From efcc284dbfebeec0b00ae5d15e39dcf5598f5949 Mon Sep 17 00:00:00 2001
From: Erin Millard
Date: Fri, 13 Dec 2024 12:27:42 +1000
Subject: [PATCH] WIP
---
...authorize-token-for-repo-all-repos.spec.ts | 33 +++++++++++++++++++
.../authorize-token-for-repo-no-repos.spec.ts | 33 +++++++++++++++++++
...rize-token-for-repo-selected-repos.spec.ts | 33 +++++++++++++++++++
3 files changed, 99 insertions(+)
diff --git a/test/suite/unit/auth/authorize-token-for-repo-all-repos.spec.ts b/test/suite/unit/auth/authorize-token-for-repo-all-repos.spec.ts
index e73a8f6..b8c87d5 100644
--- a/test/suite/unit/auth/authorize-token-for-repo-all-repos.spec.ts
+++ b/test/suite/unit/auth/authorize-token-for-repo-all-repos.spec.ts
@@ -676,3 +676,36 @@ it("doesn't allow tokens when a later rule removes access that a previous rule a
 ❌ contents: have none, wanted write"
 `);
 });
+
+it("doesn't allow tokens when the consumer is not authorized", () => {
+ const authorizer = createTokenAuthorizer({
+ rules: [
+ {
+ resources: [
+ {
+ accounts: ["account-a"],
+ noRepos: false,
+ allRepos: true,
+ selectedRepos: [],
+ },
+ ],
+ consumers: ["account-x", "account-x/repo-x"],
+ permissions: { contents: "write" },
+ },
+ ],
+ });
+
+ expect(
+ explain(
+ authorizer.authorizeForRepo("account-x/repo-y", {
+ role: undefined,
+ account: "account-a",
+ repos: "all",
+ permissions: { contents: "write" },
+ }),
+ ),
+ ).toMatchInlineSnapshot(`
+ "❌ Repo account-x/repo-y was denied access to a token:
+ ❌ Insufficient access to all repos in account-a (no matching rules)"
+ `);
+});
diff --git a/test/suite/unit/auth/authorize-token-for-repo-no-repos.spec.ts b/test/suite/unit/auth/authorize-token-for-repo-no-repos.spec.ts
index 0d03f7f..8dfa83d 100644
--- a/test/suite/unit/auth/authorize-token-for-repo-no-repos.spec.ts
+++ b/test/suite/unit/auth/authorize-token-for-repo-no-repos.spec.ts
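Review bot: The denial in the new test depends on the `"account-x"` entry in `consumers` not matching the requesting repo `account-x/repo-y`, and nothing in the test records that this is the intended rule, so a later change that lets such an entry stand for every repo in that account would break it with no explanation. I'd put a comment above `consumers: ["account-x", "account-x/repo-x"],` along the lines of `// "account-x" must not act as a wildcard for account-x/*; only the exact repo entry matches` (assuming that is the intended semantics — the matching code isn't in this hunk). I'd also add a positive counterpart that authorizes `account-x/repo-x` under the same rule, so the `(no matching rules)` outcome is shown to come from the consumer filter rather than from the rule being unusable for some other reason; as written, the assertion would also pass if `createTokenAuthorizer` denied this rule to every consumer.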
@@ -676,3 +676,36 @@ it("doesn't allow tokens when a later rule removes access that a previous rule a
 ❌ contents: have none, wanted write"
 `);
 });
+
+it("doesn't allow tokens when the consumer is not authorized", () => {
+ const authorizer = createTokenAuthorizer({
+ rules: [
+ {
+ resources: [
+ {
+ accounts: ["account-a"],
+ noRepos: true,
+ allRepos: false,
+ selectedRepos: [],
+ },
+ ],
+ consumers: ["account-x", "account-x/repo-x"],
+ permissions: { contents: "write" },
+ },
+ ],
+ });
+
+ expect(
+ explain(
+ authorizer.authorizeForRepo("account-x/repo-y", {
+ role: undefined,
+ account: "account-a",
+ repos: [],
+ permissions: { contents: "write" },
+ }),
+ ),
+ ).toMatchInlineSnapshot(`
+ "❌ Repo account-x/repo-y was denied access to a token:
+ ❌ Insufficient access to account-a (no matching rules)"
+ `);
+});
diff --git a/test/suite/unit/auth/authorize-token-for-repo-selected-repos.spec.ts b/test/suite/unit/auth/authorize-token-for-repo-selected-repos.spec.ts
index d903fdf..b5275e5 100644
--- a/test/suite/unit/auth/authorize-token-for-repo-selected-repos.spec.ts
+++ b/test/suite/unit/auth/authorize-token-for-repo-selected-repos.spec.ts
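Review bot: The new test only exercises a consumer that shares its account name with a listed consumer (`account-x/repo-y` against `"account-x"`), so a consumer from an account that appears nowhere in `consumers` is never checked, and the two mismatch paths — same account but different repo, and entirely unrelated account — are not separable from this one assertion. I'd keep this case and add a second call, `authorizer.authorizeForRepo("account-z/repo-y", { ...the same request... })`, expecting the same `Insufficient access to account-a (no matching rules)` message, so both paths are pinned. The test name could also say which of the two it covers, e.g. `it("doesn't allow tokens for a repo whose account, but not the repo itself, is a listed consumer", ...)`. Whether the consumer matcher treats an account-only entry as a prefix or an exact name isn't visible in this hunk, so the second case is what makes the distinction observable.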
@@ -773,3 +773,36 @@ it("doesn't allow tokens when a later rule removes access that a previous rule a
 ❌ contents: have none, wanted read"
 `);
 });
+
+it("doesn't allow tokens when the consumer is not authorized", () => {
+ const authorizer = createTokenAuthorizer({
+ rules: [
+ {
+ resources: [
+ {
+ accounts: ["account-a"],
+ noRepos: false,
+ allRepos: false,
+ selectedRepos: ["repo-a"],
+ },
+ ],
+ consumers: ["account-x", "account-x/repo-x"],
+ permissions: { contents: "write" },
+ },
+ ],
+ });
+
+ expect(
+ explain(
+ authorizer.authorizeForRepo("account-x/repo-y", {
+ role: undefined,
+ account: "account-a",
+ repos: ["repo-a"],
+ permissions: { contents: "write" },
+ }),
+ ),
+ ).toMatchInlineSnapshot(`
+ "❌ Repo account-x/repo-y was denied access to a token:
+ ❌ Insufficient access to repo account-a/repo-a (no matching rules)"
+ `);
+});
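Review bot: A single rule cannot show that a rule whose `consumers` don't match is excluded before permissions are combined; it only shows that with no usable rule at all the request is denied, which is the weaker property. Since this file already combines rules (the hunk header's `doesn't allow tokens when a later rule removes access that a previous rule a…`), I'd add a two-rule case in which a rule for `account-x/repo-y` grants `contents: read` and a rule for a different consumer grants `contents: write`, then request `write` and expect the read-only outcome rather than `(no matching rules)` — that is the case where a consumer-filter bug would leak a broader permission. Leaving `toMatchInlineSnapshot()` empty lets Jest write the message on first run, which can then be checked for the `have read, wanted write` wording the sibling messages in this file use; I haven't written the exact text because the `explain` output format isn't in this hunk.
```typescript
it("doesn't let a rule for another consumer widen a matching rule's permissions", () => {
  const authorizer = createTokenAuthorizer({
    rules: [
      {
        resources: [
          { accounts: ["account-a"], noRepos: false, allRepos: false, selectedRepos: ["repo-a"] },
        ],
        consumers: ["account-x/repo-y"],
        permissions: { contents: "read" },
      },
      {
        resources: [
          { accounts: ["account-a"], noRepos: false, allRepos: false, selectedRepos: ["repo-a"] },
        ],
        consumers: ["account-x/repo-x"], // not the requesting repo; must be ignored
        permissions: { contents: "write" },
      },
    ],
  });

  expect(
    explain(
      authorizer.authorizeForRepo("account-x/repo-y", {
        role: undefined,
        account: "account-a",
        repos: ["repo-a"],
        permissions: { contents: "write" },
      }),
    ),
  ).toMatchInlineSnapshot(); // let Jest fill this in, then confirm it reports the read-only rule, not "no matching rules"
});
```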