chore(api-tests): talk about permissions, not explicit roles

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8359
GitOrigin-RevId: 5f0f106c8479b03bc3dbf445116c545bc43a2891
Tom Harding 2023-03-16 16:47:53 +00:00 committed by hasura-bot
parent ec24ea7182
commit 3c683b0852
4 changed files with 37 additions and 39 deletions


@ -61,7 +61,7 @@ import Harness.Exceptions (bracket, withFrozenCallStack)
import Harness.Http qualified as Http
import Harness.Logging
import Harness.Quoter.Yaml (fromYaml, yaml)
import Harness.TestEnvironment (Protocol (..), Server (..), TestEnvironment (..), getServer, requestProtocol, serverUrl, testLogMessage)
import Harness.TestEnvironment (Protocol (..), Server (..), TestEnvironment (..), TestingRole (..), getServer, requestProtocol, serverUrl, testLogMessage)
import Harness.WebSockets (responseListener)
import Hasura.App qualified as App
import Hasura.Logging (Hasura)
@ -121,10 +121,13 @@ postWithHeadersStatus ::
postWithHeadersStatus statusCode testEnv@(getServer -> Server {urlPrefix, port}) path headers requestBody = do
testLogMessage testEnv $ LogHGERequest (T.pack path) requestBody
let headers' :: Http.RequestHeaders
headers' = case testingRole testEnv of
Just role -> ("X-Hasura-Role", txtToBs role) : headers
Nothing -> headers
let role :: ByteString
role = case permissions testEnv of
Admin -> "admin"
NonAdmin _ -> "test-role"
headers' :: Http.RequestHeaders
headers' = ("X-Hasura-Role", role) : headers
responseBody <- withFrozenCallStack case requestProtocol (globalEnvironment testEnv) of
WebSocket connection -> postWithHeadersStatusViaWebSocket connection headers' requestBody
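Review bot: `headers' = ("X-Hasura-Role", role) : headers` now prepends a role header on every request, including the `Admin` case where the old code added none, so a caller that already passes its own `X-Hasura-Role` in `headers` ends up sending two. Which of the two the server honours is not visible here, so a test that believes it runs as a restricted role could be evaluated as `admin` (or the reverse), and a permission check would then pass or fail for the wrong reason. Consider adding the harness role only when the caller has not supplied one, e.g. `headers' = if any ((== "X-Hasura-Role") . fst) headers then headers else ("X-Hasura-Role", role) : headers` (assuming header names compare with `==`), or rejecting the conflicting combination outright. The body of `postWithHeadersStatus` continues past the end of the hunk.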


@ -55,7 +55,7 @@ selectPermission =
SelectPermissionDetails
{ selectPermissionSource = Nothing,
selectPermissionTable = mempty,
selectPermissionRole = mempty,
selectPermissionRole = "test-role",
selectPermissionColumns = mempty,
selectPermissionRows = object [],
selectPermissionAllowAggregations = False,
@ -67,7 +67,7 @@ updatePermission =
UpdatePermissionDetails
{ updatePermissionSource = Nothing,
updatePermissionTable = mempty,
updatePermissionRole = mempty,
updatePermissionRole = "test-role",
updatePermissionColumns = mempty,
updatePermissionRows = object []
}
@ -77,7 +77,7 @@ insertPermission =
InsertPermissionDetails
{ insertPermissionSource = Nothing,
insertPermissionTable = mempty,
insertPermissionRole = mempty,
insertPermissionRole = "test-role",
insertPermissionColumns = mempty,
insertPermissionRows = object []
}
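Review bot: The literal `"test-role"` is now written three times in these defaults (`selectPermissionRole`, `updatePermissionRole`, `insertPermissionRole`) and has to stay equal to the value `postWithHeadersStatus` sends for `NonAdmin`. If one copy drifts, permissions are created for a role that no request is sent as. A single shared definition, for instance a new `testRoleName` constant exported from one module and used in all four places, would remove that coupling. Short of that, a comment on each default such as `-- must match the X-Hasura-Role sent for NonAdmin requests` would at least document it.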


@ -63,6 +63,7 @@ import Harness.TestEnvironment
Server (..),
TestEnvironment (..),
TestingMode (..),
TestingRole (..),
UniqueTestId (..),
logger,
)
@ -283,7 +284,7 @@ setupTestEnvironment name globalTestEnvironment = do
{ fixtureName = name,
uniqueTestId = uniqueTestId,
globalEnvironment = globalTestEnvironment,
testingRole = Nothing
permissions = Admin
}
-- create source databases
@ -459,17 +460,14 @@ withPermissions (toList -> permissions) spec = do
where
succeeding :: (ActionWith TestEnvironment -> IO ()) -> ActionWith TestEnvironment -> IO ()
succeeding k test = k \testEnvironment -> do
let permissions' :: [Permission]
permissions' = fmap (withRole "success") permissions
for_ permissions $
postMetadata_ testEnvironment
. Permissions.createPermissionMetadata testEnvironment
for_ permissions' \permission ->
postMetadata_ testEnvironment do
Permissions.createPermissionMetadata testEnvironment permission
test testEnvironment {testingRole = Just "success"}
`finally` for_ permissions' \permission ->
postMetadata_ testEnvironment do
Permissions.dropPermissionMetadata testEnvironment permission
test testEnvironment {permissions = NonAdmin permissions} `finally` do
for_ permissions $
postMetadata_ testEnvironment
. Permissions.dropPermissionMetadata testEnvironment
failing :: (ActionWith TestEnvironment -> IO ()) -> ActionWith TestEnvironment -> IO ()
failing k test = k \testEnvironment -> do
@ -477,12 +475,9 @@ withPermissions (toList -> permissions) spec = do
-- they lead to test failures.
for_ (subsequences permissions) \subsequence ->
unless (subsequence == permissions) do
let permissions' :: [Permission]
permissions' = map (withRole "failure") subsequence
for_ permissions' \permission ->
postMetadata_ testEnvironment do
Permissions.createPermissionMetadata testEnvironment permission
for_ subsequence $
postMetadata_ testEnvironment
. Permissions.createPermissionMetadata testEnvironment
let attempt :: IO () -> IO ()
attempt x =
@ -491,18 +486,12 @@ withPermissions (toList -> permissions) spec = do
expectationFailure $
mconcat
[ "Unexpectedly adequate permissions:\n",
ppShow permissions'
ppShow subsequence
]
Left (_ :: SomeException) ->
pure ()
attempt (test testEnvironment {testingRole = Just "failure"})
`finally` for_ permissions' \permission ->
postMetadata_ testEnvironment do
Permissions.dropPermissionMetadata testEnvironment permission
withRole :: Text -> Permission -> Permission
withRole role = \case
SelectPermission p -> Permissions.SelectPermission p {Permissions.selectPermissionRole = role}
UpdatePermission p -> Permissions.UpdatePermission p {Permissions.updatePermissionRole = role}
InsertPermission p -> Permissions.InsertPermission p {Permissions.insertPermissionRole = role}
attempt (test testEnvironment {permissions = NonAdmin subsequence}) `finally` do
for_ subsequence $
postMetadata_ testEnvironment
. Permissions.dropPermissionMetadata testEnvironment
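Review bot: With `withRole` removed, nothing in `succeeding` or `failing` forces a permission's role any more, so both branches rely on every `Permission` still carrying the default role from its record. A test that builds a permission with a different `selectPermissionRole` (or the update/insert equivalent) gets it installed under that role while requests go out as the `NonAdmin` role; in `failing` the request is then denied whatever subset is under test, and the `Left (_ :: SomeException) -> pure ()` arm counts that as success. Either keep a normalising step before `createPermissionMetadata`, or state the constraint in the Haddock of `withPermissions`, e.g. `-- NOTE: permissions must use the default test role; other roles are not sent on requests.` Separately, the view-pattern binding `permissions` now shares its name with the record field in `testEnvironment {permissions = NonAdmin permissions}`, and renaming the local would make the update easier to read. `withPermissions` starts above the hunk.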


@ -8,6 +8,7 @@ module Harness.TestEnvironment
Protocol (..),
Server (..),
TestingMode (..),
TestingRole (..),
UniqueTestId (..),
debugger,
getServer,
@ -32,6 +33,7 @@ import Data.UUID (UUID)
import Data.Word
import Database.PostgreSQL.Simple.Options (Options)
import Harness.Logging.Messages
import Harness.Permissions.Types (Permission)
import Harness.Services.Composed qualified as Services
import Harness.Test.BackendType
import Harness.Test.FixtureName
@ -90,11 +92,15 @@ data TestEnvironment = TestEnvironment
uniqueTestId :: UniqueTestId,
-- | the backend types of the tests
fixtureName :: FixtureName,
-- | The role we attach to requests made within the tests. This allows us
-- to test permissions.
testingRole :: Maybe Text
-- | The permissions we'd like to use for testing.
permissions :: TestingRole
}
-- | The role we're going to use for testing. Either we're an admin, in which
-- case all permissions are implied, /or/ we're a regular user, in which case
-- the given permissions will be applied.
data TestingRole = Admin | NonAdmin [Permission]
-- | How should we make requests to `graphql-engine`? Both WebSocket- and HTTP-
-- based requests are supported.
data Protocol = HTTP | WebSocket WS.Connection
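Review bot: The Haddock on `TestingRole` says the given permissions "will be applied" for `NonAdmin`, but in the code shown in this commit nothing applies them on the strength of the field: `postWithHeadersStatus` matches `NonAdmin _` and ignores the list, and `withPermissions` creates the metadata itself before setting the field. The comment should say that the list records what has been installed for the test role, for example `-- ... /or/ we're a regular user, and the list records the permissions installed for the test role (setting it does not create them).` The field is also named `permissions` while its type is `TestingRole`, so a field comment like `-- | The role (and, for non-admins, the permissions) used for requests made in tests.` would describe it more accurately.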