Tests stabilization

src/adapter/auth-oso/Cargo.toml

@@ -26,19 +26,21 @@ database-common = { workspace = true }
 init-on-startup = { workspace = true }
 internal-error = { workspace = true }
 kamu-accounts = { workspace = true }
+kamu-accounts-inmem = { workspace = true }
+kamu-accounts-services = { workspace = true }
 kamu-auth-rebac = { workspace = true }
 kamu-auth-rebac-services = { workspace = true }
 kamu-core = { workspace = true, default-features = false, features = ["oso"] }
 kamu-datasets = { workspace = true }
+kamu-datasets-inmem = { workspace = true }
 kamu-datasets-services = { workspace = true }
 messaging-outbox = { workspace = true }
 opendatafabric = { workspace = true }
 
 async-trait = "0.1"
 dill = "0.9"
 futures = { version = "0.3", default-features = false }
-oso = "0.27"
-oso-derive = "0.27"
+oso = { version = "0.27", default-features = false, features = ["derive"] }
 tokio = { version = "1", default-features = false, features = ["macros"] }
 tracing = { version = "0.1", default-features = false }
 
@@ -48,7 +50,4 @@ kamu-auth-rebac-inmem = { workspace = true }
 kamu-auth-rebac-services = { workspace = true }
 time-source = { workspace = true }
 
-tempfile = "3"
 test-log = { version = "0.2", features = ["trace"] }
-tokio = { version = "1", default-features = false, features = [] }
-tracing-subscriber = { version = "0.3", features = ["env-filter"] }

src/adapter/auth-oso/src/dataset_resource.rs

@@ -38,16 +38,14 @@ impl DatasetResource {
         }
     }
 
-    #[allow(dead_code)]
-    pub fn authorize_reader(&mut self, reader: &str) {
+    pub fn authorize_reader(&mut self, reader_account_id: &odf::AccountID) {
         self.authorized_users
-            .insert(reader.to_string(), ROLE_READER);
+            .insert(reader_account_id.to_string(), ROLE_READER);
     }
 
-    #[allow(dead_code)]
-    pub fn authorize_editor(&mut self, editor: &str) {
+    pub fn authorize_editor(&mut self, editor_account_id: &odf::AccountID) {
         self.authorized_users
-            .insert(editor.to_string(), ROLE_EDITOR);
+            .insert(editor_account_id.to_string(), ROLE_EDITOR);
     }
 }
 

src/adapter/auth-oso/src/oso_resource_service_initializator.rs

@@ -110,7 +110,7 @@ impl InitOnStartup for OsoResourceServiceInitializator {
                 .await
                 .int_err()?;
 
-            let user_actor = UserActor::new(&account.id, false, properties.is_admin);
+            let user_actor = UserActor::logged(&account.id, properties.is_admin);
 
             user_actors.push((account.id.to_string(), user_actor));
         }

src/adapter/auth-oso/src/oso_resource_service_inmem.rs

@@ -54,7 +54,8 @@ pub struct OsoResourceServiceInMem {
 #[meta(MessageConsumerMeta {
     consumer_name: MESSAGE_CONSUMER_KAMU_AUTH_OSO_OSO_RESOURCE_SERVICE,
     feeding_producers: &[MESSAGE_PRODUCER_KAMU_CORE_DATASET_SERVICE],
-    delivery: MessageDeliveryMechanism::Transactional,
+    // This is a workaround, since we need the result of processing immediately, not after some time
+    delivery: MessageDeliveryMechanism::Immediate,
  })]
 impl OsoResourceServiceInMem {
     pub fn new() -> Self {
@@ -90,10 +91,6 @@ impl OsoResourceServiceInMem {
         (user_actor, dataset_resource)
     }
 
