1 files changed, 99 insertions, 5 deletions

diff --git a/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp b/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp
index 812d06868fd..8c9e50f17b4 100644
--- a/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp
+++ b/vespalib/src/tests/net/tls/policy_checking_certificate_verifier/policy_checking_certificate_verifier_test.cpp
@@ -124,7 +124,12 @@ PeerCredentials creds_with_cn(vespalib::stringref cn) {
 
 bool verify(AuthorizedPeers authorized_peers, const PeerCredentials& peer_creds) {
     auto verifier = create_verify_callback_from(std::move(authorized_peers));
-    return verifier->verify(peer_creds);
+    return verifier->verify(peer_creds).success();
+}
+
+AssumedRoles verify_roles(AuthorizedPeers authorized_peers, const PeerCredentials& peer_creds) {
+    auto verifier = create_verify_callback_from(std::move(authorized_peers));
+    return verifier->verify(peer_creds).steal_assumed_roles();
 }
 
 TEST("Default-constructed AuthorizedPeers does not allow all authenticated peers") {
@@ -137,6 +142,16 @@ TEST("Specially constructed set of policies allows all authenticated peers") {
     EXPECT_TRUE(verify(allow_all, creds_with_dns_sans({{"anything.goes"}})));
 }
 
+TEST("specially constructed set of policies returns wildcard role set") {
+    auto allow_all = AuthorizedPeers::allow_all_authenticated();
+    EXPECT_EQUAL(verify_roles(allow_all, creds_with_dns_sans({{"anything.goes"}})), AssumedRoles::make_wildcard_role());
+}
+
+TEST("policy without explicit role set implicitly returns wildcard role set") {
+    auto authorized = authorized_peers({policy_with({required_san_dns("yolo.swag")})});
+    EXPECT_EQUAL(verify_roles(authorized, creds_with_dns_sans({{"yolo.swag"}})), AssumedRoles::make_wildcard_role());
+}
+
 TEST("Non-empty policies do not allow all authenticated peers") {
     auto allow_not_all = authorized_peers({policy_with({required_san_dns("hello.world")})});
     EXPECT_FALSE(allow_not_all.allows_all_authenticated());
@@ -231,10 +246,11 @@ struct MultiPolicyMatchFixture {
 };
 
 MultiPolicyMatchFixture::MultiPolicyMatchFixture()
-    : authorized(authorized_peers({policy_with({required_san_dns("hello.world")}),
-                                   policy_with({required_san_dns("foo.bar")}),
-                                   policy_with({required_san_dns("zoid.berg")}),
-                                   policy_with({required_san_uri("zoid://be.rg/")})}))
+    : authorized(authorized_peers({policy_with({required_san_dns("hello.world")},   assumed_roles({"r1"})),
+                                   policy_with({required_san_dns("foo.bar")},       assumed_roles({"r2"})),
+                                   policy_with({required_san_dns("zoid.berg")},     assumed_roles({"r2", "r3"})),
+                                   policy_with({required_san_dns("secret.sauce")},  AssumedRoles::make_wildcard_role()),
+                                   policy_with({required_san_uri("zoid://be.rg/")}, assumed_roles({"r4"}))}))
 {}
 
 MultiPolicyMatchFixture::~MultiPolicyMatchFixture() = default;
@@ -246,14 +262,34 @@ TEST_F("peer verifies if it matches at least 1 policy of multiple", MultiPolicyM
     EXPECT_TRUE(verify(f.authorized, creds_with_uri_sans({{"zoid://be.rg/"}})));
 }
 
+TEST_F("role set is returned for single matched policy", MultiPolicyMatchFixture) {
+    EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"hello.world"}})),   assumed_roles({"r1"}));
+    EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"foo.bar"}})),       assumed_roles({"r2"}));
+    EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"zoid.berg"}})),     assumed_roles({"r2", "r3"}));
+    EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"secret.sauce"}})),  AssumedRoles::make_wildcard_role());
+    EXPECT_EQUAL(verify_roles(f.authorized, creds_with_uri_sans({{"zoid://be.rg/"}})), assumed_roles({"r4"}));
+}
+
 TEST_F("peer verifies if it matches multiple policies", MultiPolicyMatchFixture) {
     EXPECT_TRUE(verify(f.authorized, creds_with_dns_sans({{"hello.world"}, {"zoid.berg"}})));
 }
 
