37 lines
1.3 KiB
Go
37 lines
1.3 KiB
Go
package store
|
|
|
|
import "testing"
|
|
|
|
func TestSameResponseChainOwnerIsolatesUserAndTenant(t *testing.T) {
|
|
chain := ResponseChain{
|
|
GatewayUserID: "user-1", GatewayTenantID: "tenant-1", TenantID: "external-tenant", TenantKey: "tenant-key",
|
|
}
|
|
owner := GatewayTask{
|
|
GatewayUserID: "user-1", GatewayTenantID: "tenant-1", TenantID: "external-tenant", TenantKey: "tenant-key",
|
|
}
|
|
if !sameResponseChainOwner(chain, owner) {
|
|
t.Fatal("matching user and tenant should own the response chain")
|
|
}
|
|
owner.GatewayUserID = "user-2"
|
|
if sameResponseChainOwner(chain, owner) {
|
|
t.Fatal("another user must not access the response chain")
|
|
}
|
|
owner.GatewayUserID = "user-1"
|
|
owner.GatewayTenantID = "tenant-2"
|
|
if sameResponseChainOwner(chain, owner) {
|
|
t.Fatal("another tenant must not access the response chain")
|
|
}
|
|
}
|
|
|
|
func TestSameResponseChainOwnerSupportsExternalIdentityFallback(t *testing.T) {
|
|
chain := ResponseChain{UserID: "external-user", UserSource: "server-main", TenantID: "tenant-a"}
|
|
owner := GatewayTask{UserID: "external-user", UserSource: "server-main", TenantID: "tenant-a"}
|
|
if !sameResponseChainOwner(chain, owner) {
|
|
t.Fatal("matching external identity should own the response chain")
|
|
}
|
|
owner.UserSource = "gateway"
|
|
if sameResponseChainOwner(chain, owner) {
|
|
t.Fatal("identity source must participate in isolation")
|
|
}
|
|
}
|