unleash-server 5.4.3 → 5.5.0

package/dist/test/e2e/services/access-service.e2e.test.js

@@ -28,7 +28,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const database_init_1 = __importDefault(require("../helpers/database-init"));
 const no_logger_1 = __importDefault(require("../../fixtures/no-logger"));
-// eslint-disable-next-line import/no-unresolved
 const access_service_1 = require("../../../lib/services/access-service");
 const permissions = __importStar(require("../../../lib/types/permissions"));
 const model_1 = require("../../../lib/types/model");
@@ -41,6 +40,7 @@ const segment_service_1 = require("../../../lib/services/segment-service");
 const group_service_1 = require("../../../lib/services/group-service");
 const services_1 = require("../../../lib/services");
 const sql_change_request_access_read_model_1 = require("../../../lib/features/change-request-access-service/sql-change-request-access-read-model");
+const createPrivateProjectChecker_1 = require("../../../lib/features/private-project/createPrivateProjectChecker");
 let db;
 let stores;
 let accessService;
@@ -49,27 +49,38 @@ let featureToggleService;
 let favoritesService;
 let projectService;
 let editorUser;
-let superUser;
 let editorRole;
 let adminRole;
 let readRole;
-const createUserEditorAccess = async (name, email) => {
+let userIndex = 0;
+const createUser = async (role) => {
+    const name = `User ${userIndex}`;
+    const email = `user-${userIndex}@getunleash.io`;
+    userIndex++;
     const { userStore } = stores;
     const user = await userStore.insert({ name, email });
-    await accessService.addUserToRole(user.id, editorRole.id, 'default');
+    if (role)
+        await accessService.addUserToRole(user.id, role, role === readRole.id ? constants_1.ALL_PROJECTS : project_1.DEFAULT_PROJECT);
     return user;
 };
-const createUserViewerAccess = async (name, email) => {
-    const { userStore } = stores;
-    const user = await userStore.insert({ name, email });
-    await accessService.addUserToRole(user.id, readRole.id, constants_1.ALL_PROJECTS);
-    return user;
+let groupIndex = 0;
+const createGroup = async ({ users, role, }) => {
+    const { groupStore } = stores;
+    const group = await stores.groupStore.create({
+        name: `Group ${groupIndex}`,
+        rootRole: role,
+    });
+    if (users)
+        await groupStore.addUsersToGroup(group.id, users, 'Admin');
+    return group;
 };
-const createUserAdminAccess = async (name, email) => {
-    const { userStore } = stores;
-    const user = await userStore.insert({ name, email });
-    await accessService.addUserToRole(user.id, adminRole.id, 'default');
-    return user;
+let roleIndex = 0;
+const createRole = async (rolePermissions) => {
+    return accessService.createRole({
+        name: `Role ${roleIndex}`,
+        description: `Role ${roleIndex++} description`,
+        permissions: rolePermissions,
+    });
 };
 const hasCommonProjectAccess = async (user, projectName, condition) => {
     const defaultEnv = 'default';
@@ -100,15 +111,6 @@ const hasFullProjectAccess = async (user, projectName, condition) => {
     expect(await accessService.hasPermission(user, MOVE_FEATURE_TOGGLE, projectName));
     await hasCommonProjectAccess(user, projectName, condition);
 };
-const createSuperUser = async () => {
-    const { userStore } = stores;
-    const user = await userStore.insert({
-        name: 'Alice Admin',
-        email: 'admin@getunleash.io',
-    });
-    await accessService.addUserToRole(user.id, adminRole.id, constants_1.ALL_PROJECTS);
-    return user;
-};
 beforeAll(async () => {
     db = await (0, database_init_1.default)('access_service_serial', no_logger_1.default);
     stores = db.stores;
@@ -125,11 +127,22 @@ beforeAll(async () => {
     adminRole = roles.find((r) => r.name === model_1.RoleName.ADMIN);
     readRole = roles.find((r) => r.name === model_1.RoleName.VIEWER);
     const changeRequestAccessReadModel = new sql_change_request_access_read_model_1.ChangeRequestAccessReadModel(db.rawDatabase, accessService);
-    featureToggleService = new feature_toggle_service_1.default(stores, config, new segment_service_1.SegmentService(stores, changeRequestAccessReadModel, config), accessService, changeRequestAccessReadModel);
+    const privateProjectChecker = (0, createPrivateProjectChecker_1.createPrivateProjectChecker)(db.rawDatabase, config);
+    featureToggleService = new feature_toggle_service_1.default(stores, config, new segment_service_1.SegmentService(stores, changeRequestAccessReadModel, config, privateProjectChecker), accessService, changeRequestAccessReadModel, privateProjectChecker);
