Affected by GO-2023-2166 and 4 other vulnerabilities

GO-2023-2166: SpiceDB leaks information in log files when URI cannot be parsed in github.com/authzed/spicedb

GO-2024-2597: Integer overflow in chunking helper causes dispatching to miss elements or panic in github.com/authzed/spicedb

GO-2024-2716: SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used in github.com/authzed/spicedb

GO-2024-2939: SpiceDB exclusions can result in no permission returned when permission expected in github.com/authzed/spicedb

GO-2024-3131: SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb

consistencytestutil

package

v1.25.0 Latest Latest Go to latest Published: Sep 1, 2023 License: Apache-2.0 Imports: 33 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/authzed/spicedb

Links

Open Source Insights

Documentation ¶

Index ¶

func CreateDispatcherForTesting(t *testing.T, withCaching bool) dispatch.Dispatcher
func ListTestConfigs() ([]string, error)
type Accessibility
type AccessibilitySet
- func BuildAccessibilitySet(t *testing.T, ccd ConsistencyClusterAndData) *AccessibilitySet
type ConsistencyClusterAndData
- func BuildDataAndCreateClusterForTesting(t *testing.T, consistencyTestFilePath string, ds datastore.Datastore) ConsistencyClusterAndData
- func LoadDataAndCreateClusterForTesting(t *testing.T, consistencyTestFilePath string, revisionDelta time.Duration) ConsistencyClusterAndData
type ObjectAndPermission
type ServiceTester
- func ServiceTesters(conn *grpc.ClientConn) []ServiceTester

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CreateDispatcherForTesting ¶

func CreateDispatcherForTesting(t *testing.T, withCaching bool) dispatch.Dispatcher

CreateDispatcherForTesting creates a dispatcher for consistency testing, with or without caching enabled.

func ListTestConfigs ¶

func ListTestConfigs() ([]string, error)

ListTestConfigs returns a list of all test configuration files defined in the testconfigs directory. Must be invoked from a test defined in the integrationtesting folder.

Types ¶

type Accessibility ¶

type Accessibility int

const (
	// NotAccessible indicates that the subject is not accessible for the resource+permission.
	NotAccessible Accessibility = 0

	// NotAccessibleDueToPrespecifiedCaveat indicates that the subject is not accessible for the
	// resource+permission due to a caveat whose context is fully prespecified on the relationship.
	NotAccessibleDueToPrespecifiedCaveat Accessibility = 1

	// AccessibleDirectly indicates that the subject is directly accessible for the resource+permission,
	// rather than via a wildcard.
	AccessibleDirectly Accessibility = 2

	// AccessibleViaWildcardOnly indicates that the subject is only granted permission by virtue
	// of a wildcard being present, i.e. the subject is not directly found for a relation used by
	// the permission.
	AccessibleViaWildcardOnly Accessibility = 3

	// AccessibleBecauseTheSame indicates that the resource+permission and subject are exactly
	// the same.
	AccessibleBecauseTheSame Accessibility = 4
)

type AccessibilitySet ¶

type AccessibilitySet struct {
	// ResourcesByNamespace is a multimap of all defined resources, by resource namespace.
	ResourcesByNamespace *mapz.MultiMap[string, *core.ObjectAndRelation]

	// SubjectsByNamespace is a multimap of all defined subjects, by subject namespace.
	SubjectsByNamespace *mapz.MultiMap[string, *core.ObjectAndRelation]

	// RelationshipsByResourceNamespace is a multimap of all defined relationships, by resource namespace.
	RelationshipsByResourceNamespace *mapz.MultiMap[string, *core.RelationTuple]

	// UncomputedPermissionshipByRelationship is a map from a relationship string of the form
	// "resourceType:resourceObjectID#permission@subjectType:subjectObjectID" to its
	// associated *uncomputed* (i.e. caveats not processed) permissionship state.
	UncomputedPermissionshipByRelationship map[string]dispatchv1.ResourceCheckResult_Membership

	// PermissionshipByRelationship is a map from a relationship string of the form
	// "resourceType:resourceObjectID#permission@subjectType:subjectObjectID" to its
	// associated computed (i.e. caveats processed) permissionship state.
	PermissionshipByRelationship map[string]dispatchv1.ResourceCheckResult_Membership

	// AccessibilityByRelationship is a map from a relationship string of the form
	// "resourceType:resourceObjectID#permission@subjectType:subjectObjectID" to its
	// associated computed accessibility state.
	AccessibilityByRelationship map[string]Accessibility
}

AccessibilitySet is a helper for tracking the accessibility, permissions, resources and subjects found for consistency testing.

func BuildAccessibilitySet ¶

func BuildAccessibilitySet(t *testing.T, ccd ConsistencyClusterAndData) *AccessibilitySet

BuildAccessibilitySet builds and returns an accessibility set for the given consistency cluster and data. Note that this function does *a lot* of checks, and should not be used outside of testing.

