zitadel/internal/api/authz/permissions_test.go

package authz

import (
	"context"
	"testing"

	caos_errs "github.com/caos/zitadel/internal/errors"
)

func getTestCtx(userID, orgID string) context.Context {
	return context.WithValue(context.Background(), dataKey, CtxData{UserID: userID, OrgID: orgID})
}

type testVerifier struct {
	grant *Grant
}

func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, error) {
	return "userID", "agentID", "de", nil
}

func (v *testVerifier) ResolveGrants(ctx context.Context) (*Grant, error) {
	return v.grant, nil
}

func (v *testVerifier) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (string, []string, error) {
	return "", nil, nil
}

func (v *testVerifier) ExistsOrg(ctx context.Context, orgID string) error {
	return nil
}

func (v *testVerifier) VerifierClientID(ctx context.Context, appName string) (string, error) {
	return "clientID", nil
}

func equalStringArray(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i, v := range a {
		if v != b[i] {
			return false
		}
	}
	return true
}

func Test_GetUserMethodPermissions(t *testing.T) {
	type args struct {
		ctx          context.Context
		verifier     *TokenVerifier
		requiredPerm string
		authConfig   Config
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
		errFunc func(err error) bool
		result  []string
	}{
		{
			name: "Empty Context",
			args: args{
				ctx: getTestCtx("", ""),
				verifier: Start(&testVerifier{grant: &Grant{
					Roles: []string{"ORG_OWNER"},
				}}),
				requiredPerm: "project.read",
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "IAM_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
			},
			wantErr: true,
			errFunc: caos_errs.IsUnauthenticated,
			result:  []string{"project.read"},
		},
		{
			name: "No Grants",
			args: args{
				ctx:          getTestCtx("", ""),
				verifier:     Start(&testVerifier{grant: &Grant{}}),
				requiredPerm: "project.read",
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "IAM_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
			},
			result: make([]string, 0),
		},
		{
			name: "Get Permissions",
			args: args{
				ctx: getTestCtx("userID", "orgID"),
				verifier: Start(&testVerifier{grant: &Grant{
					Roles: []string{"ORG_OWNER"},
				}}),
				requiredPerm: "project.read",
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "IAM_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
			},
			result: []string{"project.read"},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			_, perms, err := getUserMethodPermissions(tt.args.ctx, tt.args.verifier, tt.args.requiredPerm, tt.args.authConfig)

			if tt.wantErr && err == nil {
				t.Errorf("got wrong result, should get err: actual: %v ", err)
			}

			if tt.wantErr && !tt.errFunc(err) {
				t.Errorf("got wrong err: %v ", err)
			}

			if !tt.wantErr && !equalStringArray(perms, tt.result) {
				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, perms)
			}
		})
	}
}

func Test_MapGrantsToPermissions(t *testing.T) {
	type args struct {
		requiredPerm string
		grant        *Grant
		authConfig   Config
	}
	tests := []struct {
		name         string
		args         args
		requestPerms []string
		allPerms     []string
	}{
		{
			name: "One Role existing perm",
			args: args{
				requiredPerm: "project.read",
				grant:        &Grant{Roles: []string{"ORG_OWNER"}},
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "IAM_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
			},
			requestPerms: []string{"project.read"},
			allPerms:     []string{"org.read", "project.read"},
		},
		{
			name: "One Role not existing perm",
			args: args{
				requiredPerm: "project.write",
				grant:        &Grant{Roles: []string{"ORG_OWNER"}},
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "IAM_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
			},
			requestPerms: []string{},
			allPerms:     []string{"org.read", "project.read"},
		},
		{
			name: "Multiple Roles one existing",
			args: args{
				requiredPerm: "project.read",
				grant:        &Grant{Roles: []string{"ORG_OWNER", "IAM_OWNER"}},
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "IAM_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
			},
			requestPerms: []string{"project.read"},
			allPerms:     []string{"org.read", "project.read"},
		},
		{
			name: "Multiple Roles, global and specific",
			args: args{
				requiredPerm: "project.read",
				grant:        &Grant{Roles: []string{"ORG_OWNER", "PROJECT_OWNER:1"}},
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "PROJECT_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
			},
			requestPerms: []string{"project.read", "project.read:1"},
			allPerms:     []string{"org.read", "project.read", "project.read:1"},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			requestPerms, allPerms := mapGrantToPermissions(tt.args.requiredPerm, tt.args.grant, tt.args.authConfig)
			if !equalStringArray(requestPerms, tt.requestPerms) {
				t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
			}
			if !equalStringArray(allPerms, tt.allPerms) {
				t.Errorf("got wrong allPerms, expecting: %v, actual: %v ", tt.allPerms, allPerms)
			}
		})
	}
}

