-
-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathauthorization_test.go
244 lines (197 loc) · 6.36 KB
/
authorization_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
package traefik_oidc_auth
import (
"encoding/json"
"testing"
"github.com/golang-jwt/jwt/v5"
)
func createAuthInstance(claims []ClaimAssertion) TraefikOidcAuth {
return TraefikOidcAuth{
Config: &Config{
Authorization: &AuthorizationConfig{
AssertClaims: claims,
},
},
}
}
func getTestClaims() map[string]interface{} {
bytes := []byte(`{
"name": "Alice",
"age": 67,
"children": [
{ "name": "Bob", "age": 25 },
{ "name": "Eve", "age": 22 }
],
"roles": [
"support",
"accountant",
"administrator"
],
"address": {
"country": "USA",
"street": "Freedom Rd.",
"neighbours": [
"Joe",
"Sam"
]
},
"my:zitadel:grants": [
"abc",
"def",
"ghi"
]
}`)
claims := jwt.MapClaims{}
err := json.Unmarshal(bytes, &claims)
if err != nil {
panic(err)
}
return claims
}
func TestClaimNameExists(t *testing.T) {
claims := getTestClaims()
toa := createAuthInstance([]ClaimAssertion{
{Name: "name"},
})
if !toa.isAuthorized(claims) {
t.Fatal("Should authorize as a claim with the provided name exists")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "names"},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize as no claim with the provided name exists")
}
}
func TestSimpleAssertions(t *testing.T) {
claims := getTestClaims()
toa := createAuthInstance([]ClaimAssertion{
{Name: "name", AnyOf: []string{"Alice", "Bob", "Bruno"}},
})
if !toa.isAuthorized(claims) {
t.Fatal("Should authorize since value is any of the provided values")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "name", AnyOf: []string{"Ben", "Joe", "Sam"}},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize since value is none of the provided values")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "name", AllOf: []string{"Alice"}},
})
if !toa.isAuthorized(claims) {
t.Fatal("Should authorize since the single value matches all of the provided values")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "name", AllOf: []string{"Alice", "Bob", "Bruno"}},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize since the single value match cannot contain all values of array")
}
// We need to use ['my:zitadel:grants'] here to escape the colons in the jsonpath.
toa = createAuthInstance([]ClaimAssertion{
{Name: "['my:zitadel:grants']", AllOf: []string{"abc", "def", "ghi"}},
})
if !toa.isAuthorized(claims) {
t.Fatal("Should authorize since all values are contained in the array")
}
}
func TestNestedAssertions(t *testing.T) {
claims := getTestClaims()
toa := createAuthInstance([]ClaimAssertion{
{Name: "address.street", AnyOf: []string{"Freedom Rd.", "Eagle St."}},
})
if !toa.isAuthorized(claims) {
t.Fatal("Should authorize since nested value is any of the provided values")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "address.street", AnyOf: []string{"Concrete HWY"}},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize since nested value is none of the provided values")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "address.street", AllOf: []string{"Freedom Rd."}},
})
if !toa.isAuthorized(claims) {
t.Fatal("Should authorize since the single value matches all of the provided values")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "address.street", AllOf: []string{"Freedom Rd.", "Eagle St."}},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize since the single value match cannot contain all values of array")
}
}
func TestArrayAssertions(t *testing.T) {
claims := getTestClaims()
toa := createAuthInstance([]ClaimAssertion{
{Name: "children[*].name", AnyOf: []string{"Joe", "Bob", "Sam"}},
})
if !toa.isAuthorized(claims) {
t.Fatal("Should authorize since some of the values are part of the provided values")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "children[*].name", AnyOf: []string{"Joe", "Sam", "Alex"}},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize since values are none of the provided values")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "children[*].name", AllOf: []string{"Bob", "Eve"}},
})
if !toa.isAuthorized(claims) {
t.Fatal("Should authorize since all of the provided values have a matching claim value")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "children[*].name", AllOf: []string{"Bob", "Eve", "Alex"}},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize since not all of the provided values have a matching claim value")
}
}
func TestCombinedAssertions(t *testing.T) {
claims := getTestClaims()
toa := createAuthInstance([]ClaimAssertion{
{Name: "children[*].name", AnyOf: []string{"Joe", "Bob", "Sam"}, AllOf: []string{"Eve", "Bob"}},
})
if !toa.isAuthorized(claims) {
t.Fatal("Should authorize since both assertion quantifiers have matching values")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "children[*].name", AnyOf: []string{"Joe", "Bob", "Sam"}, AllOf: []string{"Eve", "Bob", "Alex"}},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize since not all values of the allOf quantifier are matched")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "children[*].name", AnyOf: []string{"Sam"}, AllOf: []string{"Eve", "Bob"}},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize since no value of the anyOf quantifier is matched")
}
}
func TestMultipleAssertions(t *testing.T) {
claims := getTestClaims()
toa := createAuthInstance([]ClaimAssertion{
{Name: "children[*].name", AnyOf: []string{"Joe", "Bob", "Sam"}, AllOf: []string{"Eve", "Bob"}},
{Name: "name", AnyOf: []string{"Alice", "Alex"}},
})
if !toa.isAuthorized(claims) {
t.Fatal("Should authorize since both assertions hold against the provided claims")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "children[*].name", AnyOf: []string{"Joe", "Bob", "Sam"}, AllOf: []string{"Eve", "Bob", "Alex"}},
{Name: "name", AnyOf: []string{"Alice", "Alex"}},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize since one of the assertions does not hold")
}
toa = createAuthInstance([]ClaimAssertion{
{Name: "children[*].name", AnyOf: []string{"Joe", "Bob", "Sam"}, AllOf: []string{"Eve", "Bob", "Alex"}},
{Name: "name", AnyOf: []string{"Alex", "Ben"}},
})
if toa.isAuthorized(claims) {
t.Fatal("Should not authorize since both of the assertions do not hold")
}
}