Add integration tests for impersonation

jonathanedey · jonathanedey · commit e9f6d400c2f0 · 2025-02-10T09:55:36.000-05:00
diff --git a/test/integration/data-connect.spec.ts b/test/integration/data-connect.spec.ts
@@ -16,7 +16,7 @@
 
 import * as chai from 'chai';
 import * as chaiAsPromised from 'chai-as-promised';
-import { getDataConnect, ConnectorConfig } from '../../lib/data-connect/index';
+import { getDataConnect, ConnectorConfig, GraphqlOptions } from '../../lib/data-connect/index';
 
 chai.should();
 chai.use(chaiAsPromised);
@@ -26,61 +26,65 @@ const expect = chai.expect;
 /*
 // Schema
 type User @table(key: "uid") {
-	uid: String!
-	name: String!
-	address: String!
+  uid: String!
+  name: String!
+  address: String!
 }
+*/
+type User = {
+  uid?: string;
+  name?: string;
+  address?: string;
+  // Generated
+  emails_on_from?: Email[];
+};
 
+/*
+// Schema
 type Email @table {
-	subject: String!
-	date: Date!
-	text: String!
-	from: User!
+  subject: String!
+  date: Date!
+  text: String!
+  from: User!
 }
 */
+type Email = {
+  subject?: string;
+  date?: string;
+  text?: string;
+  from?: User;
+  // Generated
+  id?: string;
+};
 
 interface UserResponse {
-  user: {
-    name: string;
-    uid: string;
-  }
+  user: User;
 }
 
 interface UsersResponse {
-  users: [
-    user: {
-      id: string;
-      name: string;
-      address: string;
-    }
-  ];
+  users: User[];
+}
+
+interface UserUpsertResponse {
+  user_upsert: { uid: string; };
 }
 
 interface UserUpdateResponse {
-  user_upsert: { uid: string }
+  user_update: { uid: string; };
 }
 
 interface EmailsResponse {
-  emails: [
-    email: {
-      text: string;
-      subject: string;
-      id: string;
-      date: string;
-      from: {
-        name: string;
-      }
-    }
-  ];
+  emails: Email[];
 }
 
 interface UserVariables {
-  id: { uid: string };
+  id: { uid: string; };
 }
 
 const connectorConfig: ConnectorConfig = {
   location: 'us-west2',
   serviceId: 'my-service',
+  // serviceId: 'je-test-fdc',
 };
 
 const userId = 'QVBJcy5ndXJ3';
@@ -90,17 +94,30 @@ describe('getDataConnect()', () => {
   const queryListUsers = 'query ListUsers @auth(level: PUBLIC) { users { uid, name, address } }';
   const queryListEmails = 'query ListEmails @auth(level: NO_ACCESS) { emails { id subject text date from { name } } }';
   const queryGetUserById = 'query GetUser($id: User_Key!) { user(key: $id) { uid name } }';
+
+  const queryListUsersImpersonation = `
+    query ListUsers @auth(level: USER) {
+      users(where: { uid: { eq_expr: "auth.uid" } }) { uid, name, address }
+    }`;
+
   const multipleQueries = `
   ${queryListUsers}
   ${queryListEmails}
   `;
+
   const mutation = `mutation user { user_insert(data: {uid: "${userId}", address: "32 St", name: "Fred Car"}) }`;
+
+  const updateImpersonatedUser = `
+    mutation UpdateUser @auth(level: USER) {
+      user_update(key: { uid_expr: "auth.uid" }, data: { address: "32 Elm St.", name: "Fredrick" })
+    }`;
+
   const upsertUser = `mutation UpsertUser($id: String) { 
   user_upsert(data: { uid: $id, address: "32 St.", name: "Fred" }) }`;
 
   describe('executeGraphql()', () => {
     it('executeGraphql() successfully executes a GraphQL mutation', async () => {
-      const resp = await getDataConnect(connectorConfig).executeGraphql<UserUpdateResponse, unknown>(
+      const resp = await getDataConnect(connectorConfig).executeGraphql<UserUpsertResponse, unknown>(
         upsertUser, { variables: { id: userId } }
       );
       //{ data: { user_insert: { uid: 'QVBJcy5ndXJ3' } } }
@@ -111,18 +128,20 @@ describe('getDataConnect()', () => {
     it('executeGraphql() successfully executes a GraphQL', async () => {
       const resp = await getDataConnect(connectorConfig).executeGraphql<UsersResponse, UserVariables>(queryListUsers);
       expect(resp.data.users).to.be.not.empty;
-      expect(resp.data.users[0].name).to.be.not.undefined;
-      expect(resp.data.users[0].address).to.be.not.undefined;
+      expect(resp.data.users.length).to.be.greaterThan(1);
+      expect(resp.data.users[0].uid).to.not.be.undefined;
+      expect(resp.data.users[0].name).to.not.be.undefined;
+      expect(resp.data.users[0].address).to.not.be.undefined;
     });
 
