Skip to content

Commit 6de09ca

Browse files
committed
refactor
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
1 parent bfe1290 commit 6de09ca

2 files changed

Lines changed: 49 additions & 30 deletions

File tree

app/controlplane/pkg/biz/apitoken.go

Lines changed: 3 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -35,21 +35,14 @@ type APITokenJWTConfig struct {
3535
SymmetricHmacKey string
3636
}
3737

38-
// OrgLevelAPITokenPolicies are additional policies granted only to org-level tokens.
38+
// orgLevelTokenPolicies are additional policies granted only to org-level tokens.
3939
// They allow managing project-scoped tokens.
40-
var OrgLevelAPITokenPolicies = []*authz.Policy{
40+
var orgLevelTokenPolicies = []*authz.Policy{
4141
authz.PolicyAPITokenCreate,
4242
authz.PolicyAPITokenList,
4343
authz.PolicyAPITokenRevoke,
4444
}
4545

46-
// withOrgLevelPolicies returns a new slice with OrgLevelAPITokenPolicies appended.
47-
func withOrgLevelPolicies(policies []*authz.Policy) []*authz.Policy {
48-
result := make([]*authz.Policy, len(policies), len(policies)+len(OrgLevelAPITokenPolicies))
49-
copy(result, policies)
50-
return append(result, OrgLevelAPITokenPolicies...)
51-
}
52-
5346
// APIToken is used for unattended access to the control plane API.
5447
type APIToken struct {
5548
ID uuid.UUID
@@ -221,7 +214,7 @@ func (uc *APITokenUseCase) Create(ctx context.Context, name string, description
221214

222215
// Org-level tokens additionally get project-level API token management policies
223216
if projectID == nil && orgUUID != nil {
224-
policies = withOrgLevelPolicies(policies)
217+
policies = append(policies, orgLevelTokenPolicies...)
225218
}
226219

227220
// NOTE: the expiration time is stored just for reference, it's also encoded in the JWT

app/controlplane/pkg/biz/apitoken_integration_test.go

Lines changed: 46 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -145,29 +145,55 @@ func (s *apiTokenTestSuite) TestCreate() {
145145
}
146146

147147
func (s *apiTokenTestSuite) TestAuthzPolicies() {
148-
// a new token has a new set of policies associated
149-
token, err := s.APIToken.Create(context.Background(), randomName(), nil, nil, &s.org.ID)
150-
require.NoError(s.T(), err)
148+
ctx := context.Background()
151149

152-
// With the new architecture, API token policies are stored in the database, not in Casbin
153-
// Verify that the token has the default policies stored
154-
expectedPolicies := make([]*authz.Policy, 0, len(s.APIToken.DefaultAuthzPolicies)+len(biz.OrgLevelAPITokenPolicies))
155-
expectedPolicies = append(expectedPolicies, s.APIToken.DefaultAuthzPolicies...)
156-
expectedPolicies = append(expectedPolicies, biz.OrgLevelAPITokenPolicies...)
157-
s.Require().NotNil(token.Policies)
158-
s.Len(token.Policies, len(expectedPolicies))
159-
160-
// Check that all default policies for org-scoped token are present
161-
for _, expectedPolicy := range expectedPolicies {
162-
found := false
163-
for _, actualPolicy := range token.Policies {
164-
if actualPolicy.Resource == expectedPolicy.Resource && actualPolicy.Action == expectedPolicy.Action {
165-
found = true
166-
break
150+
s.Run("project-level token gets default policies", func() {
151+
token, err := s.APIToken.Create(ctx, randomName(), nil, nil, &s.org.ID, biz.APITokenWithProject(s.p1))
152+
require.NoError(s.T(), err)
153+
s.Require().NotNil(token.Policies)
154+
s.Len(token.Policies, len(s.APIToken.DefaultAuthzPolicies))
155+
156+
for _, p := range s.APIToken.DefaultAuthzPolicies {
157+
found := false
158+
for _, actual := range token.Policies {
159+
if actual.Resource == p.Resource && actual.Action == p.Action {
160+
found = true
161+
break
162+
}
167163
}
164+
s.True(found, fmt.Sprintf("policy %s:%s not found", p.Resource, p.Action))
168165
}
169-
s.True(found, fmt.Sprintf("policy %s:%s not found", expectedPolicy.Resource, expectedPolicy.Action))
170-
}
166+
})
167+
168+
s.Run("org-level token gets default plus token management policies", func() {
169+
token, err := s.APIToken.Create(ctx, randomName(), nil, nil, &s.org.ID)
170+
require.NoError(s.T(), err)
171+
s.Require().NotNil(token.Policies)
172+
173+
// All default policies must be present
174+
for _, p := range s.APIToken.DefaultAuthzPolicies {
175+
found := false
176+
for _, actual := range token.Policies {
177+
if actual.Resource == p.Resource && actual.Action == p.Action {
178+
found = true
179+
break
180+
}
181+
}
182+
s.True(found, fmt.Sprintf("default policy %s:%s not found", p.Resource, p.Action))
183+
}
184+
185+
// Additional org-level token management policies must be present
186+
for _, p := range []*authz.Policy{authz.PolicyAPITokenCreate, authz.PolicyAPITokenList, authz.PolicyAPITokenRevoke} {
187+
found := false
188+
for _, actual := range token.Policies {
189+
if actual.Resource == p.Resource && actual.Action == p.Action {
190+
found = true
191+
break
192+
}
193+
}
194+
s.True(found, fmt.Sprintf("org policy %s:%s not found", p.Resource, p.Action))
195+
}
196+
})
171197
}
172198

173199
func (s *apiTokenTestSuite) TestRevoke() {

0 commit comments

Comments
 (0)