#!/bin/bash
# RBAC Test Suite
# Tests all RBAC permission checks: allow and deny scenarios
#
# Usage: ./scripts/test-rbac.sh
#
# Prerequisites:
# - API server running on localhost:8082
# - At least two dossiers exist (owner and stranger)

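set -e

# Base URL of the API under test. Overridable from the environment so the
# suite can run against a non-default host/port without editing the script.
API_BASE="${API_BASE:-http://localhost:8082}"
TESTS_PASSED=0
TESTS_FAILED=0

# Colors for output (ANSI escapes, expanded by echo -e / printf %b at the
# point of use). Constants, so mark them read-only.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color

# Test helper functions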
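#######################################
# Record a passing check.
# Globals:   GREEN, NC (read), TESTS_PASSED (incremented)
# Arguments: $1 - description printed after "PASS:"
# Outputs:   one colored line on stdout
#######################################
pass() {
  # %b expands the color escapes; %s prints the description verbatim, so a
  # backslash sequence in a message is never reinterpreted (echo -e would).
  printf '%bPASS%b: %s\n' "$GREEN" "$NC" "$1"
  TESTS_PASSED=$((TESTS_PASSED + 1))
}
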
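#######################################
# Record a failing check.
# Globals:   RED, NC (read), TESTS_FAILED (incremented)
# Arguments: $1 - description printed after "FAIL:"
# Outputs:   one colored line on stdout
#######################################
fail() {
  # %b expands the color escapes; %s prints the description verbatim, so a
  # backslash sequence in a message is never reinterpreted (echo -e would).
  printf '%bFAIL%b: %s\n' "$RED" "$NC" "$1"
  TESTS_FAILED=$((TESTS_FAILED + 1))
}
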
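#######################################
# Report a check that could not run (no counter is touched, so skips
# neither pass nor fail the suite).
# Globals:   YELLOW, NC (read)
# Arguments: $1 - reason printed after "SKIP:"
# Outputs:   one colored line on stdout
#######################################
skip() {
  # %b expands the color escapes; %s prints the reason verbatim.
  printf '%bSKIP%b: %s\n' "$YELLOW" "$NC" "$1"
}
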
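#######################################
# Print the HTTP status code of a request, discarding the body.
# Arguments: curl arguments, normally a single URL
# Outputs:   curl's %{http_code} on stdout ("000" when no response was
#            received, e.g. connection refused)
# Returns:   always 0 — a transport failure makes curl exit non-zero, and
#            under set -e that would abort the suite inside the caller's
#            $(...) before it can report the status; "000" is the signal.
#######################################
http_status() {
  curl -s -o /dev/null -w "%{http_code}" "$@" || true
}
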
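#######################################
# Fetch a response body.
# Arguments: curl arguments, normally a single URL
# Outputs:   the body on stdout (empty if the transfer failed)
# Returns:   always 0 — a transport failure must not abort the suite under
#            set -e; callers already treat an empty body as "nothing to test".
#######################################
http_get() {
  curl -s "$@" || true
}
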
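echo "============================================"
echo "RBAC Test Suite"
echo "============================================"
echo ""

# Check API is running. A transport failure makes curl (and so http_status)
# exit non-zero while still printing "000"; the "|| true" keeps set -e from
# aborting inside the substitution so the error message below is reached.
echo "Checking API availability..."
STATUS=$(http_status "$API_BASE/api/version" || true)
if [ "$STATUS" != "200" ]; then
  echo -e "${RED}ERROR${NC}: API server not responding at $API_BASE"
  exit 1
fi
echo "API is running."
echo ""

# Get available dossiers (we need at least one for testing)
echo "Fetching test dossiers..."
# We'll use a known test token - in production, generate test tokens.
# NOTE(review): OWNER_TOKEN and STRANGER_TOKEN are declared but not read by
# any test below; the demo dossier id is used as the owner's token.
OWNER_TOKEN=""
STRANGER_TOKEN=""

# Try to get dossiers list to find valid tokens
# For testing, we assume the demo dossier exists. Overridable from the
# environment so the suite can be pointed at a different seeded dossier.
DEMO_DOSSIER="${DEMO_DOSSIER:-1111111111111111}"
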
echo ""
echo "============================================"
echo "1. BASIC ACCESS TESTS"
echo "============================================"
echo ""

# NOTE(review): every authenticated request in this suite carries the token in
# the query string, which is the interface the API exposes; query strings are
# commonly recorded in server and proxy access logs, so treat such logs as
# sensitive when real tokens are used.

# Test 1.1: a request carrying no token must be rejected (401 or 400)
echo "Test 1.1: Request without token"
STATUS=$(http_status "$API_BASE/api/dossiers")
case "$STATUS" in
  401|400) pass "Missing token returns $STATUS (request rejected)" ;;
  *) fail "Missing token returned $STATUS, expected 401 or 400" ;;
esac

# Test 1.2: a bogus token must be rejected (401 or 403)
echo "Test 1.2: Request with invalid token"
STATUS=$(http_status "$API_BASE/api/dossiers?token=invalid_token_12345")
case "$STATUS" in
  401|403) pass "Invalid token returns $STATUS" ;;
  *) fail "Invalid token returned $STATUS, expected 401 or 403" ;;
esac

# Test 1.3: the demo dossier's token is accepted (200)
echo "Test 1.3: Request with valid token (demo dossier)"
STATUS=$(http_status "$API_BASE/api/dossiers?token=$DEMO_DOSSIER")
case "$STATUS" in
  200) pass "Valid token returns 200" ;;
  *) fail "Valid token returned $STATUS, expected 200" ;;
esac

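echo ""
echo "============================================"
echo "2. DOSSIER ACCESS TESTS"
echo "============================================"
echo ""

# Test 2.1: Owner can read own dossier
echo "Test 2.1: Owner reads own dossier"
STATUS=$(http_status "$API_BASE/api/studies?dossier=$DEMO_DOSSIER&token=$DEMO_DOSSIER")
if [ "$STATUS" = "200" ]; then
  pass "Owner can read own dossier"
else
  fail "Owner reading own dossier returned $STATUS, expected 200"
fi

# Test 2.2: Stranger cannot read other's dossier
echo "Test 2.2: Stranger cannot read other's dossier"
# The stranger token defaults to a placeholder that belongs to no dossier.
# Such a token is most likely rejected as invalid (compare Test 1.2), which
# exercises token validation rather than the RBAC decision for a valid but
# unauthorized principal. Set FAKE_STRANGER in the environment to the token
# of a second, real dossier to test the authorization path (expected 403).
FAKE_STRANGER="${FAKE_STRANGER:-aaaaaaaaaaaaaaaa}"
STATUS=$(http_status "$API_BASE/api/studies?dossier=$DEMO_DOSSIER&token=$FAKE_STRANGER")
if [ "$STATUS" = "403" ] || [ "$STATUS" = "401" ]; then
  pass "Stranger denied access to other's dossier ($STATUS)"
else
  fail "Stranger accessing other's dossier returned $STATUS, expected 403"
fi
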
echo ""
echo "============================================"
echo "3. IMAGING ACCESS TESTS"
echo "============================================"
echo ""

# Test 3.1: the owner may list studies of the demo dossier
echo "Test 3.1: Owner lists studies"
STATUS=$(http_status "$API_BASE/api/studies?dossier=$DEMO_DOSSIER&token=$DEMO_DOSSIER")
case "$STATUS" in
  200) pass "Owner can list studies" ;;
  *) fail "Owner listing studies returned $STATUS, expected 200" ;;
esac

# Test 3.2: the owner may list series (needs a study id from the listing)
echo "Test 3.2: Owner lists series (requires valid study)"
# Extract the first "id":"..." pair from the body with grep. This is a textual
# match, not a JSON parse: it assumes ids are quoted strings with no spaces
# around the colon, and takes the first id anywhere in the document. STUDY_ID
# is reused by the image tests later in the script.
STUDIES=$(http_get "$API_BASE/api/studies?dossier=$DEMO_DOSSIER&token=$DEMO_DOSSIER")
STUDY_ID=$(grep -o '"id":"[^"]*"' <<<"$STUDIES" | head -1 | cut -d'"' -f4)
if [ -z "$STUDY_ID" ]; then
  skip "No studies available to test series access"
else
  STATUS=$(http_status "$API_BASE/api/series?dossier=$DEMO_DOSSIER&study=$STUDY_ID&token=$DEMO_DOSSIER")
  case "$STATUS" in
    200) pass "Owner can list series" ;;
    *) fail "Owner listing series returned $STATUS, expected 200" ;;
  esac
fi

# Test 3.3: a stranger may not list studies of the demo dossier
echo "Test 3.3: Stranger cannot list studies"
STATUS=$(http_status "$API_BASE/api/studies?dossier=$DEMO_DOSSIER&token=$FAKE_STRANGER")
case "$STATUS" in
  403|401) pass "Stranger denied listing studies ($STATUS)" ;;
  *) fail "Stranger listing studies returned $STATUS, expected 403" ;;
esac

echo ""
echo "============================================"
echo "4. LAB ACCESS TESTS"
echo "============================================"
echo ""

# Test 4.1: the owner may list lab tests of the demo dossier
echo "Test 4.1: Owner lists lab tests"
STATUS=$(http_status "$API_BASE/api/labs/tests?dossier=$DEMO_DOSSIER&token=$DEMO_DOSSIER")
case "$STATUS" in
  200) pass "Owner can list lab tests" ;;
  *) fail "Owner listing lab tests returned $STATUS, expected 200" ;;
esac

# Test 4.2: a stranger may not list lab tests of the demo dossier
echo "Test 4.2: Stranger cannot list lab tests"
STATUS=$(http_status "$API_BASE/api/labs/tests?dossier=$DEMO_DOSSIER&token=$FAKE_STRANGER")
case "$STATUS" in
  403|401) pass "Stranger denied listing lab tests ($STATUS)" ;;
  *) fail "Stranger listing lab tests returned $STATUS, expected 403" ;;
esac

echo ""
echo "============================================"
echo "5. GENOME ACCESS TESTS"
echo "============================================"
echo ""

# Test 5.1: the owner may query the genome of the demo dossier
echo "Test 5.1: Owner queries genome"
STATUS=$(http_status "$API_BASE/api/genome?dossier=$DEMO_DOSSIER&token=$DEMO_DOSSIER")
case "$STATUS" in
  200) pass "Owner can query genome" ;;
  *) fail "Owner querying genome returned $STATUS, expected 200" ;;
esac

# Test 5.2: a stranger may not query the genome of the demo dossier
echo "Test 5.2: Stranger cannot query genome"
STATUS=$(http_status "$API_BASE/api/genome?dossier=$DEMO_DOSSIER&token=$FAKE_STRANGER")
case "$STATUS" in
  403|401) pass "Stranger denied genome query ($STATUS)" ;;
  *) fail "Stranger querying genome returned $STATUS, expected 403" ;;
esac

echo ""
echo "============================================"
echo "6. IMAGE ACCESS TESTS"
echo "============================================"
echo ""

# Test 6.1: Image endpoint requires auth
echo "Test 6.1: Image endpoint requires authentication"
# Walk study -> series -> slice to find one slice id, using STUDY_ID from the
# imaging section. Whichever level comes back empty decides the skip reason;
# the id extraction is the same textual grep used there, not a JSON parse.
SKIP_REASON=""
if [ -z "$STUDY_ID" ]; then
  SKIP_REASON="No studies available to test image access"
else
  SERIES=$(http_get "$API_BASE/api/series?dossier=$DEMO_DOSSIER&study=$STUDY_ID&token=$DEMO_DOSSIER")
  SERIES_ID=$(grep -o '"id":"[^"]*"' <<<"$SERIES" | head -1 | cut -d'"' -f4)
  if [ -z "$SERIES_ID" ]; then
    SKIP_REASON="No series available to test image access"
  else
    SLICES=$(http_get "$API_BASE/api/slices?dossier=$DEMO_DOSSIER&series=$SERIES_ID&token=$DEMO_DOSSIER")
    SLICE_ID=$(grep -o '"id":"[^"]*"' <<<"$SLICES" | head -1 | cut -d'"' -f4)
    if [ -z "$SLICE_ID" ]; then
      SKIP_REASON="No slices available to test image access"
    fi
  fi
fi

if [ -n "$SKIP_REASON" ]; then
  skip "$SKIP_REASON"
else
  # No token at all: the image route must refuse (exactly 401 here)
  STATUS=$(http_status "$API_BASE/image/$SLICE_ID")
  case "$STATUS" in
    401) pass "Image endpoint requires auth" ;;
    *) fail "Image endpoint without auth returned $STATUS, expected 401" ;;
  esac

  # Owner token: the image is served
  STATUS=$(http_status "$API_BASE/image/$SLICE_ID?token=$DEMO_DOSSIER")
  case "$STATUS" in
    200) pass "Owner can access image" ;;
    *) fail "Owner accessing image returned $STATUS, expected 200" ;;
  esac

  # Stranger token: the image is refused
  STATUS=$(http_status "$API_BASE/image/$SLICE_ID?token=$FAKE_STRANGER")
  case "$STATUS" in
    403|401) pass "Stranger denied image access ($STATUS)" ;;
    *) fail "Stranger accessing image returned $STATUS, expected 403" ;;
  esac
fi

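echo ""
echo "============================================"
echo "7. RBAC CHECK ENDPOINT TESTS"
echo "============================================"
echo ""

# The check endpoint is expected to answer with a JSON body carrying an
# "allowed" flag. The patterns tolerate whitespace around the colon so a
# pretty-printed body is not misread as "flag absent".
ALLOWED_TRUE='"allowed"[[:space:]]*:[[:space:]]*true'
ALLOWED_FALSE='"allowed"[[:space:]]*:[[:space:]]*false'

# Test 7.1: RBAC check endpoint works
echo "Test 7.1: RBAC check endpoint"
STATUS=$(http_status "$API_BASE/api/rbac/check?dossier=$DEMO_DOSSIER&op=r&token=$DEMO_DOSSIER")
if [ "$STATUS" = "200" ]; then
  RESPONSE=$(http_get "$API_BASE/api/rbac/check?dossier=$DEMO_DOSSIER&op=r&token=$DEMO_DOSSIER")
  if grep -Eq "$ALLOWED_TRUE" <<<"$RESPONSE"; then
    pass "RBAC check returns allowed=true for owner"
  else
    fail "RBAC check did not return allowed=true for owner"
  fi
else
  fail "RBAC check endpoint returned $STATUS, expected 200"
fi

# Test 7.2: RBAC check denies stranger
echo "Test 7.2: RBAC check denies stranger"
STATUS=$(http_status "$API_BASE/api/rbac/check?dossier=$DEMO_DOSSIER&op=r&token=$FAKE_STRANGER")
if [ "$STATUS" = "200" ]; then
  RESPONSE=$(http_get "$API_BASE/api/rbac/check?dossier=$DEMO_DOSSIER&op=r&token=$FAKE_STRANGER")
  if grep -Eq "$ALLOWED_FALSE" <<<"$RESPONSE"; then
    pass "RBAC check returns allowed=false for stranger"
  else
    # A 200 whose body does not say allowed=false is not a denial: either the
    # stranger was allowed or the response shape is not what we expect. Both
    # are failures; a pass here would hide an authorization bypass.
    fail "RBAC check returned 200 without allowed=false for stranger"
  fi
elif [ "$STATUS" = "401" ] || [ "$STATUS" = "403" ]; then
  # The API may reject an unknown token before evaluating the RBAC rule.
  pass "RBAC check denies stranger ($STATUS)"
else
  fail "RBAC check for stranger returned $STATUS"
fi
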
echo ""
echo "============================================"
echo "8. ENTRIES ENDPOINT TESTS"
echo "============================================"
echo ""

# Test 8.1: the owner may list entries of the demo dossier
echo "Test 8.1: Owner lists entries"
STATUS=$(http_status "$API_BASE/api/entries?dossier=$DEMO_DOSSIER&token=$DEMO_DOSSIER")
case "$STATUS" in
  200) pass "Owner can list entries" ;;
  *) fail "Owner listing entries returned $STATUS, expected 200" ;;
esac

# Test 8.2: a stranger may not list entries of the demo dossier
echo "Test 8.2: Stranger cannot list entries"
STATUS=$(http_status "$API_BASE/api/entries?dossier=$DEMO_DOSSIER&token=$FAKE_STRANGER")
case "$STATUS" in
  403|401) pass "Stranger denied listing entries ($STATUS)" ;;
  *) fail "Stranger listing entries returned $STATUS, expected 403" ;;
esac

echo ""
echo "============================================"
echo "SUMMARY"
echo "============================================"
echo ""
echo -e "${GREEN}Passed${NC}: $TESTS_PASSED"
echo -e "${RED}Failed${NC}: $TESTS_FAILED"
echo ""

# Exit non-zero when any check failed so a CI job can gate on this script.
if (( TESTS_FAILED > 0 )); then
  echo -e "${RED}Some tests failed!${NC}"
  exit 1
fi
echo -e "${GREEN}All tests passed!${NC}"
exit 0