chore(e2e): add tests for RBAC policyDecisionPrecedence config

JessicaJHee · JessicaJHee · commit 70928e6e1ff3 · 2025-10-20T15:33:01.000-04:00
Signed-off-by: Jessica He &lt;jhe@redhat.com&gt;
diff --git a/.ibm/pipelines/resources/config_map/app-config-rhdh-rbac.yaml b/.ibm/pipelines/resources/config_map/app-config-rhdh-rbac.yaml
@@ -136,4 +136,5 @@ permission:
     admin:
       users:
         - name: user:default/rhdh-qe
+    policyDecisionPrecedence: basic
 includeTransitiveGroupOwnership: true
diff --git a/.ibm/pipelines/resources/config_map/rbac-policy.csv b/.ibm/pipelines/resources/config_map/rbac-policy.csv
@@ -39,3 +39,16 @@ p, role:default/catalog_reader, catalog.entity.read, read, allow
 g, user:default/rhdh-qe, role:default/extension
 p, role:default/extension, extension-plugin, read, allow
 p, role:default/extension, extension-plugin, create, allow
+
+p, role:default/all_resource_reader, catalog-entity, read, allow
+p, role:default/all_resource_reader, catalog-entity, create, allow
+g, user:default/rhdh-qe-6, role:default/all_resource_reader
+
+p, role:default/all_resource_denier, catalog-entity, read, deny
+p, role:default/all_resource_denier, catalog-entity, create, allow
+g, user:default/rhdh-qe-4, role:default/all_resource_denier
+
+g, user:default/rhdh-qe-4, role:default/owned_resource_reader
+g, user:default/rhdh-qe-6, role:default/owned_resource_reader
+
+g, user:development/guest, role:default/admin
diff --git a/.ibm/pipelines/value_files/values_showcase-rbac.yaml b/.ibm/pipelines/value_files/values_showcase-rbac.yaml
@@ -334,6 +334,19 @@ upstream:
               params:
                 claims:
                   - \$ownerRefs
+            ---
+            result: CONDITIONAL
+            roleEntityRef: 'role:default/owned_resource_reader'
+            pluginId: catalog
+            resourceType: catalog-entity
+            permissionMapping:
+              - read
+            conditions:
+              rule: IS_ENTITY_OWNER
+              resourceType: catalog-entity
+              params:
+                claims:
+                  - \$currentUser
             EOF
 
             ./install-dynamic-plugins.sh /dynamic-plugins-root
diff --git a/e2e-tests/playwright/e2e/plugins/rbac/rbac.spec.ts b/e2e-tests/playwright/e2e/plugins/rbac/rbac.spec.ts
@@ -786,4 +786,41 @@ test.describe.serial("Test RBAC", () => {
       await expect(dropdownMenuLocator).toBeHidden();
     });
   });
+
+  test.describe
+    .serial("Test RBAC plugin: Policy decision precedence: basic — prioritize permission before conditional", () => {
+    let page: Page;
+    let common: Common;
+    let uiHelper: UIhelper;
+
+    test.beforeAll(async ({ browser }, testInfo) => {
+      page = (await setupBrowser(browser, testInfo)).page;
+
+      uiHelper = new UIhelper(page);
+      common = new Common(page);
+    });
+
+    test("should decide based on policy defined in basic policy, conditional policy should be ignored", async () => {
+      // Should allow read for user6: has static allow read via CSV and is also permitted via conditional policy
+      await common.loginAsKeycloakUser(
+        process.env.QE_USER6_ID,
+        process.env.QE_USER6_PASS,
+      );
+      await uiHelper.openSidebar("Catalog");
+      await uiHelper.selectMuiBox("Kind", "Component");
+      await uiHelper.searchInputPlaceholder("mock-component");
+      await expect(
+        page.getByRole("link", { name: "mock-component-qe-6" }),
+      ).toBeVisible();
+
+      // Should deny read for user4: has static deny read via CSV even though permitted by conditional policy
+      await common.loginAsKeycloakUser(
+        process.env.QE_USER4_ID,
+        process.env.QE_USER4_PASS,
+      );
+      await uiHelper.openSidebar("Catalog");
+      await uiHelper.selectMuiBox("Kind", "Component");
+      await uiHelper.verifyTableIsEmpty();
+    });
+  });
 });
