e15576f56c
* GRANT, REVOKE, DENY and access_checker DONE * Added AccessChecker to ExecutionContext * grammar expanded; (#462) * current * T0954 mg expand user and role to hold permissions on labels (#465) * added FineGrainedAccessPermissions class to model * expanded user and role with fine grained access permissions * fixed grammar * [E129 < T0953-MG] GRANT, DENY, REVOKE added in interpreter and mainVisitor (#464) * GRANT, DENY, REVOKE added in interpreter and mainVisitor * Commented labelPermissons * remove labelsPermission adding * Fixed * Removed extra lambda * fixed * [E129<-T0955-MG] Expand ExecutionContext with label related information (#467) * added * Added FineGrainedAccessChecker to Context * fixed * Added filtering * testing * Added edge filtering to storage, need to add filtering in simple Expand in operator.cpp * Removed storage changes * MATCH filtering working * EdgeTypeFiltering working, just need to test everything again * Removed FineGrainedAccessChecker * Removed Expand Path * Fix * Tested FineGrainedAccessHandler, need to test AuthChecker * Added integration test for lba * Fixed merge conflicts * PR fix * fixed * PR fix * Fix test * removed .vscode, .cache, .githooks * githooks * added tests * fixed build * Changed ast.lcp and User pointer to value in context.hpp * Fixed test * Remove denies on grant all * AuthChecker * Pr fix, auth_checker still not fixed * Create mg-glue and extract UserBasedAuthChecker from AuthChecker * Build fixed, need to fix test * e2e tests * e2e test working * Added unit test, e2e and FineGrainedChecker * Mege E129, auth_checker tests * Fixed test * e2e fix Co-authored-by: Boris Taševski <36607228+BorisTasevski@users.noreply.github.com> Co-authored-by: josipmrden <josip.mrden@external-basf.com> Co-authored-by: János Benjamin Antal <benjamin.antal@memgraph.io>
136 lines
5.5 KiB
Python
136 lines
5.5 KiB
Python
#!/usr/bin/python3 -u
|
|
|
|
# Copyright 2021 Memgraph Ltd.
|
|
#
|
|
# Use of this software is governed by the Business Source License
|
|
# included in the file licenses/BSL.txt; by using this file, you agree to be bound by the terms of the Business Source
|
|
# License, and you may not use this file except in compliance with the Business Source License.
|
|
#
|
|
# As of the Change Date specified in that file, in accordance with
|
|
# the Business Source License, use of this software will be governed
|
|
# by the Apache License, Version 2.0, included in the file
|
|
# licenses/APL.txt.
|
|
|
|
import argparse
|
|
import atexit
|
|
import os
|
|
import subprocess
|
|
import sys
|
|
import tempfile
|
|
import time
|
|
from typing import List
|
|
|
|
SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))
|
|
PROJECT_DIR = os.path.normpath(os.path.join(SCRIPT_DIR, "..", "..", ".."))
|
|
|
|
UNAUTHORIZED_ERROR = "You are not authorized to execute this query! Please " "contact your database administrator."
|
|
|
|
|
|
def wait_for_server(port, delay=0.1):
|
|
cmd = ["nc", "-z", "-w", "1", "127.0.0.1", str(port)]
|
|
while subprocess.call(cmd) != 0:
|
|
time.sleep(0.01)
|
|
time.sleep(delay)
|
|
|
|
|
|
def execute_tester(
|
|
binary, queries, should_fail=False, failure_message="", username="", password="", check_failure=True
|
|
):
|
|
args = [binary, "--username", username, "--password", password]
|
|
if should_fail:
|
|
args.append("--should-fail")
|
|
if failure_message:
|
|
args.extend(["--failure-message", failure_message])
|
|
if check_failure:
|
|
args.append("--check-failure")
|
|
args.extend(queries)
|
|
subprocess.run(args).check_returncode()
|
|
|
|
|
|
def execute_filtering(binary: str, queries: List[str], expected: int, username: str = "", password: str = "") -> None:
|
|
args = [binary, "--username", username, "--password", password]
|
|
|
|
args.extend(queries)
|
|
args.append(str(expected))
|
|
|
|
subprocess.run(args).check_returncode()
|
|
|
|
|
|
def execute_test(memgraph_binary: str, tester_binary: str, filtering_binary: str) -> None:
|
|
storage_directory = tempfile.TemporaryDirectory()
|
|
memgraph_args = [memgraph_binary, "--data-directory", storage_directory.name]
|
|
|
|
def execute_admin_queries(queries):
|
|
return execute_tester(
|
|
tester_binary, queries, should_fail=False, check_failure=True, username="admin", password="admin"
|
|
)
|
|
|
|
def execute_user_queries(queries, should_fail=False, failure_message="", check_failure=True):
|
|
return execute_tester(tester_binary, queries, should_fail, failure_message, "user", "user", check_failure)
|
|
|
|
# Start the memgraph binary
|
|
memgraph = subprocess.Popen(list(map(str, memgraph_args)))
|
|
time.sleep(0.1)
|
|
assert memgraph.poll() is None, "Memgraph process died prematurely!"
