WIP: postdeploy debug

src/storage/kv/get.js

@@ -12,6 +12,8 @@
 
 export default async function getKv(env, daCtx) {
   const body = await env.DA_CONFIG.get(daCtx.fullKey);
+  const object = body ? JSON.parse(body) : null;
+  console.log('read config via getKv', daCtx.fullKey, object?.permissions?.data);
   if (body) return { body, status: 200 };
   return { body: JSON.stringify({ error: 'not found' }), status: 404 };
 }

src/storage/kv/put.js

@@ -39,6 +39,12 @@ async function save(env, key, string) {
     await env.DA_CONFIG.put(key, string);
     // Validate the content is there
     body = await env.DA_CONFIG.get(key);
+    try {
+      const object = body ? JSON.parse(body) : null;
+      console.log('read config via save', key, object?.permissions?.data);
+    } catch (e) {
+      // ignore
+    }
     status = 201;
   } catch {
     body = JSON.stringify({ error: 'Couldn\'t parse or save config.' });

src/utils/auth.js

@@ -226,12 +226,15 @@ export async function getAclCtx(env, org, users, key, api) {
 
   const props = await env.DA_CONFIG?.get(org, { type: 'json' });
 
+  console.log('read config via getAclCtx', org, props?.permissions?.data);
+
   if (props && props[':type'] === 'sheet' && props[':sheetname'] === 'permissions') {
     // It's a single-sheet, move the data to the right place
     props.permissions = { data: props.data };
   }
 
   if (!props?.permissions?.data) {
+    console.log('no permissions data', pathLookup);
     return {
       pathLookup,
       actionSet: new Set(['read', 'write']),
@@ -312,6 +315,11 @@ export async function getAclCtx(env, org, users, key, api) {
   //   actionTrace = pathActions.actionTrace;
   // }
 
+  console.log('getAclCtx', org, users);
+  console.log('actionSet', actionSet);
+  console.log('actionTrace', actionTrace);
+  console.log('pathLookup', pathLookup);
+
   return { pathLookup, actionSet, actionTrace };
 }
 

test/it/it-tests.js

@@ -62,13 +62,16 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
     assert.strictEqual(resp.status, 200, `Expected 200 OK, got ${resp.status} - user: ${superUser.email}`);
 
     const body = await resp.json();
+    // check initial config is clean
     assert.strictEqual(body.total, 2, `Expected 2, got ${body.total}`);
     assert.strictEqual(body.data[0].path, 'CONFIG', `Expected CONFIG, got ${body.data[0].path}`);
     assert.strictEqual(body.data[0].groups, superUser.email, `Expected user email, got ${body.data[0].groups}`);
     assert.strictEqual(body.data[0].actions, 'write', `Expected write, got ${body.data[0].actions}`);
     assert.strictEqual(body.data[1].path, '/+**', `Expected /+**, got ${body.data[1].path}`);
     assert.strictEqual(body.data[1].groups, superUser.email, `Expected user email, got ${body.data[1].groups}`);
     assert.strictEqual(body.data[1].actions, 'write', `Expected write, got ${body.data[1].actions}`);
+    assert.strictEqual(body[':type'], 'sheet', `Expected sheet, got ${body[':type']}`);
+    assert.strictEqual(body[':sheetname'], 'permissions', `Expected permissions, got ${body[':sheetname']}`);
   });
 
   it('[anonymous] cannot delete root folder', async () => {
@@ -334,6 +337,8 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
       limit: newConfigData.length,
       offset: 0,
       data: newConfigData,
+      ':type': 'sheet',
+      ':sheetname': 'permissions',
     }));
     resp = await fetch(url, {
       method: 'POST',
@@ -354,6 +359,17 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
     assert.strictEqual(resp.status, 200, `Expected 200 OK, got ${resp.status}`);
   });
 
+  it('[limited user] still cannot read page1', async () => {
+    const {
+      serverUrl, org, repo, limitedUser,
+    } = ctx;
+    const url = `${serverUrl}/source/${org}/${repo}/test-folder/page1.html`;
+    const resp = await fetch(url, {
+      headers: { Authorization: `Bearer ${limitedUser.accessToken}` },
+    });
+    assert.strictEqual(resp.status, 403, `Expected 403 Unauthorized, got ${resp.status} - user: ${limitedUser.email}`);
+  });
+
   it('[super user] should remove added entries to clean up the config', async () => {
     const {
       serverUrl, org, repo, superUser,
@@ -370,6 +386,8 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
       limit: newConfigData.length,
       offset: 0,
       data: newConfigData,
+      ':type': 'sheet',
+      ':sheetname': 'permissions',
     }));
     resp = await fetch(url, {
       method: 'POST',
@@ -388,10 +406,11 @@ export default (ctx) => describe('Integration Tests: it tests', function () {
     assert.strictEqual(body.data[1].path, '/+**', `Expected /+**, got ${body.data[1].path}`);
     assert.strictEqual(body.data[1].groups, superUser.email, `Expected user email, got ${body.data[1].groups}`);
     assert.strictEqual(body.data[1].actions, 'write', `Expected write, got ${body.data[1].actions}`);
+    assert.strictEqual(body[':type'], 'sheet', `Expected sheet, got ${body[':type']}`);
+    assert.strictEqual(body[':sheetname'], 'permissions', `Expected permissions, got ${body[':sheetname']}`);
   });
 
-  // TODO: currently the auth session is stored in memory, so the limited user can still read page2
-  it.skip('[limited user] cannot read page2 anymore', async () => {
+  it('[limited user] cannot read page2 anymore', async () => {
     const {
       serverUrl, org, repo, limitedUser,
     } = ctx;

wrangler.toml

@@ -3,6 +3,9 @@ main = "src/index.js"
 compatibility_date = "2024-11-11"
 keep_vars = true
 
+[observability]
+enabled = false
+
 # ----------------------------------------------------------------------
 # production environment
 [env.production]
@@ -122,5 +125,4 @@ r2_buckets = [
 ENVIRONMENT = "it"
 VERSION="0.0.0-it"
 DA_COLLAB = "http://localhost:4711"
-AEM_BUCKET_NAME = "aem-content-local"
-
+AEM_BUCKET_NAME = "aem-content-local"