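package rbac2_test

import (
	"database/sql"
	"path/filepath"
	"testing"

	"github.com/bluesky-social/indigo/atproto/syntax"
	_ "github.com/mattn/go-sqlite3"
	"github.com/stretchr/testify/assert"
	"tangled.org/core/rbac2"
)

// setup returns an Enforcer backed by a fresh in-memory database, so every
// test starts from an empty policy and cannot observe another test's grants.
// It fails the test immediately if the enforcer cannot be built, because the
// callers dereference the result right away.
func setup(t *testing.T) *rbac2.Enforcer {
	t.Helper()

	enforcer, err := rbac2.NewEnforcer(":memory:")
	if err != nil {
		t.Fatalf("creating in-memory enforcer: %v", err)
	}
	return enforcer
}

// TestNewEnforcer checks that two Enforcers opened on the same database
// capture the same model: a policy written through the first must be
// visible to the second, so reopening the store cannot silently drop
// authorization state.
func TestNewEnforcer(t *testing.T) {
	// A per-test temporary file keeps runs isolated from each other and from
	// whatever a previous run left under a fixed path; the directory is
	// removed by the testing package when the test finishes.
	dsn := filepath.Join(t.TempDir(), "test.db") + "?_foreign_keys=1"
	db, err := sql.Open("sqlite3", dsn)
	if err != nil {
		t.Fatalf("opening sqlite database: %v", err)
	}
	defer db.Close()

	enforcer1, err := rbac2.NewEnforcerWithDB(db)
	if err != nil {
		t.Fatalf("creating first enforcer: %v", err)
	}
	// The grant must succeed, otherwise the equality below compares two
	// empty models and proves nothing about persistence.
	assert.NoError(t, enforcer1.AddRepo(syntax.ATURI("at://did:plc:foo/sh.tangled.repo/reporkey")))
	model1 := enforcer1.CaptureModel()

	enforcer2, err := rbac2.NewEnforcerWithDB(db)
	if err != nil {
		t.Fatalf("creating second enforcer: %v", err)
	}
	model2 := enforcer2.CaptureModel()

	assert.Equal(t, model1, model2)
}

// TestRepoOwnerPermissions checks the permissions granted to the DID that
// owns a repo: ownership itself, write access to the repo, the inherited
// collaborator role and the settings permission that comes with it.
func TestRepoOwnerPermissions(t *testing.T) {
	var (
		e       = setup(t)
		fooRepo = syntax.ATURI("at://did:plc:foo/sh.tangled.repo/reporkey")
		fooUser = syntax.DID("did:plc:foo")
	)

	assert.NoError(t, e.AddRepo(fooRepo))

	ok, err := e.IsRepoOwner(fooUser, fooRepo)
	assert.NoError(t, err)
	assert.True(t, ok, "repo author should be repo owner")

	ok, err = e.IsRepoWriteAllowed(fooUser, fooRepo)
	assert.NoError(t, err)
	assert.True(t, ok, "repo owner should be able to modify the repo itself")

	ok, err = e.IsRepoCollaborator(fooUser, fooRepo)
	assert.NoError(t, err)
	assert.True(t, ok, "repo owner should inherit role role:collaborator")

	ok, err = e.IsRepoSettingsWriteAllowed(fooUser, fooRepo)
	assert.NoError(t, err)
	assert.True(t, ok, "repo owner should inherit collaborator permissions")
}

// TestRepoCollaboratorPermissions checks both sides of the collaborator
// role: a collaborator may edit repo settings, but the negative case matters
// just as much — a collaborator must not be able to modify the repo itself.
func TestRepoCollaboratorPermissions(t *testing.T) {
	var (
		e       = setup(t)
		fooRepo = syntax.ATURI("at://did:plc:foo/sh.tangled.repo/reporkey")
		barUser = syntax.DID("did:plc:bar")
	)

	assert.NoError(t, e.AddRepo(fooRepo))
	assert.NoError(t, e.AddRepoCollaborator(barUser, fooRepo))

	ok, err := e.IsRepoCollaborator(barUser, fooRepo)
	assert.NoError(t, err)
	assert.True(t, ok, "should set repo collaborator")

	ok, err = e.IsRepoSettingsWriteAllowed(barUser, fooRepo)
	assert.NoError(t, err)
	assert.True(t, ok, "repo collaborator should be able to edit repo settings")

	ok, err = e.IsRepoWriteAllowed(barUser, fooRepo)
	assert.NoError(t, err)
	assert.False(t, ok, "repo collaborator shouldn't be able to modify the repo itself")
}

// TestGetByRole checks that listing a repo's collaborators returns every DID
// that holds the role, including the owner, who inherits it.
func TestGetByRole(t *testing.T) {
	var (
		e             = setup(t)
		fooRepo       = syntax.ATURI("at://did:plc:foo/sh.tangled.repo/reporkey")
		owner         = syntax.DID("did:plc:foo")
		collaborator1 = syntax.DID("did:plc:bar")
		collaborator2 = syntax.DID("did:plc:baz")
	)

	assert.NoError(t, e.AddRepo(fooRepo))
	assert.NoError(t, e.AddRepoCollaborator(collaborator1, fooRepo))
	assert.NoError(t, e.AddRepoCollaborator(collaborator2, fooRepo))

	collaborators, err := e.GetRepoCollaborators(fooRepo)
	assert.NoError(t, err)
	// Order is not part of the contract, only the set of members.
	assert.ElementsMatch(t, []syntax.DID{owner, collaborator1, collaborator2}, collaborators)
}

// TestSpindleOwnerPermissions checks spindle membership and the invite
// permission: both owner and member count as members, but only the owner
// may invite, and the member is explicitly asserted not to.
func TestSpindleOwnerPermissions(t *testing.T) {
	var (
		e       = setup(t)
		spindle = syntax.DID("did:web:spindle.example.com")
		owner   = syntax.DID("did:plc:foo")
		member  = syntax.DID("did:plc:bar")
	)

	assert.NoError(t, e.SetSpindleOwner(owner, spindle))
	assert.NoError(t, e.AddSpindleMember(member, spindle))

	ok, err := e.IsSpindleMember(owner, spindle)
	assert.NoError(t, err)
	assert.True(t, ok, "spindle owner is spindle member")

	ok, err = e.IsSpindleMember(member, spindle)
	assert.NoError(t, err)
	assert.True(t, ok, "spindle member is spindle member")

	ok, err = e.IsSpindleMemberInviteAllowed(owner, spindle)
	assert.NoError(t, err)
	assert.True(t, ok, "spindle owner can invite members")

	ok, err = e.IsSpindleMemberInviteAllowed(member, spindle)
	assert.NoError(t, err)
	assert.False(t, ok, "spindle member cannot invite members")
}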