diff --git a/gateway/api_test.go b/gateway/api_test.go index 00bef2aa88a..f2d88608ee5 100644 --- a/gateway/api_test.go +++ b/gateway/api_test.go @@ -455,16 +455,24 @@ func TestKeyHandler_UpdateKey(t *testing.T) { } }) + pIdAccess := ts.CreatePolicy(func(p *user.Policy) { + p.Partitions.Acl = true + p.AccessRights = map[string]user.AccessDefinition{testAPIID: { + APIID: testAPIID, Versions: []string{"v1"}, + }} + p.Tags = []string{"p3-tag"} + p.MetaData = map[string]interface{}{ + "p3-meta": "p3-value", + } + }) + session, key := ts.CreateSession(func(s *user.SessionState) { - s.ApplyPolicies = []string{pID} + s.ApplyPolicies = []string{pIdAccess, pID} s.Tags = []string{"key-tag1", "key-tag2"} s.MetaData = map[string]interface{}{ "key-meta1": "key-value1", "key-meta2": "key-value2", } - s.AccessRights = map[string]user.AccessDefinition{testAPIID: { - APIID: testAPIID, Versions: []string{"v1"}, - }} }) t.Run("Add policy not enforcing acl", func(t *testing.T) { @@ -477,8 +485,8 @@ func TestKeyHandler_UpdateKey(t *testing.T) { }...) sessionState, found := ts.Gw.GlobalSessionManager.SessionDetail("default", key, false) - if !found || sessionState.AccessRights[testAPIID].APIID != testAPIID || len(sessionState.ApplyPolicies) != 2 { - + _, exists := sessionState.AccessRights[testAPIID] + if !found || !exists || len(sessionState.ApplyPolicies) != 3 { t.Fatal("Adding policy to the list failed") } }) @@ -493,7 +501,8 @@ func TestKeyHandler_UpdateKey(t *testing.T) { }...) sessionState, found := ts.Gw.GlobalSessionManager.SessionDetail("default", key, false) - if !found || sessionState.AccessRights[testAPIID].APIID != testAPIID || len(sessionState.ApplyPolicies) != 0 { + _, exists := sessionState.AccessRights[testAPIID] + if !found || !exists || len(sessionState.ApplyPolicies) != 0 { t.Fatal("Removing policy from the list failed") } }) 
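Review bot: In the "Add policy not enforcing acl" subtest the check on the access entry is weakened from `sessionState.AccessRights[testAPIID].APIID != testAPIID` to mere key presence, and the removal subtest in the following hunk gets the same change. Because this commit changes how a key's rights are derived from its policies, an entry that exists under the key but carries an empty or wrong APIID would now pass unnoticed. Keeping both conditions costs one line: `ar, exists := sessionState.AccessRights[testAPIID]` and then `if !found || !exists || ar.APIID != testAPIID || len(sessionState.ApplyPolicies) != 3 {`. As a naming point, `pIdAccess` would be `pIDAccess` under Go's initialism convention, matching the existing `pID`. TestKeyHandler_UpdateKey starts and ends outside these hunks.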
@@ -518,21 +527,21 @@ func TestKeyHandler_UpdateKey(t *testing.T) { } t.Run("Add", func(t *testing.T) { - expected := []string{"p1-tag", "p2-tag", "key-tag1", "key-tag2"} - session.ApplyPolicies = []string{pID, pID2} + expected := []string{"p1-tag", "p2-tag", "p3-tag", "key-tag1", "key-tag2"} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} assertTags(session, expected) }) t.Run("Make unique", func(t *testing.T) { - expected := []string{"p1-tag", "p2-tag", "key-tag1", "key-tag2"} - session.ApplyPolicies = []string{pID, pID2} + expected := []string{"p1-tag", "p2-tag", "p3-tag", "key-tag1", "key-tag2"} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} session.Tags = append(session.Tags, "p1-tag", "key-tag1") assertTags(session, expected) }) t.Run("Remove", func(t *testing.T) { - expected := []string{"p1-tag", "p2-tag", "key-tag2"} - session.ApplyPolicies = []string{pID, pID2} + expected := []string{"p1-tag", "p2-tag", "p3-tag", "key-tag2"} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} session.Tags = []string{"key-tag2"} assertTags(session, expected) }) @@ -559,10 +568,11 @@ func TestKeyHandler_UpdateKey(t *testing.T) { expected := map[string]interface{}{ "p1-meta": "p1-value", "p2-meta": "p2-value", + "p3-meta": "p3-value", "key-meta1": "key-value1", "key-meta2": "key-value2", } - session.ApplyPolicies = []string{pID, pID2} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} assertMetaData(session, expected) }) @@ -570,10 +580,11 @@ func TestKeyHandler_UpdateKey(t *testing.T) { expected := map[string]interface{}{ "p1-meta": "p1-value", "p2-meta": "p2-value", + "p3-meta": "p3-value", "key-meta1": "key-value1", "key-meta2": "key-value2", } - session.ApplyPolicies = []string{pID, pID2} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} assertMetaData(session, expected) }) 
@@ -581,9 +592,10 @@ func TestKeyHandler_UpdateKey(t *testing.T) { expected := map[string]interface{}{ "p1-meta": "p1-value", "p2-meta": "p2-value", + "p3-meta": "p3-value", "key-meta2": "key-value2", } - session.ApplyPolicies = []string{pID, pID2} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} session.MetaData = map[string]interface{}{ "key-meta2": "key-value2", } @@ -701,13 +713,14 @@ func TestKeyHandler_DeleteKeyWithQuota(t *testing.T) { pID := ts.CreatePolicy(func(p *user.Policy) { p.QuotaMax = 1 + p.AccessRights = map[string]user.AccessDefinition{testAPIID: { + APIID: testAPIID, + }} }) _, key := ts.CreateSession(func(s *user.SessionState) { s.ApplyPolicies = []string{pID} - s.AccessRights = map[string]user.AccessDefinition{testAPIID: { - APIID: testAPIID, - }} + }) authHeaders := map[string]string{ @@ -741,7 +754,11 @@ func TestUpdateKeyWithCert(t *testing.T) { defer ts.Close() apiId := "MTLSApi" - pID := ts.CreatePolicy(func(p *user.Policy) {}) + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{apiId: { + APIID: apiId, Versions: []string{"v1"}, + }} + }) ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.APIID = apiId @@ -768,9 +785,6 @@ func TestUpdateKeyWithCert(t *testing.T) { // create session base and set cert session, key := ts.CreateSession(func(s *user.SessionState) { s.ApplyPolicies = []string{pID} - s.AccessRights = map[string]user.AccessDefinition{apiId: { - APIID: apiId, Versions: []string{"v1"}, - }} s.Certificate = certID }) @@ -813,9 +827,6 @@ func TestUpdateKeyWithCert(t *testing.T) { // create session base and set cert session, key := ts.CreateSession(func(s *user.SessionState) { s.ApplyPolicies = []string{pID} - s.AccessRights = map[string]user.AccessDefinition{apiId: { - APIID: apiId, Versions: []string{"v1"}, - }} s.Certificate = certID }) 
@@ -3900,6 +3911,71 @@ func TestOrgKeyHandler_LastUpdated(t *testing.T) { }...) } +func TestDeletionOfPoliciesThatFromAKeyDoesNotMakeTheAPIKeyless(t *testing.T) { + const testAPIID = "testAPIID" + + ts := StartTest(nil) + defer ts.Close() + + apiID1 := testAPIID + "1" + apiID2 := testAPIID + "2" + + ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { + spec.APIID = apiID1 + spec.UseKeylessAccess = false + spec.OrgID = "default" + spec.Proxy.ListenPath = "/api1" + }, func(spec *APISpec) { + spec.APIID = apiID2 + spec.UseKeylessAccess = false + spec.OrgID = "default" + spec.Proxy.ListenPath = "/api2" + }) + + policyForApi1 := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{apiID1: { + APIID: apiID1, + }} + }) + + policyForApi2 := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{apiID2: { + APIID: apiID2, + }} + }) + + _, key := ts.CreateSession(func(s *user.SessionState) { + s.ApplyPolicies = []string{policyForApi1, policyForApi2} + }) + + authHeaders := map[string]string{ + "authorization": key, + } + + res, err := ts.Run(t, []test.TestCase{ + {Method: "GET", Path: "/api1", Headers: authHeaders, Code: 200}, + {Method: "GET", Path: "/api2", Headers: authHeaders, Code: 200}, + }...) + assert.NotNil(t, res) + assert.Nil(t, err) + + ts.DeletePolicy(policyForApi2) + res, err = ts.Run(t, []test.TestCase{ + {Method: "GET", Path: "/api1", Headers: authHeaders, Code: 200}, + {Method: "GET", Path: "/api2", Headers: authHeaders, Code: 403}, + }...) + assert.NotNil(t, res) + assert.Nil(t, err) + + ts.DeletePolicy(policyForApi1) + res, err = ts.Run(t, []test.TestCase{ + {Method: "GET", Path: "/api1", Headers: authHeaders, Code: 403}, + {Method: "GET", Path: "/api2", Headers: authHeaders, Code: 403}, + }...) + assert.NotNil(t, res) + assert.Nil(t, err) +} + func TestPurgeOAuthClientTokensEndpoint(t *testing.T) { conf := func(globalConf *config.Config) { // set tokens to be expired after 1 second 
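Review bot: The new test removes policies only through ts.DeletePolicy, which edits the in-memory map directly, so the other half of this commit is never exercised: syncPolicies in gateway/server.go now replaces the map even when the load returns zero policies. A further step that runs a policy sync against an empty source and then expects 403 on both `/api1` and `/api2` would cover that path. A key that references a policy ID which never existed is another cheap negative case. The function name also reads as a typo (`ThatFromAKey`); something like `TestDeletingPoliciesOfAKeyDoesNotMakeTheAPIKeyless` says what is being pinned.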
diff --git a/gateway/multiauth_test.go b/gateway/multiauth_test.go index 3e4ffd236cd..21a2f7e60e0 100644 --- a/gateway/multiauth_test.go +++ b/gateway/multiauth_test.go @@ -304,11 +304,16 @@ func TestJWTAuthKeyMultiAuth(t *testing.T) { ts := StartTest(nil) defer ts.Close() - pID := ts.CreatePolicy() + const testAPIID = "test-api-id" + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: {APIID: testAPIID, APIName: "test-api"}, + } + }) spec := ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.UseKeylessAccess = false - + spec.APIID = testAPIID spec.AuthConfigs = make(map[string]apidef.AuthConfig) spec.UseStandardAuth = true diff --git a/gateway/mw_jwt_test.go b/gateway/mw_jwt_test.go index a0ad54bc6b7..766c11bcf17 100644 --- a/gateway/mw_jwt_test.go +++ b/gateway/mw_jwt_test.go @@ -542,8 +542,9 @@ func BenchmarkJWTSessionRSAWithRawSourceOnWithClientID(b *testing.B) { // JWTSessionRSAWithRawSource func (ts *Test) prepareJWTSessionRSAWithRawSource() string { - + const testApiID = "test-api-id" ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { + spec.APIID = testApiID spec.UseKeylessAccess = false spec.EnableJWT = true spec.JWTSigningMethod = RSASign @@ -553,7 +554,13 @@ func (ts *Test) prepareJWTSessionRSAWithRawSource() string { spec.Proxy.ListenPath = "/" }) - pID := ts.CreatePolicy() + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testApiID: { + APIName: "test-api-name", + }, + } + }) jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Header["kid"] = "12345" 
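Review bot: The policy added in prepareJWTSessionRSAWithRawSource keys AccessRights by `testApiID` but leaves the entry's `APIID` field empty (only `APIName` is set), unlike the multiauth_test.go and api_test.go policies in this commit, which set `APIID` too. The same literal is repeated in the later mw_jwt_test.go hunks. If any code path reads AccessDefinition.APIID rather than the map key, these tests would be authorising against an empty ID and passing for the wrong reason; `testApiID: {APIID: testApiID, APIName: "test-api-name"}` removes the doubt. The constant is spelled `testApiID` here and `testAPIID` in every other hunk, and a small shared helper that builds this policy would replace the many near-identical copies.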
@@ -641,7 +648,16 @@ func TestJWTSessionExpiresAtValidationConfigs(t *testing.T) { ts := StartTest(nil) defer ts.Close() - pID := ts.CreatePolicy() + const testAPIID = "test-api-id" + + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + jwtAuthHeaderGen := func(skew time.Duration) map[string]string { jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Claims.(jwt.MapClaims)["policy_id"] = pID @@ -653,6 +669,7 @@ func TestJWTSessionExpiresAtValidationConfigs(t *testing.T) { } spec := BuildAPI(func(spec *APISpec) { + spec.APIID = testAPIID spec.UseKeylessAccess = false spec.EnableJWT = true spec.JWTSigningMethod = RSASign @@ -716,7 +733,16 @@ func TestJWTSessionIssueAtValidationConfigs(t *testing.T) { ts := StartTest(nil) defer ts.Close() - pID := ts.CreatePolicy() + const testAPIID = "test-api-id" + + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + jwtAuthHeaderGen := func(skew time.Duration) map[string]string { jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Claims.(jwt.MapClaims)["policy_id"] = pID @@ -729,6 +755,7 @@ func TestJWTSessionIssueAtValidationConfigs(t *testing.T) { spec := BuildAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = "rsa" spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) 
@@ -807,7 +834,16 @@ func TestJWTSessionNotBeforeValidationConfigs(t *testing.T) { ts := StartTest(nil) defer ts.Close() - pID := ts.CreatePolicy() + const testAPIID = "test-api-id" + + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + jwtAuthHeaderGen := func(skew time.Duration) map[string]string { jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Claims.(jwt.MapClaims)["policy_id"] = pID @@ -819,6 +855,7 @@ func TestJWTSessionNotBeforeValidationConfigs(t *testing.T) { spec := BuildAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.Proxy.ListenPath = "/" spec.JWTSigningMethod = "rsa" @@ -875,7 +912,18 @@ func TestJWTExistingSessionRSAWithRawSourceInvalidPolicyID(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + + p1ID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + spec := BuildAPI(func(spec *APISpec) { + spec.APIID = testAPIID spec.UseKeylessAccess = false spec.EnableJWT = true spec.JWTSigningMethod = RSASign @@ -887,7 +935,6 @@ func TestJWTExistingSessionRSAWithRawSourceInvalidPolicyID(t *testing.T) { ts.Gw.LoadAPI(spec) - p1ID := ts.CreatePolicy() user_id := uuid.New() jwtToken := CreateJWKToken(func(t *jwt.Token) { @@ -1360,8 +1407,11 @@ func TestJWTExistingSessionRSAWithRawSourcePolicyIDChanged(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + spec := BuildAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) 
@@ -1375,9 +1425,19 @@ func TestJWTExistingSessionRSAWithRawSourcePolicyIDChanged(t *testing.T) { p1ID := ts.CreatePolicy(func(p *user.Policy) { p.QuotaMax = 111 + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } }) p2ID := ts.CreatePolicy(func(p *user.Policy) { p.QuotaMax = 999 + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } }) user_id := uuid.New() @@ -1440,7 +1500,10 @@ func TestJWTExistingSessionRSAWithRawSourcePolicyIDChanged(t *testing.T) { func (ts *Test) prepareJWTSessionRSAWithJWK() string { + const testAPIID = "test-api-id" + ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { + spec.APIID = testAPIID spec.UseKeylessAccess = false spec.EnableJWT = true spec.JWTSigningMethod = RSASign @@ -1450,7 +1513,14 @@ func (ts *Test) prepareJWTSessionRSAWithJWK() string { spec.Proxy.ListenPath = "/" }) - pID := ts.CreatePolicy() + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Header["kid"] = "12345" t.Claims.(jwt.MapClaims)["foo"] = "bar" @@ -1500,8 +1570,10 @@ func BenchmarkJWTSessionRSAWithJWK(b *testing.B) { func (ts *Test) prepareJWTSessionRSAWithEncodedJWK() (*APISpec, string) { + const testAPIID = "test-api-id" spec := BuildAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTIdentityBaseField = "user_id" @@ -1509,7 +1581,14 @@ func (ts *Test) prepareJWTSessionRSAWithEncodedJWK() (*APISpec, string) { spec.Proxy.ListenPath = "/" })[0] - pID := ts.CreatePolicy() + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Header["kid"] = "12345" // Set some claims 
@@ -1731,8 +1810,11 @@ func TestJWTRSAIdInClaimsWithBaseField(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) @@ -1741,8 +1823,13 @@ func TestJWTRSAIdInClaimsWithBaseField(t *testing.T) { spec.Proxy.ListenPath = "/" }) - pID := ts.CreatePolicy() - + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) //First test - user id in the configured base field 'user_id' jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Header["kid"] = "12345" @@ -1828,8 +1915,11 @@ func TestJWTRSAIdInClaimsWithoutBaseField(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) @@ -1838,7 +1928,13 @@ func TestJWTRSAIdInClaimsWithoutBaseField(t *testing.T) { spec.Proxy.ListenPath = "/" }) - pID := ts.CreatePolicy() + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Header["kid"] = "12345" @@ -1886,6 +1982,7 @@ func TestJWTDefaultPolicies(t *testing.T) { } p.Partitions = user.PolicyPartitions{ Quota: true, + Acl: true, } }) 
@@ -2179,8 +2276,11 @@ func TestJWTExpOverride(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) @@ -2192,6 +2292,11 @@ func TestJWTExpOverride(t *testing.T) { //create policy which sets keys to have expiry in one second pID := ts.CreatePolicy(func(p *user.Policy) { p.KeyExpiresIn = 1 + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } }) jwtToken := CreateJWKToken(func(t *jwt.Token) { @@ -2212,6 +2317,11 @@ func TestJWTExpOverride(t *testing.T) { t.Run("JWT expiration smaller then policy", func(t *testing.T) { pID := ts.CreatePolicy(func(p *user.Policy) { p.KeyExpiresIn = 5 + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } }) jwtToken := CreateJWKToken(func(t *jwt.Token) { @@ -2231,6 +2341,11 @@ func TestJWTExpOverride(t *testing.T) { t.Run("JWT expired but renewed, policy without expiration", func(t *testing.T) { pID := ts.CreatePolicy(func(p *user.Policy) { p.KeyExpiresIn = 0 + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } }) userID := uuid.New() @@ -2439,8 +2554,11 @@ func TestJWT_ExtractOAuthClientIDForDCR(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + api := ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) 
@@ -2449,7 +2567,14 @@ func TestJWT_ExtractOAuthClientIDForDCR(t *testing.T) { spec.Proxy.ListenPath = "/" })[0] - pID := ts.CreatePolicy() + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + userID := uuid.New() const myOKTAClientID = "myOKTAClientID" diff --git a/gateway/server.go b/gateway/server.go index aa20ee19eea..0e51b4c3716 100644 --- a/gateway/server.go +++ b/gateway/server.go @@ -567,9 +567,7 @@ func (gw *Gateway) syncPolicies() (count int, err error) { gw.policiesMu.Lock() defer gw.policiesMu.Unlock() - if len(pols) > 0 { - gw.policiesByID = pols - } + gw.policiesByID = pols return len(pols), err } diff --git a/gateway/testutil.go b/gateway/testutil.go index 6e8724cc323..267f28d1cd2 100644 --- a/gateway/testutil.go +++ b/gateway/testutil.go @@ -890,6 +890,12 @@ func (s *Test) CreatePolicy(pGen ...func(p *user.Policy)) string { return pol.ID } +func (s *Test) DeletePolicy(policyID string) { + s.Gw.policiesMu.Lock() + delete(s.Gw.policiesByID, policyID) + s.Gw.policiesMu.Unlock() +} + func CreateJWKToken(jGen ...func(*jwt.Token)) string { // Create the token token := jwt.New(jwt.GetSigningMethod("RS512")) diff --git a/internal/policy/apply.go b/internal/policy/apply.go index 380a34922e0..6d454236eec 100644 --- a/internal/policy/apply.go +++ b/internal/policy/apply.go @@ -234,6 +234,10 @@ func (t *Service) Apply(session *user.SessionState) error { session.AccessRights = rights } + if len(rights) == 0 && policyIDs != nil { + return errors.New("key has no valid policies to be applied") + } + return nil } diff --git a/internal/policy/apply_test.go b/internal/policy/apply_test.go index e22da5c5b05..5388850283f 100644 --- a/internal/policy/apply_test.go +++ b/internal/policy/apply_test.go 
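Review bot: The now-unconditional `gw.policiesByID = pols` also runs when the load failed, since the function still returns `err` on the next line and so `err` can presumably be non-nil at this point. A transient failure of the policy source would then swap the live map for an empty or nil one, and with the new check in internal/policy/apply.go every key that carries policies would be rejected until the next successful sync. Guarding on the error keeps the intended behaviour (a successful but empty load clears the map) without that outage mode: `if err == nil { gw.policiesByID = pols }`. If `pols` can be nil here, a later write into the map would panic, so normalising it to an empty map is worth considering. The start of syncPolicies is outside the hunk, so whether the error is already handled earlier needs confirming.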
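Review bot: DeletePolicy is an exported helper with no doc comment, and its scope is easy to misread: the visible body only removes the entry from the gateway's in-memory `policiesByID` map under `policiesMu`. I would add `// DeletePolicy removes policyID from the gateway's in-memory policy map; it does not delete the policy from any backing source.` above it. Using `defer s.Gw.policiesMu.Unlock()` right after the Lock would also match the locking style shown in syncPolicies.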
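Review bot: The new rejection tests `policyIDs != nil` rather than its length, so a key whose policy list is an empty but non-nil slice would be rejected whenever `rights` is empty, although it has no policies to resolve; `len(policyIDs) > 0` states the intent. The check also sits after `session.AccessRights = rights` in the context lines above, so the session may already have been modified when the error is returned, and a caller that ignores the error carries on with whatever rights were left; moving the check ahead of that assignment makes the refusal independent of caller discipline. A package-level sentinel such as `var ErrNoValidPolicies = errors.New("key has no valid policies to be applied")` would let callers match it with `errors.Is`. Apply's body starts outside the hunk, so how `rights` and `policyIDs` are built should be checked against these points.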
@@ -124,8 +124,11 @@ func TestApplyRateLimits_FromCustomPolicies(t *testing.T) { session := &user.SessionState{} session.SetCustomPolicies([]user.Policy{ { - ID: "pol1", - Partitions: user.PolicyPartitions{RateLimit: true}, + ID: "pol1", + Partitions: user.PolicyPartitions{ + RateLimit: true, + Acl: true, + }, Rate: 8, Per: 1, AccessRights: map[string]user.AccessDefinition{"a": {}},
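Review bot: This fixture needed `Acl: true` added to keep passing, which suggests that a partitioned policy set where no policy owns the ACL partition now makes Apply return the new "no valid policies" error, yet nothing in this hunk pins that behaviour. That is a visible change for existing configurations that partition only rate limit or quota, so it deserves an explicit negative case: the same `pol1` with `Partitions: user.PolicyPartitions{RateLimit: true}` and an assertion that Apply returns an error. Without it, a later refactor could quietly return to accepting such keys with empty rights. TestApplyRateLimits_FromCustomPolicies starts and ends outside the hunk, so this is inferred from the fixture change alone.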