consistencytestutil

package
v1.39.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 12, 2024 License: Apache-2.0 Imports: 34 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CreateDispatcherForTesting

func CreateDispatcherForTesting(t *testing.T, withCaching bool) dispatch.Dispatcher

CreateDispatcherForTesting creates a dispatcher for consistency testing, with or without caching enabled.

func ListTestConfigs

func ListTestConfigs() ([]string, error)

ListTestConfigs returns a list of all test configuration files defined in the testconfigs directory. Must be invoked from a test defined in the integrationtesting folder.

Types

type Accessibility

type Accessibility int
const (
	// NotAccessible indicates that the subject is not accessible for the resource+permission.
	NotAccessible Accessibility = 0

	// NotAccessibleDueToPrespecifiedCaveat indicates that the subject is not accessible for the
	// resource+permission due to a caveat whose context is fully prespecified on the relationship.
	NotAccessibleDueToPrespecifiedCaveat Accessibility = 1

	// AccessibleDirectly indicates that the subject is directly accessible for the resource+permission,
	// rather than via a wildcard.
	AccessibleDirectly Accessibility = 2

	// AccessibleViaWildcardOnly indicates that the subject is only granted permission by virtue
	// of a wildcard being present, i.e. the subject is not directly found for a relation used by
	// the permission.
	AccessibleViaWildcardOnly Accessibility = 3

	// AccessibleBecauseTheSame indicates that the resource+permission and subject are exactly
	// the same.
	AccessibleBecauseTheSame Accessibility = 4
)

type AccessibilitySet

type AccessibilitySet struct {
	// ResourcesByNamespace is a multimap of all defined resources, by resource namespace.
	ResourcesByNamespace *mapz.MultiMap[string, tuple.ObjectAndRelation]

	// SubjectsByNamespace is a multimap of all defined subjects, by subject namespace.
	SubjectsByNamespace *mapz.MultiMap[string, tuple.ObjectAndRelation]

	// RelationshipsByResourceNamespace is a multimap of all defined relationships, by resource namespace.
	RelationshipsByResourceNamespace *mapz.MultiMap[string, tuple.Relationship]

	// UncomputedPermissionshipByRelationship is a map from a relationship string of the form
	// "resourceType:resourceObjectID#permission@subjectType:subjectObjectID" to its
	// associated *uncomputed* (i.e. caveats not processed) permissionship state.
	UncomputedPermissionshipByRelationship map[string]dispatchv1.ResourceCheckResult_Membership

	// PermissionshipByRelationship is a map from a relationship string of the form
	// "resourceType:resourceObjectID#permission@subjectType:subjectObjectID" to its
	// associated computed (i.e. caveats processed) permissionship state.
	PermissionshipByRelationship map[string]dispatchv1.ResourceCheckResult_Membership

	// AccessibilityByRelationship is a map from a relationship string of the form
	// "resourceType:resourceObjectID#permission@subjectType:subjectObjectID" to its
	// associated computed accessibility state.
	AccessibilityByRelationship map[string]Accessibility
}

AccessibilitySet is a helper for tracking the accessibility, permissions, resources and subjects found for consistency testing.

func BuildAccessibilitySet

func BuildAccessibilitySet(t *testing.T, ccd ConsistencyClusterAndData) *AccessibilitySet

BuildAccessibilitySet builds and returns an accessibility set for the given consistency cluster and data. Note that this function does *a lot* of checks, and should not be used outside of testing.

func (*AccessibilitySet) AccessibiliyAndPermissionshipFor

func (as *AccessibilitySet) AccessibiliyAndPermissionshipFor(resourceAndRelation tuple.ObjectAndRelation, subject tuple.ObjectAndRelation) (Accessibility, dispatchv1.ResourceCheckResult_Membership, bool)

AccessibiliyAndPermissionshipFor returns the computed accessibility and permissionship for the given resource+permission and subject. If not found, returns false.

func (*AccessibilitySet) AllSubjectsNoWildcards

func (as *AccessibilitySet) AllSubjectsNoWildcards() []tuple.ObjectAndRelation

AllSubjectsNoWildcards returns all *defined*, non-wildcard subjects found.

func (*AccessibilitySet) DirectlyAccessibleDefinedSubjects

func (as *AccessibilitySet) DirectlyAccessibleDefinedSubjects(resourceAndRelation tuple.ObjectAndRelation) []tuple.ObjectAndRelation

DirectlyAccessibleDefinedSubjects returns all subjects that have direct access/permission on the resource+permission. Direct access is defined as not being granted access via a wildcard.

