diff --git a/src/auth/models.cpp b/src/auth/models.cpp index 4733ee201c..2753b7df59 100644 --- a/src/auth/models.cpp +++ b/src/auth/models.cpp @@ -8,10 +8,8 @@ #include "auth/models.hpp" -#include -#include +#include #include -#include #include @@ -19,6 +17,7 @@ #include "auth/exceptions.hpp" #include "utils/cast.hpp" #include "utils/license.hpp" +#include "utils/logging.hpp" #include "utils/settings.hpp" #include "utils/string.hpp" @@ -101,6 +100,24 @@ std::string PermissionLevelToString(PermissionLevel level) { } } +FineGrainedAccessPermissions Merge(const FineGrainedAccessPermissions &first, + const FineGrainedAccessPermissions &second) { + std::unordered_map permissions{first.GetPermissions()}; + std::optional global_permission; + + if (second.GetGlobalPermission().has_value()) { + global_permission = second.GetGlobalPermission().value(); + } else if (first.GetGlobalPermission().has_value()) { + global_permission = first.GetGlobalPermission().value(); + } + + for (const auto &[label_name, permission] : second.GetPermissions()) { + permissions[label_name] = permission; + } + + return FineGrainedAccessPermissions(permissions, global_permission); +} + Permissions::Permissions(uint64_t grants, uint64_t denies) { // The deny bitmask has higher priority than the grant bitmask. denies_ = denies; @@ -186,112 +203,111 @@ bool operator==(const Permissions &first, const Permissions &second) { bool operator!=(const Permissions &first, const Permissions &second) { return !(first == second); } -const std::string ASTERISK = "*"; +FineGrainedAccessPermissions::FineGrainedAccessPermissions(const std::unordered_map &permissions, + const std::optional &global_permission) + : permissions_(permissions), global_permission_(global_permission) {} + +PermissionLevel FineGrainedAccessPermissions::Has(const std::string &permission, + const LabelPermission label_permission) const { + const auto concrete_permission = std::invoke([&]() -> uint64_t { + if (permissions_.contains(permission)) { + return permissions_.at(permission); + } -FineGrainedAccessPermissions::FineGrainedAccessPermissions(const std::unordered_set &grants, - const std::unordered_set &denies) - : grants_(grants), denies_(denies) {} + if (global_permission_.has_value()) { + return global_permission_.value(); + } -PermissionLevel FineGrainedAccessPermissions::Has(const std::string &permission) const { - if ((denies_.size() == 1 && denies_.find(ASTERISK) != denies_.end()) || denies_.find(permission) != denies_.end()) { - return PermissionLevel::DENY; - } + return 0; + }); - if ((grants_.size() == 1 && grants_.find(ASTERISK) != grants_.end()) || grants_.find(permission) != denies_.end()) { - return PermissionLevel::GRANT; - } + const auto temp_permission = concrete_permission & label_permission; - return PermissionLevel::NEUTRAL; + return temp_permission > 0 ? PermissionLevel::GRANT : PermissionLevel::DENY; } -void FineGrainedAccessPermissions::Grant(const std::string &permission) { +void FineGrainedAccessPermissions::Grant(const std::string &permission, const LabelPermission label_permission) { if (permission == ASTERISK) { - grants_.clear(); - denies_.clear(); - grants_.insert(permission); - - return; - } - - auto deniedPermissionIter = denies_.find(permission); - - if (deniedPermissionIter != denies_.end()) { - denies_.erase(deniedPermissionIter); + global_permission_ = CalculateGrant(label_permission); + } else { + permissions_[permission] |= CalculateGrant(label_permission); } +} - if (grants_.size() == 1 && grants_.find(ASTERISK) != grants_.end()) { - grants_.erase(ASTERISK); +void FineGrainedAccessPermissions::Revoke(const std::string &permission) { + if (permission == ASTERISK) { + permissions_.clear(); + global_permission_ = std::nullopt; + } else { + permissions_.erase(permission); } +} - if (grants_.find(permission) == grants_.end()) { - grants_.insert(permission); +void FineGrainedAccessPermissions::Deny(const std::string &permission, const LabelPermission label_permission) { + if (permission == ASTERISK) { + global_permission_ = CalculateDeny(label_permission); + } else { + permissions_[permission] = CalculateDeny(label_permission); } } -void FineGrainedAccessPermissions::Revoke(const std::string &permission) { - if (permission == ASTERISK) { - grants_.clear(); - denies_.clear(); +nlohmann::json FineGrainedAccessPermissions::Serialize() const { + nlohmann::json data = nlohmann::json::object(); + data["permissions"] = permissions_; + data["global_permission"] = global_permission_.has_value() ? global_permission_.value() : -1; + return data; +} - return; +FineGrainedAccessPermissions FineGrainedAccessPermissions::Deserialize(const nlohmann::json &data) { + if (!data.is_object()) { + throw AuthException("Couldn't load permissions data!"); } - auto deniedPermissionIter = denies_.find(permission); - auto grantedPermissionIter = grants_.find(permission); + std::optional global_permission; - if (deniedPermissionIter != denies_.end()) { - denies_.erase(deniedPermissionIter); + if (data["global_permission"].empty() || data["global_permission"] == -1) { + global_permission = std::nullopt; + } else { + global_permission = data["global_permission"]; } - if (grantedPermissionIter != grants_.end()) { - grants_.erase(grantedPermissionIter); - } + return FineGrainedAccessPermissions(data["permissions"], global_permission); } -void