func (*AccessibilitySet) AccessibiliyAndPermissionshipFor ¶

func (as *AccessibilitySet) AccessibiliyAndPermissionshipFor(resourceAndRelation *core.ObjectAndRelation, subject *core.ObjectAndRelation) (Accessibility, dispatchv1.ResourceCheckResult_Membership, bool)

AccessibiliyAndPermissionshipFor returns the computed accessibility and permissionship for the given resource+permission and subject. If not found, returns false.

func (*AccessibilitySet) AllSubjectsNoWildcards ¶

func (as *AccessibilitySet) AllSubjectsNoWildcards() []*core.ObjectAndRelation

AllSubjectsNoWildcards returns all *defined*, non-wildcard subjects found.

func (*AccessibilitySet) DirectlyAccessibleDefinedSubjects ¶

func (as *AccessibilitySet) DirectlyAccessibleDefinedSubjects(resourceAndRelation *core.ObjectAndRelation) []*core.ObjectAndRelation

DirectlyAccessibleDefinedSubjects returns all subjects that have direct access/permission on the resource+permission. Direct access is defined as not being granted access via a wildcard.

func (*AccessibilitySet) DirectlyAccessibleDefinedSubjectsOfType ¶

func (as *AccessibilitySet) DirectlyAccessibleDefinedSubjectsOfType(resourceAndRelation *core.ObjectAndRelation, subjectType *core.RelationReference) map[string]ObjectAndPermission

DirectlyAccessibleDefinedSubjectsOfType returns all subjects that have direct access/permission on the resource+permission and match the given subject type. Direct access is defined as not being granted access via a wildcard.

func (*AccessibilitySet) LookupAccessibleResources ¶

func (as *AccessibilitySet) LookupAccessibleResources(resourceType *core.RelationReference, subject *core.ObjectAndRelation) map[string]ObjectAndPermission

LookupAccessibleResources returns all resources of the given type that are accessible to the given subject.

func (*AccessibilitySet) SubjectTypes ¶

func (as *AccessibilitySet) SubjectTypes() []*core.RelationReference

SubjectTypes returns all *defined* subject types found.

func (*AccessibilitySet) UncomputedPermissionshipFor ¶

func (as *AccessibilitySet) UncomputedPermissionshipFor(resourceAndRelation *core.ObjectAndRelation, subject *core.ObjectAndRelation) (dispatchv1.ResourceCheckResult_Membership, bool)

UncomputedPermissionshipFor returns the uncomputed permissionship for the given resource+permission and subject. If not found, returns false.

type ConsistencyClusterAndData ¶

type ConsistencyClusterAndData struct {
	Conn      *grpc.ClientConn
	DataStore datastore.Datastore
	Ctx       context.Context
	Populated *validationfile.PopulatedValidationFile
}

ConsistencyClusterAndData holds a connection to a SpiceDB "cluster" (size 1) running the V1 API for the given data.

func BuildDataAndCreateClusterForTesting ¶

func BuildDataAndCreateClusterForTesting(t *testing.T, consistencyTestFilePath string, ds datastore.Datastore) ConsistencyClusterAndData

BuildDataAndCreateClusterForTesting loads the data found in a consistency test file, builds a cluster for it, and returns both the data and cluster.

func LoadDataAndCreateClusterForTesting ¶

func LoadDataAndCreateClusterForTesting(t *testing.T, consistencyTestFilePath string, revisionDelta time.Duration) ConsistencyClusterAndData

LoadDataAndCreateClusterForTesting loads the data found in a consistency test file, builds a cluster for it, and returns both the data and cluster.

type ObjectAndPermission ¶

type ObjectAndPermission struct {
	ObjectID   string
	IsCaveated bool
}

ObjectAndPermission contains an object ID and whether it is a caveated result.

type ServiceTester ¶

type ServiceTester interface {
	Name() string
	Check(ctx context.Context, resource *core.ObjectAndRelation, subject *core.ObjectAndRelation, atRevision datastore.Revision, caveatContext map[string]any) (v1.CheckPermissionResponse_Permissionship, error)
	Expand(ctx context.Context, resource *core.ObjectAndRelation, atRevision datastore.Revision) (*core.RelationTupleTreeNode, error)
	Write(ctx context.Context, relationship *core.RelationTuple) error
	Read(ctx context.Context, namespaceName string, atRevision datastore.Revision) ([]*core.RelationTuple, error)
	LookupResources(ctx context.Context, resourceRelation *core.RelationReference, subject *core.ObjectAndRelation, atRevision datastore.Revision, cursor *v1.Cursor, limit uint32) ([]*v1.LookupResourcesResponse, *v1.Cursor, error)
	LookupSubjects(ctx context.Context, resource *core.ObjectAndRelation, subjectRelation *core.RelationReference, atRevision datastore.Revision, caveatContext map[string]any) (map[string]*v1.LookupSubjectsResponse, error)
	BulkCheck(ctx context.Context, items []*v1.BulkCheckPermissionRequestItem, atRevision datastore.Revision) ([]*v1.BulkCheckPermissionPair, error)
}

func ServiceTesters ¶

func ServiceTesters(conn *grpc.ClientConn) []ServiceTester

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL