@api-client/core 0.19.41 → 0.19.42

package/tests/unit/modeling/RuntimeApiModel.spec.ts

@@ -1,8 +1,10 @@
+/* eslint-disable @typescript-eslint/no-unused-vars */
 import { test } from '@japa/runner'
 import { ApiModel } from '../../../src/modeling/ApiModel.js'
-import { RuntimeApiModel, type RuntimeApiModelSchema } from '../../../src/modeling/RuntimeApiModel.js'
+import { RuleEvaluator, RuntimeApiModel, type RuntimeApiModelSchema } from '../../../src/modeling/RuntimeApiModel.js'
 import { DataDomain } from '../../../src/modeling/DataDomain.js'
 import { SemanticType } from '../../../src/modeling/Semantics.js'
+import { AccessRule, AccessRuleExecutionPhase } from '../../../src/modeling/index.js'
 
 test.group('RuntimeApiModel', () => {
   test('initializes from schema', ({ assert }) => {
@@ -150,4 +152,190 @@ test.group('RuntimeApiModel', () => {
     assert.equal(runtimeModel.cachedProperties.role?.key, roleProp.key)
     assert.equal(runtimeModel.cachedProperties.username?.key, usernameProp.key)
   }).tags(['@modeling', '@runtime'])
+
+  test('evaluateAccess - rejects if any mandatory rule fails', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const baseModel = new ApiModel(
+      { key: 'api-1', accessRule: [{ type: 'allowAuthenticated', mandatory: true }] },
+      domain
+    )
+    const runtimeModel = new RuntimeApiModel(baseModel.toJSON() as any, domain.toJSON())
+
+    const mockAction = {
+      entity: { accessRule: [], parent: undefined },
+      action: { kind: 'read', accessRule: [] },
+    } as any
+
+    const evaluator: RuleEvaluator = async (_rule: AccessRule): Promise<boolean> => false // Mandatory rule fails
+    const result = await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+    assert.isFalse(result)
+  }).tags(['@modeling', '@runtime', '@authorization'])
+
+  test('evaluateAccess - rejects by default if no rules hit', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const baseModel = new ApiModel({ key: 'api-1' }, domain)
+    const runtimeModel = new RuntimeApiModel(baseModel.toJSON() as any, domain.toJSON())
+
+    const mockAction = {
+      entity: {
+        accessRule: [{ type: 'allowPublic', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+        parent: undefined,
+      },
+      action: { kind: 'read', accessRule: [] },
+    } as any
+
+    const evaluator: RuleEvaluator = async (_rule: AccessRule): Promise<undefined> => undefined // No rules match
+    const result = await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+    assert.isFalse(result)
+  }).tags(['@modeling', '@runtime', '@authorization'])
+
+  test('evaluateAccess - evaluates from most specific to most general in permission phase', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const baseModel = new ApiModel({ key: 'api-1', accessRule: [{ type: 'allowAuthenticated' }] }, domain)
+    const runtimeModel = new RuntimeApiModel(baseModel.toJSON() as any, domain.toJSON())
+
+    const mockAction = {
+      entity: {
+        accessRule: [{ type: 'allowPublic', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+        parent: undefined,
+      },
+      action: {
+        kind: 'read',
+        accessRule: [{ type: 'matchEmailDomain', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+      },
+    } as any
+
+    const evaluatedOrder: string[] = []
+    const evaluator: RuleEvaluator = async (rule: AccessRule): Promise<undefined> => {
+      evaluatedOrder.push(rule.type)
+      return undefined // Continue to next rule
+    }
+
+    await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+    assert.deepEqual(evaluatedOrder, ['matchEmailDomain', 'allowPublic', 'allowAuthenticated'])
+  }).tags(['@modeling', '@runtime', '@authorization'])
+
+  test('evaluateAccess - short-circuits on explicit allow or deny in permission phase', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const baseModel = new ApiModel({ key: 'api-1', accessRule: [{ type: 'allowAuthenticated' }] }, domain)
+    const runtimeModel = new RuntimeApiModel(baseModel.toJSON() as any, domain.toJSON())
+
+    const mockAction = {
+      entity: {
+        accessRule: [{ type: 'allowPublic', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+        parent: undefined,
+      },