FineGrainedAccessPermissions::Deny(const std::string &permission) { - if (permission == ASTERISK) { - grants_.clear(); - denies_.clear(); - denies_.insert(permission); - - return; - } - - auto grantedPermissionIter = grants_.find(permission); +const std::unordered_map &FineGrainedAccessPermissions::GetPermissions() const { + return permissions_; +} +const std::optional &FineGrainedAccessPermissions::GetGlobalPermission() const { return global_permission_; }; - if (grantedPermissionIter != grants_.end()) { - grants_.erase(grantedPermissionIter); - } +uint64_t FineGrainedAccessPermissions::CalculateGrant(LabelPermission label_permission) { + uint64_t shift{1}; + uint64_t result{0}; + auto uint_label_permission = static_cast(label_permission); - if (denies_.size() == 1 && denies_.find(ASTERISK) != denies_.end()) { - denies_.erase(ASTERISK); + while (uint_label_permission > 0) { + result |= uint_label_permission; + uint_label_permission >>= shift; } - if (denies_.find(permission) == denies_.end()) { - denies_.insert(permission); - } + return result; } -nlohmann::json FineGrainedAccessPermissions::Serialize() const { - nlohmann::json data = nlohmann::json::object(); - data["grants"] = grants_; - data["denies"] = denies_; - return data; -} +uint64_t FineGrainedAccessPermissions::CalculateDeny(LabelPermission label_permission) { + uint64_t shift{1}; + uint64_t result{0}; + auto uint_label_permission = static_cast(label_permission); -FineGrainedAccessPermissions FineGrainedAccessPermissions::Deserialize(const nlohmann::json &data) { - if (!data.is_object()) { - throw AuthException("Couldn't load permissions data!"); + while (uint_label_permission <= LabelPermissionMax) { + result |= uint_label_permission; + uint_label_permission <<= shift; } - return FineGrainedAccessPermissions(data["grants"], data["denies"]); + return LabelPermissionAll - result; } -const std::unordered_set &FineGrainedAccessPermissions::grants() const { return grants_; } -const std::unordered_set &FineGrainedAccessPermissions::denies() const { return denies_; } - bool operator==(const FineGrainedAccessPermissions &first, const FineGrainedAccessPermissions &second) { - return first.grants() == second.grants() && first.denies() == second.denies(); + return first.GetPermissions() == second.GetPermissions() && + first.GetGlobalPermission() == second.GetGlobalPermission(); } bool operator!=(const FineGrainedAccessPermissions &first, const FineGrainedAccessPermissions &second) { @@ -321,7 +337,7 @@ FineGrainedAccessHandler FineGrainedAccessHandler::Deserialize(const nlohmann::j if (!data.is_object()) { throw AuthException("Couldn't load role data!"); } - if (!data["label_permissions"].is_object() && !data["edge_type_permissions"].is_object()) { + if (!data["label_permissions"].is_object() || !data["edge_type_permissions"].is_object()) { throw AuthException("Couldn't load label_permissions or edge_type_permissions data!"); } auto label_permissions = FineGrainedAccessPermissions::Deserialize(data["label_permissions"]); @@ -439,46 +455,16 @@ Permissions User::GetPermissions() const { FineGrainedAccessPermissions User::GetFineGrainedAccessLabelPermissions() const { if (role_) { - std::unordered_set resultGrants; - - std::set_union(fine_grained_access_handler_.label_permissions().grants().begin(), - fine_grained_access_handler_.label_permissions().grants().end(), - role_->fine_grained_access_handler().label_permissions().grants().begin(), - role_->fine_grained_access_handler().label_permissions().grants().end(), - std::inserter(resultGrants, resultGrants.begin())); - - std::unordered_set resultDenies; - - std::set_union(fine_grained_access_handler_.label_permissions().denies().begin(), - fine_grained_access_handler_.label_permissions().denies().end(), - role_->fine_grained_access_handler().label_permissions().denies().begin(), - role_->fine_grained_access_handler().label_permissions().denies().end(), - std::inserter(resultDenies, resultDenies.begin())); - - return FineGrainedAccessPermissions(resultGrants, resultDenies); + return Merge(role()->fine_grained_access_handler().label_permissions(), + fine_grained_access_handler_.label_permissions()); } return fine_grained_access_handler_.label_permissions(); } FineGrainedAccessPermissions User::GetFineGrainedAccessEdgeTypePermissions() const { if (role_) { - std::unordered_set resultGrants; - - std::set_union(fine_grained_access_handler_.edge_type_permissions().grants().begin(), - fine_grained_access_handler_.edge_type_permissions().grants().end(), - role_->fine_grained_access_handler().edge_type_permissions().grants().begin(), - role_->fine_grained_access_handler().edge_type_permissions().grants().end(), - std::inserter(resultGrants, resultGrants.begin())); - - std::unordered_set resultDenies; - - std::set_union(fine_grained_access_handler_.edge_type_permissions().denies().begin(), - fine_grained_access_handler_.edge_type_permissions().denies().end(), - role_->fine_grained_access_handler().edge_type_permissions().denies().begin(), - role_->fine_grained_access_handler().edge_type_permissions().denies().end(), - std::inserter(resultDenies, resultDenies.begin())); - - return FineGrainedAccessPermissions(resultGrants, resultDenies); + return Merge(role()->fine_grained_access_handler().edge_type_permissions(), + fine_grained_access_handler_.edge_type_permissions()); } return