nodedb 0.2.1

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402

// SPDX-License-Identifier: BUSL-1.1

//! Privilege-matrix gating tests for admin-level database DDL.
//!
//! For each operation in the role matrix, two tests verify:
//! 1. Positive: the allowed identity succeeds (or gets 0A000 for
//!    not-yet-implemented, never 42501).
//! 2. Negative: the forbidden identity is denied with SQLSTATE 42501 and
//!    a `PermissionDenied` audit event is emitted.

mod common;

use common::pgwire_auth_helpers::{
    assert_audit_has, cluster_admin_user, database_owner_user, ddl_err, ddl_ok,
    make_state_with_catalog, readonly_user, superuser, try_ddl,
};
use nodedb::control::security::audit::AuditEvent;
use nodedb_types::id::DatabaseId;

// Pre-create a database named `foo` and return its `DatabaseId`.
async fn setup_foo_db(state: &nodedb::control::state::SharedState) -> DatabaseId {
    let su = superuser();
    ddl_ok(state, &su, "CREATE DATABASE foo").await;
    state
        .credentials
        .catalog()
        .as_ref()
        .expect("catalog must be present")
        .get_database_id_by_name("foo")
        .unwrap()
        .expect("foo db must exist after CREATE DATABASE")
}

// ─── CREATE DATABASE ──────────────────────────────────────────────────────────

#[tokio::test]
async fn create_database_cluster_admin_allowed() {
    let state = make_state_with_catalog();
    let ca = cluster_admin_user();
    ddl_ok(&state, &ca, "CREATE DATABASE testcreate1").await;
}

#[tokio::test]
async fn create_database_readonly_denied() {
    let state = make_state_with_catalog();
    let ro = readonly_user();
    let err = ddl_err(&state, &ro, "CREATE DATABASE testcreate2").await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, None);
}

// ─── DROP DATABASE ────────────────────────────────────────────────────────────

#[tokio::test]
async fn drop_database_superuser_allowed() {
    let state = make_state_with_catalog();
    setup_foo_db(&state).await;
    let su = superuser();
    ddl_ok(&state, &su, "DROP DATABASE foo").await;
}

#[tokio::test]
async fn drop_database_cluster_admin_denied() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let ca = cluster_admin_user();
    let err = ddl_err(&state, &ca, "DROP DATABASE foo").await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, Some(foo_id));
}

// ─── DROP DATABASE FORCE ─────────────────────────────────────────────────────

#[tokio::test]
async fn drop_database_force_superuser_allowed() {
    let state = make_state_with_catalog();
    setup_foo_db(&state).await;
    let su = superuser();
    ddl_ok(&state, &su, "DROP DATABASE foo FORCE").await;
}

#[tokio::test]
async fn drop_database_force_cluster_admin_denied() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let ca = cluster_admin_user();
    let err = ddl_err(&state, &ca, "DROP DATABASE foo FORCE").await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, Some(foo_id));
}

// ─── ALTER DATABASE … RENAME ──────────────────────────────────────────────────

#[tokio::test]
async fn alter_database_rename_owner_allowed() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let owner = database_owner_user(foo_id);
    ddl_ok(&state, &owner, "ALTER DATABASE foo RENAME TO foorename").await;
}

#[tokio::test]
async fn alter_database_rename_cluster_admin_denied() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let ca = cluster_admin_user();
    let err = ddl_err(&state, &ca, "ALTER DATABASE foo RENAME TO foorenamed").await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, Some(foo_id));
}

// ─── ALTER DATABASE … SET QUOTA ───────────────────────────────────────────────

#[tokio::test]
async fn alter_database_set_quota_cluster_admin_allowed() {
    let state = make_state_with_catalog();
    setup_foo_db(&state).await;
    let ca = cluster_admin_user();
    ddl_ok(
        &state,
        &ca,
        "ALTER DATABASE foo SET QUOTA (max_memory_bytes = 1073741824)",
    )
    .await;
}

#[tokio::test]
async fn alter_database_set_quota_db_owner_denied() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let owner = database_owner_user(foo_id);
    let err = ddl_err(
        &state,
        &owner,
        "ALTER DATABASE foo SET QUOTA (max_memory_bytes = 1073741824)",
    )
    .await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, Some(foo_id));
}

// ─── ALTER DATABASE … SET AUDIT_DML ──────────────────────────────────────────

#[tokio::test]
async fn alter_database_set_audit_dml_cluster_admin_allowed() {
    let state = make_state_with_catalog();
    setup_foo_db(&state).await;
    let ca = cluster_admin_user();
    ddl_ok(&state, &ca, "ALTER DATABASE foo SET AUDIT_DML = 'writes'").await;
}

#[tokio::test]
async fn alter_database_set_audit_dml_db_owner_denied() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let owner = database_owner_user(foo_id);
    let err = ddl_err(
        &state,
        &owner,
        "ALTER DATABASE foo SET AUDIT_DML = 'writes'",
    )
    .await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, Some(foo_id));
}

// ─── ALTER DATABASE … MATERIALIZE ────────────────────────────────────────────

#[tokio::test]
async fn alter_database_materialize_owner_allowed() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let owner = database_owner_user(foo_id);
    // A non-clone database materializes as a no-op (no collections to materialize).
    ddl_ok(&state, &owner, "ALTER DATABASE foo MATERIALIZE").await;
}

#[tokio::test]
async fn alter_database_materialize_readonly_denied() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let ro = readonly_user();
    let err = ddl_err(&state, &ro, "ALTER DATABASE foo MATERIALIZE").await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, Some(foo_id));
}

