add admin additional role to mlp.project.post (#91)
* Update bootstrap.go

* add bootstrap test

* Update admin role to have default permission

* update bootstrap test

* edit bootstrap config and add test

* update test name

* fix long test name
tkpd-hafizhan authored Oct 25, 2023
1 parent cae72b7 commit b3d74d1
Showing 2 changed files with 99 additions and 10 deletions.
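--- a/api/cmd/bootstrap.go
+++ b/api/cmd/bootstrap.go
@@ -30,7 +30,14 @@ var (
 if err != nil {
 log.Panicf("unable to load role members from input file: %v", err)
 }
-err = startKetoBootstrap(bootstrapConfig)
+authEnforcer, err := enforcer.NewEnforcerBuilder().
+KetoEndpoints(bootstrapConfig.KetoRemoteRead, bootstrapConfig.KetoRemoteWrite).
+Build()
+if err != nil {
+log.Panicf("unable to create keto enforcer: %v", err)
+}
+
+err = startKetoBootstrap(authEnforcer, bootstrapConfig.ProjectReaders, bootstrapConfig.MLPAdmins)
 if err != nil {
 log.Panicf("unable to bootstrap keto: %v", err)
 }
@@ -64,15 +71,11 @@ func loadBootstrapConfig(path string) (*BootstrapConfig, error) {
 return bootstrapCfg, nil
 }
 
-func startKetoBootstrap(bootstrapCfg *BootstrapConfig) error {
-authEnforcer, err := enforcer.NewEnforcerBuilder().
-KetoEndpoints(bootstrapCfg.KetoRemoteRead, bootstrapCfg.KetoRemoteWrite).
-Build()
-if err != nil {
-return err
-}
+func startKetoBootstrap(authEnforcer enforcer.Enforcer, projectReaders []string, mlpAdmins []string) error {
+defaultMLPAdminPermissions := []string{"mlp.projects.post"}
 updateRequest := enforcer.NewAuthorizationUpdateRequest()
-updateRequest.SetRoleMembers(enforcer.MLPProjectsReaderRole, bootstrapCfg.ProjectReaders)
-updateRequest.SetRoleMembers(enforcer.MLPAdminRole, bootstrapCfg.MLPAdmins)
+updateRequest.SetRoleMembers(enforcer.MLPProjectsReaderRole, projectReaders)
+updateRequest.SetRoleMembers(enforcer.MLPAdminRole, mlpAdmins)
+updateRequest.AddRolePermissions(enforcer.MLPAdminRole, defaultMLPAdminPermissions)
 return authEnforcer.UpdateAuthorization(context.Background(), updateRequest)
 }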
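Review bot: In the new startKetoBootstrap the permission being granted is a bare string literal (`defaultMLPAdminPermissions := []string{"mlp.projects.post"}`) while the role names on the neighbouring lines come from the enforcer package (`enforcer.MLPAdminRole`, `enforcer.MLPProjectsReaderRole`); if the enforcer package also exports the permission name that the project-creation handler checks against, reference that constant here instead of the literal so the bootstrap grant and the API-side check cannot silently drift (the commit title itself spells it `mlp.project.post`, which shows how easy that is). The function also has no doc comment; something like `// startKetoBootstrap writes the configured reader/admin role memberships to Keto and grants the admin role its default permission set.` would make the intent clear to the next maintainer. Separately, `SetRoleMembers` is called unconditionally with whatever the bootstrap file contained — if it replaces rather than merges membership (I cannot tell from this hunk), an empty `MLPAdmins` list, a case the new test explicitly covers, would clear every administrator in Keto, so it is worth confirming that is intended or at least logging a warning when the list is empty. Finally, the remote write runs under `context.Background()` with no deadline, so an unreachable Keto endpoint would hang the bootstrap indefinitely; a `context.WithTimeout` around the `UpdateAuthorization` call would bound that.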
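--- a/api/cmd/bootstrap_test.go
+++ b/api/cmd/bootstrap_test.go
@@ -0,0 +1,86 @@
+package cmd
+
+import (
+"testing"
+
+"github.com/caraml-dev/mlp/api/pkg/authz/enforcer"
+enforcerMock "github.com/caraml-dev/mlp/api/pkg/authz/enforcer/mocks"
+"github.com/stretchr/testify/mock"
+"github.com/stretchr/testify/require"
+)
+
+func TestStartKetoBootsrap(t *testing.T) {
+tests := []struct {
+name string
+projectReaders []string
+mlpAdmins []string
+expectedUpdateAuthorizationRequest enforcer.AuthorizationUpdateRequest
+}{
+{
+"admin role must have project post even there are no project readers",
+[]string{},
+[]string{"admin1"},
+enforcer.AuthorizationUpdateRequest{
+RolePermissions: map[string][]string{
+"mlp.administrator": {"mlp.projects.post"},
+},
+RoleMembers: map[string][]string{
+"mlp.projects.reader": {},
+"mlp.administrator": {"admin1"},
+},
+},
+},
+{
+"admin role should have project post, even there are no mlp admins or project readers",
+[]string{},
+[]string{},
+enforcer.AuthorizationUpdateRequest{
+RolePermissions: map[string][]string{
+"mlp.administrator": {"mlp.projects.post"},
+},
+RoleMembers: map[string][]string{
+"mlp.projects.reader": {},
+"mlp.administrator": {},
+},
+},
+},
+{
+"only admin role should have project post, even no mlp admins and project readers exist",
+[]string{"readers1", "readers2"},
+[]string{},
+enforcer.AuthorizationUpdateRequest{
+RolePermissions: map[string][]string{
+"mlp.administrator": {"mlp.projects.post"},
+},
+RoleMembers: map[string][]string{
+"mlp.projects.reader": {"readers1", "readers2"},
+"mlp.administrator": {},
+},
+},
+},
+{
+"only admin role should have project post, even project readers exist",
+[]string{"readers1", "readers2"},
+[]string{"admin1"},
+enforcer.AuthorizationUpdateRequest{
+RolePermissions: map[string][]string{
+"mlp.administrator": {"mlp.projects.post"},
+},
+RoleMembers: map[string][]string{
+"mlp.projects.reader": {"readers1", "readers2"},
+"mlp.administrator": {"admin1"},
+},
+},
+},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+authEnforcer := &enforcerMock.Enforcer{}
+
+authEnforcer.On("UpdateAuthorization", mock.Anything, tt.expectedUpdateAuthorizationRequest).Return(nil)
+err := startKetoBootstrap(authEnforcer, tt.projectReaders, tt.mlpAdmins)
+authEnforcer.AssertExpectations(t)
+require.NoError(t, err)
+})
+}
+}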
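Review bot: Every case in TestStartKetoBootsrap has the mock `UpdateAuthorization` return nil, so the only branch startKetoBootstrap has — propagating the enforcer's error — is never exercised; add one case that sets `.Return(errors.New("keto unavailable"))` and asserts `require.Error(t, err)` so a future refactor that swallows the write failure (and leaves Keto unseeded while the bootstrap reports success) is caught. The test function name is misspelled (`Bootsrap`), and the third case's name ("even no mlp admins and project readers exist") describes the opposite of its inputs, which have two readers and no admins — rename it to something like `"admin role keeps project post when only project readers are configured"`. Since the table pins `RolePermissions` with an entry for `mlp.administrator` only, it also implicitly asserts that bootstrap grants the reader role nothing; a one-line comment above the table stating that expectation, e.g. `// Only the admin role receives a default permission; readers get membership only.`, makes that authorization invariant explicit rather than incidental.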
