Polishing for release

licenses/BSL.txt

@@ -36,7 +36,7 @@ ADDITIONAL USE GRANT:   You may use the Licensed Work in accordance with the
                         3. using the Licensed Work to create a work or solution
                         which competes (or might reasonably be expected to
                         compete) with the Licensed Work.
-CHANGE DATE:            2025-12-08
+CHANGE DATE:            2026-18-02
 CHANGE LICENSE:         Apache License, Version 2.0
 
 For information about alternative licensing arrangements, please visit: https://memgraph.com/legal.

src/auth/models.cpp

@@ -30,13 +30,16 @@ DEFINE_string(auth_password_strength_regex, default_password_regex.data(),
 
 namespace auth {
 
+namespace {
 // Constant list of all available permissions.
-constexpr std::array kPermissionsAll = {
+const std::vector<Permission> kPermissionsAll = {
     Permission::MATCH,      Permission::CREATE,    Permission::MERGE,       Permission::DELETE,
     Permission::SET,        Permission::REMOVE,    Permission::INDEX,       Permission::STATS,
     Permission::CONSTRAINT, Permission::DUMP,      Permission::AUTH,        Permission::REPLICATION,
     Permission::DURABILITY, Permission::READ_FILE, Permission::FREE_MEMORY, Permission::TRIGGER,
-    Permission::CONFIG,     Permission::STREAM,    Permission::WEBSOCKET};
+    Permission::CONFIG,     Permission::STREAM,    Permission::MODULE_READ, Permission::MODULE_WRITE,
+    Permission::WEBSOCKET};
+}  // namespace
 
 std::string PermissionToString(Permission permission) {
   switch (permission) {

src/auth/models.hpp

@@ -43,15 +43,6 @@ enum class Permission : uint64_t {
 };
 // clang-format on
 
-// Constant list of all available permissions.
-const std::vector<Permission> kPermissionsAll = {
-    Permission::MATCH,      Permission::CREATE,    Permission::MERGE,       Permission::DELETE,
-    Permission::SET,        Permission::REMOVE,    Permission::INDEX,       Permission::STATS,
-    Permission::CONSTRAINT, Permission::DUMP,      Permission::AUTH,        Permission::REPLICATION,
-    Permission::DURABILITY, Permission::READ_FILE, Permission::FREE_MEMORY, Permission::TRIGGER,
-    Permission::CONFIG,     Permission::STREAM,    Permission::MODULE_READ, Permission::MODULE_WRITE,
-    Permission::WEBSOCKET};
-
 // Function that converts a permission to its string representation.
 std::string PermissionToString(Permission permission);
 

src/communication/context.cpp

@@ -114,7 +114,7 @@ ServerContext::ServerContext(const std::string &key_file, const std::string &cer
   }
 }
 
-ServerContext::ServerContext(ServerContext &&other) noexcept : ctx_(other.ctx_) { other.ctx_ = nullptr; }
+ServerContext::ServerContext(ServerContext &&other) noexcept { std::swap(ctx_, other.ctx_); }
 
 ServerContext &ServerContext::operator=(ServerContext &&other) noexcept {
   if (this == &other) return *this;
@@ -149,6 +149,6 @@ SSL_CTX *ServerContext::context_clone() {
   return ctx_;
 }
 
-bool ServerContext::use_ssl() { return ctx_ != nullptr; }
+bool ServerContext::use_ssl() const { return ctx_ != nullptr; }
 
 }  // namespace communication

src/communication/context.hpp

@@ -96,7 +96,7 @@ class ServerContext final {
   SSL_CTX *context();
   SSL_CTX *context_clone();
 
-  bool use_ssl();
+  bool use_ssl() const;
 
  private:
   SSL_CTX *ctx_{nullptr};

src/communication/websocket/auth.cpp

@@ -16,7 +16,6 @@
 namespace communication::websocket {
 
 bool SafeAuth::Authenticate(const std::string &username, const std::string &password) const {
-  // TODO: Make ReadLock after dealing with Authenticate
   return auth_->Lock()->Authenticate(username, password).has_value();
 }
 
