dashboard/app: unit test accessLevel

google · Oct 18, 2024 · cd6fc0a · cd6fc0a
1 parent fc67a39
commit cd6fc0a
Show file tree

Hide file tree

Showing 3 changed files with 161 additions and 14 deletions.
diff --git a/dashboard/app/access.go b/dashboard/app/access.go
@@ -46,9 +46,6 @@ func checkAccessLevel(c context.Context, r *http.Request, level AccessLevel) err
 	return ErrAccess
 }
 
-// AuthDomain is broken in AppEngine tests.
-var isBrokenAuthDomainInTest = false
-
 func emailInAuthDomains(email string, authDomains []string) bool {
 	for _, authDomain := range authDomains {
 		if strings.HasSuffix(email, authDomain) {
@@ -59,7 +56,7 @@ func emailInAuthDomains(email string, authDomains []string) bool {
 	return false
 }
 
-func currentUser(c context.Context, r *http.Request) *user.User {
+func currentUser(c context.Context) *user.User {
 	u := user.Current(c)
 	if u != nil {
 		return u
@@ -78,23 +75,29 @@ func currentUser(c context.Context, r *http.Request) *user.User {
 // OAuth2 token is expected to be present in "Authorization" header.
 // Example: "Authorization: Bearer $(gcloud auth print-access-token)".
 func accessLevel(c context.Context, r *http.Request) AccessLevel {
-	if user.IsAdmin(c) {
-		switch r.FormValue("access") {
+	return userAccessLevel(currentUser(c), r.FormValue("access"), getConfig(c))
+}
+
+// trustedAuthDomain for the test environment is "".
+var trustedAuthDomain = "gmail.com"
+
+func userAccessLevel(u *user.User, wantAccess string, config *GlobalConfig) AccessLevel {
+	if u == nil || u.AuthDomain != trustedAuthDomain {
+		return AccessPublic
+	}
+	if u.Admin {
+		switch wantAccess {
 		case "public":
 			return AccessPublic
 		case "user":
 			return AccessUser
 		}
 		return AccessAdmin
 	}
-	u := currentUser(c, r)
-	if u == nil ||
-		// Devappserver does not pass AuthDomain.
-		u.AuthDomain != "gmail.com" && !isBrokenAuthDomainInTest ||
-		!emailInAuthDomains(u.Email, getConfig(c).AuthDomains) {
-		return AccessPublic
+	if emailInAuthDomains(u.Email, config.AuthDomains) {
+		return AccessUser
 	}
-	return AccessUser
+	return AccessPublic
 }
 
 func checkTextAccess(c context.Context, r *http.Request, tag string, id int64) (*Bug, *Crash, error) {

