decision_agent 0.1.4 → 0.1.7

data/spec/versioning_spec.rb

@@ -186,6 +186,259 @@ RSpec.describe "DecisionAgent Versioning System" do
         expect(comparison).to be_nil
       end
     end
+
+    describe "#delete_version" do
+      it "deletes a version and removes it from index" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content, metadata: { status: "draft" })
+        adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        # Delete v1 (draft, not active)
+        result = adapter.delete_version(version_id: v1[:id])
+        expect(result).to be true
+
+        # Verify it's deleted
+        expect(adapter.get_version(version_id: v1[:id])).to be_nil
+      end
+
+      it "raises error when trying to delete active version" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        expect do
+          adapter.delete_version(version_id: v1[:id])
+        end.to raise_error(DecisionAgent::ValidationError, /Cannot delete active version/)
+      end
+
+      it "raises error for nonexistent version" do
+        expect do
+          adapter.delete_version(version_id: "nonexistent")
+        end.to raise_error(DecisionAgent::NotFoundError)
+      end
+
+      it "handles file already deleted" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content, metadata: { status: "draft" })
+        adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        # Delete the file manually
+        rule_dir = File.join(adapter.storage_path, rule_id)
+        filename = "#{v1[:version_number]}.json"
+        filepath = File.join(rule_dir, filename)
+        FileUtils.rm_f(filepath)
+
+        # Should handle gracefully
+        result = adapter.delete_version(version_id: v1[:id])
+        expect(result).to be false
+      end
+
+      it "converts index lookup errors to NotFoundError" do
+        # Simulate an error during index lookup
+        allow(adapter).to receive(:get_rule_id_from_index).and_raise(StandardError.new("Index error"))
+
+        expect do
+          adapter.delete_version(version_id: "test_version")
+        end.to raise_error(DecisionAgent::NotFoundError, /Version not found: test_version/)
+      end
+
+      it "handles missing directory when searching for version files" do
+        # Create a version
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content, metadata: { status: "draft" })
+        adapter.create_version(rule_id: rule_id, content: rule_content)
+        version_id = v1[:id]
+
+        # Manually remove the rule directory to simulate missing directory
+        rule_dir = File.join(adapter.storage_path, rule_id)
+        FileUtils.rm_rf(rule_dir)
+
+        # The version should still be in the index, but directory is gone
+        # This simulates a stale index entry
+        # When delete_version is called, it will find the rule_id from index,
+        # but the directory won't exist when searching for files
+        result = adapter.delete_version(version_id: version_id)
+        expect(result).to be false
+      end
+
+      it "handles version ID type mismatches with string conversion" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content, metadata: { status: "draft" })
+        adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        # Version IDs are stored as strings, but test that .to_s comparison works
+        # This ensures the code handles cases where version_id might be passed as different types
+        version_id = v1[:id]
+        expect(version_id).to be_a(String)
+
+        # Should work with string version_id
+        result = adapter.delete_version(version_id: version_id)
+        expect(result).to be true
+
+        # Verify it's actually deleted
+        expect(adapter.get_version(version_id: version_id)).to be_nil
+      end
+
+      it "handles file read errors gracefully when searching for version" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content, metadata: { status: "draft" })
+        adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        # Delete the actual version file but keep it in the index
+        # This simulates a scenario where the file was manually deleted
+        rule_dir = File.join(adapter.storage_path, rule_id)
+        filename = "#{v1[:version_number]}.json"
+        filepath = File.join(rule_dir, filename)
+        FileUtils.rm_f(filepath)
+
+        # The version should still be in the index, but the file is gone
+        # When delete_version is called, it will:
+        # 1. Find rule_id from index
+        # 2. List versions - v1 won't be found (file deleted), but v2 will be
+        # 3. Since v1 not in list, search through files
+        # 4. Should handle missing files gracefully and return false
+        result = adapter.delete_version(version_id: v1[:id])
+        expect(result).to be false
+      end
+
+      it "handles case where version is in index but not in versions list and directory missing" do
+        # Create a version