fine_grained_access_handler_.edge_type_permissions(); } diff --git a/src/auth/models.hpp b/src/auth/models.hpp index 85459b7a29..5556f43610 100644 --- a/src/auth/models.hpp +++ b/src/auth/models.hpp @@ -10,12 +10,12 @@ #include #include -#include +#include #include -#include namespace memgraph::auth { +const std::string ASTERISK = "*"; // These permissions must have values that are applicable for usage in a // bitmask. // clang-format off @@ -44,15 +44,34 @@ enum class Permission : uint64_t { }; // clang-format on +// clang-format off +enum class LabelPermission : uint64_t { + READ = 1, + EDIT = 1U << 1U, + CREATE_DELETE = 1U << 2U +}; +// clang-format on + +constexpr inline uint64_t operator|(LabelPermission lhs, LabelPermission rhs) { + return static_cast(lhs) | static_cast(rhs); +} + +constexpr inline uint64_t operator|(uint64_t lhs, LabelPermission rhs) { return lhs | static_cast(rhs); } + +constexpr inline uint64_t operator&(uint64_t lhs, LabelPermission rhs) { + return (lhs & static_cast(rhs)) != 0; +} + +constexpr uint64_t LabelPermissionAll = memgraph::auth::LabelPermission::CREATE_DELETE | + memgraph::auth::LabelPermission::EDIT | memgraph::auth::LabelPermission::READ; +constexpr uint64_t LabelPermissionMax = static_cast(memgraph::auth::LabelPermission::CREATE_DELETE); +constexpr uint64_t LabelPermissionMin = static_cast(memgraph::auth::LabelPermission::READ); + // Function that converts a permission to its string representation. std::string PermissionToString(Permission permission); // Class that indicates what permission level the user/role has. -enum class PermissionLevel { - GRANT, - NEUTRAL, - DENY, -}; +enum class PermissionLevel : uint8_t { GRANT, NEUTRAL, DENY }; // Function that converts a permission level to its string representation. std::string PermissionLevelToString(PermissionLevel level); @@ -98,34 +117,36 @@ bool operator!=(const Permissions &first, const Permissions &second); class FineGrainedAccessPermissions final { public: - explicit FineGrainedAccessPermissions(const std::unordered_set &grants = {}, - const std::unordered_set &denies = {}); - + explicit FineGrainedAccessPermissions(const std::unordered_map &permissions = {}, + const std::optional &global_permission = std::nullopt); FineGrainedAccessPermissions(const FineGrainedAccessPermissions &) = default; FineGrainedAccessPermissions &operator=(const FineGrainedAccessPermissions &) = default; FineGrainedAccessPermissions(FineGrainedAccessPermissions &&) = default; FineGrainedAccessPermissions &operator=(FineGrainedAccessPermissions &&) = default; ~FineGrainedAccessPermissions() = default; - PermissionLevel Has(const std::string &permission) const; + PermissionLevel Has(const std::string &permission, LabelPermission label_permission) const; - void Grant(const std::string &permission); + void Grant(const std::string &permission, LabelPermission label_permission); void Revoke(const std::string &permission); - void Deny(const std::string &permission); + void Deny(const std::string &permission, LabelPermission label_permission); nlohmann::json Serialize() const; /// @throw AuthException if unable to deserialize. static FineGrainedAccessPermissions Deserialize(const nlohmann::json &data); - const std::unordered_set &grants() const; - const std::unordered_set &denies() const; + const std::unordered_map &GetPermissions() const; + const std::optional &GetGlobalPermission() const; private: - std::unordered_set grants_{}; - std::unordered_set denies_{}; + std::unordered_map permissions_{}; + std::optional global_permission_; + + static uint64_t CalculateGrant(LabelPermission label_permission); + static uint64_t CalculateDeny(LabelPermission label_permission); }; bool operator==(const FineGrainedAccessPermissions &first, const FineGrainedAccessPermissions &second); @@ -252,4 +273,7 @@ class User final { }; bool operator==(const User &first, const User &second); + +FineGrainedAccessPermissions Merge(const FineGrainedAccessPermissions &first, + const FineGrainedAccessPermissions &second); } // namespace memgraph::auth diff --git a/src/glue/auth_checker.cpp b/src/glue/auth_checker.cpp index d96ced174d..b29561289c 100644 --- a/src/glue/auth_checker.cpp +++ b/src/glue/auth_checker.cpp @@ -21,14 +21,15 @@ namespace { bool IsUserAuthorizedLabels(const memgraph::auth::User &user, const memgraph::query::DbAccessor &dba, const std::vector &labels) { return std::all_of(labels.begin(), labels.end(), [&dba, &user](const auto label) { - return user.GetFineGrainedAccessLabelPermissions().Has(dba.LabelToName(label)) == - memgraph::auth::PermissionLevel::GRANT; + return user.GetFineGrainedAccessLabelPermissions().Has( + dba.LabelToName(label), memgraph::auth::LabelPermission::READ) == memgraph::auth::PermissionLevel::GRANT; }); } bool IsUserAuthorizedEdgeType(const memgraph::auth::User &user, const memgraph::query::DbAccessor &dba, const memgraph::storage::EdgeTypeId &edgeType) { - return user.GetFineGrainedAccessEdgeTypePermissions().Has(dba.EdgeTypeToName(edgeType)) == + return user.GetFineGrainedAccessEdgeTypePermissions().Has(dba.EdgeTypeToName(edgeType), + memgraph::auth::LabelPermission::READ) == memgraph::auth::PermissionLevel::GRANT; } } // namespace diff --git a/src/memgraph.cpp b/src/memgraph.cpp index dde14004f2..b611186d0c 100644 --- a/src/memgraph.cpp +++ b/src/memgraph.cpp @@ -756,43 +756,57 @@ class