Skip to content

Commit 95486dc

Browse files
committed
PR(MAIN): Gate & Test - DAC Operations
These operations were gated and tested: - AddDACPolicy - AddDACActorRelationship - DeleteDACActorRelationship
1 parent fc8d997 commit 95486dc

4 files changed

Lines changed: 313 additions & 0 deletions

File tree

internal/db/db.go

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -229,6 +229,11 @@ func (db *DB) AddDACPolicy(
229229
ctx, span := tracer.Start(ctx)
230230
defer span.End()
231231

232+
err := db.checkAdminAccess(ctx, acpTypes.AdminDACPolicyAddPerm)
233+
if err != nil {
234+
return client.AddPolicyResult{}, err
235+
}
236+
232237
if !db.documentACP.HasValue() {
233238
return client.AddPolicyResult{}, client.ErrACPOperationButACPNotAvailable
234239
}
@@ -307,6 +312,11 @@ func (db *DB) AddDACActorRelationship(
307312
ctx, span := tracer.Start(ctx)
308313
defer span.End()
309314

315+
err := db.checkAdminAccess(ctx, acpTypes.AdminDACRelationAddPerm)
316+
if err != nil {
317+
return client.AddActorRelationshipResult{}, err
318+
}
319+
310320
if !db.documentACP.HasValue() {
311321
return client.AddActorRelationshipResult{}, client.ErrACPOperationButACPNotAvailable
312322
}
@@ -355,6 +365,11 @@ func (db *DB) DeleteDACActorRelationship(
355365
ctx, span := tracer.Start(ctx)
356366
defer span.End()
357367

