@@ -145,29 +145,55 @@ func (s *apiTokenTestSuite) TestCreate() {
145145}
146146
147147func (s * apiTokenTestSuite ) TestAuthzPolicies () {
148- // a new token has a new set of policies associated
149- token , err := s .APIToken .Create (context .Background (), randomName (), nil , nil , & s .org .ID )
150- require .NoError (s .T (), err )
148+ ctx := context .Background ()
151149
152- // With the new architecture, API token policies are stored in the database, not in Casbin
153- // Verify that the token has the default policies stored
154- expectedPolicies := make ([]* authz.Policy , 0 , len (s .APIToken .DefaultAuthzPolicies )+ len (biz .OrgLevelAPITokenPolicies ))
155- expectedPolicies = append (expectedPolicies , s .APIToken .DefaultAuthzPolicies ... )
156- expectedPolicies = append (expectedPolicies , biz .OrgLevelAPITokenPolicies ... )
157- s .Require ().NotNil (token .Policies )
158- s .Len (token .Policies , len (expectedPolicies ))
159-
160- // Check that all default policies for org-scoped token are present
161- for _ , expectedPolicy := range expectedPolicies {
162- found := false
163- for _ , actualPolicy := range token .Policies {
164- if actualPolicy .Resource == expectedPolicy .Resource && actualPolicy .Action == expectedPolicy .Action {
165- found = true
166- break
150+ s .Run ("project-level token gets default policies" , func () {
151+ token , err := s .APIToken .Create (ctx , randomName (), nil , nil , & s .org .ID , biz .APITokenWithProject (s .p1 ))
152+ require .NoError (s .T (), err )
153+ s .Require ().NotNil (token .Policies )
154+ s .Len (token .Policies , len (s .APIToken .DefaultAuthzPolicies ))
155+
156+ for _ , p := range s .APIToken .DefaultAuthzPolicies {
157+ found := false
158+ for _ , actual := range token .Policies {
159+ if actual .Resource == p .Resource && actual .Action == p .Action {
160+ found = true
161+ break
162+ }
167163 }
164+ s .True (found , fmt .Sprintf ("policy %s:%s not found" , p .Resource , p .Action ))
168165 }
169- s .True (found , fmt .Sprintf ("policy %s:%s not found" , expectedPolicy .Resource , expectedPolicy .Action ))
170- }
166+ })
167+
168+ s .Run ("org-level token gets default plus token management policies" , func () {
169+ token , err := s .APIToken .Create (ctx , randomName (), nil , nil , & s .org .ID )
170+ require .NoError (s .T (), err )
171+ s .Require ().NotNil (token .Policies )
172+
173+ // All default policies must be present
174+ for _ , p := range s .APIToken .DefaultAuthzPolicies {
175+ found := false
176+ for _ , actual := range token .Policies {
177+ if actual .Resource == p .Resource && actual .Action == p .Action {
178+ found = true
179+ break
180+ }
181+ }
182+ s .True (found , fmt .Sprintf ("default policy %s:%s not found" , p .Resource , p .Action ))
183+ }
184+
185+ // Additional org-level token management policies must be present
186+ for _ , p := range []* authz.Policy {authz .PolicyAPITokenCreate , authz .PolicyAPITokenList , authz .PolicyAPITokenRevoke } {
187+ found := false
188+ for _ , actual := range token .Policies {
189+ if actual .Resource == p .Resource && actual .Action == p .Action {
190+ found = true
191+ break
192+ }
193+ }
194+ s .True (found , fmt .Sprintf ("org policy %s:%s not found" , p .Resource , p .Action ))
195+ }
196+ })
171197}
172198
173199func (s * apiTokenTestSuite ) TestRevoke () {
0 commit comments