test(policy): move raw sql regression to e2e

Author: pkudinov

packages/plugins/policy/package.json

@@ -7,7 +7,6 @@
         "build": "tsc --noEmit && tsup-node",
         "watch": "tsup-node --watch",
         "lint": "eslint src --ext ts",
-        "test": "vitest run",
         "pack": "pnpm pack"
     },
     "keywords": [],
@@ -47,10 +46,7 @@
     },
     "devDependencies": {
         "@types/better-sqlite3": "catalog:",
-        "@types/pg": "^8.0.0",
         "@zenstackhq/eslint-config": "workspace:*",
-        "@zenstackhq/testtools": "workspace:*",
-        "@zenstackhq/typescript-config": "workspace:*",
-        "@zenstackhq/vitest-config": "workspace:*"
+        "@zenstackhq/typescript-config": "workspace:*"
     }
 }

packages/plugins/policy/vitest.config.ts

@@ -1,8 +1,9 @@
+import { PolicyPlugin } from '@zenstackhq/plugin-policy';
 import type { ClientContract } from '@zenstackhq/orm';
 import type { SchemaDef } from '@zenstackhq/orm/schema';
 import { createTestClient } from '@zenstackhq/testtools';
-import { beforeAll, describe, expect, it } from 'vitest';
-import { PolicyPlugin } from '../src/plugin';
+import { sql } from 'kysely';
+import { afterEach, describe, expect, it } from 'vitest';
 
 const schema = `
 model User {
@@ -24,49 +25,42 @@ model Secret {
 }
 `;
 
-describe('PolicyPlugin raw SQL', () => {
-    let unsafeClient: ClientContract<SchemaDef>;
-    let rawClient: ClientContract<SchemaDef>;
-    let adminClient: ClientContract<SchemaDef>;
-    let defaultClient: ClientContract<SchemaDef>;
-    let defaultRawClient: ClientContract<SchemaDef>;
-    let defaultAdminClient: ClientContract<SchemaDef>;
-
-    beforeAll(async () => {
-        unsafeClient = await createTestClient(schema, {
-            plugins: [new PolicyPlugin({ dangerouslyAllowRawSql: true })],
-            provider: 'postgresql',
-            dbName: 'policy_raw_sql_dangerous',
-        });
-        rawClient = unsafeClient.$unuseAll();
-        adminClient = unsafeClient.$setAuth({ id: 'admin', role: 'admin' });
+describe('Policy raw SQL tests', () => {
+    const clients: ClientContract<SchemaDef>[] = [];
 
-        await rawClient.user.create({
-            data: {
-                id: 'admin',
-                role: 'admin',
-            },
-        });
+    afterEach(async () => {
+        await Promise.all(clients.splice(0).map((client) => client.$disconnect()));
+    });
 
-        defaultClient = await createTestClient(schema, {
-            plugins: [new PolicyPlugin()],
-            provider: 'postgresql',
-            dbName: 'policy_raw_sql_default',
+    function ref(client: ClientContract<SchemaDef>, col: string) {
+        return client.$schema.provider.type === 'mysql' ? sql.raw(`\`${col}\``) : sql.raw(`"${col}"`);
+    }
+
+    async function createPolicyClient(options?: { dangerouslyAllowRawSql?: boolean; dbName: string }) {
+        const unsafeClient = await createTestClient(schema, {
+            dbName: options?.dbName,
+            plugins: [new PolicyPlugin({ dangerouslyAllowRawSql: options?.dangerouslyAllowRawSql })],
         });
-        defaultRawClient = defaultClient.$unuseAll();
-        defaultAdminClient = defaultClient.$setAuth({ id: 'admin', role: 'admin' });
+        clients.push(unsafeClient);
+
+        const rawClient = unsafeClient.$unuseAll();
+        const adminClient = unsafeClient.$setAuth({ id: 'admin', role: 'admin' });
 
-        await defaultRawClient.user.create({
+        await rawClient.user.create({
             data: {
                 id: 'admin',
                 role: 'admin',
             },
         });
-    });
+
+        return { adminClient };
+    }
 
     it('keeps rejecting raw SQL by default', async () => {
+        const { adminClient } = await createPolicyClient({ dbName: 'policy_raw_sql_default' });
+
         await expect(
-            defaultAdminClient.$transaction(async (tx) => {
+            adminClient.$transaction(async (tx) => {
                 await tx.secret.create({
                     data: {
                         id: 'secret-default',
@@ -76,15 +70,20 @@ describe('PolicyPlugin raw SQL', () => {
                 });
 
                 await tx.$queryRaw<{ value: string }[]>`
-                    SELECT "value"
-                    FROM "Secret"
-                    WHERE "id" = ${'secret-default'}
+                    SELECT ${ref(tx, 'Secret')}.${ref(tx, 'value')}
+                    FROM ${ref(tx, 'Secret')}
+                    WHERE ${ref(tx, 'Secret')}.${ref(tx, 'id')} = ${'secret-default'}
                 `;
             }),
         ).rejects.toThrow('non-CRUD queries are not allowed');
     });
 
     it('allows raw SQL inside a transaction when dangerous raw SQL is enabled', async () => {
+        const { adminClient } = await createPolicyClient({
+            dangerouslyAllowRawSql: true,
+            dbName: 'policy_raw_sql_dangerous',
+        });
+
         await adminClient.$transaction(async (tx) => {
             await tx.secret.create({
                 data: {
@@ -95,9 +94,9 @@ describe('PolicyPlugin raw SQL', () => {
             });
 
             const rows = await tx.$queryRaw<{ value: string }[]>`
-                SELECT "value"
-                FROM "Secret"
-                WHERE "id" = ${'secret-1'}
+                SELECT ${ref(tx, 'Secret')}.${ref(tx, 'value')}
+                FROM ${ref(tx, 'Secret')}
+                WHERE ${ref(tx, 'Secret')}.${ref(tx, 'id')} = ${'secret-1'}
             `;
 
             expect(rows).toEqual([{ value: 'top-secret' }]);