test(authz): add an extra test for authz (#859)

Should help with test flakiness (the order in which the policies are read from the map impacted tested codepath) Signed-off-by: Andrei Aaron <andaaron@cisco.com> Signed-off-by: Andrei Aaron <andaaron@cisco.com>
2025-01-13 22:50:38 -05:00 · 2022-10-07 15:31:18 +03:00 · 2022-10-07 15:31:18 +03:00 · 1afc5c8c3f
commit 1afc5c8c3f
parent 261615c880
1 changed files with 40 additions and 13 deletions
--- a/pkg/cli/root_test.go
+++ b/pkg/cli/root_test.go
@ -266,17 +266,21 @@ func TestVerify(t *testing.T) {
 		So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldNotPanic)
 	})
-	Convey("Test verify default authorization fail", t, func(c C) {
+	Convey("Test verify admin policy authz is not allowed if no authn is configured", t, func(c C) {
 		tmpfile, err := os.CreateTemp("", "zot-test*.json")
 		So(err, ShouldBeNil)
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
 		 					"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
-							 "accessControl":{"**":{"defaultPolicy": ["read", "create"]},
+								"accessControl":{
 									"**":{"defaultPolicy": ["read", "create"]},
 									"/repo":{"anonymousPolicy": ["read", "create"]},
-							 "adminPolicy":{"users":["admin"],
+									"adminPolicy":{
-							 "actions":["read","create","update","delete"]}
+										"users":["admin"],
-							 }}}`)
+										"actions":["read","create","update","delete"]
 									}
 								}
 							}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
 		err = tmpfile.Close()
@ -285,18 +289,41 @@ func TestVerify(t *testing.T) {
 		So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldPanic)
 	})
-	Convey("Test verify default authorization fail", t, func(c C) {
+	Convey("Test verify default policy authz is not allowed if no authn is configured", t, func(c C) {
 		tmpfile, err := os.CreateTemp("", "zot-test*.json")
 		So(err, ShouldBeNil)
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
 							"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
-							"accessControl":{"**":{"defaultPolicy": ["read", "create"]},
+								"accessControl":{
 									"**":{"defaultPolicy": ["read", "create"]},
 									"/repo":{"anonymousPolicy": ["read", "create"]}
 								}
 							}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
 		err = tmpfile.Close()
 		So(err, ShouldBeNil)
 		os.Args = []string{"cli_test", "verify", tmpfile.Name()}
 		So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldPanic)
 	})
 	Convey("Test verify authz per user policies fail if no authn is configured", t, func(c C) {
 		tmpfile, err := os.CreateTemp("", "zot-test*.json")
 		So(err, ShouldBeNil)
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
 							"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
 								"accessControl":{
 									"/repo":{"anonymousPolicy": ["read", "create"]},
-							"/repo2":{"policies": [{
+									"/repo2":{
 										"policies": [{
 											"users": ["charlie"],
-								 "actions": ["read", "create", "update"]}]}
+											"actions": ["read", "create", "update"]
-							}}}`)
+										}]
 									}
 								}
 							}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
 		err = tmpfile.Close()