add integration tests for licensee authz

keygen-sh · Jan 17, 2024 · 315c3d4 · 315c3d4
1 parent 5c36db8
commit 315c3d4
Show file tree

Hide file tree

Showing 79 changed files with 2,257 additions and 139 deletions.
diff --git a/app/policies/machines/v1x5/user_policy.rb b/app/policies/machines/v1x5/user_policy.rb
@@ -15,7 +15,7 @@ def show?
         allow!
       in role: Role(:product) if machine.product == bearer
         allow!
-      in role: Role(:user) if machine.owner == bearer || machine.license.owner == bearer  || bearer.machines.exists?(machine.id)
+      in role: Role(:user) if machine.license.owner == bearer
         allow!
       in role: Role(:license) if machine.license == bearer
         allow!

diff --git a/features/api/v1/arches/index.feature b/features/api/v1/arches/index.feature
@@ -416,7 +416,7 @@ Feature: List release arches
     Then the response status should be "200"
     And the response body should be an array of 0 "arches"
 
-  Scenario: User attempts to retrieve the arches for a product (licensed)
+  Scenario: User attempts to retrieve the arches for their license (owner)
     Given the current account is "test1"
     And the current account has 1 "user"
     And the current account has 1 "product"
@@ -431,7 +431,22 @@ Feature: List release arches
     Then the response status should be "200"
     And the response body should be an array of 1 "arch"
 
-  Scenario: User attempts to retrieve the arches for a product (unlicensed)
+  Scenario: User attempts to retrieve the arches for their license (licensee)
+    Given the current account is "test1"
+    And the current account has 1 "user"
+    And the current account has 1 "product"
+    And the current account has 1 "policy" for an existing "product"
+    And the current account has 1 "license" for an existing "policy"
+    And the current account has 1 "license-user" for the last "license" and the last "user"
+    And the current account has 1 "release" for an existing "product"
+    And the current account has 1 "artifact" for an existing "release"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/arches"
+    Then the response status should be "200"
+    And the response body should be an array of 1 "arch"
+
+  Scenario: User attempts to retrieve their arches (unlicensed)
     Given the current account is "test1"
     And the current account has 1 "user"
     And the current account has 1 "product"

diff --git a/features/api/v1/arches/show.feature b/features/api/v1/arches/show.feature
@@ -159,7 +159,21 @@ Feature: Show release arch
     When I send a GET request to "/accounts/test1/arches/$0"
     Then the response status should be "404"
 
-  Scenario: User retrieves an arch with a license for it
+  Scenario: User retrieves an arch with a license for it (owner)
+    Given the current account is "test1"
+    And the current account has 1 "user"
+    And the current account has 1 "product"
+    And the current account has 1 "release" for an existing "product"
+    And the current account has 1 "artifact" for the last "release"
+    And the current account has 1 "policy" for an existing "product"
+    And the current account has 1 "license" for an existing "policy"
+    And the current account has 1 "license-user" for the last "license" and the last "user"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/arches/$0"
+    Then the response status should be "200"
+
+  Scenario: User retrieves an arch with a license for it (licensee)
     Given the current account is "test1"
     And the current account has 1 "user"
     And the current account has 1 "product"

diff --git a/features/api/v1/artifacts/index.feature b/features/api/v1/artifacts/index.feature
@@ -673,7 +673,7 @@ Feature: List release artifacts
     Then the response status should be "200"
     And the response body should be an array of 0 "artifacts"
 
-  Scenario: User attempts to retrieve the artifacts for their products (licensed)
+  Scenario: User attempts to retrieve the artifacts for their licenses (owner)
     Given the current account is "test1"
     And the current account has 3 "products"
     And the current account has 1 "policy" for each "product"
@@ -690,7 +690,24 @@ Feature: List release artifacts
     Then the response status should be "200"
     And the response body should be an array of 4 "artifacts"
 
-  Scenario: User attempts to retrieve the artifacts for a product (unlicensed)
+  Scenario: User attempts to retrieve the artifacts for their licenses (licensee)
+    Given the current account is "test1"
+    And the current account has 3 "products"
+    And the current account has 1 "policy" for each "product"
+    And the current account has 2 "licenses" for the first "policy"
+    And the current account has 1 "license" for the second "policy"
+    And the current account has 2 "releases" for each "product"
+    And the current account has 2 "artifacts" for each "release"
+    And the current account has 1 "user"
+    And the current account has 1 "license-user" for the first "license" and the last "user"
+    And the current account has 1 "license-user" for the second "license" and the last "user"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/artifacts"
+    Then the response status should be "200"
+    And the response body should be an array of 4 "artifacts"
+
+  Scenario: User attempts to retrieve their artifacts (unlicensed)
     Given the current account is "test1"
     And the current account has 1 "user"
     And the current account has 1 "product"

diff --git a/features/api/v1/artifacts/show.feature b/features/api/v1/artifacts/show.feature
@@ -294,7 +294,7 @@ Feature: Show release artifact
     When I send a GET request to "/accounts/test1/artifacts/$0"
     Then the response status should be "404"
 
