memgraph/tests/e2e/lba_procedures/read_permission_queries.py
andrejtonev 6a4ef55e90
Better auth user/role handling (#1699)
* Stop auth module from creating users
* Explicit about auth policy (check if no users defined OR auth module used)
* Role supports database access definition
* Authenticate() returns user or role
* AuthChecker generates QueryUserOrRole (can be empty)
* QueryUserOrRole actually authorizes
* Add auth cache invalidation
* Better database access queries (GRANT, DENY, REVOKE DATABASE)
2024-02-22 14:00:39 +00:00

172 lines
5.8 KiB
Python

# Copyright 2023 Memgraph Ltd.
#
# Use of this software is governed by the Business Source License
# included in the file licenses/BSL.txt; by using this file, you agree to be bound by the terms of the Business Source
# License, and you may not use this file except in compliance with the Business Source License.
#
# As of the Change Date specified in that file, in accordance with
# the Business Source License, use of this software will be governed
# by the Apache License, Version 2.0, included in the file
# licenses/APL.txt.
import sys
from typing import List
import pytest
from common import *
match_query = "MATCH (n) RETURN n;"
match_by_id_query = "MATCH (n) WHERE ID(n) >= 0 RETURN n;"
match_by_label_query = "MATCH (n) RETURN n;"
match_by_label_property_range_query = "MATCH (n) WHERE n.prop < 7 RETURN n;"
match_by_label_property_value_query = "MATCH (n {prop: 5}) RETURN n;"
match_by_label_property_query = "MATCH (n) WHERE n.prop IS NOT NULL RETURN n;"
read_node_without_index_operation_cases = [
["GRANT READ ON LABELS :read_label TO user;"],
["GRANT READ ON LABELS * TO user;"],
["GRANT UPDATE ON LABELS :read_label TO user;"],
["GRANT UPDATE ON LABELS * TO user;"],
["GRANT CREATE_DELETE ON LABELS :read_label TO user;"],
["GRANT CREATE_DELETE ON LABELS * TO user;"],
]
read_node_without_index_operation_cases_expected_size = [1, 3, 1, 3, 1, 3]
read_node_with_index_operation_cases = [
["GRANT READ ON LABELS :read_label TO user;"],
["GRANT READ ON LABELS * TO user;"],
["GRANT UPDATE ON LABELS :read_label TO user;"],
["GRANT UPDATE ON LABELS * TO user;"],
["GRANT CREATE_DELETE ON LABELS :read_label TO user;"],
["GRANT CREATE_DELETE ON LABELS * TO user;"],
]
read_node_with_index_operation_cases_expected_sizes = [1, 3, 1, 3, 1, 3]
not_read_node_without_index_operation_cases = [
[],
["GRANT NOTHING ON LABELS :read_label TO user;"],
["GRANT NOTHING ON LABELS * TO user;"],
[
"GRANT UPDATE ON LABELS :read_label TO user;",
"GRANT NOTHING ON LABELS :read_label TO user",
],
[
"GRANT UPDATE ON LABELS * TO user;",
"GRANT NOTHING ON LABELS :read_label TO user",
],
[
"GRANT CREATE_DELETE ON LABELS :read_label TO user;",
"GRANT NOTHING ON LABELS :read_label TO user",
],
[
"GRANT CREATE_DELETE ON LABELS * TO user;",
"GRANT NOTHING ON LABELS :read_label TO user",
],
]
not_read_node_without_index_operation_cases_expected_sizes = [0, 0, 0, 0, 2, 0, 2]
not_read_node_with_index_operation_cases = [
[],
["GRANT NOTHING ON LABELS :read_label TO user;"],
["GRANT NOTHING ON LABELS * TO user;"],
[
"GRANT UPDATE ON LABELS :read_label TO user;",
"GRANT NOTHING ON LABELS :read_label TO user",
],
[
"GRANT UPDATE ON LABELS * TO user;",
"GRANT NOTHING ON LABELS :read_label TO user",
],
[
"GRANT CREATE_DELETE ON LABELS :read_label TO user;",
"GRANT NOTHING ON LABELS :read_label TO user",
],
[
"GRANT CREATE_DELETE ON LABELS * TO user;",
"GRANT NOTHING ON LABELS :read_label TO user",
],
]
not_read_node_with_index_operation_cases_expexted_sizes = [0, 0, 0, 0, 2, 0, 2]
def get_admin_cursor():
return connect(username="admin", password="test").cursor()
def get_user_cursor():
return connect(username="user", password="test").cursor()
def execute_read_node_assertion(
operation_case: List[str], queries: List[str], create_index: bool, expected_size: int, switch: bool
) -> None:
admin_cursor = get_admin_cursor()
if switch:
create_multi_db(admin_cursor)
switch_db(admin_cursor)
reset_permissions(admin_cursor, create_index)
for operation in operation_case:
execute_and_fetch_all(admin_cursor, operation)
# Connect after possible auth changes
user_cursor = get_user_cursor()
if switch:
switch_db(user_cursor)
for mq in queries:
results = execute_and_fetch_all(user_cursor, mq)
assert len(results) == expected_size
@pytest.mark.parametrize("switch", [False, True])
def test_can_read_node_when_authorized(switch):
match_queries_without_index = [match_query, match_by_id_query]
match_queries_with_index = [
match_by_label_query,
match_by_label_property_query,
match_by_label_property_range_query,
match_by_label_property_value_query,
]
for expected_size, operation_case in zip(
read_node_without_index_operation_cases_expected_size, read_node_without_index_operation_cases
):
execute_read_node_assertion(operation_case, match_queries_without_index, False, expected_size, switch)
for expected_size, operation_case in zip(
read_node_with_index_operation_cases_expected_sizes, read_node_with_index_operation_cases
):
execute_read_node_assertion(operation_case, match_queries_with_index, True, expected_size, switch)
@pytest.mark.parametrize("switch", [False, True])
def test_can_not_read_node_when_authorized(switch):
match_queries_without_index = [match_query, match_by_id_query]
match_queries_with_index = [
match_by_label_query,
match_by_label_property_query,
match_by_label_property_range_query,
match_by_label_property_value_query,
]
for expected_size, operation_case in zip(
not_read_node_without_index_operation_cases_expected_sizes, not_read_node_without_index_operation_cases
):
execute_read_node_assertion(operation_case, match_queries_without_index, False, expected_size, switch)
for expected_size, operation_case in zip(
not_read_node_with_index_operation_cases_expexted_sizes, not_read_node_with_index_operation_cases
):
execute_read_node_assertion(operation_case, match_queries_with_index, True, expected_size, switch)
if __name__ == "__main__":
sys.exit(pytest.main([__file__, "-rA"]))