improve test coverage and fix bugs

Signed-off-by: Roman Dmytrenko <[email protected]>

Author: erka

go.work.sum

@@ -542,6 +542,7 @@ github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7
 github.com/aws/aws-sdk-go-v2 v1.30.3/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc=
 github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0=
 github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0=
+github.com/aws/aws-sdk-go-v2 v1.32.5/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg=
 github.com/aws/aws-sdk-go-v2/config v1.27.17/go.mod h1:MzM3balLZeaafYcPz8IihAmam/aCz6niPQI0FdprxW0=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.17/go.mod h1:e4khg9iY08LnFK/HXQDWMf9GDaiMari7jWPnXvKAuBU=
@@ -550,10 +551,12 @@ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZ
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15/go.mod h1:U9ke74k1n2bf+RIgoX1SXFed1HLs51OgUSs+Ph0KJP8=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16/go.mod h1:2DwJF39FlNAUiX5pAc0UNeiz16lK2t7IaFcm0LFHEgc=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17/go.mod h1:Dh5zzJYMtxfIjYW+/evjQ8uj2OyR/ve2KROHGHlSFqE=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24/go.mod h1:5CI1JemjVwde8m2WG3cz23qHKPOxbpkq0HaoreEgLIY=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15/go.mod h1:ZQLZqhcu+JhSrA9/NXRm8SkDvsycE+JkV3WGY41e+IM=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16/go.mod h1:7ZfEPZxkW42Afq4uQB8H2E2e6ebh6mXTueEpYzjCzcs=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17/go.mod h1:aLJpZlCmjE+V+KtN1q1uyZkfnUWpQGpbsn89XPKyzfU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24/go.mod h1:dCn9HbJ8+K31i8IQ8EWmWj0EiIk0+vKiHNMxTTYveAg=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.8/go.mod h1:hD5YwHLOy6k7d6kqcn3me1bFWHOtzhaXstMd6BpdB68=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc=
@@ -562,6 +565,7 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10/go.mod h1:g
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17/go.mod h1:RkZEx4l0EHYDJpWppMJ3nD9wZJAa8/0lq9aVC+r2UII=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18/go.mod h1:++NHzT+nAF7ZPrHPsA+ENvsXkOO8wEu+C6RXltAG4/c=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5/go.mod h1:qu/W9HXQbbQ4+1+JcZp0ZNPV31ym537ZJN+fiS7Ti8E=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.8/go.mod h1:yUQPRlWqGG0lfNsmjbRWKVwgilfBtZTOFSLEYALlAig=
 github.com/aws/aws-sdk-go-v2/service/kms v1.29.2/go.mod h1:elLDaj+1RNl9Ovn3dB6dWLVo5WQ+VLSUMKegl7N96fY=
 github.com/aws/aws-sdk-go-v2/service/kms v1.31.0/go.mod h1:2snWQJQUKsbN66vAawJuOGX7dr37pfOq9hb0tZDGIqQ=

internal/server/authz/engine/bundle/engine.go

@@ -96,9 +96,9 @@ func (e *Engine) Namespaces(ctx context.Context, input map[string]interface{}) (
 	if !ok {
 		return nil, fmt.Errorf("unexpected result type: %T", values)
 	}
-	var namespaces []string
-	for _, ns := range values {
-		namespaces = append(namespaces, fmt.Sprintf("%s", ns))
+	namespaces := make([]string, len(values))
+	for i, ns := range values {
+		namespaces[i] = fmt.Sprintf("%s", ns)
 	}
 	return namespaces, nil
 }

internal/server/authz/engine/bundle/engine_test.go

@@ -246,5 +246,78 @@ func TestEngine_IsAllowed(t *testing.T) {
 		})
 	}
 
+	t.Run("viewable namespaces without definition", func(t *testing.T) {
+		namespaces, err := engine.Namespaces(ctx, map[string]any{})
+		require.Error(t, err)
+		require.Nil(t, namespaces)
+	})
+
 	assert.NoError(t, engine.Shutdown(ctx))
 }
+
+func TestViewableNamespaces(t *testing.T) {
+	ctx := context.Background()
+
+	policy, err := os.ReadFile("../testdata/viewable_namespaces.rego")
+	require.NoError(t, err)
+
+	data, err := os.ReadFile("../testdata/viewable_namespaces.json")
+	require.NoError(t, err)
+
+	var (
+		server = sdktest.MustNewServer(
+			sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
+				"main.rego": string(policy),
+				"data.json": string(data),
+			}),
+		)
+		config = fmt.Sprintf(`{
+		"services": {
+			"test": {
+				"url": %q
+			}
+		},
+		"bundles": {
+			"test": {
+				"resource": "/bundles/bundle.tar.gz"
+			}
+		},
+	}`, server.URL())
+	)
+
+	t.Cleanup(server.Stop)
+
+	opa, err := sdk.New(ctx, sdk.Options{
+		Config: strings.NewReader(config),
+		Store:  inmem.New(),
+		Logger: ozap.Wrap(zaptest.NewLogger(t), &zap.AtomicLevel{}),
+	})
+
+	require.NoError(t, err)
+	assert.NotNil(t, opa)
+
+	engine := &Engine{
+		opa:    opa,
+		logger: zaptest.NewLogger(t),
+	}
+	t.Cleanup(func() {
+		assert.NoError(t, engine.Shutdown(ctx))
+	})
+
+	tt := []struct {
+		name       string
+		roles      []string
+		namespaces []string
+	}{
+		{"empty", []string{}, []string{}},
+		{"devs", []string{"devs"}, []string{"local", "staging"}},
+		{"devsops", []string{"devs", "ops"}, []string{"local", "production", "staging"}},
+	}
+	for _, tt := range tt {
+		t.Run(tt.name, func(t *testing.T) {
+			namespaces, err := engine.Namespaces(ctx, map[string]any{"roles": tt.roles})
+			require.NoError(t, err)
+			require.Equal(t, tt.namespaces, namespaces)
+		})
+	}
+}

