npm - @jmruthers/pace-core - Versions diffs - 0.5.3 → 0.5.5 - Mend

@jmruthers/pace-core 0.5.3 → 0.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/src/rbac/api.test.ts CHANGED Viewed

@@ -30,6 +30,18 @@ vi.mock('./cache', () => ({
     invalidate: vi.fn(),
     get: vi.fn(),
     set: vi.fn()
+  },
+  RBACCache: {
+    generatePermissionKey: vi.fn(({ userId, organisationId, eventId, appId, permission }) =>
+      `permission:${userId}:${organisationId}:${eventId || 'null'}:${appId || 'null'}:${permission}`
+    )
+  },
+  CACHE_PATTERNS: {
+    PERMISSION: vi.fn((userId, organisationId) => `permission:${userId}:${organisationId}:*`),
+    USER: vi.fn((userId) => `permission:${userId}:*`),
+    ORGANISATION: vi.fn((organisationId) => `permission:*:${organisationId}:*`),
+    EVENT: vi.fn((eventId) => `permission:*:*:${eventId}:*`),
+    APP: vi.fn((appId) => `permission:*:*:*:${appId}`)
   }
 }));
@@ -438,4 +450,503 @@ describe('RBAC API', () => {
       }).not.toThrow();
     });
   });
+  describe('Permission Functions', () => {
+    let mockEngine: any;
+    beforeEach(() => {
+      mockEngine = {
+        getAccessLevel: vi.fn(),
+        getPermissionMap: vi.fn(),
+        isPermitted: vi.fn(),
+        checkSuperAdmin: vi.fn(),
+        getAppConfig: vi.fn()
+      };
+      mockCreateRBACEngine.mockReturnValue(mockEngine);
+      mockCreateAuditManager.mockReturnValue({} as any);
+      mockGetRBACLogger.mockReturnValue({
+        info: vi.fn(),
+        warn: vi.fn(),
+        error: vi.fn(),
+        debug: vi.fn()
+      });
+      setupRBAC(mockSupabase as any);
+    });
+    describe('getAccessLevel', () => {
+      it('returns access level for user', async () => {
+        const { getAccessLevel } = await import('./api');
+        const mockAccessLevel = 'admin';
+        mockEngine.getAccessLevel.mockResolvedValue(mockAccessLevel);
+        const result = await getAccessLevel({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' }
+        });
+        expect(result).toBe(mockAccessLevel);
+        expect(mockEngine.getAccessLevel).toHaveBeenCalledWith({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' }
+        });
+      });
+      it('handles engine errors', async () => {
+        const { getAccessLevel } = await import('./api');
+        const error = new Error('Engine error');
+        mockEngine.getAccessLevel.mockRejectedValue(error);
+        await expect(getAccessLevel({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' }
+        })).rejects.toThrow('Engine error');
+      });
+    });
+    describe('getPermissionMap', () => {
+      it('returns permission map for user', async () => {
+        const { getPermissionMap } = await import('./api');
+        const mockPermissionMap = {
+          'read:users': true,
+          'write:users': false
+        };
+        mockEngine.getPermissionMap.mockResolvedValue(mockPermissionMap);
+        const result = await getPermissionMap({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' }
+        });
+        expect(result).toEqual(mockPermissionMap);
+        expect(mockEngine.getPermissionMap).toHaveBeenCalledWith({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' }
+        });
+      });
+      it('handles engine errors', async () => {
+        const { getPermissionMap } = await import('./api');
+        const error = new Error('Engine error');
+        mockEngine.getPermissionMap.mockRejectedValue(error);
+        await expect(getPermissionMap({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' }
+        })).rejects.toThrow('Engine error');
+      });
+    });
+    describe('isPermitted', () => {
+      it('returns permission result', async () => {
+        const { isPermitted } = await import('./api');
+        mockEngine.isPermitted.mockResolvedValue(true);
+        const result = await isPermitted({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permission: 'read:users',
+          pageId: 'page-789'
+        });
+        expect(result).toBe(true);
+        expect(mockEngine.isPermitted).toHaveBeenCalledWith({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permission: 'read:users',
+          pageId: 'page-789'
+        });
+      });
+      it('handles engine errors', async () => {
+        const { isPermitted } = await import('./api');
+        const error = new Error('Engine error');
+        mockEngine.isPermitted.mockRejectedValue(error);
+        await expect(isPermitted({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permission: 'read:users'
+        })).rejects.toThrow('Engine error');
+      });
+    });
+    describe('isPermittedCached', () => {
+      it('returns cached result when available', async () => {
+        const { isPermittedCached } = await import('./api');
+        const cacheKey = 'permission:user-123:org-456:null:null:read:users';
+        rbacCache.get.mockReturnValue(true);
+        const result = await isPermittedCached({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permission: 'read:users',
+          pageId: 'page-789'
+        });
+        expect(result).toBe(true);
+        expect(rbacCache.get).toHaveBeenCalledWith(cacheKey);
+        expect(mockEngine.isPermitted).not.toHaveBeenCalled();
+      });