func (*AccessibilitySet) DirectlyAccessibleDefinedSubjectsOfType

func (as *AccessibilitySet) DirectlyAccessibleDefinedSubjectsOfType(resourceAndRelation tuple.ObjectAndRelation, subjectType tuple.RelationReference) map[string]ObjectAndPermission

DirectlyAccessibleDefinedSubjectsOfType returns all subjects that have direct access/permission on the resource+permission and match the given subject type. Direct access is defined as not being granted access via a wildcard.

func (*AccessibilitySet) LookupAccessibleResources

func (as *AccessibilitySet) LookupAccessibleResources(resourceType tuple.RelationReference, subject tuple.ObjectAndRelation) map[string]ObjectAndPermission

LookupAccessibleResources returns all resources of the given type that are accessible to the given subject.

func (*AccessibilitySet) SubjectTypes

func (as *AccessibilitySet) SubjectTypes() []tuple.RelationReference

SubjectTypes returns all *defined* subject types found.

func (*AccessibilitySet) UncomputedPermissionshipFor

func (as *AccessibilitySet) UncomputedPermissionshipFor(resourceAndRelation tuple.ObjectAndRelation, subject tuple.ObjectAndRelation) (dispatchv1.ResourceCheckResult_Membership, bool)

UncomputedPermissionshipFor returns the uncomputed permissionship for the given resource+permission and subject. If not found, returns false.

type ConsistencyClusterAndData

type ConsistencyClusterAndData struct {
	Conn      *grpc.ClientConn
	DataStore datastore.Datastore
	Ctx       context.Context
	Populated *validationfile.PopulatedValidationFile
}

ConsistencyClusterAndData holds a connection to a SpiceDB "cluster" (size 1) running the V1 API for the given data.

func BuildDataAndCreateClusterForTesting

func BuildDataAndCreateClusterForTesting(t *testing.T, consistencyTestFilePath string, ds datastore.Datastore, additionalServerOptions ...server.ConfigOption) ConsistencyClusterAndData

BuildDataAndCreateClusterForTesting loads the data found in a consistency test file, builds a cluster for it, and returns both the data and cluster.

func LoadDataAndCreateClusterForTesting

func LoadDataAndCreateClusterForTesting(t *testing.T, consistencyTestFilePath string, revisionDelta time.Duration, additionalServerOptions ...server.ConfigOption) ConsistencyClusterAndData

LoadDataAndCreateClusterForTesting loads the data found in a consistency test file, builds a cluster for it, and returns both the data and cluster.

type ObjectAndPermission

type ObjectAndPermission struct {
	ObjectID   string
	IsCaveated bool
}

ObjectAndPermission contains an object ID and whether it is a caveated result.

type ServiceTester

type ServiceTester interface {
	Name() string
	Check(ctx context.Context, resource tuple.ObjectAndRelation, subject tuple.ObjectAndRelation, atRevision datastore.Revision, caveatContext map[string]any) (v1.CheckPermissionResponse_Permissionship, error)
	Expand(ctx context.Context, resource tuple.ObjectAndRelation, atRevision datastore.Revision) (*core.RelationTupleTreeNode, error)
	Write(ctx context.Context, relationship tuple.Relationship) error
	Read(ctx context.Context, namespaceName string, atRevision datastore.Revision) ([]tuple.Relationship, error)
	LookupResources(ctx context.Context, resourceRelation tuple.RelationReference, subject tuple.ObjectAndRelation, atRevision datastore.Revision, cursor *v1.Cursor, limit uint32, caveatContext map[string]any) ([]*v1.LookupResourcesResponse, *v1.Cursor, error)
	LookupSubjects(ctx context.Context, resource tuple.ObjectAndRelation, subjectRelation tuple.RelationReference, atRevision datastore.Revision, caveatContext map[string]any) (map[string]*v1.LookupSubjectsResponse, error)
	// NOTE: ExperimentalService/BulkCheckPermission has been promoted to PermissionsService/CheckBulkPermissions
	BulkCheck(ctx context.Context, items []*v1.BulkCheckPermissionRequestItem, atRevision datastore.Revision) ([]*v1.BulkCheckPermissionPair, error)
	CheckBulk(ctx context.Context, items []*v1.CheckBulkPermissionsRequestItem, atRevision datastore.Revision) ([]*v1.CheckBulkPermissionsPair, error)
}

func ServiceTesters

func ServiceTesters(conn *grpc.ClientConn) []ServiceTester

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL