c09b175c76
* [T1006-MG < T1017-MG] Add LBA checks to all read procedures in C API (#515) * Initial Impl * NextPermittedEdge introduced * revert moving constructor to cpp * edge from and edge to methods expanded with lba check * minor fix * added check to path expand procedure * Added integration tests for read query procedures * additional check * changed iterator type to reference * comments from pr Co-authored-by: Josip Mrden <josip.mrden@memgraph.io> * [T1006-MG < T1018-MG] Add LBA checks to all update procedures in C API (#516) * Initial Impl * NextPermittedEdge introduced * revert moving constructor to cpp * edge from and edge to methods expanded with lba check * minor fix * extended update methods * added check to path expand procedure * Added integration tests for read query procedures * Added integration tests for update query modules * additional check * changed iterator type to reference * fixed bug in Update property for node; fixed 2 e2e tests * replaced enum Co-authored-by: Josip Mrden <josip.mrden@memgraph.io> * [T1006-MG < T1019-MG] Add LBA checks to all Create and Delete procedures in C API (#517) * Initial Impl * NextPermittedEdge introduced * revert moving constructor to cpp * edge from and edge to methods expanded with lba check * minor fix * extended update methods * initial implementation * added check to path expand procedure * Added integration tests for read query procedures * Added integration tests for update query modules * Added unit tests for creation of vertex, adding and removing vertex label * additional check * changed iterator type to reference * Added unit tests for create edge * Corrected query module in create edge * fixed bug in Update property for node; fixed 2 e2e tests * fixed merge errors * Expanded FineGrainedAuthChecker with HasGlobalPermissionOnVertices and HasGlobalPermissionOnEdges * Removed two wrong checks; Added two global checks * return null added * introduced new mgp_error value * fixed endless loop * replaced enum * 
intermediate * tests updated * PermissionDeniedError -> AuthorizationError rename * rename in enum permission_denied error -> authorization error * mgp_vertex_remove_label check improved * quotes changed; order of imports fixed * string constant introduced * import fixed * yaml format Co-authored-by: Josip Mrden <josip.mrden@memgraph.io> Co-authored-by: Josip Mrden <josip.mrden@memgraph.io>
# Copyright 2022 Memgraph Ltd.
#
# Use of this software is governed by the Business Source License
# included in the file licenses/BSL.txt; by using this file, you agree to be bound by the terms of the Business Source
# License, and you may not use this file except in compliance with the Business Source License.
#
# As of the Change Date specified in that file, in accordance with
# the Business Source License, use of this software will be governed
# by the Apache License, Version 2.0, included in the file
# licenses/APL.txt.
import pytest
import sys
from common import (
connect,
execute_and_fetch_all,
mgclient,
reset_create_delete_permissions,
)
AUTHORIZATION_ERROR_IDENTIFIER = "AuthorizationError"
|
|
|
|
create_vertex_query = "CALL create_delete.create_vertex() YIELD created_node RETURN labels(created_node);"
|
|
remove_label_vertex_query = "CALL create_delete.remove_label('create_delete_label') YIELD node RETURN labels(node);"
|
|
set_label_vertex_query = "CALL create_delete.set_label('new_create_delete_label') YIELD node RETURN labels(node);"
|
|
create_edge_query = "MATCH (n:create_delete_label_1), (m:create_delete_label_2) CALL create_delete.create_edge(n, m) YIELD nr_of_edges RETURN nr_of_edges;"
|
|
delete_edge_query = "CALL create_delete.delete_edge() YIELD * RETURN *;"
def test_can_not_create_vertex_when_given_nothing():
    """Deny vertex creation through the procedure when no grant is added for the user."""
    # reset_create_delete_permissions comes from the shared `common` module;
    # presumably it restores the baseline grants (its body is not in this file).
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    user_cursor = connect(username="user", password="test").cursor()

    # Only a DatabaseError whose message matches the authorization identifier passes.
    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, create_vertex_query)
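def test_can_create_vertex_when_given_global_create_delete():
    """Allow vertex creation through the procedure under a global CREATE_DELETE grant.

    The query returns labels(created_node); the created vertex is expected to
    carry exactly one label.
    """
    admin_cursor = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin_cursor)

    execute_and_fetch_all(admin_cursor, "GRANT CREATE_DELETE ON LABELS * TO user;")

    test_cursor = connect(username="user", password="test").cursor()

    result = execute_and_fetch_all(test_cursor, create_vertex_query)

    # The original line was a bare comparison whose value was discarded, so the
    # outcome of the permitted call was never verified; assert it.
    assert len(result[0][0]) == 1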
def test_can_not_create_vertex_when_given_global_read():
    """Deny vertex creation through the procedure when the user holds only global READ on labels."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    # READ on every label must not be enough to create a vertex.
    grant = "GRANT READ ON LABELS * TO user;"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, create_vertex_query)
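def test_can_not_create_vertex_when_given_global_update():
    """Deny vertex creation through the procedure when the user holds only global UPDATE on labels."""
    admin_cursor = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin_cursor)

    # The test name promises a *global* grant, but the original granted UPDATE on
    # :create_delete_label only. Granting on `*` matches the name and the sibling
    # global_read test, and is the stricter negative case: even UPDATE on every
    # label must not permit creation.
    execute_and_fetch_all(admin_cursor, "GRANT UPDATE ON LABELS * TO user;")

    test_cursor = connect(username="user", password="test").cursor()

    # Only a DatabaseError whose message matches the authorization identifier passes.
    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(test_cursor, create_vertex_query)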
def test_can_add_vertex_label_when_given_create_delete():
    """Allow adding a label when the user has CREATE_DELETE on it and UPDATE on the existing label.

    After the call the returned label collection must contain both the
    pre-existing label and the newly added one.
    """
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    grant = "GRANT CREATE_DELETE ON LABELS :new_create_delete_label, UPDATE ON LABELS :create_delete_label TO user;"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()
    rows = execute_and_fetch_all(user_cursor, set_label_vertex_query)

    # First column of the first row is labels(node) for the modified vertex.
    assert "create_delete_label" in rows[0][0]
    assert "new_create_delete_label" in rows[0][0]
def test_can_not_add_vertex_label_when_given_update():
    """Deny adding a label when the user holds only UPDATE on both the new and the existing label."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    # UPDATE on the label being added is one level short of what the positive test grants.
    grant = "GRANT UPDATE ON LABELS :new_create_delete_label, :create_delete_label TO user;"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()
    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, set_label_vertex_query)
def test_can_not_add_vertex_label_when_given_read():
    """Deny adding a label when the user holds only READ on it (and UPDATE on the existing label)."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    grant = "GRANT READ ON LABELS :new_create_delete_label, UPDATE ON LABELS :create_delete_label TO user;"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()
    # The denial has to be reported as an authorization error, not any DatabaseError.
    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, set_label_vertex_query)
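def test_can_remove_vertex_label_when_given_create_delete():
    """Allow removing a label when the user has CREATE_DELETE on that label.

    The query returns labels(node) for the modified vertex; the removed label
    must no longer be among them.
    """
    admin_cursor = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin_cursor)

    execute_and_fetch_all(admin_cursor, "GRANT CREATE_DELETE ON LABELS :create_delete_label TO user;")

    test_cursor = connect(username="user", password="test").cursor()
    result = execute_and_fetch_all(test_cursor, remove_label_vertex_query)

    # The original compared the whole labels(node) value with the string
    # ":create_delete_label". Other tests in this file treat that value as a
    # collection of label names without the colon, so the inequality always held
    # and could not detect a label that was still present. Check membership.
    assert "create_delete_label" not in result[0][0]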
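def test_can_remove_vertex_label_when_given_global_create_delete():
    """Allow removing a label when the user has CREATE_DELETE on all labels.

    The query returns labels(node) for the modified vertex; the removed label
    must no longer be among them.
    """
    admin_cursor = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin_cursor)

    execute_and_fetch_all(admin_cursor, "GRANT CREATE_DELETE ON LABELS * TO user;")

    test_cursor = connect(username="user", password="test").cursor()
    result = execute_and_fetch_all(test_cursor, remove_label_vertex_query)

    # The original compared the whole labels(node) value with the string
    # ":create_delete_label". Other tests in this file treat that value as a
    # collection of label names without the colon, so the inequality always held
    # and could not detect a label that was still present. Check membership.
    assert "create_delete_label" not in result[0][0]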
def test_can_not_remove_vertex_label_when_given_update():
    """Deny removing a label when the user holds only UPDATE on that label."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    grant = "GRANT UPDATE ON LABELS :create_delete_label TO user;"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    # Only a DatabaseError whose message matches the authorization identifier passes.
    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, remove_label_vertex_query)
def test_can_not_remove_vertex_label_when_given_global_update():
    """Deny removing a label when the user holds only UPDATE on all labels."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    # Global variant of the per-label UPDATE case: the wildcard must not widen the privilege level.
    grant = "GRANT UPDATE ON LABELS * TO user;"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, remove_label_vertex_query)
def test_can_not_remove_vertex_label_when_given_read():
    """Deny removing a label when the user holds only READ on that label."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    grant = "GRANT READ ON LABELS :create_delete_label TO user;"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    # Only a DatabaseError whose message matches the authorization identifier passes.
    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, remove_label_vertex_query)
def test_can_not_remove_vertex_label_when_given_global_read():
    """Deny removing a label when the user holds only READ on all labels."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    # Global variant of the per-label READ case.
    grant = "GRANT READ ON LABELS * TO user;"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, remove_label_vertex_query)
def test_can_not_create_edge_when_given_nothing():
    """Deny edge creation through the procedure when no edge-type grant is added for the user."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    user_cursor = connect(username="user", password="test").cursor()

    # NOTE(review): create_edge_query first MATCHes two labelled nodes; whether
    # the user can see them depends on what reset_create_delete_permissions
    # grants, which is not visible in this file.
    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, create_edge_query)
def test_can_not_create_edge_when_given_read():
    """Deny edge creation when the user holds only READ on the edge type named in the grant."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    # Presumably :new_create_delete_edge_type is the type the procedure creates;
    # the procedure body is not in this file.
    grant = "GRANT READ ON EDGE_TYPES :new_create_delete_edge_type TO user"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, create_edge_query)
def test_can_not_create_edge_when_given_update():
    """Deny edge creation when the user holds only UPDATE on the edge type named in the grant."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    grant = "GRANT UPDATE ON EDGE_TYPES :new_create_delete_edge_type TO user"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    # Only a DatabaseError whose message matches the authorization identifier passes.
    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, create_edge_query)
def test_can_create_edge_when_given_create_delete():
    """Allow edge creation when the user has CREATE_DELETE on the edge type named in the grant.

    The procedure yields nr_of_edges, which is expected to be 2 after the call.
    """
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    grant = "GRANT CREATE_DELETE ON EDGE_TYPES :new_create_delete_edge_type TO user"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    rows = execute_and_fetch_all(user_cursor, create_edge_query)

    # First column of the first row is the yielded nr_of_edges.
    assert rows[0][0] == 2
def test_can_not_delete_edge_when_given_nothing():
    """Deny edge deletion through the procedure when no edge-type grant is added for the user."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    user_cursor = connect(username="user", password="test").cursor()

    # Only a DatabaseError whose message matches the authorization identifier passes.
    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, delete_edge_query)
def test_can_not_delete_edge_when_given_read():
    """Deny edge deletion when the user holds only READ on the edge type named in the grant."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    grant = "GRANT READ ON EDGE_TYPES :create_delete_edge_type TO user"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, delete_edge_query)
def test_can_not_delete_edge_when_given_update():
    """Deny edge deletion when the user holds only UPDATE on the edge type named in the grant."""
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    grant = "GRANT UPDATE ON EDGE_TYPES :create_delete_edge_type TO user"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    # Only a DatabaseError whose message matches the authorization identifier passes.
    with pytest.raises(mgclient.DatabaseError, match=AUTHORIZATION_ERROR_IDENTIFIER):
        execute_and_fetch_all(user_cursor, delete_edge_query)
def test_can_delete_edge_when_given_create_delete():
    """Allow edge deletion when the user has CREATE_DELETE on the edge type named in the grant.

    The first value the procedure yields is expected to be 0 after the call.
    """
    admin = connect(username="admin", password="test").cursor()
    reset_create_delete_permissions(admin)

    grant = "GRANT CREATE_DELETE ON EDGE_TYPES :create_delete_edge_type TO user"
    execute_and_fetch_all(admin, grant)

    user_cursor = connect(username="user", password="test").cursor()

    rows = execute_and_fetch_all(user_cursor, delete_edge_query)

    # Presumably the remaining edge count; the yielded field name is hidden behind `YIELD *`.
    assert rows[0][0] == 0
if __name__ == "__main__":
    # Run this file's tests directly; "-rA" asks pytest for a summary line per test outcome.
    exit_code = pytest.main([__file__, "-rA"])
    sys.exit(exit_code)