npm - @objectstack/plugin-security - Versions diffs - 3.2.2 → 3.2.4 - Mend

@objectstack/plugin-security 3.2.2 → 3.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/.turbo/turbo-build.log +6 -6
package/CHANGELOG.md +14 -0
package/package.json +3 -3
package/src/security-plugin.test.ts +285 -0

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,5 +1,5 @@
-> @objectstack/plugin-security@3.2.2 build /home/runner/work/spec/spec/packages/plugins/plugin-security
+> @objectstack/plugin-security@3.2.4 build /home/runner/work/spec/spec/packages/plugins/plugin-security
 > tsup --config ../../../tsup.config.ts
 [34mCLI[39m Building entry: src/index.ts
@@ -10,13 +10,13 @@
 [34mCLI[39m Cleaning output folder
 [34mESM[39m Build start
 [34mCJS[39m Build start
-[32mCJS[39m [1mdist/index.js     [22m[32m10.89 KB[39m
-[32mCJS[39m [1mdist/index.js.map [22m[32m21.59 KB[39m
-[32mCJS[39m ⚡️ Build success in 63ms
 [32mESM[39m [1mdist/index.mjs     [22m[32m9.76 KB[39m
 [32mESM[39m [1mdist/index.mjs.map [22m[32m21.06 KB[39m
-[32mESM[39m ⚡️ Build success in 67ms
+[32mESM[39m ⚡️ Build success in 83ms
+[32mCJS[39m [1mdist/index.js     [22m[32m10.89 KB[39m
+[32mCJS[39m [1mdist/index.js.map [22m[32m21.59 KB[39m
+[32mCJS[39m ⚡️ Build success in 87ms
 [34mDTS[39m Build start
-[32mDTS[39m ⚡️ Build success in 8622ms
+[32mDTS[39m ⚡️ Build success in 15342ms
 [32mDTS[39m [1mdist/index.d.mts [22m[32m4.30 KB[39m
 [32mDTS[39m [1mdist/index.d.ts  [22m[32m4.30 KB[39m

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,19 @@
 # @objectstack/plugin-security
+## 3.2.4
+### Patch Changes
+- @objectstack/spec@3.2.4
+- @objectstack/core@3.2.4
+## 3.2.3
+### Patch Changes
+- @objectstack/spec@3.2.3
+- @objectstack/core@3.2.3
 ## 3.2.2
 ### Patch Changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@objectstack/plugin-security",
-  "version": "3.2.2",
+  "version": "3.2.4",
   "license": "Apache-2.0",
   "description": "Security Plugin for ObjectStack — RBAC, RLS, and Field-Level Security Runtime",
   "main": "dist/index.js",
@@ -13,8 +13,8 @@
     }
   },
   "dependencies": {
-    "@objectstack/core": "3.2.2",
-    "@objectstack/spec": "3.2.2"
+    "@objectstack/core": "3.2.4",
+    "@objectstack/spec": "3.2.4"
   },
   "devDependencies": {
     "@types/node": "^25.3.5",

package/src/security-plugin.test.ts ADDED Viewed

@@ -0,0 +1,285 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+import { describe, it, expect, vi } from 'vitest';
+import { SecurityPlugin } from './security-plugin.js';
+import { PermissionEvaluator } from './permission-evaluator.js';
+import { FieldMasker } from './field-masker.js';
+import { RLSCompiler } from './rls-compiler.js';
+import type { PermissionSet } from '@objectstack/spec/security';
+// ---------------------------------------------------------------------------
+// SecurityPlugin – basic metadata
+// ---------------------------------------------------------------------------
+describe('SecurityPlugin', () => {
+  it('should have correct metadata', () => {
+    const plugin = new SecurityPlugin();
+    expect(plugin.name).toBe('com.objectstack.security');
+    expect(plugin.type).toBe('standard');
+    expect(plugin.version).toBe('1.0.0');
+    expect(plugin.dependencies).toContain('com.objectstack.engine.objectql');
+  });
+  it('should register services during init', async () => {
+    const plugin = new SecurityPlugin();
+    const ctx: any = {
+      logger: { info: vi.fn(), warn: vi.fn() },
+      registerService: vi.fn(),
+      getService: vi.fn(),
+    };
+    await plugin.init(ctx);
+    expect(ctx.registerService).toHaveBeenCalledWith('security.permissions', expect.any(PermissionEvaluator));
+    expect(ctx.registerService).toHaveBeenCalledWith('security.rls', expect.any(RLSCompiler));
