@blazedpath/commons 0.0.4

package/blz-security/__test__/Security.yaml

@@ -0,0 +1,128 @@
+
+permissions:
+  - name: menu
+    rules:
+      - path: /menu-security/*
+        enable: false
+  - name: views
+    rules:
+      - path: /widgets-containers
+        actions: '**'
+        enable: false
+      - path: /grid-columns
+        actions: emailColumn, ipColumn
+        enable: false 
+      - path: /roles
+        actions: '**'
+        enable: false  
+      - path: /api/service/roles
+        enable: false
+      - path: /api/service/roles/*
+        enable: false
+      - path: /api/service/role
+        enable: false    
+      - path: /api/service/role/*
+        enable: false    
+  - name: roleView
+    rules:
+      - path: /roles
+        actions: View
+        enable: true  
+      - path: /api/service/roles
+        actions: GET
+        enable: true
+      - path: /api/service/role/*
+        actions: GET
+        enable: true
+  - name: roleEdit
+    extends: [roleView]
+    rules:
+      - path: /roles
+        actions: '**'
+        enable: true  
+      - path: /api/service/roles/merged
+        actions: POST
+        enable: true          
+      - path: /api/service/role/*
+        actions: DELETE, PATCH
+        enable: true              
+ # Guest
+  - name: guestMenu
+    extends: [menu]
+    rules:
+      - path: /menu-security/guest
+  - name: guestView
+    extends: [views]
+    rules:
+      - path: /widgets-containers
+        actions: viewGuest
+  - name: guestActions
+    rules:
+      - path: /actions
+        actions: '**'
+        enable: false
+  - name: guestAccounts
+    rules:      
+      - path: /account/*
+        enable: false
+      - path: /api/service/account
+        enable: false
+      - path: /api/service/account/*
+        enable: false                       
+  # User              
+  - name: userMenu
+    extends: [menu]
+    rules:
+      - path: /menu-security/user
+  - name: userView
+    extends: [views]
+    rules:
+      - path: /widgets-containers
+        actions: viewUser
+      - path: /grid-columns
+        actions: emailColumn
+  - name: userActions
+    rules:    
+      - path: /actions
+        actions: '**, edit:** , remove, view:**, hidden' 
+        enable: false
+      - path: /actions
+        actions: 'add, remove:**, edit, id'
+      - path: /actions-dots
+        actions: id
+  - name: userAccounts
+    rules:      
+      - path: /account/*
+      - path: /account/22
+        enable: false
+      - path: /api/service/account      
+      - path: /api/service/account/*
+        enable: false
+      - path: /api/service/account/21   
+  # Admin              
+  - name: adminMenu
+    extends: [menu]
+    rules:
+      - path: /menu-security/*
+  - name: adminView
+    extends: [views]
+    rules:
+      - path: /grid-columns
+        actions: ipColumn
+  - name: adminActions
+    rules:    
+      - path: /actions
+        actions: '**, edit:** , remove, view:**, hidden'
+  - name: adminAccounts
+    rules:      
+      - path: /account/22
+      - path: /api/service/account/22
+roles:
+  - name: Guest
+    permissions: [guestAccounts, guestMenu, guestView, guestActions ]
+  - name: User
+    extends: [Guest]
+    permissions: [ userAccounts, userMenu, userView, userActions, roleView]
+  - name: Admin
+    extends: [User]
+    permissions: [ adminAccounts,adminMenu, adminView, adminActions, roleEdit ]