-    fn anonymous_user_actor() -> UserActor {
-        UserActor::new("", true, false)
-    }
-
     fn user_actor(
         &self,
         readable_state: &RwLockReadGuard<'_, State>,
@@ -107,7 +104,7 @@ impl OsoResourceServiceInMem {
                 .get(account_entity_id.as_str())
                 .cloned()
         } else {
-            Some(Self::anonymous_user_actor())
+            Some(UserActor::anonymous())
         }
     }
 

src/adapter/auth-oso/src/user_actor.rs

@@ -25,10 +25,18 @@ pub struct UserActor {
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
 impl UserActor {
-    pub fn new(account_id: &odf::AccountID, anonymous: bool, is_admin: bool) -> Self {
+    pub fn anonymous() -> Self {
+        UserActor {
+            account_id: String::new(),
+            anonymous: true,
+            is_admin: false,
+        }
+    }
+
+    pub fn logged(account_id: &odf::AccountID, is_admin: bool) -> Self {
         Self {
             account_id: account_id.to_string(),
-            anonymous,
+            anonymous: false,
             is_admin,
         }
     }

src/adapter/auth-oso/tests/tests/test_oso.rs

@@ -9,6 +9,9 @@
 
 use kamu_adapter_auth_oso::{DatasetResource, KamuAuthOso, UserActor};
 use kamu_core::auth::DatasetAction;
+use opendatafabric as odf;
+
+// TODO: Private Datasets: cover all other schema branches
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
@@ -28,21 +31,24 @@ macro_rules! assert_forbidden {
 
 #[test_log::test(tokio::test)]
 async fn test_owner_can_read_and_write() {
+    let owner_account_id = random_account_id();
     let is_admin = false;
-    let user_actor = UserActor::new("foo", false, is_admin);
-    let dataset_resource = DatasetResource::new("foo", false);
+    let owner_user_actor = UserActor::logged(&owner_account_id, is_admin);
+
+    let allows_public_read = false;
+    let owned_dataset_resource = DatasetResource::new(&owner_account_id, allows_public_read);
 
     let oso = KamuAuthOso::new().oso;
 
     let write_result = oso.is_allowed(
-        user_actor.clone(),
+        owner_user_actor.clone(),
         DatasetAction::Write,
-        dataset_resource.clone(),
+        owned_dataset_resource.clone(),
     );
     let read_result = oso.is_allowed(
-        user_actor.clone(),
+        owner_user_actor.clone(),
         DatasetAction::Read,
-        dataset_resource.clone(),
+        owned_dataset_resource.clone(),
     );
 
     assert_allowed!(write_result);
@@ -54,20 +60,22 @@ async fn test_owner_can_read_and_write() {
 #[test_log::test(tokio::test)]
 async fn test_unrelated_can_read_public() {
     let is_admin = false;
-    let user_actor = UserActor::new("foo", false, is_admin);
-    let dataset_resource = DatasetResource::new("bar", true);
+    let unrelated_user_actor = UserActor::logged(&random_account_id(), is_admin);
+
+    let allows_public_read = true;
+    let public_dataset_resource = DatasetResource::new(&random_account_id(), allows_public_read);
 
     let oso = KamuAuthOso::new().oso;
 
     let write_result = oso.is_allowed(
-        user_actor.clone(),
+        unrelated_user_actor.clone(),
         DatasetAction::Write,
-        dataset_resource.clone(),
+        public_dataset_resource.clone(),
     );
     let read_result = oso.is_allowed(
-        user_actor.clone(),
+        unrelated_user_actor.clone(),
         DatasetAction::Read,
-        dataset_resource.clone(),
+        public_dataset_resource.clone(),
     );
 
     assert_forbidden!(write_result);
@@ -79,20 +87,22 @@ async fn test_unrelated_can_read_public() {
 #[test_log::test(tokio::test)]
 async fn test_unrelated_cannot_read_private() {
     let is_admin = false;
-    let user_actor = UserActor::new("foo", false, is_admin);
-    let dataset_resource = DatasetResource::new("bar", false);
+    let unrelated_user_actor = UserActor::logged(&random_account_id(), is_admin);
+
+    let allows_public_read = false;
+    let private_dataset_resource = DatasetResource::new(&random_account_id(), allows_public_read);
 
     let oso = KamuAuthOso::new().oso;
 
     let write_result = oso.is_allowed(
-        user_actor.clone(),
+        unrelated_user_actor.clone(),
         DatasetAction::Write,
-        dataset_resource.clone(),
+        private_dataset_resource.clone(),
     );
     let read_result = oso.is_allowed(
-        user_actor.clone(),
+        unrelated_user_actor.clone(),
         DatasetAction::Read,
-        dataset_resource.clone(),
+        private_dataset_resource.clone(),
     );
 
     assert_forbidden!(write_result);
@@ -103,22 +113,26 @@ async fn test_unrelated_cannot_read_private() {
 
