fix: policy validation uses wrong case for effect values (#452)

Former-commit-id: 2d80d65b95dec1871f921001008c179cc7f6327e
treeverse · Aug 6, 2020 · 0e0cc9f · 0e0cc9f
1 parent cde088c
commit 0e0cc9f
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 2 deletions.
diff --git a/api/api_controller_test.go b/api/api_controller_test.go
@@ -9,6 +9,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/treeverse/lakefs/api/gen/client/auth"
+
 	"github.com/go-openapi/runtime"
 	httptransport "github.com/go-openapi/runtime/client"
 	"github.com/go-openapi/swag"
@@ -1164,6 +1166,103 @@ func TestHandler_ObjectsDeleteObjectHandler(t *testing.T) {
 	})
 }
 
+func TestController_CreatePolicyHandler(t *testing.T) {
+	handler, deps := getHandler(t)
+
+	// create user
+	creds := createDefaultAdminUser(deps.auth, t)
+	bauth := httptransport.BasicAuth(creds.AccessKeyID, creds.AccessSecretKey)
+
+	// setup client
+	clt := client.Default
+	clt.SetTransport(&handlerTransport{Handler: handler})
+
+	t.Run("valid_policy", func(t *testing.T) {
+		ctx := context.Background()
+		_, err := clt.Auth.CreatePolicy(&auth.CreatePolicyParams{
+			Policy: &models.Policy{
+				CreationDate: time.Now().Unix(),
+				ID:           swag.String("ValidPolicyID"),
+				Statement: []*models.Statement{
+					{
+						Action:   []string{"fs:ReadObject"},
+						Effect:   swag.String("allow"),
+						Resource: swag.String("arn:lakefs:fs:::repository/foo/object/*"),
+					},
+				},
+			},
+			Context: ctx,
+		}, bauth)
+		if err != nil {
+			t.Fatalf("unexpected error creating valid policy: %v", err)
+		}
+	})
+
+	t.Run("invalid_policy_action", func(t *testing.T) {
+		ctx := context.Background()
+		_, err := clt.Auth.CreatePolicy(&auth.CreatePolicyParams{
+			Policy: &models.Policy{
+				CreationDate: time.Now().Unix(),
+				ID:           swag.String("ValidPolicyID"),
+				Statement: []*models.Statement{
+					{
+						Action:   []string{"fsx:ReadObject"},
+						Effect:   swag.String("allow"),
+						Resource: swag.String("arn:lakefs:fs:::repository/foo/object/*"),
+					},
+				},
+			},
+			Context: ctx,
+		}, bauth)
+		if err == nil {
+			t.Fatalf("expected error creating invalid policy: action")
+		}
+	})
+
+	t.Run("invalid_policy_effect", func(t *testing.T) {
+		ctx := context.Background()
+		_, err := clt.Auth.CreatePolicy(&auth.CreatePolicyParams{
+			Policy: &models.Policy{
+				CreationDate: time.Now().Unix(),
+				ID:           swag.String("ValidPolicyID"),
+				Statement: []*models.Statement{
+					{
+						Action:   []string{"fs:ReadObject"},
+						Effect:   swag.String("Allow"),
+						Resource: swag.String("arn:lakefs:fs:::repository/foo/object/*"),
+					},
+				},
+			},
+			Context: ctx,
+		}, bauth)
+		if err == nil {
+			t.Fatalf("expected error creating invalid policy: effect")
+		}
+	})
+
+	t.Run("invalid_policy_arn", func(t *testing.T) {
+		ctx := context.Background()
+		_, err := clt.Auth.CreatePolicy(&auth.CreatePolicyParams{
+			Policy: &models.Policy{
+				CreationDate: time.Now().Unix(),
+				ID:           swag.String("ValidPolicyID"),
+				Statement: []*models.Statement{
+					{
+						Action:   []string{"fs:ReadObject"},
+						Effect:   swag.String("Allow"),
+						Resource: swag.String("arn:lakefs:fs:repository/foo/object/*"),
+					},
+				},
+			},
+			Context: ctx,
+		}, bauth)
+		if err == nil {
+			t.Fatalf("expected error creating invalid policy: arn")
+		}
+	})
+
+}
+
 func TestHandler_RetentionPolicyHandlers(t *testing.T) {
 	handler, deps := getHandler(t)
 

diff --git a/auth/model/model.go b/auth/model/model.go
@@ -5,11 +5,13 @@ import (
 	"encoding/json"
 	"errors"
 	"time"
+
+	"github.com/treeverse/lakefs/api/gen/models"
 )
 
 const (
-	StatementEffectAllow = "Allow"
-	StatementEffectDeny  = "Deny"
+	StatementEffectAllow = models.StatementEffectAllow
+	StatementEffectDeny  = models.StatementEffectDeny
 )
 
 type PaginationParams struct {