system: settings: auth: authz: update RequireLocalAdmin tests for PAM allow policy

2026-06-14 00:46:34 +03:00 · 2026-05-18 19:27:50 +05:30
parent 5ea3f7999d
commit d65e0f5d64
1 changed files with 25 additions and 1 deletions
@@ -82,8 +82,32 @@ func TestRequireLocalAdminAllowsPasskeyAdmin(t *testing.T) {
 	}
 }

-func TestRequireLocalAdminRejectsPamAuth(t *testing.T) {
+func TestRequireLocalAdminAllowsPamAdmin(t *testing.T) {
 	service := newAuthzTestService(t)
+	if err := service.DB.Create(&models.User{
+		ID:       1,
+		Username: "root",
+		Admin:    true,
+	}).Error; err != nil {
+		t.Fatalf("failed_to_seed_user: %v", err)
+	}
+
+	status := performAuthzRequest(t, service, "pam", 1)
+	if status != http.StatusOK {
+		t.Fatalf("expected_status_200_got: %d", status)
+	}
+}
+
+func TestRequireLocalAdminRejectsPamNonAdmin(t *testing.T) {
+	service := newAuthzTestService(t)
+	if err := service.DB.Create(&models.User{
+		ID:       1,
+		Username: "pamuser",
+		Admin:    false,
+	}).Error; err != nil {
+		t.Fatalf("failed_to_seed_user: %v", err)
+	}
+
 	status := performAuthzRequest(t, service, "pam", 1)
 	if status != http.StatusForbidden {
 		t.Fatalf("expected_status_403_got: %d", status)