2023-07-29 18:47:25 +00:00
|
|
|
use std::collections::HashMap;
|
|
|
|
|
use std::sync::Arc;
|
|
|
|
|
|
2023-08-30 18:01:30 +00:00
|
|
|
use surrealdb::dbs::capabilities::Capabilities;
|
2023-07-29 18:47:25 +00:00
|
|
|
use surrealdb::dbs::Session;
|
2023-08-30 18:01:30 +00:00
|
|
|
use surrealdb::err::Error;
|
2023-07-29 18:47:25 +00:00
|
|
|
use surrealdb::iam::{Auth, Level, Role};
|
|
|
|
|
use surrealdb::kvs::Datastore;
|
|
|
|
|
|
2023-08-30 18:01:30 +00:00
|
|
|
pub async fn new_ds() -> Result<Datastore, Error> {
|
|
|
|
|
Ok(Datastore::new("memory").await?.with_capabilities(Capabilities::all()))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[allow(dead_code)]
|
2023-07-29 18:47:25 +00:00
|
|
|
pub async fn iam_run_case(
|
|
|
|
|
prepare: &str,
|
|
|
|
|
test: &str,
|
|
|
|
|
check: &str,
|
|
|
|
|
check_expected_result: &Vec<&str>,
|
|
|
|
|
ds: &Datastore,
|
|
|
|
|
sess: &Session,
|
|
|
|
|
should_succeed: bool,
|
|
|
|
|
) -> Result<(), Box<dyn std::error::Error>> {
|
|
|
|
|
// Use the same scope as the test statement, but change the Auth to run the check with full permissions
|
|
|
|
|
let mut owner_sess = sess.clone();
|
|
|
|
|
owner_sess.au = Arc::new(Auth::for_root(Role::Owner));
|
|
|
|
|
|
|
|
|
|
// Prepare statement
|
|
|
|
|
{
|
|
|
|
|
if !prepare.is_empty() {
|
|
|
|
|
let resp = ds.execute(prepare, &owner_sess, None).await.unwrap();
|
|
|
|
|
for r in resp.into_iter() {
|
|
|
|
|
let tmp = r.output();
|
|
|
|
|
if tmp.is_err() {
|
|
|
|
|
return Err(format!("Prepare statement failed: {}", tmp.unwrap_err()).into());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Execute statement
|
|
|
|
|
let mut resp = ds.execute(test, sess, None).await.unwrap();
|
|
|
|
|
|
|
|
|
|
// Check datastore state first
|
|
|
|
|
{
|
|
|
|
|
let resp = ds.execute(check, &owner_sess, None).await.unwrap();
|
|
|
|
|
if resp.len() != check_expected_result.len() {
|
|
|
|
|
return Err(format!(
|
|
|
|
|
"Check statement failed for test: expected {} results, got {}",
|
|
|
|
|
check_expected_result.len(),
|
|
|
|
|
resp.len()
|
|
|
|
|
)
|
|
|
|
|
.into());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i, r) in resp.into_iter().enumerate() {
|
|
|
|
|
let tmp = r.output();
|
|
|
|
|
if tmp.is_err() {
|
|
|
|
|
return Err(
|
|
|
|
|
format!("Check statement errored for test: {}", tmp.unwrap_err()).into()
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let tmp = tmp.unwrap().to_string();
|
|
|
|
|
if &tmp != check_expected_result[i] {
|
|
|
|
|
return Err(format!(
|
|
|
|
|
"Check statement failed for test: expected value '{}' doesn't match '{}'",
|
|
|
|
|
check_expected_result[i], tmp
|
|
|
|
|
)
|
|
|
|
|
.into());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check statement result. If the statement should succeed, check that the result is Ok, otherwise check that the result is a 'Not Allowed' error
|
|
|
|
|
let res = resp.pop().unwrap().output();
|
|
|
|
|
if should_succeed {
|
|
|
|
|
if res.is_err() {
|
|
|
|
|
