Test and deploy storage rules

sbutz · Dec 26, 2023 · 07a6b6b · 07a6b6b
1 parent f2c973a
commit 07a6b6b
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 6 deletions.
diff --git a/.github/workflows/deploy-on-merge.yml b/.github/workflows/deploy-on-merge.yml
@@ -7,10 +7,10 @@ on:
     branches:
       - master
 jobs:
-  firestore_deploy:
+  rules_deploy:
     runs-on: ubuntu-latest
     env: 
-      working-directory: ./firestore
+      working-directory: ./firebase
       GOOGLE_APPLICATION_CREDENTIALS: /opt/gcp_key.json
     steps:
       - uses: actions/checkout@v3
@@ -20,7 +20,7 @@ jobs:
         working-directory: ${{ env.working-directory }}
 
   functions_deploy:
-    needs: firestore_deploy
+    needs: rules_deploy
     runs-on: ubuntu-latest
     env: 
       working-directory: ./functions
@@ -35,7 +35,7 @@ jobs:
         working-directory: ${{ env.working-directory }}
 
   client_deploy:
-    needs: [firestore_deploy, functions_deploy]
+    needs: [rules_deploy, functions_deploy]
     runs-on: ubuntu-latest
     env: 
       working-directory: ./client

diff --git a/firebase/package.json b/firebase/package.json
@@ -6,8 +6,8 @@
   "author": "",
   "license": "ISC",
   "scripts": {
-    "deploy": "npx firebase-tools deploy --only firestore:rules",
-    "test": "npx firebase-tools emulators:exec --only firestore 'jest -i'",
+    "deploy": "npx firebase-tools deploy --only 'firestore:rules,storage:rules",
+    "test": "npx firebase-tools emulators:exec --only 'firestore,storage' 'jest -i'",
     "export": "npx firebase-tools emulators:export ./emulator_data",
     "lint": "eslint test/"
   },

diff --git a/firebase/src/firestore/default_deny.test.ts b/firebase/src/firestore/default_deny.test.ts
@@ -18,6 +18,10 @@ beforeAll(async () => {
   });
 });
 
+afterEach(async () => {
+  await testEnv.clearFirestore();
+});
+
 afterAll(async () => {
   await testEnv.cleanup();
 });

diff --git a/firebase/src/storage/default_deny.test.ts b/firebase/src/storage/default_deny.test.ts
@@ -0,0 +1,37 @@
+import { readFileSync } from 'fs';
+import { assertFails, initializeTestEnvironment, RulesTestEnvironment } from '@firebase/rules-unit-testing';
+import { uploadString, getBytes } from 'firebase/storage';
+
+let testEnv: RulesTestEnvironment;
+const clubId = 'bc73';
+const fileName = 'foo.txt';
+
+
+beforeAll(async () => {
+  testEnv = await initializeTestEnvironment({
+    storage: {
+      rules: readFileSync('storage.rules', 'utf8'),
+    },
+  });
+});
+
+afterEach(async () => {
+  await testEnv.clearStorage();
+});
+
+afterAll(async () => {
+  await testEnv.cleanup();
+});
+
+it('should forbid abitrary read/write access', async () => {
+  const unauthenticatedContext = testEnv.unauthenticatedContext();
+  await assertFails(uploadString(unauthenticatedContext.storage().ref(fileName), "123"));
+
+  const authenticatedContext = testEnv.authenticatedContext("alice", { clubId, admin: true})
+  await assertFails(uploadString(authenticatedContext.storage().ref(fileName), "123"));
+
+  await testEnv.withSecurityRulesDisabled(async (context) => {
+    await uploadString(context.storage().ref(fileName), "123");
+  });
+  await assertFails(getBytes(authenticatedContext.storage().ref(fileName)));
+});