368+
err := db.checkAdminAccess(ctx, acpTypes.AdminDACRelationDeletePerm)
369+
if err != nil {
370+
return client.DeleteActorRelationshipResult{}, err
371+
}
372+
358373
if !db.documentACP.HasValue() {
359374
return client.DeleteActorRelationshipResult{}, client.ErrACPOperationButACPNotAvailable
360375
}
Lines changed: 82 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,82 @@
1+
// Copyright 2025 Democratized Data Foundation
2+
//
3+
// Use of this software is governed by the Business Source License
4+
// included in the file licenses/BSL.txt.
5+
//
6+
// As of the Change Date specified in that file, in accordance with
7+
// the Business Source License, use of this software will be governed
8+
// by the Apache License, Version 2.0, included in the file
9+
// licenses/APL.txt.
10+
11+
package test_acp_aac
12+
13+
import (
14+
"testing"
15+
16+
testUtils "github.com/sourcenetwork/defradb/tests/integration"
17+
)
18+
19+
func TestAAC_GatesAddingDACPolicy_AllowIfAuthorizedElseError(t *testing.T) {
20+
policy := `
21+
name: Test Policy
22+
description: A Policy
23+
actor:
24+
name: actor
25+
resources:
26+
users:
27+
permissions:
28+
read:
29+
expr: owner + reader + updater + deleter
30+
update:
31+
expr: owner + updater
32+
delete:
33+
expr: owner + deleter
34+
relations:
35+
owner:
36+
types:
37+
- actor
38+
reader:
39+
types:
40+
- actor
41+
updater:
42+
types:
43+
- actor
44+
deleter:
45+
types:
46+
- actor
47+
`
48+
49+
test := testUtils.TestCase{
50+
Description: "admin acp correctly gates adding DAC policy operation, allow if authorized, otherwise error",
51+
Actions: []any{
52+
// Starting with ACC, so only authorized user(s) can perform operations.
53+
testUtils.Close{},
54+
testUtils.Start{
55+
Identity: testUtils.ClientIdentity(1),
56+
EnableAAC: true,
57+
},
58+
59+
// We haven't authorized non-identities. So, this should error.
60+
testUtils.AddDACPolicy{
61+
Identity: testUtils.NoIdentity(),
62+
Policy: policy,
63+
ExpectedError: "not authorized to perform operation",
64+
},
65+
66+
// Wrong user/identity will also not be authorized.
67+
testUtils.AddDACPolicy{
68+
Identity: testUtils.ClientIdentity(2),
69+
Policy: policy,
70+
ExpectedError: "not authorized to perform operation",
71+
},
72+
73+
// This should work as the identity is authorized.
74+
testUtils.AddDACPolicy{
75+
Identity: testUtils.ClientIdentity(1),
76+
Policy: policy,
77+
},
78+
},
79+
}
80+
81+
testUtils.ExecuteTestCase(t, test)
82+
}
Lines changed: 104 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,104 @@
1+
// Copyright 2025 Democratized Data Foundation
2+
//
3+
// Use of this software is governed by the Business Source License
4+
// included in the file licenses/BSL.txt.
5+
//
6+
// As of the Change Date specified in that file, in accordance with
7+
// the Business Source License, use of this software will be governed
8+
// by the Apache License, Version 2.0, included in the file
9+
// licenses/APL.txt.
10+
11+
package test_acp_aac
12+
13+
import (
14+
"testing"
15+
16+
testUtils "github.com/sourcenetwork/defradb/tests/integration"
17+
)
18+
19+
func TestAAC_GatesAddingDACRelationship_AllowIfAuthorizedElseError(t *testing.T) {
20+
test := testUtils.TestCase{
21+
Description: "admin acp correctly gates adding DAC relationship operation, allow if authorized, otherwise error",
22+
Actions: []any{
23+
// Setup that we can do before aac is enabled.
24+
testUtils.AddDACPolicy{
25+
Identity: testUtils.ClientIdentity(1),
26+
Policy: `
27+
name: Test Policy
28+
description: A Policy
29+
actor:
30+
name: actor
31+
resources:
32+
users:
33+
permissions:
34+
read:
35+
expr: owner + reader + updater + deleter
36+
update:
37+
expr: owner + updater
38+
delete:
39+
expr: owner + deleter
40+
relations:
41+
owner:
42+
types:
43+
- actor
44+
reader:
45+
types:
46+
- actor
47+
updater:
48+
types:
49+
- actor
50+
deleter:
51+
types:
52+
- actor
53+
`,
54+
},
55+
testUtils.SchemaUpdate{
56+
Schema: `type Users @policy(id: "{{.Policy0}}", resource: "users") { name: String }`,
57+
Replace: map[string]testUtils.ReplaceType{"Policy0": testUtils.NewPolicyIndex(0)},
58+
},
59+
testUtils.CreateDoc{
60+
Identity: testUtils.ClientIdentity(1),
61+
CollectionID: 0,
62+
Doc: `{ "name": "Shahzad" }`,
63+
},
64+
65+
// Starting with ACC, so only authorized user(s) can perform operations.