// ─── ALTER DATABASE … PROMOTE ────────────────────────────────────────────────

#[tokio::test]
async fn alter_database_promote_superuser_allowed() {
    let state = make_state_with_catalog();
    setup_foo_db(&state).await;
    let su = superuser();
    // foo is not a mirror; PROMOTE may return Ok (idempotent no-op) or 0A000
    // (not a mirror) depending on the descriptor state. Either way the gate
    // passed — the only thing this test must reject is SQLSTATE 42501.
    let result = try_ddl(&state, &su, "ALTER DATABASE foo PROMOTE").await;
    if let Err(err) = result {
        assert!(
            !err.contains("42501"),
            "superuser must pass the gate; got: {err}"
        );
    }
}

#[tokio::test]
async fn alter_database_promote_cluster_admin_denied() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let ca = cluster_admin_user();
    let err = ddl_err(&state, &ca, "ALTER DATABASE foo PROMOTE").await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, Some(foo_id));
}

// ─── CLONE DATABASE ───────────────────────────────────────────────────────────

#[tokio::test]
async fn clone_database_superuser_allowed() {
    let state = make_state_with_catalog();
    setup_foo_db(&state).await;
    let su = superuser();
    ddl_ok(&state, &su, "CLONE DATABASE bar FROM foo").await;
}

#[tokio::test]
async fn clone_database_cluster_admin_denied() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let ca = cluster_admin_user();
    let err = ddl_err(&state, &ca, "CLONE DATABASE barclone FROM foo").await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, Some(foo_id));
}

// ─── MIRROR DATABASE ─────────────────────────────────────────────────────────

#[tokio::test]
async fn mirror_database_superuser_allowed() {
    let state = make_state_with_catalog();
    let su = superuser();
    // The local mirror descriptor is created before the cross-cluster link
    // attempt; the call may return Ok (descriptor inserted, link pending)
    // or a non-42501 error if the source cluster cannot be reached. Either
    // way the gate passed.
    let result = try_ddl(
        &state,
        &su,
        "MIRROR DATABASE mymirror FROM cluster1.sourcedb",
    )
    .await;
    if let Err(err) = result {
        assert!(
            !err.contains("42501"),
            "superuser must pass the gate; got: {err}"
        );
    }
}

#[tokio::test]
async fn mirror_database_cluster_admin_denied() {
    let state = make_state_with_catalog();
    let ca = cluster_admin_user();
    let err = ddl_err(
        &state,
        &ca,
        "MIRROR DATABASE mymirror2 FROM cluster1.sourcedb",
    )
    .await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, None);
}

// ─── MOVE TENANT ─────────────────────────────────────────────────────────────

#[tokio::test]
async fn move_tenant_superuser_allowed() {
    let state = make_state_with_catalog();
    let su = superuser();
    // No tenant named 't' exists; we expect 42P01 (not found), not 42501.
    // The gate was passed; tenant lookup failed.
    let err = ddl_err(&state, &su, "MOVE TENANT t FROM foo TO bar").await;
    assert!(
        !err.contains("42501"),
        "superuser must pass the gate; got: {err}"
    );
}

#[tokio::test]
async fn move_tenant_cluster_admin_denied() {
    let state = make_state_with_catalog();
    setup_foo_db(&state).await;
    let ca = cluster_admin_user();
    let err = ddl_err(&state, &ca, "MOVE TENANT t FROM foo TO bar").await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    // db_id for source 'foo' was resolved before the gate.
    let foo_id = state
        .credentials
        .catalog()
        .as_ref()
        .expect("catalog must be present")
        .get_database_id_by_name("foo")
        .unwrap()
        .expect("foo must still exist");
    assert_audit_has(&state, AuditEvent::PermissionDenied, Some(foo_id));
}

// ─── BACKUP DATABASE ─────────────────────────────────────────────────────────

#[tokio::test]
async fn backup_database_owner_allowed_gets_not_implemented() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let owner = database_owner_user(foo_id);
    let err = ddl_err(&state, &owner, "BACKUP DATABASE foo TO 's3://x'").await;
    // The gate passed; the placeholder returns 0A000 (not yet implemented).
    assert!(
        !err.contains("42501"),
        "database_owner must pass the gate; got: {err}"
    );
    assert!(
        err.contains("0A000") || err.contains("not yet implemented"),
        "expected 0A000/not yet implemented after gate pass; got: {err}"
    );
}

#[tokio::test]
async fn backup_database_readonly_denied() {
    let state = make_state_with_catalog();
    let foo_id = setup_foo_db(&state).await;
    let ro = readonly_user();
    let err = ddl_err(&state, &ro, "BACKUP DATABASE foo TO 's3://x'").await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, Some(foo_id));
}

// ─── RESTORE DATABASE ────────────────────────────────────────────────────────

#[tokio::test]
async fn restore_database_superuser_allowed_gets_not_implemented() {
    let state = make_state_with_catalog();
    let su = superuser();
    let err = ddl_err(&state, &su, "RESTORE DATABASE foo FROM 's3://x'").await;
    // Superuser passes the gate; the placeholder returns 0A000.
    assert!(
        !err.contains("42501"),
        "superuser must pass the gate; got: {err}"
    );
    assert!(
        err.contains("0A000") || err.contains("not yet implemented"),
        "expected 0A000/not yet implemented after gate pass; got: {err}"
    );
}

#[tokio::test]
async fn restore_database_cluster_admin_denied() {
    let state = make_state_with_catalog();
    let ca = cluster_admin_user();
    let err = ddl_err(&state, &ca, "RESTORE DATABASE foo FROM 's3://x'").await;
    assert!(
        err.contains("42501") || err.contains("permission denied"),
        "expected 42501/permission denied, got: {err}"
    );
    assert_audit_has(&state, AuditEvent::PermissionDenied, None);
}