PR(TEST): Add tests where requests without identity can access
shahzadlone committed Nov 27, 2024
1 parent 1d64617 commit 5b8b1dc
Showing 2 changed files with 412 additions and 0 deletions.
Expand Up @@ -248,3 +248,209 @@ func TestACP_OwnerGivesOnlyReadAccessToAllActors_GQL_AllActorsCanReadButNotUpdat

testUtils.ExecuteTestCase(t, test)
}

func TestACP_OwnerGivesOnlyReadAccessToAllActors_GQL_CanReadEvenWithoutIdentityButNotUpdateOrDelete(t *testing.T) {
expectedPolicyID := "fc56b7509c20ac8ce682b3b9b4fdaad868a9c70dda6ec16720298be64f16e9a4"

test := testUtils.TestCase{

Description: "Test acp, owner gives read access to all actors (gql), can read without an identity but can't update or delete",

SupportedMutationTypes: immutable.Some(
[]testUtils.MutationType{
// GQL mutation will return no error when wrong identity is used so test that separately.
testUtils.GQLRequestMutationType,
},
),

Actions: []any{
testUtils.AddPolicy{

Identity: testUtils.ClientIdentity(1),

Policy: `
name: Test Policy
description: A Policy
actor:
name: actor
resources:
users:
permissions:
read:
expr: owner + reader + writer
write:
expr: owner + writer
nothing:
expr: dummy
relations:
owner:
types:
- actor
reader:
types:
- actor
writer:
types:
- actor
admin:
manages:
- reader
types:
- actor
dummy:
types:
- actor
`,

ExpectedPolicyID: expectedPolicyID,
},

testUtils.SchemaUpdate{
Schema: fmt.Sprintf(`
type Users @policy(
id: "%s",
resource: "users"
) {
name: String
age: Int
}
`,
expectedPolicyID,
),
},

testUtils.CreateDoc{
Identity: testUtils.ClientIdentity(1),

CollectionID: 0,

Doc: `
{
"name": "Shahzad",
"age": 28
}
`,
},

testUtils.Request{
Identity: testUtils.NoIdentity(), // Can not read without an identity.

Request: `
query {
Users {
_docID
name
age
}
}
`,

Results: map[string]any{
"Users": []map[string]any{}, // Can't see the documents yet
},
},

testUtils.DeleteDoc{ // Since can't read without identity, can't delete either.
CollectionID: 0,

Identity: testUtils.NoIdentity(),

DocID: 0,

ExpectedError: "document not found or not authorized to access",
},

testUtils.UpdateDoc{ // Since can't read without identity, can't update either.
CollectionID: 0,

Identity: testUtils.NoIdentity(),

DocID: 0,

Doc: `
{
"name": "Shahzad Lone"
}
`,

ExpectedError: "document not found or not authorized to access",
},

testUtils.AddDocActorRelationship{
RequestorIdentity: testUtils.ClientIdentity(1),

TargetIdentity: testUtils.AllClientIdentities(),

CollectionID: 0,

DocID: 0,

Relation: "reader",

ExpectedExistence: false,
},

testUtils.Request{
Identity: testUtils.NoIdentity(), // Now any identity can read, even if there is no identity

Request: `
query {
Users {
_docID
name
age
}
}
`,

Results: map[string]any{
"Users": []map[string]any{
{
"_docID": "bae-9d443d0c-52f6-568b-8f74-e8ff0825697b",
"name": "Shahzad",
"age": int64(28),
},
},
},
},

testUtils.UpdateDoc{ // But doesn't mean they can update.
CollectionID: 0,

Identity: testUtils.NoIdentity(),

DocID: 0,

Doc: `
{
"name": "Shahzad Lone"
}
`,

ExpectedError: "document not found or not authorized to access",
},

testUtils.DeleteDoc{ // But doesn't mean they can delete.
CollectionID: 0,

Identity: testUtils.NoIdentity(),

DocID: 0,

ExpectedError: "document not found or not authorized to access",
},
},
}

testUtils.ExecuteTestCase(t, test)
}
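Review bot: The new test function has no doc comment stating what it pins down, which matters here because the behaviour under test is an authorization boundary: a request carrying no identity gets an empty result (not an error) before the `reader` relation is granted to all actors, and after the grant it can read the document but the two `UpdateDoc`/`DeleteDoc` actions still expect `document not found or not authorized to access`. A comment above the signature such as `// Tests that after the owner grants the reader relation to all actors, a request with no identity can read the document but still cannot update or delete it.` would make that intent explicit for anyone auditing ACP coverage. The literal `"document not found or not authorized to access"` is repeated in all four `ExpectedError` fields; hoisting it into one local next to `expectedPolicyID`, e.g. `notAuthorizedErr := "document not found or not authorized to access"`, keeps the four expectations in sync if the message is ever reworded. The actions also appear to mirror the preceding `..._AllActorsCanReadButNotUpdateOrDelete` test with only the identity differing; if so, a table-driven test over the identity would avoid carrying two copies of the policy and schema, though that function's body lies outside the hunk and this is inferred from the name only.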