+      action: {
+        kind: 'read',
+        accessRule: [{ type: 'matchEmailDomain', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+      },
+    } as any
+
+    const evaluatedOrder: string[] = []
+    const evaluator = async (rule: any) => {
+      evaluatedOrder.push(rule.type)
+      if (rule.type === 'allowPublic') return true
+      return undefined
+    }
+
+    const result = await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+    assert.isTrue(result)
+    // Should not reach the api-rule
+    assert.deepEqual(evaluatedOrder, ['matchEmailDomain', 'allowPublic'])
+  }).tags(['@modeling', '@runtime', '@authorization'])
+
+  test('evaluateAccess - passes mandatory phase and uses permission phase result', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const baseModel = new ApiModel(
+      { key: 'api-1', accessRule: [{ type: 'allowAuthenticated', mandatory: true }] },
+      domain
+    )
+    const runtimeModel = new RuntimeApiModel(baseModel.toJSON() as any, domain.toJSON())
+
+    const mockAction = {
+      entity: {
+        accessRule: [{ type: 'allowPublic', metadata: { read: AccessRuleExecutionPhase.PRE_FETCH } }],
+        parent: undefined,
+      },
+      action: { kind: 'read', accessRule: [] },
+    } as any
+
+    const evaluator = async (rule: any) => {
+      if (rule.mandatory) return true // passes mandatory check
+      if (rule.type === 'allowPublic') return false // explicitly denies
+      return undefined
+    }
+
+    const result = await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+    assert.isFalse(result) // Denied by permission rule
+  }).tags(['@modeling', '@runtime', '@authorization'])
+
+  test('evaluateAccess - shadows parent rules of the same type', async ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const model = domain.addModel({ key: 'mod-1' })
+    const entity = model.addEntity({ key: 'ent-1' })
+
+    // Create base model with exposing and actions directly in schema
+    const baseModel = new ApiModel(
+      {
+        key: 'api-1',
+        accessRule: [{ type: 'allowAuthenticated' }, { type: 'matchEmailDomain' }],
+        exposes: [
+          {
+            key: entity.key,
+            entity: { key: entity.key },
+            accessRule: [
+              { type: 'allowPublic', mandatory: false },
+              { type: 'matchEmailDomain', mandatory: true },
+            ],
+            actions: [
+              {
+                kind: 'read',
+                accessRule: [{ type: 'allowAuthenticated', mandatory: true }],
+              },
+            ],
+            hasCollection: true,
+            kind: 'Core#ExposedEntity',
+            resourcePath: '',
+          },
+        ],
+      },
+      domain
+    )
+
+    // Hierarchy will be:
+    // Action: allowAuthenticated (mandatory)
+    // Entity: allowPublic, matchEmailDomain (mandatory)
+    // API: allowAuthenticated, matchEmailDomain
+
+    // Effective Rules (with shadowing):
+    // Action's allowAuthenticated (mandatory) shadows API's allowAuthenticated
+    // Entity's matchEmailDomain (mandatory) shadows API's matchEmailDomain
+    // Entity's allowPublic is kept
+
+    // Mandatory: allowAuthenticated, matchEmailDomain
+    // Permission: allowPublic
+
+    const schema: RuntimeApiModelSchema = {
+      ...baseModel.toJSON(),
+      routingMap: {
+        GET: [{ path: '/test', lookup: { exposedEntityKey: entity.key, actionKind: 'read' } }],
+      },
+    }
+
+    const runtimeModel = new RuntimeApiModel(schema, domain.toJSON())
+    const mockAction = runtimeModel.lookupAction('GET', '/test')!
+
+    const evaluatedOrder: string[] = []
+    const evaluator: RuleEvaluator = async (rule: AccessRule): Promise<boolean | undefined> => {
+      evaluatedOrder.push(`${rule.type}${rule.mandatory ? '-mandatory' : ''}`)
+      if (rule.mandatory) return true
+      return undefined
+    }
+
+    await runtimeModel.evaluateAccess(mockAction, evaluator, AccessRuleExecutionPhase.PRE_FETCH)
+
+    // Check that we only evaluate the shadowed rules, exactly once per phase
+    assert.deepEqual(evaluatedOrder, ['allowAuthenticated-mandatory', 'matchEmailDomain-mandatory', 'allowPublic'])
+  }).tags(['@modeling', '@runtime', '@authorization'])
 })