     favoritesService = new services_1.FavoritesService(stores, config);
-    projectService = new project_service_1.default(stores, config, accessService, featureToggleService, groupService, favoritesService);
-    editorUser = await createUserEditorAccess('Bob Test', 'bob@getunleash.io');
-    superUser = await createSuperUser();
+    projectService = new project_service_1.default(stores, config, accessService, featureToggleService, groupService, favoritesService, privateProjectChecker);
+    editorUser = await createUser(editorRole.id);
+    const testAdmin = await createUser(adminRole.id);
+    await projectService.createProject({
+        id: 'some-project',
+        name: 'Some project',
+        description: 'Used in the test',
+    }, testAdmin);
+    await projectService.createProject({
+        id: 'unusedprojectname',
+        name: 'Another project not used',
+        description: 'Also used in the test',
+    }, testAdmin);
 });
 afterAll(async () => {
     await db.destroy();
@@ -195,12 +208,17 @@ test('should remove CREATE_FEATURE on default environment', async () => {
     const user = editorUser;
     const editRole = await accessService.getRoleByName(model_1.RoleName.EDITOR);
     await accessService.addPermissionToRole(editRole.id, permissions.CREATE_FEATURE, '*');
+    // TODO: to validate the remove works, we should make sure that we had permission before removing it
+    // this currently does not work, just keeping the comment here for future reference
+    // expect(
+    //     await accessService.hasPermission(user, CREATE_FEATURE, 'some-project'),
+    // ).toBe(true);
     await accessService.removePermissionFromRole(editRole.id, permissions.CREATE_FEATURE, '*');
     expect(await accessService.hasPermission(user, CREATE_FEATURE, 'some-project')).toBe(false);
 });
 test('admin should be admin', async () => {
     const { DELETE_PROJECT, UPDATE_PROJECT, CREATE_FEATURE, UPDATE_FEATURE, DELETE_FEATURE, ADMIN, } = permissions;
-    const user = superUser;
+    const user = await createUser(adminRole.id);
     expect(await accessService.hasPermission(user, DELETE_PROJECT, 'default')).toBe(true);
     expect(await accessService.hasPermission(user, UPDATE_PROJECT, 'default')).toBe(true);
     expect(await accessService.hasPermission(user, CREATE_FEATURE, 'default')).toBe(true);
@@ -224,7 +242,7 @@ test('should grant user access to project', async () => {
     const { DELETE_PROJECT, UPDATE_PROJECT } = permissions;
     const project = 'another-project';
     const user = editorUser;
-    const sUser = await createUserViewerAccess('Some Random', 'random@getunleash.io');
+    const sUser = await createUser(readRole.id);
     await accessService.createDefaultProjectRoles(user, project);
     const projectRole = await accessService.getRoleByName(model_1.RoleName.MEMBER);
     await accessService.addUserToRole(sUser.id, projectRole.id, project);
@@ -237,7 +255,7 @@ test('should grant user access to project', async () => {
 test('should not get access if not specifying project', async () => {
     const project = 'another-project-2';
     const user = editorUser;
-    const sUser = await createUserViewerAccess('Some Random', 'random22@getunleash.io');
+    const sUser = await createUser(readRole.id);
     await accessService.createDefaultProjectRoles(user, project);
     const projectRole = await accessService.getRoleByName(model_1.RoleName.MEMBER);
     await accessService.addUserToRole(sUser.id, projectRole.id, project);
@@ -355,7 +373,7 @@ test('should support permission with "ALL" environment requirement', async () =>
         description: 'Grants access to modify all environments',
     });
     const { CREATE_FEATURE_STRATEGY } = permissions;
-    await accessStore.addPermissionsToRole(customRole.id, [CREATE_FEATURE_STRATEGY], 'production');
+    await accessStore.addPermissionsToRole(customRole.id, [{ name: CREATE_FEATURE_STRATEGY }], 'production');
     await accessStore.addUserToRole(user.id, customRole.id, constants_1.ALL_PROJECTS);
     const hasAccess = await accessService.hasPermission(user, CREATE_FEATURE_STRATEGY, 'default', 'production');
     expect(hasAccess).toBe(true);
@@ -399,26 +417,16 @@ test('Should be denied access to delete a role that is in use', async () => {
         name: 'CustomProjectMember',
         email: 'custom@getunleash.io',
     });
-    const customRole = await accessService.createRole({
-        name: 'RoleInUse',
-        description: '',
-        permissions: [
-            {
-                id: 2,
-                name: 'CREATE_FEATURE',
