Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
zyy
/
knowledge
1
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Мод: 67e33e907d
Салаанууд Тагууд
knowledge
/
tests
/
auth
/
permission.test.ts

permission.test.ts 2.7 KB
Түүх Анхны өгөгдөл

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. import { describe, it, expect } from 'vitest';
    2. 

  2. import { db } from '../../src/db';
    3. 

  3. import { checkPermission } from '../../src/lib/auth/permission';
    4. 

  4. import { eq } from 'drizzle-orm';
    5. 

  5. import { users, groups, roles, permissions, userGroups, groupRoles, rolePermissions, userRoles, resources, aclRules } from '../../src/db/schema/auth';
    6. 

  6. import { resources as resourceSchema, aclRules as aclRulesSchema } from '../../src/db/schema/resource';
    7. 

  7. 

  8. describe('Permission Engine Integration Tests', () => {
    9. 

  9.   // 注意:这些测试依赖于 Seed 脚本注入的数据
    10. 

  10.   // 管理员: admin@ekb.com
    11. 

  11.   // 测试用户: tester@ekb.com (已被禁止访问 /projects/secret)
    12. 

  12. 

  13.   const ADMIN_EMAIL = 'admin@ekb.com';
    14. 

  14.   const TESTER_EMAIL = 'tester@ekb.com';
    15. 

  15. 

  16.   it('should allow admin to access any resource via RBAC', async () => {
    17. 

  17.     // 获取管理员 ID
    18. 

  18.     const [admin] = await db.select().from(users).where(eq(users.email, ADMIN_EMAIL));
    19. 

  19. 

  20.     // 模拟管理员上下文 (假设他属于一个拥有 editor 角色的组)
    21. 

  21.     // 在 Seed 中,admin 被赋予了 editor 角色
    22. 

  22.     const [engGroup] = await db.select().from(groups).where(eq(groups.name, 'Engineering Department'));
    23. 

  23. 

  24.     const result = await checkPermission(
    25. 

  25.       { userId: admin.id, groupIds: [engGroup.id] },
    26. 

  26.       '/any/path',
    27. 

  27.       'read',
    28. 

  28.       'document'
    29. 

  29.     );
    30. 

  30. 

  31.     expect(result.granted).toBe(true);
    32. 

  32.   });
    33. 

  33. 

  34.   it('should deny tester access to secret folder due to explicit ACL deny rule', async () => {
    35. 

  35.     // 获取测试用户 ID
    36. 

  36.     const [tester] = await db.select().from(users).where(eq(users.email, TESTER_EMAIL));
    37. 

  37. 

  38.     const result = await checkPermission(
    39. 

  39.       { userId: tester.id, groupIds: [] },
    40. 

  40.       '/projects/secret',
    41. 

  41.       'read',
    42. 

  42.       'document'
    43. 

  43.     );
    44. 

  44. 

  45.     expect(result.granted).toBe(false);
    46. 

  46.     expect(result.reason).toBe('Explicitly denied by ACL rule');
    47. 

  47.   });
    48. 

  48. 

  49.   it('should allow tester access to public folder (no deny rule)', async () => {
    50. 

  50.     const [tester] = await db.select().from(users).where(eq(users.email, TESTER_EMAIL));
    51. 

  51. 

  52.     const result = await checkPermission(
    53. 

  53.       { userId: tester.id, groupIds: [] },
    54. 

  54.       '/public',
    55. 

  55.       'read',
    56. 

  56.       'document'
    57. 

  57.     );
    58. 

  58. 

  59.     // 注意:由于 tester 本身没有 RBAC 权限,这里应该返回 false (Default Deny)
    60. 

  60.     expect(result.granted).toBe(false);
    61. 

  61.   });
    62. 

  62. 

  63.   it('should respect path inheritance for ACL rules', async () => {
    64. 

  64.     const [tester] = await db.select().from(users).where(eq(users.email, TESTER_EMAIL));
    65. 

  65. 

  66.     // 测试访问子路径 /projects/secret/sub-file,应该同样被拒绝
    67. 

  67.     const result = await checkPermission(
    68. 

  68.       { userId: tester.id, groupIds: [] },
    69. 

  69.       '/projects/secret/sub-file',
    70. 

  70.       'read',
    71. 

  71.       'document'
    72. 

  72.     );
    73. 

  73. 

  74.     expect(result.granted).toBe(false);
    75. 

  75.     expect(result.reason).toBe('Explicitly denied by ACL rule');
    76. 

  76.   });
    77. 

  77. });
    78.