+    expect(ctx.registerService).toHaveBeenCalledWith('security.fieldMasker', expect.any(FieldMasker));
+  });
+  it('should warn and return when objectql service is missing', async () => {
+    const plugin = new SecurityPlugin();
+    const ctx: any = {
+      logger: { info: vi.fn(), warn: vi.fn() },
+      registerService: vi.fn(),
+      getService: vi.fn().mockImplementation(() => { throw new Error('not found'); }),
+    };
+    await plugin.init(ctx);
+    await plugin.start(ctx);
+    expect(ctx.logger.warn).toHaveBeenCalled();
+  });
+  it('should warn when objectql does not support middleware', async () => {
+    const plugin = new SecurityPlugin();
+    const ctx: any = {
+      logger: { info: vi.fn(), warn: vi.fn() },
+      registerService: vi.fn(),
+      getService: vi.fn().mockReturnValue({}), // no registerMiddleware
+    };
+    await plugin.init(ctx);
+    await plugin.start(ctx);
+    expect(ctx.logger.warn).toHaveBeenCalled();
+  });
+  it('should register middleware when objectql supports it', async () => {
+    const plugin = new SecurityPlugin();
+    const registerMiddleware = vi.fn();
+    const ctx: any = {
+      logger: { info: vi.fn(), warn: vi.fn() },
+      registerService: vi.fn(),
+      getService: vi.fn().mockReturnValue({ registerMiddleware }),
+    };
+    await plugin.init(ctx);
+    await plugin.start(ctx);
+    expect(registerMiddleware).toHaveBeenCalledWith(expect.any(Function));
+  });
+  it('should destroy without error', async () => {
+    const plugin = new SecurityPlugin();
+    await expect(plugin.destroy()).resolves.toBeUndefined();
+  });
+});
+// ---------------------------------------------------------------------------
+// PermissionEvaluator
+// ---------------------------------------------------------------------------
+describe('PermissionEvaluator', () => {
+  const makePermSet = (
+    name: string,
+    objects: PermissionSet['objects'] = {},
+    fields: PermissionSet['fields'] = {}
+  ): PermissionSet => ({ name, objects, fields });
+  it('should allow read when allowRead is true', () => {
+    const evaluator = new PermissionEvaluator();
+    const ps = makePermSet('admin', { contact: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false } });
+    expect(evaluator.checkObjectPermission('find', 'contact', [ps])).toBe(true);
+    expect(evaluator.checkObjectPermission('findOne', 'contact', [ps])).toBe(true);
+    expect(evaluator.checkObjectPermission('count', 'contact', [ps])).toBe(true);
+  });
+  it('should deny when no permission set matches', () => {
+    const evaluator = new PermissionEvaluator();
+    const ps = makePermSet('readonly', { contact: { allowRead: false, allowCreate: false, allowEdit: false, allowDelete: false } });
+    expect(evaluator.checkObjectPermission('insert', 'contact', [ps])).toBe(false);
+  });
+  it('should allow unknown operations by default', () => {
+    const evaluator = new PermissionEvaluator();
+    expect(evaluator.checkObjectPermission('unknownOp', 'contact', [])).toBe(true);
+  });
+  it('should allow via viewAllRecords', () => {
+    const evaluator = new PermissionEvaluator();
+    const ps = makePermSet('viewer', { task: { allowRead: false, allowCreate: false, allowEdit: false, allowDelete: false, viewAllRecords: true } });
+    expect(evaluator.checkObjectPermission('find', 'task', [ps])).toBe(true);
+  });
+  it('should allow edit/delete via modifyAllRecords', () => {
+    const evaluator = new PermissionEvaluator();
+    const ps = makePermSet('manager', { task: { allowRead: false, allowCreate: false, allowEdit: false, allowDelete: false, modifyAllRecords: true } });
+    expect(evaluator.checkObjectPermission('update', 'task', [ps])).toBe(true);
+    expect(evaluator.checkObjectPermission('delete', 'task', [ps])).toBe(true);
