test: authorizeRole SecurityLogic tests

hyperledger · Jan 11, 2024 · 2245e9c · 2245e9c
1 parent 96669ce
commit 2245e9c
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/...-agent/service/server/src/main/scala/io/iohk/atala/iam/authentication/SecurityLogic.scala b/...-agent/service/server/src/main/scala/io/iohk/atala/iam/authentication/SecurityLogic.scala
@@ -79,10 +79,10 @@ object SecurityLogic {
         case Right(entity) => authorizeWalletAdmin(entity)(authorizer).map(entity -> _)
       }
 
-  def authorizeRoleWith[E <: BaseEntity](credentials: (AdminApiKeyCredentials, JwtCredentials))(
+  def authorizeRole[E <: BaseEntity](credentials: Credentials, others: Credentials*)(
       authenticator: Authenticator[E],
   )(permittedRole: EntityRole): IO[ErrorResponse, BaseEntity] = {
-    authenticate[E](credentials._1, credentials._2)(authenticator)
+    authenticate[E](credentials, others: _*)(authenticator)
       .flatMap { ee =>
         val entity = ee.fold(identity, identity)
         for {
@@ -101,4 +101,9 @@ object SecurityLogic {
       }
   }
 
+  def authorizeRoleWith[E <: BaseEntity](credentials: (AdminApiKeyCredentials, JwtCredentials))(
+      authenticator: Authenticator[E],
+  )(permittedRole: EntityRole): IO[ErrorResponse, BaseEntity] =
+    authorizeRole(credentials._1, credentials._2)(authenticator)(permittedRole)
+
 }
diff --git a/...nt/service/server/src/test/scala/io/iohk/atala/iam/authentication/SecurityLogicSpec.scala b/...nt/service/server/src/test/scala/io/iohk/atala/iam/authentication/SecurityLogicSpec.scala
@@ -1,6 +1,7 @@
 package io.iohk.atala.iam.authentication
 
 import io.iohk.atala.agent.walletapi.model.Entity
+import io.iohk.atala.agent.walletapi.model.EntityRole
 import io.iohk.atala.iam.authentication.AuthenticationError.InvalidCredentials
 import io.iohk.atala.iam.authentication.apikey.ApiKeyCredentials
 import zio.*
@@ -78,6 +79,38 @@ object SecurityLogicSpec extends ZIOSpecDefault {
           .exit
       } yield assert(exit)(fails(hasField("status", _.status, equalTo(sttp.model.StatusCode.Forbidden.code))))
     },
+    test("authorizeRole accept if the role is matched") {
+      val tenantentity = Entity("alice", UUID.randomUUID())
+      val adminEntity = Entity.Admin
+      for {
+        entity1 <- SecurityLogic
+          .authorizeRole(ApiKeyCredentials(Some(tenantentity.id.toString())))(testAuthenticator(tenantentity))(
+            EntityRole.Tenant
+          )
+        entity2 <- SecurityLogic
+          .authorizeRole(ApiKeyCredentials(Some(adminEntity.id.toString())))(testAuthenticator(adminEntity))(
+            EntityRole.Admin
+          )
+      } yield assert(entity1.role)(isRight(equalTo(EntityRole.Tenant))) &&
+        assert(entity2.role)(isRight(equalTo(EntityRole.Admin)))
+    },
+    test("authorizeRole reject if the role is not matched") {
+      val tenantentity = Entity("alice", UUID.randomUUID())
+      val adminEntity = Entity.Admin
+      for {
+        exit1 <- SecurityLogic
+          .authorizeRole(ApiKeyCredentials(Some(tenantentity.id.toString())))(testAuthenticator(tenantentity))(
+            EntityRole.Admin
+          )
+          .exit
+        exit2 <- SecurityLogic
+          .authorizeRole(ApiKeyCredentials(Some(adminEntity.id.toString())))(testAuthenticator(tenantentity))(
+            EntityRole.Tenant
+          )
+          .exit
+      } yield assert(exit1)(fails(hasField("status", _.status, equalTo(sttp.model.StatusCode.Forbidden.code)))) &&
+        assert(exit2)(fails(hasField("status", _.status, equalTo(sttp.model.StatusCode.Forbidden.code))))
+    },
     test("display first error message that is not MethodNotEnabled error") {
       val alice = Entity("alice", UUID.randomUUID())
       val bob = Entity("bob", UUID.randomUUID())