package/tests/unit/modeling/actions/Action.spec.ts

@@ -60,7 +60,7 @@ test.group('Action', () => {
       notified = true
     })
 
-    action.accessRule = [new AccessRule(mockExposedEntity(), { type: 'allowPublic' })]
+    action.accessRule = [new AccessRule(mockExposedEntity(), {}, { type: 'allowPublic' })]
     await Promise.resolve()
     assert.isTrue(notified)
   }).tags(['@modeling', '@action', '@observed'])
@@ -111,7 +111,7 @@ test.group('Action', () => {
 
   test('getAllRules() aggregates rules from action and parent', ({ assert }) => {
     const parent = {
-      getAllRules: () => [new AccessRule(mockExposedEntity(), { type: 'allowPublic' })],
+      getAllRules: () => [new AccessRule(mockExposedEntity(), {}, { type: 'allowPublic' })],
       notifyChange: () => {},
     } as unknown as ExposedEntity
 

package/tests/unit/modeling/actions/CreateAction.spec.ts

@@ -59,7 +59,7 @@ test.group('CreateAction', () => {
     })
 
     // Modify inherited property
-    action.accessRule = [new AccessRule(mockExposedEntity(), { type: 'allowPublic' })]
+    action.accessRule = [new AccessRule(mockExposedEntity(), {}, { type: 'allowPublic' })]
     await Promise.resolve()
     assert.isTrue(notified)
   }).tags(['@modeling', '@action', '@create-action', '@observed'])

package/tests/unit/modeling/actions/ReadAction.spec.ts

@@ -59,7 +59,7 @@ test.group('ReadAction', () => {
     })
 
     // Modify inherited property
-    action.accessRule = [new AccessRule(mockExposedEntity(), { type: 'allowPublic' })]
+    action.accessRule = [new AccessRule(mockExposedEntity(), {}, { type: 'allowPublic' })]
     await Promise.resolve()
     assert.isTrue(notified)
   }).tags(['@modeling', '@action', '@read-action', '@observed'])
@@ -71,7 +71,7 @@ test.group('ReadAction', () => {
       notified = true
     })
 
-    action.accessRule.push(new AccessRule(mockExposedEntity(), { type: 'allowPublic' }))
+    action.accessRule.push(new AccessRule(mockExposedEntity(), {}, { type: 'allowPublic' }))
     await Promise.resolve()
     assert.isTrue(notified)
   }).tags(['@modeling', '@action', '@read-action', '@observed'])

package/tests/unit/modeling/exposed_entity.spec.ts

@@ -308,7 +308,7 @@ test.group('ExposedEntity', () => {
 
   test('getAllRules() aggregates rules from entity, parent, and API', ({ assert }) => {
     const model = new ApiModel()
-    model.accessRule = [new AccessRule(model, { type: 'allowPublic' })]
+    model.accessRule = [new AccessRule(model, {}, { type: 'allowPublic' })]
 
     const rootEx = new ExposedEntity(model, {
       key: 'root',

package/tests/unit/modeling/rules/AccessRule.spec.ts

@@ -4,24 +4,24 @@ import { mockExposedEntity } from '../actions/helpers.js'
 
 test.group('AccessRule', () => {
   test('initializes with default values', ({ assert }) => {
-    const rule = new AccessRule(mockExposedEntity())
+    const rule = new AccessRule(mockExposedEntity(), {})
     assert.equal(rule.type, '')
   }).tags(['@modeling', '@access-rule'])
 
   test('initializes with provided values', ({ assert }) => {
     const schema: AccessRuleSchema = { type: 'public' }
-    const rule = new AccessRule(mockExposedEntity(), schema)
+    const rule = new AccessRule(mockExposedEntity(), {}, schema)
     assert.equal(rule.type, 'public')
   }).tags(['@modeling', '@access-rule'])
 
   test('serializes to JSON', ({ assert }) => {
-    const rule = new AccessRule(mockExposedEntity(), { type: 'authenticated' })
+    const rule = new AccessRule(mockExposedEntity(), {}, { type: 'authenticated' })
     const json = rule.toJSON()
     assert.deepEqual(json, { type: 'authenticated' })
   }).tags(['@modeling', '@access-rule'])
 
   test('notifies change', async ({ assert }) => {
-    const rule = new AccessRule(mockExposedEntity(), { type: 'public' })
+    const rule = new AccessRule(mockExposedEntity(), {}, { type: 'public' })
     let notified = false
     rule.addEventListener('change', () => {
       notified = true
@@ -32,7 +32,7 @@ test.group('AccessRule', () => {
   }).tags(['@modeling', '@access-rule'])
 
   test('toJSON returns safe copy (immutability)', ({ assert }) => {
-    const rule = new AccessRule(mockExposedEntity(), { type: 'public' })
+    const rule = new AccessRule(mockExposedEntity(), {}, { type: 'public' })
     const json = rule.toJSON()
 
     // Modify JSON (simulate runtime mutation)