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content, metadata: { status: "draft" })
+        version_id = v1[:id]
+
+        # Remove the directory but keep the index entry
+        rule_dir = File.join(adapter.storage_path, rule_id)
+        FileUtils.rm_rf(rule_dir)
+
+        # This tests the path where:
+        # 1. get_rule_id_from_index returns a rule_id (version is in index)
+        # 2. list_versions_unsafe returns empty (directory doesn't exist)
+        # 3. Dir.glob fails with Errno::ENOENT (directory missing)
+        # 4. Should return false gracefully
+        result = adapter.delete_version(version_id: version_id)
+        expect(result).to be false
+      end
+
+      it "handles unexpected errors during lock operation and converts to NotFoundError" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content, metadata: { status: "draft" })
+
+        # Simulate an unexpected error during the lock operation (e.g., mutex error, file system error)
+        allow(adapter).to receive(:list_versions_unsafe).and_raise(StandardError.new("Unexpected lock error"))
+
+        # Should convert unexpected error to NotFoundError instead of letting it propagate as 500
+        expect do
+          adapter.delete_version(version_id: v1[:id])
+        end.to raise_error(DecisionAgent::NotFoundError, /Version not found: #{v1[:id]}/)
+      end
+
+      it "preserves ValidationError when trying to delete active version" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        # Should raise ValidationError, not NotFoundError
+        expect do
+          adapter.delete_version(version_id: v1[:id])
+        end.to raise_error(DecisionAgent::ValidationError, /Cannot delete active version/)
+      end
+    end
+
+    describe "#list_versions_unsafe" do
+      it "handles corrupted JSON files gracefully" do
+        # Create a valid version
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        # Create a corrupted JSON file in the same directory
+        rule_dir = File.join(adapter.storage_path, rule_id)
+        corrupted_file = File.join(rule_dir, "999.json")
+        File.write(corrupted_file, "invalid json content{")
+
+        # Should skip corrupted files and return only valid versions
+        versions = adapter.send(:list_versions_unsafe, rule_id: rule_id)
+        expect(versions.length).to eq(1)
+        expect(versions.first[:id]).to eq(v1[:id])
+
+        # Clean up
+        FileUtils.rm_f(corrupted_file)
+      end
+
+      it "handles missing files gracefully" do
+        # Create a valid version
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        # Delete the file but keep directory
+        rule_dir = File.join(adapter.storage_path, rule_id)
+        filename = "#{v1[:version_number]}.json"
+        filepath = File.join(rule_dir, filename)
+        FileUtils.rm_f(filepath)
+
+        # Should handle missing files gracefully
+        versions = adapter.send(:list_versions_unsafe, rule_id: rule_id)
+        expect(versions).to be_an(Array)
+        # May or may not include the deleted version depending on timing
+      end
+    end
+
+    describe "index management" do
+      it "loads index on initialization" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        # Create new adapter instance - should load index
+        new_adapter = DecisionAgent::Versioning::FileStorageAdapter.new(storage_path: temp_dir)
+
+        # Should be able to find version using index
+        found = new_adapter.get_version(version_id: v1[:id])
+        expect(found).not_to be_nil
+      end
+
+      it "handles corrupted JSON files in index loading" do
+        # Create a corrupted JSON file
+        rule_dir = File.join(temp_dir, rule_id)
+        FileUtils.mkdir_p(rule_dir)
+        corrupted_file = File.join(rule_dir, "1.json")
+        File.write(corrupted_file, "invalid json content{")
+
+        # Should handle gracefully and skip corrupted files
+        expect do
+          _new_adapter = DecisionAgent::Versioning::FileStorageAdapter.new(storage_path: temp_dir)
+        end.not_to raise_error
+      end
+
+      it "updates index when creating versions" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        # Index should be updated
+        found = adapter.get_version(version_id: v1[:id])
+        expect(found).not_to be_nil
+      end
+
+      it "removes from index when deleting versions" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content, metadata: { status: "draft" })
+        adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        version_id = v1[:id]
+        adapter.delete_version(version_id: version_id)
+
+        # Should not find in index
+        expect(adapter.get_version(version_id: version_id)).to be_nil
+      end
+    end
+
+    describe "filename sanitization" do
+      it "sanitizes special characters in rule_id" do
+        special_rule_id = "rule/with\\special:chars*?"
