diff --git a/internal/check/engine_test.go b/internal/check/engine_test.go
index 2a8f42544..cb301446f 100644
--- a/internal/check/engine_test.go
+++ b/internal/check/engine_test.go
@@ -45,7 +45,7 @@ func TestEngine(t *testing.T) {
 Relation: "owner",
 Object: object,
 Namespace: ns,
- Subject: &relationtuple.SubjectSet{
+ Subject: &relationtuple.SubjectSet{
 Relation: "admin",
 Object: object,
 Namespace: ns,
@@ -56,7 +56,7 @@ func TestEngine(t *testing.T) {
 Relation: "access",
 Object: object,
 Namespace: ns,
- Subject: &relationtuple.SubjectSet{
+ Subject: &relationtuple.SubjectSet{
 Relation: "owner",
 Object: object,
 Namespace: ns,
@@ -76,14 +76,29 @@ func TestEngine(t *testing.T) {
 Subject: user,
 }
- // max-depth=2 is not enough
+ // global max-depth defaults to 10
+ assert.Equal(t, reg.Config().ReadAPIMaxDepth(), 10)
+
+ // req max-depth takes precedence, max-depth=2 is not enough
 res, err := e.SubjectIsAllowed(context.Background(), userHasAccess, 2)
 require.NoError(t, err)
 assert.False(t, res)
- // max-depth=3 is enough
+ // req max-depth takes precedence, max-depth=3 is enough
+ res, err = e.SubjectIsAllowed(context.Background(), userHasAccess, 3)
+ require.NoError(t, err)
+ assert.True(t, res)
+
+ // global max-depth takes precedence and max-depth=2 is not enough
+ reg.Config().Set(config.KeyReadMaxDepth, 2)
 res, err = e.SubjectIsAllowed(context.Background(), userHasAccess, 3)
 require.NoError(t, err)
+ assert.False(t, res)
+
+ // global max-depth takes precedence and max-depth=3 is enough
+ reg.Config().Set(config.KeyReadMaxDepth, 3)
+ res, err = e.SubjectIsAllowed(context.Background(), userHasAccess, 0)
+ require.NoError(t, err)
 assert.True(t, res)
 })
@@ -102,7 +117,7 @@ func TestEngine(t *testing.T) {
 e := check.NewEngine(reg)
- res, err := e.SubjectIsAllowed(context.Background(), &rel, 100)
+ res, err := e.SubjectIsAllowed(context.Background(), &rel, 0)
 require.NoError(t, err)
 assert.True(t, res)
 })
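Review bot: In the hunk at `@@ -76,14 +76,29 @@`, `assert.Equal(t, reg.Config().ReadAPIMaxDepth(), 10)` passes the actual value in the slot testify treats as expected; `assert.Equal(t, 10, reg.Config().ReadAPIMaxDepth())` keeps the failure message the right way round. The two `reg.Config().Set(config.KeyReadMaxDepth, …)` calls leave the global cap at 3 when the subtest returns; if `reg` is shared with later subtests (its construction is outside the hunk), their `0` requests would run against 3 rather than the default, so restoring the previous value in a `t.Cleanup` would be safer. Because the global cap is what bounds traversal depth for caller-supplied values, a case for a negative request depth would be worth adding next to the `0` case.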
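Review bot: From the hunk at `@@ -102,7 +117,7 @@` onward every call changes the depth argument from `100` to `0`, so these subtests now run at the configured global max-depth (asserted as 10 earlier in this file) rather than an explicit one. For the cases that assert `False` (the hunks at -171, -203, -241, -349 and -543) a denial can come from depth exhaustion as well as from a missing relation, and whether each fixture stays within the default is not visible from the hunks. Keeping an explicit depth in those cases, or adding a comment such as `// 0 = fall back to the configured global max-depth` at the first call, would make the intent clear.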
@@ -143,7 +158,7 @@ func TestEngine(t *testing.T) {
 Object: dust,
 Subject: &mark,
 Namespace: sofaNamespace,
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.True(t, res)
 })
@@ -171,7 +186,7 @@ func TestEngine(t *testing.T) {
 Object: rel.Object,
 Namespace: rel.Namespace,
 Subject: &relationtuple.SubjectID{ID: "not " + user.ID},
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.False(t, res)
 })
@@ -203,7 +218,7 @@ func TestEngine(t *testing.T) {
 Relation: access.Relation,
 Object: object,
 Subject: user.Subject,
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.False(t, res)
 })
@@ -241,7 +256,7 @@ func TestEngine(t *testing.T) {
 Object: diaryEntry,
 Namespace: diaryNamespace,
 Subject: user.Subject,
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.False(t, res)
 })
@@ -299,7 +314,7 @@ func TestEngine(t *testing.T) {
 Relation: writeRel.Relation,
 Object: object,
 Subject: &user,
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.True(t, res)
@@ -309,7 +324,7 @@ func TestEngine(t *testing.T) {
 Relation: orgMembers.Relation,
 Object: organization,
 Subject: &user,
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.True(t, res)
 })
@@ -349,7 +364,7 @@ func TestEngine(t *testing.T) {
 Relation: directoryAccess.Relation,
 Object: file,
 Subject: &user,
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.False(t, res)
 })
@@ -393,7 +408,7 @@ func TestEngine(t *testing.T) {
 Object: obj,
 Relation: ownerRel,
 Subject: &relationtuple.SubjectID{ID: directOwner},
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.True(t, res)
@@ -402,7 +417,7 @@ func TestEngine(t *testing.T) {
 Object: obj,
 Relation: ownerRel,
 Subject: &relationtuple.SubjectID{ID: indirectOwner},
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.True(t, res)
 })
@@ -435,7 +450,7 @@ func TestEngine(t *testing.T) {
 Object: obj,
 Relation: access,
 Subject: &relationtuple.SubjectID{ID: user},
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.True(t, allowed)
@@ -489,7 +504,7 @@ func TestEngine(t *testing.T) {
 Relation: access,
 Subject: &relationtuple.SubjectID{ID: user},
 }
- allowed, err := e.SubjectIsAllowed(context.Background(), req, 100)
+ allowed, err := e.SubjectIsAllowed(context.Background(), req, 0)
 require.NoError(t, err)
 assert.True(t, allowed, req.String())
 }
@@ -543,7 +558,7 @@ func TestEngine(t *testing.T) {
 Subject: &relationtuple.SubjectID{
 ID: stations[2],
 },
- }, 100)
+ }, 0)
 require.NoError(t, err)
 assert.False(t, res)
 })