AuthQueryHandler final : public memgraph::query::AuthQueryHandler { void GrantPrivilege(const std::string &user_or_role, const std::vector &privileges, - const std::vector &labels, const std::vector &edgeTypes) override { - EditPermissions(user_or_role, privileges, labels, edgeTypes, [](auto *permissions, const auto &permission) { - // TODO (mferencevic): should we first check that the - // privilege is granted/denied/revoked before - // unconditionally granting/denying/revoking it? - permissions->Grant(permission); - }); + const std::vector &labels, const std::vector &edge_types) override { + EditPermissions( + user_or_role, privileges, labels, edge_types, + [](auto &permissions, const auto &permission) { + // TODO (mferencevic): should we first check that the + // privilege is granted/denied/revoked before + // unconditionally granting/denying/revoking it? + permissions.Grant(permission); + }, + [](auto &label_permissions, const auto &label) { + label_permissions.Grant(label, memgraph::auth::LabelPermission::CREATE_DELETE); + }); } void DenyPrivilege(const std::string &user_or_role, const std::vector &privileges, - const std::vector &labels, const std::vector &edgeTypes) override { - EditPermissions(user_or_role, privileges, labels, edgeTypes, [](auto *permissions, const auto &permission) { - // TODO (mferencevic): should we first check that the - // privilege is granted/denied/revoked before - // unconditionally granting/denying/revoking it? - permissions->Deny(permission); - }); + const std::vector &labels, const std::vector &edge_types) override { + EditPermissions( + user_or_role, privileges, labels, edge_types, + [](auto &permissions, const auto &permission) { + // TODO (mferencevic): should we first check that the + // privilege is granted/denied/revoked before + // unconditionally granting/denying/revoking it? + permissions.Deny(permission); + }, + [](auto &label_permissions, const auto &label) { + label_permissions.Deny(label, memgraph::auth::LabelPermission::READ); + }); } void RevokePrivilege(const std::string &user_or_role, const std::vector &privileges, - const std::vector &labels, const std::vector &edgeTypes) override { - EditPermissions(user_or_role, privileges, labels, edgeTypes, [](auto *permissions, const auto &permission) { - // TODO (mferencevic): should we first check that the - // privilege is granted/denied/revoked before - // unconditionally granting/denying/revoking it? - permissions->Revoke(permission); - }); + const std::vector &labels, const std::vector &edge_types) override { + EditPermissions( + user_or_role, privileges, labels, edge_types, + [](auto &permissions, const auto &permission) { + // TODO (mferencevic): should we first check that the + // privilege is granted/denied/revoked before + // unconditionally granting/denying/revoking it? + permissions.Revoke(permission); + }, + [](auto &label_permissions, const auto &label) { label_permissions.Revoke(label); }); } private: - template + template void EditPermissions(const std::string &user_or_role, const std::vector &privileges, const std::vector &labels, const std::vector &edgeTypes, - const TEditFun &edit_fun) { + const TEditPermissionsFun &edit_permissions_fun, + const TEditFineGrainedPermissionsFun &edit_fine_grained_permissions_fun) { if (!std::regex_match(user_or_role, name_regex_)) { throw memgraph::query::QueryRuntimeException("Invalid user or role name."); } @@ -810,25 +824,25 @@ class AuthQueryHandler final : public memgraph::query::AuthQueryHandler { } if (user) { for (const auto &permission : permissions) { - edit_fun(&user->permissions(), permission); + edit_permissions_fun(user->permissions(), permission); } for (const auto &label : labels) { - edit_fun(&user->fine_grained_access_handler().label_permissions(), label); + edit_fine_grained_permissions_fun(user->fine_grained_access_handler().label_permissions(), label); } for (const auto &edgeType : edgeTypes) { - edit_fun(&user->fine_grained_access_handler().edge_type_permissions(), edgeType); + edit_fine_grained_permissions_fun(user->fine_grained_access_handler().edge_type_permissions(), edgeType); } locked_auth->SaveUser(*user); } else { for (const auto &permission : permissions) { - edit_fun(&role->permissions(), permission); + edit_permissions_fun(role->permissions(), permission); } for (const auto &label : labels) { - edit_fun(&user->fine_grained_access_handler().label_permissions(), label); + edit_fine_grained_permissions_fun(user->fine_grained_access_handler().label_permissions(), label); } for (const auto &edgeType : edgeTypes) { - edit_fun(&role->fine_grained_access_handler().edge_type_permissions(), edgeType); + edit_fine_grained_permissions_fun(role->fine_grained_access_handler().edge_type_permissions(), edgeType); } locked_auth->SaveRole(*role); diff --git a/tests/e2e/write_procedures/procedures/read.py b/tests/e2e/write_procedures/procedures/read.py index 3f791a37a1..0532fda1a0 100644 --- a/tests/e2e/write_procedures/procedures/read.py +++ b/tests/e2e/write_procedures/procedures/read.py @@ -13,8 +13,7 @@ @mgp.read_proc -def underlying_graph_is_mutable(ctx: mgp.ProcCtx, - object: mgp.Any) -> mgp.Record(mutable=bool): +def underlying_graph_is_mutable(ctx: mgp.ProcCtx, object: mgp.Any) -> mgp.Record(mutable=bool): return mgp.Record(mutable=object.underlying_graph_is_mutable()) diff --git a/tests/unit/auth.cpp b/tests/unit/auth.cpp