|
|
wait_for_server(7687)
|
|
|
|
# Register cleanup function
|
|
@atexit.register
|
|
def cleanup():
|
|
if memgraph.poll() is None:
|
|
memgraph.terminate()
|
|
assert memgraph.wait() == 0, "Memgraph process didn't exit cleanly!"
|
|
|
|
# Prepare all users
|
|
execute_admin_queries(
|
|
[
|
|
"CREATE USER admin IDENTIFIED BY 'admin'",
|
|
"GRANT ALL PRIVILEGES TO admin",
|
|
"CREATE USER user IDENTIFIED BY 'user'",
|
|
"GRANT ALL PRIVILEGES TO user",
|
|
"GRANT LABELS :label1, :label2, :label3 TO user",
|
|
"GRANT EDGE_TYPES :edgeType1, :edgeType2 TO user",
|
|
"MERGE (l1:label1 {name: 'test1'})",
|
|
"MERGE (l2:label2 {name: 'test2'})",
|
|
"MATCH (l1:label1),(l2:label2) WHERE l1.name = 'test1' AND l2.name = 'test2' CREATE (l1)-[r:edgeType1]->(l2)",
|
|
"MERGE (l3:label3 {name: 'test3'})",
|
|
"MATCH (l1:label1),(l3:label3) WHERE l1.name = 'test1' AND l3.name = 'test3' CREATE (l1)-[r:edgeType2]->(l3)",
|
|
"MERGE (mix:label3:label1 {name: 'test4'})",
|
|
"MATCH (l1:label1),(mix:label3) WHERE l1.name = 'test1' AND mix.name = 'test4' CREATE (l1)-[r:edgeType2]->(mix)",
|
|
]
|
|
)
|
|
|
|
# Run the test with all combinations of permissions
|
|
print("\033[1;36m~~ Starting edge filtering test ~~\033[0m")
|
|
execute_filtering(filtering_binary, ["MATCH (n)-[r]->(m) RETURN n,r,m"], 3, "user", "user")
|
|
execute_admin_queries(["DENY EDGE_TYPES :edgeType1 TO user"])
|
|
execute_filtering(filtering_binary, ["MATCH (n)-[r]->(m) RETURN n,r,m"], 2, "user", "user")
|
|
execute_admin_queries(["GRANT EDGE_TYPES :edgeType1 TO user", "DENY LABELS :label3 TO user"])
|
|
execute_filtering(filtering_binary, ["MATCH (n)-[r]->(m) RETURN n,r,m"], 1, "user", "user")
|
|
execute_admin_queries(["DENY LABELS :label1 TO user"])
|
|
execute_filtering(filtering_binary, ["MATCH (n)-[r]->(m) RETURN n,r,m"], 0, "user", "user")
|
|
execute_admin_queries(["REVOKE LABELS * FROM user", "REVOKE EDGE_TYPES * FROM user"])
|
|
execute_filtering(filtering_binary, ["MATCH (n)-[r]->(m) RETURN n,r,m"], 0, "user", "user")
|
|
|
|
print("\033[1;36m~~ Finished edge filtering test ~~\033[0m\n")
|
|
|
|
# Shutdown the memgraph binary
|
|
memgraph.terminate()
|
|
assert memgraph.wait() == 0, "Memgraph process didn't exit cleanly!"
|
|
|
|
|
|
if __name__ == "__main__":
|
|
memgraph_binary = os.path.join(PROJECT_DIR, "build", "memgraph")
|
|
tester_binary = os.path.join(PROJECT_DIR, "build", "tests", "integration", "lba", "tester")
|
|
filtering_binary = os.path.join(PROJECT_DIR, "build", "tests", "integration", "lba", "filtering")
|
|
|
|
parser = argparse.ArgumentParser()
|
|
parser.add_argument("--memgraph", default=memgraph_binary)
|
|
parser.add_argument("--tester", default=tester_binary)
|
|
parser.add_argument("--filtering", default=filtering_binary)
|
|
args = parser.parse_args()
|
|
|
|
execute_test(args.memgraph, args.tester, args.filtering)
|
|
|
|
sys.exit(0)
|