From 22b2bd0a3f4eda922479838cb3acdd49cba9115b Mon Sep 17 00:00:00 2001 From: Ali Dowair Date: Tue, 3 Dec 2024 21:32:38 -0800 Subject: [PATCH] internal/parser: test parsing of tags in condition Signed-off-by: Ali Dowair --- internal/parser/cedar_parse_test.go | 26 +++++++++++++++++++++ internal/parser/cedar_unmarshal_test.go | 30 +++++++++++++++++++++++++ 2 files changed, 56 insertions(+) diff --git a/internal/parser/cedar_parse_test.go b/internal/parser/cedar_parse_test.go index 4b77c24..f72663c 100644 --- a/internal/parser/cedar_parse_test.go +++ b/internal/parser/cedar_parse_test.go @@ -111,6 +111,18 @@ func TestParse(t *testing.T) { when { action.foo["bar"].isIpv4() } unless { principal.isIpv4(false, 123, "foo") } when { principal["foo"] };`, false}, + {"tags", `permit(principal, action, resource) + when { resource.hasTag("blue") }; + + permit(principal, action, resource) + when { resource.getTag("blue") }; + + permit(principal, action, resource) + when { resource.hasTag(context.color) }; + + permit(principal, action, resource) + when { resource.getTag(context.color) }; + `, false}, {"unary", `permit(principal, action, resource) when { !resource.foo } unless { -resource.bar } 
@@ -243,6 +255,20 @@ func TestParse(t *testing.T) { when { resource.bar[baz]`, true}, {"invalidAccess8", `permit(principal, action, resource) when { resource.bar["baz")`, true}, + {"invalidTag1", `permit(principal, action, resource) + when { resource.getTag(42)}`, true}, + {"invalidTag2", `permit(principal, action, resource) + when { resource.hasTag(42)}`, true}, + {"invalidTag3", `permit(principal, action, resource) + when { resource.hasTag(12.1 + 3.6)}`, true}, + {"invalidTag4", `permit(principal, action, resource) + when { resource.hasTag(true)}`, true}, + {"invalidTag5", `permit(principal, action, resource) + when { "blue".hasTag("true")}`, true}, + {"invalidTag6", `permit(principal, action, resource) + when { 42.hasTag("true")}`, true}, + {"invalidTag7", `permit(principal, action, resource) + when { true.hasTag("true")}`, true}, {"invalidUnaryOp", `permit(principal, action, resource) when { +resource.bar };`, true}, {"invalidAdd", `permit(principal, action, resource) diff --git a/internal/parser/cedar_unmarshal_test.go b/internal/parser/cedar_unmarshal_test.go index 5f349ac..b8ae8f4 100644 --- a/internal/parser/cedar_unmarshal_test.go +++ b/internal/parser/cedar_unmarshal_test.go 
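Review bot: The seven `invalidTag` inputs all stop at `}` with no terminating `;`, unlike the accepted `tags` policies and the neighbouring `invalidUnaryOp` case. If the parser requires the semicolon, they would be rejected for that reason whether or not the tag receiver or argument is checked. For a parser of authorization policies, a rejection test that passes on an unrelated syntax error gives no assurance that `resource.hasTag(42)` or `"blue".hasTag("true")` is actually refused. Terminate each input so the tag expression is the only fault, e.g. `when { resource.getTag(42) };`, and assert on the error text if the table can carry an expected message. The assertion loop of TestParse lies outside the hunk, so how the error is checked is not visible here.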
@@ -200,6 +200,36 @@ when { context.sourceIP.isIpv4() };`, when { 42 * 2 };`, ast.Permit().When(ast.Long(42).Multiply(ast.Long(2))), }, + { + "principal has tag", + `permit ( principal, action, resource ) +when { principal.hasTag("blue") };`, + ast.Permit().When(ast.Principal().HasTag(ast.String("blue"))), + }, + { + "resource has tag", + `permit ( principal, action, resource ) +when { resource.hasTag("blue") };`, + ast.Permit().When(ast.Resource().HasTag(ast.String("blue"))), + }, + { + "principal tag equals value", + `permit ( principal, action, resource ) +when { principal.hasTag("blue") && principal.getTag("blue") == "green" };`, + ast.Permit().When(ast.Principal().HasTag(ast.String("blue")).And(ast.Principal().GetTag(ast.String("blue")).Equal(ast.String("green")))), + }, + { + "principal tag has attribute", + `permit ( principal, action, resource ) +when { principal.hasTag("blue") && principal.getTag("blue") has attr };`, + ast.Permit().When(ast.Principal().HasTag(ast.String("blue")).And(ast.Principal().GetTag(ast.String("blue")).Has("attr"))), + }, + { + "principal has tag from context", + `permit ( principal, action, resource ) +when { principal.hasTag(context.request_ip) };`, + ast.Permit().When(ast.Principal().HasTag(ast.Context().Access("request_ip"))), + }, { "multiple multiplication", `permit ( principal, action, resource )
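Review bot: `getTag` with a non-literal key has no AST-shape assertion in these cases. The only expression argument tested is `principal.hasTag(context.request_ip)`, and every `getTag` call uses the literal `"blue"` on `principal`. The `tags` entry in cedar_parse_test.go does parse `resource.getTag(context.color)`, but it appears to check only that no error is returned, so a wrong node for that form would go unnoticed. Consider adding a case whose expected value is `ast.Permit().When(ast.Resource().GetTag(ast.Context().Access("color")).Equal(ast.String("green")))`. The test table and its comparison loop start and end outside the hunk.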