test(client): support read-only clients

packages/runtime/test-runtime-utils/src/insecureTokenProvider.ts

@@ -15,6 +15,7 @@ import { IInsecureUser } from "./insecureUsers.js";
  *
  * As the name implies, this is not secure and should not be used in production.
  * It simply makes examples where authentication is not relevant easier to bootstrap.
+ * @sealed
  * @internal
  */
 export class InsecureTokenProvider implements ITokenProvider {
@@ -38,43 +39,36 @@ export class InsecureTokenProvider implements ITokenProvider {
 		 * @defaultValue [ ScopeType.DocRead, ScopeType.DocWrite, ScopeType.SummaryWrite ]
 		 */
 		private readonly scopes?: ScopeType[],
+
+		/**
+		 * Optional. Override of attach container scopes. If a param is not provided,
+		 * InsecureTokenProvider will use the value of {@link InsecureTokenProvider.scopes}.
+		 *
+		 * @remarks Common use of this parameter is to allow write for container
+		 * attach and just read for all other access. Effectively can create a
+		 * create and then read-only client.
+		 *
+		 * @param attachContainerScopes - See {@link @fluidframework/protocol-definitions#ITokenClaims.scopes}
+		 *
+		 * @defaultValue {@link InsecureTokenProvider.scopes}
+		 */
+		private readonly attachContainerScopes?: ScopeType[],
 	) {}
 
-	/**
-	 * {@inheritDoc @fluidframework/routerlicious-driver#ITokenProvider.fetchOrdererToken}
-	 */
-	public async fetchOrdererToken(
-		tenantId: string,
-		documentId?: string,
-	): Promise<ITokenResponse> {
+	private async fetchToken(tenantId: string, documentId?: string): Promise<ITokenResponse> {
+		const generalScopes = this.scopes ?? [
+			ScopeType.DocRead,
+			ScopeType.DocWrite,
+			ScopeType.SummaryWrite,
+		];
+		const scopes = (documentId ? undefined : this.attachContainerScopes) ?? generalScopes;
 		return {
 			fromCache: true,
-			jwt: generateToken(
-				tenantId,
-				this.tenantKey,
-				this.scopes ?? [ScopeType.DocRead, ScopeType.DocWrite, ScopeType.SummaryWrite],
-				documentId,
-				this.user,
-			),
+			jwt: generateToken(tenantId, this.tenantKey, scopes, documentId, this.user),
 		};
 	}
 
-	/**
-	 * {@inheritDoc @fluidframework/routerlicious-driver#ITokenProvider.fetchStorageToken}
-	 */
-	public async fetchStorageToken(
-		tenantId: string,
-		documentId: string,
-	): Promise<ITokenResponse> {
-		return {
-			fromCache: true,
-			jwt: generateToken(
-				tenantId,
-				this.tenantKey,
-				this.scopes ?? [ScopeType.DocRead, ScopeType.DocWrite, ScopeType.SummaryWrite],
-				documentId,
-				this.user,
-			),
-		};
-	}
+	public readonly fetchOrdererToken = this.fetchToken.bind(this);
+
+	public readonly fetchStorageToken = this.fetchToken.bind(this);
 }

packages/service-clients/end-to-end-tests/azure-client/src/test/AzureTokenFactory.ts

@@ -11,14 +11,15 @@ export function createAzureTokenProvider(
 	id: string,
 	name: string,
 	scopes?: ScopeType[],
+	attachScopes?: ScopeType[],
 ): ITokenProvider {
 	const key = process.env.azure__fluid__relay__service__key as string;
 	if (key) {
 		const userConfig = {
 			id,
 			name,
 		};
-		return new InsecureTokenProvider(key, userConfig, scopes);
+		return new InsecureTokenProvider(key, userConfig, scopes, attachScopes);
 	} else {
 		throw new Error("Cannot create token provider.");
 	}

packages/service-clients/end-to-end-tests/azure-client/src/test/multiprocess/childClient.ts

@@ -13,6 +13,7 @@ import {
 } from "@fluidframework/azure-client";
 import { AttachState } from "@fluidframework/container-definitions";
 import { ConnectionState } from "@fluidframework/container-loader";
+import type { ScopeType } from "@fluidframework/driver-definitions/legacy";
 import type { ContainerSchema, IFluidContainer } from "@fluidframework/fluid-static";
 import {
 	getPresence,
@@ -26,10 +27,8 @@ import {
 import { InsecureTokenProvider } from "@fluidframework/test-runtime-utils/internal";
 import { timeoutPromise } from "@fluidframework/test-utils/internal";
 
-import type { ScopeType } from "../AzureClientFactory.js";
 import { createAzureTokenProvider } from "../AzureTokenFactory.js";
 import { TestDataObject } from "../TestDataObject.js";
-import type { configProvider } from "../utils.js";
 
 import type { MessageFromChild, MessageToChild, UserIdAndName } from "./messageTypes.js";
 
