59 lines
2.6 KiB
TypeScript
59 lines
2.6 KiB
TypeScript
import { describe, expect, it } from "vitest"
|
|
|
|
import { hasPermission, normalizeRole, permissionMatrix } from "./rbac"
|
|
|
|
describe("rbac model", () => {
|
|
it("normalizes valid roles", () => {
|
|
expect(normalizeRole("OWNER")).toBe("owner")
|
|
expect(normalizeRole("support")).toBe("support")
|
|
expect(normalizeRole("ADMIN")).toBe("admin")
|
|
expect(normalizeRole("manager")).toBe("manager")
|
|
expect(normalizeRole("unknown")).toBeNull()
|
|
})
|
|
|
|
it("grants admin full access", () => {
|
|
expect(hasPermission("owner", "users:manage_roles", "global")).toBe(true)
|
|
expect(hasPermission("support", "news:publish", "global")).toBe(true)
|
|
expect(hasPermission("admin", "users:manage_roles", "global")).toBe(true)
|
|
expect(hasPermission("admin", "news:publish", "global")).toBe(true)
|
|
})
|
|
|
|
it("enforces scope hierarchy", () => {
|
|
expect(hasPermission("editor", "news:write", "team")).toBe(true)
|
|
expect(hasPermission("editor", "news:write", "global")).toBe(false)
|
|
expect(hasPermission("editor", "news:publish", "own")).toBe(true)
|
|
})
|
|
|
|
it("keeps matrix explicit for non-admin roles", () => {
|
|
expect(permissionMatrix.editor.length).toBeGreaterThan(0)
|
|
expect(permissionMatrix.manager.length).toBeGreaterThan(0)
|
|
})
|
|
|
|
it("prevents privilege escalation for non-admin roles", () => {
|
|
expect(hasPermission("editor", "users:manage_roles", "global")).toBe(false)
|
|
expect(hasPermission("manager", "users:manage_roles", "global")).toBe(false)
|
|
expect(hasPermission("editor", "dashboard:read", "global")).toBe(true)
|
|
})
|
|
|
|
it("keeps role policy regressions visible for critical permissions", () => {
|
|
const criticalChecks: Array<{
|
|
role: "owner" | "support" | "admin" | "manager" | "editor"
|
|
permission: Parameters<typeof hasPermission>[1]
|
|
scope: Parameters<typeof hasPermission>[2]
|
|
allowed: boolean
|
|
}> = [
|
|
{ role: "owner", permission: "users:manage_roles", scope: "global", allowed: true },
|
|
{ role: "support", permission: "users:manage_roles", scope: "global", allowed: true },
|
|
{ role: "admin", permission: "banner:write", scope: "global", allowed: true },
|
|
{ role: "manager", permission: "users:write", scope: "global", allowed: false },
|
|
{ role: "manager", permission: "users:write", scope: "team", allowed: true },
|
|
{ role: "editor", permission: "news:publish", scope: "team", allowed: false },
|
|
{ role: "editor", permission: "news:publish", scope: "own", allowed: true },
|
|
]
|
|
|
|
for (const check of criticalChecks) {
|
|
expect(hasPermission(check.role, check.permission, check.scope)).toBe(check.allowed)
|
|
}
|
|
})
|
|
})
|