index d270e6f4ac..49cb72d1ae 100644 --- a/tests/unit/auth.cpp +++ b/tests/unit/auth.cpp @@ -11,6 +11,7 @@ #include #include +#include #include #include @@ -176,25 +177,29 @@ TEST_F(AuthWithStorage, UserRoleFineGrainedAccessHandler) { user->GetFineGrainedAccessEdgeTypePermissions()); // Grant one label to user . - user->fine_grained_access_handler().label_permissions().Grant("labelTest"); + user->fine_grained_access_handler().label_permissions().Grant("labelTest", LabelPermission::CREATE_DELETE); // Grant one edge type to user . - user->fine_grained_access_handler().edge_type_permissions().Grant("edgeTypeTest"); + user->fine_grained_access_handler().edge_type_permissions().Grant("edgeTypeTest", LabelPermission::CREATE_DELETE); // Check permissions. - ASSERT_EQ(user->fine_grained_access_handler().label_permissions().Has("labelTest"), PermissionLevel::GRANT); - ASSERT_EQ(user->fine_grained_access_handler().edge_type_permissions().Has("edgeTypeTest"), PermissionLevel::GRANT); + ASSERT_EQ(user->fine_grained_access_handler().label_permissions().Has("labelTest", LabelPermission::READ), + PermissionLevel::GRANT); + ASSERT_EQ(user->fine_grained_access_handler().edge_type_permissions().Has("edgeTypeTest", LabelPermission::READ), + PermissionLevel::GRANT); ASSERT_EQ(user->fine_grained_access_handler().label_permissions(), user->GetFineGrainedAccessLabelPermissions()); ASSERT_EQ(user->fine_grained_access_handler().edge_type_permissions(), user->GetFineGrainedAccessEdgeTypePermissions()); // Deny one label to user . - user->fine_grained_access_handler().label_permissions().Deny("labelTest1"); + user->fine_grained_access_handler().label_permissions().Deny("labelTest1", LabelPermission::READ); // Deny one edge type to user . - user->fine_grained_access_handler().edge_type_permissions().Deny("edgeTypeTest1"); + user->fine_grained_access_handler().edge_type_permissions().Deny("edgeTypeTest1", LabelPermission::READ); // Check permissions. - ASSERT_EQ(user->fine_grained_access_handler().label_permissions().Has("labelTest1"), PermissionLevel::DENY); - ASSERT_EQ(user->fine_grained_access_handler().edge_type_permissions().Has("edgeTypeTest1"), PermissionLevel::DENY); + ASSERT_EQ(user->fine_grained_access_handler().label_permissions().Has("labelTest1", LabelPermission::READ), + PermissionLevel::DENY); + ASSERT_EQ(user->fine_grained_access_handler().edge_type_permissions().Has("edgeTypeTest1", LabelPermission::READ), + PermissionLevel::DENY); ASSERT_EQ(user->fine_grained_access_handler().label_permissions(), user->GetFineGrainedAccessLabelPermissions()); ASSERT_EQ(user->fine_grained_access_handler().edge_type_permissions(), user->GetFineGrainedAccessEdgeTypePermissions()); @@ -205,25 +210,29 @@ TEST_F(AuthWithStorage, UserRoleFineGrainedAccessHandler) { ASSERT_NE(role, std::nullopt); // Grant label and edge type to role and role to user. - role->fine_grained_access_handler().label_permissions().Grant("roleLabelTest"); - role->fine_grained_access_handler().edge_type_permissions().Grant("roleEdgeTypeTest"); + role->fine_grained_access_handler().label_permissions().Grant("roleLabelTest", LabelPermission::CREATE_DELETE); + role->fine_grained_access_handler().edge_type_permissions().Grant("roleEdgeTypeTest", LabelPermission::CREATE_DELETE); user->SetRole(*role); // Check permissions. { - ASSERT_EQ(user->GetFineGrainedAccessLabelPermissions().Has("roleLabelTest"), PermissionLevel::GRANT); - ASSERT_EQ(user->GetFineGrainedAccessEdgeTypePermissions().Has("roleEdgeTypeTest"), PermissionLevel::GRANT); + ASSERT_EQ(user->GetFineGrainedAccessLabelPermissions().Has("roleLabelTest", LabelPermission::READ), + PermissionLevel::GRANT); + ASSERT_EQ(user->GetFineGrainedAccessEdgeTypePermissions().Has("roleEdgeTypeTest", LabelPermission::READ), + PermissionLevel::GRANT); } // Deny label and edge type to role and role to user. - role->fine_grained_access_handler().label_permissions().Deny("roleLabelTest1"); - role->fine_grained_access_handler().edge_type_permissions().Deny("roleEdgeTypeTest1"); + role->fine_grained_access_handler().label_permissions().Deny("roleLabelTest1", LabelPermission::READ); + role->fine_grained_access_handler().edge_type_permissions().Deny("roleEdgeTypeTest1", LabelPermission::READ); user->SetRole(*role); // Check permissions. { - ASSERT_EQ(user->GetFineGrainedAccessLabelPermissions().Has("roleLabelTest1"), PermissionLevel::DENY); - ASSERT_EQ(user->GetFineGrainedAccessEdgeTypePermissions().Has("roleEdgeTypeTest1"), PermissionLevel::DENY); + ASSERT_EQ(user->GetFineGrainedAccessLabelPermissions().Has("roleLabelTest1", LabelPermission::READ), + PermissionLevel::DENY); + ASSERT_EQ(user->GetFineGrainedAccessEdgeTypePermissions().Has("roleEdgeTypeTest1", LabelPermission::READ), + PermissionLevel::DENY); } } @@ -475,6 +484,361 @@ TEST(AuthWithoutStorage, PermissionsMaskTest) { ASSERT_EQ(p4.denies(), 2); } +TEST(AuthWithoutStorage, FineGrainedAccessPermissions) { + const std::string any_label = "AnyString"; + const std::string check_label = "Label"; + const std::string non_check_label = "OtherLabel"; + const std::string asterisk = "*"; + + { + FineGrainedAccessPermissions fga_permissions1, fga_permissions2; + ASSERT_TRUE(fga_permissions1 == fga_permissions2); + } + + { + FineGrainedAccessPermissions