forked from opensearch-project/OpenSearch-Dashboards
Add acl permission related functions (#65)
* Add acl permission check functions Signed-off-by: gaobinlong <gbinlong@amazon.com> * Refactor some code Signed-off-by: gaobinlong <gbinlong@amazon.com> * Optimize some code Signed-off-by: gaobinlong <gbinlong@amazon.com> * Refactor acl Signed-off-by: gaobinlong <gbinlong@amazon.com> * Modify index mapping definition code Signed-off-by: gaobinlong <gbinlong@amazon.com> * Optimize code Signed-off-by: gaobinlong <gbinlong@amazon.com> * Optimize code Signed-off-by: gaobinlong <gbinlong@amazon.com> --------- Signed-off-by: gaobinlong <gbinlong@amazon.com>
1 parent
345d96e
commit 57984a2
Showing
4 changed files
with
453 additions
and
0 deletions.
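--- a/src/core/server/saved_objects/permission_control/acl.test.ts
+++ b/src/core/server/saved_objects/permission_control/acl.test.ts
@@ -0,0 +1,164 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+import { PermissionMode } from '../../../../core/utils/constants';
+import { Principals, Permissions, ACL } from './acl';
+
+describe('SavedObjectTypeRegistry', () => {
+let acl: ACL;
+
+it('test has permission', () => {
+const principals: Principals = {
+users: ['user1'],
+groups: [],
+};
+const permissions: Permissions = {
+read: principals,
+};
+acl = new ACL(permissions);
+expect(
+acl.hasPermission([PermissionMode.Read], {
+users: ['user1'],
+groups: [],
+})
+).toEqual(true);
+expect(
+acl.hasPermission([PermissionMode.Read], {
+users: ['user2'],
+groups: [],
+})
+).toEqual(false);
+});
+
+it('test add permission', () => {
+acl = new ACL();
+const result1 = acl
+.addPermission([PermissionMode.Read], {
+users: ['user1'],
+groups: [],
+})
+.getPermissions();
+expect(result1?.read?.users).toEqual(['user1']);
+
+acl.resetPermissions();
+const result2 = acl
+.addPermission([PermissionMode.Write, PermissionMode.Management], {
+users: ['user2'],
+groups: ['group1', 'group2'],
+})
+.getPermissions();
+expect(result2?.write?.users).toEqual(['user2']);
+expect(result2?.management?.groups).toEqual(['group1', 'group2']);
+});
+
+it('test remove permission', () => {
+const principals1: Principals = {
+users: ['user1'],
+groups: ['group1', 'group2'],
+};
+const permissions1 = {
+read: principals1,
+write: principals1,
+};
+acl = new ACL(permissions1);
+const result1 = acl
+.removePermission([PermissionMode.Read], {
+users: ['user1'],
+groups: [],
+})
+.removePermission([PermissionMode.Write], {
+users: [],
+groups: ['group2'],
+})
+.getPermissions();
+expect(result1?.read?.users).toEqual([]);
+expect(result1?.write?.groups).toEqual(['group1']);
+
+const principals2: Principals = {
+users: ['*'],
+groups: ['*'],
+};
+
+const permissions2 = {
+read: principals2,
+write: principals2,
+};
+
+acl = new ACL(permissions2);
+const result2 = acl
+.removePermission([PermissionMode.Read, PermissionMode.Write], {
+users: ['user1'],
+groups: ['group1'],
+})
+.getPermissions();
+expect(result2?.read?.users).toEqual(['*']);
+expect(result2?.write?.groups).toEqual(['*']);
+});
+
+it('test transform permission', () => {
+const principals: Principals = {
+users: ['user1'],
+groups: ['group1', 'group2'],
+};
+const permissions = {
+read: principals,
+write: principals,
+};
+acl = new ACL(permissions);
+const result = acl.transformPermissions();
+expect(result?.length).toEqual(3);
+});
+
+it('test genereate query DSL', () => {
+const principals = {
+users: ['user1'],
+groups: ['group1'],
+};
+const result = ACL.genereateGetPermittedSavedObjectsQueryDSL(
+PermissionMode.Read,
+principals,
+'workspace'
+);
+expect(result).toEqual({
+query: {
+bool: {
+filter: [
+{
+bool: {
+should: [
+{
+terms: {
+'permissions.read.users': ['user1'],
+},
+},
+{
+term: {
+'permissions.read.users': '*',
+},
+},
+{
+terms: {
+'permissions.read.groups': ['group1'],
+},
+},
+{
+term: {
+'permissions.read.groups': '*',
+},
+},
+],
+},
+},
+{
+terms: {
+type: ['workspace'],
+},
+},
+],
+},
+},
+});
+});
+});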
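Review bot: `test has permission` only asserts an exact user match, so the cases that decide whether this ACL fails closed are untested: an ACL built with no permissions (`new ACL()`), a principal matched only through `groups`, and the `'*'` principal that the query-DSL expectation further down treats as matching everyone. I would add at least `expect(new ACL().hasPermission([PermissionMode.Read], { users: ['user1'], groups: [] })).toEqual(false);` and one assertion pinning the intended result when the stored principals are `users: ['*']`. In `test remove permission`, `read` and `write` share the single `principals1` object and only `read.users` and `write.groups` are checked, so a removal that leaks from one mode into the other would still pass; `expect(result1?.write?.users).toEqual(['user1']);` and `expect(result1?.read?.groups).toEqual(['group1', 'group2']);` would catch that (whether `ACL` copies its input is not visible in this file). The suite title `'SavedObjectTypeRegistry'` looks copied from another test and should read `'ACL'`, and `genereate` is misspelled in the public method name, which is cheaper to fix before callers depend on it.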