gristlabs_grist-core/test/gen-server/lib/previewer.ts

import {Organization} from 'app/gen-server/entity/Organization';
import {HomeDBManager} from 'app/gen-server/lib/homedb/HomeDBManager';
import axios from 'axios';
import {AxiosRequestConfig} from 'axios';
import {assert} from 'chai';
import {TestServer} from 'test/gen-server/apiUtils';
import {configForUser} from 'test/gen-server/testUtils';
import * as testUtils from 'test/server/testUtils';


const previewer = configForUser('thumbnail');

function permit(permitKey: string): AxiosRequestConfig {
  return {
    responseType: 'json',
    validateStatus: (status: number) => true,
    headers: {
      Permit: permitKey
    }
  };
}

describe('previewer', function() {

  let home: TestServer;
  let dbManager: HomeDBManager;
  let homeUrl: string;

  testUtils.setTmpLogLevel('error');

  before(async function() {
    home = new TestServer(this);
    await home.start(['home', 'docs']);
    dbManager = home.dbManager;
    homeUrl = home.serverUrl;
    // for these tests, give the previewer an api key.
    await dbManager.connection.query(`update users set api_key = 'api_key_for_thumbnail' where name = 'Preview'`);
  });

  after(async function() {
    await home.stop();
  });

  it('has view access to all orgs', async function() {
    const resp = await axios.get(`${homeUrl}/api/orgs`, previewer);
    assert.equal(resp.status, 200);
    const orgs: any[] = resp.data;
    assert.lengthOf(orgs, await Organization.count());
    orgs.forEach((org: any) => assert.equal(org.access, 'viewers'));
  });

  it('has view access to workspaces and docs', async function() {
    const oid = await dbManager.testGetId('NASA');
    const resp = await axios.get(`${homeUrl}/api/orgs/${oid}/workspaces`, previewer);
    assert.equal(resp.status, 200);
    const workspaces: any[] = resp.data;
    assert.lengthOf(workspaces, 2);
    workspaces.forEach((ws: any) => {
      assert.equal(ws.access, 'viewers');
      const docs: any[] = ws.docs;
      docs.forEach((doc: any) => assert.equal(doc.access, 'viewers'));
    });
  });

  it('cannot delete or update docs and workspaces', async function() {
    const oid = await dbManager.testGetId('NASA');
    let resp = await axios.get(`${homeUrl}/api/orgs/${oid}/workspaces`, previewer);
    assert.equal(resp.status, 200);

    const wsId = resp.data[0].id;
    const docId = resp.data[0].docs[0].id;

    resp = await axios.get(`${homeUrl}/api/docs/${docId}`, previewer);
    assert.equal(resp.status, 200);
    resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, previewer);
    assert.equal(resp.status, 403);
    resp = await axios.patch(`${homeUrl}/api/docs/${docId}`, {name: 'diff'}, previewer);
    assert.equal(resp.status, 403);

    resp = await axios.get(`${homeUrl}/api/workspaces/${wsId}`, previewer);
    assert.equal(resp.status, 200);
    resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, previewer);
    assert.equal(resp.status, 403);
    resp = await axios.patch(`${homeUrl}/api/workspaces/${wsId}`, {name: 'diff'}, previewer);
    assert.equal(resp.status, 403);
  });

  it('can delete workspaces and docs using permits', async function() {
    const oid = await dbManager.testGetId('NASA');
    let resp = await axios.get(`${homeUrl}/api/orgs/${oid}/workspaces`, previewer);
    assert.equal(resp.status, 200);

    const wsId = resp.data[0].id;
    const docId = resp.data[0].docs[0].id;

    const store = home.getWorkStore().getPermitStore('internal');
    const goodDocPermit = await store.setPermit({docId});
    const badDocPermit = await store.setPermit({docId: 'dud'});
    const goodWsPermit = await store.setPermit({workspaceId: wsId});
    const badWsPermit = await store.setPermit({workspaceId: wsId + 1});

