author | Daniel Silverstone <dsilvers@digital-scurf.org> | 2017-01-02 17:54:58 +0000 |
---|---|---|
committer | Daniel Silverstone <dsilvers@digital-scurf.org> | 2017-01-02 17:54:58 +0000 |
commit | 00f0d146708676a4f7141f83739bb426ccab275c (patch) | |
tree | ac641e961257dd39a47a2081c693c7e997fb165d /testing | |
parent | d96e47a5076343abc4ae7d52dbd2fed908e2daec (diff) | |
download | gitano-00f0d146708676a4f7141f83739bb426ccab275c.tar.gz |
Add group test yarn (v0.8)
Diffstat (limited to 'testing')
-rw-r--r-- | testing/02-commands-group.yarn | 163 |
1 files changed, 161 insertions, 2 deletions
diff --git a/testing/02-commands-group.yarn b/testing/02-commands-group.yarn index 6cb6922..36dbba0 100644 --- a/testing/02-commands-group.yarn +++ b/testing/02-commands-group.yarn 
@@ -1,7 +1,166 @@ <!-- -*- markdown -*- --> -TODO: Expand this beyond these simple regression checks -======================================================= +Managing groups +=============== + +Gitano has users and users can be in groups. Groups are there primarily as a +way to manage access control since it's a lot easier to grant access to a group +and then manage the group, than to keep writing new ACLs for each user you want +to grant access to. + +Groups have a name and a description, and then a list of members. In addition +groups may contain other groups and membership is transitive across that +relationship. + +Group creation, listing, and removal +------------------------------------ + + SCENARIO basic group operation + +Initially there is one group, the `gitano-admin` group. + + GIVEN a standard instance + WHEN testinstance adminkey runs group list + THEN stdout contains gitano-admin + +We can add a group... + + WHEN testinstance adminkey runs group add newgroup simple description + AND testinstance adminkey runs group list + THEN stdout contains newgroup + AND stdout contains simple description + +We can remove a group... + + WHEN testinstance adminkey runs group del newgroup --force + AND testinstance adminkey runs group list + THEN stdout does not contain newgroup + + FINALLY the instance is torn down + +Examining and manipulating groups +--------------------------------- + + SCENARIO group description + +Initially the `gitano-admin` group has one user in it, and has a basic +description. + + GIVEN a standard instance + WHEN testinstance adminkey runs group show gitano-admin + THEN stdout contains gitano-admin:Gitano\ Instance\ Administrators + AND stdout contains =>\ admin + +We can change that description though. 
+ + WHEN testinstance adminkey runs group description gitano-admin Jeffrey + AND testinstance adminkey runs group show gitano-admin + THEN stdout contains gitano-admin:Jeffrey + + FINALLY the instance is torn down + +Renaming groups +--------------- + + SCENARIO group renaming + +Groups, like users and repositories, can be renamed. This is a moderately +destructive operation since ACLs are often based on group names, and as such +it also takes a token. After renaming a group, the old group name does not +exist. + + GIVEN a standard instance + WHEN testinstance adminkey runs group add foo bar + AND testinstance adminkey runs group rename foo baz --force + AND testinstance adminkey runs group list + THEN stdout does not contain foo:bar + AND stdout contains baz:bar + + FINALLY the instance is torn down + +Group membership +---------------- + + SCENARIO group membership + GIVEN a standard instance + AND testinstance, using adminkey, adds a new user alice, with a key called main + +Group membership of users is managed using the `adduser` and `deluser` +subcommands in the `group` command + + WHEN testinstance adminkey runs group add foo bar + AND testinstance adminkey runs group adduser foo alice + AND testinstance adminkey runs group show foo + THEN stdout contains =>\ alice + WHEN testinstance adminkey runs group deluser foo alice --force + AND testinstance adminkey runs group show foo + THEN stdout does not contain alice + +Group membership of groups is managed with `addgroup` and `delgroup` +subcommands. 
+ + WHEN testinstance adminkey runs group show gitano-admin + THEN stdout does not contain foo + WHEN testinstance adminkey runs group addgroup gitano-admin foo + AND testinstance adminkey runs group show gitano-admin + THEN stdout contains \[\]\ foo + WHEN testinstance adminkey runs group delgroup gitano-admin foo + AND testinstance adminkey runs group show gitano-admin + THEN stdout does not contain foo + + FINALLY the instance is torn down + +Membership works across renames +=============================== + +A critical component of users and groups is that they continue to work across +renames. + + SCENARIO group and user rename continuity + + GIVEN a standard instance + AND testinstance, using adminkey, adds a new user alice, with a key called main + WHEN testinstance adminkey runs group add foo foodesc + AND testinstance adminkey runs group add bar bardesc + AND testinstance adminkey runs group adduser foo alice + AND testinstance adminkey runs group addgroup bar foo + +Firstly we demonstrate that transitive membership turns up in whoami... + + WHEN alice main runs whoami + THEN stdout contains foodesc + AND stdout contains bardesc + AND stdout contains \(via foo\) + +Next, if we rename the alice user we want to know that the user membership +of group foo continues to work. + + WHEN testinstance adminkey runs user rename alice betty --force + WHEN testinstance adminkey runs group show foo + THEN stdout does not contain alice + AND stdout contains betty + WHEN alice main runs whoami + THEN stdout contains foodesc + AND stdout contains bardesc + AND stdout contains \(via foo\) + +And, of course, if we rename either group, then the membership persists. 
+ + WHEN testinstance adminkey runs group rename foo baz --force + AND testinstance adminkey runs group rename bar meta --force + AND alice main runs whoami + THEN stdout contains foodesc + AND stdout contains bardesc + AND stdout contains \(via baz\) + + FINALLY the instance is torn down + +regression tests +================ + +At one point it was possible to run `group add` and pass a group name with a +slash in it which would really confuse Gitano subsequently. This ensures that +can never happen again. SCENARIO group add with slashes causes error |
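Review bot: Every group-changing step in these scenarios runs as adminkey, so nothing here checks that a non-admin is refused; alice is created in the "group membership" and "group and user rename continuity" scenarios but only ever runs whoami. The introduction says groups exist primarily to manage access control, and membership is transitive, so `group addgroup gitano-admin foo` extends admin membership to everyone in foo. Please add a scenario in which alice's key attempts `group add`, `group adduser` and `group addgroup gitano-admin foo`, asserting that each attempt is rejected and that a following `group show gitano-admin` is unchanged. Two smaller points: the "Renaming groups" text says the operation takes a token, yet only the `--force` path is exercised (likewise for `group del` and `group deluser`), so the confirmation path has no coverage; and in the rename-continuity scenario the step after `user rename alice betty --force` starts a new WHEN where the rest of the file chains with AND.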