
authorization tests
mihaidma committed Oct 4, 2017
1 parent 013305d commit 761ac45
Showing 2 changed files with 131 additions and 21 deletions.
14 changes: 12 additions & 2 deletions lib/core/lib/ops/policyOps.js
Expand Up @@ -276,6 +276,7 @@ function buildPolicyOps (db, config) {
* @param {Function} cb
*/
listAllUserPolicies: function listAllUserPolicies ({ userId, organizationId }, cb) {
const rootOrgId = config.get('authorization.superUser.organization.id')
const sql = SQL`
WITH user_teams AS (
SELECT id FROM teams WHERE path @> (
Expand Down Expand Up @@ -310,6 +311,9 @@ function buildPolicyOps (db, config) {
users u ON u.org_id = op.org_id
WHERE
u.id = ${userId}
),
is_root_user AS (
SELECT FROM users WHERE id=${userId} AND org_id = ${rootOrgId}
)
SELECT
id,
Expand All @@ -318,8 +322,14 @@ function buildPolicyOps (db, config) {
statements
FROM
policies
WHERE
org_id IN (SELECT org_id FROM users WHERE id = ${userId})
WHERE (
org_id = ${organizationId}
OR (
EXISTS (SELECT FROM is_root_user)
AND
org_id = ${rootOrgId}
)
)
AND (
id IN (SELECT policy_id FROM policies_from_user)
OR
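Review bot: The new predicate `org_id = ${organizationId}` turns organizationId into a required input of listAllUserPolicies, yet the only visible tail of its JSDoc is `* @param {Function} cb`; unless the lines above the first hunk already cover it, add `* @param {String} organizationId - organization the policies are resolved against; a caller in the root organization additionally receives the root organization's policies`. If the SQL tag binds organizationId as a parameter, a null or undefined value becomes `org_id = NULL`, which matches nothing, so a non-root caller silently gets an empty policy list rather than an error; that fail-closed behaviour is worth a one-line comment at the query, e.g. `// a missing organizationId resolves to no policies; callers must pass the org explicitly`. The `is_root_user` CTE is evaluated for every caller even though only the root branch of the WHERE uses it, which is harmless but could be noted. The listAllUserPolicies body and the start of its SQL template lie above this hunk.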
138 changes: 119 additions & 19 deletions test/integration/endToEnd/authorization.test.js
Expand Up @@ -108,32 +108,46 @@ lab.experiment('Authorization', () => {
})

lab.experiment('Authorization inherited org policies', () => {
const newOrgPolicyId = 'newOrgPolicyId'
const newOrgId = 'newOrgId'
const testUserId = 'testUserId'
const orgId1 = 'orgId1'
const orgId2 = 'orgId2'
const testUserId1 = 'testUserId1'
const testUserId2 = 'testUserId2'
const org1PolicyId = 'org1PolicyId'

Factory(lab, {
organizations: {
org1: {
id: newOrgId,
id: orgId1,
name: 'Test Organization',
description: 'Test Organization',
policies: ['testPolicy'],
users: ['TestUser']
policies: ['testPolicy1', 'checkAccessPolicy1'],
users: ['TestUser1']
},
org2: {
id: orgId2,
name: 'Test Organization',
description: 'Test Organization',
policies: ['checkAccessPolicy2'],
users: ['TestUser2']
}
},
users: {
TestUser: {
id: testUserId,
name: 'Test User',
organizationId: newOrgId
TestUser1: {
id: testUserId1,
name: 'Test User1',
organizationId: orgId1
},
TestUser2: {
id: testUserId2,
name: 'Test User2',
organizationId: orgId2
}
},
policies: {
testPolicy: {
id: newOrgPolicyId,
name: 'newOrgPolicyId',
organizationId: newOrgId,
testPolicy1: {
id: org1PolicyId,
name: 'org1Policy',
organizationId: orgId1,
statements: {
Statement: [
{
Expand All @@ -143,18 +157,43 @@ lab.experiment('Authorization inherited org policies', () => {
}
]
}
},
checkAccessPolicy1: {
name: 'checkaccess',
organizationId: orgId1,
statements: {
Statement: [
{
Effect: 'Allow',
Action: ['authorization:authn:access'],
Resource: ['authorization/access']
}
]
}
},
checkAccessPolicy2: {
name: 'checkaccess',
organizationId: orgId2,
statements: {
Statement: [
{
Effect: 'Allow',
Action: ['authorization:authn:access'],
Resource: ['authorization/access']
}
]
}
}
}
})

lab.test('User authorized against policies inherited from organization', (done) => {
const userId = testUserId
lab.test('User authorized against policies inherited from its own organization', (done) => {
const userId = testUserId1
const options = utils.requestOptions({
method: 'GET',
url: `/authorization/access/${userId}/read/org:documents`,
headers: {
authorization: 'ROOTid',
org: newOrgId
authorization: testUserId1
}
})

Expand All @@ -168,14 +207,75 @@ lab.experiment('Authorization inherited org policies', () => {
})
})

lab.test('User checks authorization for another org user', (done) => {
const userId = testUserId1
const options = utils.requestOptions({
method: 'GET',
url: `/authorization/access/${userId}/read/org:documents`,
headers: {
authorization: testUserId2
}
})

server.inject(options, (response) => {
const result = response.result

expect(response.statusCode).to.equal(200)
expect(result.access).to.equal(false)

done()
})
})

lab.test('Non-existing user has no access to existing organization policies', (done) => {
const userId = 'abcd1234'
const options = utils.requestOptions({
method: 'GET',
url: `/authorization/access/${userId}/read/org:documents`,
headers: {
authorization: testUserId1
}
})

server.inject(options, (response) => {
const result = response.result

expect(response.statusCode).to.equal(200)
expect(result.access).to.equal(false)

done()
})
})

lab.test('Root impersonates org in which checked authorization exists', (done) => {
const userId = testUserId1
const options = utils.requestOptions({
method: 'GET',
url: `/authorization/access/${userId}/read/org:documents`,
headers: {
authorization: 'ROOTid',
org: orgId1
}
})

server.inject(options, (response) => {
const result = response.result

expect(response.statusCode).to.equal(200)
expect(result.access).to.equal(true)

done()
})
})

lab.test('Root impersonates org in which checked authorization exists but provides valid other org data', (done) => {
const userId = testUserId1
const options = utils.requestOptions({
method: 'GET',
url: `/authorization/access/${userId}/read/org:documents`,
headers: {
authorization: 'ROOTid',
org: newOrgId
org: orgId2
}
})

Expand Down
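Review bot: The new scenarios cover a non-root caller without an `org` header and root impersonating either organization, but none pins what happens when a non-root caller (testUserId1) sends `org: orgId2`; since policyOps.js now filters on the caller-supplied organizationId, a test asserting that the header cannot widen a non-root caller's scope would guard that branch directly (the exact expected result depends on how the org header is resolved for non-root callers, which is outside this file, so confirm before pinning it). Separately, the five tests repeat the same requestOptions/server.inject/expect scaffold and differ only in three values, so a small helper would make each scenario read as its intent and keep the new case short. The enclosing `lab.experiment('Authorization inherited org policies', …)` opens in the earlier hunk and closes outside this one.
```javascript
// Issues the access check and asserts only the access flag, so each test states its scenario.
function expectAccess ({ userId, authorization, org }, expected, done) {
  const headers = org ? { authorization, org } : { authorization }
  const options = utils.requestOptions({
    method: 'GET',
    url: `/authorization/access/${userId}/read/org:documents`,
    headers
  })
  server.inject(options, (response) => {
    expect(response.statusCode).to.equal(200)
    expect(response.result.access).to.equal(expected)
    done()
  })
}

lab.test('Non-root user sending another org header cannot widen its scope', (done) => {
  // expected value to be confirmed against how the org header is resolved for non-root callers
  expectAccess({ userId: testUserId1, authorization: testUserId1, org: orgId2 }, false, done)
})
// … unchanged: existing scenarios, rewritten as one expectAccess call each …
```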