    // Check that external store is no good for internal use.
    const externalStore = home.getWorkStore().getPermitStore('external');
    const externalDocPermit = await externalStore.setPermit({docId});
    resp = await axios.get(`${homeUrl}/api/docs/${docId}`, permit(externalDocPermit));
    //assert.equal(resp.status, 401);

    resp = await axios.get(`${homeUrl}/api/docs/${docId}`, permit(badDocPermit));
    assert.equal(resp.status, 403);
    resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, permit(badDocPermit));
    assert.equal(resp.status, 403);
    resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, permit(goodWsPermit));
    assert.equal(resp.status, 403);
    resp = await axios.get(`${homeUrl}/api/docs/${docId}`, permit(goodDocPermit));
    assert.equal(resp.status, 403);
    resp = await axios.patch(`${homeUrl}/api/docs/${docId}`, {name: 'diff'}, permit(goodDocPermit));
    assert.equal(resp.status, 403);
    resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, permit(goodDocPermit));
    assert.equal(resp.status, 200);

    resp = await axios.get(`${homeUrl}/api/workspaces/${wsId}`, permit(badWsPermit));
    assert.equal(resp.status, 403);
    resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, permit(badWsPermit));
    assert.equal(resp.status, 403);
    resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, permit(goodDocPermit));
    assert.equal(resp.status, 403);
    resp = await axios.get(`${homeUrl}/api/workspaces/${wsId}`, permit(goodWsPermit));
    assert.equal(resp.status, 403);
    resp = await axios.patch(`${homeUrl}/api/workspaces/${wsId}`, {name: 'diff'}, permit(goodWsPermit));
    assert.equal(resp.status, 403);
    resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, permit(goodWsPermit));
    assert.equal(resp.status, 200);

  });
});
(core) test: move gen-server tests into core Summary: These are tests that we just never moved into the public repo. It's just a small chore to make them public. Test Plan: Make sure the tests still pass Reviewers: jarek Reviewed By: jarek Differential Revision: https://phab.getgrist.com/D4311 2024-08-07 17:20:20 +00:00			`import {Organization} from 'app/gen-server/entity/Organization';`
			`import {HomeDBManager} from 'app/gen-server/lib/homedb/HomeDBManager';`
			`import axios from 'axios';`
			`import {AxiosRequestConfig} from 'axios';`
			`import {assert} from 'chai';`
			`import {TestServer} from 'test/gen-server/apiUtils';`
			`import {configForUser} from 'test/gen-server/testUtils';`
			`import * as testUtils from 'test/server/testUtils';`


			`const previewer = configForUser('thumbnail');`

			`function permit(permitKey: string): AxiosRequestConfig {`
			`return {`
			`responseType: 'json',`
			`validateStatus: (status: number) => true,`
			`headers: {`
			`Permit: permitKey`
			`}`
			`};`
			`}`

			`describe('previewer', function() {`

			`let home: TestServer;`
			`let dbManager: HomeDBManager;`
			`let homeUrl: string;`

			`testUtils.setTmpLogLevel('error');`

			`before(async function() {`
			`home = new TestServer(this);`
			`await home.start(['home', 'docs']);`
			`dbManager = home.dbManager;`
			`homeUrl = home.serverUrl;`
			`// for these tests, give the previewer an api key.`
			await dbManager.connection.query(`update users set api_key = 'api_key_for_thumbnail' where name = 'Preview'`);
			`});`

			`after(async function() {`
			`await home.stop();`
			`});`

			`it('has view access to all orgs', async function() {`
			const resp = await axios.get(`${homeUrl}/api/orgs`, previewer);
			`assert.equal(resp.status, 200);`
			`const orgs: any[] = resp.data;`
			`assert.lengthOf(orgs, await Organization.count());`
			`orgs.forEach((org: any) => assert.equal(org.access, 'viewers'));`
			`});`

