From cfeb40c49edb8f93b9315cd5df73e59c34941cf7 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Tue, 21 Jan 2025 16:19:55 -0600 Subject: [PATCH] tests: add negative test for resources Add another test to make sure the KBS won't return resources when the DenyAll policy is set. Signed-off-by: Tobin Feldman-Fitzthum --- integration-tests/tests/integration.rs | 38 +++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/integration-tests/tests/integration.rs b/integration-tests/tests/integration.rs index 1f50098e0..09d90595f 100644 --- a/integration-tests/tests/integration.rs +++ b/integration-tests/tests/integration.rs @@ -39,16 +39,14 @@ const ALLOW_ALL_POLICY: &str = " allow = true "; -/* const DENY_ALL_POLICY: &str = " package policy allow = false "; -*/ enum PolicyType { AllowAll, - //DenyAll, + DenyAll, //Custom(String), } @@ -135,7 +133,7 @@ impl TestHarness { let policy_bytes = match policy { PolicyType::AllowAll => ALLOW_ALL_POLICY.as_bytes().to_vec(), - //PolicyType::DenyAll => DENY_ALL_POLICY.as_bytes().to_vec(), + PolicyType::DenyAll => DENY_ALL_POLICY.as_bytes().to_vec(), //PolicyType::Custom(p) => p.into_bytes(), }; 
@@ -210,3 +208,35 @@ async fn get_secret_allow_all(#[case] test_parameters: TestParameters) -> Result Ok(()) } + +#[rstest] +#[case::ear_deny_all(TestParameters{attestation_token_type: "Ear".to_string() })] +#[case::simple_deny_all(TestParameters{attestation_token_type: "Simple".to_string() })] +#[serial] +#[actix_rt::test] +async fn get_secret_deny_all(#[case] test_parameters: TestParameters) -> Result<()> { + let _ = env_logger::try_init_from_env(env_logger::Env::new().default_filter_or("debug")); + let harness = TestHarness::new(test_parameters)?; + + let api_server = ApiServer::new(harness.kbs_config.clone()).await?; + + let kbs_server = api_server.server()?; + let kbs_handle = kbs_server.handle(); + + actix_web::rt::spawn(kbs_server); + + harness.wait().await; + harness.set_secret(SECRET_PATH.to_string(), SECRET_BYTES.as_ref().to_vec()) + .await?; + harness.set_policy(PolicyType::DenyAll).await?; + + let secret = harness.get_secret(SECRET_PATH.to_string()).await; + + assert!(secret.is_err()); + assert_eq!(secret.unwrap_err().to_string(), "request unauthorized".to_string()); + info!("TEST: test completed succesfully"); + + kbs_handle.stop(true).await; + + Ok(()) +}
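Review bot: `kbs_handle.stop(true).await` at the end of `get_secret_deny_all` is only reached when both assertions pass, so in the one case this test exists to catch (the KBS releasing the resource under DenyAll) the panic skips the shutdown and the spawned server is left to whatever cleanup the runtime performs. The test is `#[serial]`, which suggests the cases share state such as a listening port; the harness is not visible in this hunk, so that is an assumption, but a leftover server could then turn one real policy failure into a run of unrelated-looking failures in later cases. Moving the stop call to directly after `let secret = harness.get_secret(SECRET_PATH.to_string()).await;` and asserting afterwards keeps the teardown on the failure path. The early returns from `set_secret(...).await?` and `set_policy(PolicyType::DenyAll).await?` skip the shutdown in the same way. Separately, the log string `"TEST: test completed succesfully"` misspells `successfully`.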