From 6b5f2f796ddd7da9ad4142f2fe79f156a767f94b Mon Sep 17 00:00:00 2001
From: ad hoc
Date: Thu, 29 Feb 2024 13:58:13 +0100
Subject: [PATCH 1/2] add test
---
 libsql-server/tests/standalone/attach.rs | 28 +++++++++++++++++++
 ...ts__standalone__attach__attach_auth-2.snap | 2 +-
 ...ests__standalone__attach__attach_auth.snap | 2 +-
 3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/libsql-server/tests/standalone/attach.rs b/libsql-server/tests/standalone/attach.rs
index 68db8fb721..fc48792bce 100644
--- a/libsql-server/tests/standalone/attach.rs
+++ b/libsql-server/tests/standalone/attach.rs
@@ -181,6 +181,34 @@ fn attach_auth() {
 // succeeds!
 assert_debug_snapshot!(rows.next().await);
+ // mixed claims
+ let claims = serde_json::json!({
+ "id": "foo",
+ "p": {
+ "roa": {
+ "ns": ["bar"]
+ }
+ }
+ });
+ let token = encode(&claims, &enc);
+
+ let foo_db = Database::open_remote_with_connector(
+ "http://foo.primary:8080",
+ &token,
+ TurmoilConnector,
+ )?;
+ let foo_conn = foo_db.connect().unwrap();
+ let txn = foo_conn.transaction().await.unwrap();
+ txn.execute("ATTACH DATABASE bar as attached", ())
+ .await
+ .unwrap();
+ let mut rows = txn
+ .query("SELECT * FROM attached.bar_table", ())
+ .await
+ .unwrap();
+ // succeeds!
+ assert_debug_snapshot!(rows.next().await);
+
 Ok(())
 });
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap
index e10a2b7def..3ce90b67ec 100644
--- a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap
+++ b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap
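Review bot: The new "mixed claims" case in `attach_auth` (libsql-server/tests/standalone/attach.rs) only exercises the allowed path, where a token whose `roa` claim lists `bar` attaches `bar` under the alias `attached`. The case that matters for the authorization check is the reverse one: the same token attaching a namespace it has no `roa` grant for while using `bar` as the alias, which should be rejected. I would add that as a second assertion in this block, snapshotting the `unwrap_err()` of the ATTACH as the existing denied-case snapshots do, so a regression back to alias-based checking is caught. The block would also read better with a comment more specific than `// mixed claims`, for example `// token grants read-attach on bar only; alias differs from target`. The body of `attach_auth` starts and ends outside the hunk.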
@@ -4,6 +4,6 @@ expression: "txn.execute(\"ATTACH DATABASE bar as bar\", ()).await.unwrap_err()"
 ---
 Hrana(
 Api(
- "{\"error\":\"Internal Error: `Not authorized to execute query: Current session doest not have AttachRead permission to namespace bar`\"}",
+ "{\"error\":\"Internal Error: `Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace bar`\"}",
 ),
 )
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap
index 35445b308e..7be2e1ea70 100644
--- a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap
+++ b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap
@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"
 ---
 Hrana(
 Api(
- "{\"error\":\"Internal Error: `Not authorized to execute query: Current session doest not have AttachRead permission to namespace foo`\"}",
+ "{\"error\":\"Internal Error: `Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace foo`\"}",
 ),
 )
From eee7f15c678177d50ed72c7568da427dceb96e41 Mon Sep 17 00:00:00 2001
From: ad hoc
Date: Thu, 29 Feb 2024 13:58:23 +0100
Subject: [PATCH 2/2] fix auth using attach alias instead of target
---
 libsql-server/src/auth/authenticated.rs | 2 +-
 libsql-server/src/query_analysis.rs | 5 +++-
 ...ts__standalone__attach__attach_auth-5.snap | 23 +++++++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-5.snap
diff --git a/libsql-server/src/auth/authenticated.rs b/libsql-server/src/auth/authenticated.rs
index 62b640cac7..7bfc1ad126 100644
--- a/libsql-server/src/auth/authenticated.rs
+++ b/libsql-server/src/auth/authenticated.rs
@@ -63,7 +63,7 @@ impl Authenticated {
 Authenticated::Authorized(a) => {
 if !a.has_right(Scope::Namespace(namespace.clone()), perm) {
 Err(crate::Error::NotAuthorized(format!(
- "Current session doest not have {perm:?} permission to namespace {namespace}")))
+ "Current session doesn't not have {perm:?} permission to namespace {namespace}")))
 } else {
 Ok(())
 }
diff --git a/libsql-server/src/query_analysis.rs b/libsql-server/src/query_analysis.rs
index e544d6a05d..a6c4552433 100644
--- a/libsql-server/src/query_analysis.rs
+++ b/libsql-server/src/query_analysis.rs
@@ -125,7 +125,10 @@ impl StmtKind {
 savepoint_name: Some(_),
 ..
 }) => Some(Self::Release),
- Cmd::Stmt(Stmt::Attach { db_name, .. }) => Some(Self::Attach(
+ Cmd::Stmt(Stmt::Attach {
+ expr: Expr::Id(Id(db_name)),
+ ..
+ }) => Some(Self::Attach(
 NamespaceName::from_string(db_name.to_string()).ok()?,
 )),
 Cmd::Stmt(Stmt::Detach(_)) => Some(Self::Detach),
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-5.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-5.snap
new file mode 100644
index 0000000000..57222c38de
--- /dev/null
+++ b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-5.snap
@@ -0,0 +1,23 @@
+---
+source: libsql-server/tests/standalone/attach.rs
+expression: rows.next().await
+---
+Ok(
+ Some(
+ Row {
+ cols: [
+ Col {
+ name: Some(
+ "x",
+ ),
+ decltype: None,
+ },
+ ],
+ inner: [
+ Integer {
+ value: 43,
+ },
+ ],
+ },
+ ),
+)
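Review bot: The replacement message in `libsql-server/src/auth/authenticated.rs` now reads "doesn't not have", a double negative that states the opposite of what is meant in the denial an operator or client will see. The string should be `"Current session does not have {perm:?} permission to namespace {namespace}"`. The two snapshots updated in PATCH 1/2 (`attach_auth.snap` and `attach_auth-2.snap`) carry the same wording and would need regenerating with it. The enclosing match and function start and end outside the hunk.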
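Review bot: In `libsql-server/src/query_analysis.rs` the `Stmt::Attach` arm now matches only when the target is `Expr::Id`, so an ATTACH whose target is any other expression (a quoted string, a bound parameter) is no longer handled here and falls to the arms below, which are outside the hunk. Since `Self::Attach(namespace)` appears to be what carries the namespace into the AttachRead check, that fall-through has to end in a rejection rather than in a classification that skips the check; please confirm it does and add a test with a non-identifier target. The binding is still named `db_name` although it now holds the target rather than the alias, which is the very confusion this commit fixes. Writing `expr: Expr::Id(Id(target))` with a comment such as `// authorize against the attach target, never the alias` would make the intent explicit.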