Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add admin additional role to mlp.project.post #91

Merged
merged 7 commits into from
Oct 25, 2023
Merged

add admin additional role to mlp.project.post #91

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
2a5b587
Update bootstrap.go
tkpd-hafizhan Oct 18, 2023
ce626ef
add bootstrap test
tkpd-hafizhan Oct 18, 2023
3385708
Update admin role to have default permission
tkpd-hafizhan Oct 20, 2023
6d2a1f0
update bootstrap test
tkpd-hafizhan Oct 23, 2023
6e19923
edit bootstrap config and add test
tkpd-hafizhan Oct 24, 2023
78c0247
update test name
tkpd-hafizhan Oct 24, 2023
e8bf5e3
fix long test name
tkpd-hafizhan Oct 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 13 additions & 10 deletions api/cmd/bootstrap.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,14 @@ var (
if err != nil {
log.Panicf("unable to load role members from input file: %v", err)
}
err = startKetoBootstrap(bootstrapConfig)
authEnforcer, err := enforcer.NewEnforcerBuilder().
KetoEndpoints(bootstrapConfig.KetoRemoteRead, bootstrapConfig.KetoRemoteWrite).
Build()
if err != nil {
log.Panicf("unable to create keto enforcer: %v", err)
}

err = startKetoBootstrap(authEnforcer, bootstrapConfig.ProjectReaders, bootstrapConfig.MLPAdmins)
if err != nil {
log.Panicf("unable to bootstrap keto: %v", err)
}
Expand Down Expand Up @@ -64,15 +71,11 @@ func loadBootstrapConfig(path string) (*BootstrapConfig, error) {
return bootstrapCfg, nil
}

func startKetoBootstrap(bootstrapCfg *BootstrapConfig) error {
authEnforcer, err := enforcer.NewEnforcerBuilder().
KetoEndpoints(bootstrapCfg.KetoRemoteRead, bootstrapCfg.KetoRemoteWrite).
Build()
if err != nil {
return err
}
func startKetoBootstrap(authEnforcer enforcer.Enforcer, projectReaders []string, mlpAdmins []string) error {
defaultMLPAdminPermissions := []string{"mlp.projects.post"}
updateRequest := enforcer.NewAuthorizationUpdateRequest()
updateRequest.SetRoleMembers(enforcer.MLPProjectsReaderRole, bootstrapCfg.ProjectReaders)
updateRequest.SetRoleMembers(enforcer.MLPAdminRole, bootstrapCfg.MLPAdmins)
updateRequest.SetRoleMembers(enforcer.MLPProjectsReaderRole, projectReaders)
updateRequest.SetRoleMembers(enforcer.MLPAdminRole, mlpAdmins)
updateRequest.AddRolePermissions(enforcer.MLPAdminRole, defaultMLPAdminPermissions)
return authEnforcer.UpdateAuthorization(context.Background(), updateRequest)
}
86 changes: 86 additions & 0 deletions api/cmd/bootstrap_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
package cmd

import (
"testing"

"github.com/caraml-dev/mlp/api/pkg/authz/enforcer"
enforcerMock "github.com/caraml-dev/mlp/api/pkg/authz/enforcer/mocks"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
)

func TestStartKetoBootsrap(t *testing.T) {
tests := []struct {
name string
projectReaders []string
mlpAdmins []string
expectedUpdateAuthorizationRequest enforcer.AuthorizationUpdateRequest
}{
{
"admin role must have project post even there are no project readers",
[]string{},
[]string{"admin1"},
enforcer.AuthorizationUpdateRequest{
RolePermissions: map[string][]string{
"mlp.administrator": {"mlp.projects.post"},
},
RoleMembers: map[string][]string{
"mlp.projects.reader": {},
"mlp.administrator": {"admin1"},
},
},
},
{
"admin role should have project post, even there are no mlp admins or project readers",
[]string{},
[]string{},
enforcer.AuthorizationUpdateRequest{
RolePermissions: map[string][]string{
"mlp.administrator": {"mlp.projects.post"},
},
RoleMembers: map[string][]string{
"mlp.projects.reader": {},
"mlp.administrator": {},
},
},
},
{
"only admin role should have project post, even no mlp admins and project readers exist",
[]string{"readers1", "readers2"},
[]string{},
enforcer.AuthorizationUpdateRequest{
RolePermissions: map[string][]string{
"mlp.administrator": {"mlp.projects.post"},
},
RoleMembers: map[string][]string{
"mlp.projects.reader": {"readers1", "readers2"},
"mlp.administrator": {},
},
},
},
{
"only admin role should have project post, even project readers exist",
[]string{"readers1", "readers2"},
[]string{"admin1"},
enforcer.AuthorizationUpdateRequest{
RolePermissions: map[string][]string{
"mlp.administrator": {"mlp.projects.post"},
},
RoleMembers: map[string][]string{
"mlp.projects.reader": {"readers1", "readers2"},
"mlp.administrator": {"admin1"},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
authEnforcer := &enforcerMock.Enforcer{}

authEnforcer.On("UpdateAuthorization", mock.Anything, tt.expectedUpdateAuthorizationRequest).Return(nil)
err := startKetoBootstrap(authEnforcer, tt.projectReaders, tt.mlpAdmins)
authEnforcer.AssertExpectations(t)
require.NoError(t, err)
})
}
}
Loading