package policy import ( "context" "path/filepath" "testing" "git.wntrmute.dev/kyle/metacrypt/internal/barrier" "git.wntrmute.dev/kyle/metacrypt/internal/crypto" "git.wntrmute.dev/kyle/metacrypt/internal/db" ) func setupPolicy(t *testing.T) (*Engine, func()) { t.Helper() dir := t.TempDir() database, err := db.Open(filepath.Join(dir, "test.db")) if err != nil { t.Fatalf("open db: %v", err) } if err := db.Migrate(database); err != nil { t.Fatalf("migrate: %v", err) } b := barrier.NewAESGCMBarrier(database) mek, _ := crypto.GenerateKey() _ = b.Unseal(mek) e := NewEngine(b) return e, func() { _ = database.Close() } } func TestAdminBypass(t *testing.T) { e, cleanup := setupPolicy(t) defer cleanup() effect, err := e.Evaluate(context.Background(), &Request{ Username: "admin-user", Roles: []string{"admin"}, Resource: "engine/transit/default/encrypt", Action: "write", }) if err != nil { t.Fatalf("Evaluate: %v", err) } if effect != EffectAllow { t.Fatalf("admin should always be allowed, got: %s", effect) } } func TestDefaultDeny(t *testing.T) { e, cleanup := setupPolicy(t) defer cleanup() effect, err := e.Evaluate(context.Background(), &Request{ Username: "user1", Roles: []string{"viewer"}, Resource: "engine/transit/default/encrypt", Action: "write", }) if err != nil { t.Fatalf("Evaluate: %v", err) } if effect != EffectDeny { t.Fatalf("default should deny, got: %s", effect) } } func TestPolicyRuleCRUD(t *testing.T) { e, cleanup := setupPolicy(t) defer cleanup() ctx := context.Background() rule := &Rule{ ID: "test-rule", Priority: 100, Effect: EffectAllow, Roles: []string{"operator"}, Resources: []string{"engine/transit/*"}, Actions: []string{"read", "write"}, } if err := e.CreateRule(ctx, rule); err != nil { t.Fatalf("CreateRule: %v", err) } got, err := e.GetRule(ctx, "test-rule") if err != nil { t.Fatalf("GetRule: %v", err) } if got.Priority != 100 { t.Errorf("priority: got %d, want 100", got.Priority) } rules, err := e.ListRules(ctx) if err != nil { t.Fatalf("ListRules: %v", err) } if len(rules) != 1 { t.Fatalf("ListRules: got %d rules, want 1", len(rules)) } if err := e.DeleteRule(ctx, "test-rule"); err != nil { t.Fatalf("DeleteRule: %v", err) } rules, _ = e.ListRules(ctx) if len(rules) != 0 { t.Fatalf("after delete: got %d rules, want 0", len(rules)) } } func TestPolicyPriorityOrder(t *testing.T) { e, cleanup := setupPolicy(t) defer cleanup() ctx := context.Background() // Lower priority number = higher priority. Deny should win. _ = e.CreateRule(ctx, &Rule{ ID: "allow-rule", Priority: 200, Effect: EffectAllow, Roles: []string{"operator"}, Resources: []string{"engine/transit/*"}, Actions: []string{"write"}, }) _ = e.CreateRule(ctx, &Rule{ ID: "deny-rule", Priority: 100, Effect: EffectDeny, Roles: []string{"operator"}, Resources: []string{"engine/transit/*"}, Actions: []string{"write"}, }) effect, _ := e.Evaluate(ctx, &Request{ Username: "user1", Roles: []string{"operator"}, Resource: "engine/transit/default", Action: "write", }) if effect != EffectDeny { t.Fatalf("higher priority deny should win, got: %s", effect) } } func TestActionAnyMatchesNonAdmin(t *testing.T) { e, cleanup := setupPolicy(t) defer cleanup() ctx := context.Background() _ = e.CreateRule(ctx, &Rule{ ID: "any-rule", Priority: 100, Effect: EffectAllow, Roles: []string{"user"}, Resources: []string{"transit/*"}, Actions: []string{ActionAny}, }) // "any" should match encrypt, decrypt, sign, verify, hmac, read, write. for _, action := range []string{ActionEncrypt, ActionDecrypt, ActionSign, ActionVerify, ActionHMAC, ActionRead, ActionWrite} { effect, _ := e.Evaluate(ctx, &Request{ Username: "alice", Roles: []string{"user"}, Resource: "transit/default", Action: action, }) if effect != EffectAllow { t.Errorf("action %q should be allowed by 'any', got: %s", action, effect) } } // "any" must NOT match "admin". effect, _ := e.Evaluate(ctx, &Request{ Username: "alice", Roles: []string{"user"}, Resource: "transit/default", Action: ActionAdmin, }) if effect != EffectDeny { t.Fatalf("action 'admin' should not be matched by 'any', got: %s", effect) } } func TestLintRule(t *testing.T) { // Valid rule. problems := LintRule(&Rule{ ID: "ok", Effect: EffectAllow, Actions: []string{ActionAny, ActionEncrypt}, }) if len(problems) > 0 { t.Errorf("expected no problems, got: %v", problems) } // Missing ID. problems = LintRule(&Rule{Effect: EffectAllow}) if len(problems) != 1 { t.Errorf("expected 1 problem for missing ID, got: %v", problems) } // Invalid effect. problems = LintRule(&Rule{ID: "bad-effect", Effect: "maybe"}) if len(problems) != 1 { t.Errorf("expected 1 problem for bad effect, got: %v", problems) } // Invalid action. problems = LintRule(&Rule{ID: "bad-action", Effect: EffectAllow, Actions: []string{"destroy"}}) if len(problems) != 1 { t.Errorf("expected 1 problem for bad action, got: %v", problems) } // Multiple problems. problems = LintRule(&Rule{Effect: "bogus", Actions: []string{"nope"}}) if len(problems) != 3 { // missing ID + bad effect + bad action t.Errorf("expected 3 problems, got: %v", problems) } } func TestCreateRuleRejectsInvalid(t *testing.T) { e, cleanup := setupPolicy(t) defer cleanup() ctx := context.Background() err := e.CreateRule(ctx, &Rule{ ID: "bad", Effect: EffectAllow, Actions: []string{"obliterate"}, }) if err == nil { t.Fatal("expected error for invalid action, got nil") } } func TestPolicyUsernameMatch(t *testing.T) { e, cleanup := setupPolicy(t) defer cleanup() ctx := context.Background() _ = e.CreateRule(ctx, &Rule{ ID: "user-specific", Priority: 100, Effect: EffectAllow, Usernames: []string{"alice"}, Resources: []string{"engine/*"}, Actions: []string{"read"}, }) effect, _ := e.Evaluate(ctx, &Request{ Username: "alice", Roles: []string{"user"}, Resource: "engine/ca", Action: "read", }) if effect != EffectAllow { t.Fatalf("alice should be allowed, got: %s", effect) } effect, _ = e.Evaluate(ctx, &Request{ Username: "bob", Roles: []string{"user"}, Resource: "engine/ca", Action: "read", }) if effect != EffectDeny { t.Fatalf("bob should be denied, got: %s", effect) } }