diff --git a/gateway/api_test.go b/gateway/api_test.go index a1644eaa56f..90e0912bc0b 100644 --- a/gateway/api_test.go +++ b/gateway/api_test.go @@ -455,16 +455,24 @@ func TestKeyHandler_UpdateKey(t *testing.T) { } }) + pIdAccess := ts.CreatePolicy(func(p *user.Policy) { + p.Partitions.Acl = true + p.AccessRights = map[string]user.AccessDefinition{testAPIID: { + APIID: testAPIID, Versions: []string{"v1"}, + }} + p.Tags = []string{"p3-tag"} + p.MetaData = map[string]interface{}{ + "p3-meta": "p3-value", + } + }) + session, key := ts.CreateSession(func(s *user.SessionState) { - s.ApplyPolicies = []string{pID} + s.ApplyPolicies = []string{pIdAccess, pID} s.Tags = []string{"key-tag1", "key-tag2"} s.MetaData = map[string]interface{}{ "key-meta1": "key-value1", "key-meta2": "key-value2", } - s.AccessRights = map[string]user.AccessDefinition{testAPIID: { - APIID: testAPIID, Versions: []string{"v1"}, - }} }) t.Run("Add policy not enforcing acl", func(t *testing.T) { @@ -477,8 +485,8 @@ func TestKeyHandler_UpdateKey(t *testing.T) { }...) sessionState, found := ts.Gw.GlobalSessionManager.SessionDetail("default", key, false) - if !found || sessionState.AccessRights[testAPIID].APIID != testAPIID || len(sessionState.ApplyPolicies) != 2 { - + _, exists := sessionState.AccessRights[testAPIID] + if !found || !exists || len(sessionState.ApplyPolicies) != 3 { t.Fatal("Adding policy to the list failed") } }) @@ -493,7 +501,8 @@ func TestKeyHandler_UpdateKey(t *testing.T) { }...) sessionState, found := ts.Gw.GlobalSessionManager.SessionDetail("default", key, false) - if !found || sessionState.AccessRights[testAPIID].APIID != testAPIID || len(sessionState.ApplyPolicies) != 0 { + _, exists := sessionState.AccessRights[testAPIID] + if !found || !exists || len(sessionState.ApplyPolicies) != 0 { t.Fatal("Removing policy from the list failed") } }) @@ -518,21 +527,21 @@ func TestKeyHandler_UpdateKey(t *testing.T) { } t.Run("Add", func(t *testing.T) { - expected := []string{"p1-tag", "p2-tag", "key-tag1", "key-tag2"} - session.ApplyPolicies = []string{pID, pID2} + expected := []string{"p1-tag", "p2-tag", "p3-tag", "key-tag1", "key-tag2"} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} assertTags(session, expected) }) t.Run("Make unique", func(t *testing.T) { - expected := []string{"p1-tag", "p2-tag", "key-tag1", "key-tag2"} - session.ApplyPolicies = []string{pID, pID2} + expected := []string{"p1-tag", "p2-tag", "p3-tag", "key-tag1", "key-tag2"} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} session.Tags = append(session.Tags, "p1-tag", "key-tag1") assertTags(session, expected) }) t.Run("Remove", func(t *testing.T) { - expected := []string{"p1-tag", "p2-tag", "key-tag2"} - session.ApplyPolicies = []string{pID, pID2} + expected := []string{"p1-tag", "p2-tag", "p3-tag", "key-tag2"} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} session.Tags = []string{"key-tag2"} assertTags(session, expected) }) @@ -559,10 +568,11 @@ func TestKeyHandler_UpdateKey(t *testing.T) { expected := map[string]interface{}{ "p1-meta": "p1-value", "p2-meta": "p2-value", + "p3-meta": "p3-value", "key-meta1": "key-value1", "key-meta2": "key-value2", } - session.ApplyPolicies = []string{pID, pID2} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} assertMetaData(session, expected) }) @@ -570,10 +580,11 @@ func TestKeyHandler_UpdateKey(t *testing.T) { expected := map[string]interface{}{ "p1-meta": "p1-value", "p2-meta": "p2-value", + "p3-meta": "p3-value", "key-meta1": "key-value1", "key-meta2": "key-value2", } - session.ApplyPolicies = []string{pID, pID2} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} assertMetaData(session, expected) }) @@ -581,9 +592,10 @@ func TestKeyHandler_UpdateKey(t *testing.T) { expected := map[string]interface{}{ "p1-meta": "p1-value", "p2-meta": "p2-value", + "p3-meta": "p3-value", "key-meta2": "key-value2", } - session.ApplyPolicies = []string{pID, pID2} + session.ApplyPolicies = []string{pID, pID2, pIdAccess} session.MetaData = map[string]interface{}{ "key-meta2": "key-value2", } @@ -701,13 +713,14 @@ func TestKeyHandler_DeleteKeyWithQuota(t *testing.T) { pID := ts.CreatePolicy(func(p *user.Policy) { p.QuotaMax = 1 + p.AccessRights = map[string]user.AccessDefinition{testAPIID: { + APIID: testAPIID, + }} }) _, key := ts.CreateSession(func(s *user.SessionState) { s.ApplyPolicies = []string{pID} - s.AccessRights = map[string]user.AccessDefinition{testAPIID: { - APIID: testAPIID, - }} + }) authHeaders := map[string]string{ @@ -741,7 +754,11 @@ func TestUpdateKeyWithCert(t *testing.T) { defer ts.Close() apiId := "MTLSApi" - pID := ts.CreatePolicy(func(p *user.Policy) {}) + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{apiId: { + APIID: apiId, Versions: []string{"v1"}, + }} + }) ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.APIID = apiId @@ -768,9 +785,6 @@ func TestUpdateKeyWithCert(t *testing.T) { // create session base and set cert session, key := ts.CreateSession(func(s *user.SessionState) { s.ApplyPolicies = []string{pID} - s.AccessRights = map[string]user.AccessDefinition{apiId: { - APIID: apiId, Versions: []string{"v1"}, - }} s.Certificate = certID }) @@ -813,9 +827,6 @@ func TestUpdateKeyWithCert(t *testing.T) { // create session base and set cert session, key := ts.CreateSession(func(s *user.SessionState) { s.ApplyPolicies = []string{pID} - s.AccessRights = map[string]user.AccessDefinition{apiId: { - APIID: apiId, Versions: []string{"v1"}, - }} s.Certificate = certID }) @@ -3902,6 +3913,71 @@ func TestOrgKeyHandler_LastUpdated(t *testing.T) { }...) } +func TestDeletionOfPoliciesThatFromAKeyDoesNotMakeTheAPIKeyless(t *testing.T) { + const testAPIID = "testAPIID" + + ts := StartTest(nil) + defer ts.Close() + + apiID1 := testAPIID + "1" + apiID2 := testAPIID + "2" + + ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { + spec.APIID = apiID1 + spec.UseKeylessAccess = false + spec.OrgID = "default" + spec.Proxy.ListenPath = "/api1" + }, func(spec *APISpec) { + spec.APIID = apiID2 + spec.UseKeylessAccess = false + spec.OrgID = "default" + spec.Proxy.ListenPath = "/api2" + }) + + policyForApi1 := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{apiID1: { + APIID: apiID1, + }} + }) + + policyForApi2 := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{apiID2: { + APIID: apiID2, + }} + }) + + _, key := ts.CreateSession(func(s *user.SessionState) { + s.ApplyPolicies = []string{policyForApi1, policyForApi2} + }) + + authHeaders := map[string]string{ + "authorization": key, + } + + res, err := ts.Run(t, []test.TestCase{ + {Method: "GET", Path: "/api1", Headers: authHeaders, Code: 200}, + {Method: "GET", Path: "/api2", Headers: authHeaders, Code: 200}, + }...) + assert.NotNil(t, res) + assert.Nil(t, err) + + ts.DeletePolicy(policyForApi2) + res, err = ts.Run(t, []test.TestCase{ + {Method: "GET", Path: "/api1", Headers: authHeaders, Code: 200}, + {Method: "GET", Path: "/api2", Headers: authHeaders, Code: 403}, + }...) + assert.NotNil(t, res) + assert.Nil(t, err) + + ts.DeletePolicy(policyForApi1) + res, err = ts.Run(t, []test.TestCase{ + {Method: "GET", Path: "/api1", Headers: authHeaders, Code: 403}, + {Method: "GET", Path: "/api2", Headers: authHeaders, Code: 403}, + }...) + assert.NotNil(t, res) + assert.Nil(t, err) +} + func TestPurgeOAuthClientTokensEndpoint(t *testing.T) { conf := func(globalConf *config.Config) { // set tokens to be expired after 1 second diff --git a/gateway/middleware.go b/gateway/middleware.go index ec8d6cf265e..f53cb5b724c 100644 --- a/gateway/middleware.go +++ b/gateway/middleware.go @@ -769,6 +769,10 @@ func (t *BaseMiddleware) ApplyPolicies(session *user.SessionState) error { session.AccessRights = rights } + if len(rights) == 0 && policyIDs != nil { + return errors.New("key has no valid policies to be applied") + } + return nil } diff --git a/gateway/multiauth_test.go b/gateway/multiauth_test.go index c09a17af482..6312f876ee8 100644 --- a/gateway/multiauth_test.go +++ b/gateway/multiauth_test.go @@ -304,11 +304,16 @@ func TestJWTAuthKeyMultiAuth(t *testing.T) { ts := StartTest(nil) defer ts.Close() - pID := ts.CreatePolicy() + const testAPIID = "test-api-id" + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: {APIID: testAPIID, APIName: "test-api"}, + } + }) spec := ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.UseKeylessAccess = false - + spec.APIID = testAPIID spec.AuthConfigs = make(map[string]apidef.AuthConfig) spec.UseStandardAuth = true diff --git a/gateway/mw_jwt_test.go b/gateway/mw_jwt_test.go index 523793e5468..814bce73ad1 100644 --- a/gateway/mw_jwt_test.go +++ b/gateway/mw_jwt_test.go @@ -542,8 +542,9 @@ func BenchmarkJWTSessionRSAWithRawSourceOnWithClientID(b *testing.B) { // JWTSessionRSAWithRawSource func (ts *Test) prepareJWTSessionRSAWithRawSource() string { - + const testApiID = "test-api-id" ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { + spec.APIID = testApiID spec.UseKeylessAccess = false spec.EnableJWT = true spec.JWTSigningMethod = RSASign @@ -553,7 +554,13 @@ func (ts *Test) prepareJWTSessionRSAWithRawSource() string { spec.Proxy.ListenPath = "/" }) - pID := ts.CreatePolicy() + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testApiID: { + APIName: "test-api-name", + }, + } + }) jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Header["kid"] = "12345" @@ -641,7 +648,16 @@ func TestJWTSessionExpiresAtValidationConfigs(t *testing.T) { ts := StartTest(nil) defer ts.Close() - pID := ts.CreatePolicy() + const testAPIID = "test-api-id" + + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + jwtAuthHeaderGen := func(skew time.Duration) map[string]string { jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Claims.(jwt.MapClaims)["policy_id"] = pID @@ -653,6 +669,7 @@ func TestJWTSessionExpiresAtValidationConfigs(t *testing.T) { } spec := BuildAPI(func(spec *APISpec) { + spec.APIID = testAPIID spec.UseKeylessAccess = false spec.EnableJWT = true spec.JWTSigningMethod = RSASign @@ -716,7 +733,16 @@ func TestJWTSessionIssueAtValidationConfigs(t *testing.T) { ts := StartTest(nil) defer ts.Close() - pID := ts.CreatePolicy() + const testAPIID = "test-api-id" + + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + jwtAuthHeaderGen := func(skew time.Duration) map[string]string { jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Claims.(jwt.MapClaims)["policy_id"] = pID @@ -729,6 +755,7 @@ func TestJWTSessionIssueAtValidationConfigs(t *testing.T) { spec := BuildAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = "rsa" spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) @@ -807,7 +834,16 @@ func TestJWTSessionNotBeforeValidationConfigs(t *testing.T) { ts := StartTest(nil) defer ts.Close() - pID := ts.CreatePolicy() + const testAPIID = "test-api-id" + + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + jwtAuthHeaderGen := func(skew time.Duration) map[string]string { jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Claims.