@@ -176,29 +176,80 @@ pub async fn filter_authorized_watch_subscriptions(
176176#[ cfg( test) ]
177177mod tests {
178178 use super :: * ;
179- use aruna_core:: structs:: { WatchEventKind , data_watch_resource_path} ;
179+ use aruna_core:: effects:: StorageEffect ;
180+ use aruna_core:: events:: { Event , StorageEvent } ;
181+ use aruna_core:: keyspaces:: AUTH_KEYSPACE ;
182+ use aruna_core:: structs:: {
183+ Actor , GroupAuthorizationDocument , RealmAuthorizationDocument , WatchEventKind ,
184+ data_watch_resource_path,
185+ } ;
180186 use aruna_storage:: FjallStorage ;
181187
182188 fn node ( seed : u8 ) -> NodeId {
183189 iroh:: SecretKey :: from_bytes ( & [ seed; 32 ] ) . public ( )
184190 }
185191
186- // Anonymous callers carry a nil user id and own no inbox to deliver into, so
187- // a watch stays a user-plane feature even where the watched resource is
188- // publicly readable. The nil owner is refused before any role is evaluated.
192+ // A public (Everyone) role granting READ on the watched bucket would let a
193+ // nil caller through on the permission path alone. Anonymous callers own no
194+ // inbox to deliver into, so the nil-owner guard must still refuse the watch
195+ // before any role is evaluated, even where the resource is publicly readable.
189196 #[ tokio:: test]
190197 async fn anonymous_owner_refused ( ) {
191198 let dir = tempfile:: tempdir ( ) . expect ( "temp dir" ) ;
199+ let storage =
200+ FjallStorage :: open ( dir. path ( ) . to_str ( ) . expect ( "temp path" ) ) . expect ( "storage opens" ) ;
201+ let realm_id = RealmId ( [ 9u8 ; 32 ] ) ;
202+ let owner = UserId :: new ( Ulid :: from_bytes ( [ 1u8 ; 16 ] ) , realm_id) ;
203+ let group_id = Ulid :: from_bytes ( [ 4u8 ; 16 ] ) ;
204+ let node_id = node ( 3 ) ;
205+
206+ let actor = Actor {
207+ node_id,
208+ user_id : owner,
209+ realm_id,
210+ } ;
211+ let realm_auth = RealmAuthorizationDocument :: new_default_realm_doc ( realm_id) ;
212+ let mut group_auth =
213+ GroupAuthorizationDocument :: new_default_group_doc ( owner, realm_id, group_id) ;
214+ group_auth
215+ . roles
216+ . values_mut ( )
217+ . find ( |role| role. name == "viewer" )
218+ . expect ( "viewer role" )
219+ . assigned_users
220+ . insert ( UserId :: nil ( realm_id) ) ;
221+ for ( key, value) in [
222+ (
223+ realm_id. as_bytes ( ) . to_vec ( ) ,
224+ realm_auth. to_bytes ( & actor) . unwrap ( ) ,
225+ ) ,
226+ (
227+ group_id. to_bytes ( ) . to_vec ( ) ,
228+ group_auth. to_bytes ( & actor) . unwrap ( ) ,
229+ ) ,
230+ ] {
231+ match storage
232+ . send_storage_effect ( StorageEffect :: Write {
233+ key_space : AUTH_KEYSPACE . to_string ( ) ,
234+ key : key. into ( ) ,
235+ value : value. into ( ) ,
236+ txn_id : None ,
237+ } )
238+ . await
239+ {
240+ Event :: Storage ( StorageEvent :: WriteResult { .. } ) => { }
241+ other => panic ! ( "unexpected auth write event: {other:?}" ) ,
242+ }
243+ }
244+
192245 let context = DriverContext {
193- storage_handle : FjallStorage :: open ( dir. path ( ) . to_str ( ) . expect ( "temp path" ) )
194- . expect ( "storage opens" ) ,
246+ storage_handle : storage,
195247 net_handle : None ,
196248 blob_handle : None ,
197249 metadata_handle : None ,
198250 task_handle : None ,
199251 } ;
200- let realm_id = RealmId ( [ 9u8 ; 32 ] ) ;
201- let prefix = data_watch_resource_path ( Ulid :: from_bytes ( [ 4u8 ; 16 ] ) , node ( 3 ) , "bucket" , "" ) ;
252+ let prefix = data_watch_resource_path ( group_id, node_id, "bucket" , "" ) ;
202253
203254 assert_eq ! (
204255 is_watch_authorized(
0 commit comments