package/tests/unit/modeling/rules/LifecycleStatus.spec.ts

@@ -0,0 +1,55 @@
+import { test } from '@japa/runner'
+import { LifecycleStatusAccessRule } from '../../../../src/modeling/rules/LifecycleStatus.js'
+import { mockExposedEntity } from '../actions/helpers.js'
+
+test.group('LifecycleStatusAccessRule', () => {
+  test('initializes with default values', ({ assert }) => {
+    const rule = new LifecycleStatusAccessRule(mockExposedEntity())
+    assert.equal(rule.type, 'lifecycleStatus')
+    assert.deepEqual(rule.allowedStatuses, [])
+    assert.deepEqual(rule.deniedStatuses, [])
+  }).tags(['@modeling', '@rule', '@lifecycle-status'])
+
+  test('initializes with provided values', ({ assert }) => {
+    const rule = new LifecycleStatusAccessRule(mockExposedEntity(), {
+      allowedStatuses: ['published'],
+      deniedStatuses: ['archived'],
+    })
+
+    assert.equal(rule.type, 'lifecycleStatus')
+    assert.deepEqual(rule.allowedStatuses, ['published'])
+    assert.deepEqual(rule.deniedStatuses, ['archived'])
+  }).tags(['@modeling', '@rule', '@lifecycle-status'])
+
+  test('toJSON returns valid schema', ({ assert }) => {
+    const rule = new LifecycleStatusAccessRule(mockExposedEntity(), {
+      allowedStatuses: ['active', 'pending'],
+    })
+    const json = rule.toJSON()
+
+    assert.equal(json.type, 'lifecycleStatus')
+    assert.deepEqual(json.allowedStatuses, ['active', 'pending'])
+    assert.isUndefined(json.deniedStatuses)
+  }).tags(['@modeling', '@rule', '@lifecycle-status', '@serialization'])
+
+  test('toJSON omits empty arrays', ({ assert }) => {
+    const rule = new LifecycleStatusAccessRule(mockExposedEntity())
+    const json = rule.toJSON()
+
+    assert.equal(json.type, 'lifecycleStatus')
+    assert.isUndefined(json.allowedStatuses)
+    assert.isUndefined(json.deniedStatuses)
+  }).tags(['@modeling', '@rule', '@lifecycle-status', '@serialization'])
+
+  test('notifies change when allowedStatuses changes', async ({ assert }) => {
+    const rule = new LifecycleStatusAccessRule(mockExposedEntity())
+    let notified = false
+    rule.addEventListener('change', () => {
+      notified = true
+    })
+
+    rule.allowedStatuses.push('draft')
+    await Promise.resolve()
+    assert.isTrue(notified)
+  }).tags(['@modeling', '@rule', '@lifecycle-status', '@observed'])
+})

package/tests/unit/modeling/rules/MatchResourceAttribute.spec.ts

@@ -0,0 +1,66 @@
+import { test } from '@japa/runner'
+import { MatchResourceAttributeAccessRule } from '../../../../src/modeling/rules/MatchResourceAttribute.js'
+import { mockExposedEntity } from '../actions/helpers.js'
+
+test.group('MatchResourceAttributeAccessRule', () => {
+  test('initializes with default values', ({ assert }) => {
+    const rule = new MatchResourceAttributeAccessRule(mockExposedEntity())
+    assert.equal(rule.type, 'matchResourceAttribute')
+    assert.equal(rule.attribute, '')
+    assert.equal(rule.value, '')
+    assert.equal(rule.operator, 'equal')
+  }).tags(['@modeling', '@rule', '@match-resource-attribute'])
+
+  test('initializes with provided values', ({ assert }) => {
+    const rule = new MatchResourceAttributeAccessRule(mockExposedEntity(), {
+      attribute: 'status',
+      value: 'published',
+      operator: 'notEqual',
+    })
+
+    assert.equal(rule.type, 'matchResourceAttribute')
+    assert.equal(rule.attribute, 'status')
+    assert.equal(rule.value, 'published')
+    assert.equal(rule.operator, 'notEqual')
+  }).tags(['@modeling', '@rule', '@match-resource-attribute'])
+
+  test('toJSON returns valid schema', ({ assert }) => {
+    const rule = new MatchResourceAttributeAccessRule(mockExposedEntity(), {
+      attribute: 'age',
+      value: 18,
+      operator: 'greaterThanOrEqual',
+    })
+    const json = rule.toJSON()
+
+    assert.equal(json.type, 'matchResourceAttribute')
+    assert.equal(json.attribute, 'age')
+    assert.equal(json.value, 18)
+    assert.equal(json.operator, 'greaterThanOrEqual')
+  }).tags(['@modeling', '@rule', '@match-resource-attribute', '@serialization'])
+
+  test('toJSON omits operator when it is equal', ({ assert }) => {
+    const rule = new MatchResourceAttributeAccessRule(mockExposedEntity(), {
+      attribute: 'isPublic',
+      value: true,
+      operator: 'equal',
+    })
+    const json = rule.toJSON()
+
+    assert.equal(json.type, 'matchResourceAttribute')
+    assert.equal(json.attribute, 'isPublic')
+    assert.equal(json.value, true)
+    assert.equal(json.operator, 'equal')
+  }).tags(['@modeling', '@rule', '@match-resource-attribute', '@serialization'])
+
+  test('notifies change when attribute changes', async ({ assert }) => {
+    const rule = new MatchResourceAttributeAccessRule(mockExposedEntity())
+    let notified = false
+    rule.addEventListener('change', () => {
+      notified = true
+    })
+
+    rule.attribute = 'visibility'
+    await Promise.resolve()
+    assert.isTrue(notified)
+  }).tags(['@modeling', '@rule', '@match-resource-attribute', '@observed'])
+})