strapi-plugin-keycloak-realm-users 1.0.0

package/__tests__/services/permission.test.mjs

@@ -0,0 +1,374 @@
+/**
+ * @fileoverview Unit tests for the permission service.
+ * @module __tests__/services/permission
+ */
+
+import permissionService from '../../server/src/services/permission.js';
+import {
+  createMockStrapi,
+  createMockStrapiUser,
+  createMockRealmConfig,
+  createMockRealmAdmin,
+} from '../mocks/strapi.mjs';
+import { CONTENT_TYPES, DEFAULT_REALM_PERMISSIONS } from '../../server/src/constants.js';
+
+describe('Permission Service', () => {
+  let strapi;
+  let service;
+
+  beforeEach(() => {
+    strapi = createMockStrapi();
+    service = permissionService({ strapi });
+  });
+
+  describe('isSuperAdmin', () => {
+    it('should return true for super admin users', () => {
+      const user = createMockStrapiUser({ isSuperAdmin: true });
+
+      expect(service.isSuperAdmin(user)).toBe(true);
+    });
+
+    it('should return false for regular users', () => {
+      const user = createMockStrapiUser({ isSuperAdmin: false });
+
+      expect(service.isSuperAdmin(user)).toBe(false);
+    });
+
+    it('should return false for null user', () => {
+      expect(service.isSuperAdmin(null)).toBe(false);
+    });
+
+    it('should return false for user without roles', () => {
+      const user = { id: 1, email: 'test@test.com' };
+
+      expect(service.isSuperAdmin(user)).toBe(false);
+    });
+
+    it('should return false for user with empty roles array', () => {
+      const user = createMockStrapiUser();
+      user.roles = [];
+
+      expect(service.isSuperAdmin(user)).toBe(false);
+    });
+  });
+
+  describe('getRealmAdminAssignment', () => {
+    it('should return assignment when found', async () => {
+      const assignment = createMockRealmAdmin();
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([assignment]),
+      });
+
+      const result = await service.getRealmAdminAssignment(1, 'realm-doc-123');
+
+      expect(result).toEqual(assignment);
+      expect(strapi.documents).toHaveBeenCalledWith(CONTENT_TYPES.REALM_ADMIN);
+    });
+
+    it('should return null when no assignment exists', async () => {
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([]),
+      });
+
+      const result = await service.getRealmAdminAssignment(1, 'realm-doc-123');
+
+      expect(result).toBeNull();
+    });
+
+    it('should query with correct filters', async () => {
+      const findManyMock = jest.fn().mockResolvedValue([]);
+      strapi.documents.mockReturnValue({ findMany: findManyMock });
+
+      await service.getRealmAdminAssignment(42, 'realm-xyz');
+
+      expect(findManyMock).toHaveBeenCalledWith({
+        filters: {
+          strapiUserId: 42,
+          realmConfig: { documentId: 'realm-xyz' },
+        },
+        populate: ['realmConfig'],
+      });
+    });
+  });
+
+  describe('canAccessRealm', () => {
+    it('should return true for super admin regardless of assignment', async () => {
+      const user = createMockStrapiUser({ isSuperAdmin: true });
+
+      const result = await service.canAccessRealm(user, 'any-realm', 'canDelete');
+
+      expect(result).toBe(true);
+      // Should not even query for assignments
+      expect(strapi.documents).not.toHaveBeenCalled();
+    });
+
+    it('should return true when user has the required permission', async () => {
+      const user = createMockStrapiUser();
+      const assignment = createMockRealmAdmin({
+        permissions: { canRead: true, canCreate: true },
+      });
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([assignment]),
+      });
+
+      const result = await service.canAccessRealm(user, 'realm-123', 'canCreate');
+
+      expect(result).toBe(true);
+    });
+
+    it('should return false when user lacks the required permission', async () => {
+      const user = createMockStrapiUser();
+      const assignment = createMockRealmAdmin({
+        permissions: { canRead: true, canCreate: false },
+      });
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([assignment]),
+      });
+
+      const result = await service.canAccessRealm(user, 'realm-123', 'canCreate');
+
+      expect(result).toBe(false);
+    });
+
+    it('should return false when user has no assignment', async () => {
+      const user = createMockStrapiUser();
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([]),
+      });
+
+      const result = await service.canAccessRealm(user, 'realm-123', 'canRead');
+
+      expect(result).toBe(false);
+    });
+
+    it('should default to canRead permission', async () => {
+      const user = createMockStrapiUser();
+      const assignment = createMockRealmAdmin({
+        permissions: { canRead: true },
+      });
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([assignment]),
+      });
+
+      const result = await service.canAccessRealm(user, 'realm-123');
+
+      expect(result).toBe(true);
+    });
+
+    it('should use default permissions when assignment has none', async () => {
+      const user = createMockStrapiUser();
+      const assignment = createMockRealmAdmin({ permissions: null });
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([assignment]),
+      });
+
+      const result = await service.canAccessRealm(user, 'realm-123', 'canRead');
+
+      expect(result).toBe(DEFAULT_REALM_PERMISSIONS.canRead);
+    });
+  });
+
+  describe('getAccessibleRealms', () => {
+    it('should return all enabled realms with full permissions for super admin', async () => {
+      const user = createMockStrapiUser({ isSuperAdmin: true });
+      const realms = [
+        createMockRealmConfig({ name: 'realm-1' }),
+        createMockRealmConfig({ name: 'realm-2' }),
+      ];
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue(realms),
+      });
+
+      const result = await service.getAccessibleRealms(user);
+
+      expect(result).toHaveLength(2);
+      result.forEach((realm) => {
+        expect(realm.permissions).toEqual({
+          canRead: true,
