npm - @jmruthers/pace-core - Versions diffs - 0.5.3 → 0.5.4 - Mend

@jmruthers/pace-core 0.5.3 → 0.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (106) hide show

package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx ADDED Viewed

@@ -0,0 +1,806 @@
+/**
+ * @file PermissionEnforcer Component Tests
+ * @package @jmruthers/pace-core
+ * @module RBAC/Components/PermissionEnforcer
+ * @since 2.0.0
+ *
+ * Comprehensive tests for the PermissionEnforcer component covering all critical functionality.
+ */
+import { render, screen, waitFor } from '@testing-library/react';
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { ReactNode } from 'react';
+import { PermissionEnforcer } from '../PermissionEnforcer';
+import { useCan } from '../../hooks';
+import { useUnifiedAuth } from '../../../providers/UnifiedAuthProvider';
+// Mock the RBAC hooks
+vi.mock('../../hooks', () => ({
+  useCan: vi.fn()
+}));
+// Mock the auth provider
+vi.mock('../../../providers/UnifiedAuthProvider', () => ({
+  useUnifiedAuth: vi.fn()
+}));
+// Mock the event context utility
+vi.mock('../../utils/eventContext', () => ({
+  createScopeFromEvent: vi.fn()
+}));
+import { createScopeFromEvent } from '../../utils/eventContext';
+// Mock data
+const mockUser = {
+  id: 'user-123',
+  email: 'test@example.com'
+};
+const mockScope = {
+  organisationId: 'org-123',
+  eventId: 'event-123',
+  appId: 'app-123'
+};
+const mockPermissions = ['read:events', 'manage:events'] as const;
+const mockOperation = 'event-management';
+// Test component
+const TestComponent = ({ children }: { children: ReactNode }) => (
+  <div data-testid="test-component">{children}</div>
+);
+const TestFallback = () => (
+  <div data-testid="test-fallback">Access Denied</div>
+);
+const TestLoading = () => (
+  <div data-testid="test-loading">Loading...</div>
+);
+describe('PermissionEnforcer Component', () => {
+  const mockUseCan = vi.mocked(useCan);
+  const mockUseUnifiedAuth = vi.mocked(useUnifiedAuth);
+  const mockCreateScopeFromEvent = vi.mocked(createScopeFromEvent);
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Default mock implementations
+    mockUseUnifiedAuth.mockReturnValue({
+      user: mockUser,
+      selectedOrganisationId: 'org-123',
+      selectedEventId: 'event-123',
+      supabase: {} as any
+    });
+    mockUseCan.mockReturnValue({
+      can: true,
+      isLoading: false,
+      error: null
+    });
+  });
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+  describe('Rendering', () => {
+    it('renders children when permission is granted', async () => {
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+        expect(screen.getByText('Protected Content')).toBeInTheDocument();
+      });
+    });
+    it('renders fallback when permission is denied', async () => {
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+        expect(screen.queryByTestId('test-component')).not.toBeInTheDocument();
+      });
+    });
+    it('shows loading state during permission check', () => {
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: true,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          loading={<TestLoading />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      expect(screen.getByTestId('test-loading')).toBeInTheDocument();
+      expect(screen.queryByTestId('test-component')).not.toBeInTheDocument();
+    });
+    it('uses default fallback when none provided', async () => {
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByText('Access Denied')).toBeInTheDocument();
+        expect(screen.getByText('You don\'t have permission to perform this operation.')).toBeInTheDocument();
+      });
+    });
+    it('uses default loading when none provided', () => {
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: true,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      expect(screen.getByText('Checking permissions...')).toBeInTheDocument();
+    });
+  });
+  describe('Permission Checking', () => {
+    it('enforces single permission correctly', async () => {
+      const singlePermission = ['read:events'] as const;
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={singlePermission}
+          operation={mockOperation}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:events',
+        undefined,
+        true
+      );
+    });
+    it('enforces multiple permissions with AND logic', async () => {
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          requireAll={true}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      // Should check the first permission as representative
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:events',
+        undefined,
+        true
+      );
+    });
+    it('handles permission checking errors gracefully', async () => {
+      const error = new Error('Permission check failed');
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+    });
+    it('handles empty permissions array', async () => {
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={[]}
+          operation={mockOperation}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+    });
+  });
+  describe('Scope Resolution', () => {
+    it('uses provided scope when available', async () => {
+      const customScope = {
+        organisationId: 'custom-org',
+        eventId: 'custom-event',
+        appId: 'custom-app'
+      };
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          scope={customScope}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        customScope,
+        'read:events',
+        undefined,
+        true
+      );
