forked from baron/baron-sso
Ory Keto ReBAC Policy & Relation Tuple Architecture
This commit is contained in:
@@ -16,52 +16,15 @@ import (
|
||||
"baron-sso-backend/internal/domain"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/mock"
|
||||
)
|
||||
|
||||
// --- Mocks ---
|
||||
|
||||
type MockKetoService struct {
|
||||
mock.Mock
|
||||
}
|
||||
|
||||
func (m *MockKetoService) CheckPermission(ctx context.Context, subject, namespace, object, relation string) (bool, error) {
|
||||
args := m.Called(ctx, subject, namespace, object, relation)
|
||||
return args.Bool(0), args.Error(1)
|
||||
}
|
||||
|
||||
func (m *MockKetoService) CreateRelation(ctx context.Context, namespace, object, relation, subject string) error {
|
||||
args := m.Called(ctx, namespace, object, relation, subject)
|
||||
return args.Error(0)
|
||||
}
|
||||
|
||||
func (m *MockKetoService) DeleteRelation(ctx context.Context, namespace, object, relation, subject string) error {
|
||||
args := m.Called(ctx, namespace, object, relation, subject)
|
||||
return args.Error(0)
|
||||
}
|
||||
|
||||
func (m *MockKetoService) ListRelations(ctx context.Context, namespace, object, relation, subject string) ([]RelationTuple, error) {
|
||||
args := m.Called(ctx, namespace, object, relation, subject)
|
||||
if args.Get(0) == nil {
|
||||
return nil, args.Error(1)
|
||||
}
|
||||
return args.Get(0).([]RelationTuple), args.Error(1)
|
||||
}
|
||||
|
||||
func (m *MockKetoService) ListObjects(ctx context.Context, namespace, relation, subject string) ([]string, error) {
|
||||
args := m.Called(ctx, namespace, relation, subject)
|
||||
if args.Get(0) == nil {
|
||||
return nil, args.Error(1)
|
||||
}
|
||||
return args.Get(0).([]string), args.Error(1)
|
||||
}
|
||||
|
||||
// --- Test Helpers ---
|
||||
|
||||
type hydraRoundTripperFunc func(*http.Request) (*http.Response, error)
|
||||
@@ -83,7 +46,8 @@ func mockHydraClient(handler http.Handler) *http.Client {
|
||||
// --- Tests ---
|
||||
|
||||
func TestRelyingPartyService_Create_Success(t *testing.T) {
|
||||
mockKeto := new(MockKetoService)
|
||||
mockKeto := new(MockKetoServiceShared)
|
||||
mockOutbox := new(MockKetoOutboxRepositoryShared)
|
||||
|
||||
tenantID := "tenant-1"
|
||||
inputClient := domain.HydraClient{
|
||||
@@ -113,25 +77,23 @@ func TestRelyingPartyService_Create_Success(t *testing.T) {
|
||||
HTTPClient: mockHydraClient(hydraHandler),
|
||||
}
|
||||
|
||||
mockKeto.On("CreateRelation", mock.Anything, "RelyingParty", "generated-client-id", "parent_tenant", "Tenant:"+tenantID).Return(nil)
|
||||
// Keto sync via Outbox using 'parents' relation
|
||||
mockOutbox.On("Create", mock.Anything, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
|
||||
return e.Namespace == "RelyingParty" && e.Object == "generated-client-id" && e.Relation == "parents" && e.Subject == "Tenant:"+tenantID
|
||||
})).Return(nil)
|
||||
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto)
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto, mockOutbox)
|
||||
rp, err := svc.Create(context.Background(), tenantID, inputClient)
|
||||
if err != nil {
|
||||
t.Fatalf("Create failed: %v", err)
|
||||
}
|
||||
if rp.ClientID != "generated-client-id" {
|
||||
t.Errorf("expected client id generated-client-id, got %s", rp.ClientID)
|
||||
}
|
||||
if rp.TenantID != tenantID {
|
||||
t.Errorf("expected tenant id %s, got %s", tenantID, rp.TenantID)
|
||||
}
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, "generated-client-id", rp.ClientID)
|
||||
assert.Equal(t, tenantID, rp.TenantID)
|
||||
|
||||
mockKeto.AssertExpectations(t)
|
||||
mockOutbox.AssertExpectations(t)
|
||||
}
|
||||
|
||||
func TestRelyingPartyService_Create_HydraFail(t *testing.T) {
|
||||
mockKeto := new(MockKetoService)
|
||||
mockKeto := new(MockKetoServiceShared)
|
||||
mockOutbox := new(MockKetoOutboxRepositoryShared)
|
||||
|
||||
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
@@ -141,54 +103,15 @@ func TestRelyingPartyService_Create_HydraFail(t *testing.T) {
|
||||
HTTPClient: mockHydraClient(hydraHandler),
|
||||
}
|
||||
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto)
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto, mockOutbox)
|
||||
_, err := svc.Create(context.Background(), "tenant-1", domain.HydraClient{})
|
||||
|
||||
if err == nil {
|
||||
t.Error("expected error from hydra")
|
||||
}
|
||||
}
|
||||
|
||||
func TestRelyingPartyService_Create_KetoFail_Rollback(t *testing.T) {
|
||||
mockKeto := new(MockKetoService)
|
||||
|
||||
