nolint:thelper
(ctx context.Context, t *testing.T, rep repo.Repository, authorizer auth.Authorizer)
| 117 | |
| 118 | //nolint:thelper |
| 119 | func verifyLegacyAuthorizer(ctx context.Context, t *testing.T, rep repo.Repository, authorizer auth.Authorizer) { |
| 120 | cases := []struct { |
| 121 | usernameAtHost string |
| 122 | globalPolicyAccess auth.AccessLevel |
| 123 | fooAtBarPathPolicyAccess auth.AccessLevel |
| 124 | fooAtBazPathPolicyAccess auth.AccessLevel |
| 125 | fooAtBarPolicyAccess auth.AccessLevel |
| 126 | fooAtBazPolicyAccess auth.AccessLevel |
| 127 | barPolicyAccess auth.AccessLevel |
| 128 | bazPolicyAccess auth.AccessLevel |
| 129 | fooAtBarSnapshotAccess auth.AccessLevel |
| 130 | fooAtBazSnapshotAccess auth.AccessLevel |
| 131 | }{ |
| 132 | { |
| 133 | usernameAtHost: "foo@bar", |
| 134 | globalPolicyAccess: auth.AccessLevelRead, |
| 135 | fooAtBarPathPolicyAccess: auth.AccessLevelFull, // full access to own path policies |
| 136 | fooAtBazPathPolicyAccess: auth.AccessLevelNone, |
| 137 | fooAtBarPolicyAccess: auth.AccessLevelFull, // full access to own user policy |
| 138 | fooAtBazPolicyAccess: auth.AccessLevelNone, |
| 139 | barPolicyAccess: auth.AccessLevelRead, // read access to own host policy |
| 140 | bazPolicyAccess: auth.AccessLevelNone, |
| 141 | fooAtBarSnapshotAccess: auth.AccessLevelFull, // full access to own snapshot |
| 142 | fooAtBazSnapshotAccess: auth.AccessLevelNone, |
| 143 | }, |
| 144 | { |
| 145 | usernameAtHost: "evil@bar", |
| 146 | globalPolicyAccess: auth.AccessLevelRead, |
| 147 | fooAtBarPathPolicyAccess: auth.AccessLevelNone, |
| 148 | fooAtBazPathPolicyAccess: auth.AccessLevelNone, |
| 149 | fooAtBarPolicyAccess: auth.AccessLevelNone, |
| 150 | fooAtBazPolicyAccess: auth.AccessLevelNone, |
| 151 | barPolicyAccess: auth.AccessLevelRead, |
| 152 | bazPolicyAccess: auth.AccessLevelNone, |
| 153 | fooAtBarSnapshotAccess: auth.AccessLevelNone, |
| 154 | fooAtBazSnapshotAccess: auth.AccessLevelNone, |
| 155 | }, |
| 156 | { |
| 157 | usernameAtHost: "evil@elsewhere", |
| 158 | globalPolicyAccess: auth.AccessLevelRead, |
| 159 | fooAtBarPathPolicyAccess: auth.AccessLevelNone, |
| 160 | fooAtBazPathPolicyAccess: auth.AccessLevelNone, |
| 161 | fooAtBarPolicyAccess: auth.AccessLevelNone, |
| 162 | fooAtBazPolicyAccess: auth.AccessLevelNone, |
| 163 | barPolicyAccess: auth.AccessLevelNone, |
| 164 | bazPolicyAccess: auth.AccessLevelNone, |
| 165 | fooAtBarSnapshotAccess: auth.AccessLevelNone, |
| 166 | fooAtBazSnapshotAccess: auth.AccessLevelNone, |
| 167 | }, |
| 168 | } |
| 169 | |
| 170 | for _, tc := range cases { |
| 171 | t.Run(tc.usernameAtHost, func(t *testing.T) { |
| 172 | a := authorizer.Authorize(ctx, rep, tc.usernameAtHost) |
| 173 | |
| 174 | if got, want := a.ContentAccessLevel(), auth.AccessLevelFull; got != want { |
| 175 | t.Errorf("invalid content access level: %v, want %v", got, want) |
| 176 | } |
no test coverage detected