+    });
+    it('resolves scope from organisation and event context', async () => {
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:events',
+        undefined,
+        true
+      );
+    });
+    it('resolves scope from organisation only', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        selectedOrganisationId: 'org-123',
+        selectedEventId: null,
+        supabase: {} as any
+      });
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: undefined
+        }),
+        'read:events',
+        undefined,
+        true
+      );
+    });
+    it('resolves scope from event context when organisation not available', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        selectedOrganisationId: null,
+        selectedEventId: 'event-123',
+        supabase: {} as any
+      });
+      mockCreateScopeFromEvent.mockResolvedValue({
+        organisationId: 'resolved-org',
+        eventId: 'event-123',
+        appId: 'resolved-app'
+      });
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockCreateScopeFromEvent).toHaveBeenCalledWith({}, 'event-123');
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'resolved-org',
+          eventId: 'event-123'
+        }),
+        'read:events',
+        undefined,
+        true
+      );
+    });
+    it('handles scope resolution errors', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        selectedOrganisationId: null,
+        selectedEventId: 'event-123',
+        supabase: {} as any
+      });
+      const error = new Error('Could not resolve organisation from event');
+      mockCreateScopeFromEvent.mockRejectedValue(error);
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+    });
+    it('handles missing context gracefully', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        selectedOrganisationId: null,
+        selectedEventId: null,
+        supabase: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+    });
+  });
+  describe('Security Features', () => {
+    it('prevents bypassing in strict mode', async () => {
+      const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          strictMode={true}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining('STRICT MODE VIOLATION'),
+        expect.objectContaining({
+          permissions: mockPermissions,
+          operation: mockOperation,
+          userId: 'user-123'
+        })
+      );
+      consoleSpy.mockRestore();
+    });
+    it('logs security violations for audit', async () => {
+      const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          auditLog={true}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining('Permission check attempt'),
+        expect.objectContaining({
+          permissions: mockPermissions,
+          operation: mockOperation,
+          userId: 'user-123',
+          allowed: false
+        })
+      );
+      consoleSpy.mockRestore();
+    });
+    it('calls onDenied callback when access is denied', async () => {
+      const onDeniedSpy = vi.fn();
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          onDenied={onDeniedSpy}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(onDeniedSpy).toHaveBeenCalledWith(mockPermissions, mockOperation);
+    });
+    it('does not call onDenied when access is granted', async () => {
+      const onDeniedSpy = vi.fn();
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          onDenied={onDeniedSpy}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(onDeniedSpy).not.toHaveBeenCalled();
+    });
+  });
+  describe('Configuration Options', () => {
+    it('respects strictMode setting', async () => {
+      const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          strictMode={false}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(consoleSpy).not.toHaveBeenCalledWith(
+        expect.stringContaining('STRICT MODE VIOLATION')
+      );
+      consoleSpy.mockRestore();
+    });
+    it('respects auditLog setting', async () => {
+      const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          auditLog={false}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(consoleSpy).not.toHaveBeenCalledWith(
+        expect.stringContaining('Permission check attempt')
+      );
+      consoleSpy.mockRestore();
+    });
+    it('respects requireAll setting', async () => {
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          requireAll={false}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      // Should still check the first permission as representative
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:events',
+        undefined,
+        true
+      );
+    });
+  });
+  describe('Error Handling', () => {
+    it('handles missing user gracefully', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: null,
+        selectedOrganisationId: 'org-123',
+        selectedEventId: 'event-123',
+        supabase: {} as any
+      });
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        '',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:events',
+        undefined,
+        true
+      );
+    });
+    it('handles permission check errors', async () => {
+      const error = new Error('Database connection failed');
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error
+      });
+      render(
+        <PermissionEnforcer
+          permissions={mockPermissions}
+          operation={mockOperation}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Protected Content</TestComponent>
+        </PermissionEnforcer>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+    });
+  });
+});