nodedb 0.2.0

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

// SPDX-License-Identifier: BUSL-1.1

//! Cross-tenant isolation: Document (sparse) engine — negative (write-collision) cases.
//!
//! Verifies that Tenant B writing to the same collection + document_id as Tenant A
//! cannot overwrite or delete Tenant A's document.

use nodedb::bridge::envelope::{ErrorCode, PhysicalPlan, Status};
use nodedb::bridge::physical_plan::DocumentOp;

use crate::helpers::*;

/// Tenant B PointPut on the same doc_id must not overwrite Tenant A's document.
#[test]
fn sparse_cross_tenant_put_does_not_overwrite() {
    let (mut core, mut tx, mut rx, _dir) = make_core();

    // Tenant A inserts a document.
    send_ok_as_tenant(
        &mut core,
        &mut tx,
        &mut rx,
        TENANT_A,
        PhysicalPlan::Document(DocumentOp::PointPut {
            collection: "profiles".into(),
            document_id: "user_1".into(),
            value: b"{\"name\":\"alice\",\"secret\":\"tenant_a_secret\"}".to_vec(),
            surrogate: nodedb_types::Surrogate::ZERO,
            pk_bytes: Vec::new(),
        }),
    );

    // Tenant B puts a document with the same collection + doc_id.
    send_ok_as_tenant(
        &mut core,
        &mut tx,
        &mut rx,
        TENANT_B,
        PhysicalPlan::Document(DocumentOp::PointPut {
            collection: "profiles".into(),
            document_id: "user_1".into(),
            value: b"{\"name\":\"bob\",\"secret\":\"tenant_b_secret\"}".to_vec(),
            surrogate: nodedb_types::Surrogate::ZERO,
            pk_bytes: Vec::new(),
        }),
    );

    // Tenant A's PointGet must still return the original document.
    let resp_a = send_raw_as_tenant(
        &mut core,
        &mut tx,
        &mut rx,
        TENANT_A,
        PhysicalPlan::Document(DocumentOp::PointGet {
            collection: "profiles".into(),
            document_id: "user_1".into(),
            rls_filters: Vec::new(),
            system_as_of_ms: None,
            valid_at_ms: None,
            surrogate: nodedb_types::Surrogate::ZERO,
            pk_bytes: Vec::new(),
        }),
    );
    assert_eq!(resp_a.status, Status::Ok);
    let json_a = payload_json(&resp_a.payload);
    assert!(
        json_a.contains("tenant_a_secret"),
        "Tenant A's document must be intact after Tenant B's cross-tenant Put; got: {json_a}"
    );
    assert!(
        !json_a.contains("tenant_b_secret"),
        "Tenant B's data must NOT appear in Tenant A's document; got: {json_a}"
    );
}

/// Tenant B PointDelete on a doc_id that Tenant A owns must not affect Tenant A.
#[test]
fn sparse_cross_tenant_delete_does_not_affect_owner() {
    let (mut core, mut tx, mut rx, _dir) = make_core();

    // Tenant A inserts a document.
    send_ok_as_tenant(
        &mut core,
        &mut tx,
        &mut rx,
        TENANT_A,
        PhysicalPlan::Document(DocumentOp::PointPut {
            collection: "records".into(),
            document_id: "rec_42".into(),
            value: b"{\"data\":\"confidential\"}".to_vec(),
            surrogate: nodedb_types::Surrogate::ZERO,
            pk_bytes: Vec::new(),
        }),
    );

    // Tenant B attempts to delete the same document.  In B's namespace
    // the document doesn't exist, so the engine must either return Ok
    // (0 rows deleted) or NotFound.
    let resp_del = send_raw_as_tenant(
        &mut core,
        &mut tx,
        &mut rx,
        TENANT_B,
        PhysicalPlan::Document(DocumentOp::PointDelete {
            collection: "records".into(),
            document_id: "rec_42".into(),
            surrogate: nodedb_types::Surrogate::ZERO,
            pk_bytes: Vec::new(),
            returning: None,
        }),
    );
    let ok_or_not_found =
        resp_del.status == Status::Ok || resp_del.error_code == Some(ErrorCode::NotFound);
    assert!(
        ok_or_not_found,
        "Cross-tenant document delete must be Ok or NotFound, got {:?}",
        resp_del.error_code
    );

    // Tenant A's document must still be present.
    let resp_a = send_raw_as_tenant(
        &mut core,
        &mut tx,
        &mut rx,
        TENANT_A,
        PhysicalPlan::Document(DocumentOp::PointGet {
            collection: "records".into(),
            document_id: "rec_42".into(),
            rls_filters: Vec::new(),
            system_as_of_ms: None,
            valid_at_ms: None,
            surrogate: nodedb_types::Surrogate::ZERO,
            pk_bytes: Vec::new(),
        }),
    );
    assert_eq!(resp_a.status, Status::Ok);
    let json_a = payload_json(&resp_a.payload);
    assert!(
        json_a.contains("confidential"),
        "Tenant A's document must survive Tenant B's cross-tenant delete; got: {json_a}"
    );
}