
spicedb: improve auth module
Signed-off-by: Victor Login <batazor@evrone.com>
batazor committed Jun 12, 2023
1 parent 7a1a95d commit 02b4ba4
Showing 3 changed files with 114 additions and 21 deletions.
14 changes: 0 additions & 14 deletions .run/auth_spicedb.run.xml

This file was deleted.

21 changes: 16 additions & 5 deletions internal/pkg/auth/auth.go
Expand Up @@ -15,28 +15,39 @@ import (
"gopkg.in/yaml.v3"
)

// Migrations run the migrations for the authzed service.
func Migrations(ctx context.Context, fs embed.FS) error {
type Auth struct {
client *authzed.Client
}

func New() (*Auth, error) {
var err error
auth := &Auth{}

viper.SetDefault("SPICE_DB_API", "shortlink.spicedb:50051")
viper.SetDefault("SPICE_DB_COMMON_KEY", "secret-shortlink-preshared-key")

client, err := authzed.NewClient(
auth.client, err = authzed.NewClient(
viper.GetString("SPICE_DB_API"),
grpc.WithTransportCredentials(insecure.NewCredentials()),
grpc.WithPerRPCCredentials(insecureMetadataCreds{"authorization": "Bearer " + viper.GetString("SPICE_DB_COMMON_KEY")}),
grpc.WithBlock(),
)
if err != nil {
return err
return nil, err
}

return auth, nil
}

// Migrations run the migrations for the authzed service.
func (a *Auth) Migrations(ctx context.Context, fs embed.FS) error {
permissionsData, err := GetPermissions(fs)
if err != nil {
return err
}

for i := range permissionsData {
_, err = client.WriteSchema(ctx, permissionsData[i])
_, err = a.client.WriteSchema(ctx, permissionsData[i])
if err != nil {
return fmt.Errorf("Failed to write schema: %w", err)
}
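Review bot: `New` and the exported `Auth` type have no doc comment, and what `New` does deserves one: it dials SpiceDB with `insecure.NewCredentials()` and falls back to a baked-in pre-shared key when `SPICE_DB_COMMON_KEY` is unset, so every caller gets a plaintext, default-secret connection unless the environment overrides it. Suggest `// New dials the SpiceDB endpoint from SPICE_DB_API over a plaintext gRPC transport, authenticating with the pre-shared key from SPICE_DB_COMMON_KEY; both defaults are suitable only for local development.` and, as a follow-up, making the transport credentials configurable with TLS as the default. `grpc.WithBlock()` with no deadline also means `New()` can block indefinitely when the endpoint is unreachable; since `authzed.NewClient` is not given a context here, a bounded dial would need a context-aware constructor variant, which is worth deciding before more callers depend on this signature. The body of `Migrations` continues past the end of the hunk.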
100 changes: 98 additions & 2 deletions internal/pkg/auth/auth_test.go
Expand Up @@ -10,6 +10,7 @@ import (
"testing"
"testing/fstest"

pb "github.com/authzed/authzed-go/proto/authzed/api/v1"
"github.com/ory/dockertest/v3"
"github.com/stretchr/testify/require"
)
Expand Down Expand Up @@ -48,6 +49,7 @@ schema:

func TestSpiceDB(t *testing.T) {
ctx := context.Background()
var client *Auth

// uses a sensible default on windows (tcp/http) and linux/osx (socket)
pool, err := dockertest.NewPool("")
Expand Down Expand Up @@ -76,8 +78,8 @@ func TestSpiceDB(t *testing.T) {
errSetenv = os.Setenv("SPICE_DB_API", fmt.Sprintf("localhost:%s", resource.GetPort("50051/tcp")))
require.NoError(t, errSetenv, "Cannot set ENV")

errMigrations := Migrations(ctx, permissions)
require.NoError(t, errMigrations, "Cannot migrate")
client, err = New()
require.NoError(t, err, "Cannot create client")

return nil
}); errRetry != nil {
Expand All @@ -89,7 +91,101 @@ func TestSpiceDB(t *testing.T) {
require.NoError(t, errRetry, "Could not connect to docker")
}

// test migrations
t.Run("Migrations", func(t *testing.T) {
errMigrations := client.Migrations(ctx, permissions)
require.NoError(t, errMigrations, "Cannot migrate")
})

// mock data
emilia := &pb.SubjectReference{Object: &pb.ObjectReference{
ObjectType: "user",
ObjectId: "emilia",
}}

beatrice := &pb.SubjectReference{Object: &pb.ObjectReference{
ObjectType: "user",
ObjectId: "beatrice",
}}

firstItem := &pb.ObjectReference{
ObjectType: "link",
ObjectId: "1",
}

// test write
t.Run("Write", func(t *testing.T) {
request := &pb.WriteRelationshipsRequest{
Updates: []*pb.RelationshipUpdate{
{
// Emilia is a Writer on Post 1
Operation: pb.RelationshipUpdate_OPERATION_CREATE,
Relationship: &pb.Relationship{
Resource: firstItem,
Relation: "writer",
Subject: emilia,
},
},
{
// Beatrice is a Reader on Post 1
Operation: pb.RelationshipUpdate_OPERATION_CREATE,
Relationship: &pb.Relationship{
Resource: firstItem,
Relation: "reader",
Subject: beatrice,
},
},
},
}

_, errWrite := client.client.WriteRelationships(context.Background(), request)
require.NoError(t, errWrite)
})

// check permissions
t.Run("CheckPermissions", func(t *testing.T) {
resp, err := client.client.CheckPermission(ctx, &pb.CheckPermissionRequest{
Resource: firstItem,
Permission: "view",
Subject: emilia,
})
require.NoError(t, err, "Cannot check permission")
require.Equal(t, pb.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION, resp.Permissionship, "Emilia should have view permission")

resp, err = client.client.CheckPermission(ctx, &pb.CheckPermissionRequest{
Resource: firstItem,
Permission: "edit",
Subject: emilia,
})
require.NoError(t, err, "Cannot check permission")
require.Equal(t, pb.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION, resp.Permissionship, "Emilia should have write permission")

resp, err = client.client.CheckPermission(ctx, &pb.CheckPermissionRequest{
Resource: firstItem,
Permission: "view",
Subject: beatrice,
})
require.NoError(t, err, "Cannot check permission")
require.Equal(t, pb.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION, resp.Permissionship, "Beatrice should have view permission")

resp, err = client.client.CheckPermission(ctx, &pb.CheckPermissionRequest{
Resource: firstItem,
Permission: "edit",
Subject: beatrice,
})
require.NoError(t, err, "Cannot check permission")
require.Equal(t, pb.CheckPermissionResponse_PERMISSIONSHIP_NO_PERMISSION, resp.Permissionship, "Beatrice should have write permission")
})

t.Cleanup(func() {
// delete all data
_, errDelete := client.client.DeleteRelationships(ctx, &pb.DeleteRelationshipsRequest{
RelationshipFilter: &pb.RelationshipFilter{
ResourceType: "link",
},
})
require.NoError(t, errDelete, "Cannot delete relationships")

// When you're done, kill and remove the container
if errPurge := pool.Purge(resource); errPurge != nil {
t.Fatalf("Could not purge resource: %s", errPurge)
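Review bot: The last assertion's message contradicts what it checks — it expects `PERMISSIONSHIP_NO_PERMISSION` for Beatrice on `edit` but reads `"Beatrice should have write permission"`; change it to `"Beatrice should not have edit permission"` (the Emilia `edit` check above likewise says "write"). None of the `CheckPermission` requests set `Consistency`, so under SpiceDB's default minimize-latency consistency they may not observe the relationships written in the preceding `Write` subtest, which makes the test flaky; pass `Consistency: &pb.Consistency{Requirement: &pb.Consistency_FullyConsistent{FullyConsistent: true}}` or the `WrittenAt` token returned by `WriteRelationships`. In the earlier hunk, `client, err = New()` followed by `require.NoError` inside `pool.Retry` turns a transient dial failure into an immediate test failure instead of a retry; `return err` there and let the `errRetry` check report it. `TestSpiceDB` continues past the end of this hunk.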