func Test_MapRoleToPerm(t *testing.T) {
	type args struct {
		requiredPerm string
		actualRole   string
		authConfig   Config
		requestPerms []string
		allPerms     []string
	}
	tests := []struct {
		name         string
		args         args
		requestPerms []string
		allPerms     []string
	}{
		{
			name: "first perm without context id",
			args: args{
				requiredPerm: "project.read",
				actualRole:   "ORG_OWNER",
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "IAM_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
				requestPerms: []string{},
				allPerms:     []string{},
			},
			requestPerms: []string{"project.read"},
			allPerms:     []string{"org.read", "project.read"},
		},
		{
			name: "existing perm without context id",
			args: args{
				requiredPerm: "project.read",
				actualRole:   "ORG_OWNER",
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "IAM_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
				requestPerms: []string{"project.read"},
				allPerms:     []string{"org.read", "project.read"},
			},
			requestPerms: []string{"project.read"},
			allPerms:     []string{"org.read", "project.read"},
		},
		{
			name: "first perm with context id",
			args: args{
				requiredPerm: "project.read",
				actualRole:   "PROJECT_OWNER:1",
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "PROJECT_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
				requestPerms: []string{},
				allPerms:     []string{},
			},
			requestPerms: []string{"project.read:1"},
			allPerms:     []string{"project.read:1"},
		},
		{
			name: "perm with context id, existing global",
			args: args{
				requiredPerm: "project.read",
				actualRole:   "PROJECT_OWNER:1",
				authConfig: Config{
					RolePermissionMappings: []RoleMapping{
						{
							Role:        "PROJECT_OWNER",
							Permissions: []string{"project.read"},
						},
						{
							Role:        "ORG_OWNER",
							Permissions: []string{"org.read", "project.read"},
						},
					},
				},
				requestPerms: []string{"project.read"},
				allPerms:     []string{"org.read", "project.read"},
			},
			requestPerms: []string{"project.read", "project.read:1"},
			allPerms:     []string{"org.read", "project.read", "project.read:1"},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			requestPerms, allPerms := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.requestPerms, tt.args.allPerms)
			if !equalStringArray(requestPerms, tt.requestPerms) {
				t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
			}
			if !equalStringArray(allPerms, tt.allPerms) {
				t.Errorf("got wrong allPerms, expecting: %v, actual: %v ", tt.allPerms, allPerms)
			}
		})
	}
}

func Test_AddRoleContextIDToPerm(t *testing.T) {
	type args struct {
		perm  string
		ctxID string
	}
	tests := []struct {
		name   string
		args   args
		result string
	}{
		{
			name: "with ctx id",
			args: args{
				perm:  "perm1",
				ctxID: "2",
			},
			result: "perm1:2",
		},
		{
			name: "with ctx id",
			args: args{
				perm:  "perm1",
				ctxID: "",
			},
			result: "perm1",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			result := addRoleContextIDToPerm(tt.args.perm, tt.args.ctxID)
			if result != tt.result {
				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
			}
		})
	}
}

func Test_ExistisPerm(t *testing.T) {
	type args struct {
		existingPermissions []string
		perm                string
	}
	tests := []struct {
		name   string
		args   args
		result bool
	}{
		{
			name: "not existing perm",
			args: args{
				existingPermissions: []string{"perm1", "perm2", "perm3"},
				perm:                "perm4",
			},
			result: false,
		},
		{
			name: "existing perm",
			args: args{
				existingPermissions: []string{"perm1", "perm2", "perm3"},
				perm:                "perm2",
			},
			result: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			result := ExistsPerm(tt.args.existingPermissions, tt.args.perm)
			if result != tt.result {
				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
			}
		})
	}
}