return Err(format!("Test statement failed: {}", res.unwrap_err()).into());
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if res.is_ok() {
|
|
|
|
|
return Err(
|
|
|
|
|
format!("Test statement succeeded when it should have failed: {:?}", res).into()
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let err = res.unwrap_err().to_string();
|
|
|
|
|
if !err.contains("Not enough permissions to perform this action") {
|
|
|
|
|
return Err(format!("Test statement failed with unexpected error: {}", err).into());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-30 18:01:30 +00:00
|
|
|
#[allow(dead_code)]
|
2023-07-29 18:47:25 +00:00
|
|
|
pub async fn iam_check_cases(
|
|
|
|
|
cases: std::slice::Iter<'_, ((Level, Role), (&str, &str), bool)>,
|
|
|
|
|
scenario: &HashMap<&str, &str>,
|
|
|
|
|
check_results: [Vec<&str>; 2],
|
|
|
|
|
) -> Result<(), Box<dyn std::error::Error>> {
|
|
|
|
|
let prepare = scenario.get("prepare").unwrap();
|
|
|
|
|
let test = scenario.get("test").unwrap();
|
|
|
|
|
let check = scenario.get("check").unwrap();
|
|
|
|
|
|
|
|
|
|
for ((level, role), (ns, db), should_succeed) in cases {
|
|
|
|
|
println!("* Testing '{test}' for '{level}Actor({role})' on '({ns}, {db})'");
|
|
|
|
|
let sess = Session::for_level(level.to_owned(), role.to_owned()).with_ns(ns).with_db(db);
|
|
|
|
|
let expected_result = if *should_succeed {
|
|
|
|
|
check_results.get(0).unwrap()
|
|
|
|
|
} else {
|
|
|
|
|
check_results.get(1).unwrap()
|
|
|
|
|
};
|
|
|
|
|
// Auth enabled
|
|
|
|
|
{
|
2023-08-30 18:01:30 +00:00
|
|
|
let ds = new_ds().await.unwrap().with_auth_enabled(true);
|
2023-07-29 18:47:25 +00:00
|
|
|
iam_run_case(prepare, test, check, &expected_result, &ds, &sess, *should_succeed)
|
|
|
|
|
.await?;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Auth disabled
|
|
|
|
|
{
|
2023-08-30 18:01:30 +00:00
|
|
|
let ds = new_ds().await.unwrap().with_auth_enabled(false);
|
2023-07-29 18:47:25 +00:00
|
|
|
iam_run_case(prepare, test, check, &expected_result, &ds, &sess, *should_succeed)
|
|
|
|
|
.await?;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Anonymous user
|
|
|
|
|
let ns = "NS";
|
|
|
|
|
let db = "DB";
|
|
|
|
|
for auth_enabled in [true, false].into_iter() {
|
|
|
|
|
{
|
|
|
|
|
println!(
|
|
|
|
|
"* Testing '{test}' for 'Anonymous' on '({ns}, {db})' with {auth_enabled}",
|
|
|
|
|
auth_enabled =
|
|
|
|
|
auth_enabled.then(|| "auth enabled").unwrap_or_else(|| "auth disabled")
|
|
|
|
|
);
|
2023-08-30 18:01:30 +00:00
|
|
|
let ds = new_ds().await.unwrap().with_auth_enabled(auth_enabled);
|
2023-07-29 18:47:25 +00:00
|
|
|
let expected_result = if auth_enabled {
|
|
|
|
|
check_results.get(1).unwrap()
|
|
|
|
|
} else {
|
|
|
|
|
check_results.get(0).unwrap()
|
|
|
|
|
};
|
|
|
|
|
iam_run_case(
|
|
|
|
|
prepare,
|
|
|
|
|
test,
|
|
|
|
|
check,
|
|
|
|
|
&expected_result,
|
|
|
|
|
&ds,
|
|
|
|
|
&Session::default().with_ns(ns).with_db(db),
|
|
|
|
|
!auth_enabled,
|
|
|
|
|
)
|
|
|
|
|
.await?;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
