19215: Fixes IAM policy example for Keepstore S3 access.
[arvados.git] / services / ws / permission_test.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package ws
6
7 import (
8         "context"
9
10         "git.arvados.org/arvados.git/sdk/go/arvados"
11         "git.arvados.org/arvados.git/sdk/go/arvadostest"
12         check "gopkg.in/check.v1"
13 )
14
// permSuite holds the permission-checker tests; it carries no state.
type permSuite struct{}

// Register permSuite with the gocheck runner.
var _ = check.Suite(new(permSuite))
18
// TestCheck exercises the caching permission checker against the test
// fixtures with four credentials (empty, anonymous, active, admin) and
// then with an unreachable API host.
//
// Expected access matrix, as asserted below:
//
//	token      UserAgreement (UUID, PDH)   FooBarDir   Foo
//	""         no                          no          (not checked)
//	anonymous  yes                         no          no
//	active     yes                         yes         yes
//	admin      yes                         yes         yes
//
// The final section checks the failure mode: when the API cannot be
// reached, Check must report ok == false together with a non-nil error,
// so an outage is neither treated as a grant nor reported as a clean
// denial.
func (s *permSuite) TestCheck(c *check.C) {
	pc := newPermChecker(*(arvados.NewClientFromEnv())).(*cachingPermChecker)

	// useToken switches the credential the checker uses for later lookups.
	// The token value is written to the test log; the values passed here
	// come from arvadostest (presumably fixture tokens, not real secrets).
	useToken := func(label, token string) {
		c.Logf("...%s token %q", label, token)
		pc.SetToken(token)
	}

	// probe runs one permission check and verifies both the verdict and
	// the error state, so a denial can never be confused with a failure.
	probe := func(uuid string, wantOK bool, errState check.Checker) {
		c.Log(uuid)
		ok, err := pc.Check(context.Background(), uuid)
		c.Check(ok, check.Equals, wantOK)
		c.Check(err, errState)
	}
	// allowed: permission granted, no error.
	allowed := func(uuids ...string) {
		for _, uuid := range uuids {
			probe(uuid, true, check.IsNil)
		}
	}
	// denied: permission refused cleanly, no error.
	denied := func(uuids ...string) {
		for _, uuid := range uuids {
			probe(uuid, false, check.IsNil)
		}
	}
	// failed: the lookup itself failed; the verdict must still be false.
	failed := func(uuids ...string) {
		for _, uuid := range uuids {
			probe(uuid, false, check.NotNil)
		}
	}

	// No credential at all: nothing is readable.
	useToken("no", "")
	denied(
		arvadostest.UserAgreementCollection,
		arvadostest.UserAgreementPDH,
		arvadostest.FooBarDirCollection,
	)

	// Anonymous credential: only the user agreement is readable.
	useToken("anonymous", arvadostest.AnonymousToken)
	allowed(
		arvadostest.UserAgreementCollection,
		arvadostest.UserAgreementPDH,
	)
	denied(
		arvadostest.FooBarDirCollection,
		arvadostest.FooCollection,
	)

	// Active user: all four objects are readable.
	useToken("active", arvadostest.ActiveToken)
	allowed(
		arvadostest.UserAgreementCollection,
		arvadostest.UserAgreementPDH,
		arvadostest.FooBarDirCollection,
		arvadostest.FooCollection,
	)

	// Admin: all four objects are readable.
	useToken("admin", arvadostest.AdminToken)
	allowed(
		arvadostest.UserAgreementCollection,
		arvadostest.UserAgreementPDH,
		arvadostest.FooBarDirCollection,
		arvadostest.FooCollection,
	)

	// Hack to empty the cache: switch to the empty token and back to the
	// active one. Without this the network-error checks below could be
	// answered from results cached during the "active" section above
	// (presumably SetToken discards cached entries; confirm against the
	// cachingPermChecker implementation).
	pc.SetToken("")
	pc.SetToken(arvadostest.ActiveToken)

	// Point the client at an address where no API is expected to answer,
	// then require every check to fail closed.
	c.Log("...network error")
	pc.Client.APIHost = "127.0.0.1:9"
	failed(
		arvadostest.UserAgreementCollection,
		arvadostest.FooBarDirCollection,
	)

	// Counters are logged for diagnosis only; nothing is asserted on them.
	c.Logf("%d checks, %d misses, %d invalid, %d cached", pc.nChecks, pc.nMisses, pc.nInvalid, len(pc.cache))
}