additional ACL Policy tests (#13464)

This changeset includes some additional unit tests for secure variables ACL policies, so that we have explicit coverage of edge cases we're discussing with the UI folks.
2026-01-01 16:05:42 +03:00 · 2022-06-23 09:18:15 -04:00
parent d03fd4b8b1
commit 86666ec87e
1 changed files with 46 additions and 0 deletions
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@@ -486,6 +486,52 @@ func TestSecureVariablesMatching(t *testing.T) {
 			op:    "read",
 			allow: true,
 		},
+		{
+			name: "concrete namespace with non-prefix wildcard path matches",
+			policy: `namespace "ns" {
+					secure_variables { path "*/bar" { capabilities = ["read"] }}}`,
+			ns:    "ns",
+			path:  "foo/bar",
+			op:    "read",
+			allow: true,
+		},
+		{
+			name: "concrete namespace with overlapping wildcard path prefix over suffix matches",
+			policy: `namespace "ns" {
+					secure_variables {
+						path "*/bar" { capabilities = ["list"] }
+						path "foo/*" { capabilities = ["write"] }
+					}}`,
+			ns:    "ns",
+			path:  "foo/bar",
+			op:    "write",
+			allow: true,
+		},
+		{
+			name: "concrete namespace with overlapping wildcard path prefix over suffix denied",
+			policy: `namespace "ns" {
+					secure_variables {
+						path "*/bar" { capabilities = ["list"] }
+						path "foo/*" { capabilities = ["write"] }
+					}}`,
+			ns:    "ns",
+			path:  "foo/bar",
+			op:    "list",
+			allow: false,
+		},
+		{
+			name: "concrete namespace with wildcard path matches most specific only",
+			policy: `namespace "ns" {
+					secure_variables {
+						path "*" { capabilities = ["read"] }
+						path "foo/*" { capabilities = ["read"] }
+						path "foo/bar" { capabilities = ["list"] }
+					}}`,
+			ns:    "ns",
+			path:  "foo/bar",
+			op:    "read",
+			allow: false,
+		},
 		{
 			name: "concrete namespace with invalid concrete path fails",
 			policy: `namespace "ns" {