 #[test_log::test(tokio::test)]
 async fn test_having_explicit_read_permission_in_private_dataset() {
+    let reader_account_id = random_account_id();
     let is_admin = false;
-    let user_actor = UserActor::new("foo", false, is_admin);
-    let mut dataset_resource = DatasetResource::new("bar", false);
-    dataset_resource.authorize_reader("foo");
+    let reader_user_actor = UserActor::logged(&reader_account_id, is_admin);
+
+    let allows_public_read = false;
+    let mut private_dataset_resource =
+        DatasetResource::new(&random_account_id(), allows_public_read);
+    private_dataset_resource.authorize_reader(&reader_account_id);
 
     let oso = KamuAuthOso::new().oso;
 
     let write_result = oso.is_allowed(
-        user_actor.clone(),
+        reader_user_actor.clone(),
         DatasetAction::Write,
-        dataset_resource.clone(),
+        private_dataset_resource.clone(),
     );
     let read_result = oso.is_allowed(
-        user_actor.clone(),
+        reader_user_actor.clone(),
         DatasetAction::Read,
-        dataset_resource.clone(),
+        private_dataset_resource.clone(),
     );
 
     assert_forbidden!(write_result);
@@ -129,22 +143,26 @@ async fn test_having_explicit_read_permission_in_private_dataset() {
 
 #[test_log::test(tokio::test)]
 async fn test_having_explicit_write_permission_in_private_dataset() {
+    let editor_account_id = random_account_id();
     let is_admin = false;
-    let user_actor = UserActor::new("foo", false, is_admin);
-    let mut dataset_resource = DatasetResource::new("bar", false);
-    dataset_resource.authorize_editor("foo");
+    let editor_user_actor = UserActor::logged(&editor_account_id, is_admin);
+
+    let allows_public_read = false;
+    let mut private_dataset_resource =
+        DatasetResource::new(&random_account_id(), allows_public_read);
+    private_dataset_resource.authorize_editor(&editor_account_id);
 
     let oso = KamuAuthOso::new().oso;
 
     let write_result = oso.is_allowed(
-        user_actor.clone(),
+        editor_user_actor.clone(),
         DatasetAction::Write,
-        dataset_resource.clone(),
+        private_dataset_resource.clone(),
     );
     let read_result = oso.is_allowed(
-        user_actor.clone(),
+        editor_user_actor.clone(),
         DatasetAction::Read,
-        dataset_resource.clone(),
+        private_dataset_resource.clone(),
     );
 
     assert_allowed!(write_result);
@@ -156,18 +174,20 @@ async fn test_having_explicit_write_permission_in_private_dataset() {
 #[test_log::test(tokio::test)]
 async fn test_admin_can_read_and_write_another_private_dataset() {
     let is_admin = true;
-    let user_actor = UserActor::new("foo", false, is_admin);
-    let dataset_resource = DatasetResource::new("bar", false);
+    let admin_user_actor = UserActor::logged(&random_account_id(), is_admin);
+
+    let allows_public_read = false;
+    let dataset_resource = DatasetResource::new(&random_account_id(), allows_public_read);
 
     let oso = KamuAuthOso::new().oso;
 
     let write_result = oso.is_allowed(
-        user_actor.clone(),
+        admin_user_actor.clone(),
         DatasetAction::Write,
         dataset_resource.clone(),
     );
     let read_result = oso.is_allowed(
-        user_actor.clone(),
+        admin_user_actor.clone(),
         DatasetAction::Read,
         dataset_resource.clone(),
     );
@@ -177,3 +197,11 @@ async fn test_admin_can_read_and_write_another_private_dataset() {
 }
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Helpers
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+fn random_account_id() -> odf::AccountID {
+    odf::AccountID::new_generated_ed25519().1
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////