Skip to content

Commit

Permalink
add access check test
Browse files Browse the repository at this point in the history
  • Loading branch information
@probakowski
probakowski committed Nov 15, 2024
1 parent 1534519 commit fcb75ba
Showing 1 changed file with 50 additions and 6 deletions.
56 changes: 50 additions & 6 deletions lib/auth/dynamicwindows/dynamicwindowsv1/service_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,43 @@ import (
"github.com/gravitational/teleport/lib/utils"
)

func TestFailedAccessCheck(t *testing.T) {
t.Parallel()
checker := fakeChecker{
allowedVerbs: []string{types.VerbRead, types.VerbList, types.VerbCreate, types.VerbUpdate},
}
s := newService(t, authz.AdminActionAuthMFAVerified, &checker)
desktop, err := types.NewDynamicWindowsDesktopV1("test2", nil, types.DynamicWindowsDesktopSpecV1{Addr: "addr"})
require.NoError(t, err)
req := dynamicwindowsv1.CreateDynamicWindowsDesktopRequest{
Desktop: desktop,
}
_, err = s.CreateDynamicWindowsDesktop(context.Background(), &req)
require.NoError(t, err)
checker.failAccess = true
testCases := []string{
"CreateDynamicWindowsDesktop",
"UpdateDynamicWindowsDesktop",
"UpsertDynamicWindowsDesktop",
"DeleteDynamicWindowsDesktop",
"GetDynamicWindowsDesktop",
}
for _, tt := range testCases {
t.Run(fmt.Sprintf("%s failed access check", tt), func(t *testing.T) {
err := callMethod(s, tt)
require.True(t, trace.IsAccessDenied(err))
})
}
t.Run("ListDynamicWindowsDesktops failed access check", func(t *testing.T) {
req := dynamicwindowsv1.ListDynamicWindowsDesktopsRequest{
PageSize: 10,
}
resp, err := s.ListDynamicWindowsDesktops(context.Background(), &req)
require.NoError(t, err)
require.Empty(t, resp.Desktops)
})
}

func TestServiceAccess(t *testing.T) {
t.Parallel()

Expand Down Expand Up @@ -87,7 +124,7 @@ func TestServiceAccess(t *testing.T) {
for _, state := range tt.allowedStates {
for _, verbs := range utils.Combinations(tt.allowedVerbs) {
t.Run(fmt.Sprintf("%v,allowed:%v,verbs:%v", tt.name, stateToString(state), verbs), func(t *testing.T) {
service := newService(t, state, fakeChecker{allowedVerbs: verbs})
service := newService(t, state, &fakeChecker{allowedVerbs: verbs})
err := callMethod(service, tt.name)
// expect access denied except with full set of verbs.
if len(verbs) == len(tt.allowedVerbs) {
Expand All @@ -105,7 +142,7 @@ func TestServiceAccess(t *testing.T) {
t.Run(fmt.Sprintf("%v,disallowed:%v", tt.name, stateToString(state)), func(t *testing.T) {
// it is enough to test against tt.allowedVerbs,
// this is the only different data point compared to the test cases above.
service := newService(t, state, fakeChecker{allowedVerbs: tt.allowedVerbs})
service := newService(t, state, &fakeChecker{allowedVerbs: tt.allowedVerbs})
err := callMethod(service, tt.name)
require.True(t, trace.IsAccessDenied(err))
})
Expand Down Expand Up @@ -157,16 +194,19 @@ func callMethod(service *Service, method string) error {
if desc.MethodName == method {
_, err := desc.Handler(service, context.Background(), func(arg any) error {
switch arg := arg.(type) {
case *dynamicwindowsv1.GetDynamicWindowsDesktopRequest:
arg.Name = "test2"

case *dynamicwindowsv1.CreateDynamicWindowsDesktopRequest:
arg.Desktop, _ = types.NewDynamicWindowsDesktopV1("test", nil, types.DynamicWindowsDesktopSpecV1{
Addr: "test",
})
case *dynamicwindowsv1.UpdateDynamicWindowsDesktopRequest:
arg.Desktop, _ = types.NewDynamicWindowsDesktopV1("test", nil, types.DynamicWindowsDesktopSpecV1{
arg.Desktop, _ = types.NewDynamicWindowsDesktopV1("test2", nil, types.DynamicWindowsDesktopSpecV1{
Addr: "test",
})
case *dynamicwindowsv1.UpsertDynamicWindowsDesktopRequest:
arg.Desktop, _ = types.NewDynamicWindowsDesktopV1("test", nil, types.DynamicWindowsDesktopSpecV1{
arg.Desktop, _ = types.NewDynamicWindowsDesktopV1("test2", nil, types.DynamicWindowsDesktopSpecV1{
Addr: "test",
})
}
Expand All @@ -180,10 +220,11 @@ func callMethod(service *Service, method string) error {

type fakeChecker struct {
allowedVerbs []string
failAccess bool
services.AccessChecker
}

func (f fakeChecker) CheckAccessToRule(_ services.RuleContext, _ string, resource string, verb string) error {
func (f *fakeChecker) CheckAccessToRule(_ services.RuleContext, _ string, resource string, verb string) error {
if resource == types.KindDynamicWindowsDesktop {
if slices.Contains(f.allowedVerbs, verb) {
return nil
Expand All @@ -193,7 +234,10 @@ func (f fakeChecker) CheckAccessToRule(_ services.RuleContext, _ string, resourc
return trace.AccessDenied("access denied to rule=%v/verb=%v", resource, verb)
}

func (f fakeChecker) CheckAccess(r services.AccessCheckable, state services.AccessState, matchers ...services.RoleMatcher) error {
func (f *fakeChecker) CheckAccess(r services.AccessCheckable, state services.AccessState, matchers ...services.RoleMatcher) error {
if f.failAccess {
return trace.AccessDenied("denied")
}
return nil
}

Expand Down

0 comments on commit fcb75ba

Please sign in to comment.