@highflame/policy 2.0.8 → 2.0.9

package/src/parser.test.ts

@@ -1,251 +0,0 @@
-/**
- * Parser unit tests
- *
- * Tests the Cedar text → PolicyRule conversion using the official Cedar engine.
- * These tests demonstrate how a client like highflame-authz would use the parser.
- */
-
-import { readFileSync } from 'fs';
-import { resolve, dirname } from 'path';
-import { fileURLToPath } from 'url';
-import { describe, it, expect } from 'vitest';
-import { parseCedarToRules } from './parser.js';
-import { rulesToCedar } from './builder.js';
-import type { PolicyRule } from './builder.js';
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-
-describe('parseCedarToRules', () => {
-  it('should parse a simple permit policy', () => {
-    const cedarText = `
-      @id("allow-read-files")
-      permit(
-        principal is User,
-        action == Action::"read_file",
-        resource is FilePath
-      );
-    `;
-
-    const result = parseCedarToRules(cedarText);
-
-    expect(result.errors).toHaveLength(0);
-    expect(result.rules).toHaveLength(1);
-    expect(result.unstructured).toHaveLength(0);
-
-    const rule = result.rules[0];
-    expect(rule.annotations.id).toBe('allow-read-files');
-    expect(rule.effect).toBe('permit');
-    expect(rule.principal).toEqual({ type: 'User' });
-    expect(rule.action).toBe('read_file');
-    expect(rule.resource).toEqual({ type: 'FilePath' });
-    expect(rule.enabled).toBe(true);
-  });
-
-  it('should parse a policy with when conditions', () => {
-    const cedarText = `
-      @id("block-high-risk")
-      forbid(
-        principal,
-        action == Action::"execute_tool",
-        resource
-      )
-      when {
-        context.threat_level == "high"
-      };
-    `;
-
-    const result = parseCedarToRules(cedarText);
-
-    expect(result.errors).toHaveLength(0);
-    expect(result.rules).toHaveLength(1);
-
-    const rule = result.rules[0];
-    expect(rule.annotations.id).toBe('block-high-risk');
-    expect(rule.effect).toBe('forbid');
-    expect(rule.action).toBe('execute_tool');
-
-    // Check condition was parsed
-    expect(rule.conditions.length).toBeGreaterThanOrEqual(0);
-    // If condition parsing works, it should have the condition
-    // If not, it should be in rawCondition
-    if (rule.conditions.length > 0) {
-      expect(rule.conditions[0].field).toBe('threat_level');
-      expect(rule.conditions[0].operator).toBe('eq');
-      expect(rule.conditions[0].value).toBe('high');
-    } else {
-      expect(rule.rawCondition).toBeDefined();
-    }
-  });
-
-  it('should return errors for invalid Cedar syntax', () => {
-    const invalidCedar = `
-      permit(
-        principal is User
-        // missing comma and rest of policy
-    `;
-
-    const result = parseCedarToRules(invalidCedar);
-
-    expect(result.errors.length).toBeGreaterThan(0);
-  });
-
-  it('should handle multiple policies', () => {
-    const cedarText = `
-      @id("rule-1")
-      permit(principal, action == Action::"read", resource);
-
-      @id("rule-2")
-      forbid(principal, action == Action::"delete", resource);
-    `;
-
-    const result = parseCedarToRules(cedarText);
-
-    expect(result.errors).toHaveLength(0);
-    expect(result.rules).toHaveLength(2);
-    expect(result.rules[0].effect).toBe('permit');
-    expect(result.rules[1].effect).toBe('forbid');
-  });
-
-  it('should put policies with unless clauses in unstructured', () => {
-    const cedarText = `
-      permit(principal, action, resource)
-      unless {
-        context.is_blocked == true
-      };
-    `;
-
-    const result = parseCedarToRules(cedarText);
-
-    // Unless clauses can't be represented as PolicyRule
-    expect(result.rules).toHaveLength(0);
-    expect(result.unstructured.length).toBeGreaterThan(0);
-  });
-
-  it('should store complex conditions as Cedar text in rawCondition', () => {
-    // Use a condition with boolean AND that can't be mapped to structured format
-    const cedarText = `
-      @id("complex-condition")
-      permit(principal, action, resource)
-      when {
-        context.a == "x" && context.b == "y"
-      };
-    `;
-
-    const result = parseCedarToRules(cedarText);
-
-    expect(result.errors).toHaveLength(0);
-    expect(result.rules).toHaveLength(1);
-
-    const rule = result.rules[0];
-
-    // The complex && condition should be in rawCondition as readable Cedar text
-    if (rule.rawCondition) {
-      // Verify it's Cedar expression text (not JSON AST)
-      expect(rule.rawCondition).toContain('context.a');
-      expect(rule.rawCondition).toContain('context.b');
-      // Should not be JSON
