# Copyright 2025 New Vector Ltd.
#
# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
# Please see LICENSE files in the repository root for full details.
package authorization_grant_test
import data.authorization_grant
import rego.v1
# Fixture: the end user every test below runs as. Only `username` is set;
# tests that need more (e.g. `can_request_admin`) override fields with `with`.
user := {"username": "john"}
# Fixture: the OAuth client every test below runs as. Only `client_id` is set.
client := {"client_id": "client"}
# Standard OIDC scopes for a regular user, with no grant type set on the input.
test_standard_scopes if {
	# Each of these scope strings must be accepted; "" is the "nothing requested"
	# case and "openid email" checks that a combination of accepted scopes works.
	every scope in ["", "openid", "email", "openid email"] {
		authorization_grant.allow with input.user as user
			with input.client as client
			with input.scope as scope
	}

	# Standard scopes the policy does not support yet must be refused rather
	# than silently accepted.
	every scope in ["phone", "profile"] {
		not authorization_grant.allow with input.user as user
			with input.client as client
			with input.scope as scope
	}
}
# The wildcard Matrix client API scope (MSC2967).
test_matrix_scopes if {
	api_scope := "urn:matrix:org.matrix.msc2967.client:api:*"

	# Accepted through both user-facing grants.
	every grant_type in ["authorization_code", "urn:ietf:params:oauth:grant-type:device_code"] {
		authorization_grant.allow with input.user as user
			with input.client as client
			with input.grant_type as grant_type
			with input.scope as api_scope
	}

	# Refused for the client credentials grant.
	not authorization_grant.allow with input.user as user
		with input.client as client
		with input.grant_type as "client_credentials"
		with input.scope as api_scope
}
# Per-device Matrix client scopes (MSC2967): one device id per request,
# with a minimum id length, and only through user-facing grants.
test_device_scopes if {
	device_scope := "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01"

	# A single device id is accepted with the authorization code grant.
	authorization_grant.allow with input.user as user
		with input.client as client
		with input.grant_type as "authorization_code"
		with input.scope as device_scope

	# Longer ids containing dashes are also accepted.
	authorization_grant.allow with input.user as user
		with input.client as client
		with input.grant_type as "authorization_code"
		with input.scope as "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01-asdasdsa1-2313"

	# The same single device id is accepted with the device code grant.
	authorization_grant.allow with input.user as user
		with input.client as client
		with input.grant_type as "urn:ietf:params:oauth:grant-type:device_code"
		with input.scope as device_scope

	# A device id that is too short is refused.
	not authorization_grant.allow with input.user as user
		with input.client as client
		with input.grant_type as "authorization_code"
		with input.scope as "urn:matrix:org.matrix.msc2967.client:device:abcd"

	# Requesting more than one device scope at once is refused.
	not authorization_grant.allow with input.user as user
		with input.client as client
		with input.grant_type as "authorization_code"
		with input.scope as "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01 urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd02"

	# Refused for the client credentials grant; input.user is not set for this check.
	not authorization_grant.allow with input.client as client
		with input.grant_type as "client_credentials"
		with input.scope as device_scope
}
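# The Synapse admin scope must only be granted to users listed in
# `data.admin_users` or explicitly flagged with `can_request_admin`, and the
# same rules must hold for every user-facing grant type.
test_synapse_admin_scopes if {
	# `every` (rather than `some`) so that each grant type is checked against all
	# four assertions; with `some` the test would pass as soon as ONE grant type
	# satisfied them, leaving the other grant type's admin handling untested.
	every grant_type in ["authorization_code", "urn:ietf:params:oauth:grant-type:device_code"] {
		# Listed admin user: allowed.
		authorization_grant.allow with input.user as user
			with input.client as client
			with data.admin_users as ["john"]
			with input.grant_type as grant_type
			with input.scope as "urn:synapse:admin:*"

		# Not listed, no flag: refused.
		not authorization_grant.allow with input.user as user
			with input.client as client
			with data.admin_users as []
			with input.grant_type as grant_type
			with input.scope as "urn:synapse:admin:*"

		# Not listed but flagged `can_request_admin`: allowed.
		authorization_grant.allow with input.user as user
			with input.user.can_request_admin as true
			with input.client as client
			with data.admin_users as []
			with input.grant_type as grant_type
			with input.scope as "urn:synapse:admin:*"

		# Not listed and explicitly not flagged: refused.
		not authorization_grant.allow with input.user as user
			with input.user.can_request_admin as false
			with input.client as client
			with data.admin_users as []
			with input.grant_type as grant_type
			with input.scope as "urn:synapse:admin:*"
	}
}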
# MAS-specific scopes: the GraphQL scope is open to any user, the admin scope
# only to users listed in `data.admin_users`.
test_mas_scopes if {
	admin_scope := "urn:mas:admin"

	# GraphQL scope: accepted for a regular user with no grant type set.
	authorization_grant.allow with input.user as user
		with input.client as client
		with input.scope as "urn:mas:graphql:*"

	# Admin scope: accepted when the user is listed as an admin.
	authorization_grant.allow with input.user as user
		with input.client as client
		with data.admin_users as ["john"]
		with input.grant_type as "authorization_code"
		with input.scope as admin_scope

	# Admin scope: refused when the admin list is empty.
	not authorization_grant.allow with input.user as user
		with input.client as client
		with data.admin_users as []
		with input.grant_type as "authorization_code"
		with input.scope as admin_scope
}