@@ -28,4 +27,4 @@ bool SafeAuth::HasUserPermission(const std::string &username, const auth::Permis
 }
 
 bool SafeAuth::HasAnyUsers() const { return auth_->ReadLock()->HasUsers(); }
-}  // namespace communication::websocket
+}  // namespace communication::websocket

src/communication/websocket/auth.hpp

@@ -41,4 +41,4 @@ class SafeAuth : public AuthenticationInterface {
  private:
   utils::Synchronized<auth::Auth, utils::WritePrioritizedRWLock> *auth_;
 };
-}  // namespace communication::websocket
+}  // namespace communication::websocket

src/communication/websocket/session.cpp

@@ -181,7 +181,7 @@ void Session::OnRead(const boost::beast::error_code ec, const size_t /*bytes_tra
       response["success"] = false;
       response["message"] = message;
       MG_ASSERT(messages_.empty());
-      messages_.push_back(make_shared<std::string>(response.dump()));
+      messages_.push_back(std::make_shared<std::string>(response.dump()));
       close_ = true;
       DoWrite();
     };
@@ -197,7 +197,7 @@ void Session::OnRead(const boost::beast::error_code ec, const size_t /*bytes_tra
       response["message"] = "User has been successfully authenticated!";
       MG_ASSERT(messages_.empty());
       authenticated_ = true;
-      messages_.push_back(make_shared<std::string>(response.dump()));
+      messages_.push_back(std::make_shared<std::string>(response.dump()));
       DoWrite();
     } catch (const nlohmann::json::out_of_range &out_of_range) {
       const auto err_msg = fmt::format("Invalid JSON for authentication received: {}!", out_of_range.what());

src/communication/websocket/session.hpp

@@ -53,10 +53,10 @@ class Session : public std::enable_shared_from_this<Session> {
   explicit Session(tcp::socket &&socket, ServerContext &context, AuthenticationInterface &auth);
 
   void DoWrite();
-  void OnWrite(boost::beast::error_code ec, size_t bytest_transferred);
+  void OnWrite(boost::beast::error_code ec, size_t bytes_transferred);
 
   void DoRead();
-  void OnRead(boost::beast::error_code ec, size_t bytest_transferred);
+  void OnRead(boost::beast::error_code ec, size_t bytes_transferred);
 
   void DoClose();
   void OnClose(boost::beast::error_code ec);

src/memgraph.cpp

@@ -32,10 +32,9 @@
 #include <spdlog/sinks/dist_sink.h>
 #include <spdlog/sinks/stdout_color_sinks.h>
 
+#include "communication/bolt/v1/constants.hpp"
 #include "communication/websocket/auth.hpp"
 #include "communication/websocket/server.hpp"
-
-#include "communication/bolt/v1/constants.hpp"
 #include "helpers.hpp"
 #include "py/py.hpp"
 #include "query/auth_checker.hpp"
@@ -47,7 +46,6 @@
 #include "query/procedure/module.hpp"
 #include "query/procedure/py_module.hpp"
 #include "requests/requests.hpp"
-#include "spdlog/spdlog.h"
 #include "storage/v2/isolation_level.hpp"
 #include "storage/v2/storage.hpp"
 #include "storage/v2/view.hpp"

src/query/frontend/ast/ast.lcp

@@ -2289,11 +2289,8 @@ const std::vector<AuthQuery::Privilege> kPrivilegesAll = {
     AuthQuery::Privilege::DURABILITY,
     AuthQuery::Privilege::FREE_MEMORY, AuthQuery::Privilege::TRIGGER,
     AuthQuery::Privilege::CONFIG,      AuthQuery::Privilege::STREAM,
-<<<<<<< HEAD
-    AuthQuery::Privilege::MODULE_READ, AuthQuery::Privilege::MODULE_WRITE};
-=======
+    AuthQuery::Privilege::MODULE_READ, AuthQuery::Privilege::MODULE_WRITE,
     AuthQuery::Privilege::WEBSOCKET};
->>>>>>> e15495b7 (Add websocket authentication (#322))
 cpp<#
 
