test(groups): add grants tests for groups API #5403
Conversation
bosorawis
force-pushed
the
bosorawis-prototype-grant-test
branch
from
ffbb1c6 to
e18100e
Compare
bosorawis
force-pushed
the
bosorawis-prototype-grant-test
branch
from
fa1bac8 to
8a31f36
Compare
|
Looks like you need a "go mod tidy" |
| // genAuthTokenCtx creates an auth.VerifierContext which contains a valid auth token | ||
| // for a user which is associated with roles in the roles parameter | ||
| // this function creates an authMethod, account, user at global scope | ||
| func genAuthTokenCtx(t *testing.T, |
There was a problem hiding this comment.
We should add a prefix of Test to the function since it's only used for testing. So nobody accidentally calls it. I think we have a pattern of this in Boundary
There was a problem hiding this comment.
Since the function takes *testing.T as its first parameter so I don't think this can be accidentally called outside of test but I'll add test... prefix to its name 👍
There was a problem hiding this comment.
I would also note that this function is defined in an _test.go file, which means it does not get compiled into the final binary. As such it can only be called via the tests. The pattern of using a Test prefix is usually for things defined in testing.go.
| wantIDs: []string{globalGroup.PublicId, org1Group.PublicId, org2Group.PublicId, proj1Group.PublicId, proj2Group.PublicId, proj3Group.PublicId}, | ||
| }, | ||
| { | ||
| name: "org role grant children IDs only org children", |
There was a problem hiding this comment.
So descendants will also include items in the current scope which is org2Group. I expected only proj2Group and proj3Group to be returned just like GetGroup works with descendants
There was a problem hiding this comment.
Oops, this is a bad test name. The role is in global with descendant access - calling list at org2 will return org2, proj2, proj3. AFAIK, there's no way to make a list exclude the "listing scope". You always get all the groups in ScopeId of the list call.
| }, | ||
| }, | ||
| { | ||
| name: "global_role_grant_all_specific_permissions", |
There was a problem hiding this comment.
This test and the previous are the same or? Unless I am missing the difference
There was a problem hiding this comment.
another test I forgot to rename 🤦
| }, | ||
| }, | ||
| { | ||
| name: "global_role_grant_all_specific_permissions", |
There was a problem hiding this comment.
The test name here is also the same as the last 2 tests. Not distinct enough
There was a problem hiding this comment.
good catch! my bad, will push a fix soon
| t.Run("update", func(t *testing.T) { | ||
| testcases := []struct { | ||
| name string | ||
| setupScopesResourcesRoles func(t *testing.T, conn *db.DB, iamRepo *iam.Repository) (*iam.Group, []roleRequest) |
There was a problem hiding this comment.
Is there a reason why we can't pass only roleRequest and allow the for loop to create a test group to follow the pattern of other tests? is it because we want to create groups in different scopes?
There was a problem hiding this comment.
because in some cases we need ID of the group for testing resource-specific grant string
bosorawis
force-pushed
the
bosorawis-prototype-grant-test
branch
from
e44604f to
8e8eceb
Compare
bosorawis
changed the title
| } | ||
|
|
||
| for _, tc := range testcases { | ||
| t.Run(tc.name, func(t *testing.T) { |
There was a problem hiding this comment.
Can we use the Get call to test the behaviour of output_fields? We could also create a separate test that does this
There was a problem hiding this comment.
IMO output_fields should be tested across all CRUDL methods, not just the the read operations. I'm still working on adding a specific output_fields tests which encompasses all the method types.
bosorawis
force-pushed
the
bosorawis-prototype-grant-test
branch
from
44f89b4 to
4c13c6a
Compare
| // TestRoleWithGrants creates a role suitable for testing along with grants | ||
| // Functional options for GrantScopes aren't used to express that | ||
| // this function does not provide any default grant scope unlike TestRole | ||
| func TestRoleWithGrants(t testing.TB, conn *db.DB, scopeId string, grantScopeIDs []string, grants []string) *Role { |
There was a problem hiding this comment.
this will be moved to an unexported function if the setup pattern is accepted
bosorawis
force-pushed
the
bosorawis-prototype-grant-test
branch
from
f483723 to
ed41a7d
Compare
Add tests that validate covering grants in preparation for grants system rework