diff --git a/test/e2e_test/smoke/proxy_test.go b/test/e2e_test/smoke/proxy_test.go
index 5b9821bba..9c72119db 100644
--- a/test/e2e_test/smoke/proxy_test.go
+++ b/test/e2e_test/smoke/proxy_test.go
@@ -130,6 +130,33 @@ func (s *EndToEndProxySmokeTestSuite) TestProxyToEchoServer() {
 s.Assert().Equal(200, res.StatusCode)
 s.Assert().Equal("test-resource", resourceName)
 })
+
+ s.Run("user not part of group will not be authenticated by middleware auth", func() {
+ groupDetail, err := s.client.GetGroup(context.Background(), &shieldv1beta1.GetGroupRequest{Id: s.groupID})
+ s.Require().NoError(err)
+
+ url := fmt.Sprintf("http://localhost:%d/api/resource_slug", s.appConfig.Proxy.Services[0].Port)
+ reqBodyMap := map[string]string{
+ "project": s.projID,
+ "name": "test-resource-group-slug",
+ "group_slug": groupDetail.GetGroup().GetSlug(),
+ }
+ reqBodyBytes, err := json.Marshal(reqBodyMap)
+ s.Require().NoError(err)
+
+ req, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(reqBodyBytes))
+ s.Require().NoError(err)
+
+ req.Header.Set(testbench.IdentityHeader, "member2-group1@gotocompany.com")
+ req.Header.Set("X-Shield-Org", s.orgID)
+
+ res, err := http.DefaultClient.Do(req)
+ s.Require().NoError(err)
+
+ defer res.Body.Close()
+
+ s.Assert().Equal(401, res.StatusCode)
+ })
 s.Run("resource created on echo server should persist in shieldDB when using group slug", func() {
 groupDetail, err := s.client.GetGroup(context.Background(), &shieldv1beta1.GetGroupRequest{Id: s.groupID})
 s.Require().NoError(err)
diff --git a/test/e2e_test/testbench/helper.go b/test/e2e_test/testbench/helper.go
index de74eb100..b8ab40ba2 100644
--- a/test/e2e_test/testbench/helper.go
+++ b/test/e2e_test/testbench/helper.go
@@ -8,6 +8,7 @@ import (
 "net"
 "os"

+ "github.com/goto/shield/internal/schema"
 "github.com/goto/shield/pkg/db"
 shieldv1beta1 "github.com/goto/shield/proto/v1beta1"
 "google.golang.org/grpc"
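Review bot: The new subtest asserts only `401` on the response, so it would still pass if the proxy had forwarded the request and the backend persisted `test-resource-group-slug` before the rejection; the sibling "should persist in shieldDB" subtest shows the DB lookup pattern, and a negative authorization test should assert the inverse (no such resource exists afterwards). The identity `member2-group1@gotocompany.com` reads as a member of group1 while the title says the user is not part of the group, so a comment stating which bootstrapped group this user belongs to and why `s.groupID` must deny it would make the expected denial traceable from the test alone. `http.DefaultClient` has no timeout, so a hung proxy stalls the whole suite; a suite-level `&http.Client{Timeout: 10 * time.Second}` would bound each request. TestProxyToEchoServer starts and ends outside the hunk.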
@@ -193,10 +194,11 @@ func BootstrapGroup(ctx context.Context, cl shieldv1beta1.ShieldServiceClient, c
 data[1].OrgId = orgResp.GetOrganizations()[0].GetId()
 data[2].OrgId = orgResp.GetOrganizations()[0].GetId()

+ ctx = metadata.NewOutgoingContext(ctx, metadata.New(map[string]string{
+ IdentityHeader: creatorEmail,
+ }))
+
 for _, d := range data {
- ctx = metadata.NewOutgoingContext(ctx, metadata.New(map[string]string{
- IdentityHeader: creatorEmail,
- }))
 if _, err := cl.CreateGroup(ctx, &shieldv1beta1.CreateGroupRequest{
 Body: d,
 }); err != nil {
@@ -207,6 +209,43 @@ func BootstrapGroup(ctx context.Context, cl shieldv1beta1.ShieldServiceClient, c
 return nil
 }

+func AssignGroupManager(ctx context.Context, cl shieldv1beta1.ShieldServiceClient, creatorEmail string) error {
+ groupsResp, err := cl.ListGroups(ctx, &shieldv1beta1.ListGroupsRequest{})
+ if err != nil {
+ return err
+ }
+
+ if len(groupsResp.GetGroups()) < 1 {
+ return errors.New("no groups found")
+ }
+
+ ctx = metadata.NewOutgoingContext(ctx, metadata.New(map[string]string{
+ IdentityHeader: creatorEmail,
+ }))
+
+ usr, err := cl.GetCurrentUser(ctx, &shieldv1beta1.GetCurrentUserRequest{})
+ if err != nil {
+ return err
+ }
+
+ for _, grp := range groupsResp.GetGroups() {
+ // assign admin to group
+ _, err = cl.CreateRelation(ctx, &shieldv1beta1.CreateRelationRequest{
+ Body: &shieldv1beta1.RelationRequestBody{
+ ObjectId: grp.GetId(),
+ ObjectNamespace: schema.GroupNamespace,
+ Subject: fmt.Sprintf("%s:%s", schema.UserPrincipal, usr.GetUser().GetId()),
+ RoleName: schema.ManagerRole,
+ },
+ })
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
 func SetupDB(cfg db.Config) (dbc *db.Client, err error) {
 dbc, err = db.New(cfg)
 if err != nil {
diff --git a/test/e2e_test/testbench/testbench.go b/test/e2e_test/testbench/testbench.go
index e5e8dfdcb..fce27151f 100644
--- a/test/e2e_test/testbench/testbench.go
+++ b/test/e2e_test/testbench/testbench.go
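Review bot: In AssignGroupManager the loop comment `// assign admin to group` does not match the relation it writes, which grants `schema.ManagerRole`, and the `return err` inside the loop drops which group failed; change the comment to `// grant creatorEmail the manager role on this group` and wrap as `return fmt.Errorf("assigning manager on group %q: %w", grp.GetId(), err)`. The exported function also has no doc comment; one stating that it makes creatorEmail a manager of every group returned by ListGroups, not only the ones BootstrapGroup created, would document the blast radius for anyone reusing the helper. ListGroups is called on the incoming ctx before the identity metadata is attached, while GetCurrentUser and CreateRelation get the identity; if that endpoint is authenticated this only works because of the test configuration, so attaching the metadata before the first call (or a comment saying why it is unneeded) would be clearer.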
@@ -243,7 +243,10 @@ func SetupTests(t *testing.T) (shieldv1beta1.ShieldServiceClient, *config.Shield
 if err := BootstrapGroup(ctx, client, OrgAdminEmail, testDataPath); err != nil {
 t.Fatal(err)
 }
-
+ time.Sleep(10 * time.Second)
+ if err := AssignGroupManager(ctx, client, OrgAdminEmail); err != nil {
+ t.Fatal(err)
+ }
 return client, appConfig, cancelClient, cancelContextFunc
 }
 func migrateShield(appConfig *config.Shield) error {
diff --git a/test/e2e_test/testbench/testdata/configs/rules/rule.yaml b/test/e2e_test/testbench/testdata/configs/rules/rule.yaml
index 9c28052e7..b81b67894 100644
--- a/test/e2e_test/testbench/testdata/configs/rules/rule.yaml
+++ b/test/e2e_test/testbench/testdata/configs/rules/rule.yaml
@@ -1,7 +1,7 @@
 rules:
 - backends:
 - name: entropy
- target: "http://localhost:60127"
+ target: "http://localhost:61587"
 frontends:
 - name: ping
 path: "/api/ping"
@@ -48,7 +48,7 @@ rules:
 value: org1-group1
 type: constant
 permissions:
- - name: view
+ - name: membership
 namespace: shield/group
 attribute: owner_group
 hooks:
diff --git a/test/e2e_test/testbench/testdata/configs/rules/rule.yamltpl b/test/e2e_test/testbench/testdata/configs/rules/rule.yamltpl
index b51a7490b..8059a3bb5 100644
--- a/test/e2e_test/testbench/testdata/configs/rules/rule.yamltpl
+++ b/test/e2e_test/testbench/testdata/configs/rules/rule.yamltpl
@@ -48,7 +48,7 @@ rules:
 value: org1-group1
 type: constant
 permissions:
- - name: view
+ - name: membership
 namespace: shield/group
 attribute: owner_group
 hooks:
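Review bot: `time.Sleep(10 * time.Second)` before AssignGroupManager is an unexplained fixed wait, which adds ten seconds to every suite run and still flakes on a slow CI host; the hunk gives no hint what it waits for. If it is waiting for the groups written by BootstrapGroup to become visible to ListGroups (AssignGroupManager otherwise returns "no groups found"), polling that condition with a deadline replaces the guess, as sketched below; if it waits for something else, a comment naming the dependency is the minimum. The removed blank line also leaves the closing `}` of the new `if` directly followed by `return`, which gofmt accepts but reads poorly. SetupTests starts and ends outside the hunk.
```go
	// … unchanged: BootstrapGroup call and its t.Fatal …
	// Poll until the bootstrapped groups are visible instead of a fixed 10s sleep;
	// BootstrapGroup indexes data[2], so at least three groups are expected here.
	deadline := time.Now().Add(10 * time.Second)
	for {
		resp, err := client.ListGroups(ctx, &shieldv1beta1.ListGroupsRequest{})
		if err == nil && len(resp.GetGroups()) >= 3 {
			break
		}
		if time.Now().After(deadline) {
			t.Fatalf("bootstrapped groups not visible: %v", err)
		}
		time.Sleep(200 * time.Millisecond)
	}
	if err := AssignGroupManager(ctx, client, OrgAdminEmail); err != nil {
		t.Fatal(err)
	}
```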
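Review bot: rule.yaml and rule.yamltpl receive the same `view` → `membership` edit, but only rule.yaml gets the backend port change to `61587`, which suggests rule.yaml is a rendered copy of the template with the port filled in; if so, the committed rendered file will drift again on the next port change, and either it should be produced at test time and not committed, or a header comment such as `# rendered from rule.yamltpl; edit the template, not this file` should say so. The permission `membership` must also be defined for the `shield/group` namespace in the authorization schema; nothing in this diff shows that definition, and a missing permission would presumably deny every caller, including the positive subtests, so it is worth confirming in the same change.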