+TEST_F("union role set is returned if multiple policies match", MultiPolicyMatchFixture) {
+    EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}, {"zoid.berg"}})),
+                 assumed_roles({"r1", "r2", "r3"}));
+    // Wildcard role is tracked as a distinct role string
+    EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"hello.world"}, {"foo.bar"}, {"secret.sauce"}})),
+                 assumed_roles({"r1", "r2", "*"}));
+}
+
 TEST_F("peer must match at least 1 of multiple policies", MultiPolicyMatchFixture) {
     EXPECT_FALSE(verify(f.authorized, creds_with_dns_sans({{"does.not.exist"}})));
 }
 
+TEST_F("empty role set is returned if no policies match", MultiPolicyMatchFixture) {
+    EXPECT_EQUAL(verify_roles(f.authorized, creds_with_dns_sans({{"does.not.exist"}})), AssumedRoles::make_empty());
+}
+
 TEST("CN requirement without glob pattern is matched as exact string") {
     auto authorized = authorized_peers({policy_with({required_cn("hello.world")})});
     EXPECT_TRUE(verify(authorized,  creds_with_cn("hello.world")));
@@ -272,6 +308,64 @@ TEST("CN requirement can include glob wildcards") {
     EXPECT_FALSE(verify(authorized, creds_with_cn("world")));
 }
 
+TEST("AssumedRoles by default contains no roles") {
+    AssumedRoles roles;
+    EXPECT_TRUE(roles.empty());
+    EXPECT_FALSE(roles.can_assume_role("foo"));
+    auto empty = AssumedRoles::make_empty();
+    EXPECT_EQUAL(roles, empty);
+}
+
+TEST("AssumedRoles can be constructed with an explicit set of roles") {
+    auto roles = AssumedRoles::make_for_roles({"foo", "bar"});
+    EXPECT_TRUE(roles.can_assume_role("foo"));
+    EXPECT_TRUE(roles.can_assume_role("bar"));
+    EXPECT_FALSE(roles.can_assume_role("baz"));
+}
+
+TEST("AssumedRoles wildcard role can assume any role") {
+    auto roles = AssumedRoles::make_wildcard_role();
+    EXPECT_TRUE(roles.can_assume_role("foo"));
+    EXPECT_TRUE(roles.can_assume_role("bar"));
+}
+
+TEST("AssumedRolesBuilder builds union set of added roles") {
+    AssumedRolesBuilder builder;
+    builder.add_union(AssumedRoles::make_for_roles({"hello", "world"}));
+    builder.add_union(AssumedRoles::make_for_roles({"hello", "moon"}));
+    builder.add_union(AssumedRoles::make_for_roles({"goodbye", "moon"}));
+    auto roles = builder.build_with_move();
+    EXPECT_EQUAL(roles, AssumedRoles::make_for_roles({"hello", "goodbye", "moon", "world"}));
+}
+
+TEST("AuthorizationResult is not authorized by default") {
+    AuthorizationResult result;
+    EXPECT_FALSE(result.success());
+    EXPECT_TRUE(result.assumed_roles().empty());
+}
+
+TEST("AuthorizationResult can be explicitly created as not authorzed") {
+    auto result = AuthorizationResult::make_not_authorized();
+    EXPECT_FALSE(result.success());
+    EXPECT_TRUE(result.assumed_roles().empty());
+}
+
+TEST("AuthorizationResult can be pre-authorized for all roles") {
+    auto result = AuthorizationResult::make_authorized_for_all_roles();
+    EXPECT_TRUE(result.success());
+    EXPECT_FALSE(result.assumed_roles().empty());
+    EXPECT_TRUE(result.assumed_roles().can_assume_role("foo"));
+}
+
+TEST("AuthorizationResult can be pre-authorized for an explicit set of roles") {
+    auto result = AuthorizationResult::make_authorized_for_roles(AssumedRoles::make_for_roles({"elden", "ring"}));
+    EXPECT_TRUE(result.success());
+    EXPECT_FALSE(result.assumed_roles().empty());
+    EXPECT_TRUE(result.assumed_roles().can_assume_role("elden"));
+    EXPECT_TRUE(result.assumed_roles().can_assume_role("ring"));
+    EXPECT_FALSE(result.assumed_roles().can_assume_role("O you don't have the right"));
+}
+
 // TODO test CN _and_ SAN
 
 TEST_MAIN() { TEST_RUN_ALL(); }