fga_permissions; + ASSERT_TRUE(fga_permissions.GetPermissions().empty()); + ASSERT_EQ(fga_permissions.GetGlobalPermission(), std::nullopt); + + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::READ), PermissionLevel::DENY); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(any_label, LabelPermission::CREATE_DELETE); + + ASSERT_EQ(fga_permissions.GetGlobalPermission(), std::nullopt); + ASSERT_FALSE(fga_permissions.GetPermissions().empty()); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Deny(any_label, LabelPermission::CREATE_DELETE); + + ASSERT_EQ(fga_permissions.GetGlobalPermission(), std::nullopt); + ASSERT_FALSE(fga_permissions.GetPermissions().empty()); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Deny(any_label, LabelPermission::CREATE_DELETE); + + ASSERT_EQ(fga_permissions.GetGlobalPermission(), LabelPermissionAll); + ASSERT_FALSE(fga_permissions.GetPermissions().empty()); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Revoke(any_label); + + ASSERT_EQ(fga_permissions.GetGlobalPermission(), LabelPermissionAll); + ASSERT_TRUE(fga_permissions.GetPermissions().empty()); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(any_label, LabelPermission::CREATE_DELETE); + fga_permissions.Revoke(any_label); + + ASSERT_EQ(fga_permissions.GetGlobalPermission(), std::nullopt); + ASSERT_TRUE(fga_permissions.GetPermissions().empty()); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(any_label, LabelPermission::CREATE_DELETE); + fga_permissions.Revoke(asterisk); + + ASSERT_EQ(fga_permissions.GetGlobalPermission(), std::nullopt); + ASSERT_TRUE(fga_permissions.GetPermissions().empty()); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Deny(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Revoke(any_label); + + ASSERT_EQ(fga_permissions.GetGlobalPermission(), LabelPermission::EDIT | LabelPermission::READ); + ASSERT_TRUE(fga_permissions.GetPermissions().empty()); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Deny(any_label, LabelPermission::CREATE_DELETE); + fga_permissions.Revoke(any_label); + + ASSERT_EQ(fga_permissions.GetGlobalPermission(), std::nullopt); + ASSERT_TRUE(fga_permissions.GetPermissions().empty()); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Deny(any_label, LabelPermission::CREATE_DELETE); + fga_permissions.Revoke(asterisk); + + ASSERT_EQ(fga_permissions.GetGlobalPermission(), std::nullopt); + ASSERT_TRUE(fga_permissions.GetPermissions().empty()); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(check_label, LabelPermission::CREATE_DELETE); + fga_permissions.Deny(non_check_label, LabelPermission::CREATE_DELETE); + fga_permissions.Revoke(asterisk); + + ASSERT_EQ(fga_permissions.GetGlobalPermission(), std::nullopt); + ASSERT_TRUE(fga_permissions.GetPermissions().empty()); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::EDIT); + + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Deny(asterisk, LabelPermission::CREATE_DELETE); + + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Deny(asterisk, LabelPermission::EDIT); + + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Deny(asterisk, LabelPermission::READ); + + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::READ), PermissionLevel::DENY); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::READ); + fga_permissions.Grant(check_label, LabelPermission::EDIT); + + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::READ), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::READ); + fga_permissions.Deny(check_label, LabelPermission::CREATE_DELETE); + + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::READ), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Deny(check_label, LabelPermission::EDIT); + + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::READ), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::CREATE_DELETE), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Deny(check_label, LabelPermission::CREATE_DELETE); + + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::READ), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::CREATE_DELETE), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Deny(asterisk, LabelPermission::CREATE_DELETE); + + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Deny(asterisk, LabelPermission::EDIT); + + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Deny(asterisk, LabelPermission::READ); + + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(any_label, LabelPermission::READ), PermissionLevel::DENY); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Deny(check_label, LabelPermission::READ); + fga_permissions.Revoke(asterisk); + + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::READ), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::READ), PermissionLevel::DENY); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Deny(check_label, LabelPermission::EDIT); + fga_permissions.Revoke(asterisk); + + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::READ), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::READ), PermissionLevel::DENY); + } + + { + FineGrainedAccessPermissions fga_permissions; + fga_permissions.Grant(asterisk, LabelPermission::CREATE_DELETE); + fga_permissions.Deny(check_label, LabelPermission::CREATE_DELETE); + fga_permissions.Revoke(asterisk); + + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(check_label, LabelPermission::READ), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions.Has(non_check_label, LabelPermission::READ), PermissionLevel::DENY); + } +} +TEST_F(AuthWithStorage, FineGrainedAccessCheckerMerge) { + auto any_label = "AnyString"; + auto check_label = "Label"; + auto asterisk = "*"; + + { + FineGrainedAccessPermissions fga_permissions1, fga_permissions2; + fga_permissions1.Grant(asterisk, LabelPermission::READ); + + auto fga_permissions3 = memgraph::auth::Merge(fga_permissions1, fga_permissions2); + + ASSERT_EQ(fga_permissions3.