test(authz): add an extra test for authz (#859)

Should help with test flakiness (the order in which the policies are read from the map impacted tested codepath) Signed-off-by: Andrei Aaron <andaaron@cisco.com> Signed-off-by: Andrei Aaron <andaaron@cisco.com>
2024-12-16 21:56:37 -05:00 · 2022-10-07 15:31:18 +03:00 · 2022-10-07 15:31:18 +03:00 · 1afc5c8c3f
commit 1afc5c8c3f
parent 261615c880
1 changed files with 40 additions and 13 deletions
--- a/pkg/cli/root_test.go
+++ b/pkg/cli/root_test.go
@ -266,17 +266,21 @@ func TestVerify(t *testing.T) {
 		So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldNotPanic)
 	})

-	Convey("Test verify default authorization fail", t, func(c C) {
+	Convey("Test verify admin policy authz is not allowed if no authn is configured", t, func(c C) {
 		tmpfile, err := os.CreateTemp("", "zot-test*.json")
 		So(err, ShouldBeNil)
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
 		 					"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
-							 "accessControl":{"**":{"defaultPolicy": ["read", "create"]},
-							 "/repo":{"anonymousPolicy": ["read", "create"]},
-							 "adminPolicy":{"users":["admin"],
-							 "actions":["read","create","update","delete"]}
-							 }}}`)
+								"accessControl":{
+									"**":{"defaultPolicy": ["read", "create"]},
+									"/repo":{"anonymousPolicy": ["read", "create"]},
+									"adminPolicy":{
+										"users":["admin"],
+										"actions":["read","create","update","delete"]
+									}
+								}
+							}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
 		err = tmpfile.Close()
@ -285,18 +289,41 @@ func TestVerify(t *testing.T) {
 		So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldPanic)
 	})

-	Convey("Test verify default authorization fail", t, func(c C) {
+	Convey("Test verify default policy authz is not allowed if no authn is configured", t, func(c C) {
 		tmpfile, err := os.CreateTemp("", "zot-test*.json")
 		So(err, ShouldBeNil)
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
 							"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
-							"accessControl":{"**":{"defaultPolicy": ["read", "create"]},
-							"/repo":{"anonymousPolicy": ["read", "create"]},
-							"/repo2":{"policies": [{
-								 "users": ["charlie"],
-								 "actions": ["read", "create", "update"]}]}
-							}}}`)
+								"accessControl":{
+									"**":{"defaultPolicy": ["read", "create"]},
+									"/repo":{"anonymousPolicy": ["read", "create"]}
+								}
+							}}`)
+		_, err = tmpfile.Write(content)
+		So(err, ShouldBeNil)
+		err = tmpfile.Close()
+		So(err, ShouldBeNil)
+		os.Args = []string{"cli_test", "verify", tmpfile.Name()}
+		So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldPanic)
+	})
+
+	Convey("Test verify authz per user policies fail if no authn is configured", t, func(c C) {
+		tmpfile, err := os.CreateTemp("", "zot-test*.json")
+		So(err, ShouldBeNil)
+		defer os.Remove(tmpfile.Name()) // clean up
+		content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
+							"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
+								"accessControl":{
+									"/repo":{"anonymousPolicy": ["read", "create"]},
+									"/repo2":{
+										"policies": [{
+											"users": ["charlie"],
+											"actions": ["read", "create", "update"]
+										}]
+									}
+								}
+							}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
 		err = tmpfile.Close()