mirror of
https://github.com/hasura/graphql-engine.git
synced 2024-12-15 17:31:56 +03:00
1698f9dd91
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8856 Co-authored-by: Daniel Harvey <4729125+danieljharvey@users.noreply.github.com> GitOrigin-RevId: 38ad67de9b3d765c4eb50943dd52b8fc32317540
50 lines
2.6 KiB
Haskell
50 lines
2.6 KiB
Haskell
module Hasura.RQL.PermissionSpec (spec) where
|
|
|
|
import Data.HashMap.Strict qualified as Map
|
|
import Data.HashSet qualified as Set
|
|
import Hasura.Prelude
|
|
import Hasura.RQL.DDL.Schema.Cache
|
|
import Hasura.RQL.DDL.Schema.Cache.Permission
|
|
import Hasura.RQL.Types.Action
|
|
import Hasura.RQL.Types.Roles
|
|
import Test.Hspec
|
|
|
|
spec :: Spec
|
|
spec = do
|
|
booleanPermissionSpec
|
|
|
|
mkRoleNameE :: Text -> RoleName
|
|
mkRoleNameE = fromMaybe (error "rolename error") . mkRoleName
|
|
|
|
orderRolesE :: [Role] -> OrderedRoles
|
|
orderRolesE = either (error "orderRoles error") id . runExcept . orderRoles
|
|
|
|
-- | spec to test permissions inheritance for boolean permissions (actions and custom function permissions)
|
|
booleanPermissionSpec :: Spec
|
|
booleanPermissionSpec = do
|
|
let role1Name = mkRoleNameE "role1"
|
|
role2Name = mkRoleNameE "role2"
|
|
role3Name = mkRoleNameE "role3"
|
|
inheritedRole1Name = mkRoleNameE "inheritedRole1"
|
|
inheritedRole2Name = mkRoleNameE "inheritedRole2"
|
|
inheritedRole3Name = mkRoleNameE "inheritedRole3"
|
|
role1 = Role role1Name $ ParentRoles mempty
|
|
role2 = Role role2Name $ ParentRoles mempty
|
|
role3 = Role role3Name $ ParentRoles mempty
|
|
inheritedRole1 = Role inheritedRole1Name $ ParentRoles $ Set.fromList [role1Name, role2Name]
|
|
inheritedRole2 = Role inheritedRole2Name $ ParentRoles $ Set.fromList [role3Name, inheritedRole1Name]
|
|
inheritedRole3 = Role inheritedRole3Name $ ParentRoles $ Set.fromList [role1Name, role2Name]
|
|
orderedRoles = orderRolesE [role1, role2, role3, inheritedRole1, inheritedRole2, inheritedRole3]
|
|
metadataPermissions =
|
|
Map.fromList $ [(role3Name, ActionPermissionInfo role3Name), (inheritedRole1Name, ActionPermissionInfo inheritedRole1Name)]
|
|
processedPermissions = mkBooleanPermissionMap ActionPermissionInfo metadataPermissions orderedRoles
|
|
describe "Action Permissions" $ do
|
|
it "overrides the inherited permission for a role if permission already exists in the metadata" $
|
|
Map.lookup inheritedRole1Name processedPermissions
|
|
`shouldBe` (Just (ActionPermissionInfo inheritedRole1Name))
|
|
it "when a role doesn't have a metadata permission and at least one of its parents has, then the inherited role should inherit the permission" $
|
|
Map.lookup inheritedRole2Name processedPermissions
|
|
`shouldBe` (Just (ActionPermissionInfo inheritedRole2Name))
|
|
it "when a role doesn't have a metadata permission and none of the parents have permissions, then the inherited role should not inherit the permission" $
|
|
Map.lookup inheritedRole3Name processedPermissions `shouldBe` Nothing
|