cf-modkit-db 0.7.0

ModKit database library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

//! Integration tests for the secure ORM layer.

#[cfg(test)]
#[cfg_attr(coverage_nightly, coverage(off))]
#[allow(clippy::disallowed_methods)]
mod integration_tests {
    use crate::secure::AccessScope;
    use modkit_security::access_scope::{ScopeConstraint, ScopeFilter, pep_properties};
    use uuid::Uuid;

    #[test]
    fn test_access_scope_is_deny_all() {
        // Empty scope = deny all
        let scope = AccessScope::default();
        assert!(scope.is_deny_all());

        // Scope with tenants is not deny-all
        let scope = AccessScope::for_tenants(vec![Uuid::new_v4()]);
        assert!(!scope.is_deny_all());

        // Scope with resources is not deny-all
        let scope = AccessScope::for_resources(vec![Uuid::new_v4()]);
        assert!(!scope.is_deny_all());

        // Scope with both is not deny-all
        let scope = AccessScope::single(ScopeConstraint::new(vec![
            ScopeFilter::in_uuids(pep_properties::OWNER_TENANT_ID, vec![Uuid::new_v4()]),
            ScopeFilter::in_uuids(pep_properties::RESOURCE_ID, vec![Uuid::new_v4()]),
        ]));
        assert!(!scope.is_deny_all());
    }

    #[test]
    fn test_empty_scope_is_deny_all() {
        let empty_scope = AccessScope::default();

        assert!(empty_scope.is_deny_all());
        assert!(
            empty_scope
                .all_values_for(pep_properties::OWNER_TENANT_ID)
                .is_empty()
        );
        assert!(
            empty_scope
                .all_values_for(pep_properties::RESOURCE_ID)
                .is_empty()
        );
    }

    #[test]
    fn test_access_scope_builders() {
        let tid = Uuid::new_v4();
        let rid = Uuid::new_v4();

        let scope = AccessScope::for_tenants(vec![tid]);
        assert_eq!(
            scope.all_uuid_values_for(pep_properties::OWNER_TENANT_ID),
            &[tid]
        );
        assert!(
            scope
                .all_uuid_values_for(pep_properties::RESOURCE_ID)
                .is_empty()
        );

        let scope = AccessScope::for_resources(vec![rid]);
        assert!(
            scope
                .all_uuid_values_for(pep_properties::OWNER_TENANT_ID)
                .is_empty()
        );
        assert_eq!(
            scope.all_uuid_values_for(pep_properties::RESOURCE_ID),
            &[rid]
        );

        let scope = AccessScope::single(ScopeConstraint::new(vec![
            ScopeFilter::in_uuids(pep_properties::OWNER_TENANT_ID, vec![tid]),
            ScopeFilter::in_uuids(pep_properties::RESOURCE_ID, vec![rid]),
        ]));
        assert_eq!(
            scope.all_uuid_values_for(pep_properties::OWNER_TENANT_ID),
            &[tid]
        );
        assert_eq!(
            scope.all_uuid_values_for(pep_properties::RESOURCE_ID),
            &[rid]
        );
    }

    #[test]
    fn test_allow_all_is_unconstrained() {
        let scope = AccessScope::allow_all();
        assert!(scope.is_unconstrained());
        assert!(!scope.is_deny_all());
    }

    #[test]
    fn test_or_constraints() {
        let t1 = Uuid::new_v4();
        let t2 = Uuid::new_v4();
        let r1 = Uuid::new_v4();

        let scope = AccessScope::from_constraints(vec![
            ScopeConstraint::new(vec![
                ScopeFilter::in_uuids(pep_properties::OWNER_TENANT_ID, vec![t1]),
                ScopeFilter::in_uuids(pep_properties::RESOURCE_ID, vec![r1]),
            ]),
            ScopeConstraint::new(vec![ScopeFilter::in_uuids(
                pep_properties::OWNER_TENANT_ID,
                vec![t2],
            )]),
        ]);

        assert_eq!(scope.constraints().len(), 2);
        assert!(scope.contains_uuid(pep_properties::OWNER_TENANT_ID, t1));
        assert!(scope.contains_uuid(pep_properties::OWNER_TENANT_ID, t2));
        assert!(scope.contains_uuid(pep_properties::RESOURCE_ID, r1));
        // all_values_for collects from all constraints
        assert_eq!(
            scope.all_values_for(pep_properties::OWNER_TENANT_ID).len(),
            2
        );
    }

    #[test]
    fn test_has_property() {
        let tid = Uuid::new_v4();
        let scope = AccessScope::for_tenant(tid);
        assert!(scope.has_property(pep_properties::OWNER_TENANT_ID));
        assert!(!scope.has_property(pep_properties::RESOURCE_ID));
    }
}