@firebase/rules-unit-testing v2: `Null value error. for 'get'` when accessing `resource` in security rules

[sceee]

[REQUIRED] Describe your environment

• Operating System version: Windows 10
• Browser version: N/A
• Firebase SDK version: 9
• Firebase Product: firestore

[REQUIRED] Describe the problem

After migrating to @firebase/rules-unit-testing v2, some tests fail that passed before using v1.

The issue seems to be lying down somewhere here in these rules:

match /test/{id} {
      function getRole(rsc) {
        // Read from the "members" map in the resource (rsc).
        return int(rsc.data.members[request.auth.uid]);
      }

      function isOneOfRoles(rsc, array) {
        // Determine if the user is one of an array of roles
        return (getRole(rsc) in array);
      }

    allow read: if isOneOfRoles(resource, [1, 2]); // <-- This is the line mentioned in the error message
}

After migrating to v2, a test performing a get request to a resource in this collection fails with false for 'get' @ LX, Null value error. for 'get' @ LXX (the last line mentioned here is the line marked above)

Using the admin SDK I ensured that the data is there and the members map is correctly filled:

{
    members: { user: 2 },
}

So it seems for whatever reason this code int(rsc.data.members[request.auth.uid]) no longer executes correctly after updating to v2 and returns NULL.
I guess (but could not verify using the debug statement as it prints nothing) that request.auth.uid is null or at least not what I set using the authenticatedContext(...) call.

Steps to reproduce:

1. Create a document test/123 with the following data:

{
    members: {
        user: 2
    }
}

2. Have the above mentioned security rules checking that user is in the members map with value 1 or 2.
3. Execute test code below

Relevant Code:

const userDB = firebaseTestEnvironment.authenticatedContext('user', { email: 'user@example.com' }).firestore()
...
// Test code
await assertSucceeds(userDB.collection('test').doc('123').get()) // Fails with the above error

[sceee]

Well, my previous assumption was wrong, it seems that resource is empty for this request.

It probably has to do something with #5462 - as @yuchenshi mentioned over there, the admin SDK can directly connect to the emulator.

So I initialized an admin Firestore access using

const adminDb = getFirestore()

and created the data using

await adminDb.collection('test').doc('user').set({members: { user: 2 }})

Could it be, that the admin access using getFirestore() accesses a different database than the userDB created using authenticatedContext(...)?

[sceee]

So after further testing, it's definitely that resource in the Firestore rule is null for whatever reason.

If I adjust the rule for the document path to be read (test/user) to be just:

allow read: if resource != null;

the request made with userDB (initialized via firebaseTestEnvironment.authenticatedContext('user', { email: 'user@example.com' }).firestore()) is declined with false for 'get'.

Now if I change the rule to:

allow read: if resource == null;

it passes.

So it definitely seems that resource is not correctly populated when using the new authenticatedContext.

Side info: if I do exactly the same get call with an admin DB context (getFirestore() from admin SDK), the call passes. Obviously it bypasses the security rules but it means the data is also there.

[yuchenshi]

@sceee I think you have a projectId mismatch here -- your Admin SDK may be writing to project-id-a while your firebaseTestEnvironment is working on project-id-b for example.

I'd recommend setting the projectId for both SDKs. For Admin SDK, you can do initializeApp({projectId: "demo-example"}), and similarly initializeTestEnvironment({projectId: 'demo-example'}). Or try setting the GCLOUD_PROJECT environment variable for both.

[sceee]

@yuchenshi thank you very much, that was actually the wrong part as I've set a projectId for the firebaseTestEnvironment... :(

My bad, sorry. It's so tricky to set it all up as I was expecting it just somehow uses the project from the emulator.