+  });
+  it('should merge field permissions (most permissive)', () => {
+    const evaluator = new PermissionEvaluator();
+    const ps1 = makePermSet('ps1', {}, { 'contact.email': { readable: true, editable: false } });
+    const ps2 = makePermSet('ps2', {}, { 'contact.email': { readable: false, editable: true } });
+    const result = evaluator.getFieldPermissions('contact', [ps1, ps2]);
+    expect(result['email']).toEqual({ readable: true, editable: true });
+  });
+  it('should filter field permissions to the correct object', () => {
+    const evaluator = new PermissionEvaluator();
+    const ps = makePermSet('ps', {}, {
+      'contact.email': { readable: true, editable: false },
+      'task.title': { readable: true, editable: true },
+    });
+    const result = evaluator.getFieldPermissions('contact', [ps]);
+    expect(result['email']).toBeDefined();
+    expect(result['title']).toBeUndefined();
+  });
+  it('should resolve permission sets from metadata service by role name', () => {
+    const evaluator = new PermissionEvaluator();
+    const ps1 = { name: 'admin' };
+    const ps2 = { name: 'viewer' };
+    const metadata = { list: vi.fn().mockReturnValue([ps1, ps2]) };
+    const result = evaluator.resolvePermissionSets(['admin'], metadata);
+    expect(result).toEqual([ps1]);
+  });
+  it('should return empty array when metadata has no permission sets', () => {
+    const evaluator = new PermissionEvaluator();
+    const metadata = { list: vi.fn().mockReturnValue([]) };
+    expect(evaluator.resolvePermissionSets(['admin'], metadata)).toEqual([]);
+  });
+});
+// ---------------------------------------------------------------------------
+// FieldMasker
+// ---------------------------------------------------------------------------
+describe('FieldMasker', () => {
+  it('should return results unchanged when no field permissions', () => {
+    const masker = new FieldMasker();
+    const records = [{ id: '1', name: 'Alice', email: 'alice@example.com' }];
+    expect(masker.maskResults(records, {}, 'contact')).toEqual(records);
+  });
+  it('should remove non-readable fields from records', () => {
+    const masker = new FieldMasker();
+    const records = [{ id: '1', name: 'Alice', email: 'alice@example.com' }];
+    const perms = { email: { readable: false, editable: false } };
+    const result = masker.maskResults(records, perms, 'contact') as any[];
+    expect(result[0].email).toBeUndefined();
+    expect(result[0].name).toBe('Alice');
+  });
+  it('should handle single record (non-array)', () => {
+    const masker = new FieldMasker();
+    const record = { id: '1', ssn: '123-45-6789', name: 'Bob' };
+    const perms = { ssn: { readable: false, editable: false } };
+    const result = masker.maskResults(record, perms, 'person') as any;
+    expect(result.ssn).toBeUndefined();
+    expect(result.name).toBe('Bob');
+  });
+  it('should preserve readable fields', () => {
+    const masker = new FieldMasker();
+    const record = { id: '1', name: 'Carol', secret: 'x' };
+    const perms = {
+      name: { readable: true, editable: true },
+      secret: { readable: false, editable: false },
+    };
+    const result = masker.maskResults(record, perms, 'user') as any;
+    expect(result.name).toBe('Carol');
+    expect(result.secret).toBeUndefined();
+  });
+  it('should return non-editable fields', () => {
+    const masker = new FieldMasker();
+    const perms = {
+      email: { readable: true, editable: false },
+      name: { readable: true, editable: true },
+    };
+    const nonEditable = masker.getNonEditableFields(perms);
+    expect(nonEditable).toContain('email');
+    expect(nonEditable).not.toContain('name');
+  });
+  it('should strip non-editable fields from write data', () => {
