Merge pull request from GHSA-8cph-m685-6v6r
* fix: error handling leading to false positives

* test: add a failing test due to Check and ListObjects differences

* test: change test expectation for ListObjects assertion

* fix: union CheckFuncReducer and associated tests

* fix: intersection CheckFuncReducer

* fix: exclusion CheckFuncReducer

* fix: rewire the cycle detection mechanics to avoid error propagation

* test: add more edge case tests for cyclical evaluations

* test: rename new test that was poorly named

* chore: revert minor change that was unintended

* chore: tidy up changes and drop commented out code

* chore: minor touchups based on some feedback

* test: add test for CloneResolveCheckResponse

* test: add more tests for error around intersection

* test: more test assertions around cloned cached response

* test: add unit test to make sure we cache CycleDetected

* test: add more assertions around CycleDetected field

* chore: rename test names

* chore: fix datastore query count under reporting in intersection reducer
jon-whit committed Apr 16, 2024
1 parent 6829520 commit b6a6d99
Showing 11 changed files with 1,253 additions and 281 deletions.
361 changes: 361 additions & 0 deletions assets/tests/consolidated_1_1_tests.yaml
Expand Up @@ -5295,3 +5295,364 @@ tests:
relation: viewer
expectation:
- document:1
- name: cycle_or_cycle_return_false
stages:
- model: |
model
schema 1.1
type user
type document
relations
define editor: [user, document#viewer]
define viewer: [document#editor] or editor
tuples:
- user: document:1#viewer
relation: editor
object: document:1
- user: document:1#editor
relation: viewer
object: document:1
checkAssertions:
- tuple:
object: document:1
relation: viewer
user: user:jon
expectation: false
listObjectsAssertions:
- request:
user: user:jon
type: document
relation: viewer
expectation:
- name: immediate_cycle_through_computed_userset
stages:
- model: |
model
schema 1.1
type user
type document
relations
define editor: [user, document#viewer]
define viewer: editor
tuples:
- user: document:1#viewer
relation: editor
object: document:1
checkAssertions:
- tuple:
object: document:1
relation: viewer
user: user:jon
expectation: false
listObjectsAssertions:
- request:
user: user:jon
type: document
relation: viewer
expectation:
- name: immediate_cycle_through_computed_userset
stages:
- model: |
model
schema 1.1
type user
type document
relations
define editor: [user, document#viewer]
define viewer: editor
tuples:
- user: document:1#viewer
relation: editor
object: document:1
checkAssertions:
- tuple:
object: document:1
relation: viewer
user: user:jon
expectation: false
listObjectsAssertions:
- request:
user: user:jon
type: document
relation: viewer
expectation:
- name: true_butnot_cycle_return_false
stages:
- model: |
model
schema 1.1
type user
type document
relations
define restricted: [user, document#viewer]
define viewer: [user] but not restricted
tuples:
- user: user:jon
relation: viewer
object: document:1
- user: document:1#viewer
relation: restricted
object: document:1
checkAssertions:
- tuple:
object: document:1
relation: viewer
user: user:jon
expectation: false
listObjectsAssertions:
- request:
user: user:jon
type: document
relation: viewer
expectation:
- name: cycle_and_cycle_return_false
stages:
- model: |
model
schema 1.1
type user
type document
relations
define editor: [user, document#viewer]
define viewer: [user, document#editor] and editor
tuples:
- user: document:1#editor
relation: viewer
object: document:1
- user: document:1#viewer
relation: editor
object: document:1
checkAssertions:
- tuple:
object: document:1
relation: viewer
user: user:jon
expectation: false
listObjectsAssertions:
- request:
user: user:jon
type: document
relation: viewer
expectation:
- name: cycle_and_true_return_false
stages:
- model: |
model
schema 1.1
type user
type document
relations
define allowed: [user]
define viewer: [user, document#viewer] and allowed
tuples:
- user: user:jon
relation: allowed
object: document:1
- user: document:1#viewer
relation: viewer
object: document:1
checkAssertions:
- tuple:
object: document:1
relation: viewer
user: user:jon
expectation: false
listObjectsAssertions:
- request:
user: user:jon
type: document
relation: viewer
expectation:
- name: immediate_cycle_return_false
stages:
- model: |
model
schema 1.1
type user
type document
relations
define viewer: [user, document#viewer]
tuples:
- user: document:1#viewer
relation: viewer
object: document:1
checkAssertions:
- tuple:
object: document:1
relation: viewer
user: user:jon
expectation: false
listObjectsAssertions:
- request:
user: user:jon
type: document
relation: viewer
expectation:
- name: cycle_butnot_false_return_false
stages:
- model: |
model
schema 1.1
type user
type document
relations
define restricted: [user]
define viewer: [user, document#viewer] but not restricted
tuples:
- user: document:1#viewer
relation: viewer
object: document:1
checkAssertions:
- tuple:
object: document:1
relation: viewer
user: user:jon
expectation: false
listObjectsAssertions:
- request:
user: user:jon
type: document
relation: viewer
expectation:
- name: false_butnot_cycle_return_false
stages:
- model: |
model
schema 1.1
type user
type document
relations
define restricted: [user, document#viewer]
define viewer: [user] but not restricted
tuples:
- user: document:1#viewer
relation: restricted
object: document:1
checkAssertions:
- tuple:
object: document:1
relation: viewer
user: user:jon
expectation: false
listObjectsAssertions:
- request:
user: user:jon
type: document
relation: viewer
expectation:
- name: err_and_err_return_err
stages:
- model: |
model
schema 1.1
type user
type resource
relations
define a1: a2
define a2: a3
define a3: a4
define a4: a5
define a5: a6
define a6: a7
define a7: a8
define a8: a9
define a9: a10
define a10: a11
define a11: a12
define a12: a13
define a13: a14
define a14: a15
define a15: a16
define a16: a17
define a17: a18
define a18: a19
define a19: a20
define a20: a21
define a21: a22
define a22: a23
define a23: a24
define a24: a25
define a25: a26
define a26: [user]
define can_view: a1 and a1
tuples:
- object: resource:abc
relation: a26
user: user:maria
checkAssertions:
- tuple:
object: resource:abc
relation: can_view
user: user:maria
errorCode: 2002
listObjectsAssertions:
- request:
type: resource
relation: can_view
user: user:maria
errorCode: 2002
- name: err_and_true_return_err
stages:
- model: |
model
schema 1.1
type user
type resource
relations
define a1: a2
define a2: a3
define a3: a4
define a4: a5
define a5: a6
define a6: a7
define a7: a8
define a8: a9
define a9: a10
define a10: a11
define a11: a12
define a12: a13
define a13: a14
define a14: a15
define a15: a16
define a16: a17
define a17: a18
define a18: a19
define a19: a20
define a20: a21
define a21: a22
define a22: a23
define a23: a24
define a24: a25
define a25: a26
define a26: [user]
define can_view: a1 and a26
tuples:
- object: resource:abc
relation: a26
user: user:maria
checkAssertions:
- tuple:
object: resource:abc
relation: can_view
user: user:maria
errorCode: 2002
listObjectsAssertions:
- request:
type: resource
relation: can_view
user: user:maria
errorCode: 2002
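Review bot: The case `immediate_cycle_through_computed_userset` is added twice in a row with the same model, tuples and assertions, so the second copy adds no coverage and the repeated name makes a failure report ambiguous; drop one copy, or change the second into the variant it was meant to cover and rename it. Every cycle case also leaves the ListObjects `expectation:` empty, which YAML loads as null rather than an empty list; writing `expectation: []` would state outright that no object may be returned, which matters because these cases guard against an authorization false positive. A one-line comment above the two `errorCode: 2002` cases naming the limit the `a1`…`a26` chain is meant to trip (presumably the resolution depth limit, not visible on this page) would help whoever changes that limit later.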