-                environment: undefined,
-                displayName: 'Create Feature Toggles',
-                type: 'project',
-            },
-            {
-                id: 8,
-                name: 'DELETE_FEATURE',
-                environment: undefined,
-                displayName: 'Delete Feature Toggles',
-                type: 'project',
-            },
-        ],
-    });
+    const customRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
     await projectService.addUser(project.id, customRole.id, projectMember.id);
     try {
         await accessService.deleteRole(customRole.id);
@@ -429,7 +437,7 @@ test('Should be denied access to delete a role that is in use', async () => {
 });
 test('Should be denied move feature toggle to project where the user does not have access', async () => {
     const user = editorUser;
-    const editorUser2 = await createUserEditorAccess('seconduser', 'bob2@gmail.com');
+    const editorUser2 = await createUser(editorRole.id);
     const projectOrigin = {
         id: 'projectOrigin',
         name: 'New project',
@@ -526,14 +534,11 @@ test('Should be allowed move feature toggle to project when given access through
         id: 'yet-another-project1',
         name: 'yet-another-project1',
     };
-    const groupStore = stores.groupStore;
-    const viewerUser = await createUserViewerAccess('Victoria Viewer', 'vickyv@getunleash.io');
+    const viewerUser = await createUser(readRole.id);
     await projectService.createProject(project, editorUser);
-    const groupWithProjectAccess = await groupStore.create({
-        name: 'Project Editors',
-        description: '',
+    const groupWithProjectAccess = await createGroup({
+        users: [{ user: viewerUser }],
     });
-    await groupStore.addUsersToGroup(groupWithProjectAccess.id, [{ user: viewerUser }], 'Admin');
     const projectRole = await accessService.getRoleByName(model_1.RoleName.MEMBER);
     await hasCommonProjectAccess(viewerUser, project.id, false);
     await accessService.addGroupToRole(groupWithProjectAccess.id, projectRole.id, 'SomeAdminUser', project.id);
@@ -545,14 +550,10 @@ test('Should not lose user role access when given permissions from a group', asy
         name: 'yet-another-project-lose',
     };
     const user = editorUser;
-    const groupStore = stores.groupStore;
     await projectService.createProject(project, user);
-    // await accessService.createDefaultProjectRoles(user, project.id);
-    const groupWithNoAccess = await groupStore.create({
-        name: 'ViewersOnly',
-        description: '',
+    const groupWithNoAccess = await createGroup({
+        users: [{ user }],
     });
-    await groupStore.addUsersToGroup(groupWithNoAccess.id, [{ user: user }], 'Admin');
     const viewerRole = await accessService.getRoleByName(model_1.RoleName.VIEWER);
     await accessService.addGroupToRole(groupWithNoAccess.id, viewerRole.id, 'SomeAdminUser', project.id);
     await hasFullProjectAccess(user, project.id, true);
@@ -568,46 +569,27 @@ test('Should allow user to take multiple group roles and have expected permissio
         name: 'project-that-should-have-delete-toggle-permission',
         description: 'Blah',
     };
-    const groupStore = stores.groupStore;
-    const viewerUser = await createUserViewerAccess('Victor Viewer', 'victore@getunleash.io');
+    const viewerUser = await createUser(readRole.id);
     await projectService.createProject(projectForCreate, editorUser);
     await projectService.createProject(projectForDelete, editorUser);
-    const groupWithCreateAccess = await groupStore.create({
-        name: 'ViewersOnly',
-        description: '',
-    });
-    const groupWithDeleteAccess = await groupStore.create({
-        name: 'ViewersOnly',
-        description: '',
-    });
-    await groupStore.addUsersToGroup(groupWithCreateAccess.id, [{ user: viewerUser }], 'Admin');
-    await groupStore.addUsersToGroup(groupWithDeleteAccess.id, [{ user: viewerUser }], 'Admin');
-    const createFeatureRole = await accessService.createRole({
-        name: 'CreateRole',
-        description: '',
-        permissions: [
-            {
-                id: 2,
-                name: 'CREATE_FEATURE',
-                environment: undefined,
-                displayName: 'Create Feature Toggles',
-                type: 'project',
-            },
-        ],
+    const groupWithCreateAccess = await createGroup({
+        users: [{ user: viewerUser }],
     });
-    const deleteFeatureRole = await accessService.createRole({
-        name: 'DeleteRole',
-        description: '',
-        permissions: [
-            {
-                id: 8,
-                name: 'DELETE_FEATURE',
-                environment: undefined,
-                displayName: 'Delete Feature Toggles',
-                type: 'project',
-            },
-        ],
+    const groupWithDeleteAccess = await createGroup({
+        users: [{ user: viewerUser }],
     });
+    const createFeatureRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+    ]);
+    const deleteFeatureRole = await createRole([
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
     await accessService.addGroupToRole(groupWithCreateAccess.id, deleteFeatureRole.id, 'SomeAdminUser', projectForDelete.id);
     await accessService.addGroupToRole(groupWithDeleteAccess.id, createFeatureRole.id, 'SomeAdminUser', projectForCreate.id);
     expect(await accessService.hasPermission(viewerUser, permissions.CREATE_FEATURE, projectForCreate.id)).toBe(true);
@@ -616,43 +598,34 @@ test('Should allow user to take multiple group roles and have expected permissio
     expect(await accessService.hasPermission(viewerUser, permissions.DELETE_FEATURE, projectForDelete.id)).toBe(true);
 });
 test('Should allow user to take on root role through a group that has a root role defined', async () => {
-    const groupStore = stores.groupStore;
-    const viewerUser = await createUserViewerAccess('Vincent Viewer', 'vincent@getunleash.io');
-    const groupWithRootAdminRole = await groupStore.create({
-        name: 'GroupThatGrantsAdminRights',
-        description: '',
-        rootRole: adminRole.id,
+    const viewerUser = await createUser(readRole.id);
+    await createGroup({
+        role: adminRole.id,
+        users: [{ user: viewerUser }],
     });
-    await groupStore.addUsersToGroup(groupWithRootAdminRole.id, [{ user: viewerUser }], 'Admin');
     expect(await accessService.hasPermission(viewerUser, permissions.ADMIN)).toBe(true);
 });
 test('Should not elevate permissions for a user that is not present in a root role group', async () => {
-    const groupStore = stores.groupStore;
-    const viewerUser = await createUserViewerAccess('Violet Viewer', 'violet@getunleash.io');
-    const viewerUserNotInGroup = await createUserViewerAccess('Veronica Viewer', 'veronica@getunleash.io');
-    const groupWithRootAdminRole = await groupStore.create({
-        name: 'GroupThatGrantsAdminRights',
-        description: '',
-        rootRole: adminRole.id,
+    const viewerUser = await createUser(readRole.id);
+    const viewerUserNotInGroup = await createUser(readRole.id);
+    await createGroup({
+        role: adminRole.id,
+        users: [{ user: viewerUser }],
     });
-    await groupStore.addUsersToGroup(groupWithRootAdminRole.id, [{ user: viewerUser }], 'Admin');
     expect(await accessService.hasPermission(viewerUser, permissions.ADMIN)).toBe(true);
     expect(await accessService.hasPermission(viewerUserNotInGroup, permissions.ADMIN)).toBe(false);
 });
 test('Should not reduce permissions for an admin user that enters an editor group', async () => {
-    const groupStore = stores.groupStore;
-    const adminUser = await createUserAdminAccess('Austin Admin', 'austin@getunleash.io');
-    const groupWithRootEditorRole = await groupStore.create({
-        name: 'GroupThatGrantsEditorRights',
-        description: '',
-        rootRole: editorRole.id,
+    const adminUser = await createUser(adminRole.id);
+    await createGroup({
+        role: editorRole.id,
+        users: [{ user: adminUser }],
     });
-    await groupStore.addUsersToGroup(groupWithRootEditorRole.id, [{ user: adminUser }], 'Admin');
     expect(await accessService.hasPermission(adminUser, permissions.ADMIN)).toBe(true);
 });
 test('Should not change permissions for a user in a group without a root role', async () => {
     const groupStore = stores.groupStore;
-    const viewerUser = await createUserViewerAccess('Virgil Viewer', 'virgil@getunleash.io');
+    const viewerUser = await createUser(readRole.id);
     const groupWithoutRootRole = await groupStore.create({
         name: 'GroupWithNoRootRole',
         description: '',
@@ -665,12 +638,10 @@ test('Should not change permissions for a user in a group without a root role',
 });
 test('Should add permissions to user when a group is given a root role after the user has been added to the group', async () => {
     const groupStore = stores.groupStore;
-    const viewerUser = await createUserViewerAccess('Vera Viewer', 'vera@getunleash.io');
-    const groupWithoutRootRole = await groupStore.create({
-        name: 'GroupWithNoRootRole',
-        description: '',