+    const masker = new FieldMasker();
+    const data = { name: 'Dave', email: 'dave@example.com', createdAt: '2024' };
+    const perms = {
+      email: { readable: true, editable: false },
+      createdAt: { readable: true, editable: false },
+      name: { readable: true, editable: true },
+    };
+    const result = masker.stripNonEditableFields(data, perms);
+    expect(result.name).toBe('Dave');
+    expect(result.email).toBeUndefined();
+    expect(result.createdAt).toBeUndefined();
+  });
+});
+// ---------------------------------------------------------------------------
+// RLSCompiler
+// ---------------------------------------------------------------------------
+describe('RLSCompiler', () => {
+  it('should return null for empty policies', () => {
+    const compiler = new RLSCompiler();
+    expect(compiler.compileFilter([])).toBeNull();
+  });
+  it('should compile equality expression with current_user property', () => {
+    const compiler = new RLSCompiler();
+    const policy: any = { object: 'task', operation: 'select', using: 'owner_id = current_user.id' };
+    const ctx: any = { userId: 'user-42', tenantId: 'tenant-1', roles: [] };
+    const filter = compiler.compileFilter([policy], ctx);
+    expect(filter).toEqual({ owner_id: 'user-42' });
+  });
+  it('should compile literal equality expression', () => {
+    const compiler = new RLSCompiler();
+    const policy: any = { object: 'doc', operation: 'select', using: "status = 'published'" };
+    const filter = compiler.compileFilter([policy]);
+    expect(filter).toEqual({ status: 'published' });
+  });
+  it('should compile IN expression with array property', () => {
+    const compiler = new RLSCompiler();
+    const policy: any = { object: 'project', operation: 'select', using: 'id IN (current_user.roles)' };
+    const ctx: any = { userId: 'u1', tenantId: 't1', roles: ['role-a', 'role-b'] };
+    const filter = compiler.compileFilter([policy], ctx);
+    expect(filter).toEqual({ id: { $in: ['role-a', 'role-b'] } });
+  });
+  it('should OR-combine multiple policies', () => {
+    const compiler = new RLSCompiler();
+    const p1: any = { object: 'task', operation: 'select', using: 'owner_id = current_user.id' };
+    const p2: any = { object: 'task', operation: 'select', using: "status = 'public'" };
+    const ctx: any = { userId: 'u99', tenantId: 't1', roles: [] };
+    const filter = compiler.compileFilter([p1, p2], ctx);
+    expect(filter).toEqual({ $or: [{ owner_id: 'u99' }, { status: 'public' }] });
+  });
+  it('should return null for unsupported expression', () => {
+    const compiler = new RLSCompiler();
+    const policy: any = { object: 'x', operation: 'select', using: 'complex expression WITH unsupported syntax' };
+    const filter = compiler.compileFilter([policy]);
+    expect(filter).toBeNull();
+  });
+  it('should get applicable policies for object and operation', () => {
+    const compiler = new RLSCompiler();
+    const policies: any[] = [
+      { object: 'task', operation: 'select', using: 'owner_id = current_user.id' },
+      { object: 'task', operation: 'insert', using: "status = 'open'" },
+      { object: 'contact', operation: 'all', using: 'tenant_id = current_user.tenant_id' },
+      { object: '*', operation: 'all', using: "active = 'true'" },
+    ];
+    const taskSelect = compiler.getApplicablePolicies('task', 'find', policies);
+    expect(taskSelect).toHaveLength(2); // task select + * all
+    const taskInsert = compiler.getApplicablePolicies('task', 'insert', policies);
+    expect(taskInsert).toHaveLength(2); // task insert + * all
+    const contactFind = compiler.getApplicablePolicies('contact', 'find', policies);
+    expect(contactFind).toHaveLength(2); // contact all + * all
+  });
+});