+        version = adapter.create_version(rule_id: special_rule_id, content: rule_content)
+
+        # Should create valid filename
+        expect(version[:rule_id]).to eq(special_rule_id)
+
+        # Should be able to retrieve it
+        found = adapter.get_version(version_id: version[:id])
+        expect(found).not_to be_nil
+      end
+    end
+
+    describe "error handling" do
+      it "handles update_version_status_unsafe with invalid status" do
+        v1 = adapter.create_version(rule_id: rule_id, content: rule_content)
+
+        # Try to update with invalid status via reflection (testing private method behavior)
+        expect do
+          adapter.send(:update_version_status_unsafe, v1[:id], "invalid_status", rule_id)
+        end.to raise_error(DecisionAgent::ValidationError, /Invalid status/)
+      end
+    end
   end
 
   describe DecisionAgent::Versioning::VersionManager do

data/spec/web/middleware/auth_middleware_spec.rb

@@ -0,0 +1,133 @@
+require "spec_helper"
+require "rack/test"
+require_relative "../../../lib/decision_agent/web/middleware/auth_middleware"
+
+RSpec.describe DecisionAgent::Web::Middleware::AuthMiddleware do
+  include Rack::Test::Methods
+
+  let(:authenticator) { double("Authenticator") }
+  let(:access_audit_logger) { double("AccessAuditLogger") }
+  let(:app) { ->(_env) { [200, {}, ["OK"]] } }
+  let(:middleware) { described_class.new(app, authenticator: authenticator, access_audit_logger: access_audit_logger) }
+
+  describe "#initialize" do
+    it "initializes with app and authenticator" do
+      expect(middleware.instance_variable_get(:@app)).to eq(app)
+      expect(middleware.instance_variable_get(:@authenticator)).to eq(authenticator)
+      expect(middleware.instance_variable_get(:@access_audit_logger)).to eq(access_audit_logger)
+    end
+
+    it "initializes without access_audit_logger" do
+      middleware = described_class.new(app, authenticator: authenticator)
+      expect(middleware.instance_variable_get(:@access_audit_logger)).to be_nil
+    end
+  end
+
+  describe "#call" do
+    context "with Authorization header" do
+      it "extracts token from Bearer header" do
+        user = double("User", id: "user1")
+        session = double("Session", token: "token123")
+        auth_result = { user: user, session: session }
+
+        allow(authenticator).to receive(:authenticate).with("token123").and_return(auth_result)
+
+        env = Rack::MockRequest.env_for("/", "HTTP_AUTHORIZATION" => "Bearer token123")
+        status, = middleware.call(env)
+
+        expect(status).to eq(200)
+        expect(env["decision_agent.user"]).to eq(user)
+        expect(env["decision_agent.session"]).to eq(session)
+      end
+
+      it "handles missing Bearer prefix" do
+        env = Rack::MockRequest.env_for("/", "HTTP_AUTHORIZATION" => "token123")
+        status, = middleware.call(env)
+
+        expect(status).to eq(200)
+        expect(env["decision_agent.user"]).to be_nil
+      end
+    end
+
+    context "with session cookie" do
+      it "extracts token from cookie" do
+        user = double("User", id: "user1")
+        session = double("Session", token: "cookie_token")
+        auth_result = { user: user, session: session }
+
+        allow(authenticator).to receive(:authenticate).with("cookie_token").and_return(auth_result)
+
+        env = Rack::MockRequest.env_for("/")
+        request = Rack::Request.new(env)
+        allow(request).to receive(:cookies).and_return("decision_agent_session" => "cookie_token")
+        allow(Rack::Request).to receive(:new).and_return(request)
+
+        status, = middleware.call(env)
+
+        expect(status).to eq(200)
+        expect(env["decision_agent.user"]).to eq(user)
+      end
+    end
+
+    context "with query parameter" do
+      it "extracts token from query parameter" do
+        user = double("User", id: "user1")
+        session = double("Session", token: "query_token")
+        auth_result = { user: user, session: session }
+
+        allow(authenticator).to receive(:authenticate).with("query_token").and_return(auth_result)
+
+        env = Rack::MockRequest.env_for("/?token=query_token")
+        status, = middleware.call(env)
+
+        expect(status).to eq(200)
+        expect(env["decision_agent.user"]).to eq(user)
+      end
+    end
+
+    context "without token" do
+      it "calls app without setting user" do
+        env = Rack::MockRequest.env_for("/")
+        status, = middleware.call(env)
+
+        expect(status).to eq(200)
+        expect(env["decision_agent.user"]).to be_nil
+        expect(env["decision_agent.session"]).to be_nil
+      end
+    end
+
+    context "with invalid token" do
+      it "calls app without setting user when authentication fails" do
+        allow(authenticator).to receive(:authenticate).with("invalid_token").and_return(nil)
+
+        env = Rack::MockRequest.env_for("/", "HTTP_AUTHORIZATION" => "Bearer invalid_token")
+        status, = middleware.call(env)
+
+        expect(status).to eq(200)
+        expect(env["decision_agent.user"]).to be_nil
+        expect(env["decision_agent.session"]).to be_nil
+      end
+    end
+
+    context "token priority" do
+      it "prefers Authorization header over cookie" do
