@@ -214,6 +214,14 @@ func TestPoliciesLookup(t *testing.T) {
214214 name : "contract apply operation found" ,
215215 operation : "/controlplane.v1.WorkflowContractService/Apply" ,
216216 },
217+ {
218+ name : "organization delete membership operation found" ,
219+ operation : "/controlplane.v1.OrganizationService/DeleteMembership" ,
220+ },
221+ {
222+ name : "organization update membership operation found" ,
223+ operation : "/controlplane.v1.OrganizationService/UpdateMembership" ,
224+ },
217225 }
218226
219227 for _ , tc := range testCases {
@@ -234,3 +242,47 @@ func TestPoliciesLookupContractApply(t *testing.T) {
234242 assert .NoError (t , err )
235243 assert .Equal (t , []* authz.Policy {authz .PolicyWorkflowContractCreate , authz .PolicyWorkflowContractUpdate }, policies )
236244}
245+
246+ func TestPoliciesLookupDeleteMembership (t * testing.T ) {
247+ policies , err := policiesLookup ("/controlplane.v1.OrganizationService/DeleteMembership" )
248+ assert .NoError (t , err )
249+ assert .Equal (t , []* authz.Policy {authz .PolicyOrganizationMembershipsDelete }, policies )
250+ }
251+
252+ func TestPoliciesLookupUpdateMembership (t * testing.T ) {
253+ policies , err := policiesLookup ("/controlplane.v1.OrganizationService/UpdateMembership" )
254+ assert .NoError (t , err )
255+ assert .Equal (t , []* authz.Policy {authz .PolicyOrganizationMembershipsUpdate }, policies )
256+ }
257+
258+ func TestViewerDeniedDeleteMembership (t * testing.T ) {
259+ logger := log .NewHelper (log .NewStdLogger (io .Discard ))
260+
261+ ctx := context .Background ()
262+ ctx = usercontext .WithAuthzSubject (ctx , string (authz .RoleViewer ))
263+ ctx = transport .NewServerContext (ctx , & mockTransport {operation : "/controlplane.v1.OrganizationService/DeleteMembership" })
264+
265+ e := NewMockEnforcer (t )
266+ e .On ("Enforce" , mock .Anything , string (authz .RoleViewer ), authz .PolicyOrganizationMembershipsDelete ).Return (false , nil )
267+
268+ m := WithAuthzMiddleware (e , logger )
269+ _ , err := m (emptyHandler )(ctx , nil )
270+ assert .Error (t , err )
271+ assert .True (t , errors .IsForbidden (err ))
272+ }
273+
274+ func TestViewerDeniedUpdateMembership (t * testing.T ) {
275+ logger := log .NewHelper (log .NewStdLogger (io .Discard ))
276+
277+ ctx := context .Background ()
278+ ctx = usercontext .WithAuthzSubject (ctx , string (authz .RoleViewer ))
279+ ctx = transport .NewServerContext (ctx , & mockTransport {operation : "/controlplane.v1.OrganizationService/UpdateMembership" })
280+
281+ e := NewMockEnforcer (t )
282+ e .On ("Enforce" , mock .Anything , string (authz .RoleViewer ), authz .PolicyOrganizationMembershipsUpdate ).Return (false , nil )
283+
284+ m := WithAuthzMiddleware (e , logger )
285+ _ , err := m (emptyHandler )(ctx , nil )
286+ assert .Error (t , err )
287+ assert .True (t , errors .IsForbidden (err ))
288+ }
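Review bot: TestViewerDeniedDeleteMembership and TestViewerDeniedUpdateMembership assert only that a forbidden error comes back; they never check that the wrapped handler was not reached, so a middleware that invoked the handler and then returned the error would still pass. Since the property under test is that a denied subject cannot reach the operation, replace `emptyHandler` with a handler that records the call: `called := false` before the `m(...)` line, `_, err := m(func(ctx context.Context, req any) (any, error) { called = true; return nil, nil })(ctx, nil)`, and `assert.False(t, called)` after the `errors.IsForbidden` check. The two tests differ only in the operation string and the expected policy (as do the two policiesLookup tests above them), so one small table with those two fields and a loop would keep the four additions together; NewMockEnforcer(t) appears to be a mockery mock that verifies expectations on cleanup, so an unexpected policy argument would already fail the test. Whether `any` is available depends on the module's Go version; use `interface{}` otherwise.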