Skip to content

Commit 24993ba

Browse files
committed
PR(MAIN): Gate & Test - Get Schema + Get Schema By Version
1 parent d50aaec commit 24993ba

6 files changed

Lines changed: 155 additions & 2 deletions

File tree

acp/types/types.go

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -88,6 +88,8 @@ const (
8888
AdminAACStatusPerm
8989
AdminAACRelationAddPerm
9090
AdminAACRelationDeletePerm
91+
AdminSchemaGetPerm
92+
AdminSchemaGetByVersionPerm
9193
AdminSchemaAddPerm
9294
AdminSchemaPatchPerm
9395
AdminPatchCollectionPerm
@@ -111,6 +113,8 @@ var RequiredResourcePermissionsForAdmin = []string{
111113
"aac-status",
112114
"aac-relation-add",
113115
"aac-relation-delete",
116+
"schema-get",
117+
"schema-get-by-version",
114118
"schema-add",
115119
"schema-patch",
116120
"patch-collection",
@@ -158,6 +162,10 @@ resources:
158162
expr: owner + admin
159163
aac-relation-delete:
160164
expr: owner + admin
165+
schema-get:
166+
expr: owner + admin
167+
schema-get-by-version:
168+
expr: owner + admin
161169
schema-add:
162170
expr: owner + admin
163171
schema-patch:

internal/db/store.go

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -91,6 +91,11 @@ func (db *DB) GetSchemaByVersionID(ctx context.Context, versionID string) (clien
9191
ctx, span := tracer.Start(ctx)
9292
defer span.End()
9393

94+
err := db.checkAdminAccess(ctx, acpTypes.AdminSchemaGetByVersionPerm)
95+
if err != nil {
96+
return client.SchemaDescription{}, err
97+
}
98+
9499
ctx, txn, err := ensureContextTxn(ctx, db, true)
95100
if err != nil {
96101
return client.SchemaDescription{}, err
@@ -109,6 +114,11 @@ func (db *DB) GetSchemas(
109114
ctx, span := tracer.Start(ctx)
110115
defer span.End()
111116