+    const viewerUser = await createUser(readRole.id);
+    const groupWithoutRootRole = await createGroup({
+        users: [{ user: viewerUser }],
     });
-    await groupStore.addUsersToGroup(groupWithoutRootRole.id, [{ user: viewerUser }], 'Admin');
     expect(await accessService.hasPermission(viewerUser, permissions.ADMIN)).toBe(false);
     await groupStore.update({
         id: groupWithoutRootRole.id,
@@ -682,14 +653,457 @@ test('Should add permissions to user when a group is given a root role after the
 });
 test('Should give full project access to the default project to user in a group with an editor root role', async () => {
     const projectName = 'default';
-    const groupStore = stores.groupStore;
-    const viewerUser = await createUserViewerAccess('Vee viewer', 'vee@getunleash.io');
-    const groupWithRootEditorRole = await groupStore.create({
-        name: 'GroupThatGrantsEditorRights',
-        description: '',
-        rootRole: editorRole.id,
+    const viewerUser = await createUser(readRole.id);
+    await createGroup({
+        role: editorRole.id,
+        users: [{ user: viewerUser }],
     });
-    await groupStore.addUsersToGroup(groupWithRootEditorRole.id, [{ user: viewerUser }], 'Admin');
     await hasFullProjectAccess(viewerUser, projectName, true);
 });
+test('if user has two roles user has union of permissions from the two roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const firstRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
+    const secondRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 13,
+            name: 'UPDATE_PROJECT',
+        },
+    ]);
+    await accessService.setProjectRolesForUser(projectName, emptyUser.id, [
+        firstRole.id,
+        secondRole.id,
+    ]);
+    const assignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    const permissionNameSet = new Set(assignedPermissions.map((p) => p.permission));
+    expect(permissionNameSet.size).toBe(3);
+});
+test('calling set for user overwrites existing roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const firstRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
+    const secondRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 13,
+            name: 'UPDATE_PROJECT',
+        },
+    ]);
+    await accessService.setProjectRolesForUser(projectName, emptyUser.id, [
+        firstRole.id,
+        secondRole.id,
+    ]);
+    const assignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    const permissionNameSet = new Set(assignedPermissions.map((p) => p.permission));
+    expect(permissionNameSet.size).toBe(3);
+    await accessService.setProjectRolesForUser(projectName, emptyUser.id, [
+        firstRole.id,
+    ]);
+    const newAssignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(newAssignedPermissions.length).toBe(2);
+    expect(newAssignedPermissions).toContainEqual({
+        project: projectName,
+        permission: 'CREATE_FEATURE',
+    });
+    expect(newAssignedPermissions).toContainEqual({
+        project: projectName,
+        permission: 'DELETE_FEATURE',
+    });
+});
+test('if group has two roles user has union of permissions from the two roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const emptyGroup = await createGroup({
+        users: [{ user: emptyUser }],
+    });
+    const firstRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
+    const secondRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 13,
+            name: 'UPDATE_PROJECT',
+        },
+    ]);
+    await accessService.setProjectRolesForGroup(projectName, emptyGroup.id, [firstRole.id, secondRole.id], 'testusr');
+    const assignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    const permissionNameSet = new Set(assignedPermissions.map((p) => p.permission));
+    expect(permissionNameSet.size).toBe(3);
+});
+test('calling set for group overwrites existing roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const emptyGroup = await createGroup({
+        users: [{ user: emptyUser }],
+    });
+    const firstRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
+    const secondRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 13,
+            name: 'UPDATE_PROJECT',
+        },
+    ]);
+    await accessService.setProjectRolesForGroup(projectName, emptyGroup.id, [firstRole.id, secondRole.id], 'testusr');
+    const assignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    const permissionNameSet = new Set(assignedPermissions.map((p) => p.permission));
+    expect(permissionNameSet.size).toBe(3);