(jwt.MapClaims)["policy_id"] = pID @@ -819,6 +855,7 @@ func TestJWTSessionNotBeforeValidationConfigs(t *testing.T) { spec := BuildAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.Proxy.ListenPath = "/" spec.JWTSigningMethod = "rsa" @@ -875,7 +912,18 @@ func TestJWTExistingSessionRSAWithRawSourceInvalidPolicyID(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + + p1ID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + spec := BuildAPI(func(spec *APISpec) { + spec.APIID = testAPIID spec.UseKeylessAccess = false spec.EnableJWT = true spec.JWTSigningMethod = RSASign @@ -887,7 +935,6 @@ func TestJWTExistingSessionRSAWithRawSourceInvalidPolicyID(t *testing.T) { ts.Gw.LoadAPI(spec) - p1ID := ts.CreatePolicy() user_id := uuid.New() jwtToken := CreateJWKToken(func(t *jwt.Token) { @@ -1352,8 +1399,11 @@ func TestJWTExistingSessionRSAWithRawSourcePolicyIDChanged(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + spec := BuildAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) @@ -1367,9 +1417,19 @@ func TestJWTExistingSessionRSAWithRawSourcePolicyIDChanged(t *testing.T) { p1ID := ts.CreatePolicy(func(p *user.Policy) { p.QuotaMax = 111 + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } }) p2ID := ts.CreatePolicy(func(p *user.Policy) { p.QuotaMax = 999 + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } }) user_id := uuid.New() @@ -1432,7 +1492,10 @@ func TestJWTExistingSessionRSAWithRawSourcePolicyIDChanged(t *testing.T) { func (ts *Test) prepareJWTSessionRSAWithJWK() string { + const testAPIID = "test-api-id" + ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { + spec.APIID = testAPIID spec.UseKeylessAccess = false spec.EnableJWT = true spec.JWTSigningMethod = RSASign @@ -1442,7 +1505,14 @@ func (ts *Test) prepareJWTSessionRSAWithJWK() string { spec.Proxy.ListenPath = "/" }) - pID := ts.CreatePolicy() + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Header["kid"] = "12345" t.Claims.(jwt.MapClaims)["foo"] = "bar" @@ -1492,8 +1562,10 @@ func BenchmarkJWTSessionRSAWithJWK(b *testing.B) { func (ts *Test) prepareJWTSessionRSAWithEncodedJWK() (*APISpec, string) { + const testAPIID = "test-api-id" spec := BuildAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTIdentityBaseField = "user_id" @@ -1501,7 +1573,14 @@ func (ts *Test) prepareJWTSessionRSAWithEncodedJWK() (*APISpec, string) { spec.Proxy.ListenPath = "/" })[0] - pID := ts.CreatePolicy() + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Header["kid"] = "12345" // Set some claims @@ -1618,8 +1697,11 @@ func TestJWTRSAIdInClaimsWithBaseField(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) @@ -1628,8 +1710,13 @@ func TestJWTRSAIdInClaimsWithBaseField(t *testing.T) { spec.Proxy.ListenPath = "/" }) - pID := ts.CreatePolicy() - + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) //First test - user id in the configured base field 'user_id' jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Header["kid"] = "12345" @@ -1715,8 +1802,11 @@ func TestJWTRSAIdInClaimsWithoutBaseField(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) @@ -1725,7 +1815,13 @@ func TestJWTRSAIdInClaimsWithoutBaseField(t *testing.T) { spec.Proxy.ListenPath = "/" }) - pID := ts.CreatePolicy() + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) jwtToken := CreateJWKToken(func(t *jwt.Token) { t.Header["kid"] = "12345" @@ -1773,6 +1869,7 @@ func TestJWTDefaultPolicies(t *testing.T) { } p.Partitions = user.PolicyPartitions{ Quota: true, + Acl: true, } }) @@ -2065,8 +2162,11 @@ func TestJWTExpOverride(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) @@ -2078,6 +2178,11 @@ func TestJWTExpOverride(t *testing.T) { //create policy which sets keys to have expiry in one second pID := ts.CreatePolicy(func(p *user.Policy) { p.KeyExpiresIn = 1 + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } }) jwtToken := CreateJWKToken(func(t *jwt.Token) { @@ -2098,6 +2203,11 @@ func TestJWTExpOverride(t *testing.T) { t.Run("JWT expiration smaller then policy", func(t *testing.T) { pID := ts.CreatePolicy(func(p *user.Policy) { p.KeyExpiresIn = 5 + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } }) jwtToken := CreateJWKToken(func(t *jwt.Token) { @@ -2117,6 +2227,11 @@ func TestJWTExpOverride(t *testing.T) { t.Run("JWT expired but renewed, policy without expiration", func(t *testing.T) { pID := ts.CreatePolicy(func(p *user.Policy) { p.KeyExpiresIn = 0 + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } }) userID := uuid.New() @@ -2325,8 +2440,11 @@ func TestJWT_ExtractOAuthClientIDForDCR(t *testing.T) { ts := StartTest(nil) defer ts.Close() + const testAPIID = "test-api-id" + api := ts.Gw.BuildAndLoadAPI(func(spec *APISpec) { spec.UseKeylessAccess = false + spec.APIID = testAPIID spec.EnableJWT = true spec.JWTSigningMethod = RSASign spec.JWTSource = base64.StdEncoding.EncodeToString([]byte(jwtRSAPubKey)) @@ -2335,7 +2453,14 @@ func TestJWT_ExtractOAuthClientIDForDCR(t *testing.T) { spec.Proxy.ListenPath = "/" })[0] - pID := ts.CreatePolicy() + pID := ts.CreatePolicy(func(p *user.Policy) { + p.AccessRights = map[string]user.AccessDefinition{ + testAPIID: { + APIName: "test-api-name", + }, + } + }) + userID := uuid.New() const myOKTAClientID = "myOKTAClientID" diff --git a/gateway/policy_test.go b/gateway/policy_test.go index 1481798adad..084aac29a89 100644 --- a/gateway/policy_test.go +++ b/gateway/policy_test.go @@ -80,38 +80,44 @@ func (s *Test) TestPrepareApplyPolicies() (*BaseMiddleware, []testApplyPoliciesD }, "difforg": {OrgID: "different"}, "tags1": { - Partitions: user.PolicyPartitions{Quota: true}, - Tags: []string{"tagA"}, + Partitions: user.PolicyPartitions{Quota: true, Acl: true}, + Tags: []string{"tagA"}, + AccessRights: map[string]user.AccessDefinition{"a": {}}, }, "tags2": { - Partitions: user.PolicyPartitions{RateLimit: true}, - Tags: []string{"tagX", "tagY"}, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, + Tags: []string{"tagX", "tagY"}, + AccessRights: map[string]user.AccessDefinition{"b": {}}, }, "inactive1": { - Partitions: user.PolicyPartitions{RateLimit: true}, - IsInactive: true, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, + IsInactive: true, + AccessRights: map[string]user.AccessDefinition{"a": {}}, }, "inactive2": { - Partitions: user.PolicyPartitions{Quota: true}, - IsInactive: true, + Partitions: user.PolicyPartitions{Quota: true, Acl: true}, + IsInactive: true, + AccessRights: map[string]user.AccessDefinition{"b": {}}, }, "unlimited-quota": { - Partitions: user.PolicyPartitions{Quota: true}, + Partitions: user.PolicyPartitions{Quota: true, Acl: true}, AccessRights: map[string]user.AccessDefinition{"a": {}}, QuotaMax: -1, }, "quota1": { - Partitions: user.PolicyPartitions{Quota: true}, - QuotaMax: 2, + Partitions: user.PolicyPartitions{Quota: true, Acl: true}, + QuotaMax: 2, + AccessRights: map[string]user.AccessDefinition{"a": {}}, }, "quota2": { - Partitions: user.PolicyPartitions{Quota: true}, - QuotaMax: 3, + Partitions: user.PolicyPartitions{Quota: true, Acl: true}, + QuotaMax: 3, + AccessRights: map[string]user.AccessDefinition{"b": {}}, }, "quota3": { QuotaMax: 3, AccessRights: map[string]user.AccessDefinition{"a": {}}, - Partitions: user.PolicyPartitions{Quota: true}, + Partitions: user.PolicyPartitions{Quota: true, Acl: true}, }, "quota4": { QuotaMax: 3, @@ -120,49 +126,52 @@ func (s *Test) TestPrepareApplyPolicies() (*BaseMiddleware, []testApplyPoliciesD }, "quota5": { QuotaMax: 4, - Partitions: user.PolicyPartitions{Quota: true}, + Partitions: user.PolicyPartitions{Quota: true, Acl: true}, AccessRights: map[string]user.AccessDefinition{"b": {}}, }, "unlimited-rate": { - Partitions: user.PolicyPartitions{RateLimit: true}, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, AccessRights: map[string]user.AccessDefinition{"a": {}}, Rate: -1, }, "rate1": { - Partitions: user.PolicyPartitions{RateLimit: true}, - Rate: 3, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, + AccessRights: map[string]user.AccessDefinition{"a": {}}, + Rate: 3, }, "rate2": { - Partitions: user.PolicyPartitions{RateLimit: true}, - Rate: 4, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, + AccessRights: map[string]user.AccessDefinition{"b": {}}, + Rate: 4, }, "rate3": { - Partitions: user.PolicyPartitions{RateLimit: true}, - Rate: 4, - Per: 4, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, + Rate: 4, + Per: 4, + AccessRights: map[string]user.AccessDefinition{"a": {}}, }, "rate4": { - Partitions: user.PolicyPartitions{RateLimit: true}, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, Rate: 8, AccessRights: map[string]user.AccessDefinition{"a": {}}, }, "rate5": { - Partitions: user.PolicyPartitions{RateLimit: true}, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, Rate: 10, AccessRights: map[string]user.AccessDefinition{"a": {}}, }, "rate-for-a": { - Partitions: user.PolicyPartitions{RateLimit: true}, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, AccessRights: map[string]user.AccessDefinition{"a": {}}, Rate: 4, }, "rate-for-b": { - Partitions: user.PolicyPartitions{RateLimit: true}, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, AccessRights: map[string]user.AccessDefinition{"b": {}}, Rate: 2, }, "rate-for-a-b": { - Partitions: user.PolicyPartitions{RateLimit: true}, + Partitions: user.PolicyPartitions{RateLimit: true, Acl: true}, AccessRights: map[string]user.AccessDefinition{"a": {}, "b": {}}, Rate: 4, }, @@ -186,16 +195,18 @@ func (s *Test) TestPrepareApplyPolicies() (*BaseMiddleware, []testApplyPoliciesD AccessRights: map[string]user.AccessDefinition{"a": {}, "b": {}}, }, "unlimitedComplexity": { - Partitions: user.PolicyPartitions{Complexity: true}, + Partitions: user.PolicyPartitions{Complexity: true, Acl: true}, AccessRights: map[string]user.AccessDefinition{"a": {}}, MaxQueryDepth: -1, }, "complexity1": { - Partitions: user.PolicyPartitions{Complexity: true}, + Partitions: user.PolicyPartitions{Complexity: true, Acl: true}, + AccessRights: map[string]user.AccessDefinition{"a": {}}, MaxQueryDepth: 2, }, "complexity2": { - Partitions: user.PolicyPartitions{Complexity: true}, + Partitions: user.PolicyPartitions{Complexity: true, Acl: true}, + AccessRights: map[string]user.AccessDefinition{"b": {}}, MaxQueryDepth: 3, }, "per_api_and_partitions": { @@ -639,7 +650,7 @@ func (s *Test) TestPrepareApplyPolicies() (*BaseMiddleware, []testApplyPoliciesD { "Acl for a and rate for a,b", []string{"acl1", "rate-for-a-b"}, "", func(t *testing.T, s *user.SessionState) { - want := map[string]user.AccessDefinition{"a": {Limit: user.APILimit{Rate: 4}}} + want := map[string]user.AccessDefinition{"a": {Limit: user.APILimit{Rate: 4}}, "b": {Limit: user.APILimit{Rate: 4}}} assert.Equal(t, want, s.AccessRights) }, nil, }, diff --git a/gateway/server.go b/gateway/server.go index 0d15678a6e3..2a7aad0cfe9 100644 --- a/gateway/server.go +++ b/gateway/server.go @@ -584,9 +584,7 @@ func (gw *Gateway) syncPolicies() (count int, err error) { gw.policiesMu.Lock() defer gw.policiesMu.Unlock() - if len(pols) > 0 { - gw.policiesByID = pols - } + gw.policiesByID = pols return len(pols), err } diff --git a/gateway/testutil.go b/gateway/testutil.go index 669e2a2846c..508669c41a2 100644 --- a/gateway/testutil.go +++ b/gateway/testutil.go @@ -848,6 +848,12 @@ func (s *Test) CreatePolicy(pGen ...func(p *user.Policy)) string { return pol.ID } +func (s *Test) DeletePolicy(policyID string) { + s.Gw.policiesMu.Lock() + delete(s.Gw.policiesByID, policyID) + s.Gw.policiesMu.Unlock() +} + func CreateJWKToken(jGen ...func(*jwt.Token)) string { // Create the token token := jwt.New(jwt.GetSigningMethod("RS512"))