internal/server/authz/engine/rego/engine.go

@@ -167,15 +167,15 @@ func (e *Engine) Namespaces(ctx context.Context, input map[string]any) ([]string
 		return nil, err
 	}
 	if len(results) == 0 {
-		return []string{}, nil
+		return nil, errors.New("no results found")
 	}
 	values, ok := results[0].Expressions[0].Value.([]any)
 	if !ok {
 		return nil, fmt.Errorf("unexpected result type: %T", results[0].Expressions[0].Value)
 	}
-	var namespaces []string
-	for _, ns := range values {
-		namespaces = append(namespaces, fmt.Sprintf("%s", ns))
+	namespaces := make([]string, len(values))
+	for i, ns := range values {
+		namespaces[i] = fmt.Sprintf("%s", ns)
 	}
 	return namespaces, nil
 }

internal/server/authz/engine/rego/engine_test.go

@@ -8,6 +8,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.flipt.io/flipt/internal/server/authz/engine/rego/source"
 	authrpc "go.flipt.io/flipt/rpc/flipt/auth"
@@ -29,6 +30,17 @@ func TestEngine_NewEngine(t *testing.T) {
 }
 
 func TestEngine_IsAllowed(t *testing.T) {
+	policy, err := os.ReadFile("../testdata/rbac.rego")
+	require.NoError(t, err)
+
+	data, err := os.ReadFile("../testdata/rbac.json")
+	require.NoError(t, err)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+	engine, err := newEngine(ctx, zaptest.NewLogger(t), withPolicySource(policySource(string(policy))), withDataSource(dataSource(string(data)), 5*time.Second))
+	require.NoError(t, err)
+
 	tests := []struct {
 		name     string
 		input    string
@@ -200,17 +212,6 @@ func TestEngine_IsAllowed(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			policy, err := os.ReadFile("../testdata/rbac.rego")
-			require.NoError(t, err)
-
-			data, err := os.ReadFile("../testdata/rbac.json")
-			require.NoError(t, err)
-
-			ctx, cancel := context.WithCancel(context.Background())
-			t.Cleanup(cancel)
-			engine, err := newEngine(ctx, zaptest.NewLogger(t), withPolicySource(policySource(string(policy))), withDataSource(dataSource(string(data)), 5*time.Second))
-			require.NoError(t, err)
-
 			var input map[string]interface{}
 
 			err = json.Unmarshal([]byte(tt.input), &input)
@@ -221,6 +222,14 @@ func TestEngine_IsAllowed(t *testing.T) {
 			require.Equal(t, tt.expected, allowed)
 		})
 	}
+
+	t.Run("viewable namespaces without definition", func(t *testing.T) {
+		ctx, cancel := context.WithCancel(context.Background())
+		t.Cleanup(cancel)
+		namespaces, err := engine.Namespaces(ctx, map[string]any{})
+		require.Error(t, err)
+		require.Nil(t, namespaces)
+	})
 }
 
 func TestEngine_IsAuthMethod(t *testing.T) {
@@ -269,6 +278,42 @@ func TestEngine_IsAuthMethod(t *testing.T) {
 	}
 }
 
+func TestViewableNamespaces(t *testing.T) {
+	ctx := context.Background()
+
+	policy, err := os.ReadFile("../testdata/viewable_namespaces.rego")
+	require.NoError(t, err)
+
+	data, err := os.ReadFile("../testdata/viewable_namespaces.json")
+	require.NoError(t, err)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+	engine, err := newEngine(ctx, zaptest.NewLogger(t), withPolicySource(policySource(string(policy))), withDataSource(dataSource(string(data)), 5*time.Second))
+	require.NoError(t, err)
+
+	t.Cleanup(func() {
+		assert.NoError(t, engine.Shutdown(ctx))
+	})
+
+	tt := []struct {
+		name       string
+		roles      []string
+		namespaces []string
+	}{
+		{"empty", []string{}, []string{}},
+		{"devs", []string{"devs"}, []string{"local", "staging"}},
+		{"devsops", []string{"devs", "ops"}, []string{"local", "production", "staging"}},
+	}
+	for _, tt := range tt {
+		t.Run(tt.name, func(t *testing.T) {
+			namespaces, err := engine.Namespaces(ctx, map[string]any{"roles": tt.roles})
+			require.NoError(t, err)
+			require.Equal(t, tt.namespaces, namespaces)
+		})
+	}
+}
+
 type policySource string
 
