prosody
e385f3a06673
spec/util_roles_spec.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

spec/util_roles_spec.lua @ 12995:e385f3a06673

moduleapi: Add 'peek' to :may() and new :could() helper to suppress logging The current method logs scary "access denied" messages on failure - this is generally very useful when debugging access control stuff, but in some cases the call is simply a check to see if someone *could* perform an action, even if they haven't requested it yet. One example is determining whether to show the user as an admin in disco. The 'peek' parameter, if true, will suppress such logging. The :could() method is just a simple helper that can make the calling code a bit more readable (suggested by Zash).
author Matthew Wild <mwild1@gmail.com>
date Sun, 26 Mar 2023 14:06:04 +0100
parent 12754:a92ca737d05f
line wrap: on
line source

describe("util.roles", function ()
	randomize(false);
	local roles;
	it("can be loaded", function ()
		roles = require "util.roles";
	end);
	local test_role;
	it("can create a new role", function ()
		test_role = roles.new();
		assert.is_not_nil(test_role);
		assert.is_truthy(roles.is_role(test_role));
	end);
	describe("role object", function ()
		it("can be initialized with permissions", function ()
			local test_role_2 = roles.new({
				permissions = {
					perm1 = true;
					perm2 = false;
				};
			});
			assert.truthy(test_role_2:may("perm1"));
			assert.falsy(test_role_2:may("perm2"));
		end);
		it("has a sensible tostring", function ()
			local test_role_2 = roles.new({
				id = "test-role-2";
				name = "Test Role 2";
			});
			assert.truthy(tostring(test_role_2):find(test_role_2.id, 1, true));
			assert.truthy(tostring(test_role_2):find("Test Role 2", 1, true));
		end);
		it("is restrictive by default", function ()
			assert.falsy(test_role:may("my-permission"));
		end);
		it("allows you to set permissions", function ()
			test_role:set_permission("my-permission", true);
			assert.truthy(test_role:may("my-permission"));
		end);
		it("allows you to set negative permissions", function ()
			test_role:set_permission("my-other-permission", false);
			assert.falsy(test_role:may("my-other-permission"));
		end);
		it("does not allows you to override previously set permissions by default", function ()
			local ok, err = test_role:set_permission("my-permission", false);
			assert.falsy(ok);
			assert.is_equal("policy-already-exists", err);
			-- Confirm old permission still in place
			assert.truthy(test_role:may("my-permission"));
		end);
		it("allows you to explicitly override previously set permissions", function ()
			assert.truthy(test_role:set_permission("my-permission", false, true));
			assert.falsy(test_role:may("my-permission"));
		end);
		describe("inheritance", function ()
			local child_role;
			it("works", function ()
				test_role:set_permission("inherited-permission", true);
				child_role = roles.new({
					inherits = { test_role };
				});
				assert.truthy(child_role:may("inherited-permission"));
				assert.falsy(child_role:may("my-permission"));
			end);
			it("allows listing policies", function ()
				local expected = {
					["my-permission"] = false;
					["my-other-permission"] = false;
					["inherited-permission"] = true;
				};
				local received = {};
				for permission_name, permission_policy in child_role:policies() do
					received[permission_name] = permission_policy;
				end
				assert.same(expected, received);
			end);
			it("supports multiple depths of inheritance", function ()
				local grandchild_role = roles.new({
					inherits = { child_role };
				});
				assert.truthy(grandchild_role:may("inherited-permission"));
			end);
			describe("supports ordered inheritance from multiple roles", function ()
				local parent_role = roles.new();
				local final_role = roles.new({
					-- Yes, the names are getting confusing.
					-- btw, test_role is inherited through child_role.
					inherits = { parent_role, child_role };
				});

				local test_cases = {
					-- { <final_role policy>, <parent_role policy>, <test_role policy> }
					{ true,   nil, false, result = true };
					{  nil, false,  true, result = false };
					{  nil,  true, false, result = true };
					{  nil,  nil,  false, result = false };
					{  nil,  nil,   true, result = true };
				};

				for n, test_case in ipairs(test_cases) do
					it("(case "..n..")", function ()
						local perm_name = ("multi-inheritance-perm-%d"):format(n);
						assert.truthy(final_role:set_permission(perm_name, test_case[1]));
						assert.truthy(parent_role:set_permission(perm_name, test_case[2]));
						assert.truthy(test_role:set_permission(perm_name, test_case[3]));
						assert.equal(test_case.result, final_role:may(perm_name));
					end);
				end
			end);
			it("updates child roles when parent roles change", function ()
				assert.truthy(child_role:may("inherited-permission"));
				assert.truthy(test_role:set_permission("inherited-permission", false, true));
				assert.falsy(child_role:may("inherited-permission"));
			end);
		end);
		describe("cloning", function ()
			local cloned_role;
			it("works", function ()
				assert.truthy(test_role:set_permission("perm-1", true));
				cloned_role = test_role:clone();
				assert.truthy(cloned_role:may("perm-1"));
			end);
			it("isolates changes", function ()
				-- After cloning, changes in either the original or the clone
				-- should not appear in the other.
				assert.truthy(test_role:set_permission("perm-1", false, true));
				assert.truthy(test_role:set_permission("perm-2", true));
				assert.truthy(cloned_role:set_permission("perm-3", true));
				assert.truthy(cloned_role:may("perm-1"));
				assert.falsy(cloned_role:may("perm-2"));
				assert.falsy(test_role:may("perm-3"));
			end);
		end);
	end);
end);