graphql-engine/server/src-test/Hasura/RQL/PermissionSpec.hs

module Hasura.RQL.PermissionSpec (spec) where

import Data.HashMap.Strict qualified as Map
import Data.HashSet qualified as Set
import Hasura.Prelude
import Hasura.RQL.DDL.Schema.Cache
import Hasura.RQL.DDL.Schema.Cache.Permission
import Hasura.RQL.Types.Action
import Hasura.RQL.Types.Roles
import Test.Hspec

spec :: Spec
spec = do
  booleanPermissionSpec

mkRoleNameE :: Text -> RoleName
mkRoleNameE = fromMaybe (error "rolename error") . mkRoleName

orderRolesE :: [Role] -> OrderedRoles
orderRolesE = either (error "orderRoles error") id . runExcept . orderRoles

-- | spec to test permissions inheritance for boolean permissions (actions and custom function permissions)
booleanPermissionSpec :: Spec
booleanPermissionSpec = do
  let role1Name = mkRoleNameE "role1"
      role2Name = mkRoleNameE "role2"
      role3Name = mkRoleNameE "role3"
      inheritedRole1Name = mkRoleNameE "inheritedRole1"
      inheritedRole2Name = mkRoleNameE "inheritedRole2"
      inheritedRole3Name = mkRoleNameE "inheritedRole3"
      role1 = Role role1Name $ ParentRoles mempty
      role2 = Role role2Name $ ParentRoles mempty
      role3 = Role role3Name $ ParentRoles mempty
      inheritedRole1 = Role inheritedRole1Name $ ParentRoles $ Set.fromList [role1Name, role2Name]
      inheritedRole2 = Role inheritedRole2Name $ ParentRoles $ Set.fromList [role3Name, inheritedRole1Name]
      inheritedRole3 = Role inheritedRole3Name $ ParentRoles $ Set.fromList [role1Name, role2Name]
      orderedRoles = orderRolesE [role1, role2, role3, inheritedRole1, inheritedRole2, inheritedRole3]
      metadataPermissions =
        Map.fromList $ [(role3Name, ActionPermissionInfo role3Name), (inheritedRole1Name, ActionPermissionInfo inheritedRole1Name)]
      processedPermissions = mkBooleanPermissionMap ActionPermissionInfo metadataPermissions orderedRoles
  describe "Action Permissions" $ do
    it "overrides the inherited permission for a role if permission already exists in the metadata" $
      Map.lookup inheritedRole1Name processedPermissions
        `shouldBe` (Just (ActionPermissionInfo inheritedRole1Name))
    it "when a role doesn't have a metadata permission and at least one of its parents has, then the inherited role should inherit the permission" $
      Map.lookup inheritedRole2Name processedPermissions
        `shouldBe` (Just (ActionPermissionInfo inheritedRole2Name))
    it "when a role doesn't have a metadata permission and none of the parents have permissions, then the inherited role should not inherit the permission" $
      Map.lookup inheritedRole3Name processedPermissions `shouldBe` Nothing
server: inherited roles for mutations, remote schemas, actions and custom functions https://github.com/hasura/graphql-engine-mono/pull/1715 GitOrigin-RevId: 4818292cff8c3a5b264968e7032887a1e98b6f79 2021-08-09 13:20:04 +03:00			`module Hasura.RQL.PermissionSpec (spec) where`

server, pro: actually reformat the code-base using ormolu This commit applies ormolu to the whole Haskell code base by running `make format`. For in-flight branches, simply merging changes from `main` will result in merge conflicts. To avoid this, update your branch using the following instructions. Replace `<format-commit>` by the hash of this commit. $ git checkout my-feature-branch $ git merge <format-commit>^ # and resolve conflicts normally $ make format $ git commit -a -m "reformat with ormolu" $ git merge -s ours post-ormolu https://github.com/hasura/graphql-engine-mono/pull/2404 GitOrigin-RevId: 75049f5c12f430c615eafb4c6b8e83e371e01c8e 2021-09-24 01:56:37 +03:00			`import Data.HashMap.Strict qualified as Map`
			`import Data.HashSet qualified as Set`
			`import Hasura.Prelude`
			`import Hasura.RQL.DDL.Schema.Cache`
			`import Hasura.RQL.DDL.Schema.Cache.Permission`
			`import Hasura.RQL.Types.Action`
			`import Hasura.RQL.Types.Roles`
			`import Test.Hspec`
server: inherited roles for mutations, remote schemas, actions and custom functions https://github.com/hasura/graphql-engine-mono/pull/1715 GitOrigin-RevId: 4818292cff8c3a5b264968e7032887a1e98b6f79 2021-08-09 13:20:04 +03:00
			`spec :: Spec`
			`spec = do`
			`booleanPermissionSpec`