package/blz-security/__test__/autorization.test.js

@@ -0,0 +1,105 @@
+/* eslint-disable no-undef */
+const { h3lp } = require('h3lp')
+const Yaml = require('js-yaml')
+const path = require('path')
+const AuthorizationService = require('../authorizationService')
+const _ = require('underscore')
+const logger = require('pino')()
+
+let authorizationService = null
+let config = null
+
+describe('Permission Service', () => {
+  beforeAll(async () => {
+    authorizationService = new AuthorizationService(_,logger)
+    const content = await h3lp.fs.read(path.join(__dirname, '/Security.yaml'))
+    const list = await Yaml.loadAll(content)
+    config = authorizationService.importSecurityConfig(list[0])
+  })
+
+  test('Permissions by Guest', () => {
+    const permissions = config.roles.find(p => p.name === 'Guest').permissions.join(',')
+    expect('guestAccounts,guestMenu,guestView,guestActions').toStrictEqual(permissions)
+  })
+  test('Permissions by User', () => {
+    const permissions = config.roles.find(p => p.name === 'User').permissions.join(',')
+    expect('userAccounts,userMenu,userView,userActions,roleView,guestAccounts,guestMenu,guestView,guestActions').toStrictEqual(permissions)
+  })
+  test('Permissions by Admin', () => {
+    const permissions = config.roles.find(p => p.name === 'Admin').permissions.join(',')
+    expect('adminAccounts,adminMenu,adminView,adminActions,roleEdit,userAccounts,userMenu,userView,userActions,roleView,guestAccounts,guestMenu,guestView,guestActions').toStrictEqual(permissions)
+  })
+  test('authorized by Guest', () => {
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account', '*', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account/21', '*', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account/22', '*', ['Guest']))
+
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/menu-security/guest', '', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/menu-security/user', '', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/menu-security/admin', '', ['Guest']))
+  })
+  test('authorized by User', () => {
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account', '*', ['User']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account/21', '*', ['User']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account/22', '*', ['User']))
+
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/menu-security/guest', '', ['User']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/menu-security/user', '', ['User']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/menu-security/admin', '', ['User']))
+  })
+  test('authorized by Admin', () => {
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account', '*', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account/21', '*', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account/22', '*', ['Admin']))
+
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/menu-security/guest', '', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/menu-security/user', '', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/menu-security/admin', '', ['Admin']))
+  })
+  test('authorized by Guest and User', () => {
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account', '*', ['Guest', 'User']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account/21', '*', ['Guest', 'User']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account/22', '*', ['Guest', 'User']))
+  })
+  test('authorized by User and Admin', () => {
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account', '*', ['User', 'Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account/21', '*', ['User', 'Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/account/22', '*', ['User', 'Admin']))
+  })
+  test('Role access to Guest', () => {
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/roles', '', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'View', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'Add', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'Edit', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'Remove', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/roles', 'GET', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/roles/merged', 'POST', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/role/1', 'GET', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/role/1', 'DELETE', ['Guest']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/role/1', 'PATCH', ['Guest']))
+  })
+  test('Role access to User', () => {
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/roles', '', ['User']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'View', ['User']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'Add', ['User']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'Edit', ['User']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'Remove', ['User']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/roles', 'GET', ['User']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/roles/merged', 'POST', ['User']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/role/1', 'GET', ['User']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/role/1', 'DELETE', ['User']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/service/role/1', 'PATCH', ['User']))
+  })
+  test('Role access to Admin', () => {
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/roles', '', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'View', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'Add', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'Edit', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/roles', 'Remove', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/roles', 'GET', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/roles/merged', 'POST', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/role/1', 'GET', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/role/1', 'DELETE', ['Admin']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/service/role/1', 'PATCH', ['Admin']))
+  })
+})

package/blz-security/__test__/orderManagement.test.js

@@ -0,0 +1,26 @@
+/* eslint-disable no-undef */
+const { h3lp } = require('h3lp')
+const Yaml = require('js-yaml')
+const path = require('path')
+const AuthorizationService = require('../authorizationService')
+const _ = require('underscore')
+const logger = require('pino')()
+
+let authorizationService = null
+
+describe('Permission Service', () => {
+  beforeAll(async () => {
+    authorizationService = new AuthorizationService(_,logger)
+    const content = await h3lp.fs.read(path.join(__dirname, '/OrderManagement.yaml'))
+    const list = await Yaml.loadAll(content)
+    config = authorizationService.importSecurityConfig(list[0])
+  })
+
+  test('Paths with query parameters', () => {
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/ext-common-business/businessDomains', 'GET', ['OMUserMenu']))
+    expect(false).toStrictEqual(authorizationService.defaultAuthorized('/api/ext-common-business/businessDomains?offset=0&limit=1', 'GET', ['OMUserMenu']))
+
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/ext-common-business/businessDomains', 'delete', ['OMUserMenu']))
+    expect(true).toStrictEqual(authorizationService.defaultAuthorized('/api/ext-common-business/businessDomains?offset=0&limit=1', 'DELETE', ['OMUserMenu']))
+  })
+})

