use common plumbing

internal/mesh/internal/types/destination_policy_test.go

@@ -11,7 +11,6 @@ import (
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/durationpb"
 
-	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/internal/resource"
 	"github.com/hashicorp/consul/internal/resource/resourcetest"
@@ -534,54 +533,15 @@ func TestDestinationPolicyACLs(t *testing.T) {
 		return res
 	}
 
-	type testcase struct {
-		res     *pbresource.Resource
-		rules   string
-		check   func(t *testing.T, authz acl.Authorizer, res *pbresource.Resource)
-		readOK  string
-		writeOK string
-	}
-
 	const (
-		DENY    = "deny"
-		ALLOW   = "allow"
-		DEFAULT = "default"
+		DENY    = resourcetest.DENY
+		ALLOW   = resourcetest.ALLOW
+		DEFAULT = resourcetest.DEFAULT
 	)
 
-	checkF := func(t *testing.T, name string, expect string, got error) {
-		switch expect {
-		case ALLOW:
-			if acl.IsErrPermissionDenied(got) {
-				t.Fatal(name + " should be allowed")
-			}
-		case DENY:
-			if !acl.IsErrPermissionDenied(got) {
-				t.Fatal(name + " should be denied")
-			}
-		case DEFAULT:
-			require.Nil(t, got, name+" expected fallthrough decision")
-		default:
-			t.Fatalf(name+" unexpected expectation: %q", expect)
-		}
-	}
-
-	reg, ok := registry.Resolve(pbmesh.DestinationPolicyType)
-	require.True(t, ok)
-
-	run := func(t *testing.T, name string, tc testcase) {
+	run := func(t *testing.T, name string, tc resourcetest.ACLTestCase) {
 		t.Run(name, func(t *testing.T) {
-			config := acl.Config{
-				WildcardName: structs.WildcardSpecifier,
-			}
-			authz, err := acl.NewAuthorizerFromRules(tc.rules, &config, nil)
-			require.NoError(t, err)
-			authz = acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.DenyAll()})
-
-			authCtx := resource.AuthorizerContext(tc.res.Id.Tenancy)
-
-			checkF(t, "read", tc.readOK, reg.ACLs.Read(authz, authCtx, tc.res.Id, nil))
-			checkF(t, "write", tc.writeOK, reg.ACLs.Write(authz, authCtx, tc.res))
-			checkF(t, "list", DEFAULT, reg.ACLs.List(authz, authCtx))
+			resourcetest.RunACLTestCase(t, tc, registry)
 		})
 	}
 
@@ -601,11 +561,13 @@ func TestDestinationPolicyACLs(t *testing.T) {
 	}
 
 	assert := func(t *testing.T, name string, rules string, res *pbresource.Resource, readOK, writeOK string) {
-		tc := testcase{
-			res:     res,
-			rules:   rules,
-			readOK:  readOK,
-			writeOK: writeOK,
+		tc := resourcetest.ACLTestCase{
+			AuthCtx: resource.AuthorizerContext(res.Id.Tenancy),
+			Rules:   rules,
+			Res:     res,
+			ReadOK:  readOK,
+			WriteOK: writeOK,
+			ListOK:  DEFAULT,
 		}
 		run(t, name, tc)
 	}

internal/resource/resourcetest/acls.go

@@ -41,6 +41,9 @@ var checkF = func(t *testing.T, expect string, got error) {
 type ACLTestCase struct {
 	Rules string
 
+	// AuthCtx is optional. If not provided an empty one will be used.
+	AuthCtx *acl.AuthorizerContext
+
 	// One of either Res or Data/Owner/Typ should be set.
 	Res   *pbresource.Resource
 	Data  protoreflect.ProtoMessage
@@ -92,21 +95,25 @@ func RunACLTestCase(t *testing.T, tc ACLTestCase, registry resource.Registry) {
 	require.NoError(t, err)
 	authz = acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.DenyAll()})
 
+	if tc.AuthCtx == nil {
+		tc.AuthCtx = &acl.AuthorizerContext{}
+	}
+
 	if tc.ReadHookRequiresResource {
-		err = reg.ACLs.Read(authz, &acl.AuthorizerContext{}, res.Id, nil)
+		err = reg.ACLs.Read(authz, tc.AuthCtx, res.Id, nil)
 		require.ErrorIs(t, err, resource.ErrNeedResource, "read hook should require the data payload")
 	}
 
 	t.Run("read", func(t *testing.T) {
-		err := reg.ACLs.Read(authz, &acl.AuthorizerContext{}, res.Id, res)
+		err := reg.ACLs.Read(authz, tc.AuthCtx, res.Id, res)
 		checkF(t, tc.ReadOK, err)
 	})
 	t.Run("write", func(t *testing.T) {
-		err := reg.ACLs.Write(authz, &acl.AuthorizerContext{}, res)
+		err := reg.ACLs.Write(authz, tc.AuthCtx, res)
 		checkF(t, tc.WriteOK, err)
 	})
 	t.Run("list", func(t *testing.T) {
-		err := reg.ACLs.List(authz, &acl.AuthorizerContext{})
+		err := reg.ACLs.List(authz, tc.AuthCtx)
 		checkF(t, tc.ListOK, err)
 	})
 }