			`mkRoleNameE :: Text -> RoleName`
			`mkRoleNameE = fromMaybe (error "rolename error") . mkRoleName`

			`orderRolesE :: [Role] -> OrderedRoles`
			`orderRolesE = either (error "orderRoles error") id . runExcept . orderRoles`

			`-- \| spec to test permissions inheritance for boolean permissions (actions and custom function permissions)`
			`booleanPermissionSpec :: Spec`
			`booleanPermissionSpec = do`
			`let role1Name = mkRoleNameE "role1"`
			`role2Name = mkRoleNameE "role2"`
			`role3Name = mkRoleNameE "role3"`
			`inheritedRole1Name = mkRoleNameE "inheritedRole1"`
			`inheritedRole2Name = mkRoleNameE "inheritedRole2"`
			`inheritedRole3Name = mkRoleNameE "inheritedRole3"`
			`role1 = Role role1Name $ ParentRoles mempty`
			`role2 = Role role2Name $ ParentRoles mempty`
			`role3 = Role role3Name $ ParentRoles mempty`
			`inheritedRole1 = Role inheritedRole1Name $ ParentRoles $ Set.fromList [role1Name, role2Name]`
			`inheritedRole2 = Role inheritedRole2Name $ ParentRoles $ Set.fromList [role3Name, inheritedRole1Name]`
			`inheritedRole3 = Role inheritedRole3Name $ ParentRoles $ Set.fromList [role1Name, role2Name]`
			`orderedRoles = orderRolesE [role1, role2, role3, inheritedRole1, inheritedRole2, inheritedRole3]`
			`metadataPermissions =`
			`Map.fromList $ [(role3Name, ActionPermissionInfo role3Name), (inheritedRole1Name, ActionPermissionInfo inheritedRole1Name)]`
			`processedPermissions = mkBooleanPermissionMap ActionPermissionInfo metadataPermissions orderedRoles`
			`describe "Action Permissions" $ do`
			`it "overrides the inherited permission for a role if permission already exists in the metadata" $`
			`Map.lookup inheritedRole1Name processedPermissions`
			`shouldBe` (Just (ActionPermissionInfo inheritedRole1Name))
			`it "when a role doesn't have a metadata permission and at least one of its parents has, then the inherited role should inherit the permission" $`
server, pro: actually reformat the code-base using ormolu This commit applies ormolu to the whole Haskell code base by running `make format`. For in-flight branches, simply merging changes from `main` will result in merge conflicts. To avoid this, update your branch using the following instructions. Replace `<format-commit>` by the hash of this commit. $ git checkout my-feature-branch $ git merge <format-commit>^ # and resolve conflicts normally $ make format $ git commit -a -m "reformat with ormolu" $ git merge -s ours post-ormolu https://github.com/hasura/graphql-engine-mono/pull/2404 GitOrigin-RevId: 75049f5c12f430c615eafb4c6b8e83e371e01c8e 2021-09-24 01:56:37 +03:00			`Map.lookup inheritedRole2Name processedPermissions`
server: inherited roles for mutations, remote schemas, actions and custom functions https://github.com/hasura/graphql-engine-mono/pull/1715 GitOrigin-RevId: 4818292cff8c3a5b264968e7032887a1e98b6f79 2021-08-09 13:20:04 +03:00			`shouldBe` (Just (ActionPermissionInfo inheritedRole2Name))
			`it "when a role doesn't have a metadata permission and none of the parents have permissions, then the inherited role should not inherit the permission" $`
server, pro: actually reformat the code-base using ormolu This commit applies ormolu to the whole Haskell code base by running `make format`. For in-flight branches, simply merging changes from `main` will result in merge conflicts. To avoid this, update your branch using the following instructions. Replace `<format-commit>` by the hash of this commit. $ git checkout my-feature-branch $ git merge <format-commit>^ # and resolve conflicts normally $ make format $ git commit -a -m "reformat with ormolu" $ git merge -s ours post-ormolu https://github.com/hasura/graphql-engine-mono/pull/2404 GitOrigin-RevId: 75049f5c12f430c615eafb4c6b8e83e371e01c8e 2021-09-24 01:56:37 +03:00			Map.lookup inheritedRole3Name processedPermissions `shouldBe` Nothing