// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: BUSL-1.1 package acl import ( "testing" ) type testAuthorizer EnforcementDecision var _ Authorizer = testAuthorizer(Allow) func (authz testAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) IdentityRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) IdentityReadAll(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) IdentityWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) IdentityWriteAny(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) NodeReadAll(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) MeshRead(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) MeshWrite(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) PeeringRead(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) PeeringWrite(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) ServiceReadAll(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) ServiceReadPrefix(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) ServiceWriteAny(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) Snapshot(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) TrafficPermissionsRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) TrafficPermissionsWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } func (authz testAuthorizer) ToAllowAuthorizer() AllowAuthorizer { return AllowAuthorizer{Authorizer: &authz} } func TestChainedAuthorizer(t *testing.T) { t.Run("No Authorizers", func(t *testing.T) { authz := NewChainedAuthorizer([]Authorizer{}) checkDenyACLRead(t, authz, "foo", nil) checkDenyACLWrite(t, authz, "foo", nil) checkDenyAgentRead(t, authz, "foo", nil) checkDenyAgentWrite(t, authz, "foo", nil) checkDenyEventRead(t, authz, "foo", nil) checkDenyEventWrite(t, authz, "foo", nil) checkDenyIntentionDefaultAllow(t, authz, "foo", nil) checkDenyIntentionRead(t, authz, "foo", nil) checkDenyIntentionWrite(t, authz, "foo", nil) checkDenyKeyRead(t, authz, "foo", nil) checkDenyKeyList(t, authz, "foo", nil) checkDenyKeyringRead(t, authz, "foo", nil) checkDenyKeyringWrite(t, authz, "foo", nil) checkDenyKeyWrite(t, authz, "foo", nil) checkDenyKeyWritePrefix(t, authz, "foo", nil) checkDenyNodeRead(t, authz, "foo", nil) checkDenyNodeWrite(t, authz, "foo", nil) checkDenyMeshRead(t, authz, "foo", nil) checkDenyMeshWrite(t, authz, "foo", nil) checkDenyPeeringRead(t, authz, "foo", nil) checkDenyPeeringWrite(t, authz, "foo", nil) checkDenyOperatorRead(t, authz, "foo", nil) checkDenyOperatorWrite(t, authz, "foo", nil) checkDenyPreparedQueryRead(t, authz, "foo", nil) checkDenyPreparedQueryWrite(t, authz, "foo", nil) checkDenyServiceRead(t, authz, "foo", nil) checkDenyServiceWrite(t, authz, "foo", nil) checkDenySessionRead(t, authz, "foo", nil) checkDenySessionWrite(t, authz, "foo", nil) checkDenySnapshot(t, authz, "foo", nil) }) t.Run("Authorizer Defaults", func(t *testing.T) { authz := NewChainedAuthorizer([]Authorizer{testAuthorizer(Default)}) checkDenyACLRead(t, authz, "foo", nil) checkDenyACLWrite(t, authz, "foo", nil) checkDenyAgentRead(t, authz, "foo", nil) checkDenyAgentWrite(t, authz, "foo", nil) checkDenyEventRead(t, authz, "foo", nil) checkDenyEventWrite(t, authz, "foo", nil) checkDenyIntentionDefaultAllow(t, authz, "foo", nil) checkDenyIntentionRead(t, authz, "foo", nil) checkDenyIntentionWrite(t, authz, "foo", nil) checkDenyKeyRead(t, authz, "foo", nil) checkDenyKeyList(t, authz, "foo", nil) checkDenyKeyringRead(t, authz, "foo", nil) checkDenyKeyringWrite(t, authz, "foo", nil) checkDenyKeyWrite(t, authz, "foo", nil) checkDenyKeyWritePrefix(t, authz, "foo", nil) checkDenyNodeRead(t, authz, "foo", nil) checkDenyNodeWrite(t, authz, "foo", nil) checkDenyMeshRead(t, authz, "foo", nil) checkDenyMeshWrite(t, authz, "foo", nil) checkDenyPeeringRead(t, authz, "foo", nil) checkDenyPeeringWrite(t, authz, "foo", nil) checkDenyOperatorRead(t, authz, "foo", nil) checkDenyOperatorWrite(t, authz, "foo", nil) checkDenyPreparedQueryRead(t, authz, "foo", nil) checkDenyPreparedQueryWrite(t, authz, "foo", nil) checkDenyServiceRead(t, authz, "foo", nil) checkDenyServiceWrite(t, authz, "foo", nil) checkDenySessionRead(t, authz, "foo", nil) checkDenySessionWrite(t, authz, "foo", nil) checkDenySnapshot(t, authz, "foo", nil) }) t.Run("Authorizer No