+          canCreate: true,
+          canUpdate: true,
+          canDelete: true,
+          canManageRoles: true,
+          canResetPassword: true,
+        });
+      });
+    });
+
+    it('should return only assigned realms for regular users', async () => {
+      const user = createMockStrapiUser();
+      const assignments = [
+        createMockRealmAdmin({
+          realmConfig: createMockRealmConfig({ name: 'assigned-realm' }),
+          permissions: { canRead: true, canCreate: true },
+        }),
+      ];
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue(assignments),
+      });
+
+      const result = await service.getAccessibleRealms(user);
+
+      expect(result).toHaveLength(1);
+      expect(result[0].name).toBe('assigned-realm');
+      expect(result[0].permissions.canRead).toBe(true);
+      expect(result[0].permissions.canCreate).toBe(true);
+    });
+
+    it('should filter out assignments without realmConfig', async () => {
+      const user = createMockStrapiUser();
+      const assignments = [
+        createMockRealmAdmin({ realmConfig: null }),
+        createMockRealmAdmin({
+          realmConfig: createMockRealmConfig({ name: 'valid-realm' }),
+        }),
+      ];
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue(assignments),
+      });
+
+      const result = await service.getAccessibleRealms(user);
+
+      expect(result).toHaveLength(1);
+      expect(result[0].name).toBe('valid-realm');
+    });
+  });
+
+  describe('getRealmPermissions', () => {
+    it('should return full permissions for super admin', async () => {
+      const user = createMockStrapiUser({ isSuperAdmin: true });
+
+      const result = await service.getRealmPermissions(user, 'any-realm');
+
+      expect(result).toEqual({
+        canRead: true,
+        canCreate: true,
+        canUpdate: true,
+        canDelete: true,
+        canManageRoles: true,
+        canResetPassword: true,
+      });
+    });
+
+    it('should return assignment permissions for regular user', async () => {
+      const user = createMockStrapiUser();
+      const permissions = { canRead: true, canUpdate: true };
+      const assignment = createMockRealmAdmin({ permissions });
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([assignment]),
+      });
+
+      const result = await service.getRealmPermissions(user, 'realm-123');
+
+      expect(result).toEqual(permissions);
+    });
+
+    it('should return null when user has no assignment', async () => {
+      const user = createMockStrapiUser();
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([]),
+      });
+
+      const result = await service.getRealmPermissions(user, 'realm-123');
+
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('assignUserToRealm', () => {
+    it('should create new assignment when none exists', async () => {
+      const createMock = jest.fn().mockResolvedValue({ documentId: 'new-assignment' });
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([]),
+        create: createMock,
+      });
+
+      await service.assignUserToRealm(1, 'user@test.com', 'realm-123', { canCreate: true });
+
+      expect(createMock).toHaveBeenCalledWith({
+        data: {
+          strapiUserId: 1,
+          strapiUserEmail: 'user@test.com',
+          realmConfig: 'realm-123',
+          permissions: expect.objectContaining({ canCreate: true }),
+        },
+      });
+    });
+
+    it('should update existing assignment', async () => {
+      const existing = createMockRealmAdmin();
+      const updateMock = jest.fn().mockResolvedValue({ documentId: existing.documentId });
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([existing]),
+        update: updateMock,
+      });
+
+      await service.assignUserToRealm(1, 'user@test.com', 'realm-123', { canDelete: true });
+
+      expect(updateMock).toHaveBeenCalledWith({
+        documentId: existing.documentId,
+        data: {
+          permissions: expect.objectContaining({ canDelete: true }),
+        },
+      });
+    });
+
+    it('should merge with default permissions', async () => {
+      const createMock = jest.fn().mockResolvedValue({ documentId: 'new' });
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([]),
+        create: createMock,
+      });
+
+      await service.assignUserToRealm(1, 'user@test.com', 'realm-123', { canCreate: true });
+
+      const calledWith = createMock.mock.calls[0][0];
+      expect(calledWith.data.permissions.canRead).toBe(true); // from defaults
+      expect(calledWith.data.permissions.canCreate).toBe(true); // from override
+    });
+  });
+
+  describe('removeUserFromRealm', () => {
+    it('should delete assignment when it exists', async () => {
+      const assignment = createMockRealmAdmin();
+      const deleteMock = jest.fn().mockResolvedValue({});
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([assignment]),
+        delete: deleteMock,
+      });
+
+      const result = await service.removeUserFromRealm(1, 'realm-123');
+
+      expect(result).toBe(true);
+      expect(deleteMock).toHaveBeenCalledWith({
+        documentId: assignment.documentId,
+      });
+    });
+
+    it('should return false when no assignment exists', async () => {
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue([]),
+      });
+
+      const result = await service.removeUserFromRealm(1, 'realm-123');
+
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('getRealmAdmins', () => {
+    it('should return all admin assignments for a realm', async () => {
+      const assignments = [
+        createMockRealmAdmin({ strapiUserId: 1 }),
+        createMockRealmAdmin({ strapiUserId: 2 }),
+      ];
+      strapi.documents.mockReturnValue({
+        findMany: jest.fn().mockResolvedValue(assignments),
+      });
+
+      const result = await service.getRealmAdmins('realm-123');
+
+      expect(result).toHaveLength(2);
+      expect(strapi.documents).toHaveBeenCalledWith(CONTENT_TYPES.REALM_ADMIN);
+    });
+  });
+});