fix(rbac): add more unit tests

AndrienkoAleksandr · AndrienkoAleksandr · commit 393ec7057d55 · 2024-07-02T10:06:27.000+03:00
Signed-off-by: Oleksandr Andriienko &lt;oandriie@redhat.com&gt;
diff --git a/plugins/rbac-backend/src/conditional-aliases/alias-resolver.test.ts b/plugins/rbac-backend/src/conditional-aliases/alias-resolver.test.ts
@@ -0,0 +1,262 @@
+import {
+  PermissionCondition,
+  PermissionCriteria,
+  PermissionRuleParams,
+} from '@backstage/plugin-permission-common';
+
+import { replaceAliases } from './alias-resolver';
+
+describe('replaceAliases', () => {
+  it('should replace aliases without criteria', () => {
+    const conditionParam: PermissionCriteria<
+      PermissionCondition<string, PermissionRuleParams>
+    > = {
+      rule: 'IS_ENTITY_OWNER',
+      resourceType: 'catalog-entity',
+      params: {
+        claims: ['$currentUser'],
+      },
+    };
+
+    replaceAliases(conditionParam, [
+      'user:default/tim',
+      'group:default/team-a',
+    ]);
+
+    expect(conditionParam).toEqual({
+      rule: 'IS_ENTITY_OWNER',
+      resourceType: 'catalog-entity',
+      params: {
+        claims: ['user:default/tim', 'group:default/team-a'],
+      },
+    });
+  });
+
+  it('should replace aliases with criteria not', () => {
+    const conditionParam: PermissionCriteria<
+      PermissionCondition<string, PermissionRuleParams>
+    > = {
+      not: {
+        rule: 'IS_ENTITY_OWNER',
+        resourceType: 'catalog-entity',
+        params: {
+          claims: ['$currentUser'],
+        },
+      },
+    };
+
+    replaceAliases(conditionParam, [
+      'user:default/tim',
+      'group:default/team-a',
+    ]);
+
+    expect(conditionParam).toEqual({
+      not: {
+        rule: 'IS_ENTITY_OWNER',
+        resourceType: 'catalog-entity',
+        params: {
+          claims: ['user:default/tim', 'group:default/team-a'],
+        },
+      },
+    });
+  });
+
+  it('should replace aliases with criteria anyOf', () => {
+    const conditionParam: PermissionCriteria<
+      PermissionCondition<string, PermissionRuleParams>
+    > = {
+      anyOf: [
+        {
+          rule: 'IS_ENTITY_OWNER',
+          resourceType: 'catalog-entity',
+          params: {
+            claims: ['$currentUser'],
+          },
+        },
+      ],
+    };
+
+    replaceAliases(conditionParam, [
+      'user:default/tim',
+      'group:default/team-a',
+    ]);
+
+    expect(conditionParam).toEqual({
+      anyOf: [
+        {
+          rule: 'IS_ENTITY_OWNER',
+          resourceType: 'catalog-entity',
+          params: {
+            claims: ['user:default/tim', 'group:default/team-a'],
+          },
+        },
+      ],
+    });
+  });
+
+  it('should replace aliases with criteria anyOf and few values', () => {
+    const conditionParam: PermissionCriteria<
+      PermissionCondition<string, PermissionRuleParams>
+    > = {
+      anyOf: [
+        {
+          rule: 'IS_ENTITY_OWNER',
+          resourceType: 'catalog-entity',
+          params: {
+            claims: ['$currentUser'],
+          },
+        },
+        {
+          rule: 'IS_ENTITY_KIND',
+          resourceType: 'catalog-entity',
+          params: { kinds: ['Group', 'User'] },
+        },
+      ],
+    };
+
+    replaceAliases(conditionParam, [
+      'user:default/tim',
+      'group:default/team-a',
+    ]);
+
+    expect(conditionParam).toEqual({
+      anyOf: [
+        {
+          rule: 'IS_ENTITY_OWNER',
+          resourceType: 'catalog-entity',
+          params: {
+            claims: ['user:default/tim', 'group:default/team-a'],
+          },
+        },
+        {
+          rule: 'IS_ENTITY_KIND',
+          resourceType: 'catalog-entity',
+          params: { kinds: ['Group', 'User'] },
+        },
+      ],
+    });
+  });
+
+  it('should replace aliases with criteria allOf', () => {
+    const conditionParam: PermissionCriteria<
+      PermissionCondition<string, PermissionRuleParams>
+    > = {
+      allOf: [
+        {
+          rule: 'IS_ENTITY_OWNER',
