WIP

ghalactic · Dec 13, 2024 · efcc284 · efcc284
1 parent bc364e7
commit efcc284
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 0 deletions.
diff --git a/test/suite/unit/auth/authorize-token-for-repo-all-repos.spec.ts b/test/suite/unit/auth/authorize-token-for-repo-all-repos.spec.ts
@@ -676,3 +676,36 @@ it("doesn't allow tokens when a later rule removes access that a previous rule a
           ❌ contents: have none, wanted write"
   `);
 });
+
+it("doesn't allow tokens when the consumer is not authorized", () => {
+  const authorizer = createTokenAuthorizer({
+    rules: [
+      {
+        resources: [
+          {
+            accounts: ["account-a"],
+            noRepos: false,
+            allRepos: true,
+            selectedRepos: [],
+          },
+        ],
+        consumers: ["account-x", "account-x/repo-x"],
+        permissions: { contents: "write" },
+      },
+    ],
+  });
+
+  expect(
+    explain(
+      authorizer.authorizeForRepo("account-x/repo-y", {
+        role: undefined,
+        account: "account-a",
+        repos: "all",
+        permissions: { contents: "write" },
+      }),
+    ),
+  ).toMatchInlineSnapshot(`
+    "❌ Repo account-x/repo-y was denied access to a token:
+      ❌ Insufficient access to all repos in account-a (no matching rules)"
+  `);
+});
diff --git a/test/suite/unit/auth/authorize-token-for-repo-no-repos.spec.ts b/test/suite/unit/auth/authorize-token-for-repo-no-repos.spec.ts
@@ -676,3 +676,36 @@ it("doesn't allow tokens when a later rule removes access that a previous rule a
           ❌ contents: have none, wanted write"
   `);
 });
+
+it("doesn't allow tokens when the consumer is not authorized", () => {
+  const authorizer = createTokenAuthorizer({
+    rules: [
+      {
+        resources: [
+          {
+            accounts: ["account-a"],
+            noRepos: true,
+            allRepos: false,
+            selectedRepos: [],
+          },
+        ],
+        consumers: ["account-x", "account-x/repo-x"],
+        permissions: { contents: "write" },
+      },
+    ],
+  });
+
+  expect(
+    explain(
+      authorizer.authorizeForRepo("account-x/repo-y", {
+        role: undefined,
+        account: "account-a",
+        repos: [],
+        permissions: { contents: "write" },
+      }),
+    ),
+  ).toMatchInlineSnapshot(`
+    "❌ Repo account-x/repo-y was denied access to a token:
+      ❌ Insufficient access to account-a (no matching rules)"
+  `);
+});
diff --git a/test/suite/unit/auth/authorize-token-for-repo-selected-repos.spec.ts b/test/suite/unit/auth/authorize-token-for-repo-selected-repos.spec.ts
@@ -773,3 +773,36 @@ it("doesn't allow tokens when a later rule removes access that a previous rule a
           ❌ contents: have none, wanted read"
   `);
 });
+
+it("doesn't allow tokens when the consumer is not authorized", () => {
+  const authorizer = createTokenAuthorizer({
+    rules: [
+      {
+        resources: [
+          {
+            accounts: ["account-a"],
+            noRepos: false,
+            allRepos: false,
+            selectedRepos: ["repo-a"],
+          },
+        ],
+        consumers: ["account-x", "account-x/repo-x"],
+        permissions: { contents: "write" },
+      },
+    ],
+  });
+
+  expect(
+    explain(
+      authorizer.authorizeForRepo("account-x/repo-y", {
+        role: undefined,
+        account: "account-a",
+        repos: ["repo-a"],
+        permissions: { contents: "write" },
+      }),
+    ),
+  ).toMatchInlineSnapshot(`
+    "❌ Repo account-x/repo-y was denied access to a token:
+      ❌ Insufficient access to repo account-a/repo-a (no matching rules)"
+  `);
+});