 (lcp:define-class info-query (query)

tests/e2e/websocket/websocket.cpp

@@ -8,6 +8,7 @@
 // the Business Source License, use of this software will be governed
 // by the Apache License, Version 2.0, included in the file
 // licenses/APL.txt.
+
 #include <algorithm>
 #include <chrono>
 #include <cstdint>

tests/e2e/websocket/workloads.yaml

@@ -35,3 +35,4 @@ workloads:
     binary: "tests/e2e/websocket/memgraph__e2e__websocket_ssl"
     args: ["--bolt-port", *bolt_port, "--monitoring-port", *monitoring_port]
     <<: *template_cluster_ssl
+

tests/unit/cypher_main_visitor.cpp

@@ -2174,6 +2174,10 @@ TEST_P(CypherMainVisitorTest, GrantPrivilege) {
                    {AuthQuery::Privilege::STREAM});
   check_auth_query(&ast_generator, "GRANT WEBSOCKET TO user", AuthQuery::Action::GRANT_PRIVILEGE, "", "", "user", {},
                    {AuthQuery::Privilege::WEBSOCKET});
+  check_auth_query(&ast_generator, "GRANT MODULE_READ TO user", AuthQuery::Action::GRANT_PRIVILEGE, "", "", "user", {},
+                   {AuthQuery::Privilege::MODULE_READ});
+  check_auth_query(&ast_generator, "GRANT MODULE_WRITE TO user", AuthQuery::Action::GRANT_PRIVILEGE, "", "", "user", {},
+                   {AuthQuery::Privilege::MODULE_WRITE});
 }
 
 TEST_P(CypherMainVisitorTest, DenyPrivilege) {
@@ -2210,6 +2214,10 @@ TEST_P(CypherMainVisitorTest, DenyPrivilege) {
                    {AuthQuery::Privilege::DUMP});
   check_auth_query(&ast_generator, "DENY WEBSOCKET TO user", AuthQuery::Action::DENY_PRIVILEGE, "", "", "user", {},
                    {AuthQuery::Privilege::WEBSOCKET});
+  check_auth_query(&ast_generator, "DENY MODULE_READ TO user", AuthQuery::Action::DENY_PRIVILEGE, "", "", "user", {},
+                   {AuthQuery::Privilege::MODULE_READ});
+  check_auth_query(&ast_generator, "DENY MODULE_WRITE TO user", AuthQuery::Action::DENY_PRIVILEGE, "", "", "user", {},
+                   {AuthQuery::Privilege::MODULE_WRITE});
 }
 
 TEST_P(CypherMainVisitorTest, RevokePrivilege) {
@@ -2248,6 +2256,10 @@ TEST_P(CypherMainVisitorTest, RevokePrivilege) {
                    {AuthQuery::Privilege::DUMP});
   check_auth_query(&ast_generator, "REVOKE WEBSOCKET FROM user", AuthQuery::Action::REVOKE_PRIVILEGE, "", "", "user",
                    {}, {AuthQuery::Privilege::WEBSOCKET});
+  check_auth_query(&ast_generator, "REVOKE MODULE_READ FROM user", AuthQuery::Action::REVOKE_PRIVILEGE, "", "", "user",
+                   {}, {AuthQuery::Privilege::MODULE_READ});
+  check_auth_query(&ast_generator, "REVOKE MODULE_WRITE FROM user", AuthQuery::Action::REVOKE_PRIVILEGE, "", "", "user",
+                   {}, {AuthQuery::Privilege::MODULE_WRITE});
 }
 
 TEST_P(CypherMainVisitorTest, ShowPrivileges) {