import 'package:fake_cloud_firestore/fake_cloud_firestore.dart';
import 'package:firebase_auth_mocks/firebase_auth_mocks.dart';
import 'package:rxdart/rxdart.dart';
import 'package:test/test.dart';
/// Rules that grant `write` unconditionally inside `/some_collection` and say
/// nothing about reads or about any other path.
///
/// The grant carries no `if` condition and no `request.auth` check, so nothing
/// in it distinguishes signed-in clients from anonymous ones. It exists only
/// to show that the fake denies reads, and denies paths no rule matches; it is
/// not a template for production rules.
const allowWriteOnlyDescription = 'service cloud.firestore {\n'
    'match /databases/{database}/documents {\n'
    'match /some_collection/{document} {\n'
    'allow write;\n'
    '}\n'
    '}\n'
    '}';
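// https://firebase.google.com/docs/rules/rules-and-auth#leverage_user_information_in_rules
/// Rules that let a signed-in user read and write only `/users/<their uid>`.
///
/// `request.auth != null` is evaluated before the uid comparison, so an
/// anonymous request is denied rather than comparing `uid` on a null object.
/// The text contains no interpolation, so it is declared `const` like the
/// other rule sets in this file instead of `final`.
const authUidDescription = '''
service cloud.firestore {
match /databases/{database}/documents {
// Make sure the uid of the requesting user matches name of the user
// document. The wildcard expression {userId} makes the userId variable
// available in rules.
match /users/{userId} {
allow read, write: if request.auth != null && request.auth.uid == userId;
}
}
}''';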
// https://firebase.google.com/docs/rules/rules-and-auth#define_custom_user_information
// Everyone can read /databases/{database}/documents/only_admin_writes/{document},
// but only users whose token carries `admin == true` can write there.
// In /databases/{database}/documents/some_collection/{document}, only users
// with a `writer` claim can write and only users with a `reader` claim can read.
/// Claim-based rules: `/only_admin_writes/*` is readable by anyone and
/// writable only with an `admin` token claim; `/some_collection/*` requires a
/// `reader` claim to read and a `writer` claim to write.
///
/// NOTE(review): `allow read: true;` omits the `if` keyword that every other
/// grant here uses; confirm the production rules compiler accepts this form
/// before copying the text out of the fake. The conditions also dereference
/// `request.auth.token` with no `request.auth != null` guard, and no test in
/// this file sends an unauthenticated request against these rules, so that
/// path is unverified here.
const claimsDefinition = 'service cloud.firestore {\n'
    'match /databases/{database}/documents {\n'
    '// For attribute-based access control, check for an admin claim\n'
    'match /only_admin_writes/{document} {\n'
    'allow write: if request.auth.token.admin == true;\n'
    'allow read: true;\n'
    '}\n'
    '// Alternatively, for role-based access, assign specific roles to users\n'
    'match /some_collection/{document} {\n'
    'allow read: if request.auth.token.reader == true;\n'
    'allow write: if request.auth.token.writer == true;\n'
    '}\n'
    '}\n'
    '}\n';
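/// Exercises the security-rules support of [FakeFirebaseFirestore].
///
/// Every access is checked with `await expectLater(...)`: a denied access must
/// throw, and an allowed access is checked with `completes` rather than
/// `returnsNormally`, because the latter only proves the call did not throw
/// synchronously and would not notice a Future that later fails. Passing here
/// shows what the fake's rule engine does with the rule text; it does not show
/// that the production rules compiler accepts the same text.
void main() {
  test('by default, allows everything just like before', () async {
    // No `securityRules` given: the fake applies no access control at all.
    final instance = FakeFirebaseFirestore();
    await expectLater(
        instance.doc('users/user1').set({'name': 'zeta'}), completes);
  });
  test('write', () async {
    final instance =
        FakeFirebaseFirestore(securityRules: allowWriteOnlyDescription);
    // In scope: the unconditional `allow write` lets the set through.
    await expectLater(
        instance.doc('some_collection/doc1').set({'name': 'zeta'}), completes);
    // Outside of the scope: no rule matches, so access is denied.
    await expectLater(() => instance.doc('outside/doc2').set({'name': 'zeta'}),
        throwsException);
  });
  test('read fails if write only', () async {
    final instance =
        FakeFirebaseFirestore(securityRules: allowWriteOnlyDescription);
    // The rule set grants `write` only; reads are denied both inside and
    // outside the matched collection.
    await expectLater(
        () => instance.doc('some_collection/doc1').get(), throwsException);
    await expectLater(() => instance.doc('outside/doc2').get(), throwsException);
  });
  test('manually simulating authentication', () async {
    final auth = BehaviorSubject<Map<String, dynamic>?>();
    // Close the subject when the test finishes so the listener the fake
    // attaches to it does not outlive the test.
    addTearDown(auth.close);
    final instance = FakeFirebaseFirestore(
        securityRules: authUidDescription, authObject: auth);
    // Unauthenticated: `request.auth` is null, so the rule denies. Await the
    // denial before signing in so it cannot race the auth change below.
    await expectLater(
        () => instance.doc('users/abc').set({'name': 'zeta'}), throwsException);
    // Authenticated as the owner of /users/abc.
    auth.add({'uid': 'abc'});
    await expectLater(
        instance.doc('users/abc').set({'name': 'zeta'}), completes);
    // Authenticated, but targeting another user's document.
    await expectLater(
        () => instance.doc('users/def').set({'name': 'zeta'}), throwsException);
  });
  group('Firebase Auth Mocks', () {
    test('users can only read their own document', () async {
      final auth = MockFirebaseAuth();
      final firestore = FakeFirebaseFirestore(
          // Pass security rules to restrict `/users/{user}` documents.
          securityRules: authUidDescription,
          // Make MockFirebaseAuth inform FakeFirebaseFirestore of sign-in
          // changes.
          authObject: auth.authForFakeFirestore);
      // The user signs-in. FakeFirebaseFirestore knows about it thanks to
      // `authObject`.
      await auth.signInWithCustomToken('some token');
      final uid = auth.currentUser!.uid;
      // Now the user can access their user-specific document.
      await expectLater(
          firestore.doc('users/$uid').set({'name': 'abc'}), completes);
      // But not anyone else's: the rule grants `read, write` together, so a
      // mismatched uid denies the read as well as the write.
      await expectLater(
          () => firestore.doc('users/abcdef').get(), throwsException);
      await expectLater(
          () => firestore.doc('users/abcdef').set({'name': 'abc'}),
          throwsException);
      // Nor can they delete, which is also a write.
      await expectLater(
          () => firestore.doc('users/abcdef').delete(), throwsException);
    });
    test('recursive custom claims', () async {
      final a = MockFirebaseAuth(
          mockUser:
              MockUser(displayName: 'sam smith', customClaim: {'admin': true}));
      final f = FakeFirebaseFirestore(
          securityRules: claimsDefinition, authObject: a.authForFakeFirestore);
      await a.signInWithCustomToken('some token');
      // Can write in admin only collection.
      await expectLater(
          f.doc('only_admin_writes/doc1').set({'name': 'abc'}), completes);
      // Cannot access random collections.
      await expectLater(
          () => f.doc('other_collection/doc5').set({'name': 'abc'}),
          throwsException);
      // An admin claim grants nothing in some_collection: the token carries
      // neither `reader` nor `writer`, so both the read and the write are
      // denied. (The previous version only checked the read while the
      // comment talked about the write.)
      await expectLater(
          () => f.doc('some_collection/painting').get(), throwsException);
      await expectLater(
          () => f.doc('some_collection/painting').set({'name': 'abc'}),
          throwsException);
    });
    group('leaf custom custom claims', () {
      test('no role', () async {
        // No custom claims at all.
        final a = MockFirebaseAuth(mockUser: MockUser(displayName: 'Jim'));
        final f = FakeFirebaseFirestore(
            securityRules: claimsDefinition,
            authObject: a.authForFakeFirestore);
        await a.signInWithCustomToken('some token');
        // Can read only_admin_writes, since it is open to reading.
        await expectLater(f.doc('only_admin_writes/doc1').get(), completes);
        // Cannot write there. Only admins can.
        await expectLater(
            () => f.doc('only_admin_writes/doc1').set({'name': 'abc'}),
            throwsException);
        // Jim can neither read...
        await expectLater(
            () => f.doc('some_collection/painting').get(), throwsException);
        // ...nor write.
        await expectLater(
            () => f.doc('some_collection/painting').set({'name': 'tree'}),
            throwsException);
      });
      test('reader', () async {
        final a = MockFirebaseAuth(
            mockUser:
                MockUser(displayName: 'Jack', customClaim: {'reader': true}));
        final f = FakeFirebaseFirestore(
            securityRules: claimsDefinition,
            authObject: a.authForFakeFirestore);
        await a.signInWithCustomToken('some token');
        // Cannot write only_admin_writes. Only admins can.
        await expectLater(
            () => f.doc('only_admin_writes/doc1').set({'name': 'abc'}),
            throwsException);
        // Jack can read some_collection thanks to the `reader` claim.
        await expectLater(f.doc('some_collection/painting').get(), completes);
        // Jack cannot write it: `reader` does not imply `writer`.
        await expectLater(
            () => f.doc('some_collection/painting').set({'name': 'tree'}),
            throwsException);
      });
    });
  });
}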