@adsim/wordpress-mcp-server 3.1.0 → 4.5.0

package/tests/unit/tools/perTargetControls.test.js

@@ -0,0 +1,228 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall, getActiveControls, getControlSources, _testSetTarget } from '../../../index.js';
+import { mockSuccess, getAuditLogs, makeRequest, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+const ENV_KEYS = ['WP_READ_ONLY', 'WP_DRAFT_ONLY', 'WP_DISABLE_DELETE', 'WP_DISABLE_PLUGIN_MANAGEMENT', 'WP_REQUIRE_APPROVAL', 'WP_CONFIRM_DESTRUCTIVE', 'WP_MAX_CALLS_PER_MINUTE'];
+const savedEnv = {};
+
+function clearGovEnv() {
+  for (const k of ENV_KEYS) {
+    savedEnv[k] = process.env[k];
+    delete process.env[k];
+  }
+}
+
+function restoreGovEnv() {
+  for (const k of ENV_KEYS) {
+    if (savedEnv[k] === undefined) delete process.env[k];
+    else process.env[k] = savedEnv[k];
+  }
+}
+
+// ────────────────────────────────────────────────────────────
+// getActiveControls — unit tests
+// ────────────────────────────────────────────────────────────
+
+describe('getActiveControls', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); clearGovEnv(); });
+  afterEach(() => { consoleSpy.mockRestore(); restoreGovEnv(); _testSetTarget(null); });
+
+  it('returns global env vars when target has no controls', () => {
+    process.env.WP_READ_ONLY = 'true';
+    process.env.WP_DISABLE_DELETE = 'true';
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p' });
+
+    const c = getActiveControls();
+
+    expect(c.read_only).toBe(true);
+    expect(c.disable_delete).toBe(true);
+    expect(c.draft_only).toBe(false);
+    expect(c.require_approval).toBe(false);
+    expect(c.confirm_destructive).toBe(false);
+    expect(c.disable_plugin_management).toBe(false);
+  });
+
+  it('target read_only:true + global false → blocked (OR strict)', () => {
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { read_only: true } });
+
+    const c = getActiveControls();
+
+    expect(c.read_only).toBe(true);
+  });
+
+  it('global read_only:true + target false → blocked (OR strict)', () => {
+    process.env.WP_READ_ONLY = 'true';
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { read_only: false } });
+
+    const c = getActiveControls();
+
+    expect(c.read_only).toBe(true);
+  });
+
+  it('both global and target true → blocked (OR strict)', () => {
+    process.env.WP_READ_ONLY = 'true';
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { read_only: true } });
+
+    const c = getActiveControls();
+    const s = getControlSources();
+
+    expect(c.read_only).toBe(true);
+    expect(s.read_only_source).toBe('both');
+  });
+
+  it('max_calls_per_minute: MIN of global and target', () => {
+    process.env.WP_MAX_CALLS_PER_MINUTE = '30';
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { max_calls_per_minute: 10 } });
+
+    const c = getActiveControls();
+
+    expect(c.max_calls_per_minute).toBe(10);
+  });
+
+  it('max_calls_per_minute: global unlimited + target=20 → 20', () => {
+    // global is 0 (unlimited) by default
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { max_calls_per_minute: 20 } });
+
+    const c = getActiveControls();
+    const s = getControlSources();
+
+    expect(c.max_calls_per_minute).toBe(20);
+    expect(s.max_calls_per_minute_source).toBe('target');
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// Governance functions use getActiveControls — integration
+// ────────────────────────────────────────────────────────────
+
+describe('Per-target governance integration', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); clearGovEnv(); });
+  afterEach(() => { consoleSpy.mockRestore(); restoreGovEnv(); _testSetTarget(null); });
+
+  it('target read_only blocks write tools via enforceReadOnly', async () => {
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { read_only: true } });
+
+    const result = await call('wp_create_post', { title: 'T', content: 'C' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('READ-ONLY');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_create_post');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('blocked');
+  });
+
+  it('target draft_only blocks publish via enforceDraftOnly', async () => {
+    _testSetTarget('staging', { url: 'https://staging.example.com', username: 'u', password: 'p', controls: { draft_only: true } });
+