package/blz-security/__test__/secureUrl.test.js

@@ -0,0 +1,79 @@
+/* eslint-disable no-undef */
+const SecureUrlService = require('../secureUrlService')
+const logger = require('pino')()
+let secureUrlService = null
+
+describe('SecureUrlService', () => {
+  beforeAll(async () => {
+    secureUrlService = new SecureUrlService(logger)
+  })
+
+  test('Front path', () => {
+    const session_key = 'N2ZkZGY4NmItYzVmYi00ZDFkLWI0OGEtMTY1MmM4YmI0ZThm'
+    const path = 'https://case-management-portal-beesion-dev.apps.ocp01.iplan.com.ar/#/tkt-incident/sw-2783/manage'
+    const token = secureUrlService.createToken(path, session_key)
+    expect(() => secureUrlService.validate(path, token, session_key, 15000)).not.toThrow();
+    expect(secureUrlService.validate(path, token, session_key, 15000)).toBeUndefined();
+  })
+
+  test('Front path with params', () => {
+    const session_key = 'N2ZkZGY4NmItYzVmYi00ZDFkLWI0OGEtMTY1MmM4YmI0ZThm'
+    const path = 'https://case-management-portal-beesion-dev.apps.ocp01.iplan.com.ar/#/tkt-incident/sw-2783/manage?param1=1&param2=a'
+    const token = secureUrlService.createToken(path, session_key)
+    expect(() => secureUrlService.validate(path, token, session_key, 15000)).not.toThrow();
+    expect(secureUrlService.validate(path, token, session_key, 15000)).toBeUndefined();
+  })
+
+  test('Api path', () => {
+    const session_key = 'N2ZkZGY4NmItYzVmYi00ZDFkLWI0OGEtMTY1MmM4YmI0ZThm'
+    const path = '/api/case-adapter/bpm'
+    const token = secureUrlService.createToken(path, session_key)
+    expect(() => secureUrlService.validate(path, token, session_key, 15000)).not.toThrow();
+    expect(secureUrlService.validate(path, token, session_key, 15000)).toBeUndefined();
+  })
+
+  test('Path with special characters with token expired', () => {
+    const session_key = '2cd68756-0099-48b4-9f42-57b3553f60c7'
+    const path = '/api/ms-business/party/%7BpartyId%7D'
+    const token = secureUrlService.createToken(path, session_key)
+    try {
+      secureUrlService.validate(path, token, session_key, -1);
+      fail('Expected SecureUrlService.validate to throw an error');
+    } catch (error) {
+      expect(error.message).toBe('The token has expired.');
+      expect(error.name).toBe('SecureUrlError');
+      expect(error.code).toBe(408); // o el campo que uses para el código
+    }
+  })
+
+  test('Path with special characters', () => {
+    const session_key = '2cd68756-0099-48b4-9f42-57b3553f60c7'
+    const path = '/api/ms-business/party/%7BpartyId%7D'
+    const token = secureUrlService.createToken(path, session_key)
+    expect(() => secureUrlService.validate(path, token, session_key, 15000)).not.toThrow();
+    expect(secureUrlService.validate(path, token, session_key, 15000)).toBeUndefined();
+  })
+
+  test('Path with special characters and session key in base64 with token expired', () => {
+    const session_key = 'N2ZkZGY4NmItYzVmYi00ZDFkLWI0OGEtMTY1MmM4YmI0ZThm'
+    const path = '/api/case-adapter/bpm/%7BinstanceId%7D/save-and-continue'
+    const token = secureUrlService.createToken(path, session_key)
+    try {      
+      secureUrlService.validate(path, token, session_key, -1);
+      fail('Expected SecureUrlService.validate to throw an error');
+    } catch (error) {
+      expect(error.message).toBe('The token has expired.');
+      expect(error.name).toBe('SecureUrlError');
+      expect(error.code).toBe(408); // o el campo que uses para el código
+    }
+  })
+
+  test('Path with special characters and session key in base64', () => {
+    const session_key = 'N2ZkZGY4NmItYzVmYi00ZDFkLWI0OGEtMTY1MmM4YmI0ZThm'
+    const path = '/api/case-adapter/bpm/%7BinstanceId%7D/save-and-continue'
+    const token = secureUrlService.createToken(path, session_key)
+    expect(() => secureUrlService.validate(path, token, session_key, 15000)).not.toThrow();
+    expect(secureUrlService.validate(path, token, session_key, 15000)).toBeUndefined();
+  })
+  
+})