+        user_header = double("User", id: "header_user")
+        user_cookie = double("User", id: "cookie_user")
+        session_header = double("Session")
+        session_cookie = double("Session")
+
+        allow(authenticator).to receive(:authenticate).with("header_token").and_return({ user: user_header, session: session_header })
+        allow(authenticator).to receive(:authenticate).with("cookie_token").and_return({ user: user_cookie, session: session_cookie })
+
+        env = Rack::MockRequest.env_for("/?token=cookie_token", "HTTP_AUTHORIZATION" => "Bearer header_token")
+        request = Rack::Request.new(env)
+        allow(request).to receive(:cookies).and_return("decision_agent_session" => "cookie_token")
+        allow(Rack::Request).to receive(:new).and_return(request)
+
+        middleware.call(env)
+
+        expect(env["decision_agent.user"]).to eq(user_header)
+      end
+    end
+  end
+end

data/spec/web/middleware/permission_middleware_spec.rb

@@ -0,0 +1,247 @@
+require "spec_helper"
+require "rack/test"
+require_relative "../../../lib/decision_agent/web/middleware/permission_middleware"
+
+RSpec.describe DecisionAgent::Web::Middleware::PermissionMiddleware do
+  include Rack::Test::Methods
+
+  let(:permission_checker) { double("PermissionChecker") }
+  let(:access_audit_logger) { double("AccessAuditLogger") }
+  let(:app) { ->(_env) { [200, {}, ["OK"]] } }
+  let(:user) { double("User", id: "user1", email: "user@example.com") }
+
+  describe "#initialize" do
+    it "initializes with app and permission_checker" do
+      middleware = described_class.new(app, permission_checker: permission_checker)
+      expect(middleware.instance_variable_get(:@app)).to eq(app)
+      expect(middleware.instance_variable_get(:@permission_checker)).to eq(permission_checker)
+      expect(middleware.instance_variable_get(:@required_permission)).to be_nil
+    end
+
+    it "initializes with required_permission" do
+      middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :write)
+      expect(middleware.instance_variable_get(:@required_permission)).to eq(:write)
+    end
+
+    it "initializes with access_audit_logger" do
+      middleware = described_class.new(app, permission_checker: permission_checker, access_audit_logger: access_audit_logger)
+      expect(middleware.instance_variable_get(:@access_audit_logger)).to eq(access_audit_logger)
+    end
+  end
+
+  describe "#call" do
+    context "without user" do
+      it "returns 401 when user is not authenticated" do
+        middleware = described_class.new(app, permission_checker: permission_checker)
+        env = Rack::MockRequest.env_for("/")
+
+        status, headers, body = middleware.call(env)
+
+        expect(status).to eq(401)
+        expect(headers["Content-Type"]).to include("application/json")
+        body_text = body.first
+        expect(JSON.parse(body_text)["error"]).to eq("Authentication required")
+      end
+    end
+
+    context "with inactive user" do
+      it "returns 403 when user is not active" do
+        middleware = described_class.new(app, permission_checker: permission_checker)
+        env = Rack::MockRequest.env_for("/")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:active?).with(user).and_return(false)
+
+        status, _, body = middleware.call(env)
+
+        expect(status).to eq(403)
+        body_text = body.first
+        expect(JSON.parse(body_text)["error"]).to eq("User account is not active")
+      end
+    end
+
+    context "without required permission" do
+      it "calls app when no permission required" do
+        middleware = described_class.new(app, permission_checker: permission_checker)
+        env = Rack::MockRequest.env_for("/")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:active?).with(user).and_return(true)
+
+        status, _, body = middleware.call(env)
+
+        expect(status).to eq(200)
+        expect(body.first).to eq("OK")
+      end
+    end
+
+    context "with required permission" do
+      let(:middleware) { described_class.new(app, permission_checker: permission_checker, required_permission: :write, access_audit_logger: access_audit_logger) }
+
+      before do
+        allow(permission_checker).to receive(:active?).with(user).and_return(true)
+      end
+
+      it "calls app when permission is granted" do
+        env = Rack::MockRequest.env_for("/api/rules/123")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:can?).with(user, :write, nil).and_return(true)
+        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
+        allow(access_audit_logger).to receive(:log_permission_check)
+
+        status, _, body = middleware.call(env)
+
+        expect(status).to eq(200)
+        expect(body.first).to eq("OK")
+      end
+
+      it "returns 403 when permission is denied" do
+        env = Rack::MockRequest.env_for("/api/rules/123")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:can?).with(user, :write, nil).and_return(false)
+        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
+        allow(access_audit_logger).to receive(:log_permission_check)
+
+        status, _, body = middleware.call(env)
+
+        expect(status).to eq(403)
+        body_text = body.first
+        expect(JSON.parse(body_text)["error"]).to eq("Permission denied: write")
