fix: Fix secure and playground connection (#43)

Signed-off-by: Oğuzhan Durgun <oguzhandurgun95@gmail.com> Co-authored-by: Charith Ellawala <charithe@users.noreply.github.com>
cerbos · Jun 22, 2023 · 5c0fac1 · 5c0fac1
1 parent 4647f08
commit 5c0fac1
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 11 deletions.
diff --git a/psalm.xml b/psalm.xml
@@ -1,6 +1,7 @@
 <?xml version="1.0"?>
 <psalm
     errorLevel="2"
+    threads="1"
     resolveFromConfigFile="true"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="https://getpsalm.org/schema/config"
@@ -9,5 +10,8 @@
     <projectFiles>
         <directory name="src/Sdk" />
         <directory name="tests" />
+        <ignoreFiles>
+            <directory name="vendor" />
+        </ignoreFiles>
     </projectFiles>
 </psalm>
diff --git a/src/Sdk/Builder/CerbosClientBuilder.php b/src/Sdk/Builder/CerbosClientBuilder.php
@@ -91,16 +91,32 @@ public function withPlayground(string $playgroundInstanceId): CerbosClientBuilde
      * @throws Exception
      */
     public function build(): CerbosClient {
-        if (!is_null($this->caCertificate) && !is_null($this->tlsKey) && !is_null($this->tlsCertificate)){
-            $credentials = ChannelCredentials::createSsl(
-                $this->caCertificate,
-                $this->tlsKey,
-                $this->tlsCertificate
-            );
-        } else if ($this->plaintext) {
+        if ($this->plaintext) {
+            if ($this->playgroundInstanceId != "") {
+                throw new Exception("cannot use a plaintext connection to interact with the Cerbos Playground");
+            }
+
             $credentials = ChannelCredentials::createInsecure();
-        } else {
-            throw new Exception("either use the withPlaintext(true) or provide tlsKey and tlsCertificate");
+        }
+        else if (!is_null($this->caCertificate)) {
+            if (!is_null($this->tlsCertificate) && !is_null($this->tlsKey)) {
+                $credentials = ChannelCredentials::createSsl(
+                    $this->caCertificate,
+                    $this->tlsKey,
+                    $this->tlsCertificate
+                );
+            }
+            else {
+                $credentials = ChannelCredentials::createSsl(
+                    $this->caCertificate
+                );
+            }
+        }
+        else {
+            /**
+             * @psalm-suppress TooFewArguments
+             */
+            $credentials = ChannelCredentials::createSsl();
         }
 
         $csc = new CerbosServiceClient(

diff --git a/tests/CerbosClientTest.php b/tests/CerbosClientTest.php
@@ -273,4 +273,34 @@ public function testPlanResourcesValidation(): void{
         $this->assertFalse($planResourcesResult->isAlwaysAllowed(), "planResourcesResult is always allowed");
         $this->assertFalse($planResourcesResult->isConditional(), "planResourcesResult is conditional");
     }
+
+    public function testPlayground(): void {
+        $request = CheckResourcesRequest::newInstance()
+            ->withRequestId("1")
+            ->withPrincipal(
+                Principal::newInstance("sajit")
+                    ->withRole("ADMIN")
+                    ->withAttribute("department", AttributeValue::stringValue("IT"))
+            )
+            ->withResourceEntry(
+                ResourceEntry::newInstance("expense", "XX125")
+                    ->withAttribute("ownerId", AttributeValue::stringValue("sally"))
+                    ->withAttribute("createdAt", AttributeValue::stringValue("2021-10-01T10:00:00.021-05:00"))
+                    ->withAttribute("vendor", AttributeValue::stringValue("Flux Water Gear"))
+                    ->withAttribute("region", AttributeValue::stringValue("EMEA"))
+                    ->withAttribute("amount", AttributeValue::intValue(500))
+                    ->withAttribute("status", AttributeValue::stringValue("OPEN"))
+                    ->withActions(["approve", "delete"])
+            );
+
+        try {
+            $checkResourcesResult = $this->playgroundClient->checkResources($request);
+            $resultEntry = $checkResourcesResult->find("XX125");
+        } catch (Exception $e) {
+            $this->fail($e->getMessage());
+        }
+
+        $this->assertTrue($resultEntry->isAllowed("approve"), "result of XX125 for approve action is wrong");
+        $this->assertTrue($resultEntry->isAllowed("delete"), "result of XX125 for delete action is wrong");
+    }
 }
diff --git a/tests/TestCase.php b/tests/TestCase.php
@@ -13,8 +13,9 @@
 
 abstract class TestCase extends \PHPUnit\Framework\TestCase
 {
-    private string $host = "localhost:3593";
-    private string $playgroundInstanceId = "XhkOi82fFKk3YW60e2c806Yvm0trKEje"; // See: https://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje
+    private string $host = 'localhost:3593';
+    private string $playgroundHost = 'demo-pdp.cerbos.cloud';
+    private string $playgroundInstanceId = 'XhkOi82fFKk3YW60e2c806Yvm0trKEje'; // See: https://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje
     protected CerbosClient $client;
     protected CerbosClient $playgroundClient;
 
@@ -27,5 +28,6 @@ protected function setUp(): void
         parent::setUp();
 
         $this->client = CerbosClientBuilder::newInstance($this->host)->withPlaintext(true)->build();
+        $this->playgroundClient = CerbosClientBuilder::newInstance($this->playgroundHost)->withPlayground($this->playgroundInstanceId)->build();
     }
 }