117+
err := db.checkAdminAccess(ctx, acpTypes.AdminSchemaGetPerm)
118+
if err != nil {
119+
return nil, err
120+
}
121+
112122
ctx, txn, err := ensureContextTxn(ctx, db, true)
113123
if err != nil {
114124
return nil, err
Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,76 @@
1+
// Copyright 2025 Democratized Data Foundation
2+
//
3+
// Use of this software is governed by the Business Source License
4+
// included in the file licenses/BSL.txt.
5+
//
6+
// As of the Change Date specified in that file, in accordance with
7+
// the Business Source License, use of this software will be governed
8+
// by the Apache License, Version 2.0, included in the file
9+
// licenses/APL.txt.
10+
11+
package test_acp_aac
12+
13+
import (
14+
"testing"
15+
16+
"github.com/sourcenetwork/defradb/client"
17+
testUtils "github.com/sourcenetwork/defradb/tests/integration"
18+
"github.com/sourcenetwork/immutable"
19+
)
20+
21+
func TestAAC_GatesSchemaGetByVersion_AllowIfAuthorizedElseError(t *testing.T) {
22+
schemaVersionID := "bafkreia2jn5ecrhtvy4fravk6pm3wqiny46m7mqymvjkgat7xiqupgqoai"
23+
24+
test := testUtils.TestCase{
25+
Description: "admin acp correctly gates schema get by version operation, allow if authorized, otherwise error",
26+
Actions: []any{
27+
// Setup that we can do before aac is enabled.
28+
testUtils.SchemaUpdate{
29+
Schema: `
30+
type Users {}
31+
`,
32+
},
33+
34+
// Starting with ACC, so only authorized user(s) can perform operations.
35+
testUtils.Close{},
36+
testUtils.Start{
37+
Identity: testUtils.ClientIdentity(1),
38+
EnableAAC: true,
39+
},
40+
41+
// We haven't authorized non-identities. So, this should error.
42+
testUtils.GetSchema{
43+
VersionID: immutable.Some(schemaVersionID),
44+
ExpectedError: "not authorized to perform operation",
45+
},
46+
47+
// Wrong user/identity will also not be authorized.
48+
testUtils.GetSchema{
49+
Identity: testUtils.ClientIdentity(2),
50+
VersionID: immutable.Some(schemaVersionID),
51+
ExpectedError: "not authorized to perform operation",
52+
},
53+
54+
// This should work as the identity is authorized.
55+
testUtils.GetSchema{
56+
Identity: testUtils.ClientIdentity(1),
57+
VersionID: immutable.Some(schemaVersionID),
58+
ExpectedResults: []client.SchemaDescription{
59+
{
60+
Name: "Users",
61+
Root: schemaVersionID,
62+
VersionID: schemaVersionID,
63+
Fields: []client.SchemaFieldDescription{
64+
{
65+
Name: "_docID",
66+
Kind: client.FieldKind_DocID,
67+
},
68+
},
69+
},
70+
},
71+
},
72+
},
73+
}
74+
75+
testUtils.ExecuteTestCase(t, test)
76+
}
Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
// Copyright 2025 Democratized Data Foundation
2+
//
3+
// Use of this software is governed by the Business Source License
4+
// included in the file licenses/BSL.txt.
5+
//
6+
// As of the Change Date specified in that file, in accordance with
7+
// the Business Source License, use of this software will be governed
8+
// by the Apache License, Version 2.0, included in the file
9+
// licenses/APL.txt.
10+
11+
package test_acp_aac
12+
13+
import (
14+
"testing"
15+
16+
"github.com/sourcenetwork/defradb/client"
17+
testUtils "github.com/sourcenetwork/defradb/tests/integration"
18+
)
19+
20+
func TestAAC_GatesSchemaGet_AllowIfAuthorizedElseError(t *testing.T) {
21+
test := testUtils.TestCase{
22+
Description: "admin acp correctly gates schema get operation, allow if authorized, otherwise error",
23+
Actions: []any{
24+
// Starting with ACC, so only authorized user(s) can perform operations.
25+
testUtils.Close{},
26+
testUtils.Start{
27+
Identity: testUtils.ClientIdentity(1),
28+
EnableAAC: true,
29+
},
30+
31+
// We haven't authorized non-identities. So, this should error.
32+
testUtils.GetSchema{
33+
ExpectedError: "not authorized to perform operation",
34+
},
35+
36+
// Wrong user/identity will also not be authorized.
37+
testUtils.GetSchema{
38+
Identity: testUtils.ClientIdentity(2),
39+
ExpectedError: "not authorized to perform operation",
40+
},
41+
42+
// This should work as the identity is authorized.
43+
testUtils.GetSchema{
44+
Identity: testUtils.ClientIdentity(1),
45+
ExpectedResults: []client.SchemaDescription{},
46+
},
47+
},
48+
}
49+
50+
testUtils.ExecuteTestCase(t, test)
51+
}

tests/integration/test_case.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -274,6 +274,11 @@ type GetSchema struct {
274274
// If a value is not provided the patch will be applied to all nodes.
275275
NodeID immutable.Option[int]
276276

277+
// The identity of this request. Optional.
278+
//
279+
// If admin acp is enabled, identity will be used to check if this operation can be performed.
280+
Identity immutable.Option[Identity]
281+
277282
// The VersionID of the schema version to fetch.
278283
//
279284
// This option will be prioritized over all other options.

tests/integration/utils.go

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1155,10 +1155,12 @@ func getSchema(
11551155
s *state,
11561156
action GetSchema,
11571157
) {
1158-
_, nodes := getNodesWithIDs(action.NodeID, s.nodes)
1159-
for _, node := range nodes {
1158+
nodeIDs, nodes := getNodesWithIDs(action.NodeID, s.nodes)
1159+
for index, node := range nodes {
1160+
nodeID := nodeIDs[index]
11601161
var results []client.SchemaDescription
11611162
var err error
1163+
s.ctx = getContextWithIdentity(s.ctx, s, action.Identity, nodeID)
11621164
switch {
11631165
case action.VersionID.HasValue():
11641166
result, e := node.GetSchemaByVersionID(s.ctx, action.VersionID.Value())
@@ -1173,6 +1175,7 @@ func getSchema(
11731175
},
11741176
)
11751177
}
1178+
resetStateContext(s)
11761179

11771180
expectedErrorRaised := AssertError(s.t, s.testCase.Description, err, action.ExpectedError)
11781181
assertExpectedErrorRaised(s.t, s.testCase.Description, action.ExpectedError, expectedErrorRaised)

0 commit comments

Comments
 (0)