     it('executeGraphql() use the operationName when multiple queries are provided', async () => {
       const resp = await getDataConnect(connectorConfig).executeGraphql<EmailsResponse, unknown>(
-        multipleQueries, 
+        multipleQueries,
         { operationName: 'ListEmails' }
       );
       expect(resp.data.emails).to.be.not.empty;
       expect(resp.data.emails[0].id).to.be.not.undefined;
-      expect(resp.data.emails[0].from.name).to.be.not.undefined;
+      expect(resp.data.emails[0].from?.name).to.be.not.undefined;
     });
 
     it('executeGraphql() should throw for a query error', async () => {
@@ -135,8 +154,9 @@ describe('getDataConnect()', () => {
         queryGetUserById,
         { variables: { id: { uid: userId } } }
       );
-      expect(resp.data.user.name).to.be.not.undefined;
       expect(resp.data.user.uid).equals(userId);
+      expect(resp.data.user.name).to.not.be.undefined;
+      expect(resp.data.user.address).to.be.undefined;
     });
   });
 
@@ -145,13 +165,154 @@ describe('getDataConnect()', () => {
       const resp =
         await getDataConnect(connectorConfig).executeGraphqlRead<UsersResponse, UserVariables>(queryListUsers);
       expect(resp.data.users).to.be.not.empty;
+      expect(resp.data.users.length).to.be.greaterThan(1);
+      expect(resp.data.users[0].uid).to.not.be.undefined;
       expect(resp.data.users[0].name).to.be.not.undefined;
       expect(resp.data.users[0].address).to.be.not.undefined;
     });
 