@@ -54,8 +53,8 @@ if (useAzure && endPoint === undefined) {
 const getOrCreatePresenceContainer = async (
 	id: string | undefined,
 	user: UserIdAndName,
-	config?: ReturnType<typeof configProvider>,
 	scopes?: ScopeType[],
+	createScopes?: ScopeType[],
 ): Promise<{
 	container: IFluidContainer;
 	presence: Presence;
@@ -68,12 +67,17 @@ const getOrCreatePresenceContainer = async (
 	const connectionProps: AzureRemoteConnectionConfig | AzureLocalConnectionConfig = useAzure
 		? {
 				tenantId,
-				tokenProvider: createAzureTokenProvider(user.id ?? "foo", user.name ?? "bar", scopes),
+				tokenProvider: createAzureTokenProvider(
+					user.id ?? "foo",
+					user.name ?? "bar",
+					scopes,
+					createScopes,
+				),
 				endpoint: endPoint,
 				type: "remote",
 			}
 		: {
-				tokenProvider: new InsecureTokenProvider("fooBar", user, scopes),
+				tokenProvider: new InsecureTokenProvider("fooBar", user, scopes, createScopes),
 				endpoint: "http://localhost:7071",
 				type: "local",
 			};
@@ -319,6 +323,8 @@ class MessageHandler {
 		const { container, presence, containerId } = await getOrCreatePresenceContainer(
 			msg.containerId,
 			msg.user,
+			msg.scopes,
+			msg.createScopes,
 		);
 		this.container = container;
 		this.presence = presence;

packages/service-clients/end-to-end-tests/azure-client/src/test/multiprocess/messageTypes.ts

@@ -5,6 +5,7 @@
 
 // eslint-disable-next-line import/no-internal-modules
 import type { JsonSerializable } from "@fluidframework/core-interfaces/internal";
+import type { ScopeType } from "@fluidframework/driver-definitions/legacy";
 import type { AttendeeId } from "@fluidframework/presence/beta";
 
 export interface UserIdAndName {
@@ -40,6 +41,8 @@ interface PingCommand {
 export interface ConnectCommand {
 	command: "connect";
 	user: UserIdAndName;
+	scopes: ScopeType[];
+	createScopes?: ScopeType[];
 	/**
 	 * The ID of the Fluid container to connect to.
 	 * If not provided, a new Fluid container will be created.

packages/service-clients/end-to-end-tests/azure-client/src/test/multiprocess/orchestratorUtils.ts

@@ -5,6 +5,7 @@
 
 import { fork, type ChildProcess } from "node:child_process";
 
+import { ScopeType } from "@fluidframework/driver-definitions/legacy";
 import type { AttendeeId } from "@fluidframework/presence/beta";
 import { timeoutAwait, timeoutPromise } from "@fluidframework/test-utils/internal";
 
@@ -80,13 +81,18 @@ export async function forkChildProcesses(
  *
  * @param id - Suffix used to construct stable test user identity.
  */
-export function composeConnectMessage(id: string | number): ConnectCommand {
+function composeConnectMessage(
+	id: string | number,
+	scopes: ScopeType[] = [ScopeType.DocRead],
+): ConnectCommand {
 	return {
 		command: "connect",
 		user: {
 			id: `test-user-id-${id}`,
 			name: `test-user-name-${id}`,
 		},
+		scopes,
+		createScopes: [ScopeType.DocWrite],
 	};
 }
 
@@ -98,7 +104,7 @@ export function composeConnectMessage(id: string | number): ConnectCommand {
  */
 export async function connectChildProcesses(
 	childProcesses: ChildProcess[],
-	readyTimeoutMs: number,
+	{ writeClients, readyTimeoutMs }: { writeClients: number; readyTimeoutMs: number },
 ): Promise<{
 	containerCreatorAttendeeId: AttendeeId;
 	attendeeIdPromises: Promise<AttendeeId>[];
@@ -122,7 +128,15 @@ export async function connectChildProcesses(
 			}
 		});
 	});
-	firstChild.send(composeConnectMessage(0));
+	{
+		// Note that DocWrite is used to have this attendee be the "leader".
+		// DocRead would also be valid as DocWrite is specified for attach when there
+		// is no document id (container id).
+		const connectContainerCreator = composeConnectMessage(0, [
+			writeClients > 0 ? ScopeType.DocWrite : ScopeType.DocRead,
+		]);
+		firstChild.send(connectContainerCreator);
+	}
 	const { containerCreatorAttendeeId, containerId } = await timeoutAwait(
 		containerReadyPromise,
 		{
@@ -137,7 +151,9 @@ export async function connectChildProcesses(
 			attendeeIdPromises.push(Promise.resolve(containerCreatorAttendeeId));
 			continue;
 		}
-		const message = composeConnectMessage(index);
+		const message = composeConnectMessage(index, [
+			index < writeClients ? ScopeType.DocWrite : ScopeType.DocRead,
+		]);
 		message.containerId = containerId;
 		attendeeIdPromises.push(
 			new Promise<AttendeeId>((resolve, reject) => {
@@ -160,9 +176,17 @@ export async function connectChildProcesses(
  */
 export async function connectAndWaitForAttendees(
 	children: ChildProcess[],
-	attendeeCountRequired: number,
-	childConnectTimeoutMs: number,
-	attendeesJoinedTimeoutMs: number,
+	{
+		writeClients,
+		attendeeCountRequired,
+		childConnectTimeoutMs,
+		attendeesJoinedTimeoutMs,
+	}: {
+		writeClients: number;
+		attendeeCountRequired: number;
+		childConnectTimeoutMs: number;
+		attendeesJoinedTimeoutMs: number;
+	},
 	earlyExitPromise: Promise<never>,
 ): Promise<{ containerCreatorAttendeeId: AttendeeId }> {
 	const attendeeConnectedPromise = new Promise<void>((resolve) => {
@@ -176,7 +200,10 @@ export async function connectAndWaitForAttendees(
 			}
 		});
 	});
-	const connectResult = await connectChildProcesses(children, childConnectTimeoutMs);
+	const connectResult = await connectChildProcesses(children, {
+		writeClients,
+		readyTimeoutMs: childConnectTimeoutMs,
+	});
 	Promise.all(connectResult.attendeeIdPromises).catch((error) => {
 		console.error("Error connecting children:", error);
 	});