Documentation ¶
Index ¶
- func CreateDispatcherForTesting(t *testing.T, withCaching bool) dispatch.Dispatcher
- func ListTestConfigs() ([]string, error)
- type Accessibility
- type AccessibilitySet
- func (as *AccessibilitySet) AccessibiliyAndPermissionshipFor(resourceAndRelation tuple.ObjectAndRelation, subject tuple.ObjectAndRelation) (Accessibility, dispatchv1.ResourceCheckResult_Membership, bool)
- func (as *AccessibilitySet) AllSubjectsNoWildcards() []tuple.ObjectAndRelation
- func (as *AccessibilitySet) DirectlyAccessibleDefinedSubjects(resourceAndRelation tuple.ObjectAndRelation) []tuple.ObjectAndRelation
- func (as *AccessibilitySet) DirectlyAccessibleDefinedSubjectsOfType(resourceAndRelation tuple.ObjectAndRelation, ...) map[string]ObjectAndPermission
- func (as *AccessibilitySet) LookupAccessibleResources(resourceType tuple.RelationReference, subject tuple.ObjectAndRelation) map[string]ObjectAndPermission
- func (as *AccessibilitySet) SubjectTypes() []tuple.RelationReference
- func (as *AccessibilitySet) UncomputedPermissionshipFor(resourceAndRelation tuple.ObjectAndRelation, subject tuple.ObjectAndRelation) (dispatchv1.ResourceCheckResult_Membership, bool)
- type ConsistencyClusterAndData
- type ObjectAndPermission
- type ServiceTester
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CreateDispatcherForTesting ¶
func CreateDispatcherForTesting(t *testing.T, withCaching bool) dispatch.Dispatcher
CreateDispatcherForTesting creates a dispatcher for consistency testing, with or without caching enabled.
func ListTestConfigs ¶
ListTestConfigs returns a list of all test configuration files defined in the testconfigs directory. Must be invoked from a test defined in the integrationtesting folder.
Types ¶
type Accessibility ¶
type Accessibility int
const ( // NotAccessible indicates that the subject is not accessible for the resource+permission. NotAccessible Accessibility = 0 // NotAccessibleDueToPrespecifiedCaveat indicates that the subject is not accessible for the // resource+permission due to a caveat whose context is fully prespecified on the relationship. NotAccessibleDueToPrespecifiedCaveat Accessibility = 1 // AccessibleDirectly indicates that the subject is directly accessible for the resource+permission, // rather than via a wildcard. AccessibleDirectly Accessibility = 2 // AccessibleViaWildcardOnly indicates that the subject is only granted permission by virtue // of a wildcard being present, i.e. the subject is not directly found for a relation used by // the permission. AccessibleViaWildcardOnly Accessibility = 3 // AccessibleBecauseTheSame indicates that the resource+permission and subject are exactly // the same. AccessibleBecauseTheSame Accessibility = 4 )
type AccessibilitySet ¶
type AccessibilitySet struct { // ResourcesByNamespace is a multimap of all defined resources, by resource namespace. ResourcesByNamespace *mapz.MultiMap[string, tuple.ObjectAndRelation] // SubjectsByNamespace is a multimap of all defined subjects, by subject namespace. SubjectsByNamespace *mapz.MultiMap[string, tuple.ObjectAndRelation] // RelationshipsByResourceNamespace is a multimap of all defined relationships, by resource namespace. RelationshipsByResourceNamespace *mapz.MultiMap[string, tuple.Relationship] // UncomputedPermissionshipByRelationship is a map from a relationship string of the form // "resourceType:resourceObjectID#permission@subjectType:subjectObjectID" to its // associated *uncomputed* (i.e. caveats not processed) permissionship state. UncomputedPermissionshipByRelationship map[string]dispatchv1.ResourceCheckResult_Membership // PermissionshipByRelationship is a map from a relationship string of the form // "resourceType:resourceObjectID#permission@subjectType:subjectObjectID" to its // associated computed (i.e. caveats processed) permissionship state. PermissionshipByRelationship map[string]dispatchv1.ResourceCheckResult_Membership // AccessibilityByRelationship is a map from a relationship string of the form // "resourceType:resourceObjectID#permission@subjectType:subjectObjectID" to its // associated computed accessibility state. AccessibilityByRelationship map[string]Accessibility }
AccessibilitySet is a helper for tracking the accessibility, permissions, resources and subjects found for consistency testing.
func BuildAccessibilitySet ¶
func BuildAccessibilitySet(t *testing.T, ccd ConsistencyClusterAndData) *AccessibilitySet
BuildAccessibilitySet builds and returns an accessibility set for the given consistency cluster and data. Note that this function does *a lot* of checks, and should not be used outside of testing.
func (*AccessibilitySet) AccessibiliyAndPermissionshipFor ¶
func (as *AccessibilitySet) AccessibiliyAndPermissionshipFor(resourceAndRelation tuple.ObjectAndRelation, subject tuple.ObjectAndRelation) (Accessibility, dispatchv1.ResourceCheckResult_Membership, bool)
AccessibiliyAndPermissionshipFor returns the computed accessibility and permissionship for the given resource+permission and subject. If not found, returns false.
