zitadel/internal/command/permission_checks_test.go

package command

import (
	"context"
	"database/sql"
	"errors"
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/zitadel/zitadel/internal/api/authz"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/eventstore"
	"github.com/zitadel/zitadel/internal/eventstore/repository"
	"github.com/zitadel/zitadel/internal/zerrors"
)

func TestCommands_CheckPermission(t *testing.T) {
	type fields struct {
		eventstore            func(*testing.T) *eventstore.Eventstore
		domainPermissionCheck func(*testing.T) domain.PermissionCheck
	}
	type args struct {
		ctx                        context.Context
		permission                 string
		aggregateType              eventstore.AggregateType
		resourceOwner, aggregateID string
	}
	type want struct {
		err func(error) bool
	}
	ctx := context.Background()
	filterErr := errors.New("filter error")
	tests := []struct {
		name   string
		fields fields
		args   args
		want   want
	}{
		{
			name: "resource owner is given, no query",
			fields: fields{
				domainPermissionCheck: mockDomainPermissionCheck(
					ctx,
					"permission",
					"resourceOwner",
					"aggregateID"),
			},
			args: args{
				ctx:           ctx,
				permission:    "permission",
				resourceOwner: "resourceOwner",
				aggregateID:   "aggregateID",
			},
		},
		{
			name: "resource owner is empty, query for resource owner",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(&repository.Event{
						AggregateID:   "aggregateID",
						ResourceOwner: sql.NullString{String: "resourceOwner"},
					}),
				),
				domainPermissionCheck: mockDomainPermissionCheck(ctx, "permission", "resourceOwner", "aggregateID"),
			},
			args: args{
				ctx:           ctx,
				permission:    "permission",
				resourceOwner: "",
				aggregateID:   "aggregateID",
			},
		},
		{
			name: "resource owner is empty, query for resource owner, error",
			fields: fields{
				eventstore: expectEventstore(
					expectFilterError(filterErr),
				),
			},
			args: args{
				ctx:           ctx,
				permission:    "permission",
				resourceOwner: "",
				aggregateID:   "aggregateID",
			},
			want: want{
				err: func(err error) bool {
					return errors.Is(err, filterErr)
				},
			},
		},
		{
			name: "resource owner is empty, query for resource owner, no events",
			fields: fields{
				eventstore: expectEventstore(
					expectFilter(),
				),
			},
			args: args{
				ctx:           ctx,
				permission:    "permission",
				resourceOwner: "",
				aggregateID:   "aggregateID",
			},
			want: want{
				err: zerrors.IsNotFound,
			},
		},
		{
			name: "no aggregateID, internal error",
			args: args{
				ctx: ctx,
			},
			want: want{
				err: zerrors.IsInternal,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &Commands{
				checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
					assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
					return nil
				},
				eventstore: expectEventstore()(t),
			}
			if tt.fields.domainPermissionCheck != nil {
				c.checkPermission = tt.fields.domainPermissionCheck(t)
			}
			if tt.fields.eventstore != nil {
				c.eventstore = tt.fields.eventstore(t)
			}
			err := c.newPermissionCheck(tt.args.ctx, tt.args.permission, tt.args.aggregateType)(tt.args.resourceOwner, tt.args.aggregateID)
			if tt.want.err != nil {
				assert.True(t, tt.want.err(err))
			}
		})
	}
}

func TestCommands_CheckPermissionUserWrite(t *testing.T) {
	type fields struct {
		domainPermissionCheck func(*testing.T) domain.PermissionCheck
	}
	type args struct {
		ctx                        context.Context
		resourceOwner, aggregateID string
		allowSelfManagement        bool
	}
	type want struct {
		err func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		want   want
	}{
		{
			name: "self, no permission check",
			args: args{
				ctx: authz.SetCtxData(context.Background(), authz.CtxData{
					UserID: "aggregateID",
				}),
				resourceOwner:       "resourceOwner",
				aggregateID:         "aggregateID",
				allowSelfManagement: true,
			},
		},
		{
			name: "self, no selfManagementAllowed, permission check",
			fields: fields{
				domainPermissionCheck: mockDomainPermissionCheck(
					authz.SetCtxData(context.Background(), authz.CtxData{
						UserID: "aggregateID",
					}),
					"user.write",
					"resourceOwner",
					"aggregateID"),
			},
			args: args{
				ctx: authz.SetCtxData(context.Background(), authz.CtxData{
					UserID: "aggregateID",
				}),
				resourceOwner:       "resourceOwner",
				aggregateID:         "aggregateID",
				allowSelfManagement: false,
			},
		},
		{
			name: "not self, permission check",
			fields: fields{
				domainPermissionCheck: mockDomainPermissionCheck(
					context.Background(),
					"user.write",
					"resourceOwner",
					"foreignAggregateID"),
			},
			args: args{
				ctx:           context.Background(),
				resourceOwner: "resourceOwner",
				aggregateID:   "foreignAggregateID",
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &Commands{
				checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
					assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
					return nil
				},
			}
			if tt.fields.domainPermissionCheck != nil {
				c.checkPermission = tt.fields.domainPermissionCheck(t)
			}
			err := c.NewPermissionCheckUserWrite(tt.args.ctx, tt.args.allowSelfManagement)(tt.args.resourceOwner, tt.args.aggregateID)
			if tt.want.err != nil {
				assert.True(t, tt.want.err(err))
			}
		})
	}
}