-  Scenario: User retrieves an artifact with a license for it
+  Scenario: User retrieves an artifact with a license for it (owner)
     Given the current account is "test1"
     And the current account has 1 "user"
     And the current account has 1 "product"
@@ -308,6 +308,20 @@ Feature: Show release artifact
     When I send a GET request to "/accounts/test1/artifacts/$0"
     Then the response status should be "303"
 
+  Scenario: User retrieves an artifact with a license for it (licensee)
+    Given the current account is "test1"
+    And the current account has 1 "user"
+    And the current account has 1 "product"
+    And the current account has 1 "release" for an existing "product"
+    And the current account has 1 "policy" for an existing "product"
+    And the current account has 1 "license" for an existing "policy"
+    And the current account has 1 "license-user" for the last "license" and the last "user"
+    And the current account has 1 "artifact" for the last "release"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/artifacts/$0"
+    Then the response status should be "303"
+
   Scenario: License retrieves an artifact of a different product
     Given the current account is "test1"
     And the current account has 1 "license"

diff --git a/features/api/v1/channels/index.feature b/features/api/v1/channels/index.feature
@@ -422,7 +422,7 @@ Feature: List release channels
     Then the response status should be "200"
     And the response body should be an array of 0 "channels"
 
-  Scenario: User attempts to retrieve the channels for a product (licensed)
+  Scenario: User attempts to retrieve the channels for their licenses (owner)
     Given the current account is "test1"
     And the current account has 1 "user"
     And the current account has 1 "product"
@@ -437,7 +437,22 @@ Feature: List release channels
     Then the response status should be "200"
     And the response body should be an array of 1 "channel"
 
-  Scenario: User attempts to retrieve the channels for a product (unlicensed)
+  Scenario: User attempts to retrieve the channels for their licenses (licensee)
+    Given the current account is "test1"
+    And the current account has 1 "user"
+    And the current account has 1 "product"
+    And the current account has 1 "policy" for an existing "product"
+    And the current account has 1 "license" for an existing "policy"
+    And the current account has 1 "license-user" for the last "license" and the last "user"
+    And the current account has 1 "release" for an existing "product"
+    And the current account has 1 "artifact" for the first "release"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/channels"
+    Then the response status should be "200"
+    And the response body should be an array of 1 "channel"
+
+  Scenario: User attempts to retrieve their channels (unlicensed)
     Given the current account is "test1"
     And the current account has 1 "user"
     And the current account has 1 "product"

diff --git a/features/api/v1/channels/show.feature b/features/api/v1/channels/show.feature
@@ -150,7 +150,7 @@ Feature: Show release channel
     When I send a GET request to "/accounts/test1/channels/$0"
     Then the response status should be "404"
 
-  Scenario: User retrieves a channel with a license for it
+  Scenario: User retrieves a channel with a license for it (owner)
     Given the current account is "test1"
     And the current account has 1 "user"
     And the current account has 1 "product"
@@ -163,6 +163,19 @@ Feature: Show release channel
     When I send a GET request to "/accounts/test1/channels/$0"
     Then the response status should be "200"
 
+  Scenario: User retrieves a channel with a license for it (licensee)
+    Given the current account is "test1"
+    And the current account has 1 "user"
+    And the current account has 1 "product"
+    And the current account has 1 "release" for an existing "product"
+    And the current account has 1 "policy" for an existing "product"
+    And the current account has 1 "license" for an existing "policy"
+    And the current account has 1 "license-user" for the last "license" and the last "user"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/channels/$0"
+    Then the response status should be "200"
+
   Scenario: License retrieves a channel of a different product
     Given the current account is "test1"
     And the current account has 1 "license"

diff --git a/features/api/v1/components/create.feature b/features/api/v1/components/create.feature
@@ -1026,7 +1026,7 @@ Feature: Create machine component
     And sidekiq should have 1 "metric" job
     And sidekiq should have 1 "request-log" job
 
-  Scenario: User creates a component for their machine
+  Scenario: User creates a component for their machine (owner)
     Given the current account is "test1"
     And the current account has 2 "webhook-endpoints"
     And the current account has 1 "user"
@@ -1066,6 +1066,81 @@ Feature: Create machine component
     And sidekiq should have 1 "metric" job
     And sidekiq should have 1 "request-log" job
 
