64679d2db8
Implements RFD 45 / "where" conditions for active sessions[1]. In a few words, the purpose of the RFD is to allow the creation of roles that permit users to only join a subset of active sessions (for example, only their own sessions). The implementation goes a bit further than the RFD, allowing the conditions to be applied to `update` and `delete` verbs as well. Originally implemented by @andrejtokarcik (#8568), tweaks by @codingllama. [1] https://github.com/gravitational/teleport/blob/master/rfd/0045-ssh_session-where-condition.md * Implement where conditions for active sessions list/read * actionWithConditionForList => actionForListWithCondition * Make Context-exposed sessions follow the RFD API * Add tests for "where" conditions on active sessions * Fix typos * Fix typos and spacing * Rename "parties" to "participants" in the context session * Update RFD to reflect PR changes Update RFD to reflect PR changes Specifically, mark as implemented and rename `parties` to `participants`. * Push list authz logic to ServerWithRoles, obsolete cond * Remove cond from GetSessions signature * Simplify cast in lib.utils.Fields.GetString * Add TODO to refactor SearchSessionEvents / stored sessions Co-authored-by: Andrej Tokarčík <andrej@goteleport.com>
/*
Copyright 2021 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package utils
import (
"testing"
"time"
"github.com/stretchr/testify/require"
"github.com/gravitational/teleport/api/types"
)
// TestFields exercises the typed getters of Fields: a present key is
// returned with its original value, an absent key yields the type's zero
// value, and GetStrings accepts the same strings stored either as
// []string or as []interface{}.
func TestFields(t *testing.T) {
	t.Parallel()

	// A minute-rounded timestamp keeps the time comparison below simple.
	stamp := time.Now().Round(time.Minute)
	wantStrings := []string{"test", "string", "slice"}

	// "strings" and "strings2" hold the same values in the two slice
	// representations GetStrings is expected to understand.
	fields := Fields{
		"one":      1,
		"name":     "vincent",
		"time":     stamp,
		"strings":  wantStrings,
		"strings2": []interface{}{"test", "string", "slice"},
	}

	// Present keys come back unchanged.
	require.Equal(t, 1, fields.GetInt("one"))
	require.Equal(t, "vincent", fields.GetString("name"))
	require.Equal(t, stamp, fields.GetTime("time"))
	require.Equal(t, wantStrings, fields.GetStrings("strings"))
	require.Equal(t, wantStrings, fields.GetStrings("strings2"))

	// Absent keys fall back to the zero value (nil for the slice getter).
	require.Equal(t, 0, fields.GetInt("two"))
	require.Equal(t, "", fields.GetString("city"))
	require.Nil(t, fields.GetStrings("strings3"))
}
// TestToFieldsCondition compiles a two-clause WhereExpr into a Fields
// predicate and evaluates it against representative session field sets.
// The expression is shaped like the session "where" conditions this
// package supports: a login restriction combined with a participants
// membership test, so a false result means the caller must not be granted
// access to that session.
func TestToFieldsCondition(t *testing.T) {
	t.Parallel()

	field := func(name string) *types.WhereExpr { return &types.WhereExpr{Field: name} }
	literal := func(v string) *types.WhereExpr { return &types.WhereExpr{Literal: v} }

	// !equals(login, "root")
	notRoot := &types.WhereExpr{Not: &types.WhereExpr{
		Equals: types.WhereExpr2{L: field("login"), R: literal("root")},
	}}
	// contains(participants, "test-user")
	hasTestUser := &types.WhereExpr{
		Contains: types.WhereExpr2{L: field("participants"), R: literal("test-user")},
	}
	// !equals(login, "root") && contains(participants, "test-user")
	expr := &types.WhereExpr{And: types.WhereExpr2{L: notRoot, R: hasTestUser}}

	cond, err := ToFieldsCondition(expr)
	require.NoError(t, err)

	tests := []struct {
		desc   string
		fields Fields
		want   bool
	}{
		// Neither clause can be satisfied without any fields.
		{desc: "no fields", fields: Fields{}, want: false},
		// The login clause fails even though the participant is present.
		{desc: "root login", fields: Fields{"login": "root", "participants": []string{"test-user", "observer"}}, want: false},
		// The participants clause fails even though the login is allowed.
		{desc: "test-user not a participant", fields: Fields{"login": "guest", "participants": []string{"another-user"}}, want: false},
		{desc: "both clauses hold", fields: Fields{"login": "guest", "participants": []string{"test-user", "observer"}}, want: true},
		// A missing login is treated as "not root", so the participant
		// clause alone decides.
		{desc: "login missing, participant present", fields: Fields{"participants": []string{"test-user"}}, want: true},
	}
	for _, tc := range tests {
		require.Equal(t, tc.want, cond(tc.fields), tc.desc)
	}
}