package/blz-security/__test__/solveMergeRule.test.js

@@ -0,0 +1,109 @@
+/* eslint-disable no-undef */
+const AuthorizationService = require('../authorizationService')
+const _ = require('underscore')
+const logger = require('pino')()
+
+const authorizationService = new AuthorizationService(_,logger)
+const typesPreviousRules = [
+  { path: '/api/ms-financing-setting/fnc-types', actions: 'GET', enable: true },
+  { path: '/api/ms-financing-setting/fnc-types', actions: 'POST', enable: false }
+]
+const actionPreviousRules = [
+  { path: '/api/ms-financing-setting/fnc-action', actions: '*', enable: false }
+]
+const catalogPreviousRules = [
+  { path: '/api/ms-financing-setting/fnc-catalog', actions: '*', enable: true }
+]
+
+describe('Types use case', () => {
+  test('Set disable previous disable', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(typesPreviousRules, { path: '/api/ms-financing-setting/fnc-types', actions: 'POST', enable: false }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-types","actions":"GET","enable":true},{"path":"/api/ms-financing-setting/fnc-types","actions":"POST","enable":false}]').toStrictEqual(result)
+  })
+  test('Set enable previous disable', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(typesPreviousRules, { path: '/api/ms-financing-setting/fnc-types', actions: 'POST', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-types","actions":"GET,POST","enable":true}]').toStrictEqual(result)
+  })
+  test('Add enable', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(typesPreviousRules, { path: '/api/ms-financing-setting/fnc-types', actions: 'PUT', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-types","actions":"GET,PUT","enable":true},{"path":"/api/ms-financing-setting/fnc-types","actions":"POST","enable":false}]').toStrictEqual(result)
+  })
+  test('disable two actions, one set disable previously and other not exists', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(typesPreviousRules, { path: '/api/ms-financing-setting/fnc-types', actions: 'POST,DELETE', enable: false }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-types","actions":"GET","enable":true},{"path":"/api/ms-financing-setting/fnc-types","actions":"POST,DELETE","enable":false}]').toStrictEqual(result)
+  })
+  test('Enable two actions, one set disable previously and other not exists', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(typesPreviousRules, { path: '/api/ms-financing-setting/fnc-types', actions: 'POST,DELETE', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-types","actions":"GET,POST,DELETE","enable":true}]').toStrictEqual(result)
+  })
+  test('Add enable all rule', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(typesPreviousRules, { path: '/api/ms-financing-setting/fnc-types', actions: '*', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-types","actions":"*","enable":true}]').toStrictEqual(result)
+  })
+  test('Add disable all rule', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(typesPreviousRules, { path: '/api/ms-financing-setting/fnc-types', actions: '*', enable: false }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-types","actions":"GET","enable":true},{"path":"/api/ms-financing-setting/fnc-types","actions":"*","enable":false}]').toStrictEqual(result)
+  })
+})
+
+describe('Action use case', () => {
+  test('Set disable previous disable', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(actionPreviousRules, { path: '/api/ms-financing-setting/fnc-action', actions: 'POST', enable: false }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-action","actions":"*","enable":false}]').toStrictEqual(result)
+  })
+  test('Set enable previous disable', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(actionPreviousRules, { path: '/api/ms-financing-setting/fnc-action', actions: 'POST', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-action","actions":"*","enable":false},{"path":"/api/ms-financing-setting/fnc-action","actions":"POST","enable":true}]').toStrictEqual(result)
+  })
