memgraph/tests/unit/auth_handler.cpp
andrejtonev 7ead00f23e
Adding authentication data replication (#1666)
* Add AUTH system tx deltas
* Add auth data RPC and handlers
* Support multiple system deltas in a single transaction
* Added e2e test
* Bugfix: KVStore segfault after move

---------

Co-authored-by: Gareth Lloyd <gareth.lloyd@memgraph.io>
2024-02-05 10:37:00 +00:00

736 lines
26 KiB
C++

// Copyright 2024 Memgraph Ltd.
//
// Use of this software is governed by the Business Source License
// included in the file licenses/BSL.txt; by using this file, you agree to be bound by the terms of the Business Source
// License, and you may not use this file except in compliance with the Business Source License.
//
// As of the Change Date specified in that file, in accordance with
// the Business Source License, use of this software will be governed
// by the Apache License, Version 2.0, included in the file
// licenses/APL.txt.
#include <gflags/gflags.h>
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include "auth/auth.hpp"
#include "auth/models.hpp"
#include "glue/auth_global.hpp"
#include "glue/auth_handler.hpp"
#include "query/typed_value.hpp"
#include "utils/file.hpp"
#include "utils/rw_lock.hpp"
#include "utils/synchronized.hpp"
class AuthQueryHandlerFixture : public testing::Test {
protected:
std::filesystem::path test_folder_{std::filesystem::temp_directory_path() / "MG_tests_unit_auth_handler"};
memgraph::auth::SynchedAuth auth{
test_folder_ / ("unit_auth_handler_test_" + std::to_string(static_cast<int>(getpid()))),
memgraph::auth::Auth::Config{/* default */}};
memgraph::glue::AuthQueryHandler auth_handler{&auth};
std::string user_name = "Mate";
std::string edge_type_repr = "EdgeType1";
std::string label_repr = "Label1";
memgraph::auth::Permissions perms{};
#ifdef MG_ENTERPRISE
memgraph::auth::FineGrainedAccessHandler handler{};
#endif
void SetUp() override {
memgraph::utils::EnsureDir(test_folder_);
memgraph::license::global_license_checker.EnableTesting();
}
void TearDown() override {
std::filesystem::remove_all(test_folder_);
perms = memgraph::auth::Permissions{};
#ifdef MG_ENTERPRISE
handler = memgraph::auth::FineGrainedAccessHandler{};
#endif
}
};
TEST_F(AuthQueryHandlerFixture, GivenAuthQueryHandlerWhenInitializedHaveNoUsernamesOrRolenames) {
ASSERT_EQ(auth_handler.GetUsernames().size(), 0);
ASSERT_EQ(auth_handler.GetRolenames().size(), 0);
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenNoDeniesOrGrantsThenNothingIsReturned) {
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms};
auth->SaveUser(user);
{ ASSERT_EQ(auth_handler.GetUsernames().size(), 1); }
{
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 0);
}
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenAddedGrantPermissionThenItIsReturned) {
perms.Grant(memgraph::auth::Permission::MATCH);
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "MATCH");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "GRANT");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenAddedDenyPermissionThenItIsReturned) {
perms.Deny(memgraph::auth::Permission::MATCH);
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "MATCH");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "DENY");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "DENIED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenPrivilegeRevokedThenNothingIsReturned) {
perms.Deny(memgraph::auth::Permission::MATCH);
perms.Revoke(memgraph::auth::Permission::MATCH);
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 0);
}
TEST_F(AuthQueryHandlerFixture, GivenRoleWhenPrivilegeGrantedThenItIsReturned) {
perms.Grant(memgraph::auth::Permission::MATCH);
memgraph::auth::Role role = memgraph::auth::Role{"Mates_role", perms};
auth->SaveRole(role);
{ ASSERT_EQ(auth_handler.GetRolenames().size(), 1); }
{
auto privileges = auth_handler.GetPrivileges("Mates_role");
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "MATCH");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "GRANT");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "GRANTED TO ROLE");
}
}
TEST_F(AuthQueryHandlerFixture, GivenRoleWhenPrivilegeDeniedThenItIsReturned) {
perms.Deny(memgraph::auth::Permission::MATCH);
memgraph::auth::Role role = memgraph::auth::Role{"Mates_role", perms};
auth->SaveRole(role);
auto privileges = auth_handler.GetPrivileges("Mates_role");
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "MATCH");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "DENY");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "DENIED TO ROLE");
}
TEST_F(AuthQueryHandlerFixture, GivenRoleWhenPrivilegeRevokedThenNothingIsReturned) {
perms.Deny(memgraph::auth::Permission::MATCH);
perms.Revoke(memgraph::auth::Permission::MATCH);
memgraph::auth::Role role = memgraph::auth::Role{"Mates_role", perms};
auth->SaveRole(role);
auto privileges = auth_handler.GetPrivileges("Mates_role");
ASSERT_EQ(privileges.size(), 0);
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedTwoPrivilegesThenBothAreReturned) {
perms.Grant(memgraph::auth::Permission::MATCH);
perms.Grant(memgraph::auth::Permission::CREATE);
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 2);
}
TEST_F(AuthQueryHandlerFixture, GivenUserAndRoleWhenOneGrantedAndOtherGrantedThenBothArePrinted) {
perms.Grant(memgraph::auth::Permission::MATCH);
memgraph::auth::Role role = memgraph::auth::Role{"Mates_role", perms};
auth->SaveRole(role);
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms};
user.SetRole(role);
