quiverdb-server 0.29.0

The Quiver daemon: gRPC + REST with auth, RBAC, audit, and metrics.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

// SPDX-License-Identifier: AGPL-3.0-only
//! The cluster coordinator's membership API is authenticated (ADR-0011): a
//! network-reachable coordinator cannot be reshaped by an unauthenticated caller.
//! Reads (`/cluster/map`, `/cluster/health`) require any valid key; the mutating
//! shard ops require the `admin` role; `/healthz` and `/readyz` stay open. With no
//! keys configured (insecure mode) any caller is admitted — covered by the other
//! cluster tests, which run keyless.

// A test harness; panics are the failure signal (ADR-0017 scopes the
// unwrap/expect ban to non-test code).
#![allow(clippy::unwrap_used, clippy::expect_used)]

use std::time::Duration;

use quiver_server::{Action, ApiKey, CollectionScope, Config, serve};
use tokio::net::TcpListener;

async fn wait_ready(http: &reqwest::Client, base: &str) {
    for _ in 0..200 {
        if let Ok(resp) = http.get(format!("{base}/healthz")).send().await
            && resp.status().is_success()
        {
            return;
        }
        tokio::time::sleep(Duration::from_millis(20)).await;
    }
    panic!("coordinator did not become ready");
}

#[tokio::test]
async fn coordinator_membership_api_requires_auth() {
    let admin = "admin-secret";
    let reader = "reader-secret";

    let rest_listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
    let grpc_listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
    let rest_addr = rest_listener.local_addr().unwrap();
    let grpc_addr = grpc_listener.local_addr().unwrap();

    let config = Config {
        rest_addr,
        grpc_addr,
        coordinator: true,
        // A shard to remove and a read-only key alongside the admin key.
        cluster_shards: vec!["http://127.0.0.1:1".into(), "http://127.0.0.1:2".into()],
        api_keys: vec![
            ApiKey::admin(admin),
            ApiKey {
                secret: reader.to_owned(),
                role: Action::Read,
                collections: CollectionScope::All,
                id: None,
            },
        ],
        ..Default::default()
    };
    let server = tokio::spawn(async move {
        let _ = serve(config, rest_listener, grpc_listener).await;
    });

    let http = reqwest::Client::new();
    let base = format!("http://{rest_addr}");
    wait_ready(&http, &base).await;

    // /healthz is open (liveness) even with keys configured.
    let h = http.get(format!("{base}/healthz")).send().await.unwrap();
    assert_eq!(
        h.status(),
        reqwest::StatusCode::OK,
        "healthz must stay open"
    );

    // --- A mutating op (add a shard) ---
    let add_body = serde_json::json!({"primary_url": "http://127.0.0.1:3", "replica_urls": []});

    // No bearer -> 401.
    let no_key = http
        .post(format!("{base}/cluster/shards"))
        .json(&add_body)
        .send()
        .await
        .unwrap();
    assert_eq!(
        no_key.status(),
        reqwest::StatusCode::UNAUTHORIZED,
        "add_shard without a key must be 401"
    );

    // Read-only key -> 403 (authenticated but role too low for a mutation).
    let ro = http
        .post(format!("{base}/cluster/shards"))
        .bearer_auth(reader)
        .json(&add_body)
        .send()
        .await
        .unwrap();
    assert_eq!(
        ro.status(),
        reqwest::StatusCode::FORBIDDEN,
        "add_shard with a read-only key must be 403"
    );

    // Admin key -> 200, and the shard is added.
    let ok = http
        .post(format!("{base}/cluster/shards"))
        .bearer_auth(admin)
        .json(&add_body)
        .send()
        .await
        .unwrap();
    assert_eq!(
        ok.status(),
        reqwest::StatusCode::OK,
        "add_shard with the admin key must succeed"
    );
    let map: serde_json::Value = ok.json().await.unwrap();
    assert_eq!(map["shards"].as_array().unwrap().len(), 3);

    // --- DELETE is admin-gated too: no key -> 401 ---
    let del_no_key = http
        .delete(format!("{base}/cluster/shards/2"))
        .send()
        .await
        .unwrap();
    assert_eq!(
        del_no_key.status(),
        reqwest::StatusCode::UNAUTHORIZED,
        "remove_shard without a key must be 401"
    );

    // --- A read op (/cluster/map): no key -> 401, read-only key -> 200 ---
    let map_no_key = http
        .get(format!("{base}/cluster/map"))
        .send()
        .await
        .unwrap();
    assert_eq!(
        map_no_key.status(),
        reqwest::StatusCode::UNAUTHORIZED,
        "/cluster/map without a key must be 401"
    );
    let map_ro = http
        .get(format!("{base}/cluster/map"))
        .bearer_auth(reader)
        .send()
        .await
        .unwrap();
    assert_eq!(
        map_ro.status(),
        reqwest::StatusCode::OK,
        "/cluster/map with a read-only key must succeed"
    );

    server.abort();
}