add admin additional role to mlp.project.post (#91)

tkpd-hafizhan · web-flow · commit b3d74d1f9273 · 2023-10-25T10:02:04.000+07:00
* Update bootstrap.go

* add bootstrap test

* Update admin role to have default permission

* update bootstrap test

* edit bootstrap config and add test

* update test name

* fix long test name
diff --git a/api/cmd/bootstrap.go b/api/cmd/bootstrap.go
@@ -30,7 +30,14 @@ var (
 			if err != nil {
 				log.Panicf("unable to load role members from input file: %v", err)
 			}
-			err = startKetoBootstrap(bootstrapConfig)
+			authEnforcer, err := enforcer.NewEnforcerBuilder().
+				KetoEndpoints(bootstrapConfig.KetoRemoteRead, bootstrapConfig.KetoRemoteWrite).
+				Build()
+			if err != nil {
+				log.Panicf("unable to create keto enforcer: %v", err)
+			}
+
+			err = startKetoBootstrap(authEnforcer, bootstrapConfig.ProjectReaders, bootstrapConfig.MLPAdmins)
 			if err != nil {
 				log.Panicf("unable to bootstrap keto: %v", err)
 			}
@@ -64,15 +71,11 @@ func loadBootstrapConfig(path string) (*BootstrapConfig, error) {
 	return bootstrapCfg, nil
 }
 
-func startKetoBootstrap(bootstrapCfg *BootstrapConfig) error {
-	authEnforcer, err := enforcer.NewEnforcerBuilder().
-		KetoEndpoints(bootstrapCfg.KetoRemoteRead, bootstrapCfg.KetoRemoteWrite).
-		Build()
-	if err != nil {
-		return err
-	}
+func startKetoBootstrap(authEnforcer enforcer.Enforcer, projectReaders []string, mlpAdmins []string) error {
+	defaultMLPAdminPermissions := []string{"mlp.projects.post"}
 	updateRequest := enforcer.NewAuthorizationUpdateRequest()
-	updateRequest.SetRoleMembers(enforcer.MLPProjectsReaderRole, bootstrapCfg.ProjectReaders)
-	updateRequest.SetRoleMembers(enforcer.MLPAdminRole, bootstrapCfg.MLPAdmins)
+	updateRequest.SetRoleMembers(enforcer.MLPProjectsReaderRole, projectReaders)
+	updateRequest.SetRoleMembers(enforcer.MLPAdminRole, mlpAdmins)
+	updateRequest.AddRolePermissions(enforcer.MLPAdminRole, defaultMLPAdminPermissions)
 	return authEnforcer.UpdateAuthorization(context.Background(), updateRequest)
 }
diff --git a/api/cmd/bootstrap_test.go b/api/cmd/bootstrap_test.go
@@ -0,0 +1,86 @@
+package cmd
+
+import (
+	"testing"
+
+	"github.com/caraml-dev/mlp/api/pkg/authz/enforcer"
+	enforcerMock "github.com/caraml-dev/mlp/api/pkg/authz/enforcer/mocks"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+)
+
+func TestStartKetoBootsrap(t *testing.T) {
+	tests := []struct {
+		name                               string
+		projectReaders                     []string
+		mlpAdmins                          []string
+		expectedUpdateAuthorizationRequest enforcer.AuthorizationUpdateRequest
+	}{
+		{
+			"admin role must have project post even there are no project readers",
+			[]string{},
+			[]string{"admin1"},
+			enforcer.AuthorizationUpdateRequest{
+				RolePermissions: map[string][]string{
+					"mlp.administrator": {"mlp.projects.post"},
+				},
+				RoleMembers: map[string][]string{
+					"mlp.projects.reader": {},
+					"mlp.administrator":   {"admin1"},
+				},
+			},
+		},
+		{
+			"admin role should have project post, even there are no mlp admins or project readers",
+			[]string{},
+			[]string{},
+			enforcer.AuthorizationUpdateRequest{
+				RolePermissions: map[string][]string{
+					"mlp.administrator": {"mlp.projects.post"},
+				},
+				RoleMembers: map[string][]string{
+					"mlp.projects.reader": {},
+					"mlp.administrator":   {},
+				},
+			},
+		},
+		{
+			"only admin role should have project post, even no mlp admins and project readers exist",
+			[]string{"readers1", "readers2"},
+			[]string{},
+			enforcer.AuthorizationUpdateRequest{
+				RolePermissions: map[string][]string{
+					"mlp.administrator": {"mlp.projects.post"},
+				},
+				RoleMembers: map[string][]string{
+					"mlp.projects.reader": {"readers1", "readers2"},
+					"mlp.administrator":   {},
+				},
+			},
+		},
+		{
+			"only admin role should have project post, even project readers exist",
+			[]string{"readers1", "readers2"},
+			[]string{"admin1"},
+			enforcer.AuthorizationUpdateRequest{
+				RolePermissions: map[string][]string{
+					"mlp.administrator": {"mlp.projects.post"},
+				},
+				RoleMembers: map[string][]string{
+					"mlp.projects.reader": {"readers1", "readers2"},
+					"mlp.administrator":   {"admin1"},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			authEnforcer := &enforcerMock.Enforcer{}
+
+			authEnforcer.On("UpdateAuthorization", mock.Anything, tt.expectedUpdateAuthorizationRequest).Return(nil)
+			err := startKetoBootstrap(authEnforcer, tt.projectReaders, tt.mlpAdmins)
+			authEnforcer.AssertExpectations(t)
+			require.NoError(t, err)
+		})
+	}
+}