+    const result = await call('wp_create_post', { title: 'T', content: 'C', status: 'publish' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('DRAFT-ONLY');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_create_post');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('error');
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// wp_site_info — per-target controls
+// ────────────────────────────────────────────────────────────
+
+describe('wp_site_info with per-target controls', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); clearGovEnv(); });
+  afterEach(() => { consoleSpy.mockRestore(); restoreGovEnv(); _testSetTarget(null); });
+
+  const siteInfoResponse = { name: 'Test', description: 'T', url: 'https://test.example.com', gmt_offset: 1, timezone_string: 'UTC' };
+  const userMeResponse = { id: 1, name: 'Admin', slug: 'admin', roles: ['administrator'] };
+  const postTypesResponse = { post: { slug: 'post', name: 'Posts', rest_base: 'posts' } };
+
+  it('enterprise_controls reflects target controls', async () => {
+    _testSetTarget('prod', { url: 'https://test.example.com', username: 'testuser', password: 'testpass', controls: { disable_delete: true, confirm_destructive: true } });
+    mockSuccess(siteInfoResponse);
+    mockSuccess(userMeResponse);
+    mockSuccess(postTypesResponse);
+
+    const res = await call('wp_site_info');
+    const data = parseResult(res);
+
+    expect(data.enterprise_controls.delete_disabled).toBe(true);
+    expect(data.enterprise_controls.confirm_destructive).toBe(true);
+    expect(data.enterprise_controls.read_only).toBe(false);
+  });
+
+  it('controls_source indicates "target" when restriction comes from target', async () => {
+    _testSetTarget('prod', { url: 'https://test.example.com', username: 'testuser', password: 'testpass', controls: { disable_delete: true } });
+    mockSuccess(siteInfoResponse);
+    mockSuccess(userMeResponse);
+    mockSuccess(postTypesResponse);
+
+    const res = await call('wp_site_info');
+    const data = parseResult(res);
+
+    expect(data.enterprise_controls.disable_delete_source).toBe('target');
+    expect(data.enterprise_controls.read_only_source).toBe('none');
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// wp_set_target — audit log and controls persistence
+// ────────────────────────────────────────────────────────────
+
+describe('wp_set_target with per-target controls', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); clearGovEnv(); });
+  afterEach(() => { consoleSpy.mockRestore(); restoreGovEnv(); _testSetTarget(null); });
+
+  it('audit log contains effective_controls after switch', async () => {
+    // Pre-populate two targets via _testSetTarget for the first, then manually set second
+    _testSetTarget('staging', { url: 'https://staging.example.com', username: 'u', password: 'p', controls: { draft_only: true, disable_delete: true } });
+
+    // Now call wp_set_target to switch to staging (already current, but validates the flow)
+    const result = await call('wp_set_target', { site: 'staging' });
+    const data = parseResult(result);
+
+    expect(data.success).toBe(true);
+    expect(data.effective_controls).toBeDefined();
+    expect(data.effective_controls.draft_only).toBe(true);
+    expect(data.effective_controls.disable_delete).toBe(true);
+    expect(data.effective_controls.read_only).toBe(false);
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_set_target' && l.status === 'success');
+    expect(entry).toBeDefined();
+    expect(entry.effective_controls).toBeDefined();
+    expect(entry.effective_controls.draft_only).toBe(true);
+  });
+
+  it('per-target controls survive a wp_set_target switch', async () => {
+    // Set up two targets
+    _testSetTarget('dev', { url: 'https://dev.example.com', username: 'u', password: 'p' });
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { read_only: true } });
+    // Current is now 'prod'. Switch to prod explicitly to test persistence.
+
+    const result = await call('wp_set_target', { site: 'prod' });
+    const data = parseResult(result);
+
+    expect(data.effective_controls.read_only).toBe(true);
+
+    // Verify the control actually blocks writes
+    const writeResult = await call('wp_create_post', { title: 'T', content: 'C' });
+    expect(writeResult.isError).toBe(true);
+    expect(writeResult.content[0].text).toContain('READ-ONLY');
+  });
+});