Testing & validating your access model
As you're iterating on your access model, it's important to have a quick and easy way to test and validate changes.
In this guide, we'll cover:
- How to test your access model (object types) and access rules (warrants) with the Warrant CLI using 'assertions'.
- How to create a test script for repeatable, automated testing.
Prerequisites
This guide assumes that you:
- Already have a Warrant account and access to your environments and API keys.
- Have the Warrant CLI installed.
Test assertions
The Warrant CLI's check command supports an --assert <true|false> flag used to assert the expected result. For example, let's say you're implementing RBAC and have assigned the following rules:
- user:john is assigned role:admin
- role:admin is assigned permission:create-reports
warrant assign role:admin member permission:create-reports
warrant assign user:john member role:admin
This implies that user:john should have permission:create-reports. You can verify this using the check command's assert functionality:
warrant check user:john member permission:create-reports --assert true
The above command will return true, indicating that the assertion is valid (user:john does indeed have permission:create-reports through role:admin). Similarly, you can check false assertions:
warrant check user:matt member permission:create-reports --assert false
The above command will again return true because we haven't yet assigned user:matt the permission:create-reports, either directly or via some role.
Creating a test script
Assertions are an easy way to quickly validate your schema using simple test cases. As you're iterating on your object types schema, it might be helpful to manually run assertions. But as your schema becomes more complex, or if you need to create a regression test suite, automating assertions via a script is the best option.
Building on the assertion examples from above, we can create a basic shell script that:
- Sets up test data
- Runs assertions
- Tears down the test data
#!/bin/bash
# Exit if any cmd (setup, assertion, teardown) fails
set -e
# Setup
warrant assign role:admin member permission:create-reports
warrant assign role:admin member permission:view-reports
warrant assign role:viewer member permission:view-reports
warrant assign user:john member role:admin
warrant assign user:matt member role:viewer
# Assertions
warrant check user:john member permission:create-reports --assert true
warrant check user:john member permission:view-reports --assert true
warrant check user:matt member permission:create-reports --assert false
warrant check user:matt member permission:view-reports --assert true
# Teardown
warrant remove role:admin member permission:create-reports
warrant remove role:admin member permission:view-reports
warrant remove role:viewer member permission:view-reports
warrant remove user:john member role:admin
warrant remove user:matt member role:viewer
Assuming that you have the Warrant CLI installed on your machine, you can simply run the script:
chmod +x test.sh
./test.sh
A test script like this can be used to manually run a test suite or as part of a CI workflow for managing your object types schema.
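Because the script above uses set -e, a failed assertion exits before the teardown commands run, leaving the test warrants (including user:john's admin role) in the environment. The variant below is an added example, not part of the original guide or Warrant's own code: it runs every assertion, always tears down, and returns the number of failed assertions. It assumes that warrant check with --assert exits non-zero when the assertion does not hold; the function names and the "run" argument are hypothetical.

```shell
#!/bin/sh
# Added example, not Warrant's own script. Assumes `warrant check ... --assert`
# exits non-zero when the assertion does not hold.
# Test warrants and assertions from the guide, one per line.
WARRANTS='role:admin member permission:create-reports
role:admin member permission:view-reports
role:viewer member permission:view-reports
user:john member role:admin
user:matt member role:viewer'
ASSERTIONS='user:john member permission:create-reports true
user:john member permission:view-reports true
user:matt member permission:create-reports false
user:matt member permission:view-reports true'

setup() {
  while read -r a rel b; do
    warrant assign "$a" "$rel" "$b" </dev/null || return 1
  done <<EOF
$WARRANTS
EOF
}

teardown() {
  # Best effort: keep going so one failed removal does not leave other grants behind.
  while read -r a rel b; do
    warrant remove "$a" "$rel" "$b" </dev/null || echo "teardown failed: $a $rel $b" >&2
  done <<EOF
$WARRANTS
EOF
}

run_assertions() {
  failures=0
  while read -r a rel b expected; do
    warrant check "$a" "$rel" "$b" --assert "$expected" </dev/null && continue
    echo "ASSERTION FAILED: $a $rel $b (expected $expected)" >&2
    failures=$((failures + 1))
  done <<EOF
$ASSERTIONS
EOF
  return "$failures"
}

run_suite() {
  rc=0
  setup && run_assertions || rc=$?
  teardown            # always runs, whether setup or an assertion failed
  return "$rc"
}

# Execute only when called as "./test.sh run"; hypothetical convention for this example.
if [ "${1:-}" = "run" ]; then trap 'teardown; exit 130' INT TERM; run_suite; fi
```

In CI, a non-zero exit status from ./test.sh run fails the job while the environment is still left clean.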