Authorization Testing
Authorization policies must be thoroughly tested in a controlled setting before being deployed to production. Effective testing strategies confirm that the system behaves as expected under various conditions and help catch potential issues before they affect the production environment.
Here's how testing should be structured:
Unit Testing
Unit tests are essential for verifying the individual components of your authorization policies. These tests should be designed to run independently from the rest of the system, allowing for quick checks on the logic and functionality of each policy.
At Permit, unit tests can be executed using policy as code, where the policy code is loaded directly onto the policy engine (such as via the OPA test command line), ensuring that each component functions correctly in isolation.
Application and Integration Testing
Application and integration tests evaluate how well different parts of your application work together under real-world scenarios. This involves deploying a PDP that is synced to the development environment and running tests that simulate actual application queries against the PDP. This method ensures that policies are not only theoretically correct, but are also effectively enforced within the application context.
In Permit, we incorporate these tests into our development cycles, allowing for thorough validation of policy implementations in a controlled yet realistic setting.
Automation of Testing Processes
Automation plays a vital role in maintaining efficiency and consistency in testing. Automated tests can be configured to run as part of the CI/CD pipeline, ensuring that every change is vetted before it goes live. We suggest you consider the following triggers and hooks, which you can mix and match according to your needs:
- The CI system deploys PDPs specifically for testing policy changes.
- Developers can trigger tests automatically through the CI system.
- Tests must pass before environments are merged; if tests fail, the CI system will not proceed with merging changes.
- The CI system uses APIs like Create/Copy-env to establish environments purely for testing purposes, guaranteeing that each test environment mirrors the target deployment scenario accurately.