-      expect(rule.rawCondition.startsWith('[')).toBe(false);
-    }
-    // Either conditions were mapped or rawCondition contains Cedar text
-    expect(rule.conditions.length > 0 || rule.rawCondition).toBeTruthy();
-  });
-
-  it('should round-trip: parse → remove rule → rebuild → re-parse → add back → verify', () => {
-    // Read shared test fixture (builder output format, sorted by @id, Overwatch namespace)
-    const fixturePath = resolve(__dirname, '../../../test-fixtures/round-trip.cedar');
-    const originalCedar = readFileSync(fixturePath, 'utf-8').trimEnd();
-
-    // Step 1: Parse original
-    const originalResult = parseCedarToRules(originalCedar);
-    expect(originalResult.errors).toHaveLength(0);
-    expect(originalResult.rules).toHaveLength(4);
-
-    // Verify we have both simple (structured) and complex (raw) conditions
-    const simpleRule = originalResult.rules.find(r => r.annotations.id === 'simple-block-threats');
-    const complexRule = originalResult.rules.find(r => r.annotations.id === 'complex-block-injection');
-    expect(simpleRule).toBeDefined();
-    expect(complexRule).toBeDefined();
-    expect(simpleRule!.conditions.length).toBeGreaterThan(0);
-    expect(complexRule!.rawCondition).toBeDefined();
-
-    // Step 2: Remove complex rule → rebuild → re-parse
-    const remaining = originalResult.rules.filter(r => r.annotations.id !== 'complex-block-injection');
-    const removedRule = complexRule!;
-    expect(remaining).toHaveLength(3);
-
-    const partialCedar = rulesToCedar(remaining);
-    const partialResult = parseCedarToRules(partialCedar);
-    expect(partialResult.errors).toHaveLength(0);
-    expect(partialResult.rules).toHaveLength(3);
-
-    // Verify each remaining rule is preserved
-    for (const orig of remaining) {
-      const reparsed = partialResult.rules.find(r => r.annotations.id === orig.annotations.id);
-      expect(reparsed).toBeDefined();
-      assertRulesEquivalent(orig, reparsed!);
-    }
-
-    // Step 3: Add back → rebuild → re-parse
-    const allRules = [...partialResult.rules, removedRule];
-    const finalCedar = rulesToCedar(allRules);
-    const finalResult = parseCedarToRules(finalCedar);
-    expect(finalResult.errors).toHaveLength(0);
-    expect(finalResult.rules).toHaveLength(4);
-
-    // Verify ALL rules match original
-    for (const orig of originalResult.rules) {
-      const final_ = finalResult.rules.find(r => r.annotations.id === orig.annotations.id);
-      expect(final_).toBeDefined();
-      assertRulesEquivalent(orig, final_!);
-    }
-
-    // Step 4: Verify parse→build cycle is idempotent.
-    // The engine may normalize rawCondition text (e.g., adding parens), so we
-    // compare against canonical form (first parse→build) rather than original fixture.
-    const originalSorted = [...originalResult.rules].sort((a, b) => a.annotations.id.localeCompare(b.annotations.id));
-    originalSorted.forEach((r, i) => { r.order = i; });
-    const canonicalCedar = rulesToCedar(originalSorted);
-
-    const finalSorted = [...finalResult.rules].sort((a, b) => a.annotations.id.localeCompare(b.annotations.id));
-    finalSorted.forEach((r, i) => { r.order = i; });
-    const finalReconstructed = rulesToCedar(finalSorted);
-    expect(finalReconstructed).toBe(canonicalCedar);
-  });
-
-  it('should warn about duplicate policy IDs', () => {
-    const cedarText = `
-      @id("duplicate-id")
-      permit(principal, action, resource);
-
-      @id("unique-id")
-      forbid(principal, action, resource);
-
-      @id("duplicate-id")
-      permit(principal is User, action, resource);
-    `;
-
-    const result = parseCedarToRules(cedarText);
-
-    // All policies should still be parsed
-    expect(result.rules).toHaveLength(3);
-
-    // Should have a warning about duplicate ID
-    const duplicateError = result.errors.find(e => e.includes("HFP-PARSE-005"));
-    expect(duplicateError).toBeDefined();
-    expect(duplicateError).toContain("duplicate-id");
-    expect(duplicateError).toContain("[0");  // First occurrence at index 0
-    expect(duplicateError).toContain("2");   // Second occurrence at index 2
-  });
-});
-
-/** Assert two PolicyRules are semantically equivalent after round-trip. */
-function assertRulesEquivalent(a: PolicyRule, b: PolicyRule): void {
-  expect(b.annotations.id).toBe(a.annotations.id);
-  expect(b.annotations.name).toBe(a.annotations.name);
-  expect(b.effect).toBe(a.effect);
-  expect(b.action).toEqual(a.action);
-  expect(b.principal).toEqual(a.principal);
-  expect(b.resource).toEqual(a.resource);
-  expect(b.conditions).toEqual(a.conditions);
-  expect(b.rawCondition).toBe(a.rawCondition);
-}