clientID := "rollback-client-id"
|
||||
deleteCalled := false
|
||||
|
||||
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method == http.MethodPost {
|
||||
_ = json.NewEncoder(w).Encode(domain.HydraClient{ClientID: clientID})
|
||||
return
|
||||
}
|
||||
if r.Method == http.MethodDelete && strings.Contains(r.URL.Path, clientID) {
|
||||
deleteCalled = true
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
return
|
||||
}
|
||||
http.NotFound(w, r)
|
||||
})
|
||||
hydraSvc := &HydraAdminService{
|
||||
AdminURL: "http://hydra:4445",
|
||||
HTTPClient: mockHydraClient(hydraHandler),
|
||||
}
|
||||
|
||||
mockKeto.On("CreateRelation", mock.Anything, "RelyingParty", clientID, "parent_tenant", "Tenant:tenant-1").Return(errors.New("keto error"))
|
||||
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto)
|
||||
_, err := svc.Create(context.Background(), "tenant-1", domain.HydraClient{})
|
||||
|
||||
if err == nil {
|
||||
t.Error("expected error from keto")
|
||||
}
|
||||
if !deleteCalled {
|
||||
t.Error("expected hydra client cleanup on keto failure")
|
||||
}
|
||||
|
||||
mockKeto.AssertExpectations(t)
|
||||
assert.Error(t, err)
|
||||
}
|
||||
|
||||
func TestRelyingPartyService_Get_Success(t *testing.T) {
|
||||
mockKeto := new(MockKetoService)
|
||||
mockKeto := new(MockKetoServiceShared)
|
||||
mockOutbox := new(MockKetoOutboxRepositoryShared)
|
||||
clientID := "client-123"
|
||||
|
||||
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
@@ -205,21 +128,16 @@ func TestRelyingPartyService_Get_Success(t *testing.T) {
|
||||
HTTPClient: mockHydraClient(hydraHandler),
|
||||
}
|
||||
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto)
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto, mockOutbox)
|
||||
rp, hc, err := svc.Get(context.Background(), clientID)
|
||||
if err != nil {
|
||||
t.Fatalf("Get failed: %v", err)
|
||||
}
|
||||
if rp.Name != "Hydra Name" {
|
||||
t.Errorf("expected Hydra Name, got %s", rp.Name)
|
||||
}
|
||||
if hc.ClientName != "Hydra Name" {
|
||||
t.Errorf("expected Hydra Name, got %s", hc.ClientName)
|
||||
}
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, "Hydra Name", rp.Name)
|
||||
assert.Equal(t, "Hydra Name", hc.ClientName)
|
||||
}
|
||||
|
||||
func TestRelyingPartyService_Update_Success(t *testing.T) {
|
||||
mockKeto := new(MockKetoService)
|
||||
mockKeto := new(MockKetoServiceShared)
|
||||
mockOutbox := new(MockKetoOutboxRepositoryShared)
|
||||
clientID := "client-123"
|
||||
|
||||
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
@@ -235,20 +153,17 @@ func TestRelyingPartyService_Update_Success(t *testing.T) {
|
||||
HTTPClient: mockHydraClient(hydraHandler),
|
||||
}
|
||||
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto)
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto, mockOutbox)
|
||||
|
||||
updateReq := domain.HydraClient{ClientName: "New Name"}
|
||||
rp, err := svc.Update(context.Background(), clientID, updateReq)
|
||||
if err != nil {
|
||||
t.Fatalf("Update failed: %v", err)
|
||||
}
|
||||
if rp.Name != "New Name" {
|
||||
t.Errorf("expected New Name, got %s", rp.Name)
|
||||
}
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, "New Name", rp.Name)
|
||||
}
|
||||
|
||||
func TestRelyingPartyService_Delete_Success(t *testing.T) {
|
||||
mockKeto := new(MockKetoService)
|
||||
mockKeto := new(MockKetoServiceShared)
|
||||
mockOutbox := new(MockKetoOutboxRepositoryShared)
|
||||
clientID := "client-123"
|
||||
tenantID := "tenant-1"
|
||||
|
||||
@@ -273,13 +188,14 @@ func TestRelyingPartyService_Delete_Success(t *testing.T) {
|
||||
HTTPClient: mockHydraClient(hydraHandler),
|
||||
}
|
||||
|
||||
mockKeto.On("DeleteRelation", mock.Anything, "RelyingParty", clientID, "parent_tenant", "Tenant:"+tenantID).Return(nil)
|
||||
// Delete relation via Outbox using 'parents'
|
||||
mockOutbox.On("Create", mock.Anything, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
|
||||
return e.Namespace == "RelyingParty" && e.Object == clientID && e.Relation == "parents" && e.Subject == "Tenant:"+tenantID
|
||||
})).Return(nil)
|
||||
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto)
|
||||
svc := NewRelyingPartyService(hydraSvc, mockKeto, mockOutbox)
|
||||
err := svc.Delete(context.Background(), clientID)
|
||||
if err != nil {
|
||||
t.Fatalf("Delete failed: %v", err)
|
||||
}
|
||||
assert.NoError(t, err)
|
||||
|
||||
mockKeto.AssertExpectations(t)
|
||||
mockOutbox.AssertExpectations(t)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user