# Test RLS on instance and account_instance table

In [None]:
from laminhub_rest.core.account import delete_account
from laminhub_rest.core.instance import delete_instance
from laminhub_rest.connector import connect_hub, connect_hub_with_auth
import pytest
from laminhub_rest.utils._test import (
    create_test_auth,
    create_test_account,
    create_test_storage,
)
from laminhub_rest.core.instance._crud import (
    sb_select_instance_by_name,
    sb_select_instance,
    sb_insert_instance,
    sb_update_instance,
    sb_delete_instance,
)
from laminhub_rest.core.collaborator._crud import (
    sb_insert_collaborator,
    sb_select_collaborator,
    sb_update_collaborator,
    sb_delete_collaborator,
)
import string, secrets
from uuid import uuid4
from laminhub_rest._clean_ci import clean_ci

In [None]:
def base26(n_char: int):
    alphabet = string.ascii_lowercase
    return "".join(secrets.choice(alphabet) for i in range(n_char))

## Parametrize 

In [None]:
hub = connect_hub()

# Create account 1
auth_1 = create_test_auth()
access_token_1 = auth_1["access_token"]
account_1 = create_test_account(handle=auth_1["handle"], access_token=access_token_1)
account_id_1 = account_1["id"]
account_handle_1 = account_1["handle"]
account_hub_1 = connect_hub_with_auth(access_token=access_token_1)

# Create account 2
auth_2 = create_test_auth()
access_token_2 = auth_2["access_token"]
account_2 = create_test_account(handle=auth_2["handle"], access_token=access_token_2)
account_id_2 = account_2["id"]
account_handle_2 = account_2["handle"]
account_hub_2 = connect_hub_with_auth(access_token=access_token_2)

# Create account 3
auth_3 = create_test_auth()
access_token_3 = auth_3["access_token"]
account_3 = create_test_account(handle=auth_3["handle"], access_token=access_token_3)
account_id_3 = account_3["id"]
account_handle_3 = account_3["handle"]
account_hub_3 = connect_hub_with_auth(access_token=access_token_3)

# Create account 4
auth_4 = create_test_auth()
access_token_4 = auth_4["access_token"]
account_4 = create_test_account(handle=auth_4["handle"], access_token=access_token_4)
account_id_4 = account_4["id"]
account_handle_4 = account_4["handle"]
account_hub_4 = connect_hub_with_auth(access_token=access_token_4)

# Create storage
storage = create_test_storage(access_token=access_token_1)

## Enable authenticated accounts to create instance

In [None]:
instance_name = f"lamin.ci.instance.{base26(6)}"
instance_id = uuid4().hex
db = f"postgresql://postgres:pwd@0.0.0.0:5432/{instance_name}"

instance = sb_insert_instance(
    instance_fields={
        "id": instance_id,
        "account_id": account_id_1,
        "name": instance_name,
        "storage_id": storage["id"],
        "db": db,
        "public": True,
    },
    supabase_client=account_hub_1,
)

assert instance is not None

## Enable `owner` to add collaborators

A owner can add himself as an admin.

In [None]:
sb_insert_collaborator(
    account_instance_fields={
        "account_id": account_id_1,
        "instance_id": instance["id"],
        "role": "admin",
    },
    supabase_client=account_hub_1,
)

assert (
    sb_select_collaborator(
        instance_id=instance["id"],
        account_id=account_id_1,
        supabase_client=account_hub_1,
    )
    is not None
)

Add another collaborator as an admin.

## Enable admin accounts to add collaborators

A admin can add a collaborator as an admin.

In [None]:
sb_insert_collaborator(
    account_instance_fields={
        "account_id": account_id_2,
        "instance_id": instance["id"],
        "role": "admin",
    },
    supabase_client=account_hub_1,
)

assert (
    sb_select_collaborator(
        instance_id=instance["id"],
        account_id=account_id_2,
        supabase_client=account_hub_1,
    )
    is not None
)

A admin can add a collaborator with a read role.

In [None]:
sb_insert_collaborator(
    account_instance_fields={
        "account_id": account_id_3,
        "instance_id": instance["id"],
        "role": "read",
    },
    supabase_client=account_hub_2,
)

assert (
    sb_select_collaborator(
        instance_id=instance["id"],
        account_id=account_id_3,
        supabase_client=account_hub_2,
    )
    is not None
)

A collaborator with a read role can't add a collaborator.

In [None]:
with pytest.raises(Exception) as error:
    sb_insert_collaborator(
        account_instance_fields={
            "account_id": account_id_4,
            "instance_id": instance["id"],
            "role": "read",
        },
        supabase_client=account_hub_3,
    )

assert "new row violates row-level security policy" in error.value.message

A non collaborator can't add a collaborator.

In [None]:
with pytest.raises(Exception) as error:
    sb_insert_collaborator(
        account_instance_fields={
            "account_id": account_id_4,
            "instance_id": instance["id"],
            "role": "read",
        },
        supabase_client=account_hub_4,
    )

assert "new row violates row-level security policy" in error.value.message

## Enable admin to update collaborators

A admin can update a collaborator.

In [None]:
sb_update_collaborator(
    account_id=account_id_3,
    instance_id=instance["id"],
    role="write",
    supabase_client=account_hub_2,
)

assert (
    sb_select_collaborator(
        account_id=account_id_3,
        instance_id=instance["id"],
        supabase_client=account_hub_2,
    )["role"]
    == "write"
)

A member with a non admin role can't update a collaborator.