66+
testUtils.Close{},
67+
testUtils.Start{
68+
Identity: testUtils.ClientIdentity(1),
69+
EnableAAC: true,
70+
},
71+
72+
// We haven't authorized non-identities. So, this should error.
73+
testUtils.AddDACActorRelationship{
74+
TargetIdentity: testUtils.ClientIdentity(3),
75+
CollectionID: 0,
76+
DocID: 0,
77+
Relation: "reader",
78+
ExpectedError: "not authorized to perform operation",
79+
},
80+
81+
// Wrong user/identity will also not be authorized.
82+
testUtils.AddDACActorRelationship{
83+
RequestorIdentity: testUtils.ClientIdentity(2),
84+
TargetIdentity: testUtils.ClientIdentity(3),
85+
CollectionID: 0,
86+
DocID: 0,
87+
Relation: "reader",
88+
ExpectedError: "not authorized to perform operation",
89+
},
90+
91+
// This should work as the identity is authorized.
92+
testUtils.AddDACActorRelationship{
93+
RequestorIdentity: testUtils.ClientIdentity(1),
94+
TargetIdentity: testUtils.ClientIdentity(3),
95+
CollectionID: 0,
96+
DocID: 0,
97+
Relation: "reader",
98+
ExpectedExistence: false,
99+
},
100+
},
101+
}
102+
103+
testUtils.ExecuteTestCase(t, test)
104+
}
Lines changed: 112 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,112 @@
1+
// Copyright 2025 Democratized Data Foundation
2+
//
3+
// Use of this software is governed by the Business Source License
4+
// included in the file licenses/BSL.txt.
5+
//
6+
// As of the Change Date specified in that file, in accordance with
7+
// the Business Source License, use of this software will be governed
8+
// by the Apache License, Version 2.0, included in the file
9+
// licenses/APL.txt.
10+
11+
package test_acp_aac
12+
13+
import (
14+
"testing"
15+
16+
testUtils "github.com/sourcenetwork/defradb/tests/integration"
17+
)
18+
19+
func TestAAC_GatesDeletingDACRelationship_AllowIfAuthorizedElseError(t *testing.T) {
20+
test := testUtils.TestCase{
21+
Description: "admin acp correctly gates deleting DAC relationship operation, allow if authorized, otherwise error",
22+
Actions: []any{
23+
// Setup that we can do before aac is enabled.
24+
testUtils.AddDACPolicy{
25+
Identity: testUtils.ClientIdentity(1),
26+
Policy: `
27+
name: Test Policy
28+
description: A Policy
29+
actor:
30+
name: actor
31+
resources:
32+
users:
33+
permissions:
34+
read:
35+
expr: owner + reader + updater + deleter
36+
update:
37+
expr: owner + updater
38+
delete:
39+
expr: owner + deleter
40+
relations:
41+
owner:
42+
types:
43+
- actor
44+
reader:
45+
types:
46+
- actor
47+
updater:
48+
types:
49+
- actor
50+
deleter:
51+
types:
52+
- actor
53+
`,
54+
},
55+
testUtils.SchemaUpdate{
56+
Schema: `type Users @policy(id: "{{.Policy0}}", resource: "users") { name: String }`,
57+
Replace: map[string]testUtils.ReplaceType{"Policy0": testUtils.NewPolicyIndex(0)},
58+
},
59+
testUtils.CreateDoc{
60+
Identity: testUtils.ClientIdentity(1),
61+
CollectionID: 0,
62+
Doc: `{ "name": "Shahzad" }`,
63+
},
64+
testUtils.AddDACActorRelationship{
65+
RequestorIdentity: testUtils.ClientIdentity(1),
66+
TargetIdentity: testUtils.ClientIdentity(3),
67+
CollectionID: 0,
68+
DocID: 0,
69+
Relation: "reader",
70+
ExpectedExistence: false,
71+
},
72+
73+
// Starting with ACC, so only authorized user(s) can perform operations.
74+
testUtils.Close{},
75+
testUtils.Start{
76+
Identity: testUtils.ClientIdentity(1),
77+
EnableAAC: true,
78+
},
79+
80+
// We haven't authorized non-identities. So, this should error.
81+
testUtils.DeleteDACActorRelationship{
82+
TargetIdentity: testUtils.ClientIdentity(3),
83+
CollectionID: 0,
84+
DocID: 0,
85+
Relation: "reader",
86+
ExpectedError: "not authorized to perform operation",
87+
},
88+
89+
// Wrong user/identity will also not be authorized.
90+
testUtils.DeleteDACActorRelationship{
91+
RequestorIdentity: testUtils.ClientIdentity(2),
92+
TargetIdentity: testUtils.ClientIdentity(3),
93+
CollectionID: 0,
94+
DocID: 0,
95+
Relation: "reader",
96+
ExpectedError: "not authorized to perform operation",
97+
},
98+
99+
// This should work as the identity is authorized.
100+
testUtils.DeleteDACActorRelationship{
101+
RequestorIdentity: testUtils.ClientIdentity(1),
102+
TargetIdentity: testUtils.ClientIdentity(3),
103+
CollectionID: 0,
104+
DocID: 0,
105+
Relation: "reader",
106+
ExpectedRecordFound: true,
107+
},
108+
},
109+
}
110+
111+
testUtils.ExecuteTestCase(t, test)
112+
}

0 commit comments

Comments
 (0)