inspec: port authz_api to Cypress policies spec
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Brenna Hewer-Darroch committed Feb 21, 2020
1 parent a2162bf commit 3412013
Showing 3 changed files with 225 additions and 1,224 deletions.
294 changes: 225 additions & 69 deletions e2e/cypress/integration/api/iam/policies_api.spec.ts
@@ -1,18 +1,43 @@
const defaultAdminReq = {
headers: {}, // must fill in before use
url: '/apis/iam/v2/policies'
};
const cypressPrefix = 'test-policies-api';
const now = Cypress.moment().format('MMDDYYhhmm');
const project1 = {
id: `${cypressPrefix}-project1-${now}`,
name: 'Test Project 1'
};
const project2 = {
id: `${cypressPrefix}-project2-${now}`,
name: 'Test Project 2'
};
const policyID = `${cypressPrefix}-policy-${now}`;
const policyName = `${cypressPrefix} policy ${now}`;

const chefManagedPolicyIDs = [
'administrator-access',
'editor-access',
'viewer-access',
'ingest-access'
];

interface Policy {
id: string;
name: string;
members: string[];
statements: Statement[];
projects: string[];
}

interface Statement {
effect: string;
actions: string[];
projects: string[];
}


describe('policies API', () => {
const defaultAdminReq = {
headers: {}, // must fill in before use
url: '/apis/iam/v2/policies'
};
const cypressPrefix = 'test-policies-api';
const now = Cypress.moment().format('MMDDYYhhmm');
const project1 = {
id: `${cypressPrefix}-project1-${now}`,
name: 'Test Project 1'
};
const project2 = {
id: `${cypressPrefix}-project2-${now}`,
name: 'Test Project 2'
};

before(() => {
defaultAdminReq.headers = { 'api-token': Cypress.env('ADMIN_TOKEN') };
@@ -32,75 +57,207 @@ describe('policies API', () => {
cy.cleanupV2IAMObjectsByIDPrefixes(cypressPrefix, ['policies', 'projects']);
});

describe('POST /apis/iam/v2/policies', () => {
beforeEach(() => {
describe('policies API', () => {

before(() => {
cy.cleanupV2IAMObjectsByIDPrefixes(cypressPrefix, ['policies']);
});

afterEach(() => {
after(() => {
cy.cleanupV2IAMObjectsByIDPrefixes(cypressPrefix, ['policies']);
});

it('returns 400 when there are no statements', () => {
cy.request({
...defaultAdminReq,
method: 'POST',
failOnStatusCode: false,
body: {
id: `${cypressPrefix}-policy-${now}`,
name: `${cypressPrefix} policy ${now}`,
members: ['team:local:test'],
projects: [project1.id]
}
}).then((response) => {
expect(response.status).to.equal(400);
describe('POST /apis/iam/v2/policies', () => {

it('returns 200 when all valid inputs are provided', () => {
cy.request({
...defaultAdminReq,
method: 'POST',
failOnStatusCode: false,
body: {
id: policyID,
name: policyName,
members: ['team:local:test'],
statements: [
{
effect: 'ALLOW',
actions: ['test:svc:someaction', 'test:svc:otheraction'],
projects: [project1.id]
}
],
projects: [project1.id]
}
}).then((response) => {
expect(response.status).to.equal(200);
expect(response.body.policy.id).to.equal(policyID);
expect(response.body.policy.name).to.equal(policyName);
expect(response.body.policy.members).to.deep.equal(['team:local:test']);
expect(response.body.policy.statements).to.deep.equal([{
effect: 'ALLOW',
actions: ['test:svc:someaction', 'test:svc:otheraction'],
resources: ['*'],
role: '',
projects: [project1.id]
}]);
expect(response.body.policy.projects).to.deep.equal([project1.id]);
});
});
});
});

describe('PUT /apis/iam/v2/policies', () => {
beforeEach(() => {
cy.cleanupV2IAMObjectsByIDPrefixes(cypressPrefix, ['policies']);
it('returns 400 when there are no statements', () => {
cy.request({
...defaultAdminReq,
method: 'POST',
failOnStatusCode: false,
body: {
id: `${cypressPrefix}-policy-${now}`,
name: `${cypressPrefix} policy ${now}`,
members: ['team:local:test'],
projects: [project1.id]
}
}).then((response) => {
expect(response.status).to.equal(400);
});
});
});

afterEach(() => {
cy.cleanupV2IAMObjectsByIDPrefixes(cypressPrefix, ['policies']);
describe('GET', () => {

it('returns 200 on successful fetch (/apis/iam/v2/policies)', () => {
cy.request({
...defaultAdminReq,
method: 'GET',
url: '/apis/iam/v2/policies'
}).then((response) => {
expect(response.status).to.equal(200);
expect(response.body.policies.length).to.equal(chefManagedPolicyIDs.length + 1);

const policyIDs = response.body.policies.map((pol: Policy) => pol.id);

chefManagedPolicyIDs.forEach((id: string) => {
expect(policyIDs).include(id);
});
expect(policyIDs).to.include(policyID);
});
});

it('returns 200 on successful fetch (/apis/iam/v2/policies/{policy_id})', () => {
cy.request({
...defaultAdminReq,
method: 'GET',
url: `/apis/iam/v2/policies/${policyID}`
}).then((response) => {
expect(response.status).to.equal(200);
expect(response.body.policy.id).to.equal(policyID);
expect(response.body.policy.name).to.equal(policyName);
expect(response.body.policy.members).to.deep.equal(['team:local:test']);
expect(response.body.policy.statements).to.deep.equal([{
effect: 'ALLOW',
actions: ['test:svc:someaction', 'test:svc:otheraction'],
resources: ['*'],
role: '',
projects: [project1.id]
}]);
expect(response.body.policy.projects).to.deep.equal([project1.id]);
});
});

it('returns 404 if policy not found', () => {
cy.request({
...defaultAdminReq,
method: 'GET',
url: '/apis/iam/v2/policies/not-a-real-policy-nope',
failOnStatusCode: false
}).then((response) => {
expect(response.status).to.equal(404);
});
});
});

const policyID = `${cypressPrefix}-policy-${now}`;
beforeEach(() => {
cy.request({
...defaultAdminReq,
method: 'POST',
body: {
id: policyID,
name: `${cypressPrefix} policy ${now}`,
members: ['team:local:test'],
statements: [
{
effect: 'ALLOW',
actions: ['test:svc:someaction', 'test:svc:otheraction'],
projects: [project1.id]
}
],
projects: [project1.id]
}
describe('PUT /apis/iam/v2/policies', () => {

it('returns 200 when all valid inputs are provided', () => {
cy.request({
...defaultAdminReq,
method: 'PUT',
url: `/apis/iam/v2/policies/${policyID}`,
body: {
name: 'shiny new name',
members: ['user:local:test2'],
statements: [
{
effect: 'DENY',
actions: ['test:svc:anotheraction'],
projects: [project2.id]
}
],
projects: [project2.id]
}
}).then((response) => {
expect(response.status).to.equal(200);
expect(response.body.policy.id).to.equal(policyID);
expect(response.body.policy.name).to.equal('shiny new name');
expect(response.body.policy.members).to.deep.equal(['user:local:test2']);
expect(response.body.policy.statements).to.deep.equal([{
effect: 'DENY',
actions: ['test:svc:anotheraction'],
resources: ['*'],
role: '',
projects: [project2.id]
}]);
expect(response.body.policy.projects).to.deep.equal([project2.id]);
});
});

it('returns 400 when there are no statements', () => {
cy.request({
...defaultAdminReq,
method: 'PUT',
url: `/apis/iam/v2/policies/${policyID}`,
failOnStatusCode: false,
body: {
name: `${cypressPrefix} policy ${now}`,
members: ['team:local:test'],
projects: [project1.id]
}
}).then((response) => {
expect(response.status).to.equal(400);
});
});
});

it('returns 400 when there are no statements', () => {
cy.request({
...defaultAdminReq,
method: 'PUT',
url: `/apis/iam/v2/policies/${policyID}`,
failOnStatusCode: false,
body: {
name: `${cypressPrefix} policy ${now}`,
members: ['team:local:test'],
projects: [project1.id]
}
}).then((response) => {
expect(response.status).to.equal(400);
describe('DELETE /apis/iam/v2/policies/{policy_id}', () => {

it('returns 200 on successful delete', () => {
cy.request({
...defaultAdminReq,
method: 'DELETE',
url: `/apis/iam/v2/policies/${policyID}`
}).then((response) => {
expect(response.status).to.equal(200);
expect(response.body).to.deep.equal({});
});
});

it('returns 404 if policy not found', () => {
cy.request({
...defaultAdminReq,
method: 'DELETE',
url: `/apis/iam/v2/policies/${policyID}`,
failOnStatusCode: false
}).then((response) => {
expect(response.status).to.equal(404);
});
});

it('returns 403 if policy is chef-managed', () => {
cy.request({
...defaultAdminReq,
method: 'DELETE',
url: `/apis/iam/v2/policies/${chefManagedPolicyIDs[0]}`,
failOnStatusCode: false
}).then((response) => {
expect(response.status).to.equal(403);
});
});
});
});
@@ -109,7 +266,6 @@ describe('policies API', () => {
let nonAdminToken = '';
const nonAdminTokenID = `${cypressPrefix}-nonadmin-token-${now}`;
const statementProjects = [project1.id];
const policyID = `${cypressPrefix}-policy-${now}`;
const defaultNonAdminReq = {
headers: {}, // must fill in before use
method: 'POST',
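Review bot: The `returns 403 if policy is chef-managed` case in the `DELETE /apis/iam/v2/policies/{policy_id}` block only exercises `chefManagedPolicyIDs[0]` and only checks the status code, so a regression that leaves `editor-access`, `viewer-access` or `ingest-access` deletable would still pass. That block looks like it is on the new side, though the +/- markers are lost in this rendering. Generating one case per ID would cover all four, for example `chefManagedPolicyIDs.forEach((id: string) => { it('returns 403 if policy is chef-managed: ' + id, () => { ... }); });` with the URL built from `id`, and a follow-up GET expecting 200 would confirm the policy survived the rejected delete. Separately, the hooks appear to have moved from `beforeEach`/`afterEach` to `before`/`after`, so the GET, PUT and DELETE cases depend on the policy created by the POST case and on running in file order. A comment above the outer `describe` would make that explicit, such as `// Cases run in order: POST creates policyID, GET/PUT use it, DELETE removes it.`; the list assertion `chefManagedPolicyIDs.length + 1` likewise assumes no other policies exist on the target system.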