diff --git a/dashboard/app/access_test.go b/dashboard/app/access_test.go
@@ -429,3 +429,147 @@ func TestAccess(t *testing.T) {
 		}
 	}
 }
+
+type UserAuthorizationLevel int
+
+const (
+	BadAuthDomain UserAuthorizationLevel = iota
+	Regular
+	Authenticated
+	AuthorizedAccessPublic
+	AuthorizedUser
+	AuthorizedAdmin
+)
+
+func makeUser(a UserAuthorizationLevel) *user.User {
+	u := &user.User{}
+	switch a {
+	case BadAuthDomain:
+		u.AuthDomain = "public.com"
+	case Regular:
+		u = nil
+	case Authenticated:
+		u.Email = "[email protected]"
+	case AuthorizedAccessPublic:
+		u.Email = "[email protected]"
+	case AuthorizedUser:
+		u.Email = "[email protected]"
+	case AuthorizedAdmin:
+		u.Email = "[email protected]"
+		u.Admin = true
+	}
+	return u
+}
+
+func TestUserAccessLevel(t *testing.T) {
+	tests := []struct {
+		name                string
+		u                   *user.User
+		enforcedAccessLevel string
+		config              *GlobalConfig
+		wantAccessLevel     AccessLevel
+	}{
+		{
+			name:            "wrong auth domain",
+			u:               makeUser(BadAuthDomain),
+			wantAccessLevel: AccessPublic,
+		},
+		{
+			name:            "regular not authenticated user",
+			u:               makeUser(Regular),
+			wantAccessLevel: AccessPublic,
+		},
+		{
+			name:                "regular not authenticated user wants to be an admin",
+			u:                   makeUser(Regular),
+			enforcedAccessLevel: "admin",
+			config:              testConfig,
+			wantAccessLevel:     AccessPublic,
+		},
+		{
+			name:                "regular not authenticated user wants to be a user",
+			u:                   makeUser(Regular),
+			enforcedAccessLevel: "user",
+			config:              testConfig,
+			wantAccessLevel:     AccessPublic,
+		},
+		{
+			name:            "authenticated, not authorized user",
+			u:               makeUser(Authenticated),
+			config:          testConfig,
+			wantAccessLevel: AccessPublic,
+		},
+		{
+			name:                "authenticated, not authorized user wants to be an admin",
+			u:                   makeUser(Authenticated),
+			enforcedAccessLevel: "admin",
+			config:              testConfig,
+			wantAccessLevel:     AccessPublic,
+		},
+		{
+			name:                "authenticated, not authorized user wants to be a user",
+			u:                   makeUser(Authenticated),
+			enforcedAccessLevel: "user",
+			config:              testConfig,
+			wantAccessLevel:     AccessPublic,
+		},
+		{
+			name:            "authorized for AccessPublic user",
+			u:               makeUser(AuthorizedAccessPublic),
+			config:          testConfig,
+			wantAccessLevel: AccessPublic,
+		},
+		{
+			name:                "authorized for AccessPublic user wants to be an admin",
+			u:                   makeUser(AuthorizedAccessPublic),
+			enforcedAccessLevel: "admin",
+			config:              testConfig,
+			wantAccessLevel:     AccessPublic,
+		},
+		{
+			name:                "authorized for AccessPublic user wants to be a user",
+			u:                   makeUser(AuthorizedAccessPublic),
+			enforcedAccessLevel: "user",
+			config:              testConfig,
+			wantAccessLevel:     AccessPublic,
+		},
+		{
+			name:            "authorized for AccessUser user",
+			u:               makeUser(AuthorizedUser),
+			config:          testConfig,
+			wantAccessLevel: AccessUser,
+		},
+		{
+			name:                "authorized for AccessUser user wants to be an admin",
+			u:                   makeUser(AuthorizedUser),
+			enforcedAccessLevel: "admin",
+			config:              testConfig,
+			wantAccessLevel:     AccessUser,
+		},
+		{
+			name:            "authorized admin wants AccessAdmin",
+			u:               makeUser(AuthorizedAdmin),
+			config:          testConfig,
+			wantAccessLevel: AccessAdmin,
+		},
+		{
+			name:                "authorized admin wants AccessPublic",
+			u:                   makeUser(AuthorizedAdmin),
+			enforcedAccessLevel: "public",
+			config:              testConfig,
+			wantAccessLevel:     AccessPublic,
+		},
+		{
+			name:                "authorized admin wants AccessUser",
+			u:                   makeUser(AuthorizedAdmin),
+			enforcedAccessLevel: "user",
+			config:              testConfig,
+			wantAccessLevel:     AccessUser,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			assert.Equal(t, test.wantAccessLevel, userAccessLevel(test.u, test.enforcedAccessLevel, test.config))
+		})
+	}
+}
diff --git a/dashboard/app/app_test.go b/dashboard/app/app_test.go
@@ -31,7 +31,7 @@ func init() {
 	os.Setenv("GAE_MODULE_VERSION", "1")
 	os.Setenv("GAE_MINOR_VERSION", "1")
 
-	isBrokenAuthDomainInTest = true
+	trustedAuthDomain = "" // Devappserver environment value is "", prod value is "gmail.com".
 	obsoleteWhatWontBeFixBisected = true
 	notifyAboutUnsuccessfulBisections = true
 	ensureConfigImmutability = true