// Copyright 2023 Memgraph Ltd.
//
// Use of this software is governed by the Business Source License
// included in the file licenses/BSL.txt; by using this file, you agree to be bound by the terms of the Business Source
// License, and you may not use this file except in compliance with the Business Source License.
//
// As of the Change Date specified in that file, in accordance with
// the Business Source License, use of this software will be governed
// by the Apache License, Version 2.0, included in the file
// licenses/APL.txt.
#include <algorithm>
#include <iostream>
#include <optional>
#include <gflags/gflags.h>
#include <gtest/gtest.h>
#include "auth/auth.hpp"
#include "auth/crypto.hpp"
#include "auth/models.hpp"
#include "license/license.hpp"
#include "utils/cast.hpp"
#include "utils/file.hpp"
using namespace memgraph::auth;
namespace fs = std::filesystem;
DECLARE_bool(auth_password_permit_null);
DECLARE_string(auth_password_strength_regex);
DECLARE_string(password_encryption_algorithm);
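/// Test fixture that gives every test case an `Auth` instance backed by on-disk storage.
///
/// The store lives in a per-process subdirectory (its name ends in the PID) of a shared
/// folder under the system temp directory. SetUp() relaxes the process-global password
/// policy flags and switches the global license checker into testing mode; TearDown()
/// removes only this process's storage directory.
class AuthWithStorage : public ::testing::Test {
 protected:
  void SetUp() override {
    memgraph::utils::EnsureDir(test_folder_);

    // Test-only policy: null passwords are permitted and any non-empty password satisfies
    // the strength regex. Both are process-global flags and are not restored afterwards,
    // so every test that runs later in the same binary inherits them.
    FLAGS_auth_password_permit_null = true;
    FLAGS_auth_password_strength_regex = ".+";

    // NOTE(review): presumably lets license-gated code paths run without a real license
    // key -- confirm against license/license.hpp.
    memgraph::license::global_license_checker.EnableTesting();
  }

  void TearDown() override {
    // Delete only the directory this process owns. Removing the shared parent
    // (`test_folder_`) would also wipe the storage of any other test process that is
    // using the same temp folder at the same time, which defeats the per-PID suffix.
    // NOTE(review): anything a test writes directly under `test_folder_` is no longer
    // cleaned up here -- confirm that no test does so.
    fs::remove_all(storage_folder_);
  }

  // Shared parent folder. The name is fixed and therefore predictable; on a multi-user
  // host a uniquely named, owner-only directory would be the safer choice.
  fs::path test_folder_{fs::temp_directory_path() / "MG_tests_unit_auth"};

  // Per-process storage location; must be declared before `auth`, which is built from it.
  fs::path storage_folder_{test_folder_ / ("unit_auth_test_" + std::to_string(static_cast<int>(getpid())))};

  Auth auth{storage_folder_};
};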
// Role names are unique: creating "admin" and "user" succeeds, creating "admin" a second
// time is rejected.
TEST_F(AuthWithStorage, AddRole) {
  const auto admin_role = auth.AddRole("admin");
  ASSERT_TRUE(admin_role);

  const auto user_role = auth.AddRole("user");
  ASSERT_TRUE(user_role);

  const auto duplicate_admin = auth.AddRole("admin");
  ASSERT_FALSE(duplicate_admin);
}
TEST_F(AuthWithStorage, RemoveRole) {
|
|
|
|
ASSERT_TRUE(auth.AddRole("admin"));
|
|
|
|
ASSERT_TRUE(auth.RemoveRole("admin"));
|
2023-04-03 22:29:21 +08:00
|
|
|
class AuthWithStorage : public ::testing::Test {
|
|
|
|
protected:
|
|
|
|
virtual void SetUp() {
|
|
|
|
memgraph::utils::EnsureDir(test_folder_);
|
|
|
|
FLAGS_auth_password_permit_null = true;
|
|
|
|
FLAGS_auth_password_strength_regex = ".+";
|
2018-07-27 16:54:20 +08:00
|
|
|
|
2023-04-03 22:29:21 +08:00
|
|
|
memgraph::license::global_license_checker.EnableTesting();
|
|
|
|
}
|
2018-07-27 16:54:20 +08:00
|
|
|
|
2023-04-03 22:29:21 +08:00
|
|
|
virtual void TearDown() { fs::remove_all(test_folder_); }
|
|
|
|
|
|
|
|
fs::path test_folder_{fs::temp_directory_path() / "MG_tests_unit_auth"};
|
|
|
|
|
|
|
|
Auth auth{test_folder_ / ("unit_auth_test_" + std::to_string(static_cast<int>(getpid())))};
|
|
|
|
};
|
2018-07-27 16:54:20 +08:00
|
|
|
ASSERT_FALSE(auth.HasUsers());
|
|
|
|
ASSERT_FALSE(auth.RemoveUser("test2"));
|
|
|
|
ASSERT_FALSE(auth.RemoveUser("test"));
|
|
|
|
ASSERT_FALSE(auth.HasUsers());
|
|
|
|
}
// Walks one user through three password states and checks Authenticate() in each:
// no password set, password "123", and password reset via UpdatePassword() with no argument.
TEST_F(AuthWithStorage, Authenticate) {
  ASSERT_FALSE(auth.HasUsers());

  auto user = auth.AddUser("test");
  ASSERT_TRUE(user.has_value());
  ASSERT_TRUE(auth.HasUsers());

  // No password has been set yet, and the test expects "123" to be accepted.
  // NOTE(review): this presumably depends on the fixture enabling
  // auth_password_permit_null -- confirm in the Auth implementation.
  ASSERT_TRUE(auth.Authenticate("test", "123"));

  // Changes to the local User object only reach the store through SaveUser().
  user->UpdatePassword("123");
  auth.SaveUser(*user);

  // With a real password set, only the matching one authenticates; a failed attempt
  // in between does not affect a later correct one.
  ASSERT_TRUE(auth.Authenticate("test", "123").has_value());
  ASSERT_FALSE(auth.Authenticate("test", "456").has_value());
  ASSERT_TRUE(auth.Authenticate("test", "123").has_value());

  user->UpdatePassword();
  auth.SaveUser(*user);

  // After the argument-less UpdatePassword() both passwords are accepted again, i.e. the
  // account behaves as it did before a password was set. This pins the "any password
  // works" behaviour of password-less accounts.
  ASSERT_TRUE(auth.Authenticate("test", "123").has_value());
  ASSERT_TRUE(auth.Authenticate("test", "456").has_value());

  // An unknown username never authenticates.
  ASSERT_FALSE(auth.Authenticate("nonexistant", "123").has_value());
}
// Checks how a user's own permissions combine with those of an assigned role:
// role grants are added to the effective set, and an explicit role DENY wins over the
// user's own GRANT for the same permission.
TEST_F(AuthWithStorage, UserRolePermissions) {
  ASSERT_FALSE(auth.HasUsers());
  ASSERT_TRUE(auth.AddUser("test"));
  ASSERT_TRUE(auth.HasUsers());

  auto user = auth.GetUser("test");
  ASSERT_TRUE(user.has_value());

  // A freshly created user holds nothing: every checked permission is NEUTRAL.
  for (const auto permission : {Permission::MATCH, Permission::CREATE, Permission::MERGE, Permission::DELETE}) {
    ASSERT_EQ(user->permissions().Has(permission), PermissionLevel::NEUTRAL);
  }
  // Without a role the effective permissions equal the user's own.
  ASSERT_EQ(user->permissions(), user->GetPermissions());

  // Grant a single permission directly to the user.
  user->permissions().Grant(Permission::MATCH);

  // Only MATCH changed; the rest stays NEUTRAL.
  ASSERT_EQ(user->permissions().Has(Permission::MATCH), PermissionLevel::GRANT);
  for (const auto untouched : {Permission::CREATE, Permission::MERGE, Permission::DELETE}) {
    ASSERT_EQ(user->permissions().Has(untouched), PermissionLevel::NEUTRAL);
  }
  ASSERT_EQ(user->permissions(), user->GetPermissions());

  // Create a role and fetch it back from storage.
  ASSERT_TRUE(auth.AddRole("admin"));
  auto role = auth.GetRole("admin");
  ASSERT_TRUE(role.has_value());

  // Give the role DELETE and attach the role to the user.
  role->permissions().Grant(Permission::DELETE);
  user->SetRole(*role);

  // Effective set now holds the user's MATCH and the role's DELETE.
  {
    auto effective = user->GetPermissions();
    ASSERT_EQ(effective.Has(Permission::MATCH), PermissionLevel::GRANT);
    ASSERT_EQ(effective.Has(Permission::DELETE), PermissionLevel::GRANT);
    for (const auto untouched : {Permission::CREATE, Permission::MERGE}) {
      ASSERT_EQ(effective.Has(untouched), PermissionLevel::NEUTRAL);
    }
  }

  // Explicitly deny MATCH on the role; the role is re-attached so the user sees the change.
  role->permissions().Deny(Permission::MATCH);
  user->SetRole(*role);

  // The role's DENY overrides the user's own GRANT on MATCH; DELETE is still granted.
  {
    auto effective = user->GetPermissions();
    ASSERT_EQ(effective.Has(Permission::MATCH), PermissionLevel::DENY);
    ASSERT_EQ(effective.Has(Permission::DELETE), PermissionLevel::GRANT);
    for (const auto untouched : {Permission::CREATE, Permission::MERGE}) {
      ASSERT_EQ(effective.Has(untouched), PermissionLevel::NEUTRAL);
    }
  }
}
#ifdef MG_ENTERPRISE
// Exercises label and edge-type (fine-grained) permissions on a user and on a role:
// a CREATE_DELETE grant answers READ queries with GRANT, names that were never granted
// answer DENY, and grants made on a role show up in the user's merged view.
TEST_F(AuthWithStorage, UserRoleFineGrainedAccessHandler) {
  ASSERT_FALSE(auth.HasUsers());
  ASSERT_TRUE(auth.AddUser("test"));
  ASSERT_TRUE(auth.HasUsers());

  auto user = auth.GetUser("test");
  ASSERT_TRUE(user.has_value());

  // A new user starts with default-constructed label and edge-type permissions, and the
  // merged getters return the same thing as the handler's own accessors.
  ASSERT_EQ(user->fine_grained_access_handler().label_permissions(), FineGrainedAccessPermissions{});
  ASSERT_EQ(user->fine_grained_access_handler().edge_type_permissions(), FineGrainedAccessPermissions{});
  ASSERT_EQ(user->fine_grained_access_handler().label_permissions(), user->GetFineGrainedAccessLabelPermissions());
  ASSERT_EQ(user->fine_grained_access_handler().edge_type_permissions(),
            user->GetFineGrainedAccessEdgeTypePermissions());

  // Grant one label and one edge type directly to the user.
  user->fine_grained_access_handler().label_permissions().Grant("labelTest", FineGrainedPermission::CREATE_DELETE);
  user->fine_grained_access_handler().edge_type_permissions().Grant("edgeTypeTest",
                                                                    FineGrainedPermission::CREATE_DELETE);

  // The CREATE_DELETE grant is reported as GRANT when READ is queried.
  const auto label_read =
      user->fine_grained_access_handler().label_permissions().Has("labelTest", FineGrainedPermission::READ);
  ASSERT_EQ(label_read, PermissionLevel::GRANT);
  const auto edge_type_read =
      user->fine_grained_access_handler().edge_type_permissions().Has("edgeTypeTest", FineGrainedPermission::READ);
  ASSERT_EQ(edge_type_read, PermissionLevel::GRANT);
  ASSERT_EQ(user->fine_grained_access_handler().label_permissions(), user->GetFineGrainedAccessLabelPermissions());
  ASSERT_EQ(user->fine_grained_access_handler().edge_type_permissions(),
            user->GetFineGrainedAccessEdgeTypePermissions());

  // Names that were never granted ("labelTest1", "edgeTypeTest1") are reported as DENY.
  const auto other_label_read =
      user->fine_grained_access_handler().label_permissions().Has("labelTest1", FineGrainedPermission::READ);
  ASSERT_EQ(other_label_read, PermissionLevel::DENY);
  const auto other_edge_type_read =
      user->fine_grained_access_handler().edge_type_permissions().Has("edgeTypeTest1", FineGrainedPermission::READ);
  ASSERT_EQ(other_edge_type_read, PermissionLevel::DENY);
  ASSERT_EQ(user->fine_grained_access_handler().label_permissions(), user->GetFineGrainedAccessLabelPermissions());
  ASSERT_EQ(user->fine_grained_access_handler().edge_type_permissions(),
            user->GetFineGrainedAccessEdgeTypePermissions());

  // Create a role and fetch it back from storage.
  ASSERT_TRUE(auth.AddRole("admin"));
  auto role = auth.GetRole("admin");
  ASSERT_TRUE(role.has_value());

  // Grant a label and an edge type to the role, then attach the role to the user.
  role->fine_grained_access_handler().label_permissions().Grant("roleLabelTest", FineGrainedPermission::CREATE_DELETE);
  role->fine_grained_access_handler().edge_type_permissions().Grant("roleEdgeTypeTest",
                                                                    FineGrainedPermission::CREATE_DELETE);
  user->SetRole(*role);

  // The role's grants are visible through the user's merged getters.
  {
    const auto role_label_read =
        user->GetFineGrainedAccessLabelPermissions().Has("roleLabelTest", FineGrainedPermission::READ);
    ASSERT_EQ(role_label_read, PermissionLevel::GRANT);
    const auto role_edge_type_read =
        user->GetFineGrainedAccessEdgeTypePermissions().Has("roleEdgeTypeTest", FineGrainedPermission::READ);
    ASSERT_EQ(role_edge_type_read, PermissionLevel::GRANT);
  }

  // The role is attached again; it was not modified since the previous SetRole().
  user->SetRole(*role);

  // Names granted neither to the user nor to the role are still reported as DENY.
  {
    const auto missing_label_read =
        user->GetFineGrainedAccessLabelPermissions().Has("roleLabelTest1", FineGrainedPermission::READ);
    ASSERT_EQ(missing_label_read, PermissionLevel::DENY);
    const auto missing_edge_type_read =
        user->GetFineGrainedAccessEdgeTypePermissions().Has("roleEdgeTypeTest1", FineGrainedPermission::READ);
    ASSERT_EQ(missing_edge_type_read, PermissionLevel::DENY);
  }
}
#endif
// Walks two user/role pairs through creation, role removal and role
// re-creation, then checks the listing helpers.
//
// Security-relevant property pinned here: once a role is removed, a user that
// held it reports no role, and re-creating a role with the same name does NOT
// hand the membership back to that user.
TEST_F(AuthWithStorage, RoleManipulations) {
  // Create both users, give each its own role and persist the link.
  {
    auto first_user = auth.AddUser("user1");
    ASSERT_TRUE(first_user);
    auto first_role = auth.AddRole("role1");
    ASSERT_TRUE(first_role);
    first_user->SetRole(*first_role);
    auth.SaveUser(*first_user);

    auto second_user = auth.AddUser("user2");
    ASSERT_TRUE(second_user);
    auto second_role = auth.AddRole("role2");
    ASSERT_TRUE(second_role);
    second_user->SetRole(*second_role);
    auth.SaveUser(*second_user);
  }

  // Both links are visible when the users are read back.
  {
    auto first_user = auth.GetUser("user1");
    ASSERT_TRUE(first_user);
    const auto *first_role = first_user->role();
    ASSERT_NE(first_role, nullptr);
    ASSERT_EQ(first_role->rolename(), "role1");

    auto second_user = auth.GetUser("user2");
    ASSERT_TRUE(second_user);
    const auto *second_role = second_user->role();
    ASSERT_NE(second_role, nullptr);
    ASSERT_EQ(second_role->rolename(), "role2");
  }

  ASSERT_TRUE(auth.RemoveRole("role1"));

  // Removing role1 detaches it from user1 and leaves user2 untouched.
  {
    auto first_user = auth.GetUser("user1");
    ASSERT_TRUE(first_user);
    const auto *detached_role = first_user->role();
    ASSERT_EQ(detached_role, nullptr);

    auto second_user = auth.GetUser("user2");
    ASSERT_TRUE(second_user);
    const auto *second_role = second_user->role();
    ASSERT_NE(second_role, nullptr);
    ASSERT_EQ(second_role->rolename(), "role2");
  }

  // Re-create a role under the name that was just removed.
  {
    auto recreated_role = auth.AddRole("role1");
    ASSERT_TRUE(recreated_role);
  }

  // The re-created role1 must not be re-attached to its former member.
  {
    auto first_user = auth.GetUser("user1");
    ASSERT_TRUE(first_user);
    const auto *first_role = first_user->role();
    ASSERT_EQ(first_role, nullptr);

    auto second_user = auth.GetUser("user2");
    ASSERT_TRUE(second_user);
    const auto *second_role = second_user->role();
    ASSERT_NE(second_role, nullptr);
    ASSERT_EQ(second_role->rolename(), "role2");
  }

  // AllUsers() is sorted before indexing, so the test does not rely on the
  // order in which the storage returns entries.
  {
    auto all_users = auth.AllUsers();
    const auto by_username = [](const User &lhs, const User &rhs) { return lhs.username() < rhs.username(); };
    std::sort(all_users.begin(), all_users.end(), by_username);
    ASSERT_EQ(all_users.size(), 2);
    ASSERT_EQ(all_users[0].username(), "user1");
    ASSERT_EQ(all_users[1].username(), "user2");
  }

  // Same for AllRoles().
  {
    auto all_roles = auth.AllRoles();
    const auto by_rolename = [](const Role &lhs, const Role &rhs) { return lhs.rolename() < rhs.rolename(); };
    std::sort(all_roles.begin(), all_roles.end(), by_rolename);
    ASSERT_EQ(all_roles.size(), 2);
    ASSERT_EQ(all_roles[0].rolename(), "role1");
    ASSERT_EQ(all_roles[1].rolename(), "role2");
  }

  // Only user2 is a member of role2.
  {
    auto role2_members = auth.AllUsersForRole("role2");
    ASSERT_EQ(role2_members.size(), 1);
    ASSERT_EQ(role2_members[0].username(), "user2");
  }
}
// Links a user to a role, reads the link back, clears it and verifies that the
// cleared state is what a later GetUser() returns.
TEST_F(AuthWithStorage, UserRoleLinkUnlink) {
  // Link and persist.
  {
    auto created_user = auth.AddUser("user");
    ASSERT_TRUE(created_user);
    auto created_role = auth.AddRole("role");
    ASSERT_TRUE(created_role);
    created_user->SetRole(*created_role);
    auth.SaveUser(*created_user);
  }

  // The link is visible on a fresh read.
  {
    auto loaded_user = auth.GetUser("user");
    ASSERT_TRUE(loaded_user);
    const auto *linked_role = loaded_user->role();
    ASSERT_NE(linked_role, nullptr);
    ASSERT_EQ(linked_role->rolename(), "role");
  }

  // Unlink and persist; ClearRole() is followed by an explicit SaveUser().
  {
    auto loaded_user = auth.GetUser("user");
    ASSERT_TRUE(loaded_user);
    loaded_user->ClearRole();
    auth.SaveUser(*loaded_user);
  }

  // After the save the user no longer reports a role.
  {
    auto loaded_user = auth.GetUser("user");
    ASSERT_TRUE(loaded_user);
    ASSERT_EQ(loaded_user->role(), nullptr);
  }
}
// Compares authentication for a user created without a password against one
// created with a password.
TEST_F(AuthWithStorage, UserPasswordCreation) {
  // A user added without a password authenticates with ANY password: both
  // "123" and "456" are accepted below. Such an account is effectively
  // unauthenticated.
  // NOTE(review): presumably this is only reachable while
  // FLAGS_auth_password_permit_null is true -- confirm against the fixture.
  {
    auto passwordless_user = auth.AddUser("test");
    ASSERT_TRUE(passwordless_user);
    ASSERT_TRUE(auth.Authenticate("test", "123"));
    ASSERT_TRUE(auth.Authenticate("test", "456"));
    ASSERT_TRUE(auth.RemoveUser(passwordless_user->username()));
  }

  // With a password set, only that exact password is accepted.
  {
    auto protected_user = auth.AddUser("test", "123");
    ASSERT_TRUE(protected_user);
    ASSERT_TRUE(auth.Authenticate("test", "123"));
    ASSERT_FALSE(auth.Authenticate("test", "456"));
    ASSERT_TRUE(auth.RemoveUser(protected_user->username()));
  }
}
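// Exercises User::UpdatePassword() under the four combinations of
// FLAGS_auth_password_permit_null and FLAGS_auth_password_strength_regex.
TEST_F(AuthWithStorage, PasswordStrength) {
  // Both flags are process-wide. Restore their incoming values on every exit
  // path (a failing ASSERT_* returns early), so the strict policy configured in
  // the last section cannot leak into tests that run after this one.
  // NOTE(review): the fixture may also reset these flags in SetUp(); that code
  // is not visible here, and tests declared with plain TEST() would not get it.
  struct PasswordFlagsGuard {
    bool permit_null = FLAGS_auth_password_permit_null;
    std::string strength_regex = FLAGS_auth_password_strength_regex;
    ~PasswordFlagsGuard() {
      FLAGS_auth_password_permit_null = permit_null;
      FLAGS_auth_password_strength_regex = strength_regex;
    }
  };
  PasswordFlagsGuard restore_password_flags;

  // Accepts any non-empty password.
  const std::string kWeakRegex = ".+";
  // https://stackoverflow.com/questions/5142103/regex-to-validate-password-strength
  // Requires at least two uppercase letters, one of !@#$&*, two digits, three
  // lowercase letters and a total length of eight or more.
  const std::string kStrongRegex =
      "^(?=.*[A-Z].*[A-Z])(?=.*[!@#$&*])(?=.*[0-9].*[0-9])(?=.*[a-z].*[a-z].*["
      "a-z]).{8,}$";

  const std::string kWeakPassword = "weak";
  // Long and mixed-case with digits, but has none of the required symbols.
  const std::string kAlmostStrongPassword = "ThisPasswordMeetsAllButOneCriterion1234";
  const std::string kStrongPassword = "ThisIsAVeryStrongPassword123$";

  auto user = auth.AddUser("user");
  ASSERT_TRUE(user);

  // Null password allowed, weak policy: everything is accepted.
  FLAGS_auth_password_permit_null = true;
  FLAGS_auth_password_strength_regex = kWeakRegex;
  ASSERT_NO_THROW(user->UpdatePassword());
  ASSERT_NO_THROW(user->UpdatePassword(kWeakPassword));
  ASSERT_NO_THROW(user->UpdatePassword(kAlmostStrongPassword));
  ASSERT_NO_THROW(user->UpdatePassword(kStrongPassword));

  // Null password forbidden, weak policy: only the null password is rejected.
  FLAGS_auth_password_permit_null = false;
  FLAGS_auth_password_strength_regex = kWeakRegex;
  ASSERT_THROW(user->UpdatePassword(), AuthException);
  ASSERT_NO_THROW(user->UpdatePassword(kWeakPassword));
  ASSERT_NO_THROW(user->UpdatePassword(kAlmostStrongPassword));
  ASSERT_NO_THROW(user->UpdatePassword(kStrongPassword));

  // Null password allowed, strong policy: the null password bypasses the
  // strength regex, while non-null passwords must satisfy it.
  FLAGS_auth_password_permit_null = true;
  FLAGS_auth_password_strength_regex = kStrongRegex;
  ASSERT_NO_THROW(user->UpdatePassword());
  ASSERT_THROW(user->UpdatePassword(kWeakPassword), AuthException);
  ASSERT_THROW(user->UpdatePassword(kAlmostStrongPassword), AuthException);
  ASSERT_NO_THROW(user->UpdatePassword(kStrongPassword));

  // Null password forbidden, strong policy: only the strong password passes.
  FLAGS_auth_password_permit_null = false;
  FLAGS_auth_password_strength_regex = kStrongRegex;
  ASSERT_THROW(user->UpdatePassword(), AuthException);
  ASSERT_THROW(user->UpdatePassword(kWeakPassword), AuthException);
  ASSERT_THROW(user->UpdatePassword(kAlmostStrongPassword), AuthException);
  ASSERT_NO_THROW(user->UpdatePassword(kStrongPassword));
}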
// Drives a single Permissions object through Grant / Revoke / Deny and checks
// both the per-permission level and the raw grant and deny bitmasks.
//
// The sequence shows that Grant and Deny on the same permission replace each
// other (the bit is never present in both masks) and that Revoke clears the
// permission from both, returning it to NEUTRAL.
TEST(AuthWithoutStorage, Permissions) {
  // Bit values of the permissions whose masks are compared below.
  const auto match_bit = memgraph::utils::UnderlyingCast(Permission::MATCH);
  const auto create_bit = memgraph::utils::UnderlyingCast(Permission::CREATE);
  const auto delete_bit = memgraph::utils::UnderlyingCast(Permission::DELETE);

  // A default-constructed object grants and denies nothing.
  Permissions perms;
  ASSERT_EQ(perms.grants(), 0);
  ASSERT_EQ(perms.denies(), 0);

  perms.Grant(Permission::MATCH);
  ASSERT_EQ(perms.Has(Permission::MATCH), PermissionLevel::GRANT);
  ASSERT_EQ(perms.grants(), match_bit);
  ASSERT_EQ(perms.denies(), 0);

  perms.Revoke(Permission::MATCH);
  ASSERT_EQ(perms.Has(Permission::MATCH), PermissionLevel::NEUTRAL);
  ASSERT_EQ(perms.grants(), 0);
  ASSERT_EQ(perms.denies(), 0);

  perms.Deny(Permission::MATCH);
  ASSERT_EQ(perms.Has(Permission::MATCH), PermissionLevel::DENY);
  ASSERT_EQ(perms.denies(), match_bit);
  ASSERT_EQ(perms.grants(), 0);

  // Granting a denied permission removes the deny.
  perms.Grant(Permission::MATCH);
  ASSERT_EQ(perms.Has(Permission::MATCH), PermissionLevel::GRANT);
  ASSERT_EQ(perms.grants(), match_bit);
  ASSERT_EQ(perms.denies(), 0);

  // Denying one permission leaves the others as they were.
  perms.Deny(Permission::CREATE);
  ASSERT_EQ(perms.Has(Permission::MATCH), PermissionLevel::GRANT);
  ASSERT_EQ(perms.Has(Permission::CREATE), PermissionLevel::DENY);
  ASSERT_EQ(perms.Has(Permission::MERGE), PermissionLevel::NEUTRAL);
  ASSERT_EQ(perms.grants(), match_bit);
  ASSERT_EQ(perms.denies(), create_bit);

  perms.Grant(Permission::DELETE);
  ASSERT_EQ(perms.Has(Permission::MATCH), PermissionLevel::GRANT);
  ASSERT_EQ(perms.Has(Permission::CREATE), PermissionLevel::DENY);
  ASSERT_EQ(perms.Has(Permission::MERGE), PermissionLevel::NEUTRAL);
  ASSERT_EQ(perms.Has(Permission::DELETE), PermissionLevel::GRANT);
  ASSERT_EQ(perms.grants(), match_bit | delete_bit);
  ASSERT_EQ(perms.denies(), create_bit);

  perms.Revoke(Permission::DELETE);
  ASSERT_EQ(perms.Has(Permission::MATCH), PermissionLevel::GRANT);
  ASSERT_EQ(perms.Has(Permission::CREATE), PermissionLevel::DENY);
  ASSERT_EQ(perms.Has(Permission::MERGE), PermissionLevel::NEUTRAL);
  ASSERT_EQ(perms.Has(Permission::DELETE), PermissionLevel::NEUTRAL);
  ASSERT_EQ(perms.grants(), match_bit);
  ASSERT_EQ(perms.denies(), create_bit);
}
// Checks how the two-mask Permissions constructor normalises its (grants,
// denies) arguments.
//
// A bit that is set in both masks ends up only in denies(): deny wins over
// grant, so a conflicting pair can never widen access.
TEST(AuthWithoutStorage, PermissionsMaskTest) {
  Permissions nothing_set(0, 0);
  ASSERT_EQ(nothing_set.grants(), 0);
  ASSERT_EQ(nothing_set.denies(), 0);

  Permissions grant_only(1, 0);
  ASSERT_EQ(grant_only.grants(), 1);
  ASSERT_EQ(grant_only.denies(), 0);

  // Bit 0 is both granted and denied: the grant is dropped.
  Permissions same_bit_conflict(1, 1);
  ASSERT_EQ(same_bit_conflict.grants(), 0);
  ASSERT_EQ(same_bit_conflict.denies(), 1);

  // Bits 0 and 1 granted, bit 1 denied: only bit 0 stays granted.
  Permissions partial_conflict(3, 2);
  ASSERT_EQ(partial_conflict.grants(), 1);
  ASSERT_EQ(partial_conflict.denies(), 2);
}
#ifdef MG_ENTERPRISE
// Covers FineGrainedAccessPermissions on its own: default state, per-label and
// global ("*") grants, revocation, and how Has() resolves a label.
//
// What the assertions establish:
//  - with no rule at all, every check is DENY (deny by default);
//  - granting on "*" sets the global permission and creates no per-label entry;
//  - a granted level also satisfies the levels checked below it here:
//    CREATE_DELETE answers GRANT for UPDATE and READ, UPDATE answers GRANT for
//    READ;
//  - Revoke("*") clears per-label entries as well as the global permission.
TEST(AuthWithoutStorage, FineGrainedAccessPermissions) {
  const std::string any_label = "AnyString";
  const std::string check_label = "Label";
  const std::string non_check_label = "OtherLabel";
  const std::string asterisk = "*";

  // Two default-constructed objects compare equal.
  {
    FineGrainedAccessPermissions lhs, rhs;
    ASSERT_TRUE(lhs == rhs);
  }

  // Default state: no rules, no global permission, everything denied.
  {
    FineGrainedAccessPermissions perms;
    ASSERT_TRUE(perms.GetPermissions().empty());
    ASSERT_EQ(perms.GetGlobalPermission(), std::nullopt);

    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::DENY);
    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::UPDATE), PermissionLevel::DENY);
    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::READ), PermissionLevel::DENY);
  }

  // A per-label grant adds an entry and leaves the global permission unset.
  {
    FineGrainedAccessPermissions perms;
    perms.Grant(any_label, FineGrainedPermission::CREATE_DELETE);

    ASSERT_EQ(perms.GetGlobalPermission(), std::nullopt);
    ASSERT_FALSE(perms.GetPermissions().empty());
  }

  // A grant on "*" sets only the global permission.
  {
    FineGrainedAccessPermissions perms;
    perms.Grant(asterisk, FineGrainedPermission::CREATE_DELETE);

    ASSERT_EQ(perms.GetGlobalPermission(), kLabelPermissionAll);
    ASSERT_TRUE(perms.GetPermissions().empty());
  }

  // Revoking a single label under a global grant changes nothing: the global
  // permission stays and no per-label entry appears. Revoke is therefore not a
  // way to carve a label out of a "*" grant.
  {
    FineGrainedAccessPermissions perms;
    perms.Grant(asterisk, FineGrainedPermission::CREATE_DELETE);
    perms.Revoke(any_label);

    ASSERT_EQ(perms.GetGlobalPermission(), kLabelPermissionAll);
    ASSERT_TRUE(perms.GetPermissions().empty());
  }

  // Grant then revoke on the same label returns to the empty state.
  {
    FineGrainedAccessPermissions perms;
    perms.Grant(any_label, FineGrainedPermission::CREATE_DELETE);
    perms.Revoke(any_label);

    ASSERT_EQ(perms.GetGlobalPermission(), std::nullopt);
    ASSERT_TRUE(perms.GetPermissions().empty());
  }

  // Revoke("*") also removes per-label entries.
  {
    FineGrainedAccessPermissions perms;
    perms.Grant(any_label, FineGrainedPermission::CREATE_DELETE);
    perms.Revoke(asterisk);

    ASSERT_EQ(perms.GetGlobalPermission(), std::nullopt);
    ASSERT_TRUE(perms.GetPermissions().empty());
  }

  // Global CREATE_DELETE answers GRANT for all three checked levels.
  {
    FineGrainedAccessPermissions perms;
    perms.Grant(asterisk, FineGrainedPermission::CREATE_DELETE);

    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::GRANT);
    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::UPDATE), PermissionLevel::GRANT);
    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::READ), PermissionLevel::GRANT);
  }

  // Global UPDATE answers GRANT for UPDATE and READ, DENY for CREATE_DELETE.
  {
    FineGrainedAccessPermissions perms;
    perms.Grant(asterisk, FineGrainedPermission::UPDATE);

    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::DENY);
    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::UPDATE), PermissionLevel::GRANT);
    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::READ), PermissionLevel::GRANT);
  }

  // Same scenario and expectations as the global CREATE_DELETE case above.
  {
    FineGrainedAccessPermissions perms;
    perms.Grant(asterisk, FineGrainedPermission::CREATE_DELETE);

    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::GRANT);
    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::UPDATE), PermissionLevel::GRANT);
    ASSERT_EQ(perms.Has(any_label, FineGrainedPermission::READ), PermissionLevel::GRANT);
  }

  // Global READ plus a per-label UPDATE: the label with its own rule gets
  // UPDATE and READ, every other label gets READ only.
  {
    FineGrainedAccessPermissions perms;
    perms.Grant(asterisk, FineGrainedPermission::READ);
    perms.Grant(check_label, FineGrainedPermission::UPDATE);

    ASSERT_EQ(perms.Has(check_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::DENY);
    ASSERT_EQ(perms.Has(check_label, FineGrainedPermission::UPDATE), PermissionLevel::GRANT);
    ASSERT_EQ(perms.Has(check_label, FineGrainedPermission::READ), PermissionLevel::GRANT);
    ASSERT_EQ(perms.Has(non_check_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::DENY);
    ASSERT_EQ(perms.Has(non_check_label, FineGrainedPermission::UPDATE), PermissionLevel::DENY);
    ASSERT_EQ(perms.Has(non_check_label, FineGrainedPermission::READ), PermissionLevel::GRANT);
  }
}
// Checks memgraph::auth::Merge() on pairs of FineGrainedAccessPermissions and
// the access level the merged object reports through Has().
//
// The test never touches the fixture's `auth` object; it only uses the
// permission objects built locally.
TEST_F(AuthWithStorage, FineGrainedAccessCheckerMerge) {
  auto any_label = "AnyString";
  auto check_label = "Label";
  auto asterisk = "*";

  // Global READ on the first operand only.
  {
    FineGrainedAccessPermissions first, second;
    first.Grant(asterisk, FineGrainedPermission::READ);

    auto merged = memgraph::auth::Merge(first, second);

    ASSERT_EQ(merged.Has(any_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::DENY);
    ASSERT_EQ(merged.Has(any_label, FineGrainedPermission::UPDATE), PermissionLevel::DENY);
    ASSERT_EQ(merged.Has(any_label, FineGrainedPermission::READ), PermissionLevel::GRANT);
  }

  // Global READ on the second operand only: same result as above.
  {
    FineGrainedAccessPermissions first, second;
    second.Grant(asterisk, FineGrainedPermission::READ);

    auto merged = memgraph::auth::Merge(first, second);

    ASSERT_EQ(merged.Has(any_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::DENY);
    ASSERT_EQ(merged.Has(any_label, FineGrainedPermission::UPDATE), PermissionLevel::DENY);
    ASSERT_EQ(merged.Has(any_label, FineGrainedPermission::READ), PermissionLevel::GRANT);
  }

  // Global READ merged with global UPDATE: the merged object answers GRANT for
  // UPDATE and READ.
  {
    FineGrainedAccessPermissions first, second;
    first.Grant(asterisk, FineGrainedPermission::READ);
    second.Grant(asterisk, FineGrainedPermission::UPDATE);

    auto merged = memgraph::auth::Merge(first, second);

    ASSERT_EQ(merged.Has(any_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::DENY);
    ASSERT_EQ(merged.Has(any_label, FineGrainedPermission::UPDATE), PermissionLevel::GRANT);
    ASSERT_EQ(merged.Has(any_label, FineGrainedPermission::READ), PermissionLevel::GRANT);
  }

  // A per-label UPDATE on the first operand and a global UPDATE on the second.
  {
    FineGrainedAccessPermissions first, second;
    first.Grant(asterisk, FineGrainedPermission::READ);
    first.Grant(check_label, FineGrainedPermission::UPDATE);
    second.Grant(asterisk, FineGrainedPermission::UPDATE);

    auto merged = memgraph::auth::Merge(first, second);

    ASSERT_EQ(merged.Has(check_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::DENY);
    ASSERT_EQ(merged.Has(check_label, FineGrainedPermission::UPDATE), PermissionLevel::GRANT);
    ASSERT_EQ(merged.Has(check_label, FineGrainedPermission::READ), PermissionLevel::GRANT);
  }

  // Both operands carry a rule for the same label (CREATE_DELETE on the first,
  // READ on the second). The merged object reports READ only for that label:
  // neither the first operand's CREATE_DELETE nor the second operand's global
  // UPDATE is applied to it.
  // NOTE(review): looks like the per-label rule of the second argument takes
  // precedence -- confirm against Merge() before relying on argument order.
  {
    FineGrainedAccessPermissions first, second;
    first.Grant(asterisk, FineGrainedPermission::READ);
    first.Grant(check_label, FineGrainedPermission::CREATE_DELETE);
    second.Grant(asterisk, FineGrainedPermission::UPDATE);
    second.Grant(check_label, FineGrainedPermission::READ);

    auto merged = memgraph::auth::Merge(first, second);

    ASSERT_EQ(merged.Has(check_label, FineGrainedPermission::CREATE_DELETE), PermissionLevel::DENY);
    ASSERT_EQ(merged.Has(check_label, FineGrainedPermission::UPDATE), PermissionLevel::DENY);
    ASSERT_EQ(merged.Has(check_label, FineGrainedPermission::READ), PermissionLevel::GRANT);
  }
}
#endif
// Round-trips a User through Serialize() / Deserialize() and expects the result
// to compare equal to the original.
//
// The user carries one grant, one deny and a password, so the comparison fails
// if the round trip loses any part that User's operator== looks at.
// NOTE(review): UpdatePassword("world") is subject to whatever password policy
// flags are in effect when this test runs -- confirm they are reset beforehand.
TEST(AuthWithoutStorage, UserSerializeDeserialize) {
  auto original = User("test");
  original.permissions().Grant(Permission::MATCH);
  original.permissions().Deny(Permission::MERGE);
  original.UpdatePassword("world");

  auto serialized = original.Serialize();

  auto restored = User::Deserialize(serialized);
  ASSERT_EQ(original, restored);
}
// Round-trips a Role through Serialize() / Deserialize() and expects the result
// to compare equal to the original, including its one grant and one deny.
TEST(AuthWithoutStorage, RoleSerializeDeserialize) {
  auto original = Role("test");
  original.permissions().Grant(Permission::MATCH);
  original.permissions().Deny(Permission::MERGE);

  auto serialized = original.Serialize();

  auto restored = Role::Deserialize(serialized);
  ASSERT_EQ(original, restored);
}
// Persists a role and a user that references it, then reads the user back from
// storage and expects it to equal the in-memory object that was saved.
TEST_F(AuthWithStorage, UserWithRoleSerializeDeserialize) {
  // Role with one grant and one deny, saved before the user refers to it.
  auto saved_role = auth.AddRole("role");
  ASSERT_TRUE(saved_role);
  saved_role->permissions().Grant(Permission::MATCH);
  saved_role->permissions().Deny(Permission::MERGE);
  auth.SaveRole(*saved_role);

  // User with its own permissions, a password and the role attached.
  auto saved_user = auth.AddUser("user");
  ASSERT_TRUE(saved_user);
  saved_user->permissions().Grant(Permission::MATCH);
  saved_user->permissions().Deny(Permission::MERGE);
  saved_user->UpdatePassword("world");
  saved_user->SetRole(*saved_role);
  auth.SaveUser(*saved_user);

  // What storage returns must match what was saved.
  auto loaded_user = auth.GetUser("user");
  ASSERT_TRUE(loaded_user);
  ASSERT_EQ(*saved_user, *loaded_user);
}
// Users and roles share one namespace: a name taken by a user cannot be used
// for a role and vice versa, so a name always refers to exactly one principal.
TEST_F(AuthWithStorage, UserRoleUniqueName) {
  const auto created_user = auth.AddUser("user");
  ASSERT_TRUE(created_user);
  const auto created_role = auth.AddRole("role");
  ASSERT_TRUE(created_role);

  // Cross-kind collisions are rejected in both directions.
  ASSERT_FALSE(auth.AddRole("user"));
  ASSERT_FALSE(auth.AddUser("role"));
}
// User and Role names are case-insensitive at the object level: both the short
// and the full constructors store the name lower-cased, and objects whose names
// differ only in case compare equal.
//
// This keeps "Test" and "test" from existing as two distinct principals.
TEST(AuthWithoutStorage, CaseInsensitivity) {
  // User, name-only constructor.
  {
    auto lower_user = User("test");
    auto mixed_user = User("Test");
    ASSERT_EQ(lower_user, mixed_user);
    ASSERT_EQ(lower_user.username(), mixed_user.username());
    ASSERT_EQ(lower_user.username(), "test");
    ASSERT_EQ(mixed_user.username(), "test");
  }
  // User, constructor that also takes permissions and the fine-grained handler.
  {
    auto perms = Permissions();
    auto fine_grained_access_handler = FineGrainedAccessHandler();
    auto lower_user = User("test", "pw", perms, fine_grained_access_handler);
    auto mixed_user = User("Test", "pw", perms, fine_grained_access_handler);
    ASSERT_EQ(lower_user, mixed_user);
    ASSERT_EQ(lower_user.username(), mixed_user.username());
    ASSERT_EQ(lower_user.username(), "test");
    ASSERT_EQ(mixed_user.username(), "test");
  }
  // Role, name-only constructor.
  {
    auto lower_role = Role("role");
    auto mixed_role = Role("Role");
    ASSERT_EQ(lower_role, mixed_role);
    ASSERT_EQ(lower_role.rolename(), mixed_role.rolename());
    ASSERT_EQ(lower_role.rolename(), "role");
    ASSERT_EQ(mixed_role.rolename(), "role");
  }
  // Role, constructor that also takes permissions and the fine-grained handler.
  {
    auto perms = Permissions();
    auto fine_grained_access_handler = FineGrainedAccessHandler();
    auto lower_role = Role("role", perms, fine_grained_access_handler);
    auto mixed_role = Role("Role", perms, fine_grained_access_handler);
    ASSERT_EQ(lower_role, mixed_role);
    ASSERT_EQ(lower_role.rolename(), mixed_role.rolename());
    ASSERT_EQ(lower_role.rolename(), "role");
    ASSERT_EQ(mixed_role.rolename(), "role");
  }
}
TEST_F(AuthWithStorage, CaseInsensitivity) {
|
|
|
|
// AddUser
|
|
|
|
{
|
|
|
|
auto user = auth.AddUser("Alice", "alice");
|
|
|
|
ASSERT_TRUE(user);
|
|
|
|
ASSERT_EQ(user->username(), "alice");
|
|
|
|
ASSERT_FALSE(auth.AddUser("alice"));
|
|
|
|
ASSERT_FALSE(auth.AddUser("alicE"));
|
|
|
|
}
|
|
|
|
{
|
|
|
|
auto user = auth.AddUser("BoB", "bob");
|
|
|
|
ASSERT_TRUE(user);
|
|
|
|
ASSERT_EQ(user->username(), "bob");
|
|
|
|
ASSERT_FALSE(auth.AddUser("bob"));
|
|
|
|
ASSERT_FALSE(auth.AddUser("bOb"));
|
|
|
|
}
|
|
|
|
|
|
|
|
// Authenticate
|
|
|
|
{
|
|
|
|
auto user = auth.Authenticate("alice", "alice");
|
|
|
|
ASSERT_TRUE(user);
|
|
|
|
ASSERT_EQ(user->username(), "alice");
|
|
|
|
}
|
|
|
|
{
|
|
|
|
auto user = auth.Authenticate("alICe", "alice");
|
|
|
|
ASSERT_TRUE(user);
|
|
|
|
ASSERT_EQ(user->username(), "alice");
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetUser
|
|
|
|
{
|
|
|
|
auto user = auth.GetUser("alice");
|
|
|
|
ASSERT_TRUE(user);
|
|
|
|
ASSERT_EQ(user->username(), "alice");
|
|
|
|
}
|
|
|
|
{
|
|
|
|
auto user = auth.GetUser("aLicE");
|
|
|
|
ASSERT_TRUE(user);
|
|
|
|
ASSERT_EQ(user->username(), "alice");
|
|
|
|
}
|
|
|
|
ASSERT_FALSE(auth.GetUser("carol"));
|
|
|
|
|
|
|
|
// RemoveUser
|
|
|
|
{
|
|
|
|
auto user = auth.AddUser("caRol", "carol");
|
|
|
|
ASSERT_TRUE(user);
|
|
|
|
ASSERT_EQ(user->username(), "carol");
|
|
|
|
ASSERT_TRUE(auth.RemoveUser("cAROl"));
|
|
|
|
ASSERT_FALSE(auth.RemoveUser("carol"));
|
|
|
|
ASSERT_FALSE(auth.GetUser("CAROL"));
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllUsers
|
|
|
|
{
|
|
|
|
auto users = auth.AllUsers();
|
|
|
|
ASSERT_EQ(users.size(), 2);
|
2021-02-18 22:32:43 +08:00
|
|
|
std::sort(users.begin(), users.end(), [](const auto &a, const auto &b) { return a.username() < b.username(); });
|
2019-02-22 20:20:54 +08:00
|
|
|
ASSERT_EQ(users[0].username(), "alice");
|
|
|
|
ASSERT_EQ(users[1].username(), "bob");
|
|
|
|
}
|
|
|
|
|
|
|
|
// AddRole
|
|
|
|
{
|
|
|
|
auto role = auth.AddRole("Moderator");
|
|
|
|
ASSERT_TRUE(role);
|
|
|
|
ASSERT_EQ(role->rolename(), "moderator");
|
|
|
|
ASSERT_FALSE(auth.AddRole("moderator"));
|
|
|
|
ASSERT_FALSE(auth.AddRole("MODERATOR"));
|
|
|
|
}
|
|
|
|
{
|
|
|
|
auto role = auth.AddRole("adMIN");
|
|
|
|
ASSERT_TRUE(role);
|
|
|
|
ASSERT_EQ(role->rolename(), "admin");
|
|
|
|
ASSERT_FALSE(auth.AddRole("Admin"));
|
|
|
|
ASSERT_FALSE(auth.AddRole("ADMIn"));
|
|
|
|
}
|
|
|
|
ASSERT_FALSE(auth.AddRole("ALICE"));
|
|
|
|
ASSERT_FALSE(auth.AddUser("ModeRAtor"));
|
|
|
|
|
|
|
|
// GetRole
|
|
|
|
{
|
|
|
|
auto role = auth.GetRole("moderator");
|
|
|
|
ASSERT_TRUE(role);
|
|
|
|
ASSERT_EQ(role->rolename(), "moderator");
|
|
|
|
}
|
|
|
|
{
|
|
|
|
auto role = auth.GetRole("MoDERATOR");
|
|
|
|
ASSERT_TRUE(role);
|
|
|
|
ASSERT_EQ(role->rolename(), "moderator");
|
|
|
|
}
|
|
|
|
ASSERT_FALSE(auth.GetRole("root"));
|
|
|
|
|
|
|
|
// RemoveRole
|
|
|
|
{
|
|
|
|
auto role = auth.AddRole("RooT");
|
|
|
|
ASSERT_TRUE(role);
|
|
|
|
ASSERT_EQ(role->rolename(), "root");
|
|
|
|
ASSERT_TRUE(auth.RemoveRole("rOOt"));
|
|
|
|
ASSERT_FALSE(auth.RemoveRole("RoOt"));
|
|
|
|
ASSERT_FALSE(auth.GetRole("RoOt"));
|
|
|
|
}
|
|
|
|
|
|
|
|
// AllRoles
|
|
|
|
{
|
|
|
|
auto roles = auth.AllRoles();
|
|
|
|
ASSERT_EQ(roles.size(), 2);
|
2021-02-18 22:32:43 +08:00
|
|
|
std::sort(roles.begin(), roles.end(), [](const auto &a, const auto &b) { return a.rolename() < b.rolename(); });
|
2019-02-22 20:20:54 +08:00
|
|
|
ASSERT_EQ(roles[0].rolename(), "admin");
|
|
|
|
ASSERT_EQ(roles[1].rolename(), "moderator");
|
|
|
|
}
|
|
|
|
|
|
|
|
// SaveRole
|
|
|
|
{
|
|
|
|
auto role = auth.GetRole("MODErator");
|
|
|
|
ASSERT_TRUE(role);
|
|
|
|
ASSERT_EQ(role->rolename(), "moderator");
|
2022-02-22 20:33:45 +08:00
|
|
|
role->permissions().Grant(memgraph::auth::Permission::MATCH);
|
2019-02-22 20:20:54 +08:00
|
|
|
auth.SaveRole(*role);
|
|
|
|
}
|
|
|
|
{
|
|
|
|
auto role = auth.GetRole("modeRATOR");
|
|
|
|
ASSERT_TRUE(role);
|
|
|
|
ASSERT_EQ(role->rolename(), "moderator");
|
2022-02-22 20:33:45 +08:00
|
|
|
ASSERT_EQ(role->permissions().Has(memgraph::auth::Permission::MATCH), memgraph::auth::PermissionLevel::GRANT);
|
2019-02-22 20:20:54 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
// SaveUser
|
|
|
|
{
|
|
|
|
auto user = auth.GetUser("aLice");
|
|
|
|
ASSERT_TRUE(user);
|
|
|
|
ASSERT_EQ(user->username(), "alice");
|
|
|
|
auto role = auth.GetRole("moderAtor");
|
|
|
|
ASSERT_TRUE(role);
|
|
|
|
ASSERT_EQ(role->rolename(), "moderator");
|
|
|
|
user->SetRole(*role);
|
|
|
|
auth.SaveUser(*user);
|
|
|
|
}
|
|
|
|
{
|
|
|
|
auto user = auth.GetUser("aLIce");
|
|
|
|
ASSERT_TRUE(user);
|
|
|
|
ASSERT_EQ(user->username(), "alice");
|
2021-07-22 22:22:08 +08:00
|
|
|
const auto *role = user->role();
|
|
|
|
ASSERT_NE(role, nullptr);
|
|
|
|
ASSERT_EQ(role->rolename(), "moderator");
|
2019-02-22 20:20:54 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
// AllUsersForRole
|
|
|
|
{
|
|
|
|
auto carol = auth.AddUser("caROl");
|
|
|
|
ASSERT_TRUE(carol);
|
|
|
|
ASSERT_EQ(carol->username(), "carol");
|
|
|
|
auto dave = auth.AddUser("daVe");
|
|
|
|
ASSERT_TRUE(dave);
|
|
|
|
ASSERT_EQ(dave->username(), "dave");
|
|
|
|
auto admin = auth.GetRole("aDMin");
|
|
|
|
ASSERT_TRUE(admin);
|
|
|
|
ASSERT_EQ(admin->rolename(), "admin");
|
|
|
|
carol->SetRole(*admin);
|
|
|
|
auth.SaveUser(*carol);
|
|
|
|
dave->SetRole(*admin);
|
|
|
|
auth.SaveUser(*dave);
|
|
|
|
}
|
|
|
|
{
|
|
|
|
auto users = auth.AllUsersForRole("modeRAtoR");
|
|
|
|
ASSERT_EQ(users.size(), 1);
|
|
|
|
ASSERT_EQ(users[0].username(), "alice");
|
|
|
|
}
|
|
|
|
{
|
|
|
|
auto users = auth.AllUsersForRole("AdmiN");
|
|
|
|
ASSERT_EQ(users.size(), 2);
|
2021-02-18 22:32:43 +08:00
|
|
|
std::sort(users.begin(), users.end(), [](const auto &a, const auto &b) { return a.username() < b.username(); });
|
2019-02-22 20:20:54 +08:00
|
|
|
ASSERT_EQ(users[0].username(), "carol");
|
|
|
|
ASSERT_EQ(users[1].username(), "dave");
|
|
|
|
}
|
|
|
|
}
// Round trip through the password hashing helpers: a hash made from "hello"
// must verify for "hello" and must be rejected for a different candidate.
// The test does not set FLAGS_password_encryption_algorithm itself, so it
// presumably runs with whatever value the flag holds at that point.
TEST(AuthWithoutStorage, Crypto) {
  auto stored_hash = EncryptPassword("hello");
  // Matching password is accepted.
  ASSERT_TRUE(VerifyPassword("hello", stored_hash));
  // A candidate with one extra character is refused.
  ASSERT_FALSE(VerifyPassword("hello1", stored_hash));
}
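/// Fixture for the hashing tests: every test starts with the password
/// encryption algorithm flag set to "bcrypt" and may then overwrite it.
class AuthWithVariousEncryptionAlgorithms : public ::testing::Test {
 protected:
  void SetUp() override { FLAGS_password_encryption_algorithm = "bcrypt"; }

 private:
  // Snapshots all gflags values when the fixture is constructed and puts them
  // back when it is destroyed. Tests in this suite set the algorithm flag to
  // unsupported values ("abcd", ""); without the restore those values stay in
  // the process-wide flag and reach any later test that hashes a password
  // without setting the flag first (for example under --gtest_shuffle).
  gflags::FlagSaver flag_saver_;
};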
// Hash/verify round trip with the algorithm the fixture selects in SetUp ("bcrypt").
TEST_F(AuthWithVariousEncryptionAlgorithms, VerifyPasswordDefault) {
  auto bcrypt_hash = EncryptPassword("hello");
  // The original password verifies against its own hash.
  ASSERT_TRUE(VerifyPassword("hello", bcrypt_hash));
  // A near miss ("hello1") must not verify.
  ASSERT_FALSE(VerifyPassword("hello1", bcrypt_hash));
}
// Hash/verify round trip after switching the algorithm flag to "sha256".
// NOTE(review): this only checks that hashing and verification agree with each
// other; it says nothing about how the algorithm compares to bcrypt as a
// password hash.
TEST_F(AuthWithVariousEncryptionAlgorithms, VerifyPasswordSHA256) {
  // Overrides the "bcrypt" value the fixture set in SetUp.
  FLAGS_password_encryption_algorithm = "sha256";

  auto sha256_hash = EncryptPassword("hello");
  ASSERT_TRUE(VerifyPassword("hello", sha256_hash));
  ASSERT_FALSE(VerifyPassword("hello1", sha256_hash));
}
// Hash/verify round trip after switching the algorithm flag to "sha256-multiple".
// NOTE(review): the test name suggests an iterated SHA-256 with 1024 rounds;
// confirm against the implementation in auth/crypto.
TEST_F(AuthWithVariousEncryptionAlgorithms, VerifyPasswordSHA256_1024) {
  // Overrides the "bcrypt" value the fixture set in SetUp.
  FLAGS_password_encryption_algorithm = "sha256-multiple";

  auto iterated_hash = EncryptPassword("hello");
  ASSERT_TRUE(VerifyPassword("hello", iterated_hash));
  ASSERT_FALSE(VerifyPassword("hello1", iterated_hash));
}
// An algorithm name the hashing code does not know must make EncryptPassword
// throw AuthException instead of producing a hash.
TEST_F(AuthWithVariousEncryptionAlgorithms, VerifyPasswordThrow) {
  const char *const unsupported_algorithm = "abcd";
  FLAGS_password_encryption_algorithm = unsupported_algorithm;

  // NOTE(review): despite the test name, only EncryptPassword is exercised here.
  ASSERT_THROW(EncryptPassword("hello"), AuthException);
}
// An empty algorithm name is treated like an unknown one: EncryptPassword is
// expected to throw AuthException rather than fall back to some default.
TEST_F(AuthWithVariousEncryptionAlgorithms, VerifyPasswordEmptyEncryptionThrow) {
  const char *const no_algorithm = "";
  FLAGS_password_encryption_algorithm = no_algorithm;

  ASSERT_THROW(EncryptPassword("hello"), AuthException);
}
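/// Fixture that gives each test an Auth instance backed by a per-process
/// directory under the system temp path, with relaxed password rules and
/// "bcrypt" as the starting encryption algorithm.
class AuthWithStorageWithVariousEncryptionAlgorithms : public ::testing::Test {
 protected:
  void SetUp() override {
    memgraph::utils::EnsureDir(test_folder_);

    // Test-only relaxations: null passwords are permitted and the strength
    // regex ".+" asks for nothing beyond at least one character.
    FLAGS_auth_password_permit_null = true;
    FLAGS_auth_password_strength_regex = ".+";
    FLAGS_password_encryption_algorithm = "bcrypt";

    memgraph::license::global_license_checker.EnableTesting();
  }

  // NOTE(review): test_folder_ is a fixed name under the shared temp directory
  // and is removed as a whole here, which also removes the per-pid
  // subdirectory of any other test process using the same parent at that time.
  void TearDown() override { fs::remove_all(test_folder_); }

  // Declared before the other members so it is constructed first and destroyed
  // last. It snapshots all gflags values and restores them after the test, so
  // the relaxed password rules and any unsupported algorithm name set by a
  // test ("abcd", "") do not stay in the process-wide flags for later tests.
  gflags::FlagSaver flag_saver_;

  fs::path test_folder_{fs::temp_directory_path() / "MG_tests_unit_auth"};

  // Storage directory name carries the pid of the test process.
  Auth auth{test_folder_ / ("unit_auth_test_" + std::to_string(static_cast<int>(getpid())))};
};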
// Creating a user with a password succeeds under the fixture's starting
// algorithm ("bcrypt"); the stored username comes back lower-cased.
// NOTE(review): only the username is asserted; the test does not check that
// the stored password verifies afterwards.
TEST_F(AuthWithStorageWithVariousEncryptionAlgorithms, AddUserDefault) {
  auto created = auth.AddUser("Alice", "alice");
  ASSERT_TRUE(created);
  ASSERT_EQ(created->username(), "alice");
}
// Creating a user with a password succeeds when the algorithm flag is "sha256".
// NOTE(review): only the username is asserted; the test does not check that
// the stored password verifies afterwards.
TEST_F(AuthWithStorageWithVariousEncryptionAlgorithms, AddUserSha256) {
  // Overrides the "bcrypt" value the fixture set in SetUp.
  FLAGS_password_encryption_algorithm = "sha256";

  auto created = auth.AddUser("Alice", "alice");
  ASSERT_TRUE(created);
  // "Alice" is expected back in lower case.
  ASSERT_EQ(created->username(), "alice");
}
// Creating a user with a password succeeds when the algorithm flag is "sha256-multiple".
// NOTE(review): only the username is asserted; the test does not check that
// the stored password verifies afterwards.
TEST_F(AuthWithStorageWithVariousEncryptionAlgorithms, AddUserSha256_1024) {
  // Overrides the "bcrypt" value the fixture set in SetUp.
  FLAGS_password_encryption_algorithm = "sha256-multiple";

  auto created = auth.AddUser("Alice", "alice");
  ASSERT_TRUE(created);
  // "Alice" is expected back in lower case.
  ASSERT_EQ(created->username(), "alice");
}
// With an algorithm name that is not supported, adding a user with a password
// must fail with AuthException rather than create the account.
TEST_F(AuthWithStorageWithVariousEncryptionAlgorithms, AddUserThrow) {
  const char *const unsupported_algorithm = "abcd";
  FLAGS_password_encryption_algorithm = unsupported_algorithm;

  ASSERT_THROW(auth.AddUser("Alice", "alice"), AuthException);
}
// With an empty algorithm name, adding a user with a password must fail with
// AuthException rather than create the account.
TEST_F(AuthWithStorageWithVariousEncryptionAlgorithms, AddUserEmptyPasswordEncryptionThrow) {
  const char *const no_algorithm = "";
  FLAGS_password_encryption_algorithm = no_algorithm;

  ASSERT_THROW(auth.AddUser("Alice", "alice"), AuthException);
}