Defaults", func(t *testing.T) { authz := NewChainedAuthorizer([]Authorizer{testAuthorizer(Allow)}) checkAllowACLRead(t, authz, "foo", nil) checkAllowACLWrite(t, authz, "foo", nil) checkAllowAgentRead(t, authz, "foo", nil) checkAllowAgentWrite(t, authz, "foo", nil) checkAllowEventRead(t, authz, "foo", nil) checkAllowEventWrite(t, authz, "foo", nil) checkAllowIntentionDefaultAllow(t, authz, "foo", nil) checkAllowIntentionRead(t, authz, "foo", nil) checkAllowIntentionWrite(t, authz, "foo", nil) checkAllowKeyRead(t, authz, "foo", nil) checkAllowKeyList(t, authz, "foo", nil) checkAllowKeyringRead(t, authz, "foo", nil) checkAllowKeyringWrite(t, authz, "foo", nil) checkAllowKeyWrite(t, authz, "foo", nil) checkAllowKeyWritePrefix(t, authz, "foo", nil) checkAllowNodeRead(t, authz, "foo", nil) checkAllowNodeWrite(t, authz, "foo", nil) checkAllowMeshRead(t, authz, "foo", nil) checkAllowMeshWrite(t, authz, "foo", nil) checkAllowPeeringRead(t, authz, "foo", nil) checkAllowPeeringWrite(t, authz, "foo", nil) checkAllowOperatorRead(t, authz, "foo", nil) checkAllowOperatorWrite(t, authz, "foo", nil) checkAllowPreparedQueryRead(t, authz, "foo", nil) checkAllowPreparedQueryWrite(t, authz, "foo", nil) checkAllowServiceRead(t, authz, "foo", nil) checkAllowServiceWrite(t, authz, "foo", nil) checkAllowSessionRead(t, authz, "foo", nil) checkAllowSessionWrite(t, authz, "foo", nil) checkAllowSnapshot(t, authz, "foo", nil) }) t.Run("First Found", func(t *testing.T) { authz := NewChainedAuthorizer([]Authorizer{testAuthorizer(Deny), testAuthorizer(Allow)}) checkDenyACLRead(t, authz, "foo", nil) checkDenyACLWrite(t, authz, "foo", nil) checkDenyAgentRead(t, authz, "foo", nil) checkDenyAgentWrite(t, authz, "foo", nil) checkDenyEventRead(t, authz, "foo", nil) checkDenyEventWrite(t, authz, "foo", nil) checkDenyIntentionDefaultAllow(t, authz, "foo", nil) checkDenyIntentionRead(t, authz, "foo", nil) checkDenyIntentionWrite(t, authz, "foo", nil) checkDenyKeyRead(t, authz, "foo", nil) checkDenyKeyList(t, authz, "foo", nil) checkDenyKeyringRead(t, authz, "foo", nil) checkDenyKeyringWrite(t, authz, "foo", nil) checkDenyKeyWrite(t, authz, "foo", nil) checkDenyKeyWritePrefix(t, authz, "foo", nil) checkDenyNodeRead(t, authz, "foo", nil) checkDenyNodeWrite(t, authz, "foo", nil) checkDenyMeshRead(t, authz, "foo", nil) checkDenyMeshWrite(t, authz, "foo", nil) checkDenyPeeringRead(t, authz, "foo", nil) checkDenyPeeringWrite(t, authz, "foo", nil) checkDenyOperatorRead(t, authz, "foo", nil) checkDenyOperatorWrite(t, authz, "foo", nil) checkDenyPreparedQueryRead(t, authz, "foo", nil) checkDenyPreparedQueryWrite(t, authz, "foo", nil) checkDenyServiceRead(t, authz, "foo", nil) checkDenyServiceWrite(t, authz, "foo", nil) checkDenySessionRead(t, authz, "foo", nil) checkDenySessionWrite(t, authz, "foo", nil) checkDenySnapshot(t, authz, "foo", nil) authz = NewChainedAuthorizer([]Authorizer{testAuthorizer(Default), testAuthorizer(Allow)}) checkAllowACLRead(t, authz, "foo", nil) checkAllowACLWrite(t, authz, "foo", nil) checkAllowAgentRead(t, authz, "foo", nil) checkAllowAgentWrite(t, authz, "foo", nil) checkAllowEventRead(t, authz, "foo", nil) checkAllowEventWrite(t, authz, "foo", nil) checkAllowIntentionDefaultAllow(t, authz, "foo", nil) checkAllowIntentionRead(t, authz, "foo", nil) checkAllowIntentionWrite(t, authz, "foo", nil) checkAllowKeyRead(t, authz, "foo", nil) checkAllowKeyList(t, authz, "foo", nil) checkAllowKeyringRead(t, authz, "foo", nil) checkAllowKeyringWrite(t, authz, "foo", nil) checkAllowKeyWrite(t, authz, "foo", nil) checkAllowKeyWritePrefix(t, authz, "foo", nil) checkAllowNodeRead(t, authz, "foo", nil) checkAllowNodeWrite(t, authz, "foo", nil) checkAllowMeshRead(t, authz, "foo", nil) checkAllowMeshWrite(t, authz, "foo", nil) checkAllowPeeringRead(t, authz, "foo", nil) checkAllowPeeringWrite(t, authz, "foo", nil) checkAllowOperatorRead(t, authz, "foo", nil) checkAllowOperatorWrite(t, authz, "foo", nil) checkAllowPreparedQueryRead(t, authz, "foo", nil) checkAllowPreparedQueryWrite(t, authz, "foo", nil) checkAllowServiceRead(t, authz, "foo", nil) checkAllowServiceWrite(t, authz, "foo", nil) checkAllowSessionRead(t, authz, "foo", nil) checkAllowSessionWrite(t, authz, "foo", nil) checkAllowSnapshot(t, authz, "foo", nil) }) }