(t *testing.T)
| 23 | ) |
| 24 | |
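// TestConstraintSOD verifies that a separation-of-duties (SOD) constraint
// declared in the model's [constraint_definition] section is enforced when
// roles are assigned. The model marks "role1" and "role2" as mutually
// exclusive, so one user may hold either role but not both.
//
// It also checks that the rejected assignment left no state behind. An error
// alone does not prove the enforcer failed closed.
func TestConstraintSOD(t *testing.T) {
	modelText := `
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[constraint_definition]
c = sod("role1", "role2")

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
`

	m, err := model.NewModelFromString(modelText)
	if err != nil {
		t.Fatalf("Failed to create model: %v", err)
	}

	e, err := NewEnforcer(m)
	if err != nil {
		t.Fatalf("Failed to create enforcer: %v", err)
	}

	// Assigning one of the two conflicting roles to a user is allowed.
	if _, err = e.AddRoleForUser("alice", "role1"); err != nil {
		t.Fatalf("Failed to add role1 to alice: %v", err)
	}

	// The constraint is per user: a different user may hold the other role.
	if _, err = e.AddRoleForUser("bob", "role2"); err != nil {
		t.Fatalf("Failed to add role2 to bob: %v", err)
	}

	// Giving alice the second conflicting role must be rejected.
	_, err = e.AddRoleForUser("alice", "role2")
	if err == nil {
		t.Fatal("Expected constraint violation error, got nil")
	}
	if !strings.Contains(err.Error(), "constraint violation") {
		t.Fatalf("Expected constraint violation error, got: %v", err)
	}

	// The rejection must leave no trace: if the grouping rule were written
	// before validation and never rolled back, alice would hold both roles
	// despite the error. Whether the enforcer validates before or after
	// writing is not visible from this test, so assert on the resulting state.
	hasRole2, err := e.HasRoleForUser("alice", "role2")
	if err != nil {
		t.Fatalf("Failed to query role2 for alice: %v", err)
	}
	if hasRole2 {
		t.Fatal("alice holds role2 after a rejected assignment; SOD constraint was not enforced")
	}

	// The role alice already held must survive the rejected call.
	hasRole1, err := e.HasRoleForUser("alice", "role1")
	if err != nil {
		t.Fatalf("Failed to query role1 for alice: %v", err)
	}
	if !hasRole1 {
		t.Fatal("alice lost role1 after a rejected role2 assignment")
	}
}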
| 77 | |
| 78 | func TestConstraintSODMax(t *testing.T) { |
| 79 | modelText := ` |