| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2022-04-01 22:38:49 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-04-01 22:38:49 +1100 |
| commit | 3c1bb3ec1983e38f7d8ee3aa664c30521e12b5ff (patch) | |
| tree | 7f745c3c3e0e287ef2bb527c84d0e12a5939b663 /internal/configuration/validator/access_control_test.go | |
| parent | 0116506330822f0dac159004aedc056884e7ceed (diff) | |
feat(authorization): domain regex match with named groups (#2789)
This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
Diffstat (limited to 'internal/configuration/validator/access_control_test.go')
| -rw-r--r-- | internal/configuration/validator/access_control_test.go | 47 |
1 files changed, 28 insertions, 19 deletions
diff --git a/internal/configuration/validator/access_control_test.go b/internal/configuration/validator/access_control_test.go
index 7e66864bf..3ce26fedf 100644
--- a/internal/configuration/validator/access_control_test.go
+++ b/internal/configuration/validator/access_control_test.go
@@ -2,6 +2,7 @@ package validator
 import (
 "fmt"
+ "regexp"
 "testing"
 "github.com/stretchr/testify/assert"
@@ -35,6 +36,31 @@ func (suite *AccessControl) TestShouldValidateCompleteConfiguration() {
 suite.Assert().False(suite.validator.HasErrors())
 }
+func (suite *AccessControl) TestShouldValidateEitherDomainsOrDomainsRegex() {
+ domainsRegex := regexp.MustCompile(`^abc.example.com$`)
+
+ suite.config.AccessControl.Rules = []schema.ACLRule{
+ {
+ Domains: []string{"abc.example.com"},
+ Policy: "bypass",
+ },
+ {
+ DomainsRegex: []regexp.Regexp{*domainsRegex},
+ Policy: "bypass",
+ },
+ {
+ Policy: "bypass",
+ },
+ }
+
+ ValidateRules(suite.config, suite.validator)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ assert.EqualError(suite.T(), suite.validator.Errors()[0], "access control: rule #3: rule is invalid: must have the option 'domain' or 'domain_regex' configured")
+}
+
 func (suite *AccessControl) TestShouldRaiseErrorInvalidDefaultPolicy() {
 suite.config.AccessControl.DefaultPolicy = testInvalidPolicy
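Review bot: The pattern in TestShouldValidateEitherDomainsOrDomainsRegex leaves its dots unescaped, so `^abc.example.com$` also matches hosts such as `abcxexample.com`; on a `bypass` rule that is an over-broad match, and test fixtures tend to be copied into real access-control configurations. Writing it as `^abc\.example\.com$` keeps the fixture a safe example without changing what the validator is asked to check. The test name promises an either/or check, but no rule sets both `Domains` and `DomainsRegex`, so how the validator treats that combination stays unasserted here (the validator itself is outside this diff). The last assertion could also read `suite.Assert().EqualError(suite.validator.Errors()[0], ...)` to match the neighbouring tests instead of `assert.EqualError(suite.T(), ...)`.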
@@ -99,9 +125,9 @@ func (suite *AccessControl) TestShouldRaiseErrorsWithEmptyRules() {
 suite.Assert().False(suite.validator.HasWarnings())
 suite.Require().Len(suite.validator.Errors(), 4)
- suite.Assert().EqualError(suite.validator.Errors()[0], "access control: rule #1: rule is invalid: must have the option 'domain' configured")
+ suite.Assert().EqualError(suite.validator.Errors()[0], "access control: rule #1: rule is invalid: must have the option 'domain' or 'domain_regex' configured")
 suite.Assert().EqualError(suite.validator.Errors()[1], "access control: rule #1: rule 'policy' option '' is invalid: must be one of 'deny', 'two_factor', 'one_factor' or 'bypass'")
- suite.Assert().EqualError(suite.validator.Errors()[2], "access control: rule #2: rule is invalid: must have the option 'domain' configured")
+ suite.Assert().EqualError(suite.validator.Errors()[2], "access control: rule #2: rule is invalid: must have the option 'domain' or 'domain_regex' configured")
 suite.Assert().EqualError(suite.validator.Errors()[3], "access control: rule #2: rule 'policy' option 'wrong' is invalid: must be one of 'deny', 'two_factor', 'one_factor' or 'bypass'")
 }
@@ -155,23 +181,6 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidMethod() {
 suite.Assert().EqualError(suite.validator.Errors()[0], "access control: rule #1 (domain 'public.example.com'): 'methods' option 'HOP' is invalid: must be one of 'GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'TRACE', 'CONNECT', 'OPTIONS', 'COPY', 'LOCK', 'MKCOL', 'MOVE', 'PROPFIND', 'PROPPATCH', 'UNLOCK'")
 }
-func (suite *AccessControl) TestShouldRaiseErrorInvalidResource() {
- suite.config.AccessControl.Rules = []schema.ACLRule{
- {
- Domains: []string{"public.example.com"},
- Policy: "bypass",
- Resources: []string{"^/(api.*"},
- },
- }
-
- ValidateRules(suite.config, suite.validator)
-
- suite.Assert().False(suite.validator.HasWarnings())
- suite.Require().Len(suite.validator.Errors(), 1)
-
- suite.Assert().EqualError(suite.validator.Errors()[0], "access control: rule #1 (domain 'public.example.com'): 'resources' option '^/(api.*' is invalid: error parsing regexp: missing closing ): `^/(api.*`")
-}
-
 func (suite *AccessControl) TestShouldRaiseErrorInvalidSubject() {
 domains := []string{"public.example.com"}
 subjects := [][]string{{"invalid"}} |
