add grants tests for groups API #5403
Conversation
bosorawis
force-pushed
the
bosorawis-prototype-grant-test
branch
from
ffbb1c6 to
e18100e
Compare
bosorawis
force-pushed
the
bosorawis-prototype-grant-test
branch
from
fa1bac8 to
8a31f36
Compare
|
Looks like you need a "go mod tidy" |
| // genAuthTokenCtx creates an auth.VerifierContext which contains a valid auth token | ||
| // for a user which is associated with roles in the roles parameter | ||
| // this function creates an authMethod, account, user at global scope | ||
| func genAuthTokenCtx(t *testing.T, |
There was a problem hiding this comment.
We should add a prefix of Test to the function since it's only used for testing. So nobody accidentally calls it. I think we have a pattern of this in Boundary
There was a problem hiding this comment.
Since the function takes *testing.T as its first parameter so I don't think this can be accidentally called outside of test but I'll add test... prefix to its name 👍
There was a problem hiding this comment.
I would also note that this function is defined in an _test.go file, which means it does not get compiled into the final binary. As such it can only be called via the tests. The pattern of using a Test prefix is usually for things defined in testing.go.
| wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId, proj1Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, | ||
| }, | ||
| { | ||
| name: "org role grant children IDs only org children", |
There was a problem hiding this comment.
So descendants will also include items in the current scope which is org2Group. I expected only proj2Group and proj3Group to be returned just like GetGroup works with descendants
There was a problem hiding this comment.
Oops, this is a bad test name. The role is in global with descendant access - calling list at org2 will return org2, proj2, proj3. AFAIK, there's no way to make a list exclude the "listing scope". You always get all the groups in ScopeId of the list call.
| proj2Group := iam.TestGroup(t, conn, proj2.GetPublicId(), iam.WithDescription("proj2"), iam.WithName("proj2")) | ||
| proj3Group := iam.TestGroup(t, conn, proj3.GetPublicId(), iam.WithDescription("proj3"), iam.WithName("proj3")) | ||
|
|
||
| t.Run("List", func(t *testing.T) { |
There was a problem hiding this comment.
We could add test coverage for:
- List with grant string with specific scope id
- Test permission error with type that is not a group
There was a problem hiding this comment.
added tests to cover both cases
| }, | ||
| }, | ||
| { | ||
| name: "global_role_grant_all_specific_permissions", |
There was a problem hiding this comment.
This test and the previous are the same or? Unless I am missing the difference
There was a problem hiding this comment.
another test I forgot to rename 🤦
| }, | ||
| }, | ||
| { | ||
| name: "global_role_grant_all_specific_permissions", |
There was a problem hiding this comment.
The test name here is also the same as the last 2 tests. Not distinct enough
There was a problem hiding this comment.
good catch! my bad, will push a fix soon
| t.Run("update", func(t *testing.T) { | ||
| testcases := []struct { | ||
| name string | ||
| setupScopesResourcesRoles func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) |
There was a problem hiding this comment.
Is there a reason why we can't pass only roleRequest and allow the for loop to create a test group to follow the pattern of other tests? is it because we want to create groups in different scopes?
There was a problem hiding this comment.
because in some cases we need ID of the group for testing resource-specific grant string
bosorawis
force-pushed
the
bosorawis-prototype-grant-test
branch
from
e44604f to
8e8eceb
Compare
| ctx := context.Background() | ||
| conn, _ := db.TestSetup(t, "postgres") | ||
| wrap := db.TestWrapper(t) | ||
| iamRepo := iam.TestRepo(t, conn, wrap) | ||
| repoFn := func() (*iam.Repository, error) { | ||
| return iamRepo, nil | ||
| } | ||
| s, err := groups.NewService(ctx, repoFn, 1000) | ||
| require.NoError(t, err) |
There was a problem hiding this comment.
We're performing this test setup in a few places -- we could reduce code by moving this into a shared function
There was a problem hiding this comment.
🤔 We're using most of these setup objects throughout the test though. I'm not sure if we could abstract this away while keeping those available
Add tests that validate covering grants in preparation for grants system rework