add some access/credentials tests + emit events if unauthorized

[paulo-ocean]

Fixes #840

Changes proposed in this PR:

[alexcos20]

why do we need to emit events?

[paulo-ocean]

why do we need to emit events?

we don't necessarily need them for the functionality, but its important to properly test access related stuff... for the tests infrastructure basically... without this its impossible to know what happened if something went wrong..

consider the following:
i can try to publish an asset, but a lot of things could fail, either i'm not allowed to publish it... or i cannot validate it, or i cannot decrypt it. or some other generic error... we have now multiple roles and a lot of credentials configurations involved as well...

If i try to look for that asset, and something failed, its not there, its not indexed, but how do i know what happened?... Where was the issue?..

If we emit some AUTH related events, we can catch those (if we want) and properly test the access/credentials/roles changes.. we can at least distinguish if it was access related

Without it, we can't..

That was the main idea. Not necessary but useful

[giurgiur99]

Should we keep the events mentioned here? I don't find them mandatory. @alexcos20

[mariacarmina]

why do we need to emit events?

we don't necessarily need them for the functionality, but its important to properly test access related stuff... for the tests infrastructure basically... without this its impossible to know what happened if something went wrong..

consider the following: i can try to publish an asset, but a lot of things could fail, either i'm not allowed to publish it... or i cannot validate it, or i cannot decrypt it. or some other generic error... we have now multiple roles and a lot of credentials configurations involved as well...

If i try to look for that asset, and something failed, its not there, its not indexed, but how do i know what happened?... Where was the issue?..

If we emit some AUTH related events, we can catch those (if we want) and properly test the access/credentials/roles changes.. we can at least distinguish if it was access related

Without it, we can't..

That was the main idea. Not necessary but useful

Regarding this comment, I think maintaining events for authorisation checks is overengineering/overcomplicated, the error should be traceable via logs as we do for decryption errors, validation errors and so on. My suggestion is to not over complicate and remove them + tests update.

[giurgiur99]

LGTM now

[alexcos20]

lgtm