			`it('has view access to workspaces and docs', async function() {`
			`const oid = await dbManager.testGetId('NASA');`
			const resp = await axios.get(`${homeUrl}/api/orgs/${oid}/workspaces`, previewer);
			`assert.equal(resp.status, 200);`
			`const workspaces: any[] = resp.data;`
			`assert.lengthOf(workspaces, 2);`
			`workspaces.forEach((ws: any) => {`
			`assert.equal(ws.access, 'viewers');`
			`const docs: any[] = ws.docs;`
			`docs.forEach((doc: any) => assert.equal(doc.access, 'viewers'));`
			`});`
			`});`

			`it('cannot delete or update docs and workspaces', async function() {`
			`const oid = await dbManager.testGetId('NASA');`
			let resp = await axios.get(`${homeUrl}/api/orgs/${oid}/workspaces`, previewer);
			`assert.equal(resp.status, 200);`

			`const wsId = resp.data[0].id;`
			`const docId = resp.data[0].docs[0].id;`

			resp = await axios.get(`${homeUrl}/api/docs/${docId}`, previewer);
			`assert.equal(resp.status, 200);`
			resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, previewer);
			`assert.equal(resp.status, 403);`
			resp = await axios.patch(`${homeUrl}/api/docs/${docId}`, {name: 'diff'}, previewer);
			`assert.equal(resp.status, 403);`

			resp = await axios.get(`${homeUrl}/api/workspaces/${wsId}`, previewer);
			`assert.equal(resp.status, 200);`
			resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, previewer);
			`assert.equal(resp.status, 403);`
			resp = await axios.patch(`${homeUrl}/api/workspaces/${wsId}`, {name: 'diff'}, previewer);
			`assert.equal(resp.status, 403);`
			`});`

			`it('can delete workspaces and docs using permits', async function() {`
			`const oid = await dbManager.testGetId('NASA');`
			let resp = await axios.get(`${homeUrl}/api/orgs/${oid}/workspaces`, previewer);
			`assert.equal(resp.status, 200);`

			`const wsId = resp.data[0].id;`
			`const docId = resp.data[0].docs[0].id;`

			`const store = home.getWorkStore().getPermitStore('internal');`
			`const goodDocPermit = await store.setPermit({docId});`
			`const badDocPermit = await store.setPermit({docId: 'dud'});`
			`const goodWsPermit = await store.setPermit({workspaceId: wsId});`
			`const badWsPermit = await store.setPermit({workspaceId: wsId + 1});`

			`// Check that external store is no good for internal use.`
			`const externalStore = home.getWorkStore().getPermitStore('external');`
			`const externalDocPermit = await externalStore.setPermit({docId});`
			resp = await axios.get(`${homeUrl}/api/docs/${docId}`, permit(externalDocPermit));
			`//assert.equal(resp.status, 401);`

			resp = await axios.get(`${homeUrl}/api/docs/${docId}`, permit(badDocPermit));
			`assert.equal(resp.status, 403);`
			resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, permit(badDocPermit));
			`assert.equal(resp.status, 403);`
			resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, permit(goodWsPermit));
			`assert.equal(resp.status, 403);`
			resp = await axios.get(`${homeUrl}/api/docs/${docId}`, permit(goodDocPermit));
			`assert.equal(resp.status, 403);`
			resp = await axios.patch(`${homeUrl}/api/docs/${docId}`, {name: 'diff'}, permit(goodDocPermit));
			`assert.equal(resp.status, 403);`
			resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, permit(goodDocPermit));
			`assert.equal(resp.status, 200);`

			resp = await axios.get(`${homeUrl}/api/workspaces/${wsId}`, permit(badWsPermit));
			`assert.equal(resp.status, 403);`
			resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, permit(badWsPermit));
			`assert.equal(resp.status, 403);`
			resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, permit(goodDocPermit));
			`assert.equal(resp.status, 403);`
			resp = await axios.get(`${homeUrl}/api/workspaces/${wsId}`, permit(goodWsPermit));
			`assert.equal(resp.status, 403);`
			resp = await axios.patch(`${homeUrl}/api/workspaces/${wsId}`, {name: 'diff'}, permit(goodWsPermit));
			`assert.equal(resp.status, 403);`
			resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, permit(goodWsPermit));
			`assert.equal(resp.status, 200);`

			`});`
			`});`