forked from ayoquirk/cerbos-pg
-
Notifications
You must be signed in to change notification settings - Fork 0
/
basicResource_test.yaml
165 lines (154 loc) · 3.27 KB
/
basicResource_test.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/TestSuite.schema.json
name: Basic Resource test suite
description: Tests for verifying the basicResource policy
principals:
sally:
id: sally
roles:
- USER
ian:
id: ian
roles:
- ADMIN
frank:
id: frank
roles:
- USER
resources:
resource1:
id: resource1
kind: basicResource
attr:
ownerId: sally
isPublished: true
resource2:
id: resource2
kind: basicResource
attr:
ownerId: sally
isPublished: true
resource3:
id: resource3
kind: basicResource
attr:
ownerId: sally
isPublished: false
newResource:
id: newResource
kind: basicResource
attr:
ownerId: sally
isPublished: false
tests:
- name: Admin Role
input:
principals:
- ian
resources:
- resource1
- resource2
- resource3
actions:
- read
- update
- delete
expected:
- principal: ian
resource: resource1
actions:
read: EFFECT_ALLOW
update: EFFECT_ALLOW
delete: EFFECT_ALLOW
- principal: ian
resource: resource2
actions:
read: EFFECT_ALLOW
update: EFFECT_ALLOW
delete: EFFECT_ALLOW
- principal: ian
resource: resource3
actions:
read: EFFECT_ALLOW
update: EFFECT_ALLOW
delete: EFFECT_ALLOW
- name: Admin Role - Create
input:
principals:
- ian
resources:
- newResource
actions:
- create
expected:
- principal: ian
resource: newResource
actions:
create: EFFECT_ALLOW
- name: User Role
input:
principals:
- sally
- frank
resources:
- resource1
- resource2
- resource3
actions:
- read
- update
- delete
expected:
- principal: sally
resource: resource1
actions:
read: EFFECT_ALLOW
update: EFFECT_ALLOW
delete: EFFECT_ALLOW
- principal: sally
resource: resource2
actions:
read: EFFECT_ALLOW
update: EFFECT_ALLOW
delete: EFFECT_ALLOW
- principal: sally
resource: resource3
actions:
read: EFFECT_ALLOW
update: EFFECT_ALLOW
delete: EFFECT_ALLOW
- principal: frank
resource: resource1
actions:
read: EFFECT_ALLOW
update: EFFECT_DENY
delete: EFFECT_DENY
- principal: frank
resource: resource2
actions:
read: EFFECT_ALLOW
update: EFFECT_DENY
delete: EFFECT_DENY
- principal: frank
resource: resource3
actions:
read: EFFECT_DENY
update: EFFECT_DENY
delete: EFFECT_DENY
- name: User Role - Create
input:
principals:
- sally
- frank
resources:
- newResource
actions:
- create
expected:
- principal: sally
resource: newResource
actions:
create: EFFECT_ALLOW
- principal: frank
resource: newResource
actions:
create: EFFECT_ALLOW