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "MATCH");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "GRANT");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "GRANTED TO USER, GRANTED TO ROLE");
}
TEST_F(AuthQueryHandlerFixture, GivenUserAndRoleWhenOneDeniedAndOtherDeniedThenBothArePrinted) {
perms.Deny(memgraph::auth::Permission::MATCH);
memgraph::auth::Role role = memgraph::auth::Role{"Mates_role", perms};
auth->SaveRole(role);
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms};
user.SetRole(role);
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "MATCH");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "DENY");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "DENIED TO USER, DENIED TO ROLE");
}
TEST_F(AuthQueryHandlerFixture, GivenUserAndRoleWhenOneGrantedAndOtherDeniedThenBothArePrinted) {
memgraph::auth::Permissions role_perms{};
role_perms.Deny(memgraph::auth::Permission::MATCH);
memgraph::auth::Role role = memgraph::auth::Role{"Mates_role", role_perms};
auth->SaveRole(role);
memgraph::auth::Permissions user_perms{};
user_perms.Grant(memgraph::auth::Permission::MATCH);
memgraph::auth::User user = memgraph::auth::User{
user_name,
std::nullopt,
user_perms,
};
user.SetRole(role);
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "MATCH");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "DENY");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "GRANTED TO USER, DENIED TO ROLE");
}
TEST_F(AuthQueryHandlerFixture, GivenUserAndRoleWhenOneDeniedAndOtherGrantedThenBothArePrinted) {
memgraph::auth::Permissions role_perms{};
role_perms.Grant(memgraph::auth::Permission::MATCH);
memgraph::auth::Role role = memgraph::auth::Role{"Mates_role", role_perms};
auth->SaveRole(role);
memgraph::auth::Permissions user_perms{};
user_perms.Deny(memgraph::auth::Permission::MATCH);
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, user_perms};
user.SetRole(role);
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "MATCH");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "DENY");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "DENIED TO USER, GRANTED TO ROLE");
}
#ifdef MG_ENTERPRISE
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedPrivilegeOnLabelThenIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant(label_repr, memgraph::auth::FineGrainedPermission::READ);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{read_permission},
memgraph::auth::FineGrainedAccessPermissions{},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "LABEL :Label1");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "READ");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "LABEL PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedMultiplePrivilegesOnLabelThenTopOneIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant(label_repr, memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant(label_repr, memgraph::auth::FineGrainedPermission::UPDATE);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{read_permission},
memgraph::auth::FineGrainedAccessPermissions{},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "LABEL :Label1");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "UPDATE");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "LABEL PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedAllPrivilegesOnLabelThenTopOneIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant(label_repr, memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant(label_repr, memgraph::auth::FineGrainedPermission::UPDATE);
read_permission.Grant(label_repr, memgraph::auth::FineGrainedPermission::CREATE_DELETE);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{read_permission},
memgraph::auth::FineGrainedAccessPermissions{},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "LABEL :Label1");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "CREATE_DELETE");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "LABEL PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedGlobalPrivilegeOnLabelThenIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::READ);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{read_permission},
memgraph::auth::FineGrainedAccessPermissions{},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "ALL LABELS");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "READ");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "GLOBAL LABEL PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedGlobalMultiplePrivilegesOnLabelThenTopOneIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::UPDATE);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{read_permission},
memgraph::auth::FineGrainedAccessPermissions{},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "ALL LABELS");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "UPDATE");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "GLOBAL LABEL PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedGlobalAllPrivilegesOnLabelThenTopOneIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::UPDATE);
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::CREATE_DELETE);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{read_permission},
memgraph::auth::FineGrainedAccessPermissions{},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "ALL LABELS");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "CREATE_DELETE");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "GLOBAL LABEL PERMISSION GRANTED TO USER");
}
// EDGE_TYPES
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedPrivilegeOnEdgeTypeThenIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant(edge_type_repr, memgraph::auth::FineGrainedPermission::READ);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{},