 func (p policySource) Get(context.Context, source.Hash) ([]byte, source.Hash, error) {

internal/server/authz/engine/testdata/viewable_namespaces.json

@@ -0,0 +1,6 @@
+{
+  "roles_to_namespaces": {
+    "devs": ["local", "staging"],
+    "ops": ["staging", "production"]
+  }
+}

internal/server/authz/engine/testdata/viewable_namespaces.rego

@@ -0,0 +1,16 @@
+
+package flipt.authz.v1
+
+import rego.v1
+import data
+
+viewable_namespaces contains namespace if {
+	some role in input.roles
+	some namespace in data.roles_to_namespaces[role]
+}
+
+default allow := false
+
+allow if {
+	input.request.namespace in viewable_namespaces
+}

internal/server/authz/middleware/grpc/middleware.go

@@ -98,12 +98,12 @@ func AuthorizationRequiredInterceptor(logger *zap.Logger, policyVerifier authz.V
 				return ctx, errUnauthorized
 			}
 
-			// FIXME: This is proof of concept
 			if info.FullMethod == flipt.Flipt_ListNamespaces_FullMethodName {
 				namespaces, err := policyVerifier.Namespaces(ctx, map[string]any{
 					"request":        request,
 					"authentication": auth,
 				})
+
 				logger.Debug("policy namespaces evaluation", zap.Any("namespaces", namespaces), zap.Error(err))
 				if err == nil && len(namespaces) > 0 {
 					// if user has no access to `default` namespace the api call to list namespaces

internal/server/authz/middleware/grpc/middleware_test.go

@@ -15,9 +15,10 @@ import (
 )
 
 type mockPolicyVerifier struct {
-	isAllowed bool
-	wantErr   error
-	input     map[string]any
+	isAllowed          bool
+	wantErr            error
+	input              map[string]any
+	viewableNamespaces []string
 }
 
 func (v *mockPolicyVerifier) IsAllowed(ctx context.Context, input map[string]any) (bool, error) {
@@ -26,6 +27,9 @@ func (v *mockPolicyVerifier) IsAllowed(ctx context.Context, input map[string]any
 }
 
 func (v *mockPolicyVerifier) Namespaces(_ context.Context, _ map[string]any) ([]string, error) {
+	if v.viewableNamespaces != nil {
+		return v.viewableNamespaces, nil
+	}
 	return nil, errors.ErrUnsupported
 }
 
@@ -50,14 +54,16 @@ var adminAuth = &authrpc.Authentication{
 
 func TestAuthorizationRequiredInterceptor(t *testing.T) {
 	tests := []struct {
-		name             string
-		server           any
-		req              any
-		authn            *authrpc.Authentication
-		validatorAllowed bool
-		validatorErr     error
-		wantAllowed      bool
-		authzInput       map[string]any
+		name               string
+		server             any
+		req                any
+		authn              *authrpc.Authentication
+		validatorAllowed   bool
+		validatorErr       error
+		wantAllowed        bool
+		authzInput         map[string]any
+		viewableNamespaces []string
+		serverFullMethod   string
 	}{
 		{
 			name:  "allowed",
@@ -124,6 +130,22 @@ func TestAuthorizationRequiredInterceptor(t *testing.T) {
 			validatorErr: errors.New("error"),
 			wantAllowed:  false,
 		},
+		{
+			name:               "list namespaces",
+			authn:              adminAuth,
+			req:                &flipt.ListNamespaceRequest{},
+			wantAllowed:        true,
+			viewableNamespaces: []string{"special"},
+			serverFullMethod:   "/flipt.Flipt/ListNamespaces",
+			authzInput: map[string]any{
+				"request": flipt.Request{
+					Resource: flipt.ResourceNamespace,
+					Action:   flipt.ActionRead,
+					Status:   flipt.StatusSuccess,
+				},
+				"authentication": adminAuth,
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -140,14 +162,16 @@ func TestAuthorizationRequiredInterceptor(t *testing.T) {
 
 				srv           = &grpc.UnaryServerInfo{Server: &mockServer{}}
 				policyVerfier = &mockPolicyVerifier{
-					isAllowed: tt.validatorAllowed,
-					wantErr:   tt.validatorErr,
+					isAllowed:          tt.validatorAllowed,
+					wantErr:            tt.validatorErr,
+					viewableNamespaces: tt.viewableNamespaces,
 				}
 			)
 
 			if tt.server != nil {
 				srv.Server = tt.server
 			}
+			srv.FullMethod = tt.serverFullMethod
 
 			_, err := AuthorizationRequiredInterceptor(logger, policyVerfier)(ctx, tt.req, srv, handler)