+          resourceType: 'catalog-entity',
+          params: {
+            claims: ['$currentUser'],
+          },
+        },
+      ],
+    };
+
+    replaceAliases(conditionParam, [
+      'user:default/tim',
+      'group:default/team-a',
+    ]);
+
+    expect(conditionParam).toEqual({
+      allOf: [
+        {
+          rule: 'IS_ENTITY_OWNER',
+          resourceType: 'catalog-entity',
+          params: {
+            claims: ['user:default/tim', 'group:default/team-a'],
+          },
+        },
+      ],
+    });
+  });
+
+  it('should replace aliases with criteria allOf and few values', () => {
+    const conditionParam: PermissionCriteria<
+      PermissionCondition<string, PermissionRuleParams>
+    > = {
+      allOf: [
+        {
+          rule: 'IS_ENTITY_OWNER',
+          resourceType: 'catalog-entity',
+          params: {
+            claims: ['$currentUser'],
+          },
+        },
+        {
+          rule: 'IS_ENTITY_KIND',
+          resourceType: 'catalog-entity',
+          params: { kinds: ['Group', 'User'] },
+        },
+      ],
+    };
+
+    replaceAliases(conditionParam, [
+      'user:default/tim',
+      'group:default/team-a',
+    ]);
+
+    expect(conditionParam).toEqual({
+      allOf: [
+        {
+          rule: 'IS_ENTITY_OWNER',
+          resourceType: 'catalog-entity',
+          params: {
+            claims: ['user:default/tim', 'group:default/team-a'],
+          },
+        },
+        {
+          rule: 'IS_ENTITY_KIND',
+          resourceType: 'catalog-entity',
+          params: { kinds: ['Group', 'User'] },
+        },
+      ],
+    });
+  });
+
+  it('should replace aliases with nested criteria', () => {
+    const conditionParam: PermissionCriteria<
+      PermissionCondition<string, PermissionRuleParams>
+    > = {
+      allOf: [
+        {
+          not: {
+            rule: 'IS_ENTITY_OWNER',
+            resourceType: 'catalog-entity',
+            params: {
+              claims: ['$currentUser'],
+            },
+          },
+        },
+        {
+          rule: 'IS_ENTITY_KIND',
+          resourceType: 'catalog-entity',
+          params: { kinds: ['Group', 'User'] },
+        },
+      ],
+    };
+
+    replaceAliases(conditionParam, [
+      'user:default/tim',
+      'group:default/team-a',
+    ]);
+
+    expect(conditionParam).toEqual({
+      allOf: [
+        {
+          not: {
+            rule: 'IS_ENTITY_OWNER',
+            resourceType: 'catalog-entity',
+            params: {
+              claims: ['user:default/tim', 'group:default/team-a'],
+            },
+          },
+        },
+        {
+          rule: 'IS_ENTITY_KIND',
+          resourceType: 'catalog-entity',
+          params: { kinds: ['Group', 'User'] },
+        },
+      ],
+    });
+  });
+});
diff --git a/plugins/rbac-backend/src/conditional-aliases/alias-resolver.ts b/plugins/rbac-backend/src/conditional-aliases/alias-resolver.ts
@@ -44,9 +44,6 @@ function replaceAliasWithValue<K extends string>(
     return { ...params, [key]: nonAliasValues };
   }
 
-  //   if (predicate(params[key])) {
-  //     return { ...params, [key]: newValue };
-  //   }
   return params;
 }
 
diff --git a/plugins/rbac-backend/src/service/permission-policy.test.ts b/plugins/rbac-backend/src/service/permission-policy.test.ts
@@ -2235,7 +2235,7 @@ describe('Policy checks for conditional policies', () => {
     });
   });
 
-  it('should execute condition policy with current user alias, when params contains array', async () => {
+  it('should execute condition policy with current user alias', async () => {
     const entityMock: Entity = {
       apiVersion: 'v1',
       kind: 'Group',

Original file line number	Diff line number	Diff line change
`@@ -44,9 +44,6 @@ function replaceAliasWithValue<K extends string>(`
`44`	`44`	`return { ...params, [key]: nonAliasValues };`
`45`	`45`	`}`
`46`	`46`
`47`		`- // if (predicate(params[key])) {`
`48`		`- // return { ...params, [key]: newValue };`
`49`		`- // }`
`50`	`47`	`return params;`
`51`	`48`	`}`
`52`	`49`