+  Scenario: User creates a component for their machine (licensee, as owner)
+    Given the current account is "test1"
+    And the current account has 2 "webhook-endpoints"
+    And the current account has 1 "user"
+    And the current account has 1 "license"
+    And the current account has 1 "license-user" for the last "license" and the last "user"
+    And the current account has 1 "machine" for the last "license" and the last "user" as "owner"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a POST request to "/accounts/test1/components" with the following:
+      """
+      {
+        "data": {
+          "type": "components",
+          "attributes": {
+            "fingerprint": "26f93d8e-e7e0-4078-93af-9132886799c5",
+            "name": "HDD"
+          },
+          "relationships": {
+            "machine": {
+              "data": {
+                "type": "machines",
+                "id": "$machines[0]"
+              }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "201"
+    And the response body should be a "component" with the following attributes:
+      """
+      {
+        "fingerprint": "26f93d8e-e7e0-4078-93af-9132886799c5",
+        "name": "HDD"
+      }
+      """
+    And sidekiq should have 2 "webhook" jobs
+    And sidekiq should have 1 "metric" job
+    And sidekiq should have 1 "request-log" job
+
+  Scenario: User creates a component for their machine (licensee, no owner)
+    Given the current account is "test1"
+    And the current account has 2 "webhook-endpoints"
+    And the current account has 1 "user"
+    And the current account has 1 "license"
+    And the current account has 1 "license-user" for the last "license" and the last "user"
+    And the current account has 1 "machine" for the last "license"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a POST request to "/accounts/test1/components" with the following:
+      """
+      {
+        "data": {
+          "type": "components",
+          "attributes": {
+            "fingerprint": "26f93d8e-e7e0-4078-93af-9132886799c5",
+            "name": "HDD"
+          },
+          "relationships": {
+            "machine": {
+              "data": {
+                "type": "machines",
+                "id": "$machines[0]"
+              }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "403"
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 0 "metric" jobs
+    And sidekiq should have 1 "request-log" job
+
   Scenario: User creates a component for their machine with a protected policy
     Given the current account is "test1"
     And the current account has 2 "webhook-endpoints"

diff --git a/features/api/v1/components/destroy.feature b/features/api/v1/components/destroy.feature
@@ -131,7 +131,7 @@ Feature: Delete machine component
     And sidekiq should have 0 "metric" jobs
     And sidekiq should have 1 "request-log" job
 
-  Scenario: User deletes a component for their unprotected license
+  Scenario: User deletes a component for their unprotected license (owner)
     Given the current account is "test1"
     And the current account has 1 "webhook-endpoint"
     And the current account has 1 "policy"
@@ -156,6 +156,50 @@ Feature: Delete machine component
     And sidekiq should have 1 "metric" job
     And sidekiq should have 1 "request-log" job
 
+  Scenario: User deletes a component for their unprotected license (licensee, as owner)
+    Given the current account is "test1"
+    And the current account has 1 "webhook-endpoint"
+    And the current account has 1 "policy"
+    And the first "policy" has the following attributes:
+      """
+      { "protected": false }
+      """
+    And the current account has 1 "user"
+    And the current account has 1 "license" for the last "policy"
+    And the current account has 1 "license-user" for the last "license" and the last "user"
+    And the current account has 1 "machine" for the last "license" and the last "user" as "owner"
+    And the current account has 1 "component" for the last "machine"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a DELETE request to "/accounts/test1/components/$0"
+    Then the response status should be "204"
+    And the current account should have 0 "components"
+    And sidekiq should have 1 "webhook" job
+    And sidekiq should have 1 "metric" job
+    And sidekiq should have 1 "request-log" job
+
+  Scenario: User deletes a component for their unprotected license (licensee, no owner)
+    Given the current account is "test1"
+    And the current account has 1 "webhook-endpoint"
+    And the current account has 1 "policy"
+    And the first "policy" has the following attributes:
+      """
+      { "protected": false }
+      """
+    And the current account has 1 "user"
+    And the current account has 1 "license" for the last "policy"
+    And the current account has 1 "license-user" for the last "license" and the last "user"
+    And the current account has 1 "machine" for the last "license"
+    And the current account has 1 "component" for the last "machine"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a DELETE request to "/accounts/test1/components/$0"
+    Then the response status should be "403"
+    And the current account should have 1 "component"
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 0 "metric" jobs
+    And sidekiq should have 1 "request-log" job
+
   Scenario: User deletes a component for their protected license
     Given the current account is "test1"
     And the current account has 1 "webhook-endpoint"

diff --git a/features/api/v1/components/index.feature b/features/api/v1/components/index.feature
@@ -355,7 +355,7 @@ Feature: List machine components
     Then the response status should be "200"
     And the response body should be an array with 0 "components"
 
-  Scenario: User attempts to retrieve all components for their account
+  Scenario: User attempts to retrieve all their components (owner)
     Given the current account is "test1"
     And the current account has 1 "user"
     And the current account has 1 "license" for the last "user" as "owner"
@@ -368,6 +368,20 @@ Feature: List machine components
     Then the response status should be "200"
     And the response body should be an array with 3 "components"
 
+  Scenario: User attempts to retrieve all their components (licensee)
+    Given the current account is "test1"
+    And the current account has 1 "user"
+    And the current account has 3 "licenses"
+    And the current account has 1 "license-user" for the first "license" and the last "user"
+    And the current account has 1 "license-user" for the last "license" and the last "user"
+    And the current account has 1 "machine" for each "license"
+    And the current account has 3 "components" for each "machine"
+    And I am a user of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/components"
+    Then the response status should be "200"
+    And the response body should be an array with 6 "components"
+
   Scenario: License retrieves all components for their license with matches
     Given the current account is "test1"
     And the current account has 1 "license"