Showing
2 changed files
with
67 additions
and
0 deletions.
@@ -0,0 +1,26 @@ | ||
package abbey.functions_test | ||
|
||
import future.keywords.if | ||
import future.keywords.in | ||
|
||
apps := [ | ||
"googleworkspace", | ||
"okta", | ||
"google", | ||
] | ||
|
||
# METADATA | ||
# title: Member Of | ||
# description: | | ||
# Function which checks whether a user has a specific group membership. | ||
# This function will iterate through all of a user's imported `apps` to determine | ||
# if any of the `group_id`s match the user's group memberships. | ||
# related_resources: | ||
# - ref: https://docs.abbey.io/reference/access-policies/types-of-access-policies | ||
# entrypoint: false | ||
member_of(group_id) if { | ||
some app in apps # Iterate over each app. | ||
user_groups := data.user[app] # Get each app of the user. | ||
some group in user_groups.groups # For the app, get the user's group memberships. | ||
group_id in group # Check if the group_id is one of the keys of the group object. | ||
} |
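Review bot: `group_id in group` on line 46 is a membership test over every value of the group object rather than a check on its `id` field — on objects the `in` operator matches values, which is exactly what lets the fixture entry `{"id": "Engineering"}` satisfy the rule — so any future field of a group entry (a display name, a description) whose value happens to equal `group_id` would also grant membership. The trailing comment on that line says it checks the object's keys, which does not match that behaviour either. Comparing the identifier explicitly is both tighter and self-documenting: `group_id == group.id # Match on the group's identifier only.`. Separately, the lookup runs across every entry of `apps` with no provider qualifier, so an id that two providers both use satisfies `member_of` for either of them; if that is intended, the METADATA description on lines 35-38 should say so, since the negative tests in the other file already lean on it.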
@@ -0,0 +1,41 @@ | ||
package abbey.functions_test | ||
|
||
import future.keywords.if | ||
|
||
fixture := { | ||
"googleworkspace": {"groups": [ | ||
{"id": "Engineering"}, | ||
{"id": "R&D"}, | ||
]}, | ||
"okta": {"groups": [ | ||
{"id": "123"}, | ||
{"id": "456"}, | ||
]}, | ||
} | ||
|
||
test_member_of_googleworkspace_engineering_group if { | ||
member_of("Engineering") with data.user as fixture | ||
} | ||
|
||
test_member_of_okta_group if { | ||
member_of("123") with data.user as fixture | ||
} | ||
|
||
# Tests if the user is a member of a group within Google. However, technically, the way we implement | ||
# the `member_of` function entails a lookup against all of the user's `apps`. This means this test | ||
# will also produce `false` if the group doesn't exist as a result of the group not being imported. | ||
test_not_member_of_googleworkspace_engineering_group if { | ||
not member_of("Marketing") with data.user as fixture | ||
} | ||
|
||
# Tests if the user is a member of a group within Okta. However, technically, the way we implement | ||
# the `member_of` function entails a lookup against all of the user's `apps`. This means this test | ||
# will also produce `false` if the group doesn't exist as a result of the group not being imported. | ||
test_not_member_of_okta_group if { | ||
not member_of("789") with data.user as fixture | ||
} | ||
|
||
# Tests if the user is a member of a group, but the group is not imported. | ||
test_unimported_group if { | ||
not member_of("unimported") with data.user as fixture | ||
} |
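Review bot: `test_unimported_group` on lines 98-99 is indistinguishable from `test_not_member_of_okta_group` on lines 92-94 — both pass an id that simply does not occur anywhere in `fixture`, so nothing in the fixture represents a group that exists under a provider the function does not consult, and the test name promises more than it checks. Adding a fixture key for a provider that is absent from the function's `apps` list (constructed example: `"slack": {"groups": [{"id": "unimported"}]}`) would make the assertion meaningful, because the group would then be present in the data and ignored only because its app is never iterated. The repeated note at 81-83 and 89-91 also says `member_of` "produces `false`" on a miss, whereas an unmatched rule body leaves the call undefined and `not` succeeds on that; one comment above the negative tests stating it that way would also remove the duplication. The fixture has no `google` entry even though `apps` lists it, which quietly exercises the missing-app path — a one-line comment on the fixture naming that intent would keep a future cleanup from "fixing" it.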