+      it('checks permission and caches result when not cached', async () => {
+        const { isPermittedCached } = await import('./api');
+        rbacCache.get.mockReturnValue(null);
+        mockEngine.isPermitted.mockResolvedValue(true);
+        const result = await isPermittedCached({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permission: 'read:users',
+          pageId: 'page-789'
+        });
+        expect(result).toBe(true);
+        expect(mockEngine.isPermitted).toHaveBeenCalledWith({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permission: 'read:users',
+          pageId: 'page-789'
+        });
+        expect(rbacCache.set).toHaveBeenCalledWith(
+          expect.any(String),
+          true
+        );
+      });
+    });
+    describe('hasPermission', () => {
+      it('calls isPermitted', async () => {
+        const { hasPermission } = await import('./api');
+        mockEngine.isPermitted.mockResolvedValue(true);
+        const result = await hasPermission({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permission: 'read:users'
+        });
+        expect(result).toBe(true);
+        expect(mockEngine.isPermitted).toHaveBeenCalledWith({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permission: 'read:users'
+        });
+      });
+    });
+    describe('hasAnyPermission', () => {
+      it('returns true if user has any permission', async () => {
+        const { hasAnyPermission } = await import('./api');
+        mockEngine.isPermitted
+          .mockResolvedValueOnce(false) // First permission denied
+          .mockResolvedValueOnce(true); // Second permission granted
+        const result = await hasAnyPermission({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permissions: ['read:users', 'write:users']
+        });
+        expect(result).toBe(true);
+        expect(mockEngine.isPermitted).toHaveBeenCalledTimes(2);
+      });
+      it('returns false if user has no permissions', async () => {
+        const { hasAnyPermission } = await import('./api');
+        mockEngine.isPermitted.mockResolvedValue(false);
+        const result = await hasAnyPermission({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permissions: ['read:users', 'write:users']
+        });
+        expect(result).toBe(false);
+        expect(mockEngine.isPermitted).toHaveBeenCalledTimes(2);
+      });
+    });
+    describe('hasAllPermissions', () => {
+      it('returns true if user has all permissions', async () => {
+        const { hasAllPermissions } = await import('./api');
+        mockEngine.isPermitted.mockResolvedValue(true);
+        const result = await hasAllPermissions({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permissions: ['read:users', 'write:users']
+        });
+        expect(result).toBe(true);
+        expect(mockEngine.isPermitted).toHaveBeenCalledTimes(2);
+      });
+      it('returns false if user lacks any permission', async () => {
+        const { hasAllPermissions } = await import('./api');
+        mockEngine.isPermitted
+          .mockResolvedValueOnce(true) // First permission granted
+          .mockResolvedValueOnce(false); // Second permission denied
+        const result = await hasAllPermissions({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' },
+          permissions: ['read:users', 'write:users']
+        });
+        expect(result).toBe(false);
+        expect(mockEngine.isPermitted).toHaveBeenCalledTimes(2);
+      });
+    });
+    describe('isSuperAdmin', () => {
+      it('returns super admin status', async () => {
+        const { isSuperAdmin } = await import('./api');
+        mockEngine.checkSuperAdmin.mockResolvedValue(true);
+        const result = await isSuperAdmin('user-123');
+        expect(result).toBe(true);
+        expect(mockEngine.checkSuperAdmin).toHaveBeenCalledWith('user-123');
+      });
+      it('handles engine errors', async () => {
+        const { isSuperAdmin } = await import('./api');
+        const error = new Error('Engine error');
+        mockEngine.checkSuperAdmin.mockRejectedValue(error);
+        await expect(isSuperAdmin('user-123')).rejects.toThrow('Engine error');
+      });
+    });
+    describe('getAppConfig', () => {
+      it('returns app configuration', async () => {
+        const { getAppConfig } = await import('./api');
+        const mockConfig = { requires_event: true };
+        mockEngine.getAppConfig.mockResolvedValue(mockConfig);
+        const result = await getAppConfig('app-123');
+        expect(result).toEqual(mockConfig);
+        expect(mockEngine.getAppConfig).toHaveBeenCalledWith('app-123');
+      });
+      it('handles engine errors', async () => {
+        const { getAppConfig } = await import('./api');
+        const error = new Error('Engine error');
+        mockEngine.getAppConfig.mockRejectedValue(error);
+        await expect(getAppConfig('app-123')).rejects.toThrow('Engine error');
+      });
+    });
+    describe('isOrganisationAdmin', () => {
+      it('returns true for admin access level', async () => {
+        const { isOrganisationAdmin } = await import('./api');
+        mockEngine.getAccessLevel.mockResolvedValue('admin');
+        const result = await isOrganisationAdmin('user-123', 'org-456');
+        expect(result).toBe(true);
