FR: Ability to run against Firestore rules, as part of the admin JS SDK

[akauppi]

I noticed that the Admin SDK has a section on SecurityRules.

Would it be possible, at some point, to have the functionality in the Admin SDK to evaluate rules? I'd use this for testing my Firestore security rules.

Motivation:

The admin SDK is already used in Firebase backend testing. However, I am not aware of a way how I can apply security rules while using it. Therefore, testing whether certain access is allowed or not needs to be done using the client SDK or REST API.

If this were the case, @firebase/rules-unit-testing could then be implemented with the Admin SDK only. It currently has the firebase 8.5.0 client SDK as its dependency, which conflicts with using 9.x beta in one's project. (being the reason why I cannot use it, and am implementing the rules testing using REST API, instead)

[hiranya911]

I don't quite follow. Access control with security rules is a feature only available when using the client SDKS (web, Android and iOS). While the Admin SDK supports administrating/managing the security rules, the Firestore API calls made by the Admin SDK are not regulated by the rules. Is your feature request to change that?

Also note that the Admin SDK is very different from the client SDKs (especially in terms of features like auth), so it's not a good substitute for testing how rules impact clients.

[akauppi]

I must have been a bit hasty in writing that original post. Apologies. I’ll try to explain better.

In my opinion, the current toolset for testing (Firestore) Security Rules is lacking, because there is not a way to ask “would this operation be allowed” - without such operation being carried out. This is what I was trying to suggest in the original post.

What I forgot is that in order to evaluate rules, it’s not enough to have the rules. One needs the data as well, since rules often are conditional on the existing data. Thus... this is less of the business of the admin SDK, as you rightly state.

As I currently see it, the ideal place would be for the Firestore REST API to allow something like “dryrun” parameter that would behave as normal, but not carry out the set/delete what-not.

[IchordeDionysos]

You can test using the emulators :)
https://firebase.google.com/docs/firestore/security/test-rules-emulator

Which works perfectly!