Skip to content

Commit 8c9b3a0

Browse files
committed
test: prove the nil watch owner guard blocks public read
1 parent 2ac683e commit 8c9b3a0

1 file changed

Lines changed: 59 additions & 8 deletions

File tree

operations/src/notifications/watch/authorization.rs

Lines changed: 59 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -176,29 +176,80 @@ pub async fn filter_authorized_watch_subscriptions(
176176
#[cfg(test)]
177177
mod tests {
178178
use super::*;
179-
use aruna_core::structs::{WatchEventKind, data_watch_resource_path};
179+
use aruna_core::effects::StorageEffect;
180+
use aruna_core::events::{Event, StorageEvent};
181+
use aruna_core::keyspaces::AUTH_KEYSPACE;
182+
use aruna_core::structs::{
183+
Actor, GroupAuthorizationDocument, RealmAuthorizationDocument, WatchEventKind,
184+
data_watch_resource_path,
185+
};
180186
use aruna_storage::FjallStorage;
181187

182188
fn node(seed: u8) -> NodeId {
183189
iroh::SecretKey::from_bytes(&[seed; 32]).public()
184190
}
185191

186-
// Anonymous callers carry a nil user id and own no inbox to deliver into, so
187-
// a watch stays a user-plane feature even where the watched resource is
188-
// publicly readable. The nil owner is refused before any role is evaluated.
192+
// A public (Everyone) role granting READ on the watched bucket would let a
193+
// nil caller through on the permission path alone. Anonymous callers own no
194+
// inbox to deliver into, so the nil-owner guard must still refuse the watch
195+
// before any role is evaluated, even where the resource is publicly readable.
189196
#[tokio::test]
190197
async fn anonymous_owner_refused() {
191198
let dir = tempfile::tempdir().expect("temp dir");
199+
let storage =
200+
FjallStorage::open(dir.path().to_str().expect("temp path")).expect("storage opens");
201+
let realm_id = RealmId([9u8; 32]);
202+
let owner = UserId::new(Ulid::from_bytes([1u8; 16]), realm_id);
203+
let group_id = Ulid::from_bytes([4u8; 16]);
204+
let node_id = node(3);
205+
206+
let actor = Actor {
207+
node_id,
208+
user_id: owner,
209+
realm_id,
210+
};
211+
let realm_auth = RealmAuthorizationDocument::new_default_realm_doc(realm_id);
212+
let mut group_auth =
213+
GroupAuthorizationDocument::new_default_group_doc(owner, realm_id, group_id);
214+
group_auth
215+
.roles
216+
.values_mut()
217+
.find(|role| role.name == "viewer")
218+
.expect("viewer role")
219+
.assigned_users
220+
.insert(UserId::nil(realm_id));
221+
for (key, value) in [
222+
(
223+
realm_id.as_bytes().to_vec(),
224+
realm_auth.to_bytes(&actor).unwrap(),
225+
),
226+
(
227+
group_id.to_bytes().to_vec(),
228+
group_auth.to_bytes(&actor).unwrap(),
229+
),
230+
] {
231+
match storage
232+
.send_storage_effect(StorageEffect::Write {
233+
key_space: AUTH_KEYSPACE.to_string(),
234+
key: key.into(),
235+
value: value.into(),
236+
txn_id: None,
237+
})
238+
.await
239+
{
240+
Event::Storage(StorageEvent::WriteResult { .. }) => {}
241+
other => panic!("unexpected auth write event: {other:?}"),
242+
}
243+
}
244+
192245
let context = DriverContext {
193-
storage_handle: FjallStorage::open(dir.path().to_str().expect("temp path"))
194-
.expect("storage opens"),
246+
storage_handle: storage,
195247
net_handle: None,
196248
blob_handle: None,
197249
metadata_handle: None,
198250
task_handle: None,
199251
};
200-
let realm_id = RealmId([9u8; 32]);
201-
let prefix = data_watch_resource_path(Ulid::from_bytes([4u8; 16]), node(3), "bucket", "");
252+
let prefix = data_watch_resource_path(group_id, node_id, "bucket", "");
202253

203254
assert_eq!(
204255
is_watch_authorized(

0 commit comments

Comments
 (0)