+      end
+
+      it "logs permission check when access_audit_logger is provided" do
+        env = Rack::MockRequest.env_for("/api/rules/123")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:can?).with(user, :write, nil).and_return(true)
+        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
+        allow(access_audit_logger).to receive(:log_permission_check)
+
+        middleware.call(env)
+
+        expect(access_audit_logger).to have_received(:log_permission_check).with(
+          user_id: "user1",
+          permission: :write,
+          resource_type: "rule",
+          resource_id: "123",
+          granted: true
+        )
+      end
+
+      it "does not log when access_audit_logger is not provided" do
+        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :write)
+        env = Rack::MockRequest.env_for("/api/rules/123")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:can?).with(user, :write, nil).and_return(true)
+
+        expect { middleware.call(env) }.not_to raise_error
+      end
+    end
+
+    describe "#extract_resource_type" do
+      it "extracts resource type from path" do
+        middleware = described_class.new(app, permission_checker: permission_checker)
+        env = Rack::MockRequest.env_for("/api/rules/123")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:active?).with(user).and_return(true)
+
+        middleware.call(env)
+
+        # Verify extraction happened (indirectly through logging)
+        expect(permission_checker).to have_received(:active?).with(user)
+      end
+
+      it "handles paths without /api/ prefix" do
+        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :read)
+        env = Rack::MockRequest.env_for("/other/path")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:active?).with(user).and_return(true)
+        allow(permission_checker).to receive(:can?).with(user, :read, nil).and_return(true)
+        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
+
+        status, = middleware.call(env)
+
+        expect(status).to eq(200)
+      end
+
+      it "singularizes resource type (removes trailing 's')" do
+        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :read, access_audit_logger: access_audit_logger)
+        env = Rack::MockRequest.env_for("/api/rules/123")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:active?).with(user).and_return(true)
+        allow(permission_checker).to receive(:can?).with(user, :read, nil).and_return(true)
+        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
+        allow(access_audit_logger).to receive(:log_permission_check)
+
+        middleware.call(env)
+
+        expect(access_audit_logger).to have_received(:log_permission_check).with(
+          user_id: "user1",
+          permission: :read,
+          resource_type: "rule",
+          resource_id: "123",
+          granted: true
+        )
+      end
+    end
+
+    describe "#extract_resource_id" do
+      it "extracts id from params" do
+        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :read, access_audit_logger: access_audit_logger)
+        env = Rack::MockRequest.env_for("/api/rules/123?id=456")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:active?).with(user).and_return(true)
+        allow(permission_checker).to receive(:can?).with(user, :read, nil).and_return(true)
+        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
+        allow(access_audit_logger).to receive(:log_permission_check)
+
+        middleware.call(env)
+
+        expect(access_audit_logger).to have_received(:log_permission_check) do |args|
+          expect(args[:resource_id]).to eq("456")
+        end
+      end
+
+      it "extracts rule_id from params" do
+        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :read, access_audit_logger: access_audit_logger)
+        env = Rack::MockRequest.env_for("/api/rules?rule_id=789")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:active?).with(user).and_return(true)
+        allow(permission_checker).to receive(:can?).with(user, :read, nil).and_return(true)
+        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
+        allow(access_audit_logger).to receive(:log_permission_check)
+
+        middleware.call(env)
+
+        expect(access_audit_logger).to have_received(:log_permission_check) do |args|
+          expect(args[:resource_id]).to eq("789")
+        end
+      end
+
+      it "extracts version_id from params" do
+        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :read, access_audit_logger: access_audit_logger)
+        env = Rack::MockRequest.env_for("/api/versions?version_id=999")
+        env["decision_agent.user"] = user
+
+        allow(permission_checker).to receive(:active?).with(user).and_return(true)
+        allow(permission_checker).to receive(:can?).with(user, :read, nil).and_return(true)
+        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
+        allow(access_audit_logger).to receive(:log_permission_check)
+
+        middleware.call(env)
+
+        expect(access_audit_logger).to have_received(:log_permission_check) do |args|
+          expect(args[:resource_id]).to eq("999")
+        end
+      end
+    end
+  end
+end