PR(TEST): Add tests where requests without identity can not access
(after revokation)
shahzadlone committed Nov 27, 2024
1 parent 5b8b1dc commit a81c7d3
Showing 1 changed file with 163 additions and 2 deletions.
Expand Up @@ -165,7 +165,7 @@ func TestACP_OwnerRevokesAccessFromAllNonExplicitActors_ActorsCanNotReadAnymore(
},
},

testUtils.DeleteDocActorRelationship{ // Revoke access from all actors, not explictly allowed.
testUtils.DeleteDocActorRelationship{ // Revoke access from all actors, (ones given access through * implicitly).
RequestorIdentity: testUtils.ClientIdentity(1),

TargetIdentity: testUtils.AllClientIdentities(),
Expand Down Expand Up @@ -444,7 +444,7 @@ func TestACP_OwnerRevokesAccessFromAllNonExplicitActors_ExplicitActorsCanStillRe
},
},

testUtils.DeleteDocActorRelationship{ // Revoke access from all actors, not explictly allowed.
testUtils.DeleteDocActorRelationship{ // Revoke access from all actors, (ones given access through * implicitly).
RequestorIdentity: testUtils.ClientIdentity(1),

TargetIdentity: testUtils.AllClientIdentities(),
Expand Down Expand Up @@ -546,3 +546,164 @@ func TestACP_OwnerRevokesAccessFromAllNonExplicitActors_ExplicitActorsCanStillRe

testUtils.ExecuteTestCase(t, test)
}

func TestACP_OwnerRevokesAccessFromAllNonExplicitActors_NonIdentityRequestsCanNotReadAnymore(t *testing.T) {
expectedPolicyID := "fc56b7509c20ac8ce682b3b9b4fdaad868a9c70dda6ec16720298be64f16e9a4"

test := testUtils.TestCase{

Description: "Test acp, owner revokes read access from actors that were given read access implicitly, non-identity actors can't read anymore",

Actions: []any{
testUtils.AddPolicy{

Identity: testUtils.ClientIdentity(1),

Policy: `
name: Test Policy
description: A Policy
actor:
name: actor
resources:
users:
permissions:
read:
expr: owner + reader + writer
write:
expr: owner + writer
nothing:
expr: dummy
relations:
owner:
types:
- actor
reader:
types:
- actor
writer:
types:
- actor
admin:
manages:
- reader
types:
- actor
dummy:
types:
- actor
`,

ExpectedPolicyID: expectedPolicyID,
},

testUtils.SchemaUpdate{
Schema: fmt.Sprintf(`
type Users @policy(
id: "%s",
resource: "users"
) {
name: String
age: Int
}
`,
expectedPolicyID,
),
},

testUtils.CreateDoc{
Identity: testUtils.ClientIdentity(1),

CollectionID: 0,

Doc: `
{
"name": "Shahzad",
"age": 28
}
`,
},

testUtils.AddDocActorRelationship{
RequestorIdentity: testUtils.ClientIdentity(1),

TargetIdentity: testUtils.AllClientIdentities(), // Give implicit access to all identities.

CollectionID: 0,

DocID: 0,

Relation: "reader",

ExpectedExistence: false,
},

testUtils.Request{
Identity: testUtils.NoIdentity(), // Can read even without identity

Request: `
query {
Users {
_docID
name
age
}
}
`,

Results: map[string]any{
"Users": []map[string]any{
{
"_docID": "bae-9d443d0c-52f6-568b-8f74-e8ff0825697b",
"name": "Shahzad",
"age": int64(28),
},
},
},
},

testUtils.DeleteDocActorRelationship{ // Revoke access from all actors, (ones given access through * implicitly).
RequestorIdentity: testUtils.ClientIdentity(1),

TargetIdentity: testUtils.AllClientIdentities(),

CollectionID: 0,

DocID: 0,

Relation: "reader",

ExpectedRecordFound: true,
},

testUtils.Request{
Identity: testUtils.NoIdentity(), // Can not read anymore

Request: `
query {
Users {
_docID
name
age
}
}
`,

Results: map[string]any{
"Users": []map[string]any{}, // Can't see the documents now
},
},
},
}

testUtils.ExecuteTestCase(t, test)
}
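Review bot: The final assertion `"Users": []map[string]any{}` at the end of the new test would also pass if the `DeleteDocActorRelationship` step had removed more than the wildcard reader grant, or the document itself, because nothing after the revocation reads the document with an identity that should still be authorized. Adding one more `testUtils.Request` as the owner (`testUtils.ClientIdentity(1)`) expecting the original document pins that only the `*` relation was revoked and that the empty result for `testUtils.NoIdentity()` is an authorization filter rather than a missing document. It is also worth stating at the `Results` comment that a denied read surfaces as an empty result set and not as an error, since that is the behaviour the test depends on, e.g. `// Denied reads are filtered out, not rejected: expect an empty set, not an error.` The two earlier hunks only reword a comment and need no change beyond the stray comma in `all actors, (ones given access ...)`.
```go
			// … unchanged: AddPolicy, SchemaUpdate, CreateDoc, AddDocActorRelationship, pre-revoke Request, DeleteDocActorRelationship, no-identity Request …

			testUtils.Request{
				Identity: testUtils.ClientIdentity(1), // Owner must still read after the implicit (*) grant is revoked.

				Request: `
					query {
						Users {
							_docID
							name
							age
						}
					}
				`,

				Results: map[string]any{
					"Users": []map[string]any{
						{
							"_docID": "bae-9d443d0c-52f6-568b-8f74-e8ff0825697b",
							"name":   "Shahzad",
							"age":    int64(28),
						},
					},
				},
			},
```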
