casbin-node-casbin/test/rbacRoleHierarchyDomains.test.ts at 9fc7afe8ed6799fbc873ef35f959797fcd002892 · apache/casbin-node-casbin · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
import { newEnforcer } from '../src';

describe('Test Role Hierarchy with Domains and Wildcards', () => {
  test('getImplicitPermissionsForUser should handle wildcard domains', async () => {
    const e = await newEnforcer(
      'examples/rbac_with_role_hierarchy_domains_model.conf',
      'examples/rbac_with_role_hierarchy_domains_policy.csv'
    );

    // Test michael in tenant1 - should get permissions from abstract_role1 with domain *
    const michaelPerms = await e.getImplicitPermissionsForUser('michael', 'tenant1');

    // Michael should have:
    // - abstract_role1 permissions (devis read/create) with domain *
    expect(michaelPerms).toContainEqual(['abstract_role1', '*', 'devis', 'read']);
    expect(michaelPerms).toContainEqual(['abstract_role1', '*', 'devis', 'create']);

    // Test thomas in tenant1 - should get permissions from abstract_role2 with domain *
    const thomasPerms = await e.getImplicitPermissionsForUser('thomas', 'tenant1');

    // Thomas should have:
    // - abstract_role2 permissions (devis read, organization read/write) with domain *
    expect(thomasPerms).toContainEqual(['abstract_role2', '*', 'devis', 'read']);
    expect(thomasPerms).toContainEqual(['abstract_role2', '*', 'organization', 'read']);
    expect(thomasPerms).toContainEqual(['abstract_role2', '*', 'organization', 'write']);

    // Test theo with super_user - should get permissions from abstract_role2 with domain *
    const theoPerms = await e.getImplicitPermissionsForUser('theo', 'tenant1');

    // Theo should have:
    // - abstract_role2 permissions (devis read, organization read/write) with domain *
    expect(theoPerms).toContainEqual(['abstract_role2', '*', 'devis', 'read']);
    expect(theoPerms).toContainEqual(['abstract_role2', '*', 'organization', 'read']);
    expect(theoPerms).toContainEqual(['abstract_role2', '*', 'organization', 'write']);
  });

  test('enforce should work with wildcard domains in role hierarchy', async () => {
    const e = await newEnforcer(
      'examples/rbac_with_role_hierarchy_domains_model.conf',
      'examples/rbac_with_role_hierarchy_domains_policy.csv'
    );

    // Michael in tenant1 should be able to read devis
    expect(await e.enforce('michael', 'tenant1', 'devis', 'read')).toBe(true);
    expect(await e.enforce('michael', 'tenant1', 'devis', 'create')).toBe(true);

    // Michael in tenant2 should NOT have access (not assigned to tenant2)
    expect(await e.enforce('michael', 'tenant2', 'devis', 'read')).toBe(false);

    // Antoine in tenant2 should be able to read devis
    expect(await e.enforce('antoine', 'tenant2', 'devis', 'read')).toBe(true);

    // Thomas in tenant1 should have organization permissions
    expect(await e.enforce('thomas', 'tenant1', 'organization', 'read')).toBe(true);
    expect(await e.enforce('thomas', 'tenant1', 'organization', 'write')).toBe(true);

    // Theo with super_user should have access to any tenant
    expect(await e.enforce('theo', 'tenant1', 'organization', 'read')).toBe(true);
    expect(await e.enforce('theo', 'tenant2', 'organization', 'read')).toBe(true);
    expect(await e.enforce('theo', 'tenant3', 'organization', 'read')).toBe(true);
  });
});