namespace Weaviate.Client.Tests.Integration;
using System.Linq;
using Weaviate.Client;
using Weaviate.Client.Models;
using Xunit;
/// <summary>
/// Integration tests that check RBAC authorization enforcement.
/// They target the instance listening on REST port 8092 and gRPC port 50063.
/// </summary>
public class TestRbacAuthorization : IntegrationTests
{
    // API key handed to Auth.ApiKey for the suite's own (administrative) calls.
    // NOTE(review): presumably the key configured for the local RBAC test
    // instance only - confirm it is never valid outside test fixtures.
    private const string AdminApiKey = "admin-key";

    /// <summary>REST port of the instance under test.</summary>
    public override ushort RestPort => 8092;

    /// <summary>gRPC port of the instance under test.</summary>
    public override ushort GrpcPort => 50063;

    /// <summary>Credentials used by the base fixture: the admin API key.</summary>
    public override ICredentials? Credentials => Auth.ApiKey(AdminApiKey);

    /// <summary>
    /// Runs the base initialization, then applies the "1.32.0" version requirement.
    /// </summary>
    public override async ValueTask InitializeAsync()
    {
        await base.InitializeAsync();
        RequireVersion("1.32.0");
    }

    /// <summary>
    /// Verifies the deny path: a user holding only a read role must receive a
    /// <see cref="WeaviateAuthorizationException"/> when inserting an object.
    /// </summary>
    [Fact]
    [Trait("Category", "RBAC")]
    public async Task TestAuthorizationFailure()
    {
        var ct = TestContext.Current.CancellationToken;

        // Only the user id is generated; the collection name is a fixed literal.
        const string targetCollection = "AuthorizationTest";
        var restrictedUserId = Helpers.GenerateUniqueIdentifier("user");

        var schema = new CollectionConfig
        {
            Name = targetCollection,
            Properties = new[]
            {
                new Property { Name = "name", DataType = new[] { "string" } },
            },
        };

        // Created with the suite's admin credentials.
        // NOTE(review): the returned handle is not used afterwards. If
        // CollectionFactory rewrites the name, the role and the insert below
        // refer to the literal name rather than the created collection - confirm.
        _ = await CollectionFactory<object>(schema);

        // Role that grants Read on the collection and on its data, nothing else.
        // The two null arguments to Permissions.Data are passed as in the
        // original; presumably they leave optional scoping unset - confirm.
        // NOTE(review): the role name is fixed and neither the role nor the user
        // is removed in this method; unless the base fixture cleans up, both
        // (and the user's API key) stay on the instance and a rerun may collide
        // on the role name - verify.
        var restrictedRole = await _weaviate.Roles.Create(
            "read-only-role",
            [
                new Permissions.Collections(targetCollection) { Read = true },
                new Permissions.Data(targetCollection, null, null) { Read = true },
            ],
            ct
        );

        // Users.Db.Create returns the value later used as the user's API key.
        var apiKey = await _weaviate.Users.Db.Create(restrictedUserId, cancellationToken: ct);
        await _weaviate.Users.Db.AssignRoles(
            restrictedUserId,
            new[] { restrictedRole.Name },
            cancellationToken: ct
        );

        // Second client against the same endpoints, authenticated as the
        // restricted user instead of the admin.
        var restrictedClientBuilder = new WeaviateClientBuilder()
            .WithRestEndpoint("localhost")
            .WithRestPort(RestPort)
            .WithGrpcEndpoint("localhost")
            .WithGrpcPort(GrpcPort)
            .WithCredentials(Auth.ApiKey(apiKey));
        var restrictedClient = await restrictedClientBuilder.BuildAsync();
        var restrictedCollection = restrictedClient.Collections.Use(targetCollection);

        // The write attempt that the read-only role is expected to reject.
        async Task InsertAsRestrictedUser()
        {
            await restrictedCollection.Data.Insert(
                new { name = "should fail" },
                cancellationToken: ct
            );
        }

        // NOTE(review): only the denial is asserted. A successful read through
        // the same client would show that the key authenticated and that the
        // rejection comes from the role rather than from the credential.
        await Assert.ThrowsAsync<WeaviateAuthorizationException>(InsertAsRestrictedUser);
    }
}