From 6d1b47646e37fc2600f8203c6fc86178f56c93f5 Mon Sep 17 00:00:00 2001
From: Cowan Macady
Date: Fri, 8 Nov 2024 13:58:03 +0100
Subject: [PATCH] test: add kbac tests for external property implement ENG-4307
---
.../authorization_integration_test.go | 1984 +++++------------
examples/authorization/cmd/is_authorized.go | 18 +-
examples/authorization/cmd/what_authorized.go | 6 +-
examples/authorization/cmd/who_authorized.go | 6 +-
examples/config/cmd/authorization.go | 110 +
.../cmd/external_data_resolver_config.go | 33 +-
examples/ingest/cmd/batch_delete_nodes.go | 11 +-
examples/ingest/cmd/batch_upsert_nodes.go | 25 +-
.../ingest/cmd/batch_upsert_relationships.go | 55 +-
test/constants.go | 55 +-
10 files changed, 787 insertions(+), 1516 deletions(-)
create mode 100644 examples/config/cmd/authorization.go
diff --git a/authorization/authorization_integration_test.go b/authorization/authorization_integration_test.go
index 62e2af15..f4c0440c 100644
--- a/authorization/authorization_integration_test.go
+++ b/authorization/authorization_integration_test.go
@@ -60,837 +60,317 @@ var _ = Describe("Authorized", func() { } }, NodeTimeout(time.Second*10)) - It("IsAuthorizedDT", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resources := integration.Resource1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + DescribeTable("DT Authorization tests", + func(digitalTwinId string, + resources []*authorizationpb.IsAuthorizedRequest_Resource, + policyTags []string, + expectedAllow bool, + expectedError string, + numberResources int) { + authorizationClient, err := integration.InitConfigAuthorization() + Expect(err).To(Succeed()) + + digitalTwin := &authorizationpb.DigitalTwin{ + Id: digitalTwinId, + } + + inputParams := map[string]*authorizationpb.InputParam{ + "auditLog": { + Value: &authorizationpb.InputParam_StringValue{ + StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }, }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(true), - })), - }), - })), - }), - })), 
- }), - }))) - }) - - It("IsAuthorizedDTMultiple", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node2, - } - - resources := integration.Resource9 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - resource1 := resources[1].ExternalId - action1 := resources[1].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(true), - })), - }), - })), - resource1: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action1: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(true), - })), - }), - })), - }), - })), - }), - }))) - }) - - It("IsAuthorizedTags", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resources := integration.Resource1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - policyTags := []string{"TagOne"} - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(true), - })), - }), - })), - }), - })), - }), - }))) - }) - - It("IsAuthorizedWrongTags", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resources := integration.Resource1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - policyTags := []string{"TagBad"} - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(false), - })), - }), - })), - }), - })), - }), - }))) - }) - - It("IsAuthorizedDTResourceNonValid", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resources := integration.Resource2 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- noAuditLogEntry = true - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - Expect(err).To(MatchError(ContainSubstring( - "invalid IsAuthorizedRequest_Resource.Type: value length must be between 2 and 50 runes"))) - Expect(resp).To(BeNil()) - }) - - It("IsAuthorizedDTSubjectNonValid", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.NodeBad, - } - - resources := integration.Resource2 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - noAuditLogEntry = true - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - Expect(err).To(MatchError(ContainSubstring("invalid IsAuthorizedRequest.Subject"))) - Expect(resp).To(BeNil()) - }) - - It("IsAuthorizedDTSubjectNotInDB", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.NodeNotInDB, - } - - resources := integration.Resource1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(false), - })), - }), - })), - }), - })), - }), - }))) - }) - - It("IsAuthorizedDTResourceNotInDB", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resources := integration.Resource3 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(false), - })), - }), - })), - }), - })), - }), - }))) - }) - - It("IsAuthorizedDTResourceNoSubscription", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resources := integration.Resource4 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(false), - })), - }), - })), - }), - })), - }), - }))) - }) - - It("IsAuthorizedDTResourceNoOrganization", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resources := integration.Resource7 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(false), - })), - }), - })), - }), - })), - }), - }))) - }) - - It("IsAuthorizedDTNoService", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resources := integration.Resource6 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(false), - })), - }), - })), - }), - })), - }), - }))) - }) - - It("IsAuthorizedDTResourceNotLinked", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resources := integration.Resource4 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorized( - context.Background(), - digitalTwin, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(false), + } + + resp, err := authorizationClient.IsAuthorized( + context.Background(), + digitalTwin, + resources, + inputParams, + policyTags, + retry.WithMax(5), + ) + + if expectedError != "" { + if numberResources == 0 { + noAuditLogEntry = true + } + Expect(err).To(MatchError(ContainSubstring(expectedError))) + Expect(resp).To(BeNil()) + } else { + Expect(err).To(Succeed()) + Expect(resp).NotTo(BeNil()) + + decision := resources[0].Type + resource := resources[0].ExternalId + action := resources[0].Actions[0] + + Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ + "DecisionTime": Not(BeNil()), + "Decisions": MatchAllKeys(Keys{ + decision: PointTo(MatchFields(IgnoreExtras, Fields{ + "Resources": MatchAllKeys(Keys{ + resource: PointTo(MatchFields(IgnoreExtras, Fields{ + "Actions": MatchAllKeys(Keys{ + action: PointTo(MatchFields(IgnoreExtras, Fields{ + "Allow": Equal(expectedAllow), + })), + }), })), }), })), }), - })), - }), - }))) - }) - - It("IsAuthorizedProperty", func() { - var err error - authorizationClient, err := 
integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwinProperty := &authorizationpb.Property{ - Type: "email", - Value: objectpb.String(integration.EmailGood), - } - - resources := integration.Resource1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }))) + } + }, + Entry("Authorized single resource", integration.Node1, integration.Resource1, + []string{}, true, "", 1), + Entry("Authorized with tags", integration.Node1, integration.Resource1, + []string{"TagOne"}, true, "", 1), + Entry("Unauthorized with wrong tags", integration.Node1, integration.Resource1, + []string{"TagBad"}, false, "", 1), + Entry("Invalid resource type", integration.Node1, integration.Resource2, []string{}, false, + "invalid IsAuthorizedRequest_Resource.Type: value length must be between 2 and 50 runes", 0), + Entry("Invalid digital twin subject", integration.NodeBad, integration.Resource2, + []string{}, false, + "invalid IsAuthorizedRequest.Subject", 0), + Entry("Digital twin not in DB", integration.NodeNotInDB, integration.Resource1, + []string{}, false, "", 1), + Entry("Resource not in DB", integration.Node1, integration.Resource3, + []string{}, false, "", 1), + Entry("Resource without subscription", integration.Node1, integration.Resource4, + []string{}, false, "", 1), + Entry("Resource without organization", integration.Node1, integration.Resource7, + []string{}, false, "", 1), + Entry("Authorized without service", integration.Node1, integration.Resource6, + []string{}, false, "", 1), + Entry("Resource not linked", integration.Node1, integration.Resource4, + []string{}, false, "", 1), + Entry("Authorized with external property", integration.Node3, + integration.Resource10, []string{}, true, "", 1), + Entry("Authorized without 
external property", integration.Node3, + integration.Resource12, []string{}, false, "", 1), + Entry("Authorized with wrong external property", integration.Node3, + integration.Resource13, []string{}, false, + "server was unable to complete the request", 1), + Entry("Authorized with external property against policy", integration.Node3, + integration.Resource11, []string{}, false, "", 1), + ) + + DescribeTable("DT Authorization multiple tests", + func(digitalTwinId string, + resources []*authorizationpb.IsAuthorizedRequest_Resource, + policyTags []string, + expectedAllow bool, + expectedError string, + numberResources int) { + authorizationClient, err := integration.InitConfigAuthorization() + Expect(err).To(Succeed()) + + digitalTwin := &authorizationpb.DigitalTwin{ + Id: digitalTwinId, + } + + inputParams := map[string]*authorizationpb.InputParam{ + "auditLog": { + Value: &authorizationpb.InputParam_StringValue{ + StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }, }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorizedByProperty( - context.Background(), - digitalTwinProperty, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(true), + } + + resp, err := authorizationClient.IsAuthorized( + context.Background(), + digitalTwin, + resources, + inputParams, + policyTags, + retry.WithMax(5), + ) + + if expectedError != "" { + if numberResources == 0 { + noAuditLogEntry = true + } + 
Expect(err).To(MatchError(ContainSubstring(expectedError))) + Expect(resp).To(BeNil()) + } else { + Expect(err).To(Succeed()) + Expect(resp).NotTo(BeNil()) + + decision := resources[0].Type + resource := resources[0].ExternalId + action := resources[0].Actions[0] + resource1 := resources[1].ExternalId + action1 := resources[1].Actions[0] + Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ + "DecisionTime": Not(BeNil()), + "Decisions": MatchAllKeys(Keys{ + decision: PointTo(MatchFields(IgnoreExtras, Fields{ + "Resources": MatchAllKeys(Keys{ + resource: PointTo(MatchFields(IgnoreExtras, Fields{ + "Actions": MatchAllKeys(Keys{ + action: PointTo(MatchFields(IgnoreExtras, Fields{ + "Allow": Equal(expectedAllow), + })), + }), })), - }), - })), - }), - })), - }), - }))) - }) - - It("IsAuthorizedPropertyNotInDB", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwinProperty := &authorizationpb.Property{ - Type: "email", - Value: objectpb.String(integration.EmailBad), - } - - resources := integration.Resource1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorizedByProperty( - context.Background(), - digitalTwinProperty, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(false), + resource1: PointTo(MatchFields(IgnoreExtras, Fields{ + "Actions": MatchAllKeys(Keys{ + action1: PointTo(MatchFields(IgnoreExtras, Fields{ + "Allow": Equal(expectedAllow), + })), + }), })), }), })), }), - })), - }), - }))) - }) - - It("IsAuthorizedExternalID", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - externalID := &authorizationpb.ExternalID{ - Type: "Person", - ExternalId: integration.Subject2, - } - - resources := integration.Resource1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }))) + } + }, + Entry("Authorized multiple resources", integration.Node2, integration.Resource9, + []string{}, true, "", 2), + ) + + DescribeTable("Property Authorization tests", + func(typeNode string, + property string, + resources []*authorizationpb.IsAuthorizedRequest_Resource, + policyTags []string, + expectedAllow bool, + expectedError string) { + authorizationClient, err := integration.InitConfigAuthorization() + Expect(err).To(Succeed()) + + digitalTwinProperty := &authorizationpb.Property{ + Type: typeNode, + Value: objectpb.String(property), + } + // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. + inputParams := map[string]*authorizationpb.InputParam{ + "auditLog": { + Value: &authorizationpb.InputParam_StringValue{ + StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }, }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorizedByExternalID( - context.Background(), - externalID, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(true), + } + + resp, err := authorizationClient.IsAuthorizedByProperty( + context.Background(), + digitalTwinProperty, + resources, + inputParams, + policyTags, + retry.WithMax(5), + ) + + if expectedError != "" { + 
noAuditLogEntry = true + Expect(err).To(MatchError(ContainSubstring(expectedError))) + Expect(resp).To(BeNil()) + } else { + Expect(err).To(Succeed()) + Expect(resp).NotTo(BeNil()) + + decision := resources[0].Type + resource := resources[0].ExternalId + action := resources[0].Actions[0] + Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ + "DecisionTime": Not(BeNil()), + "Decisions": MatchAllKeys(Keys{ + decision: PointTo(MatchFields(IgnoreExtras, Fields{ + "Resources": MatchAllKeys(Keys{ + resource: PointTo(MatchFields(IgnoreExtras, Fields{ + "Actions": MatchAllKeys(Keys{ + action: PointTo(MatchFields(IgnoreExtras, Fields{ + "Allow": Equal(expectedAllow), + })), + }), })), }), })), }), - })), - }), - }))) - }) - - It("IsAuthorizedExternalIDNotInDB", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - externalID := &authorizationpb.ExternalID{ - Type: "Person", - ExternalId: "anythingwrong", - } - - resources := integration.Resource1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }))) + } + }, + Entry("Authorized property", "email", integration.EmailGood, + integration.Resource1, []string{}, true, ""), + Entry("Authorized property not in DB", "email", integration.EmailBad, + integration.Resource1, []string{}, false, ""), + Entry("Authorized property with external property", "email", integration.EmailGood, + integration.Resource14, []string{}, true, ""), + ) + + DescribeTable("ExternalID Authorization tests", + func(typeNode string, + id string, + resources []*authorizationpb.IsAuthorizedRequest_Resource, + policyTags []string, + expectedAllow bool, + expectedError string) { + authorizationClient, err := integration.InitConfigAuthorization() + Expect(err).To(Succeed()) + + externalID := &authorizationpb.ExternalID{ + Type: typeNode, + ExternalId: id, + } + // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
+ inputParams := map[string]*authorizationpb.InputParam{ + "auditLog": { + Value: &authorizationpb.InputParam_StringValue{ + StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }, }, - }, - } - var policyTags []string - - resp, err := authorizationClient.IsAuthorizedByExternalID( - context.Background(), - externalID, - resources, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action := resources[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Allow": Equal(false), + } + + resp, err := authorizationClient.IsAuthorizedByExternalID( + context.Background(), + externalID, + resources, + inputParams, + policyTags, + retry.WithMax(5), + ) + + if expectedError != "" { + noAuditLogEntry = true + Expect(err).To(MatchError(ContainSubstring(expectedError))) + Expect(resp).To(BeNil()) + } else { + Expect(err).To(Succeed()) + Expect(resp).NotTo(BeNil()) + + decision := resources[0].Type + resource := resources[0].ExternalId + action := resources[0].Actions[0] + Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ + "DecisionTime": Not(BeNil()), + "Decisions": MatchAllKeys(Keys{ + decision: PointTo(MatchFields(IgnoreExtras, Fields{ + "Resources": MatchAllKeys(Keys{ + resource: PointTo(MatchFields(IgnoreExtras, Fields{ + "Actions": MatchAllKeys(Keys{ + action: PointTo(MatchFields(IgnoreExtras, Fields{ + "Allow": Equal(expectedAllow), + })), + }), })), }), })), }), - })), - }), - }))) - }) + }))) + } + }, + Entry("Authorized external ID", "Person", integration.Subject2, + integration.Resource1, []string{}, true, ""), 
+ Entry("Authorized external ID not in DB", "Person", "anythingwrong", + integration.Resource1, []string{}, false, ""), + Entry("External ID with external property", "Person", integration.Subject2, + integration.Resource14, []string{}, true, ""), + Entry("External ID with external property against policy", "Person", integration.Subject2, + integration.Resource11, []string{}, false, ""), + ) }) Describe("WhatAuthorized", func() { 
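Review bot: The audit-log skip is keyed on a magic value in the two DT tables (`if numberResources == 0 { noAuditLogEntry = true }`) but is unconditional on any expected error in the Property and ExternalID tables, so nothing states whether a rejected request must still leave an audit record. The entry "Authorized with wrong external property" expects "server was unable to complete the request" yet passes 1, which presumably keeps the audit check active for a failed external property lookup; `noAuditLogEntry` is read outside this hunk, so that is inferred. I would replace `numberResources int` with `expectAuditLog bool`, use `if !expectAuditLog { noAuditLogEntry = true }` in all four tables, and add a comment on the parameter naming which failures are expected to be audited. Several deny cases are also titled "Authorized …" (for example "Authorized without service" with expectedAllow false), and "Resource without subscription" and "Resource not linked" pass the same Node1/Resource4 pair, so one of those names does not describe a distinct case.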
@@ -919,460 +399,239 @@ var _ = Describe("Authorized", func() { } }, NodeTimeout(time.Second*10)) - It("WhatAuthorizedDT", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resourcesTypes := integration.ResourceType1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + DescribeTable("What Authorization DT", + func(digitalTwinId string, + resourcesTypes []*authorizationpb.WhatAuthorizedRequest_ResourceType, + results []string, + policyTags []string, + expectedError string) { + authorizationClient, err := integration.InitConfigAuthorization() + Expect(err).To(Succeed()) + + digitalTwin := &authorizationpb.DigitalTwin{ + Id: digitalTwinId, + } + + // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
+ inputParams := map[string]*authorizationpb.InputParam{ + "auditLog": { + Value: &authorizationpb.InputParam_StringValue{ + StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }, }, - }, - } - var policyTags []string - - resp, err := authorizationClient.WhatAuthorized( - context.Background(), - digitalTwin, - resourcesTypes, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resourcesTypes[0].Type - action := resourcesTypes[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllElementsWithIndex(IndexIdentity, Elements{ - "0": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset4), - })), - "1": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset3), - })), - "2": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset1), - })), - "3": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset2), - })), - "4": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset5), + } + + resp, err := authorizationClient.WhatAuthorized( + context.Background(), + digitalTwin, + resourcesTypes, + inputParams, + policyTags, + retry.WithMax(5), + ) + + if expectedError != "" { + noAuditLogEntry = true + Expect(err).To(MatchError(ContainSubstring(expectedError))) + Expect(resp).To(BeNil()) + } else { + Expect(err).To(Succeed()) + Expect(resp).NotTo(BeNil()) + + decision := resourcesTypes[0].Type + action := resourcesTypes[0].Actions[0] + resourceMatcher := BeEmpty() // Default to empty if no results + if len(results) > 0 { + elements := Elements{} + for i, result := range results { + elements[fmt.Sprintf("%d", i)] = 
PointTo(MatchFields(IgnoreExtras, Fields{ + "ExternalId": Equal(result), + })) + } + resourceMatcher = MatchAllElementsWithIndex(IndexIdentity, elements) + } + Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ + "DecisionTime": Not(BeNil()), + "Decisions": MatchAllKeys(Keys{ + decision: PointTo(MatchFields(IgnoreExtras, Fields{ + "Actions": MatchAllKeys(Keys{ + action: PointTo(MatchFields(IgnoreExtras, Fields{ + "Resources": resourceMatcher, })), }), })), }), - })), - }), - }))) - }) - - It("WhatAuthorizedDTResourceNonValid", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resourcesTypes := integration.ResourceType2 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - noAuditLogEntry = true - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.WhatAuthorized( - context.Background(), - digitalTwin, - resourcesTypes, - inputParams, - policyTags, - retry.WithMax(5), - ) - Expect(err).To(MatchError(ContainSubstring( - "invalid WhatAuthorizedRequest_ResourceType.Type: value length must be between 2 and 50 runes"))) - Expect(resp).To(BeNil()) - }) - - It("WhatAuthorizedDTSubjectNonValid", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.NodeBad, - } - - resourcesTypes := integration.ResourceType1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- noAuditLogEntry = true - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.WhatAuthorized( - context.Background(), - digitalTwin, - resourcesTypes, - inputParams, - policyTags, - retry.WithMax(5), - ) - Expect(err).To(MatchError(ContainSubstring( - "invalid DigitalTwin.Id: value length must be between 27 and 100 runes"))) - Expect(resp).To(BeNil()) - }) - - It("WhatAuthorizedDTSubjectNotInDB", func() { - var err error - - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin := &authorizationpb.DigitalTwin{ - Id: integration.NodeNotInDB, - } - - resourcesTypes := integration.ResourceType1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.WhatAuthorized( - context.Background(), - digitalTwin, - resourcesTypes, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resourcesTypes[0].Type - action := resourcesTypes[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": BeEmpty(), - })), - }), - })), - }), - }))) - }) - - It("WhatAuthorizedDTResourceNotInDB", func() { - var err error - - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwin 
:= &authorizationpb.DigitalTwin{ - Id: integration.Node1, - } - - resourcesTypes := integration.ResourceType3 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.WhatAuthorized( - context.Background(), - digitalTwin, - resourcesTypes, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resourcesTypes[0].Type - action := resourcesTypes[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": BeEmpty(), - })), - }), - })), - }), - }))) - }) - - It("WhatAuthorizedProperty", func() { - var err error - - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwinProperty := &authorizationpb.Property{ - Type: "email", - Value: objectpb.String(integration.EmailGood2), - } - - resourcesTypes := integration.ResourceType1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
- inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }))) + } + }, + Entry("What authorized DT", integration.Node1, integration.ResourceType1, + []string{integration.Asset4, integration.Asset3, integration.Asset1, + integration.Asset2, integration.Asset5}, []string{}, ""), + Entry("What Authorized DT Resource Non Valid", integration.Node1, integration.ResourceType2, + []string{}, []string{}, + "invalid WhatAuthorizedRequest_ResourceType.Type: value length must be between 2 and 50 runes"), + Entry("What Authorized DT Subject Non Valid", integration.NodeBad, integration.ResourceType1, + []string{}, []string{}, "invalid DigitalTwin.Id: value length must be between 27 and 100 runes"), + Entry("What Authorized DT Subject Not In DB", integration.NodeNotInDB, + integration.ResourceType1, []string{}, []string{}, ""), + Entry("What Authorized DT Resource Not In DB", integration.Node1, + integration.ResourceType3, []string{}, []string{}, ""), + Entry("What Authorized DT With External Property", integration.Node6, integration.ResourceType4, + []string{integration.Truck1}, []string{}, ""), + Entry("What Authorized DT With External Property Wrong Action", integration.Node7, + integration.ResourceType4, []string{}, []string{}, ""), + ) + + DescribeTable("What Authorization Property", + func(propertyType string, + property string, + resourcesTypes []*authorizationpb.WhatAuthorizedRequest_ResourceType, + results []string, + policyTags []string, + expectedError string) { + authorizationClient, err := integration.InitConfigAuthorization() + Expect(err).To(Succeed()) + + digitalTwinProperty := &authorizationpb.Property{ + Type: propertyType, + Value: objectpb.String(property), + } + + // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
+ inputParams := map[string]*authorizationpb.InputParam{ + "auditLog": { + Value: &authorizationpb.InputParam_StringValue{ + StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }, }, - }, - } - var policyTags []string - - resp, err := authorizationClient.WhatAuthorizedByProperty( - context.Background(), - digitalTwinProperty, - resourcesTypes, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resourcesTypes[0].Type - action := resourcesTypes[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllElementsWithIndex(IndexIdentity, Elements{ - "0": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset4), - })), - "1": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset3), - })), - "2": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset1), + } + + resp, err := authorizationClient.WhatAuthorizedByProperty( + context.Background(), + digitalTwinProperty, + resourcesTypes, + inputParams, + policyTags, + retry.WithMax(5), + ) + + if expectedError != "" { + noAuditLogEntry = true + Expect(err).To(MatchError(ContainSubstring(expectedError))) + Expect(resp).To(BeNil()) + } else { + Expect(err).To(Succeed()) + Expect(resp).NotTo(BeNil()) + + decision := resourcesTypes[0].Type + action := resourcesTypes[0].Actions[0] + resourceMatcher := BeEmpty() // Default to empty if no results + if len(results) > 0 { + elements := Elements{} + for i, result := range results { + elements[fmt.Sprintf("%d", i)] = PointTo(MatchFields(IgnoreExtras, Fields{ + "ExternalId": Equal(result), + })) + } + resourceMatcher = MatchAllElementsWithIndex(IndexIdentity, elements) + } + 
Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ + "DecisionTime": Not(BeNil()), + "Decisions": MatchAllKeys(Keys{ + decision: PointTo(MatchFields(IgnoreExtras, Fields{ + "Actions": MatchAllKeys(Keys{ + action: PointTo(MatchFields(IgnoreExtras, Fields{ + "Resources": resourceMatcher, })), }), })), }), - })), - }), - }))) - }) - - It("WhatAuthorizedPropertyNotInDB", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - digitalTwinProperty := &authorizationpb.Property{ - Type: "Email", - Value: objectpb.String(integration.EmailBad), - } - - resourcesTypes := integration.ResourceType1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.WhatAuthorizedByProperty( - context.Background(), - digitalTwinProperty, - resourcesTypes, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resourcesTypes[0].Type - action := resourcesTypes[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": BeEmpty(), - })), - }), - })), - }), - }))) - }) - - It("WhatAuthorizedExternalID", func() { - var err error - - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - externalID := &authorizationpb.ExternalID{ - Type: "Person", - ExternalId: integration.Subject4, - } - - resourcesTypes := integration.ResourceType1 - // To make sure that the proper audit log 
was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }))) + } + }, + Entry("What Authorized Property", "email", integration.EmailGood2, integration.ResourceType1, + []string{integration.Asset4, integration.Asset3, integration.Asset1}, []string{}, ""), + Entry("What Authorized Property Not In DB", "email", integration.EmailBad, integration.ResourceType1, + []string{}, []string{}, ""), + Entry("What Authorized Property With External Property", "email", integration.EmailWhat, + integration.ResourceType4, []string{integration.Truck1}, []string{}, ""), + ) + + DescribeTable("What Authorization ExternalID", + func(nodeType string, + id string, + resourcesTypes []*authorizationpb.WhatAuthorizedRequest_ResourceType, + results []string, + policyTags []string, + expectedError string) { + authorizationClient, err := integration.InitConfigAuthorization() + Expect(err).To(Succeed()) + + externalID := &authorizationpb.ExternalID{ + Type: nodeType, + ExternalId: id, + } + + // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
+ inputParams := map[string]*authorizationpb.InputParam{ + "auditLog": { + Value: &authorizationpb.InputParam_StringValue{ + StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }, }, - }, - } - var policyTags []string - - resp, err := authorizationClient.WhatAuthorizedByExternalID( - context.Background(), - externalID, - resourcesTypes, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resourcesTypes[0].Type - action := resourcesTypes[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllElementsWithIndex(IndexIdentity, Elements{ - "0": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset4), - })), - "1": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset3), - })), - "2": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Asset1), + } + + resp, err := authorizationClient.WhatAuthorizedByExternalID( + context.Background(), + externalID, + resourcesTypes, + inputParams, + policyTags, + retry.WithMax(5), + ) + + if expectedError != "" { + Expect(err).To(MatchError(ContainSubstring(expectedError))) + Expect(resp).To(BeNil()) + } else { + Expect(err).To(Succeed()) + Expect(resp).NotTo(BeNil()) + + decision := resourcesTypes[0].Type + action := resourcesTypes[0].Actions[0] + resourceMatcher := BeEmpty() // Default to empty if no results + if len(results) > 0 { + elements := Elements{} + for i, result := range results { + elements[fmt.Sprintf("%d", i)] = PointTo(MatchFields(IgnoreExtras, Fields{ + "ExternalId": Equal(result), + })) + } + resourceMatcher = MatchAllElementsWithIndex(IndexIdentity, elements) + } + Expect(resp).To(PointTo(MatchFields(IgnoreExtras, 
Fields{ + "DecisionTime": Not(BeNil()), + "Decisions": MatchAllKeys(Keys{ + decision: PointTo(MatchFields(IgnoreExtras, Fields{ + "Actions": MatchAllKeys(Keys{ + action: PointTo(MatchFields(IgnoreExtras, Fields{ + "Resources": resourceMatcher, })), }), })), }), - })), - }), - }))) - }) - - It("WhatAuthorizedExternalIDNotInDB", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - externalID := &authorizationpb.ExternalID{ - Type: "Person", - ExternalId: "SomethingWrong", - } - - resourcesTypes := integration.ResourceType1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - resp, err := authorizationClient.WhatAuthorizedByExternalID( - context.Background(), - externalID, - resourcesTypes, - inputParams, - policyTags, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resourcesTypes[0].Type - action := resourcesTypes[0].Actions[0] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": BeEmpty(), - })), - }), - })), - }), - }))) - }) + }))) + } + }, + Entry("What Authorized External ID", "Person", integration.Subject4, integration.ResourceType1, + []string{integration.Asset4, integration.Asset3, integration.Asset1}, []string{}, ""), + Entry("What Authorized External ID Not In DB", "Person", "SomethingWrong", integration.ResourceType1, + []string{}, []string{}, ""), + Entry("What Authorized External ID With External Property", "Person", integration.Subject5, 
+ integration.ResourceType4, []string{integration.Truck1}, []string{}, ""), + Entry("What Authorized External ID With External Property With Error", "Person", integration.Subject3, + integration.ResourceType4, []string{}, []string{}, "server was unable to complete the request"), + ) }) Describe("WhoAuthorized", func() { 
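Review bot: The error branch of the `What Authorization ExternalID` table omits `noAuditLogEntry = true`, which the DT and Property tables in this same hunk both set before asserting the error. The entry `What Authorized External ID With External Property With Error` takes that branch, so if the cleanup hook (outside this hunk) looks up an audit-log record unless the flag is set, it will query for a record of a request that failed. Add `noAuditLogEntry = true` as the first statement of that `if expectedError != ""` block, or confirm that a failed request is meant to be audited. That entry also pins the generic message `server was unable to complete the request`; a short comment on why `integration.Subject3` against `integration.ResourceType4` must fail, rather than return an empty result, would show the test is not baselining a backend fault as expected authorization behaviour.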
@@ -1401,162 +660,85 @@ var _ = Describe("Authorized", func() { } }, NodeTimeout(time.Second*10)) - It("WhoAuthorized", func() { - var err error - - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - resources := integration.ResourceWho1 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - req := &authorizationpb.WhoAuthorizedRequest{ - Resources: resources, - InputParams: inputParams, - PolicyTags: policyTags, - } - - resp, err := authorizationClient.WhoAuthorized( - context.Background(), - req, - retry.WithMax(5), - ) - - decision := resources[0].Type - resource := resources[0].ExternalId - action0 := resources[0].Actions[0] - action1 := resources[0].Actions[1] - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action0: PointTo(MatchFields(IgnoreExtras, Fields{ - "Subjects": MatchAllElementsWithIndex(IndexIdentity, Elements{ - "0": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Subject1), - })), - "1": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Subject3), - })), - "2": PointTo(MatchFields(IgnoreExtras, Fields{ - "ExternalId": Equal(integration.Subject2), - })), - }), - })), - action1: PointTo(MatchFields(IgnoreExtras, Fields{ - "Subjects": BeEmpty(), - })), - }), - })), - }), - })), - }), - }))) - }) - - It("WhoAuthorizedResourceNotValid", func() { - var err error - 
authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - resources := integration.ResourceWho2 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - noAuditLogEntry = true - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), - }, - }, - } - var policyTags []string - - req := &authorizationpb.WhoAuthorizedRequest{ - Resources: resources, - InputParams: inputParams, - PolicyTags: policyTags, - } - - resp, err := authorizationClient.WhoAuthorized( - context.Background(), - req, - retry.WithMax(5), - ) - - Expect(err).To(MatchError(ContainSubstring( - "invalid WhoAuthorizedRequest_Resource.ExternalId: value length must be between 2 and 50 runes"))) - Expect(resp).To(BeNil()) - }) - - It("WhoAuthorizedResourceNotInDB", func() { - var err error - authorizationClient, err := integration.InitConfigAuthorization() - Expect(err).To(Succeed()) - - resources := integration.ResourceWho3 - // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. - inputParams := map[string]*authorizationpb.InputParam{ - "auditLog": { - Value: &authorizationpb.InputParam_StringValue{ - StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + DescribeTable("Who Authorization", + func(resources []*authorizationpb.WhoAuthorizedRequest_Resource, + subjects []string, + policyTags []string, + expectedError string) { + authorizationClient, err := integration.InitConfigAuthorization() + Expect(err).To(Succeed()) + + // To make sure that the proper audit log was queried from BigQuery, need to add a unique identifier. 
+ inputParams := map[string]*authorizationpb.InputParam{ + "auditLog": { + Value: &authorizationpb.InputParam_StringValue{ + StringValue: fmt.Sprintf("\"%v\"", auditLogIdentifier), + }, }, - }, - } - var policyTags []string - - req := &authorizationpb.WhoAuthorizedRequest{ - Resources: resources, - InputParams: inputParams, - PolicyTags: policyTags, - } - - resp, err := authorizationClient.WhoAuthorized( - context.Background(), - req, - retry.WithMax(5), - ) - - Expect(err).To(Succeed()) - Expect(resp).NotTo(BeNil()) - - decision := resources[0].Type - resource := resources[0].ExternalId - action0 := resources[0].Actions[0] - action1 := resources[0].Actions[1] - - Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ - "DecisionTime": Not(BeNil()), - "Decisions": MatchAllKeys(Keys{ - decision: PointTo(MatchFields(IgnoreExtras, Fields{ - "Resources": MatchAllKeys(Keys{ - resource: PointTo(MatchFields(IgnoreExtras, Fields{ - "Actions": MatchAllKeys(Keys{ - action0: PointTo(MatchFields(IgnoreExtras, Fields{ - "Subjects": BeEmpty(), - })), - action1: PointTo(MatchFields(IgnoreExtras, Fields{ - "Subjects": BeEmpty(), + } + + req := &authorizationpb.WhoAuthorizedRequest{ + Resources: resources, + InputParams: inputParams, + PolicyTags: policyTags, + } + + resp, err := authorizationClient.WhoAuthorized( + context.Background(), + req, + retry.WithMax(5), + ) + + if expectedError != "" { + noAuditLogEntry = true + Expect(err).To(MatchError(ContainSubstring(expectedError))) + Expect(resp).To(BeNil()) + } else { + Expect(err).To(Succeed()) + Expect(resp).NotTo(BeNil()) + + decision := resources[0].Type + resource := resources[0].ExternalId + actions := resources[0].Actions + actionMatchers := Keys{} + for i, action := range actions { + // First action with specific subject matches + subjectMatcher := BeEmpty() + if i == 0 && len(subjects) > 0 { + elements := Elements{} + for i, subject := range subjects { + elements[fmt.Sprintf("%d", i)] = 
PointTo(MatchFields(IgnoreExtras, Fields{ + "ExternalId": Equal(subject), + })) + } + subjectMatcher = MatchAllElementsWithIndex(IndexIdentity, elements) + } + actionMatchers[action] = PointTo(MatchFields(IgnoreExtras, Fields{ + "Subjects": subjectMatcher, + })) + } + + Expect(resp).To(PointTo(MatchFields(IgnoreExtras, Fields{ + "DecisionTime": Not(BeNil()), + "Decisions": MatchAllKeys(Keys{ + decision: PointTo(MatchFields(IgnoreExtras, Fields{ + "Resources": MatchAllKeys(Keys{ + resource: PointTo(MatchFields(IgnoreExtras, Fields{ + "Actions": MatchAllKeys(actionMatchers), })), }), })), }), - })), - }), - }))) - }) + }))) + } + }, + Entry("Who Authorized", integration.ResourceWho1, + []string{integration.Subject1, integration.Subject3, integration.Subject2}, []string{}, ""), + Entry("Who Authorized Resource Not Valid", integration.ResourceWho2, []string{}, []string{}, + "invalid WhoAuthorizedRequest_Resource.ExternalId: value length must be between 2 and 50 runes"), + Entry("Who Authorized Resource Not In DB", integration.ResourceWho3, []string{}, []string{}, ""), + Entry("Who Authorized With External Property", integration.ResourceWho4, + []string{integration.Subject5, integration.Subject1}, []string{}, ""), + ) }) }) diff --git a/examples/authorization/cmd/is_authorized.go b/examples/authorization/cmd/is_authorized.go index ab8740fb..c1179ef8 100644 --- a/examples/authorization/cmd/is_authorized.go +++ b/examples/authorization/cmd/is_authorized.go @@ -81,9 +81,9 @@ var withDigitalTwinCmd = &cobra.Command{ resources := []*authorizationpb.IsAuthorizedRequest_Resource{ { - ExternalId: "resourceID", - Type: "Type", - Actions: []string{"ACTION"}, + ExternalId: "Truck1", + Type: "Truck", + Actions: []string{"SUBSCRIBES_TO"}, }, } inputParams := map[string]*authorizationpb.InputParam{} 
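Review bot: In the `Who Authorization` table the inner loop `for i, subject := range subjects` shadows the outer `i` from `for i, action := range actions`, the same variable the `i == 0` check relies on. It works today only because the check is evaluated before the inner loop starts. Rename the inner index, e.g. `for j, subject := range subjects` with `elements[fmt.Sprintf("%d", j)]`. The table body also fixes that only `Actions[0]` may return subjects and every other action must return none, which deserves a comment above the loop such as `// Only the first action is expected to return subjects; all other actions must yield none.`.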
@@ -117,9 +117,9 @@ var withPropertyCmd = &cobra.Command{
 resources := []*authorizationpb.IsAuthorizedRequest_Resource{
 {
- ExternalId: "resourceID",
- Type: "Type",
- Actions: []string{"ACTION"},
+ ExternalId: "Truck2",
+ Type: "Truck",
+ Actions: []string{"SUBSCRIBES_TO"},
 },
 }
 inputParams := map[string]*authorizationpb.InputParam{}
@@ -163,9 +163,9 @@ var withExternalIDCmd = &cobra.Command{
 resources := []*authorizationpb.IsAuthorizedRequest_Resource{
 {
- ExternalId: "resourceID",
- Type: "Type",
- Actions: []string{"ACTION"},
+ ExternalId: "Truck4",
+ Type: "Truck",
+ Actions: []string{"SUBSCRIBES_TO"},
 },
 }
 inputParams := map[string]*authorizationpb.InputParam{}
diff --git a/examples/authorization/cmd/what_authorized.go b/examples/authorization/cmd/what_authorized.go
index d297c535..84d3e147 100644
--- a/examples/authorization/cmd/what_authorized.go
+++ b/examples/authorization/cmd/what_authorized.go
@@ -77,8 +77,7 @@ var whatWithDigitalTwinCmd = &cobra.Command{
 }
 resourceTypes := []*authorizationpb.WhatAuthorizedRequest_ResourceType{
- {Type: "TypeA"},
- {Type: "TypeB", Actions: []string{"ACTION"}},
+ {Type: "Truck", Actions: []string{"SUBSCRIBES_TO"}},
 }
 inputParams := map[string]*authorizationpb.InputParam{}
 var policyTags []string
@@ -153,8 +152,7 @@ var whatWithExternalIDCmd = &cobra.Command{
 fmt.Scanln(&(externalID.ExternalId))
 resourceTypes := []*authorizationpb.WhatAuthorizedRequest_ResourceType{
- {Type: "TypeA", Actions: []string{"ACTION1", "ACTION2"}},
- {Type: "TypeB", Actions: []string{"ACTION"}},
+ {Type: "Truck", Actions: []string{"SUBSCRIBES_TO"}},
 }
 inputParams := map[string]*authorizationpb.InputParam{}
diff --git a/examples/authorization/cmd/who_authorized.go b/examples/authorization/cmd/who_authorized.go
index 30272780..e72c256c 100644
--- a/examples/authorization/cmd/who_authorized.go
+++ b/examples/authorization/cmd/who_authorized.go
@@ -32,9 +32,9 @@ var whoAuthorizedCmd = &cobra.Command{
 Run: func(cmd *cobra.Command, args []string) {
 resources := []*authorizationpb.WhoAuthorizedRequest_Resource{
 {
- ExternalId: "resourceID",
- Type: "Type",
- Actions: []string{"ACTION"},
+ ExternalId: "Truck1",
+ Type: "Truck",
+ Actions: []string{"SUBSCRIBES_TO", "OWNS"},
 },
 }
 inputParams := map[string]*authorizationpb.InputParam{}
diff --git a/examples/config/cmd/authorization.go b/examples/config/cmd/authorization.go
new file mode 100644
index 00000000..283c588b
--- /dev/null
+++ b/examples/config/cmd/authorization.go
@@ -0,0 +1,110 @@ +// Copyright (c) 2024 IndyKite +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cmd + +import ( + "context" + "fmt" + "log" + + "github.com/spf13/cobra" + + "github.com/indykite/indykite-sdk-go/config" + configpb "github.com/indykite/indykite-sdk-go/gen/indykite/config/v1beta1" +) + +var authorizationPolicyConfigCmd = &cobra.Command{ + Use: "authorizationPolicy", + Short: "AuthorizationPolicy config", +} + +var createAuthorizationPolicyConfigCmd = &cobra.Command{ + Use: "create", + Short: "Create AuthorizationPolicy config", + Run: func(cmd *cobra.Command, args []string) { + jsonInput := `{"meta":{"policyVersion":"1.0-indykite"},"subject":{"type":"Person"},"actions":["SUBSCRIBES_TO"],"resource":{"type":"Truck"},"condition":{"cypher":"MATCH (subject:Person)-[:BELONGS_TO]->(:Organization)-[:OWNS]->(resource:Truck)-[HAS]->(p:Property:External {type: 'echo', value: '2024'}) "}}` + configuration := &configpb.AuthorizationPolicyConfig{ + Policy: jsonInput, + Status: configpb.AuthorizationPolicyConfig_STATUS_ACTIVE, + Tags: []string{}, + } + createReq, _ := config.NewCreate("like-real-config-node-name") + createReq.ForLocation("gid:AAAAAguDnAAAAAAAAAAAAAAA") + createReq.WithDisplayName("Like real ConfigNode Name") + createReq.WithAuthorizationPolicyConfig(configuration) + + resp, err := client.CreateConfigNode(context.Background(), createReq) + if err != nil { + log.Fatalf("failed to invoke operation on IndyKite Client %v", err) + } + 
fmt.Println(jsonp.Format(resp)) + + readReq, _ := config.NewRead(resp.Id) + readResp, err := client.ReadConfigNode(context.Background(), readReq) + if err != nil { + log.Fatalf("failed to invoke operation on IndyKite Client %v", err) + } + fmt.Println(jsonp.Format(readResp)) + }, +} + +var updateAuthorizationPolicyConfigCmd = &cobra.Command{ + Use: "update", + Short: "Update AuthorizationPolicy config", + Run: func(cmd *cobra.Command, args []string) { + jsonInput := `{"meta":{"policyVersion":"1.0-indykite"},"subject":{"type":"Person"},"actions":["SUBSCRIBES_TO"],"resource":{"type":"Asset"},"condition":{"cypher":"MATCH (subject:Person)-[:BELONGS_TO]->(:Organization)-[:OWNS]->(resource:Truck)-[HAS]->(Truck:Property:External {type: echo, value: '2024'}) "}}` + configuration := &configpb.AuthorizationPolicyConfig{ + Policy: jsonInput, + Status: configpb.AuthorizationPolicyConfig_STATUS_ACTIVE, + Tags: []string{"TagA", "TagB"}, + } + updateReq, _ := config.NewUpdate("gid:AAAAFo7ukfFQHkBjtiQQZiE2zb8") + updateReq.WithAuthorizationPolicyConfig(configuration) + updateReq.WithDescription("Desc1") + + resp, err := client.UpdateConfigNode(context.Background(), updateReq) + if err != nil { + log.Fatalf("failed to invoke operation on IndyKite Client %v", err) + } + fmt.Println(jsonp.Format(resp)) + + readReq, _ := config.NewRead(resp.Id) + readResp, err := client.ReadConfigNode(context.Background(), readReq) + if err != nil { + log.Fatalf("failed to invoke operation on IndyKite Client %v", err) + } + fmt.Println(jsonp.Format(readResp)) + }, +} + +var deleteAuthorizationPolicyConfigCmd = &cobra.Command{ + Use: "delete", + Short: "Delete AuthorizationPolicy configuration", + Run: func(cmd *cobra.Command, args []string) { + deleteReq, _ := config.NewDelete("gid:AAAAFvTeAqwrRUinglaK7B891aI") + resp, err := client.DeleteConfigNode(context.Background(), deleteReq) + if err != nil { + log.Fatalf("failed to invoke operation on IndyKite Client %v", err) + } + 
fmt.Println(jsonp.Format(resp)) + }, +} + +func init() { + rootCmd.AddCommand(authorizationPolicyConfigCmd) + authorizationPolicyConfigCmd.AddCommand(createAuthorizationPolicyConfigCmd) + authorizationPolicyConfigCmd.AddCommand(updateAuthorizationPolicyConfigCmd) + authorizationPolicyConfigCmd.AddCommand(deleteAuthorizationPolicyConfigCmd) +} diff --git a/examples/config/cmd/external_data_resolver_config.go b/examples/config/cmd/external_data_resolver_config.go index 01c6591a..2f7da936 100644 --- a/examples/config/cmd/external_data_resolver_config.go +++ b/examples/config/cmd/external_data_resolver_config.go @@ -35,19 +35,16 @@ var createExternalDataResolverConfigCmd = &cobra.Command{ Short: "Create ExternalDataResolver config", Run: func(cmd *cobra.Command, args []string) { configuration := &configpb.ExternalDataResolverConfig{ - Url: "https://example.com/source2", - Method: "GET", - Headers: map[string]*configpb.ExternalDataResolverConfig_Header{ - "Authorization": {Values: []string{"Bearer edolkUTY"}}, - "Content-Type": {Values: []string{"application/json"}}, - }, + Url: "http://super-octo-waffle.indykite.com/magic?data=2024", + Method: "GET", + Headers: map[string]*configpb.ExternalDataResolverConfig_Header{}, RequestType: configpb.ExternalDataResolverConfig_CONTENT_TYPE_JSON, - RequestPayload: []byte(`{"key": "value"}`), + RequestPayload: []byte(``), ResponseType: configpb.ExternalDataResolverConfig_CONTENT_TYPE_JSON, - ResponseSelector: ".", + ResponseSelector: ".echo", } createReq, _ := config.NewCreate("like-real-config-node-name2") - createReq.ForLocation("gid:AAAAABBBBB_uiuiu144KNUI1245") + createReq.ForLocation("gid:AAAAAguAAAAAAAAAAAAAAAAAAAA") createReq.WithDisplayName("Like real ConfigNode Name2") createReq.WithExternalDataResolverConfig(configuration) 
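Review bot: In the new `examples/config/cmd/authorization.go`, both policy strings write the last hop as `-[HAS]->`, which in standard Cypher binds a variable named HAS and matches a relationship of any type. If the intent is to require a HAS relationship to the external property, it should read `-[:HAS]->`; as written the condition is broader than the policy suggests. The update command's policy also leaves `type: echo` unquoted (create uses `'echo'`), so it is read as an identifier rather than a string, and its `"resource":{"type":"Asset"}` disagrees with the `resource:Truck` label in its own MATCH. Since these examples are likely to be copied as policy templates, I would align update with create, using `{type: 'echo', value: '2024'}` and a matching resource type. How the service validates the Cypher is not visible here, so the runtime effect is inferred from the language rules.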
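Review bot: The resolver `Url` in the create hunk (`@@ -35,19 +35,16 @@`) moves from `https://` to plain `http://super-octo-waffle.indykite.com/magic?data=2024`, and the update hunk (`@@ -71,18 +68,16 @@`) does the same. The new authorization policy example matches on an external property with value `'2024'` and the selector here is `.echo`, so the fetched response appears to feed an access decision. Over unencrypted HTTP that response can be altered in transit. Unless the endpoint only serves HTTP, I would keep TLS in the example: `Url: "https://super-octo-waffle.indykite.com/magic?data=2024",`. The `Run` function continues past the end of this hunk.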
@@ -71,18 +68,16 @@ var updateExternalDataResolverConfigCmd = &cobra.Command{ Short: "Update ExternalDataResolver config", Run: func(cmd *cobra.Command, args []string) { configuration := &configpb.ExternalDataResolverConfig{ - Url: "https://example.com/source", - Method: "GET", - Headers: map[string]*configpb.ExternalDataResolverConfig_Header{ - "Authorization": {Values: []string{"Bearer edyUTY"}}, - "Content-Type": {Values: []string{"application/json"}}, - }, + Url: "http://super-octo-waffle.indykite.com/magic?data=2024", + Method: "GET", + Headers: map[string]*configpb.ExternalDataResolverConfig_Header{}, RequestType: configpb.ExternalDataResolverConfig_CONTENT_TYPE_JSON, - RequestPayload: []byte(`{"key": "value"}`), + RequestPayload: []byte(``), ResponseType: configpb.ExternalDataResolverConfig_CONTENT_TYPE_JSON, - ResponseSelector: ".", + ResponseSelector: ".echo", } - updateReq, _ := config.NewUpdate("gid:id-of-existing-config") + updateReq, _ := config.NewUpdate("gid:AAAAIZISzhPyS0i-hT-OnuiGkKE") + updateReq.WithDescription("Desc2") updateReq.WithExternalDataResolverConfig(configuration) resp, err := client.UpdateConfigNode(context.Background(), updateReq) @@ -104,7 +99,7 @@ var deleteExternalDataResolverConfigCmd = &cobra.Command{ Use: "delete", Short: "Delete ExternalDataResolver configuration", Run: func(cmd *cobra.Command, args []string) { - deleteReq, _ := config.NewDelete("gid:id-of-existing-config") + deleteReq, _ := config.NewDelete("gid:AAAAIWWRI5nLaEkjhFBa4v8Gi-4") resp, err := client.DeleteConfigNode(context.Background(), deleteReq) if err != nil { log.Fatalf("failed to invoke operation on IndyKite Client %v", err) diff --git a/examples/ingest/cmd/batch_delete_nodes.go b/examples/ingest/cmd/batch_delete_nodes.go index 2718b47d..cb565112 100644 --- a/examples/ingest/cmd/batch_delete_nodes.go +++ b/examples/ingest/cmd/batch_delete_nodes.go 
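Review bot: The update (`@@ -71,18 +68,16 @@`) and delete (`@@ -104,7 +99,7 @@`) hunks replace the `gid:id-of-existing-config` placeholder with concrete node ids and still discard the error from `config.NewUpdate` / `config.NewDelete` with `_`. A delete example bound to a fixed id acts on whatever that id resolves to in the caller's environment, and it publishes an environment-specific identifier in the repository. I would take the id from the command line and check the constructor error: add `Args: cobra.ExactArgs(1),` to the command and use `deleteReq, err := config.NewDelete(args[0])` followed by the same `log.Fatalf` check used for the client call. Both `Run` bodies extend outside their hunks.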
@@ -33,17 +33,12 @@ var batchDeleteNodesCmd = &cobra.Command{ Run: func(cmd *cobra.Command, args []string) { nodeMatch1 := &ingestpb.NodeMatch{ - ExternalId: "0000", - Type: "Employee", - } - - nodeMatch2 := &ingestpb.NodeMatch{ - ExternalId: "0001", - Type: "Truck", + ExternalId: "tyUjk78Hnm", + Type: "Asset", } nodes := []*ingestpb.NodeMatch{ - nodeMatch1, nodeMatch2, + nodeMatch1, } resp, err := client.BatchDeleteNodes(context.Background(), nodes) if err != nil { diff --git a/examples/ingest/cmd/batch_upsert_nodes.go b/examples/ingest/cmd/batch_upsert_nodes.go index 015f13f3..55fd2c0f 100644 --- a/examples/ingest/cmd/batch_upsert_nodes.go +++ b/examples/ingest/cmd/batch_upsert_nodes.go @@ -35,7 +35,7 @@ var batchUpsertNodesCmd = &cobra.Command{ Run: func(cmd *cobra.Command, args []string) { node1 := &knowledgeobjects.Node{ - ExternalId: "741258", + ExternalId: "barnabebe", Type: "Person", IsIdentity: true, Properties: []*knowledgeobjects.Property{ @@ -43,7 +43,7 @@ var batchUpsertNodesCmd = &cobra.Command{ Type: "email", Value: &objects.Value{ Type: &objects.Value_StringValue{ - StringValue: "elias@yahoo.com", + StringValue: "banabebe@yahoo.com", }, }, Metadata: &knowledgeobjects.Metadata{ @@ -69,24 +69,7 @@ var batchUpsertNodesCmd = &cobra.Command{ Type: "first_name", Value: &objects.Value{ Type: &objects.Value_StringValue{ - StringValue: "colias", - }, - }, - }, - }, - Tags: []string{"Sitea", "Siteb"}, - } - - node2 := &knowledgeobjects.Node{ - ExternalId: "789456", - Type: "Car", - IsIdentity: false, - Properties: []*knowledgeobjects.Property{ - { - Type: "plateNumber", - Value: &objects.Value{ - Type: &objects.Value_StringValue{ - StringValue: "NO8521", + StringValue: "barnabebe", }, }, }, @@ -95,7 +78,7 @@ var batchUpsertNodesCmd = &cobra.Command{ } nodes := []*knowledgeobjects.Node{ - node1, node2, + node1, } resp, err := client.BatchUpsertNodes(context.Background(), nodes) if err != nil { 
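Review bot: The sample identity in `batch_upsert_nodes.go` (`@@ -43,7 +43,7 @@`) uses an address at a real mail provider, `banabebe@yahoo.com`, which may belong to someone. Its spelling also differs from the node's `ExternalId` and `first_name`, both `barnabebe`. A reserved domain avoids shipping a possibly real address in example and test data: `StringValue: "barnabebe@example.com",`. `EmailWhat` in `test/constants.go` carries the same value and would need to change with it if the integration tests look this node up by email. That dependency is not visible from this hunk.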
diff --git a/examples/ingest/cmd/batch_upsert_relationships.go b/examples/ingest/cmd/batch_upsert_relationships.go index 291d44d6..a49230ea 100644 --- a/examples/ingest/cmd/batch_upsert_relationships.go +++ b/examples/ingest/cmd/batch_upsert_relationships.go @@ -20,11 +20,8 @@ import ( "log" "github.com/spf13/cobra" - "google.golang.org/protobuf/types/known/timestamppb" ingestpb "github.com/indykite/indykite-sdk-go/gen/indykite/ingest/v1beta3" - knowledgeobjects "github.com/indykite/indykite-sdk-go/gen/indykite/knowledge/objects/v1beta1" - objects "github.com/indykite/indykite-sdk-go/gen/indykite/objects/v1beta2" ) // batch upsert relationships represents the command for ingesting up to 250 relationships 
@@ -37,60 +34,18 @@ var batchUpsertRelationshipsCmd = &cobra.Command{ relationship1 := &ingestpb.Relationship{ Source: &ingestpb.NodeMatch{ - ExternalId: "741258", + ExternalId: "barnabebe", Type: "Person", }, Target: &ingestpb.NodeMatch{ - ExternalId: "963258", - Type: "Car", - }, - Type: "OWNS", - Properties: []*knowledgeobjects.Property{ - { - Type: "linked", - Value: &objects.Value{ - Type: &objects.Value_StringValue{ - StringValue: "12345", - }, - }, - Metadata: &knowledgeobjects.Metadata{ - AssuranceLevel: 1, - VerificationTime: timestamppb.Now(), - Source: "Myself", - CustomMetadata: map[string]*objects.Value{ - "customdata": { - Type: &objects.Value_StringValue{StringValue: "SomeCustomData"}, - }, - }, - }, - }, - }, - } - - relationship2 := &ingestpb.Relationship{ - Source: &ingestpb.NodeMatch{ - ExternalId: "0002", - Type: "Employee", - }, - Target: &ingestpb.NodeMatch{ - ExternalId: "0003", - Type: "Truck", - }, - Type: "SERVICES", - Properties: []*knowledgeobjects.Property{ - { - Type: "linked", - Value: &objects.Value{ - Type: &objects.Value_StringValue{ - StringValue: "678910", - }, - }, - }, + ExternalId: "tRVeocDOOzNfTIN", + Type: "Organization", }, + Type: "BELONGS_TO", } relationships := []*ingestpb.Relationship{ - relationship1, relationship2, + relationship1, } resp, err := client.BatchUpsertRelationships(context.Background(), relationships) if err != nil { diff --git a/test/constants.go b/test/constants.go index a4f89b43..a6619fc5 100644 --- a/test/constants.go +++ b/test/constants.go 
@@ -129,6 +129,46 @@ var ( }, } + Resource10 = []*authorizationpb.IsAuthorizedRequest_Resource{ + { + ExternalId: "Truck1", + Type: "Truck", + Actions: []string{"SUBSCRIBES_TO"}, + }, + } + + Resource11 = []*authorizationpb.IsAuthorizedRequest_Resource{ + { + ExternalId: "Truck3", + Type: "Truck", + Actions: []string{"SUBSCRIBES_TO"}, + }, + } + + Resource12 = []*authorizationpb.IsAuthorizedRequest_Resource{ + { + ExternalId: "Truck4", + Type: "Truck", + Actions: []string{"SUBSCRIBES_TO"}, + }, + } + + Resource13 = []*authorizationpb.IsAuthorizedRequest_Resource{ + { + ExternalId: "Truck5", + Type: "Truck", + Actions: []string{"SUBSCRIBES_TO"}, + }, + } + + Resource14 = []*authorizationpb.IsAuthorizedRequest_Resource{ + { + ExternalId: "Truck2", + Type: "Truck", + Actions: []string{"SUBSCRIBES_TO"}, + }, + } + ResourceType1 = []*authorizationpb.WhatAuthorizedRequest_ResourceType{ {Type: "Asset", Actions: []string{"SUBSCRIBES_TO"}}, } @@ -141,6 +181,10 @@ var ( {Type: "Asset", Actions: []string{"DEMANDS"}}, } + ResourceType4 = []*authorizationpb.WhatAuthorizedRequest_ResourceType{ + {Type: "Truck", Actions: []string{"SUBSCRIBES_TO"}}, + } + ResourceWho1 = []*authorizationpb.WhoAuthorizedRequest_Resource{ {ExternalId: "pFlpMtkWqCPXVue", Type: "Asset", Actions: []string{"SUBSCRIBES_TO", "OWNS"}}, } 
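Review bot: The five new fixtures `Resource10` to `Resource14` in the `@@ -129,6 +129,46 @@` hunk differ only in `ExternalId`, and nothing records which authorization outcome each truck is meant to produce. `Resource14` pointing at `Truck2` also breaks the numeric order. A one-line comment per fixture would let a reader of the table-driven test check each allow/deny expectation against the data, for example `// Resource10: Truck1 — <expected decision and why>`. The enclosing `var (` block starts and ends outside the hunk.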
@@ -153,17 +197,24 @@ var ( {ExternalId: "pFlpMtkWqCPXVue", Type: "Asset", Actions: []string{"DEMANDS", "REPELS"}}, } + ResourceWho4 = []*authorizationpb.WhoAuthorizedRequest_Resource{ + {ExternalId: "Truck1", Type: "Truck", Actions: []string{"SUBSCRIBES_TO", "OWNS"}}, + } + NodeBad = "id" NodeNotInDB = "gid:AAAAGaiIPzg6L0DKkbIh22crsFg" Node1 = "gid:AAAAHJsPjaxKk0WchnF4wH3Hg10" Node2 = "gid:AAAAHO-ocNjhAU1dlkF_1QG22Uo" - Node3 = "gid:AAAAHNdVLTx1-ExZnjv7nVyRiQc" + Node3 = "gid:AAAAHCV9T0p2sU63pJmKD0HZzM8" Node4 = "gid:AAAAHH50iSkNRkZni9C12Ed-7fk" Node5 = "gid:AAAAHIJg29h5dErYihm_ZRLDB_Y" + Node6 = "gid:AAAAHD7D1VHJAEBoh0XAcDkvwlY" + Node7 = "gid:AAAAHBKAf-Hu_04hvTIingK8q5Q" EmailBad = "test@example.com" EmailGood = "biche@yahoo.co.uk" EmailGood2 = "darna@yahoo.co.uk" + EmailWhat = "banabebe@yahoo.com" ExternalIDGood = "TrSFiLuoSLGiCIo" @@ -176,11 +227,13 @@ var ( Car1Ext = "9658744" Car2 = "gid:AAAAHM1Lc0CS5EJxpM5QuRUAnrc" Car2Ext = "963258" + Truck1 = "Truck1" Subject1 = "dilZWYdFcmXiojC" Subject2 = "fVcaUxJqmOkyOTX" Subject3 = "lSPmCXIPRXppszf" Subject4 = "NACTFFKUCcceDIz" + Subject5 = "barnabebe" SubjectDT4 = "852147963" SubjectDT5 = "741258"
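Review bot: `Node3` is changed in place in the `@@ -153,17 +197,24 @@` hunk, from `gid:AAAAHNdVLTx1-ExZnjv7nVyRiQc` to `gid:AAAAHCV9T0p2sU63pJmKD0HZzM8`, so every existing test that references it now runs against a different subject. In authorization tests that can turn a deny case into an allow case, or the reverse, without any test text changing. Whether all callers were re-checked is not visible in this hunk. I would either leave `Node3` as it was and add the new id under a new name next to `Node6`/`Node7`, or add a comment such as `// Node3: re-pointed for the external-property tests, see ENG-4307`.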