Merge pull request #1 from amsprost/main

Caveat support for bundle
linkorb · Apr 12, 2023 · 4563156 · 4563156
2 parents 045bdde + 5d7eb10
commit 4563156
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 6 deletions.
diff --git a/composer.json b/composer.json
@@ -20,7 +20,7 @@
     ],
     "require": {
         "php": ">=7.4",
-        "linkorb/spicedb-php": "^1.0",
+        "linkorb/spicedb-php": "^1.1",
         "symfony/dependency-injection": "^4.4|^5.4|^6.0",
         "symfony/config": "^4.4|^5.4|^6.0",
         "symfony/http-kernel": "^4.4|^5.4|^6.0",

diff --git a/src/Security/AuthzedSubject.php b/src/Security/AuthzedSubject.php
@@ -11,12 +11,19 @@ class AuthzedSubject
     private SubjectReference $subject;
     private ObjectReference $object;
     private ?Consistency $consistency;
+    private ?array $caveatContext;
 
-    public function __construct(SubjectReference $subject, ObjectReference $object, Consistency $consistency = null)
+    public function __construct(
+        SubjectReference $subject,
+        ObjectReference  $object,
+        Consistency      $consistency = null,
+        array            $caveatContext = null
+    )
     {
-        $this->subject     = $subject;
-        $this->object      = $object;
-        $this->consistency = $consistency;
+        $this->subject       = $subject;
+        $this->object        = $object;
+        $this->consistency   = $consistency;
+        $this->caveatContext = $caveatContext;
     }
 
     public function getSubject(): SubjectReference
@@ -33,4 +40,9 @@ public function getConsistency(): ?Consistency
     {
         return $this->consistency;
     }
+
+    public function getCaveatContext(): ?array
+    {
+        return $this->caveatContext;
+    }
 }
diff --git a/src/Security/AuthzedVoter.php b/src/Security/AuthzedVoter.php
@@ -49,7 +49,8 @@ protected function voteOnAttribute(string $attribute, $subject, TokenInterface $
                     $subject->getConsistency(),
                     $subject->getObject(),
                     $attribute,
-                    $subject->getSubject()
+                    $subject->getSubject(),
+                    $subject->getCaveatContext()
                 )
             );
         } catch (SpiceDBServerException $e) {

diff --git a/tests/BundleTest.php b/tests/BundleTest.php
@@ -4,6 +4,7 @@
 
 use LinkORB\Authzed\ConnectorInterface;
 use LinkORB\Authzed\Dto\ObjectReference;
+use LinkORB\Authzed\Dto\Request\PermissionCheck as PermissionCheckRequest;
 use LinkORB\Authzed\Dto\Response\PermissionCheck;
 use LinkORB\Authzed\Dto\SubjectReference;
 use LinkORB\Authzed\SpiceDB;
@@ -107,4 +108,39 @@ public function testVoterException()
             ['view']
         );
     }
+
+    public function testVoterCaveat()
+    {
+        static::bootKernel();
+
+        $container = static::getContainer();
+
+        $subject = new AuthzedSubject(
+            new SubjectReference(new ObjectReference('user_data', '456')),
+            new ObjectReference('user', '123'),
+            null,
+            ['second_parameter' => 'hello world']
+        );
+
+        $client = $this->createMock(ConnectorInterface::class);
+        $client->expects($this->once())
+            ->method('checkPermission')
+            ->with(new PermissionCheckRequest(
+                $subject->getConsistency(),
+                $subject->getObject(),
+                'view',
+                $subject->getSubject(),
+                $subject->getCaveatContext()
+            ))
+            ->willReturn(new PermissionCheck(null, PermissionCheck::PERMISSIONSHIP_NO_PERMISSION));
+        $container->set(SpiceDB::class, $client);
+
+        $voter = $container->get(AuthzedVoter::class);
+        $this->assertInstanceOf(AuthzedVoter::class, $voter);
+
+        $this->assertEquals(
+            VoterInterface::ACCESS_DENIED,
+            $voter->vote(new NullToken(), $subject, ['view'])
+        );
+    }
 }