, &pb.PermissionRequest{EnforcerHandler: e.h, User: "bob"})
assert.NoError(t, err)
testEnforceWithoutUsers(t, e, "alice", "read", false)
testEnforceWithoutUsers(t, e, "alice", "write", false)
testEnforceWithoutUsers(t, e, "bob", "read", false)
testEnforceWithoutUsers(t, e, "bob", "write", false)
}