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions3.Has(any_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions3.Has(any_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions1, fga_permissions2; + fga_permissions2.Grant(asterisk, LabelPermission::READ); + + auto fga_permissions3 = memgraph::auth::Merge(fga_permissions1, fga_permissions2); + + ASSERT_EQ(fga_permissions3.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions3.Has(any_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions3.Has(any_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions1, fga_permissions2; + fga_permissions1.Grant(asterisk, LabelPermission::READ); + fga_permissions2.Grant(asterisk, LabelPermission::EDIT); + + auto fga_permissions3 = memgraph::auth::Merge(fga_permissions1, fga_permissions2); + + ASSERT_EQ(fga_permissions3.Has(any_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions3.Has(any_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions3.Has(any_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions1, fga_permissions2; + fga_permissions1.Grant(asterisk, LabelPermission::READ); + fga_permissions1.Grant(check_label, LabelPermission::EDIT); + fga_permissions2.Grant(asterisk, LabelPermission::EDIT); + + auto fga_permissions3 = memgraph::auth::Merge(fga_permissions1, fga_permissions2); + + ASSERT_EQ(fga_permissions3.Has(check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions3.Has(check_label, LabelPermission::EDIT), PermissionLevel::GRANT); + ASSERT_EQ(fga_permissions3.Has(check_label, LabelPermission::READ), PermissionLevel::GRANT); + } + + { + FineGrainedAccessPermissions fga_permissions1, fga_permissions2; + fga_permissions1.Grant(asterisk, LabelPermission::READ); + fga_permissions1.Grant(check_label, LabelPermission::CREATE_DELETE); + fga_permissions2.Grant(asterisk, LabelPermission::EDIT); + fga_permissions2.Grant(check_label, LabelPermission::READ); + + auto fga_permissions3 = memgraph::auth::Merge(fga_permissions1, fga_permissions2); + + ASSERT_EQ(fga_permissions3.Has(check_label, LabelPermission::CREATE_DELETE), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions3.Has(check_label, LabelPermission::EDIT), PermissionLevel::DENY); + ASSERT_EQ(fga_permissions3.Has(check_label, LabelPermission::READ), PermissionLevel::GRANT); + } +} + TEST(AuthWithoutStorage, UserSerializeDeserialize) { auto user = User("test"); user.permissions().Grant(Permission::MATCH); diff --git a/tests/unit/auth_checker.cpp b/tests/unit/auth_checker.cpp index 54f796b96b..307e5742ea 100644 --- a/tests/unit/auth_checker.cpp +++ b/tests/unit/auth_checker.cpp @@ -46,7 +46,7 @@ class FineGrainedAuthCheckerFixture : public testing::Test { TEST_F(FineGrainedAuthCheckerFixture, GrantedAllLabels) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().label_permissions().Grant("*"); + user.fine_grained_access_handler().label_permissions().Grant("*", memgraph::auth::LabelPermission::CREATE_DELETE); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_TRUE(auth_checker.Accept(dba, v1, memgraph::storage::View::NEW)); @@ -59,7 +59,7 @@ TEST_F(FineGrainedAuthCheckerFixture, GrantedAllLabels) { TEST_F(FineGrainedAuthCheckerFixture, GrantedAllEdgeTypes) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().edge_type_permissions().Grant("*"); + user.fine_grained_access_handler().edge_type_permissions().Grant("*", memgraph::auth::LabelPermission::CREATE_DELETE); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_TRUE(auth_checker.Accept(dba, r1)); @@ -70,7 +70,7 @@ TEST_F(FineGrainedAuthCheckerFixture, GrantedAllEdgeTypes) { TEST_F(FineGrainedAuthCheckerFixture, DeniedAllLabels) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().label_permissions().Deny("*"); + user.fine_grained_access_handler().label_permissions().Deny("*", memgraph::auth::LabelPermission::READ); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_FALSE(auth_checker.Accept(dba, v1, memgraph::storage::View::NEW)); @@ -83,7 +83,7 @@ TEST_F(FineGrainedAuthCheckerFixture, DeniedAllLabels) { TEST_F(FineGrainedAuthCheckerFixture, DeniedAllEdgeTypes) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().edge_type_permissions().Deny("*"); + user.fine_grained_access_handler().edge_type_permissions().Deny("*", memgraph::auth::LabelPermission::READ); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_FALSE(auth_checker.Accept(dba, r1)); @@ -94,7 +94,7 @@ TEST_F(FineGrainedAuthCheckerFixture, DeniedAllEdgeTypes) { TEST_F(FineGrainedAuthCheckerFixture, GrantLabel) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().label_permissions().Grant("l1"); + user.fine_grained_access_handler().label_permissions().Grant("l1", memgraph::auth::LabelPermission::CREATE_DELETE); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_TRUE(auth_checker.Accept(dba, v1, memgraph::storage::View::NEW)); @@ -103,7 +103,7 @@ TEST_F(FineGrainedAuthCheckerFixture, GrantLabel) { TEST_F(FineGrainedAuthCheckerFixture, DenyLabel) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().label_permissions().Deny("l3"); + user.fine_grained_access_handler().label_permissions().Deny("l3", memgraph::auth::LabelPermission::READ); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_FALSE(auth_checker.Accept(dba, v3, memgraph::storage::View::NEW)); @@ -112,9 +112,9 @@ TEST_F(FineGrainedAuthCheckerFixture, DenyLabel) { TEST_F(FineGrainedAuthCheckerFixture, GrantAndDenySpecificLabels) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().label_permissions().Grant("l1"); - user.fine_grained_access_handler().label_permissions().Grant("l2"); - user.fine_grained_access_handler().label_permissions().Deny("l3"); + user.fine_grained_access_handler().label_permissions().Grant("l1", memgraph::auth::LabelPermission::CREATE_DELETE); + user.fine_grained_access_handler().label_permissions().Grant("l2", memgraph::auth::LabelPermission::CREATE_DELETE); + user.fine_grained_access_handler().label_permissions().Deny("l3", memgraph::auth::LabelPermission::READ); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_TRUE(auth_checker.Accept(dba, v1, memgraph::storage::View::NEW)); @@ -127,9 +127,9 @@ TEST_F(FineGrainedAuthCheckerFixture, GrantAndDenySpecificLabels) { TEST_F(FineGrainedAuthCheckerFixture, MultipleVertexLabels) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().label_permissions().Grant("l1"); - user.fine_grained_access_handler().label_permissions().Grant("l2"); - user.fine_grained_access_handler().label_permissions().Deny("l3"); + user.fine_grained_access_handler().label_permissions().Grant("l1", memgraph::auth::LabelPermission::CREATE_DELETE); + user.fine_grained_access_handler().label_permissions().Grant("l2", memgraph::auth::LabelPermission::CREATE_DELETE); + user.fine_grained_access_handler().label_permissions().Deny("l3", memgraph::auth::LabelPermission::READ); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_TRUE(v1.AddLabel(dba.NameToLabel("l3")).HasValue()); ASSERT_TRUE(v2.AddLabel(dba.NameToLabel("l1")).HasValue()); @@ -143,7 +143,8 @@ TEST_F(FineGrainedAuthCheckerFixture, MultipleVertexLabels) { TEST_F(FineGrainedAuthCheckerFixture, GrantEdgeType) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().edge_type_permissions().Grant("edge_type_1"); + user.fine_grained_access_handler().edge_type_permissions().Grant("edge_type_1", + memgraph::auth::LabelPermission::CREATE_DELETE); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_TRUE(auth_checker.Accept(dba, r1)); @@ -151,7 +152,7 @@ TEST_F(FineGrainedAuthCheckerFixture, GrantEdgeType) { TEST_F(FineGrainedAuthCheckerFixture, DenyEdgeType) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().edge_type_permissions().Deny("edge_type_1"); + user.fine_grained_access_handler().edge_type_permissions().Deny("edge_type_1", memgraph::auth::LabelPermission::READ); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_FALSE(auth_checker.Accept(dba, r1)); @@ -159,8 +160,9 @@ TEST_F(FineGrainedAuthCheckerFixture, DenyEdgeType) { TEST_F(FineGrainedAuthCheckerFixture, GrantAndDenySpecificEdgeTypes) { memgraph::auth::User user{"test"}; - user.fine_grained_access_handler().edge_type_permissions().Grant("edge_type_1"); - user.fine_grained_access_handler().edge_type_permissions().Deny("edge_type_2"); + user.fine_grained_access_handler().edge_type_permissions().Grant("edge_type_1", + memgraph::auth::LabelPermission::CREATE_DELETE); + user.fine_grained_access_handler().edge_type_permissions().Deny("edge_type_2", memgraph::auth::LabelPermission::READ); memgraph::glue::FineGrainedAuthChecker auth_checker{user}; ASSERT_TRUE(auth_checker.Accept(dba, r1)); diff --git a/tests/unit/query_plan_match_filter_return.cpp b/tests/unit/query_plan_match_filter_return.cpp index fb22b6cc0d..3d6256db57 100644 --- a/tests/unit/query_plan_match_filter_return.cpp +++ b/tests/unit/query_plan_match_filter_return.cpp @@ -427,9 +427,11 @@ TEST_F(ExpandFixture, ExpandWithEdgeFiltering) { auto user = memgraph::auth::User("test"); - user.fine_grained_access_handler().edge_type_permissions().Grant("Edge"); - user.fine_grained_access_handler().edge_type_permissions().Deny("edge_type_test"); - user.fine_grained_access_handler().label_permissions().Grant("*"); + user.fine_grained_access_handler().edge_type_permissions().Grant("Edge", + memgraph::auth::LabelPermission::CREATE_DELETE); + user.fine_grained_access_handler().edge_type_permissions().Deny("edge_type_test", + memgraph::auth::LabelPermission::READ); + user.fine_grained_access_handler().label_permissions().Grant("*", memgraph::auth::LabelPermission::CREATE_DELETE); memgraph::storage::EdgeTypeId edge_type_test{db.NameToEdgeType("edge_type_test")}; ASSERT_TRUE(dba.InsertEdge(&v1, &v2, edge_type_test).HasValue()); @@ -448,7 +450,8 @@ TEST_F(ExpandFixture, ExpandWithEdgeFiltering) { EXPECT_EQ(2, test_expand(user, EdgeAtom::Direction::IN, memgraph::storage::View::OLD)); EXPECT_EQ(4, test_expand(user, EdgeAtom::Direction::BOTH, memgraph::storage::View::OLD)); - user.fine_grained_access_handler().edge_type_permissions().Grant("edge_type_test"); + user.fine_grained_access_handler().edge_type_permissions().Grant("edge_type_test", + memgraph::auth::LabelPermission::CREATE_DELETE); EXPECT_EQ(4, test_expand(user, EdgeAtom::Direction::OUT, memgraph::storage::View::OLD)); EXPECT_EQ(4, test_expand(user, EdgeAtom::Direction::IN, memgraph::storage::View::OLD));