+  test('Add enable', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(actionPreviousRules, { path: '/api/ms-financing-setting/fnc-action', actions: 'PUT', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-action","actions":"*","enable":false},{"path":"/api/ms-financing-setting/fnc-action","actions":"PUT","enable":true}]').toStrictEqual(result)
+  })
+  test('disable two actions, one set disable previously and other not exists', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(actionPreviousRules, { path: '/api/ms-financing-setting/fnc-action', actions: 'POST,DELETE', enable: false }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-action","actions":"*","enable":false}]').toStrictEqual(result)
+  })
+  test('Enable two actions, one set disable previously and other not exists', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(actionPreviousRules, { path: '/api/ms-financing-setting/fnc-action', actions: 'POST,DELETE', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-action","actions":"*","enable":false},{"path":"/api/ms-financing-setting/fnc-action","actions":"POST,DELETE","enable":true}]').toStrictEqual(result)
+  })
+  test('Add enable all rule', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(actionPreviousRules, { path: '/api/ms-financing-setting/fnc-action', actions: '*', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-action","actions":"*","enable":true}]').toStrictEqual(result)
+  })
+  test('Add disable all rule', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(actionPreviousRules, { path: '/api/ms-financing-setting/fnc-action', actions: '*', enable: false }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-action","actions":"*","enable":false}]').toStrictEqual(result)
+  })
+})
+
+describe('Catalog use case', () => {
+  test('Set disable previous disable', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(catalogPreviousRules, { path: '/api/ms-financing-setting/fnc-catalog', actions: 'POST', enable: false }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-catalog","actions":"*","enable":true}]').toStrictEqual(result)
+  })
+  test('Set enable previous disable', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(catalogPreviousRules, { path: '/api/ms-financing-setting/fnc-catalog', actions: 'POST', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-catalog","actions":"*","enable":true}]').toStrictEqual(result)
+  })
+  test('Add enable', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(catalogPreviousRules, { path: '/api/ms-financing-setting/fnc-catalog', actions: 'PUT', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-catalog","actions":"*","enable":true}]').toStrictEqual(result)
+  })
+  test('disable two actions, one set disable previously and other not exists', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(catalogPreviousRules, { path: '/api/ms-financing-setting/fnc-catalog', actions: 'POST,DELETE', enable: false }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-catalog","actions":"*","enable":true}]').toStrictEqual(result)
+  })
+  test('Enable two actions, one set disable previously and other not exists', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(catalogPreviousRules, { path: '/api/ms-financing-setting/fnc-catalog', actions: 'POST,DELETE', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-catalog","actions":"*","enable":true}]').toStrictEqual(result)
+  })
+  test('Add enable all rule', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(catalogPreviousRules, { path: '/api/ms-financing-setting/fnc-catalog', actions: '*', enable: true }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-catalog","actions":"*","enable":true}]').toStrictEqual(result)
+  })
+  test('Add disable all rule', () => {
+    const result = JSON.stringify(authorizationService._solveMergeRule(catalogPreviousRules, { path: '/api/ms-financing-setting/fnc-catalog', actions: '*', enable: false }))
+    expect('[{"path":"/api/ms-financing-setting/fnc-catalog","actions":"*","enable":true}]').toStrictEqual(result)
+  })
+})

