diff --git a/docs/content/policy-testing.md b/docs/content/policy-testing.md index 24728dcb75..7a8dd83805 100644 --- a/docs/content/policy-testing.md +++ b/docs/content/policy-testing.md @@ -50,23 +50,24 @@ To test this policy, we will create a separate Rego file that contains test case **example_test.rego**: ```live:example/test:module:read_only -package authz +package authz_test import rego.v1 +import authz test_post_allowed if { - allow with input as {"path": ["users"], "method": "POST"} + authz.allow with input as {"path": ["users"], "method": "POST"} } test_get_anonymous_denied if { - not allow with input as {"path": ["users"], "method": "GET"} + not authz.allow with input as {"path": ["users"], "method": "GET"} } test_get_user_allowed if { - allow with input as {"path": ["users", "bob"], "method": "GET", "user_id": "bob"} + authz.allow with input as {"path": ["users", "bob"], "method": "GET", "user_id": "bob"} } test_get_another_user_denied if { - not allow with input as {"path": ["users", "bob"], "method": "GET", "user_id": "alice"} + not authz.allow with input as {"path": ["users", "bob"], "method": "GET", "user_id": "alice"} } ``` @@ -81,10 +82,10 @@ To exercise the policy, run the `opa test` command in the directory containing t ```console $ opa test . -v -data.authz.test_post_allowed: PASS (1.417µs) -data.authz.test_get_anonymous_denied: PASS (426ns) -data.authz.test_get_user_allowed: PASS (367ns) -data.authz.test_get_another_user_denied: PASS (320ns) +data.authz_test.test_post_allowed: PASS (1.417µs) +data.authz_test.test_get_anonymous_denied: PASS (426ns) +data.authz_test.test_get_user_allowed: PASS (367ns) +data.authz_test.test_get_another_user_denied: PASS (320ns) -------------------------------------------------------------------------------- PASS: 4/4 ``` 
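Review bot: The added `import authz` in the example_test.rego hunk is not a valid Rego import, because import paths must begin with `data` or `input`; it should read `import data.authz`. The same applies to `import mypackage`, `import example` and the other `import authz` lines added in the later hunks of this file. As written, readers who copy these examples get test files that fail to parse, so the authorization policy they are meant to cover is never exercised.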
@@ -97,19 +98,19 @@ Try exercising the tests a bit more by removing the first rule in **example.rego $ opa test . -v FAILURES -------------------------------------------------------------------------------- -data.authz.test_post_allowed: FAIL (277.306µs) +data.authz_test.test_post_allowed: FAIL (277.306µs) - query:1 Enter data.authz.test_post_allowed = _ - example_test.rego:3 | Enter data.authz.test_post_allowed - example_test.rego:4 | | Fail data.authz.allow with input as {"method": "POST", "path": ["users"]} - query:1 | Fail data.authz.test_post_allowed = _ + query:1 Enter data.authz_test.test_post_allowed = _ + example_test.rego:3 | Enter data.authz_test.test_post_allowed + example_test.rego:4 | | Fail data.authz_test.allow with input as {"method": "POST", "path": ["users"]} + query:1 | Fail data.authz_test.test_post_allowed = _ SUMMARY -------------------------------------------------------------------------------- -data.authz.test_post_allowed: FAIL (277.306µs) -data.authz.test_get_anonymous_denied: PASS (124.287µs) -data.authz.test_get_user_allowed: PASS (242.2µs) -data.authz.test_get_another_user_denied: PASS (131.964µs) +data.authz_test.test_post_allowed: FAIL (277.306µs) +data.authz_test.test_get_anonymous_denied: PASS (124.287µs) +data.authz_test.test_get_user_allowed: PASS (242.2µs) +data.authz_test.test_get_another_user_denied: PASS (131.964µs) -------------------------------------------------------------------------------- PASS: 3/4 FAIL: 1/4 @@ -121,8 +122,9 @@ Tests are expressed as standard Rego rules with a convention that the rule name is prefixed with `test_`. ```live:example_format:module:read_only -package mypackage +package mypackage_test import rego.v1 +import mypackage test_some_descriptive_name if { # test logic 
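Review bot: In the failure trace, `Fail data.authz_test.allow with input as {...}` looks like an over-applied rename. The rule being evaluated is the policy's `allow`, which stays in the `authz` package, so that line should keep `data.authz.allow`; only the test rule names move to `data.authz_test`. The `example_test.rego:3` and `example_test.rego:4` locations presumably also shift now that the test file gains an import line. Regenerating the output from a real `opa test` run would be safer than editing it by hand.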
@@ -153,8 +155,9 @@ by zero condition) the test result is marked as an `ERROR`. Tests prefixed with **pass_fail_error_test.rego**: ```live:example_results:module:read_only -package example +package example_test import rego.v1 +import example # This test will pass. test_ok if true @@ -167,7 +170,7 @@ test_error if 1 / 0 # This test will be skipped. todo_test_missing_implementation if { - allow with data.roles as ["not", "implemented"] + example.allow with data.roles as ["not", "implemented"] } ``` @@ -176,8 +179,8 @@ of the tests that failed or errored. ```console $ opa test pass_fail_error_test.rego -data.example.test_failure: FAIL (253ns) -data.example.test_error: ERROR (289ns) +data.example_test.test_failure: FAIL (253ns) +data.example_test.test_error: ERROR (289ns) pass_fail_error_test.rego:15: eval_builtin_error: div: divide by zero -------------------------------------------------------------------------------- PASS: 1/3 @@ -200,7 +203,7 @@ opa test --format=json pass_fail_error_test.rego "row": 4, "col": 1 }, - "package": "data.example", + "package": "data.example_test", "name": "test_ok", "duration": 618515 }, @@ -210,7 +213,7 @@ opa test --format=json pass_fail_error_test.rego "row": 9, "col": 1 }, - "package": "data.example", + "package": "data.example_test", "name": "test_failure", "fail": true, "duration": 322177 @@ -221,7 +224,7 @@ opa test --format=json pass_fail_error_test.rego "row": 14, "col": 1 }, - "package": "data.example", + "package": "data.example_test", "name": "test_error", "error": { "code": "eval_internal_error", 
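Review bot: The sample output for pass_fail_error_test.rego still shows the old source positions, `pass_fail_error_test.rego:15` in the console hunk and the unchanged `"row": 4`, `"row": 9` and `"row": 14` in the JSON hunks. The added import line presumably moves every rule down by one, so these no longer match the listing above them. Regenerating both outputs after fixing the import to `import data.example` would keep the documented locations consistent with the file.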
@@ -271,14 +274,15 @@ Below is the Rego file to test the above policy. **authz_test.rego**: ```live:with_keyword/tests:module:read_only -package authz +package authz_test import rego.v1 +import authz policies := [{"name": "test_policy"}] roles := {"admin": ["alice"]} test_allow_with_data if { - allow with input as {"user": "alice", "role": "admin"} + authz.allow with input as {"user": "alice", "role": "admin"} with data.policies as policies with data.roles as roles } @@ -288,7 +292,7 @@ To exercise the policy, run the `opa test` command. ```console $ opa test -v authz.rego authz_test.rego -data.authz.test_allow_with_data: PASS (697ns) +data.authz_test.test_allow_with_data: PASS (697ns) -------------------------------------------------------------------------------- PASS: 1/1 ``` @@ -309,17 +313,18 @@ allow2 if 2 == 1 **authz_test.rego**: ```live:with_keyword_rules/tests:module:read_only -package authz +package authz_test import rego.v1 +impot authz test_replace_rule if { - allow1 with allow2 as true + authz.allow1 with authz.allow2 as true } ``` ```console $ opa test -v authz.rego authz_test.rego -data.authz.test_replace_rule: PASS (328ns) +data.authz_test.test_replace_rule: PASS (328ns) -------------------------------------------------------------------------------- PASS: 1/1 ``` @@ -342,14 +347,15 @@ allow if { **authz_test.rego**: ```live:with_keyword_builtins/tests:module:read_only -package authz +package authz_test import rego.v1 +import authz mock_decode_verify("my-jwt", _) := [true, {}, {}] mock_decode_verify(x, _) := [false, {}, {}] if x != "my-jwt" test_allow if { - allow with input.headers["x-token"] as "my-jwt" + authz.allow with input.headers["x-token"] as "my-jwt" with data.jwks.cert as "mock-cert" with io.jwt.decode_verify as mock_decode_verify } 
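Review bot: The with_keyword_rules test hunk adds `impot authz`, which is misspelled and will not parse. It should be `import data.authz`, since the keyword is `import` and the path must start with `data`. Because this example shows how to mock `allow2` when testing `allow1`, a file that does not compile leaves the rule-replacement pattern unverified for anyone copying it.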
@@ -357,7 +363,7 @@ test_allow if { ```console $ opa test -v authz.rego authz_test.rego -data.authz.test_allow: PASS (458.752µs) +data.authz_test.test_allow: PASS (458.752µs) -------------------------------------------------------------------------------- PASS: 1/1 ``` @@ -366,7 +372,7 @@ In simple cases, a function can also be replaced with a value, as in ```live:with_keyword_builtins/tests/value:module:read_only test_allow_value if { - allow + authz.allow with input.headers["x-token"] as "my-jwt" with data.jwks.cert as "mock-cert" with io.jwt.decode_verify as [true, {}, {}] @@ -397,17 +403,18 @@ replace(label) if { **authz_test.rego**: ```live:with_keyword_funcs/tests:module:read_only -package authz +package authz_test import rego.v1 +import authz test_replace_rule if { - replace_rule with input.label as "does-not-matter" with replace as true + authz.replace_rule with input.label as "does-not-matter" with replace as true } ``` ```console $ opa test -v authz.rego authz_test.rego -data.authz.test_replace_rule: PASS (648.314µs) +data.authz_test.test_replace_rule: PASS (648.314µs) -------------------------------------------------------------------------------- PASS: 1/1 ```
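Review bot: In the with_keyword_funcs hunk the mock target was left unqualified: `authz.replace_rule with input.label as "does-not-matter" with replace as true`. Now that the test lives in `authz_test`, `replace` no longer refers to the policy's `replace(label)` function and would most likely resolve to the built-in string function `replace` instead. The test would then mock the wrong thing, or pass for the wrong reason. It should be `with authz.replace as true`, alongside `import data.authz`.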