ARSN-375: update tests

ARSN-375: add impDeny logic to ChainBackend
2023-11-27 19:12:20 +01:00 · 2023-11-27 19:11:42 +01:00
2 changed files with 66 additions and 38 deletions
--- a/lib/auth/backends/ChainBackend.ts
+++ b/lib/auth/backends/ChainBackend.ts
@ -151,7 +151,15 @@ export default class ChainBackend extends BaseBackend {
        });

        return Object.keys(policyMap).map(key => {
-            const policyRes: any = { isAllowed: policyMap[key].isAllowed };
+            const policyRes: any = {
+                isAllowed: policyMap[key].isAllowed,
+            };
+            if (policyMap[key].action) {
+                policyRes.action = policyMap[key].action;
+            }
+            if (typeof policyMap[key].isImplicit === 'boolean') {
+                policyRes.isImplicit = policyMap[key].isImplicit;
+            }
            if (policyMap[key].arn !== '') {
                policyRes.arn = policyMap[key].arn;
            }
--- a/tests/unit/auth/chainBackend.spec.js
+++ b/tests/unit/auth/chainBackend.spec.js
@ -192,11 +192,11 @@ describe('Auth Backend: Chain Backend', () => {
        it('should return an error if any of the clients fails', done => {
            const backend = new ChainBackend('chain', [
                new TestBackend('test1', null, {
-                    message: { body: [{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/obj1' }] },
+                    message: { body: [{ action: "PutObject", isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj1' }] },
                }),
                new TestBackend('test2', testError, null),
                new TestBackend('test3', null, {
-                    message: { body: [{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/obj1' }] },
+                    message: { body: [{ action: "PutObject", isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj1' }] },
                }),
            ]);

@ -209,23 +209,25 @@ describe('Auth Backend: Chain Backend', () => {
        it('should merge results from clients into a single response object', done => {
            const backend = new ChainBackend('chain', [
                new TestBackend('test1', null, {
-                    message: { body: [{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/obj1' }] },
+                    message: { body: [{ action: "PutObject", isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj1' }] },
                }),
                new TestBackend('test2', null, {
-                    message: { body: [{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/obj2' }] },
+                    message: { body: [{ action: "PutObject", isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj2' }] },
                }),
                new TestBackend('test3', null, {
-                    message: { body: [{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/obj1' }] },
+                    message: { body: [{ action: "PutObject", isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj1' }] },
                }),
            ]);

            backend.checkPolicies(null, null, null, (err, res) => {
                assert.ifError(err);
                assert.deepStrictEqual(res, {
-                    message: { body: [
-                        { isAllowed: true, arn: 'arn:aws:s3:::policybucket/obj1' },
-                        { isAllowed: true, arn: 'arn:aws:s3:::policybucket/obj2' },
-                    ] },
+                    message: {
+                        body: [
+                            { action: "PutObject", isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj1' },
+                            { action: "PutObject", isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj2' },
+                        ]
+                    },
                });
                done();
            });
@ -264,45 +266,63 @@ describe('Auth Backend: Chain Backend', () => {
    describe('::_mergePolicies', () => {
        it('should correctly merge policies', () => {
            const policyResps = [
-                { message: { body: [
-                    { isAllowed: false, arn: 'arn:aws:s3:::policybucket/true1' },
-                    { isAllowed: true, arn: 'arn:aws:s3:::policybucket/true2' },
-                    { isAllowed: false, arn: 'arn:aws:s3:::policybucket/false1' },
-                ] } },
-                { message: { body: [
-                    { isAllowed: true, arn: 'arn:aws:s3:::policybucket/true1' },
-                    { isAllowed: false, arn: 'arn:aws:s3:::policybucket/true2' },
-                    { isAllowed: false, arn: 'arn:aws:s3:::policybucket/false2' },
-                ] } },
+                {
+                    message: {
+                        body: [
+                            { action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
+                            { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
+                            { action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/false1' },
+                            { action: 'GetObject', isAllowed: false, isImplicit: true, arn: 'arn:aws:s3:::policybucket/false2' },
+                        ]
+                    }
+                },
+                {
+                    message: {
+                        body: [
+                            { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
+                            { action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
+                            { action: 'GetObject', isAllowed: false, isImplicit: true, arn: 'arn:aws:s3:::policybucket/false1' },
+                            { action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/false2' },
+                        ]
+                    }
+                },
            ];
            assert.deepStrictEqual(
                ChainBackend._mergePolicies(policyResps),
                [
-                    { isAllowed: true, arn: 'arn:aws:s3:::policybucket/true1' },
-                    { isAllowed: true, arn: 'arn:aws:s3:::policybucket/true2' },
-                    { isAllowed: false, arn: 'arn:aws:s3:::policybucket/false1' },
-                    { isAllowed: false, arn: 'arn:aws:s3:::policybucket/false2' },
+                    { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
+                    { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
+                    { action: 'GetObject', isAllowed: false, isImplicit: true, arn: 'arn:aws:s3:::policybucket/false1' },
+                    { action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/false2' },
                ],
            );
            const policyRespsNested = [
-                { message: { body: [
+                {
+                    message: {
+                        body: [
                            [
-                        { isAllowed: false, arn: 'arn:aws:s3:::policybucket/true1' },
-                        { isAllowed: true, arn: 'arn:aws:s3:::policybucket/true2' },
+                                { action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
+                                { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
                            ],
-                ] } },
-                { message: { body: [
+                        ]
+                    }
+                },
+                {
+                    message: {
+                        body: [
                            [
-                        { isAllowed: true, arn: 'arn:aws:s3:::policybucket/true1' },
-                        { isAllowed: true, arn: 'arn:aws:s3:::policybucket/true2' },
+                                { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
+                                { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
                            ],
-                ] } },
+                        ]
+                    }
+                },
            ];
            assert.deepStrictEqual(
                ChainBackend._mergePolicies(policyRespsNested),
                [
-                    { isAllowed: true, arn: 'arn:aws:s3:::policybucket/true1' },
-                    { isAllowed: true, arn: 'arn:aws:s3:::policybucket/true2' },
+                    { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
+                    { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
                ],
            );
        });
Author	SHA1	Message	Date
Will Toozs	0abc8c2895	ARSN-375: update tests	2023-11-27 19:12:20 +01:00
Will Toozs	b98f4dbd30	ARSN-375: add impDeny logic to ChainBackend	2023-11-27 19:11:42 +01:00