func (*AccessibilitySet) AllSubjectsNoWildcards ¶
func (as *AccessibilitySet) AllSubjectsNoWildcards() []tuple.ObjectAndRelation
AllSubjectsNoWildcards returns all *defined*, non-wildcard subjects found.
func (*AccessibilitySet) DirectlyAccessibleDefinedSubjects ¶
func (as *AccessibilitySet) DirectlyAccessibleDefinedSubjects(resourceAndRelation tuple.ObjectAndRelation) []tuple.ObjectAndRelation
DirectlyAccessibleDefinedSubjects returns all subjects that have direct access/permission on the resource+permission. Direct access is defined as not being granted access via a wildcard.
func (*AccessibilitySet) DirectlyAccessibleDefinedSubjectsOfType ¶
func (as *AccessibilitySet) DirectlyAccessibleDefinedSubjectsOfType(resourceAndRelation tuple.ObjectAndRelation, subjectType tuple.RelationReference) map[string]ObjectAndPermission
DirectlyAccessibleDefinedSubjectsOfType returns all subjects that have direct access/permission on the resource+permission and match the given subject type. Direct access is defined as not being granted access via a wildcard.
func (*AccessibilitySet) LookupAccessibleResources ¶
func (as *AccessibilitySet) LookupAccessibleResources(resourceType tuple.RelationReference, subject tuple.ObjectAndRelation) map[string]ObjectAndPermission
LookupAccessibleResources returns all resources of the given type that are accessible to the given subject.
func (*AccessibilitySet) SubjectTypes ¶
func (as *AccessibilitySet) SubjectTypes() []tuple.RelationReference
SubjectTypes returns all *defined* subject types found.
func (*AccessibilitySet) UncomputedPermissionshipFor ¶
func (as *AccessibilitySet) UncomputedPermissionshipFor(resourceAndRelation tuple.ObjectAndRelation, subject tuple.ObjectAndRelation) (dispatchv1.ResourceCheckResult_Membership, bool)
UncomputedPermissionshipFor returns the uncomputed permissionship for the given resource+permission and subject. If not found, returns false.
type ConsistencyClusterAndData ¶
type ConsistencyClusterAndData struct { Conn *grpc.ClientConn DataStore datastore.Datastore Ctx context.Context Populated *validationfile.PopulatedValidationFile }
ConsistencyClusterAndData holds a connection to a SpiceDB "cluster" (size 1) running the V1 API for the given data.
func BuildDataAndCreateClusterForTesting ¶
func BuildDataAndCreateClusterForTesting(t *testing.T, consistencyTestFilePath string, ds datastore.Datastore, additionalServerOptions ...server.ConfigOption) ConsistencyClusterAndData
BuildDataAndCreateClusterForTesting loads the data found in a consistency test file, builds a cluster for it, and returns both the data and cluster.
func LoadDataAndCreateClusterForTesting ¶
func LoadDataAndCreateClusterForTesting(t *testing.T, consistencyTestFilePath string, revisionDelta time.Duration, additionalServerOptions ...server.ConfigOption) ConsistencyClusterAndData
LoadDataAndCreateClusterForTesting loads the data found in a consistency test file, builds a cluster for it, and returns both the data and cluster.
type ObjectAndPermission ¶
ObjectAndPermission contains an object ID and whether it is a caveated result.
type ServiceTester ¶
type ServiceTester interface { Name() string Check(ctx context.Context, resource tuple.ObjectAndRelation, subject tuple.ObjectAndRelation, atRevision datastore.Revision, caveatContext map[string]any) (v1.CheckPermissionResponse_Permissionship, error) Expand(ctx context.Context, resource tuple.ObjectAndRelation, atRevision datastore.Revision) (*core.RelationTupleTreeNode, error) Write(ctx context.Context, relationship tuple.Relationship) error Read(ctx context.Context, namespaceName string, atRevision datastore.Revision) ([]tuple.Relationship, error) LookupResources(ctx context.Context, resourceRelation tuple.RelationReference, subject tuple.ObjectAndRelation, atRevision datastore.Revision, cursor *v1.Cursor, limit uint32, caveatContext map[string]any) ([]*v1.LookupResourcesResponse, *v1.Cursor, error) LookupSubjects(ctx context.Context, resource tuple.ObjectAndRelation, subjectRelation tuple.RelationReference, atRevision datastore.Revision, caveatContext map[string]any) (map[string]*v1.LookupSubjectsResponse, error) // NOTE: ExperimentalService/BulkCheckPermission has been promoted to PermissionsService/CheckBulkPermissions BulkCheck(ctx context.Context, items []*v1.BulkCheckPermissionRequestItem, atRevision datastore.Revision) ([]*v1.BulkCheckPermissionPair, error) CheckBulk(ctx context.Context, items []*v1.CheckBulkPermissionsRequestItem, atRevision datastore.Revision) ([]*v1.CheckBulkPermissionsPair, error) }
func ServiceTesters ¶
func ServiceTesters(conn *grpc.ClientConn) []ServiceTester