From f24c5ed4eca2e98cfef6ceef71561630f95f04c7 Mon Sep 17 00:00:00 2001
From: arekkas
Date: Mon, 11 Jun 2018 12:52:53 +0200
Subject: [PATCH] warden: Use roles in warden decision

Closes #21
Closes #19
---
 warden/helper_test.go | 25 +++++++++++++++++++++++++
 warden/warden_local.go | 8 ++++----
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/warden/helper_test.go b/warden/helper_test.go
index c6440b26a..74bd27682 100644
--- a/warden/helper_test.go
+++ b/warden/helper_test.go
@@ -63,6 +63,24 @@ var (
 },
 expectErr: false,
 },
+ {
+ req: &warden.AccessRequest{
+ Subject: "ken",
+ Resource: "forbidden_matrix",
+ Action: "create",
+ Context: ladon.Context{},
+ },
+ expectErr: true,
+ },
+ {
+ req: &warden.AccessRequest{
+ Subject: "ken",
+ Resource: "allowed_matrix",
+ Action: "create",
+ Context: ladon.Context{},
+ },
+ expectErr: false,
+ },
 }
 wardens = map[string]warden.Firewall{}
 ladonWarden = &ladon.Ladon{
@@ -89,6 +107,13 @@ var (
 Actions: []string{"create", "decide"},
 Effect: ladon.DenyAccess,
 },
+ "4": &ladon.DefaultPolicy{
+ ID: "4",
+ Subjects: []string{"group1"},
+ Resources: []string{"allowed_matrix", "rn:hydra:token<.*>"},
+ Actions: []string{"create", "decide"},
+ Effect: ladon.AllowAccess,
+ },
 },
 },
 }
diff --git a/warden/warden_local.go b/warden/warden_local.go
index d2ff590a3..fef159194 100644
--- a/warden/warden_local.go
+++ b/warden/warden_local.go
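Review bot: The two new "ken" cases assert a role-derived decision, but nothing in this hunk shows why ken is denied on `forbidden_matrix` and allowed on `allowed_matrix`; the outcome presumably rests on ken's membership in group1 and on the new policy "4", both set up elsewhere in the fixture. A short comment on the cases would make that dependency explicit, e.g. `// ken: expected to reach allowed_matrix only through a role (policy "4"); forbidden_matrix has no matching policy and must fall through to deny`. The `forbidden_matrix` case is the more valuable of the two, since it checks that role resolution does not widen access beyond what a policy actually grants. The enclosing `var (` block starts and ends outside the hunk.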
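Review bot: Policy "4" grants group1 create/decide on `rn:hydra:token<.*>` as well as on `allowed_matrix`, which is broader than the two new cases need; every fixture subject that resolves to group1 now matches all token resources, so any existing case on those resources is decided by how ladon combines this allow with the deny policy immediately above it. If the token wildcard is there for an existing case, a comment naming it would keep the fixture readable, e.g. `// token wildcard needed by the <case name> case`; otherwise trimming Resources to `"allowed_matrix"` keeps the role-based allow minimal and the fixture's intent clear. The enclosing `var (` block starts and ends outside the hunk.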
@@ -71,20 +71,20 @@ func (w *Warden) IsAllowed(ctx context.Context, a *AccessRequest) error {
 }
 func (w *Warden) isAllowed(ctx context.Context, a *ladon.Request) error {
- groups, err := w.Roles.FindRolesByMember(a.Subject, 10000, 0)
+ roles, err := w.Roles.FindRolesByMember(a.Subject, 10000, 0)
 if err != nil {
 return err
 }
- errs := make([]error, len(groups)+1)
- return w.Warden.IsAllowed(&ladon.Request{
+ errs := make([]error, len(roles)+1)
+ errs[0] = w.Warden.IsAllowed(&ladon.Request{
 Resource: a.Resource,
 Action: a.Action,
 Subject: a.Subject,
 Context: a.Context,
 })
- for k, g := range groups {
+ for k, g := range roles {
 errs[k+1] = w.Warden.IsAllowed(&ladon.Request{
 Resource: a.Resource,
 Action: a.Action,