package/blz-security/__test__/sqlInjectionGuard.test.js

@@ -0,0 +1,203 @@
+/* eslint-disable no-undef */
+const SqlInjectionGuard = require('../sqlInjectionGuard') // Adjust path as needed
+const pino = require('pino')
+
+describe('SqlInjectionGuard', () => {
+    let guard
+
+    beforeEach(() => {
+        delete process.env.blz_securityApiSanitizeOnlyLog
+        delete process.env.blz_securityApiSanitizeAllowedInputRegex
+        guard = new SqlInjectionGuard(pino({ level: 'silent' }))
+    })
+
+    test('accepts safe simple strings', () => {
+        const params = [{ name: 'username', value: 'john_doe' }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    test('accepts safe identifiers with dots and dashes', () => {
+        const params = [{ name: 'email', value: 'test.user-name' }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    test('blocks basic SQL injection attempt', () => {
+        const params = [{ name: 'query', value: "' OR 1=1 --" }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('blocks semicolon followed by DROP statement', () => {
+        const sql = "SELECT * FROM users; DROP TABLE users;"
+        expect(() => guard.validateRawSql(sql)).toThrow()
+    })
+
+    test('blocks string with pg_sleep function', () => {
+        const sql = "SELECT pg_sleep(10);"
+        expect(() => guard.validateRawSql(sql)).toThrow()
+    })
+
+    test('blocks nested object with SQLi', () => {
+        const obj = {
+            user: {
+                comment: "'; DROP TABLE users;"
+            }
+        }
+        expect(() => guard.validateObject(obj)).toThrow()
+    })
+
+    test('blocks deep object traversal with SQLi', () => {
+        const obj = {
+            a: {
+                b: {
+                    c: "' OR '1'='1"
+                }
+            }
+        }
+        expect(() => guard.validateObject(obj)).toThrow()
+    })
+
+    test('does not block number values', () => {
+        const params = [{ name: 'count', value: 12345 }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    test('does not block boolean values', () => {
+        const params = [{ name: 'active', value: true }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    test('does not block empty string', () => {
+        const params = [{ name: 'description', value: '' }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    test('allows <script> input when custom regex allows all characters', () => {
+        process.env.blz_securityApiSanitizeAllowedInputRegex = '^.{1,100}$'
+        guard = new SqlInjectionGuard(pino({ level: 'silent' }))
+        const params = [{ name: 'comment', value: '<script>alert("x")</script>' }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    test('blocks SQL injection even if allowedInputRegex allows special characters', () => {
+        process.env.blz_securityApiSanitizeAllowedInputRegex = '^.{1,100}$'
+        guard = new SqlInjectionGuard(pino({ level: 'silent' }))
+        const params = [{ name: 'input', value: "'; DROP TABLE users;" }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('only logs when onlyLog mode is enabled', () => {
+        process.env.blz_securityApiSanitizeOnlyLog = 'true'
+        guard = new SqlInjectionGuard(pino({ level: 'silent' }))
+        const params = [{ name: 'input', value: "' OR 'x'='x" }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    test('ignores non-string values in validateObject', () => {
+        const obj = {
+            safe: true,
+            count: 42,
+            list: [1, 2, 3],
+            nested: {
+                values: [false, null, undefined]
+            }
+        }
+        expect(() => guard.validateObject(obj)).not.toThrow()
+    })
+
+    test('blocks string containing EXEC', () => {
+        const sql = "EXEC('SELECT * FROM users')"
+        expect(() => guard.validateRawSql(sql)).toThrow()
+    })
+
+    test('blocks string using dbms_lock.sleep', () => {
+        const sql = "SELECT dbms_lock.sleep(10) FROM dual"
+        expect(() => guard.validateRawSql(sql)).toThrow()
+    })
+
+    test('does not block special characters like = or &', () => {
+        const params = [{ name: 'filter', value: 'key=value&x=1' }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    test('does not block values containing HTML but not SQL', () => {
+        const params = [{ name: 'html', value: '<b>bold</b>' }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    test('throws on invalid JSON pattern in env', () => {
+        process.env.blz_securityApiSanitizeDangerousParamPatterns = 'INVALID_JSON'
+        expect(() => {
+            new SqlInjectionGuard(pino({ level: 'silent' }))
+        }).not.toThrow()
+    })
+
+    test('blocks /* comment pattern in param', () => {
+        const params = [{ name: 'q', value: '*/ DROP TABLE' }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('blocks SELECT-FROM pattern', () => {
+        const params = [{ name: 'sql', value: 'SELECT * FROM users' }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('blocks INSERT INTO pattern', () => {
+        const params = [{ name: 'payload', value: 'INSERT INTO table VALUES (1)' }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('blocks UPDATE SET = pattern', () => {
+        const params = [{ name: 'input', value: 'UPDATE table SET name="x"' }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('blocks DELETE FROM pattern', () => {
+        const params = [{ name: 'delete', value: 'DELETE FROM users' }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('allows input with only < at the end', () => {
+        const params = [{ name: 'input', value: 'allowed<' }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    test('allows input with only > at the beginning', () => {
+        const params = [{ name: 'input', value: '>allowed' }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+   
+    test('blocks OR with LIKE pattern', () => {
+        const params = [{ name: 'search', value: "' OR name LIKE '%admin%'" }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('blocks AND with LIKE pattern', () => {
+        const params = [{ name: 'search', value: "' AND role LIKE '%user%'" }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('blocks UNION SELECT statement', () => {
+        const params = [{ name: 'payload', value: "' UNION SELECT password FROM users --" }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('blocks complex obfuscated SQL injection', () => {
+        const params = [{ name: 'value', value: "admin'/**/OR/**/'1'='1" }]
+        expect(() => guard.validateParamList(params)).toThrow()
+    })
+
+    test('does not block input that looks like markup but is valid by whitelist', () => {
+        const params = [{ name: 'input', value: 'example>' }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+
+    // test('blocks expression with encoded SQL keywords', () => {
+    //     const params = [{ name: 'x', value: '%53%45%4C%45%43%54 * FROM users' }] // SELECT
+    //     expect(() => guard.validateParamList(params)).toThrow()
+    // })
+
+    test('does not block input with common punctuation', () => {
+        const params = [{ name: 'text', value: 'Hello, world! How are you?' }]
+        expect(() => guard.validateParamList(params)).not.toThrow()
+    })
+})