     it('executeGraphqlRead() should throw for a GraphQL mutation', async () => {
       return getDataConnect(connectorConfig).executeGraphqlRead(mutation)
-        .should.eventually.be.rejected;
+        .should.eventually.be.rejected.and.have.property('code', 'data-connect/permission-denied');
+    });
+  });
+
+  describe('Impersonation', () => {
+    const optsAuthorizedClaims: GraphqlOptions<undefined> = {
+      impersonate: {
+        authClaims: {
+          sub: userId,
+          email_verified: true
+        }
+      }
+    };
+
+    const optsNonExistingClaims: GraphqlOptions<undefined> = {
+      impersonate: {
+        authClaims: {
+          sub: 'non-exisiting-id',
+          email_verified: true
+        }
+      }
+    };
+
+    const optsUnauthorizedClaims: GraphqlOptions<undefined> = {
+      impersonate: {
+        unauthenticated: true
+      }
+    };
+
+    describe('USER Auth Policy', () => {
+      it('executeGraphqlRead() successfully executes an impersonated query with authenticated claims', async () => {
+        const resp =
+          await getDataConnect(connectorConfig).executeGraphqlRead<UsersResponse, undefined>(
+            queryListUsersImpersonation, optsAuthorizedClaims);
+        expect(resp.data.users).to.be.not.empty;
+        expect(resp.data.users.length).equals(1);
+        expect(resp.data.users[0].uid).equals(userId);
+        expect(resp.data.users[0].name).to.not.be.undefined;
+        expect(resp.data.users[0].address).to.not.be.undefined;
+      });
+
+      it('executeGraphqlRead() should throw for impersonated query with unauthenticated claims', async () => {
+        return getDataConnect(connectorConfig).executeGraphqlRead(queryListUsersImpersonation, optsUnauthorizedClaims)
+          .should.eventually.be.rejected.and.have.property('code', 'data-connect/unauthenticated');
+      });
+
+      it('executeGraphql() successfully executes an impersonated query with authenticated claims', async () => {
+        const resp =
+          await getDataConnect(connectorConfig).executeGraphqlRead<UsersResponse, undefined>(
+            queryListUsersImpersonation, optsAuthorizedClaims);
+        expect(resp.data.users).to.be.not.empty;
+        expect(resp.data.users.length).equals(1);
+        expect(resp.data.users[0].uid).equals(userId);
+        expect(resp.data.users[0].name).to.be.not.undefined;
+        expect(resp.data.users[0].address).to.be.not.undefined;
+      });
+
+      it('executeGraphql() should throw for impersonated query with unauthenticated claims', async () => {
+        return getDataConnect(connectorConfig).executeGraphql(queryListUsersImpersonation, optsUnauthorizedClaims)
+          .should.eventually.be.rejected.and.has.property('code', 'data-connect/unauthenticated');
+      });
+
+      it('executeGraphql() successfully executes an impersonated query with non-existing authenticated claims',
+        async () => {
+          const resp = await getDataConnect(connectorConfig).executeGraphql<UsersResponse, undefined>(
+            queryListUsersImpersonation, optsNonExistingClaims);
+          // Should find no data
+          expect(resp.data.users).to.be.empty;
+        });
+
+      it('executeGraphql() successfully executes an impersonated mutation with authenticated claims',
+        async () => {
+          const resp = await getDataConnect(connectorConfig).executeGraphql<UserUpdateResponse, undefined>(
+            updateImpersonatedUser, optsAuthorizedClaims);
+          expect(resp.data.user_update.uid).equals(userId);
+        });
+
+      it('executeGraphql() should throw for impersonated mutation with unauthenticated claims', async () => {
+        return getDataConnect(connectorConfig).executeGraphql(updateImpersonatedUser, optsUnauthorizedClaims)
+          .should.eventually.be.rejected.and.has.property('code', 'data-connect/unauthenticated');
+      });
+
+      it('executeGraphql() successfully executes an impersonated mutation with non-existing authenticated claims',
+        async () => {
+          const resp = await getDataConnect(connectorConfig).executeGraphql<UserUpdateResponse, undefined>(
+            updateImpersonatedUser, optsNonExistingClaims);
+          // Should find no data
+          expect(resp.data.user_update).to.be.null;
+        });
+    });
+
+    describe('PUBLIC Auth Policy', () => {
+      it('executeGraphql() successfully executes an impersonated query with authenticated claims', async () => {
+        const resp = await getDataConnect(connectorConfig).executeGraphql<UsersResponse, undefined>(
+          queryListUsers, optsAuthorizedClaims);
+        expect(resp.data.users).to.be.not.empty;
+        expect(resp.data.users.length).to.be.greaterThan(1);
+        expect(resp.data.users[0].uid).to.not.be.undefined;
+        expect(resp.data.users[0].name).to.not.be.undefined;
+        expect(resp.data.users[0].address).to.not.be.undefined;
+      });
+
+      it('executeGraphql() successfully executes an impersonated query with unauthenticated claims', async () => {
+        const resp = await getDataConnect(connectorConfig).executeGraphql<UsersResponse, undefined>(
+          queryListUsers, optsUnauthorizedClaims);
+        expect(resp.data.users).to.be.not.empty;
+        expect(resp.data.users.length).to.be.greaterThan(1);
+        expect(resp.data.users[0].uid).to.not.be.undefined;
+        expect(resp.data.users[0].name).to.not.be.undefined;
+        expect(resp.data.users[0].address).to.not.be.undefined;
+      });
+
+      it('executeGraphql() successfully executes an impersonated query with non-existing authenticated claims',
+        async () => {
+          const resp = await getDataConnect(connectorConfig).executeGraphql<UsersResponse, undefined>(
+            queryListUsers, optsNonExistingClaims);
+          expect(resp.data.users).to.be.not.empty;
+          expect(resp.data.users.length).to.be.greaterThan(1);
+          expect(resp.data.users[0].uid).to.not.be.undefined;
+          expect(resp.data.users[0].name).to.not.be.undefined;
+          expect(resp.data.users[0].address).to.not.be.undefined;
+        });
+    });
+
+    describe('NO_ACCESS Auth Policy', () => {
+      it('executeGraphql() should throw for an impersonated query with authenticated claims', async () => {
+        return await getDataConnect(connectorConfig).executeGraphql(queryListEmails, optsAuthorizedClaims)
+          .should.eventually.be.rejected.and.has.property('code', 'data-connect/permission-denied');
+      });
+
+      it('executeGraphql() should throw for an impersonated query with unauthenticated claims', async () => {
+        return await getDataConnect(connectorConfig).executeGraphql(queryListEmails, optsUnauthorizedClaims)
+          .should.eventually.be.rejected.and.has.property('code', 'data-connect/permission-denied');
+      });
+
+      it('executeGraphql() should throw for an impersonated query with non-existing authenticated claims',
+        async () => {
+          return await getDataConnect(connectorConfig).executeGraphql(queryListEmails, optsNonExistingClaims)
+            .should.eventually.be.rejected.and.has.property('code', 'data-connect/permission-denied');
+        });
     });
   });
 });