+        expect(mockEngine.getAccessLevel).toHaveBeenCalledWith({
+          userId: 'user-123',
+          scope: { organisationId: 'org-456' }
+        });
+      });
+      it('returns true for super access level', async () => {
+        const { isOrganisationAdmin } = await import('./api');
+        mockEngine.getAccessLevel.mockResolvedValue('super');
+        const result = await isOrganisationAdmin('user-123', 'org-456');
+        expect(result).toBe(true);
+      });
+      it('returns false for other access levels', async () => {
+        const { isOrganisationAdmin } = await import('./api');
+        mockEngine.getAccessLevel.mockResolvedValue('user');
+        const result = await isOrganisationAdmin('user-123', 'org-456');
+        expect(result).toBe(false);
+      });
+    });
+    describe('isEventAdmin', () => {
+      it('returns true for admin access level', async () => {
+        const { isEventAdmin } = await import('./api');
+        mockEngine.getAccessLevel.mockResolvedValue('admin');
+        const result = await isEventAdmin('user-123', {
+          organisationId: 'org-456',
+          eventId: 'event-789',
+          appId: 'app-101'
+        });
+        expect(result).toBe(true);
+        expect(mockEngine.getAccessLevel).toHaveBeenCalledWith({
+          userId: 'user-123',
+          scope: {
+            organisationId: 'org-456',
+            eventId: 'event-789',
+            appId: 'app-101'
+          }
+        });
+      });
+      it('returns false when eventId is missing', async () => {
+        const { isEventAdmin } = await import('./api');
+        const result = await isEventAdmin('user-123', {
+          organisationId: 'org-456',
+          eventId: undefined,
+          appId: 'app-101'
+        });
+        expect(result).toBe(false);
+        expect(mockEngine.getAccessLevel).not.toHaveBeenCalled();
+      });
+      it('returns false when appId is missing', async () => {
+        const { isEventAdmin } = await import('./api');
+        const result = await isEventAdmin('user-123', {
+          organisationId: 'org-456',
+          eventId: 'event-789',
+          appId: undefined
+        });
+        expect(result).toBe(false);
+        expect(mockEngine.getAccessLevel).not.toHaveBeenCalled();
+      });
+    });
+  });
+  describe('Cache Management', () => {
+    beforeEach(() => {
+      const mockEngine = {
+        getAccessLevel: vi.fn(),
+        getPermissionMap: vi.fn(),
+        isPermitted: vi.fn(),
+        checkSuperAdmin: vi.fn(),
+        getAppConfig: vi.fn()
+      };
+      mockCreateRBACEngine.mockReturnValue(mockEngine);
+      mockCreateAuditManager.mockReturnValue({} as any);
+      mockGetRBACLogger.mockReturnValue({
+        info: vi.fn(),
+        warn: vi.fn(),
+        error: vi.fn(),
+        debug: vi.fn()
+      });
+      setupRBAC(mockSupabase as any);
+    });
+    describe('invalidateUserCache', () => {
+      it('invalidates user cache with organisation', async () => {
+        const { invalidateUserCache } = await import('./api');
+        invalidateUserCache('user-123', 'org-456');
+        expect(rbacCache.invalidate).toHaveBeenCalledWith(
+          expect.stringContaining('user-123')
+        );
+      });
+      it('invalidates user cache without organisation', async () => {
+        const { invalidateUserCache } = await import('./api');
+        invalidateUserCache('user-123');
+        expect(rbacCache.invalidate).toHaveBeenCalledWith(
+          expect.stringContaining('user-123')
+        );
+      });
+    });
+    describe('invalidateOrganisationCache', () => {
+      it('invalidates organisation cache', async () => {
+        const { invalidateOrganisationCache } = await import('./api');
+        invalidateOrganisationCache('org-456');
+        expect(rbacCache.invalidate).toHaveBeenCalledWith(
+          expect.stringContaining('org-456')
+        );
+      });
+    });
+    describe('invalidateEventCache', () => {
+      it('invalidates event cache', async () => {
+        const { invalidateEventCache } = await import('./api');
+        invalidateEventCache('event-789');
+        expect(rbacCache.invalidate).toHaveBeenCalledWith(
+          expect.stringContaining('event-789')
+        );
+      });
+    });
+    describe('invalidateAppCache', () => {
+      it('invalidates app cache', async () => {
+        const { invalidateAppCache } = await import('./api');
+        invalidateAppCache('app-101');
+        expect(rbacCache.invalidate).toHaveBeenCalledWith(
+          expect.stringContaining('app-101')
+        );
+      });
+    });
+    describe('clearCache', () => {
+      it('clears all cache', async () => {
+        const { clearCache } = await import('./api');
+        clearCache();
+        expect(rbacCache.clear).toHaveBeenCalled();
+      });
+    });
+  });
+  describe('Error Handling', () => {
+    it('throws RBACNotInitializedError when engine not available', async () => {
+      // Reset global engine by clearing the module cache
+      vi.resetModules();
+      const { getAccessLevel } = await import('./api');
+      await expect(getAccessLevel({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456' }
+      })).rejects.toThrow('RBAC system not initialized');
+    });
+  });
 });