In [None]:
sb_update_collaborator(
    account_id=account_id_3,
    instance_id=instance["id"],
    role="write",
    supabase_client=account_hub_3,
)

assert (
    sb_select_collaborator(
        account_id=account_id_2,
        instance_id=instance["id"],
        supabase_client=account_hub_3,
    )["role"]
    == "admin"
)

## Enable admin to delete collaborators

In [None]:
sb_delete_collaborator(
    account_id=account_id_2, instance_id=instance["id"], supabase_client=account_hub_3
)

collaborator = sb_select_collaborator(
    account_id=account_id_2, instance_id=instance["id"], supabase_client=account_hub_3
)

assert collaborator is not None

In [None]:
sb_delete_collaborator(
    account_id=account_id_3, instance_id=instance["id"], supabase_client=account_hub_2
)

collaborator = sb_select_collaborator(
    account_id=account_id_3, instance_id=instance["id"], supabase_client=account_hub_2
)

assert collaborator is None

## Enable owner to delete collaborators (even if he is not part of account_instance table)

In [None]:
instance_name = f"lamin.ci.instance.{base26(6)}"
instance_id = uuid4().hex
db = f"postgresql://postgres:pwd@0.0.0.0:5432/{instance_name}"

instance = sb_insert_instance(
    instance_fields={
        "id": instance_id,
        "account_id": account_id_1,
        "name": instance_name,
        "storage_id": storage["id"],
        "db": db,
        "public": True,
    },
    supabase_client=account_hub_1,
)

sb_insert_collaborator(
    account_instance_fields={
        "account_id": account_id_2,
        "instance_id": instance["id"],
        "role": "admin",
    },
    supabase_client=account_hub_1,
)

sb_delete_collaborator(
    account_id=account_id_2, instance_id=instance["id"], supabase_client=account_hub_1
)

assert (
    sb_select_collaborator(
        account_id=account_id_2,
        instance_id=instance["id"],
        supabase_client=account_hub_1,
    )
    is None
)

## Enable everyone to select public instances

In [None]:
instance = sb_select_instance(id=instance["id"], supabase_client=account_hub_4)

assert instance is not None

## Enable members to select their instances

Create a private instance with 1 member

In [None]:
instance_name = f"lamin.ci.instance.{base26(6)}"
instance_id = uuid4().hex
db = f"postgresql://postgres:pwd@0.0.0.0:5432/{instance_name}"

private_instance = sb_insert_instance(
    instance_fields={
        "id": instance_id,
        "account_id": account_id_1,
        "name": instance_name,
        "storage_id": storage["id"],
        "db": db,
        "public": False,
    },
    supabase_client=account_hub_1,
)

sb_insert_collaborator(
    account_instance_fields={
        "account_id": account_id_1,
        "instance_id": private_instance["id"],
        "role": "read",
    },
    supabase_client=account_hub_1,
)

In [None]:
assert (
    sb_select_instance(id=private_instance["id"], supabase_client=account_hub_1)
    is not None
)

In [None]:
assert (
    sb_select_instance(id=private_instance["id"], supabase_client=account_hub_3) is None
)

## Enable admin accounts to update their instances 

In [None]:
sb_update_instance(
    instance_id=instance["id"],
    instance_fields={"description": "Description"},
    supabase_client=account_hub_3,
)

assert (
    sb_select_instance(id=instance["id"], supabase_client=account_hub_3)["description"]
    is None
)

In [None]:
sb_insert_collaborator(
    account_instance_fields={
        "account_id": account_id_3,
        "instance_id": instance["id"],
        "role": "admin",
    },
    supabase_client=account_hub_1,
)

sb_update_instance(
    instance_id=instance["id"],
    instance_fields={"description": "Description"},
    supabase_client=account_hub_3,
)

assert (
    sb_select_instance(id=instance["id"], supabase_client=account_hub_3)["description"]
    == "Description"
)

## Enable owners to select their instances

Delete all colaborators of the private instance

In [None]:
(
    account_hub_1.table("account_instance")
    .delete()
    .eq("instance_id", private_instance["id"])
    .execute()
)

In [None]:
(
    account_hub_1.table("account_instance")
    .select("*")
    .eq("instance_id", private_instance["id"])
    .execute()
)

Ensure the owner can still select it

In [None]:
assert (
    sb_select_instance(id=private_instance["id"], supabase_client=account_hub_1)
    is not None
)

## Enable owners to delete their instances

In [None]:
sb_delete_instance(id=private_instance["id"], supabase_client=account_hub_2)

assert (
    sb_select_instance(id=private_instance["id"], supabase_client=account_hub_1)
    is not None
)

In [None]:
sb_delete_instance(id=private_instance["id"], supabase_client=account_hub_1)

assert (
    sb_select_instance(id=private_instance["id"], supabase_client=account_hub_1) is None
)

## Clean up test assets

In [None]:
delete_account(account_handle_1, access_token_1)
delete_account(account_handle_2, access_token_2)
delete_account(account_handle_3, access_token_3)
delete_account(account_handle_4, access_token_4)
delete_instance(
    owner=account_handle_1, name=instance["name"], _access_token=access_token_1
)

In [None]:
clean_ci()