linting
@@ -48,7 +48,7 @@ func (db *ProtectedDBImp[T]) enforce(ctx context.Context, action model.Action, o
|
||||
|
||||
func (db *ProtectedDBImp[T]) Create(ctx context.Context, accountRef, organizationRef bson.ObjectID, object T) error {
|
||||
db.DBImp.Logger.Debug("Attempting to create object", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", db.Collection))
|
||||
|
||||
if object.GetPermissionRef() == bson.NilObjectID {
|
||||
object.SetPermissionRef(db.PermissionRef)
|
||||
@@ -61,12 +61,12 @@ func (db *ProtectedDBImp[T]) Create(ctx context.Context, accountRef, organizatio
|
||||
|
||||
if err := db.DBImp.Create(ctx, object); err != nil {
|
||||
db.DBImp.Logger.Warn("Failed to create object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", db.Collection))
|
||||
return err
|
||||
}
|
||||
|
||||
db.DBImp.Logger.Debug("Successfully created object", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", db.Collection))
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -76,7 +76,7 @@ func (db *ProtectedDBImp[T]) InsertMany(ctx context.Context, accountRef, organiz
|
||||
}
|
||||
|
||||
db.DBImp.Logger.Debug("Attempting to insert many objects", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", string(db.Collection)),
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", db.Collection),
|
||||
zap.Int("count", len(objects)))
|
||||
|
||||
// Set permission and organization refs for all objects and enforce permissions
|
||||
@@ -93,13 +93,13 @@ func (db *ProtectedDBImp[T]) InsertMany(ctx context.Context, accountRef, organiz
|
||||
|
||||
if err := db.DBImp.InsertMany(ctx, objects); err != nil {
|
||||
db.DBImp.Logger.Warn("Failed to insert many objects", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", string(db.Collection)),
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", db.Collection),
|
||||
zap.Int("count", len(objects)))
|
||||
return err
|
||||
}
|
||||
|
||||
db.DBImp.Logger.Debug("Successfully inserted many objects", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", string(db.Collection)),
|
||||
mzap.ObjRef("organization_ref", organizationRef), zap.String("collection", db.Collection),
|
||||
zap.Int("count", len(objects)))
|
||||
return nil
|
||||
}
|
||||
@@ -127,7 +127,7 @@ func (db *ProtectedDBImp[T]) Get(ctx context.Context, accountRef, objectRef bson
|
||||
|
||||
if err := db.DBImp.Get(ctx, objectRef, result); err != nil {
|
||||
db.DBImp.Logger.Warn("Failed to get object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", db.Collection))
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -182,18 +182,18 @@ func (db *ProtectedDBImp[T]) ListIDs(
|
||||
query builder.Query,
|
||||
) ([]bson.ObjectID, error) {
|
||||
db.DBImp.Logger.Debug("Attempting to list object IDs",
|
||||
mzap.AccRef(accountRef), zap.String("collection", string(db.Collection)), zap.Any("filter", query.BuildQuery()))
|
||||
mzap.AccRef(accountRef), zap.String("collection", db.Collection), zap.Any("filter", query.BuildQuery()))
|
||||
|
||||
// 1. Fetch all candidate IDs from the underlying DB
|
||||
allIDs, err := db.DBImp.ListPermissionBound(ctx, query)
|
||||
if err != nil {
|
||||
db.DBImp.Logger.Warn("Failed to list object IDs", zap.Error(err), mzap.AccRef(accountRef),
|
||||
zap.String("collection", string(db.Collection)), zap.String("action", string(action)))
|
||||
zap.String("collection", db.Collection), zap.String("action", string(action)))
|
||||
return nil, err
|
||||
}
|
||||
if len(allIDs) == 0 {
|
||||
db.DBImp.Logger.Debug("No objects found matching filter", mzap.AccRef(accountRef),
|
||||
zap.String("collection", string(db.Collection)), zap.Any("filter", query.BuildQuery()))
|
||||
zap.String("collection", db.Collection), zap.Any("filter", query.BuildQuery()))
|
||||
return []bson.ObjectID{}, merrors.NoData(fmt.Sprintf("no %s found", db.Collection))
|
||||
}
|
||||
|
||||
@@ -203,12 +203,12 @@ func (db *ProtectedDBImp[T]) ListIDs(
|
||||
enforceErr := db.enforce(ctx, action, desc, accountRef, *desc.GetID())
|
||||
if enforceErr == nil {
|
||||
allowedIDs = append(allowedIDs, *desc.GetID())
|
||||
} else if !errors.Is(err, merrors.ErrAccessDenied) {
|
||||
} else if !errors.Is(enforceErr, merrors.ErrAccessDenied) {
|
||||
// If the error is something other than AccessDenied, we want to fail
|
||||
db.DBImp.Logger.Warn("Error while enforcing read permission", zap.Error(enforceErr),
|
||||
mzap.ObjRef("permission_ref", desc.GetPermissionRef()), zap.String("action", string(action)),
|
||||
mzap.AccRef(accountRef), mzap.ObjRef("organization_ref", desc.GetOrganizationRef()),
|
||||
mzap.ObjRef("object_ref", *desc.GetID()), zap.String("collection", string(db.Collection)),
|
||||
mzap.ObjRef("object_ref", *desc.GetID()), zap.String("collection", db.Collection),
|
||||
)
|
||||
return nil, enforceErr
|
||||
}
|
||||
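Review bot: The corrected `errors.Is(enforceErr, merrors.ErrAccessDenied)` changes what ListIDs returns, not just how it reads: `err` appears to be nil by this point (it was checked right after ListPermissionBound in the hunk above and nothing visible reassigns it), so the old test was always true and every enforce failure, including a plain deny, aborted the whole call, whereas now denied IDs are silently dropped. That is a permission-filtering fix hiding under a "linting" title; it deserves a sentence in the commit message and a test asserting that one denied ID is omitted while the rest are returned and that a non-deny enforce error still fails the call. Related: the @@ -182 hunk returns a `merrors.NoData` error when no candidates match, while an all-denied set reaches `return allowedIDs, nil` in the @@ -217 hunk, so if callers surface those two outcomes differently a requester without access can learn whether matching objects exist at all; consider returning the same shape for both. ListIDs starts and ends outside this hunk.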
@@ -217,7 +217,7 @@ func (db *ProtectedDBImp[T]) ListIDs(
|
||||
|
||||
db.DBImp.Logger.Debug("Successfully enforced read permission on IDs", zap.Int("fetched_count", len(allIDs)),
|
||||
zap.Int("allowed_count", len(allowedIDs)), mzap.AccRef(accountRef),
|
||||
zap.String("collection", string(db.Collection)), zap.String("action", string(action)))
|
||||
zap.String("collection", db.Collection), zap.String("action", string(action)))
|
||||
|
||||
// 3. Return only the IDs that passed permission checks
|
||||
return allowedIDs, nil
|
||||
@@ -249,7 +249,7 @@ func CreateDBImp[T model.PermissionBoundStorable](
|
||||
logger := l.Named("protected")
|
||||
var policy model.PolicyDescription
|
||||
if err := pdb.GetBuiltInPolicy(ctx, collection, &policy); err != nil {
|
||||
logger.Warn("Failed to fetch policy description", zap.Error(err), zap.String("resource_type", string(collection)))
|
||||
logger.Warn("Failed to fetch policy description", zap.Error(err), zap.String("resource_type", collection))
|
||||
return nil, err
|
||||
}
|
||||
p := &ProtectedDBImp[T]{
|
||||
@@ -261,7 +261,7 @@ func CreateDBImp[T model.PermissionBoundStorable](
|
||||
if err := p.DBImp.Repository.CreateIndex(&ri.Definition{
|
||||
Keys: []ri.Key{{Field: storable.OrganizationRefField, Sort: ri.Asc}},
|
||||
}); err != nil {
|
||||
logger.Warn("Failed to create index", zap.Error(err), zap.String("resource_type", string(collection)))
|
||||
logger.Warn("Failed to create index", zap.Error(err), zap.String("resource_type", collection))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
||||
@@ -89,7 +89,7 @@ func (db *AccountBoundDBImp[T]) enforceInterface(ctx context.Context, action mod
|
||||
func (db *AccountBoundDBImp[T]) Create(ctx context.Context, accountRef bson.ObjectID, object T) error {
|
||||
orgRef := object.GetOrganizationRef()
|
||||
db.Logger.Debug("Attempting to create object", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", orgRef), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("organization_ref", orgRef), zap.String("collection", db.Collection))
|
||||
|
||||
// Check organization update permission for create operations
|
||||
if err := db.enforce(ctx, model.ActionUpdate, object, accountRef); err != nil {
|
||||
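Review bot: Every log call in this hunk, and in the following hunks for this type (Get, Patch, Delete, DeleteMany, FindOne, ListIDs, ListAccountBound), hand-repeats `zap.String("collection", db.Collection)`, which is exactly why the lint rewrite had to touch a dozen lines. Since the test file now constructs this type with `Logger: zap.NewNop()`, the field could be attached once where the struct is built, e.g. `Logger: logger.With(zap.String("collection", collection))`, leaving only the per-call fields at each site. Create's body continues past the end of the hunk.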
@@ -98,12 +98,12 @@ func (db *AccountBoundDBImp[T]) Create(ctx context.Context, accountRef bson.Obje
|
||||
|
||||
if err := db.DBImp.Create(ctx, object); err != nil {
|
||||
db.Logger.Warn("Failed to create object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", orgRef), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("organization_ref", orgRef), zap.String("collection", db.Collection))
|
||||
return err
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully created object", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", orgRef), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("organization_ref", orgRef), zap.String("collection", db.Collection))
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -113,7 +113,7 @@ func (db *AccountBoundDBImp[T]) Get(ctx context.Context, accountRef, objectRef b
|
||||
// First get the object to check its organization
|
||||
if err := db.DBImp.Get(ctx, objectRef, result); err != nil {
|
||||
db.Logger.Warn("Failed to get object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", db.Collection))
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -123,7 +123,7 @@ func (db *AccountBoundDBImp[T]) Get(ctx context.Context, accountRef, objectRef b
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully retrieved object", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", result.GetOrganizationRef()), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("organization_ref", result.GetOrganizationRef()), zap.String("collection", db.Collection))
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -167,7 +167,7 @@ func (db *AccountBoundDBImp[T]) Patch(ctx context.Context, accountRef, objectRef
|
||||
|
||||
if err := db.DBImp.Patch(ctx, objectRef, patch); err != nil {
|
||||
db.Logger.Warn("Failed to patch object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", db.Collection))
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -195,7 +195,7 @@ func (db *AccountBoundDBImp[T]) Delete(ctx context.Context, accountRef, objectRe
|
||||
|
||||
if err := db.DBImp.Delete(ctx, objectRef); err != nil {
|
||||
db.Logger.Warn("Failed to delete object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", string(db.Collection)))
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", db.Collection))
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -204,7 +204,7 @@ func (db *AccountBoundDBImp[T]) Delete(ctx context.Context, accountRef, objectRe
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) DeleteMany(ctx context.Context, accountRef bson.ObjectID, query builder.Query) error {
|
||||
db.Logger.Debug("Attempting to delete many objects", mzap.AccRef(accountRef), zap.String("collection", string(db.Collection)))
|
||||
db.Logger.Debug("Attempting to delete many objects", mzap.AccRef(accountRef), zap.String("collection", db.Collection))
|
||||
|
||||
// Get all candidate objects for batch permission checking
|
||||
allObjects, err := db.DBImp.Repository.ListPermissionBound(ctx, query)
|
||||
@@ -245,7 +245,7 @@ func (db *AccountBoundDBImp[T]) DeleteMany(ctx context.Context, accountRef bson.
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) FindOne(ctx context.Context, accountRef bson.ObjectID, query builder.Query, result T) error {
|
||||
db.Logger.Debug("Attempting to find one object", mzap.AccRef(accountRef), zap.String("collection", string(db.Collection)))
|
||||
db.Logger.Debug("Attempting to find one object", mzap.AccRef(accountRef), zap.String("collection", db.Collection))
|
||||
|
||||
// For FindOne, we need to check read permission after finding the object
|
||||
if err := db.DBImp.FindOne(ctx, query, result); err != nil {
|
||||
@@ -264,7 +264,7 @@ func (db *AccountBoundDBImp[T]) FindOne(ctx context.Context, accountRef bson.Obj
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) ListIDs(ctx context.Context, accountRef bson.ObjectID, query builder.Query) ([]bson.ObjectID, error) {
|
||||
db.Logger.Debug("Attempting to list object IDs", mzap.AccRef(accountRef), zap.String("collection", string(db.Collection)))
|
||||
db.Logger.Debug("Attempting to list object IDs", mzap.AccRef(accountRef), zap.String("collection", db.Collection))
|
||||
|
||||
// Get all candidate objects for batch permission checking
|
||||
allObjects, err := db.DBImp.Repository.ListPermissionBound(ctx, query)
|
||||
@@ -294,7 +294,7 @@ func (db *AccountBoundDBImp[T]) ListIDs(ctx context.Context, accountRef bson.Obj
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) ListAccountBound(ctx context.Context, accountRef, organizationRef bson.ObjectID, query builder.Query) ([]model.AccountBoundStorable, error) {
|
||||
db.Logger.Debug("Attempting to list account bound objects", mzap.AccRef(accountRef), zap.String("collection", string(db.Collection)))
|
||||
db.Logger.Debug("Attempting to list account bound objects", mzap.AccRef(accountRef), zap.String("collection", db.Collection))
|
||||
|
||||
// Build query to find objects where accountRef matches OR is null/absent
|
||||
accountQuery := repository.WithOrg(accountRef, organizationRef)
|
||||
|
||||
@@ -6,7 +6,6 @@ import (
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/tech/sendico/pkg/merrors"
|
||||
"github.com/tech/sendico/pkg/mlogger"
|
||||
"github.com/tech/sendico/pkg/model"
|
||||
"go.mongodb.org/mongo-driver/v2/bson"
|
||||
"go.uber.org/zap"
|
||||
@@ -14,7 +13,7 @@ import (
|
||||
|
||||
// TestAccountBoundDBImp_Enforce tests the enforce method
|
||||
func TestAccountBoundDBImp_Enforce(t *testing.T) {
|
||||
logger := mlogger.Logger(zap.NewNop())
|
||||
logger := zap.NewNop()
|
||||
db := &AccountBoundDBImp[model.AccountBoundStorable]{
|
||||
Logger: logger,
|
||||
PermissionRef: bson.NewObjectID(),
|
||||
@@ -34,13 +33,13 @@ func TestAccountBoundDBImp_Enforce(t *testing.T) {
|
||||
|
||||
t.Run("CollectionSet", func(t *testing.T) {
|
||||
// Test that Collection is properly set
|
||||
assert.Equal(t, "test_collection", string(db.Collection))
|
||||
assert.Equal(t, "test_collection", db.Collection)
|
||||
})
|
||||
}
|
||||
|
||||
// TestAccountBoundDBImp_InterfaceCompliance tests that the struct implements required interfaces
|
||||
func TestAccountBoundDBImp_InterfaceCompliance(t *testing.T) {
|
||||
logger := mlogger.Logger(zap.NewNop())
|
||||
logger := zap.NewNop()
|
||||
db := &AccountBoundDBImp[model.AccountBoundStorable]{
|
||||
Logger: logger,
|
||||
PermissionRef: bson.NewObjectID(),
|
||||
|
||||
@@ -1,23 +0,0 @@
|
||||
package casbin
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/tech/sendico/pkg/merrors"
|
||||
"github.com/tech/sendico/pkg/model"
|
||||
)
|
||||
|
||||
func stringToAction(actionStr string) (model.Action, error) {
|
||||
switch actionStr {
|
||||
case string(model.ActionCreate):
|
||||
return model.ActionCreate, nil
|
||||
case string(model.ActionRead):
|
||||
return model.ActionRead, nil
|
||||
case string(model.ActionUpdate):
|
||||
return model.ActionUpdate, nil
|
||||
case string(model.ActionDelete):
|
||||
return model.ActionDelete, nil
|
||||
default:
|
||||
return "", merrors.InvalidArgument(fmt.Sprintf("invalid action: %s", actionStr), "action")
|
||||
}
|
||||
}
|
||||
@@ -80,9 +80,10 @@ func getEnvBoolValue(logger mlogger.Logger, varName, envVarName string, value *b
|
||||
|
||||
if envValue != nil {
|
||||
envStr := os.Getenv(*envValue)
|
||||
if envStr == "true" || envStr == "1" {
|
||||
switch envStr {
|
||||
case "true", "1":
|
||||
return true
|
||||
} else if envStr == "false" || envStr == "0" {
|
||||
case "false", "0":
|
||||
return false
|
||||
}
|
||||
logger.Warn("Invalid environment variable value for boolean", zap.String("environment_variable", envVarName), zap.String("value", envStr))
|
||||
|
||||
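Review bot: The new switch reads `os.Getenv(*envValue)`, so an unset variable yields "" and falls through to the "Invalid environment variable value for boolean" warning exactly like a genuinely bad value; `envStr, ok := os.LookupEnv(*envValue)` with the switch inside `if ok { ... }` keeps the warning for bad values only. The warning logs `envVarName` while the lookup uses `*envValue`; it is not visible here whether those are always the same string, and if they can differ the log names the wrong variable. `strconv.ParseBool` would cover these four spellings in one call, but it also accepts "t", "f", "TRUE" and friends, so that would be a behavior change rather than a lint fix. getEnvBoolValue starts and ends outside the hunk.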
@@ -116,7 +116,7 @@ func NewPoliciesDB(logger mlogger.Logger, db *mongo.Database) (*PermissionsDBImp
|
||||
{Field: "policy.objectRef", Sort: ri.Asc},
|
||||
},
|
||||
}
|
||||
if err := p.DBImp.Repository.CreateIndex(policiesQueryIndex); err != nil {
|
||||
if err := p.Repository.CreateIndex(policiesQueryIndex); err != nil {
|
||||
p.Logger.Warn("Failed to prepare policies query index", zap.Error(err))
|
||||
return nil, err
|
||||
}
|
||||
@@ -127,7 +127,7 @@ func NewPoliciesDB(logger mlogger.Logger, db *mongo.Database) (*PermissionsDBImp
|
||||
{Field: "policy.effect.action", Sort: ri.Asc},
|
||||
},
|
||||
}
|
||||
if err := p.DBImp.Repository.CreateIndex(roleBasedQueriesIndex); err != nil {
|
||||
if err := p.Repository.CreateIndex(roleBasedQueriesIndex); err != nil {
|
||||
p.Logger.Warn("Failed to prepare role based query index", zap.Error(err))
|
||||
return nil, err
|
||||
}
|
||||
@@ -142,7 +142,7 @@ func NewPoliciesDB(logger mlogger.Logger, db *mongo.Database) (*PermissionsDBImp
|
||||
},
|
||||
Unique: true,
|
||||
}
|
||||
if err := p.DBImp.Repository.CreateIndex(uniquePolicyConstaint); err != nil {
|
||||
if err := p.Repository.CreateIndex(uniquePolicyConstaint); err != nil {
|
||||
p.Logger.Warn("Failed to unique policy assignment index", zap.Error(err))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
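Review bot: The warning on this hunk's error path reads `"Failed to unique policy assignment index"`, which is missing its verb; the sibling messages in the two hunks above use "Failed to prepare …", so `p.Logger.Warn("Failed to prepare unique policy assignment index", zap.Error(err))` keeps the three consistent and greppable. The identifier `uniquePolicyConstaint` (and `uniqueRoleConstaint` in NewRolesDB) is misspelled; both are declared outside the hunks, so renaming to `uniquePolicyConstraint` touches the declaration as well. NewPoliciesDB starts and ends outside this hunk.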
@@ -68,14 +68,14 @@ func NewRolesDB(logger mlogger.Logger, db *mongo.Database) (*RolesDBImp, error)
|
||||
DBImp: *template.Create[*nstructures.RoleAssignment](logger, "role_assignments", db),
|
||||
}
|
||||
|
||||
if err := p.DBImp.Repository.CreateIndex(&ri.Definition{
|
||||
if err := p.Repository.CreateIndex(&ri.Definition{
|
||||
Keys: []ri.Key{{Field: "role.organizationRef", Sort: ri.Asc}},
|
||||
}); err != nil {
|
||||
p.Logger.Warn("Failed to prepare venue index", zap.Error(err))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := p.DBImp.Repository.CreateIndex(&ri.Definition{
|
||||
if err := p.Repository.CreateIndex(&ri.Definition{
|
||||
Keys: []ri.Key{{Field: "role.descriptionRef", Sort: ri.Asc}},
|
||||
}); err != nil {
|
||||
p.Logger.Warn("Failed to prepare role description index", zap.Error(err))
|
||||
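Review bot: The first CreateIndex call in this hunk indexes `role.organizationRef` but its failure message says "Failed to prepare venue index", so someone searching logs for organization index failures will miss it. Unless "venue" is still the domain term for an organization in this codebase, `p.Logger.Warn("Failed to prepare role organization index", zap.Error(err))` names the field the index is actually on; the second call's "role description index" message already follows that pattern. NewRolesDB starts and ends outside this hunk.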
@@ -90,7 +90,7 @@ func NewRolesDB(logger mlogger.Logger, db *mongo.Database) (*RolesDBImp, error)
|
||||
},
|
||||
Unique: true,
|
||||
}
|
||||
if err := p.DBImp.Repository.CreateIndex(uniqueRoleConstaint); err != nil {
|
||||
if err := p.Repository.CreateIndex(uniqueRoleConstaint); err != nil {
|
||||
p.Logger.Warn("Failed to prepare role assignment index", zap.Error(err))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@@ -215,14 +215,14 @@ func createTestRoleAssignment(roleRef, accountRef, organizationRef bson.ObjectID
|
||||
}
|
||||
}
|
||||
|
||||
func createTestPolicyAssignment(roleRef bson.ObjectID, action model.Action, effect model.Effect, organizationRef, descriptionRef bson.ObjectID, objectRef *bson.ObjectID) nstructures.PolicyAssignment {
|
||||
func createTestPolicyAssignment(roleRef bson.ObjectID, effect model.Effect, organizationRef, descriptionRef bson.ObjectID, objectRef *bson.ObjectID) nstructures.PolicyAssignment {
|
||||
return nstructures.PolicyAssignment{
|
||||
Policy: model.Policy{
|
||||
OrganizationRef: organizationRef,
|
||||
DescriptionRef: descriptionRef,
|
||||
ObjectRef: objectRef,
|
||||
Effect: model.ActionEffect{
|
||||
Action: action,
|
||||
Action: model.ActionRead,
|
||||
Effect: effect,
|
||||
},
|
||||
},
|
||||
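Review bot: Dropping the `action` parameter of createTestPolicyAssignment and hard-coding `Action: model.ActionRead` removes the only way these tests can construct a policy for any other action, so the enforcer's action matching (a policy granting Update must not satisfy a Read check, and vice versa) is no longer exercisable through this helper; the same hard-coding is applied at every call site in the hunks below (@@ -259, -284, -312, -445, -539, -664, -702). Rather than silencing the unused-parameter lint by deletion, keep the parameter and add one case that passes a mismatched action, or add a `createTestPolicyAssignmentForAction` variant next to this helper. For a suite that includes TestEnforcer_SecurityScenarios, a mismatched-action case is the more valuable outcome of this lint finding than a shorter signature.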
@@ -259,7 +259,7 @@ func TestEnforcer_Enforce(t *testing.T) {
|
||||
mockRDB.On("Roles", ctx, accountRef, organizationRef).Return([]nstructures.RoleAssignment{roleAssignment}, nil)
|
||||
|
||||
// Mock policy assignment with ALLOW effect
|
||||
policyAssignment := createTestPolicyAssignment(roleRef, model.ActionRead, model.EffectAllow, organizationRef, permissionRef, &objectRef)
|
||||
policyAssignment := createTestPolicyAssignment(roleRef, model.EffectAllow, organizationRef, permissionRef, &objectRef)
|
||||
mockPDB.On("PoliciesForPermissionAction", ctx, roleRef, permissionRef, model.ActionRead).Return([]nstructures.PolicyAssignment{policyAssignment}, nil)
|
||||
|
||||
// Create enforcer
|
||||
@@ -284,7 +284,7 @@ func TestEnforcer_Enforce(t *testing.T) {
|
||||
mockRDB.On("Roles", ctx, accountRef, organizationRef).Return([]nstructures.RoleAssignment{roleAssignment}, nil)
|
||||
|
||||
// Mock policy assignment with DENY effect
|
||||
policyAssignment := createTestPolicyAssignment(roleRef, model.ActionRead, model.EffectDeny, organizationRef, permissionRef, &objectRef)
|
||||
policyAssignment := createTestPolicyAssignment(roleRef, model.EffectDeny, organizationRef, permissionRef, &objectRef)
|
||||
mockPDB.On("PoliciesForPermissionAction", ctx, roleRef, permissionRef, model.ActionRead).Return([]nstructures.PolicyAssignment{policyAssignment}, nil)
|
||||
|
||||
enforcer := createTestEnforcer(mockPDB, mockRDB)
|
||||
@@ -312,11 +312,11 @@ func TestEnforcer_Enforce(t *testing.T) {
|
||||
mockRDB.On("Roles", ctx, accountRef, organizationRef).Return([]nstructures.RoleAssignment{roleAssignment1, roleAssignment2}, nil)
|
||||
|
||||
// First role has ALLOW policy
|
||||
allowPolicy := createTestPolicyAssignment(role1Ref, model.ActionRead, model.EffectAllow, organizationRef, permissionRef, &objectRef)
|
||||
allowPolicy := createTestPolicyAssignment(role1Ref, model.EffectAllow, organizationRef, permissionRef, &objectRef)
|
||||
mockPDB.On("PoliciesForPermissionAction", ctx, role1Ref, permissionRef, model.ActionRead).Return([]nstructures.PolicyAssignment{allowPolicy}, nil)
|
||||
|
||||
// Second role has DENY policy - should take precedence
|
||||
denyPolicy := createTestPolicyAssignment(role2Ref, model.ActionRead, model.EffectDeny, organizationRef, permissionRef, &objectRef)
|
||||
denyPolicy := createTestPolicyAssignment(role2Ref, model.EffectDeny, organizationRef, permissionRef, &objectRef)
|
||||
mockPDB.On("PoliciesForPermissionAction", ctx, role2Ref, permissionRef, model.ActionRead).Return([]nstructures.PolicyAssignment{denyPolicy}, nil)
|
||||
|
||||
enforcer := createTestEnforcer(mockPDB, mockRDB)
|
||||
@@ -445,7 +445,7 @@ func TestEnforcer_Enforce(t *testing.T) {
|
||||
mockRDB.On("Roles", ctx, accountRef, organizationRef).Return([]nstructures.RoleAssignment{roleAssignment}, nil)
|
||||
|
||||
// Mock corrupted policy with invalid effect
|
||||
corruptedPolicy := createTestPolicyAssignment(roleRef, model.ActionRead, "invalid_effect", organizationRef, permissionRef, &objectRef)
|
||||
corruptedPolicy := createTestPolicyAssignment(roleRef, "invalid_effect", organizationRef, permissionRef, &objectRef)
|
||||
mockPDB.On("PoliciesForPermissionAction", ctx, roleRef, permissionRef, model.ActionRead).Return([]nstructures.PolicyAssignment{corruptedPolicy}, nil)
|
||||
|
||||
enforcer := createTestEnforcer(mockPDB, mockRDB)
|
||||
@@ -539,7 +539,7 @@ func TestEnforcer_EnforceBatch(t *testing.T) {
|
||||
mockRDB.On("Roles", ctx, accountRef, organizationRef).Return([]nstructures.RoleAssignment{roleAssignment}, nil)
|
||||
|
||||
// Mock policy assignment with ALLOW effect
|
||||
policyAssignment := createTestPolicyAssignment(roleRef, model.ActionRead, model.EffectAllow, organizationRef, permissionRef, nil)
|
||||
policyAssignment := createTestPolicyAssignment(roleRef, model.EffectAllow, organizationRef, permissionRef, nil)
|
||||
mockPDB.On("PoliciesForRoles", ctx, []bson.ObjectID{roleRef}, model.ActionRead).Return([]nstructures.PolicyAssignment{policyAssignment}, nil)
|
||||
|
||||
enforcer := createTestEnforcer(mockPDB, mockRDB)
|
||||
@@ -664,7 +664,7 @@ func TestEnforcer_GetPermissions(t *testing.T) {
|
||||
mockRDB.On("Roles", ctx, accountRef, organizationRef).Return([]nstructures.RoleAssignment{roleAssignment}, nil)
|
||||
|
||||
// Mock policy assignment
|
||||
policyAssignment := createTestPolicyAssignment(roleRef, model.ActionRead, model.EffectAllow, organizationRef, createTestObjectID(), nil)
|
||||
policyAssignment := createTestPolicyAssignment(roleRef, model.EffectAllow, organizationRef, createTestObjectID(), nil)
|
||||
mockPDB.On("PoliciesForRole", ctx, roleRef).Return([]nstructures.PolicyAssignment{policyAssignment}, nil)
|
||||
|
||||
enforcer := createTestEnforcer(mockPDB, mockRDB)
|
||||
@@ -702,8 +702,8 @@ func TestEnforcer_SecurityScenarios(t *testing.T) {
|
||||
mockRDB.On("Roles", ctx, accountRef, organizationRef).Return([]nstructures.RoleAssignment{roleAssignment}, nil)
|
||||
|
||||
// Mock multiple policies: both ALLOW and DENY
|
||||
allowPolicy := createTestPolicyAssignment(roleRef, model.ActionRead, model.EffectAllow, organizationRef, permissionRef, &objectRef)
|
||||
denyPolicy := createTestPolicyAssignment(roleRef, model.ActionRead, model.EffectDeny, organizationRef, permissionRef, &objectRef)
|
||||
allowPolicy := createTestPolicyAssignment(roleRef, model.EffectAllow, organizationRef, permissionRef, &objectRef)
|
||||
denyPolicy := createTestPolicyAssignment(roleRef, model.EffectDeny, organizationRef, permissionRef, &objectRef)
|
||||
mockPDB.On("PoliciesForPermissionAction", ctx, roleRef, permissionRef, model.ActionRead).Return([]nstructures.PolicyAssignment{allowPolicy, denyPolicy}, nil)
|
||||
|
||||
enforcer := createTestEnforcer(mockPDB, mockRDB)
|
||||
|
||||