func TestCommands_CheckPermissionUserDelete(t *testing.T) {
	type fields struct {
		domainPermissionCheck func(*testing.T) domain.PermissionCheck
	}
	type args struct {
		ctx                        context.Context
		resourceOwner, aggregateID string
	}
	type want struct {
		err func(error) bool
	}
	userCtx := authz.SetCtxData(context.Background(), authz.CtxData{
		UserID: "aggregateID",
	})
	tests := []struct {
		name   string
		fields fields
		args   args
		want   want
	}{
		{
			name: "self permission allowed, permission check",
			fields: fields{
				domainPermissionCheck: mockDomainPermissionCheck(
					userCtx,
					"user.delete",
					"resourceOwner",
					"aggregateID"),
			},
			args: args{
				ctx:           userCtx,
				resourceOwner: "resourceOwner",
				aggregateID:   "aggregateID",
			},
		},
		{
			name: "self user.delete not allowed, user.self.delete permission check",
			fields: fields{
				domainPermissionCheck: mockDomainPermissionChecks(
					expectedCheck{
						userCtx,
						"user.delete",
						"resourceOwner",
						"aggregateID",
						zerrors.ThrowPermissionDenied(nil, "id", "permission denied"),
					},
					expectedCheck{
						userCtx,
						"user.self.delete",
						"resourceOwner",
						"aggregateID",
						nil,
					},
				),
			},
			args: args{
				ctx:           userCtx,
				resourceOwner: "resourceOwner",
				aggregateID:   "aggregateID",
			},
		},
		{
			name: "not self, permission check",
			fields: fields{
				domainPermissionCheck: mockDomainPermissionCheck(
					context.Background(),
					"user.delete",
					"resourceOwner",
					"foreignAggregateID"),
			},
			args: args{
				ctx:           context.Background(),
				resourceOwner: "resourceOwner",
				aggregateID:   "foreignAggregateID",
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &Commands{
				checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
					assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
					return nil
				},
			}
			if tt.fields.domainPermissionCheck != nil {
				c.checkPermission = tt.fields.domainPermissionCheck(t)
			}
			err := c.checkPermissionDeleteUser(tt.args.ctx, tt.args.resourceOwner, tt.args.aggregateID)
			if tt.want.err != nil {
				assert.True(t, tt.want.err(err))
			}
		})
	}
}

func mockDomainPermissionCheck(expectCtx context.Context, expectPermission, expectResourceOwner, expectResourceID string) func(t *testing.T) domain.PermissionCheck {
	return func(t *testing.T) domain.PermissionCheck {
		return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
			assert.Equal(t, expectCtx, ctx)
			assert.Equal(t, expectPermission, permission)
			assert.Equal(t, expectResourceOwner, orgID)
			assert.Equal(t, expectResourceID, resourceID)
			return nil
		}
	}
}

type expectedCheck struct {
	ctx           context.Context
	permission    string
	resourceOwner string
	resourceID    string
	err           error
}

func mockDomainPermissionChecks(checks ...expectedCheck) func(t *testing.T) domain.PermissionCheck {
	var i int
	return func(t *testing.T) domain.PermissionCheck {
		t.Cleanup(func() {
			t.Helper()
			if i != len(checks) {
				t.Logf("not all expected checks were called, expected: %d, got: %d", len(checks), i)
				for ; i < len(checks); i++ {
					t.Logf("missing call: %+v", checks[i])
				}
				t.Fail()
			}
		})

		return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
			if i >= len(checks) {
				assert.Fail(t, "no more checks expected")
				return nil
			}
			expect := checks[i]
			assert.Equal(t, expect.ctx, ctx)
			assert.Equal(t, expect.permission, permission)
			assert.Equal(t, expect.resourceOwner, orgID)
			assert.Equal(t, expect.resourceID, resourceID)
			i++
			return expect.err
		}
	}
}