diff --git a/src/storage/kv/get.js b/src/storage/kv/get.js
index 31d96d6..17e3bd9 100644
--- a/src/storage/kv/get.js
+++ b/src/storage/kv/get.js
@@ -12,6 +12,8 @@ export default async function getKv(env, daCtx) {
 const body = await env.DA_CONFIG.get(daCtx.fullKey);
+ const object = body ? JSON.parse(body) : null;
+ console.log('read config via getKv', daCtx.fullKey, object?.permissions?.data);
 if (body) return { body, status: 200 };
 return { body: JSON.stringify({ error: 'not found' }), status: 404 };
 }
diff --git a/src/storage/kv/put.js b/src/storage/kv/put.js
index 14ea645..00d215e 100644
--- a/src/storage/kv/put.js
+++ b/src/storage/kv/put.js
@@ -39,6 +39,12 @@ async function save(env, key, string) {
 await env.DA_CONFIG.put(key, string);
 // Validate the content is there
 body = await env.DA_CONFIG.get(key);
+ try {
+ const object = body ? JSON.parse(body) : null;
+ console.log('read config via save', key, object?.permissions?.data);
+ } catch (e) {
+ // ignore
+ }
 status = 201;
 } catch {
 body = JSON.stringify({ error: 'Couldn\'t parse or save config.' });
diff --git a/src/utils/auth.js b/src/utils/auth.js
index 6f4f933..529cc88 100644
--- a/src/utils/auth.js
+++ b/src/utils/auth.js
@@ -226,12 +226,15 @@ export async function getAclCtx(env, org, users, key, api) {
 const props = await env.DA_CONFIG?.get(org, { type: 'json' });
+ console.log('read config via getAclCtx', org, props?.permissions?.data);
+
 if (props && props[':type'] === 'sheet' && props[':sheetname'] === 'permissions') {
 // It's a single-sheet, move the data to the right place
 props.permissions = { data: props.data };
 }
 if (!props?.permissions?.data) {
+ console.log('no permissions data', pathLookup);
 return {
 pathLookup,
 actionSet: new Set(['read', 'write']),
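Review bot: The added `JSON.parse(body)` in getKv is not guarded, so a stored value that is not valid JSON now makes the read throw before the `if (body) return { body, status: 200 }` line that used to serve it. The same parse in put.js `save` is wrapped in try/catch, and this one should be too, e.g. `let object = null; try { object = body ? JSON.parse(body) : null; } catch { /* not JSON, skip the debug log */ }`. Both hunks also print `permissions.data` on every config read, and the integration tests in this commit show those rows carry user e-mail addresses in `groups`, so the access-control table ends up in the worker log. If this is temporary debug output, log only the key and a row count, or put it behind a debug switch.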
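Review bot: The first added `console.log` in getAclCtx reads `props?.permissions?.data` before the single-sheet branch copies `props.data` into `props.permissions`, so for a single-sheet config it prints `undefined` even though permission rows exist; it belongs below that `if` block. The `no permissions data` branch is the one that returns `actionSet: new Set(['read', 'write'])`, so this message marks the permissive fallback and is worth keeping, but it should name the org an operator has to look at rather than `pathLookup`: `console.warn('no permissions data, falling back to read/write', org);`. The function body starts before and continues after this hunk.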
@@ -312,6 +315,11 @@ export async function getAclCtx(env, org, users, key, api) {
 // actionTrace = pathActions.actionTrace;
 // }
+ console.log('getAclCtx', org, users);
+ console.log('actionSet', actionSet);
+ console.log('actionTrace', actionTrace);
+ console.log('pathLookup', pathLookup);
+
 return { pathLookup, actionSet, actionTrace };
 }
diff --git a/test/it/it-tests.js b/test/it/it-tests.js
index c650b04..25170cd 100644
--- a/test/it/it-tests.js
+++ b/test/it/it-tests.js
@@ -62,6 +62,7 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
 assert.strictEqual(resp.status, 200, `Expected 200 OK, got ${resp.status} - user: ${superUser.email}`);
 const body = await resp.json();
+ // check initial config is clean
 assert.strictEqual(body.total, 2, `Expected 2, got ${body.total}`);
 assert.strictEqual(body.data[0].path, 'CONFIG', `Expected CONFIG, got ${body.data[0].path}`);
 assert.strictEqual(body.data[0].groups, superUser.email, `Expected user email, got ${body.data[0].groups}`);
@@ -69,6 +70,8 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
 assert.strictEqual(body.data[1].path, '/+**', `Expected /+**, got ${body.data[1].path}`);
 assert.strictEqual(body.data[1].groups, superUser.email, `Expected user email, got ${body.data[1].groups}`);
 assert.strictEqual(body.data[1].actions, 'write', `Expected write, got ${body.data[1].actions}`);
+ assert.strictEqual(body[':type'], 'sheet', `Expected sheet, got ${body[':type']}`);
+ assert.strictEqual(body[':sheetname'], 'permissions', `Expected permissions, got ${body[':sheetname']}`);
 });
 it('[anonymous] cannot delete root folder', async () => {
@@ -334,6 +337,8 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
 limit: newConfigData.length,
 offset: 0,
 data: newConfigData,
+ ':type': 'sheet',
+ ':sheetname': 'permissions',
 }));
 resp = await fetch(url, {
 method: 'POST',
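Review bot: The four `console.log` calls before the final `return` run on every getAclCtx call and print the `users` argument together with the resolved `actionSet`, `actionTrace` and `pathLookup`, which writes per-request identity data (presumably e-mail or group identifiers, to be confirmed against the caller) and the full ACL evaluation into the worker log. This commit also sets `[observability] enabled = false` in wrangler.toml, but console output may still reach live log tailing or log-push consumers, so that setting should not be relied on to keep the data out of logs. Prefer one line that logs the org and the size of `actionSet`, emitted only when a debug switch is set, and remove the rest before merge. The function body starts outside this hunk.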
@@ -354,6 +359,17 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
 assert.strictEqual(resp.status, 200, `Expected 200 OK, got ${resp.status}`);
 });
+ it('[limited user] still cannot read page1', async () => {
+ const {
+ serverUrl, org, repo, limitedUser,
+ } = ctx;
+ const url = `${serverUrl}/source/${org}/${repo}/test-folder/page1.html`;
+ const resp = await fetch(url, {
+ headers: { Authorization: `Bearer ${limitedUser.accessToken}` },
+ });
+ assert.strictEqual(resp.status, 403, `Expected 403 Unauthorized, got ${resp.status} - user: ${limitedUser.email}`);
+ });
+
 it('[super user] should remove added entries to clean up the config', async () => {
 const {
 serverUrl, org, repo, superUser,
@@ -370,6 +386,8 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
 limit: newConfigData.length,
 offset: 0,
 data: newConfigData,
+ ':type': 'sheet',
+ ':sheetname': 'permissions',
 }));
 resp = await fetch(url, {
 method: 'POST',
@@ -388,10 +406,11 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
 assert.strictEqual(body.data[1].path, '/+**', `Expected /+**, got ${body.data[1].path}`);
 assert.strictEqual(body.data[1].groups, superUser.email, `Expected user email, got ${body.data[1].groups}`);
 assert.strictEqual(body.data[1].actions, 'write', `Expected write, got ${body.data[1].actions}`);
+ assert.strictEqual(body[':type'], 'sheet', `Expected sheet, got ${body[':type']}`);
+ assert.strictEqual(body[':sheetname'], 'permissions', `Expected permissions, got ${body[':sheetname']}`);
 });
- // TODO: currently the auth session is stored in memory, so the limited user can still read page2
- it.skip('[limited user] cannot read page2 anymore', async () => {
+ it('[limited user] cannot read page2 anymore', async () => {
 const {
 serverUrl, org, repo, limitedUser,
 } = ctx;
diff --git a/wrangler.toml b/wrangler.toml
index 5e08a2e..9b3be90 100644
--- a/wrangler.toml
+++ b/wrangler.toml
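Review bot: The failure message in the new `still cannot read page1` test labels 403 as "Unauthorized", which is the name of 401; a failed run is easier to read with `Expected 403 Forbidden, got ${resp.status} - user: ${limitedUser.email}`. The test appears to depend on the permissions config posted by the test before it, so a one-line comment naming the rule that denies page1 to the limited user would make the negative case self-explanatory: `// page1 is not covered by any rule granted to limitedUser, so access must stay denied`.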
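Review bot: Nothing in the src changes of this commit touches the in-memory auth session that the removed TODO gave as the reason for skipping `[limited user] cannot read page2 anymore`; the src hunks only add logging. If revocation now takes effect immediately because of a change made elsewhere, replace the TODO with a comment that says so, for example `// permissions are re-read from DA_CONFIG on each request, so the removed rule applies immediately`. If it does not, this access-revocation check will fail or pass only by timing and should stay skipped until the caching is addressed. The test body continues outside the hunk.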
@@ -3,6 +3,9 @@ main = "src/index.js"
 compatibility_date = "2024-11-11"
 keep_vars = true
+[observability]
+enabled = false
+
 # ----------------------------------------------------------------------
 # production environment
 [env.production]
@@ -122,5 +125,4 @@ r2_buckets = [
 ENVIRONMENT = "it"
 VERSION="0.0.0-it"
 DA_COLLAB = "http://localhost:4711"
-AEM_BUCKET_NAME = "aem-content-local"
-
+AEM_BUCKET_NAME = "aem-content-local"
\ No newline at end of file