memgraph::auth::FineGrainedAccessPermissions{read_permission},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "EDGE_TYPE :EdgeType1");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "READ");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "EDGE_TYPE PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedMultiplePrivilegesOnEdgeTypeThenTopOneIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant(edge_type_repr, memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant(edge_type_repr, memgraph::auth::FineGrainedPermission::UPDATE);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{},
memgraph::auth::FineGrainedAccessPermissions{read_permission},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "EDGE_TYPE :EdgeType1");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "UPDATE");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "EDGE_TYPE PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedAllPrivilegesOnEdgeTypeThenTopOneIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant(edge_type_repr, memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant(edge_type_repr, memgraph::auth::FineGrainedPermission::UPDATE);
read_permission.Grant(edge_type_repr, memgraph::auth::FineGrainedPermission::CREATE_DELETE);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{},
memgraph::auth::FineGrainedAccessPermissions{read_permission},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "EDGE_TYPE :EdgeType1");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "CREATE_DELETE");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "EDGE_TYPE PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedGlobalPrivilegeOnEdgeTypeThenIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::READ);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{},
memgraph::auth::FineGrainedAccessPermissions{read_permission},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "ALL EDGE_TYPES");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "READ");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "GLOBAL EDGE_TYPE PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedGlobalMultiplePrivilegesOnEdgeTypeThenTopOneIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::UPDATE);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{},
memgraph::auth::FineGrainedAccessPermissions{read_permission},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "ALL EDGE_TYPES");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "UPDATE");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "GLOBAL EDGE_TYPE PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedGlobalAllPrivilegesOnEdgeTypeThenTopOneIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::UPDATE);
read_permission.Grant("*", memgraph::auth::FineGrainedPermission::CREATE_DELETE);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{},
memgraph::auth::FineGrainedAccessPermissions{read_permission},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "ALL EDGE_TYPES");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "CREATE_DELETE");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "GLOBAL EDGE_TYPE PERMISSION GRANTED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedAndDeniedOnLabelThenNoPermission) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant(label_repr, memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant(label_repr, memgraph::auth::FineGrainedPermission::NOTHING);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{read_permission},
memgraph::auth::FineGrainedAccessPermissions{},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "LABEL :Label1");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "NOTHING");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "LABEL PERMISSION DENIED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedAndDeniedOnEdgeTypeThenNoPermission) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant(edge_type_repr, memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant(edge_type_repr, memgraph::auth::FineGrainedPermission::NOTHING);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{},
memgraph::auth::FineGrainedAccessPermissions{read_permission},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "EDGE_TYPE :EdgeType1");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "NOTHING");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "EDGE_TYPE PERMISSION DENIED TO USER");
}
TEST_F(AuthQueryHandlerFixture, GivenUserWhenGrantedReadAndDeniedUpdateThenOneIsDisplayed) {
auto read_permission = memgraph::auth::FineGrainedAccessPermissions();
read_permission.Grant(edge_type_repr, memgraph::auth::FineGrainedPermission::READ);
read_permission.Grant(edge_type_repr, memgraph::auth::FineGrainedPermission::READ);
handler = memgraph::auth::FineGrainedAccessHandler{
memgraph::auth::FineGrainedAccessPermissions{},
memgraph::auth::FineGrainedAccessPermissions{read_permission},
};
memgraph::auth::User user = memgraph::auth::User{user_name, std::nullopt, perms, handler};
auth->SaveUser(user);
auto privileges = auth_handler.GetPrivileges(user_name);
ASSERT_EQ(privileges.size(), 1);
auto result = *privileges.begin();
ASSERT_EQ(result.size(), 3);
ASSERT_TRUE(result[0].IsString());
ASSERT_EQ(result[0].ValueString(), "EDGE_TYPE :EdgeType1");
ASSERT_TRUE(result[1].IsString());
ASSERT_EQ(result[1].ValueString(), "READ");
ASSERT_TRUE(result[2].IsString());
ASSERT_EQ(result[2].ValueString(), "EDGE_TYPE PERMISSION GRANTED TO USER");
}
#endif