+    await accessService.setProjectRolesForGroup(projectName, emptyGroup.id, [firstRole.id], 'testusr');
+    const newAssignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(newAssignedPermissions.length).toBe(2);
+    expect(newAssignedPermissions).toContainEqual({
+        project: projectName,
+        permission: 'CREATE_FEATURE',
+    });
+    expect(newAssignedPermissions).toContainEqual({
+        project: projectName,
+        permission: 'DELETE_FEATURE',
+    });
+});
+test('group with root role can be assigned a project specific role', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const emptyGroup = await createGroup({
+        role: readRole.id,
+        users: [{ user: emptyUser }],
+    });
+    const firstRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+    ]);
+    await accessService.setProjectRolesForGroup(projectName, emptyGroup.id, [firstRole.id], 'testusr');
+    const assignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(assignedPermissions).toContainEqual({
+        project: projectName,
+        permission: 'CREATE_FEATURE',
+    });
+});
+test('calling add access with invalid project role ids should not assign those roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const adminRootRole = await accessService.getRoleByName(model_1.RoleName.ADMIN);
+    accessService.addAccessToProject([adminRootRole.id, 9999], [], [emptyUser.id], projectName, 'some-admin-user');
+    const newAssignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(newAssignedPermissions.length).toBe(0);
+});
+test('calling set roles for user with invalid project role ids should not assign those roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const adminRootRole = await accessService.getRoleByName(model_1.RoleName.ADMIN);
+    accessService.setProjectRolesForUser(projectName, emptyUser.id, [
+        adminRootRole.id,
+        9999,
+    ]);
+    const newAssignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(newAssignedPermissions.length).toBe(0);
+});
+test('calling set roles for user with empty role array removes all roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const role = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+    ]);
+    await accessService.setProjectRolesForUser(projectName, emptyUser.id, [
+        role.id,
+    ]);
+    const assignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(assignedPermissions.length).toBe(1);
+    await accessService.setProjectRolesForUser(projectName, emptyUser.id, []);
+    const newAssignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(newAssignedPermissions.length).toBe(0);
+});
+test('calling set roles for user with empty role array should not remove root roles', async () => {
+    const projectName = 'default';
+    const adminUser = await createUser(adminRole.id);
+    const firstRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
+    await accessService.setProjectRolesForUser(projectName, adminUser.id, [
+        firstRole.id,
+    ]);
+    const assignedPermissions = await accessService.getPermissionsForUser(adminUser);
+    expect(assignedPermissions.length).toBe(3);
+    await accessService.setProjectRolesForUser(projectName, adminUser.id, []);
+    const newAssignedPermissions = await accessService.getPermissionsForUser(adminUser);
+    expect(newAssignedPermissions.length).toBe(1);
+    expect(newAssignedPermissions[0].permission).toBe(permissions.ADMIN);
+});
+test('remove user access should remove all project roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const firstRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
+    const secondRole = await createRole([
+        {
+            id: 13,
+            name: 'UPDATE_PROJECT',
+        },
+    ]);
+    await accessService.setProjectRolesForUser(projectName, emptyUser.id, [
+        firstRole.id,
+        secondRole.id,
+    ]);
+    const assignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(assignedPermissions.length).toBe(3);
+    await accessService.removeUserAccess(projectName, emptyUser.id);
+    const newAssignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(newAssignedPermissions.length).toBe(0);
+});
+test('remove user access should remove all project roles, while leaving root roles untouched', async () => {
+    const projectName = 'default';
+    const adminUser = await createUser(adminRole.id);
+    const firstRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
+    const secondRole = await createRole([
+        {
+            id: 13,
+            name: 'UPDATE_PROJECT',
+        },
+    ]);
+    await accessService.setProjectRolesForUser(projectName, adminUser.id, [
+        firstRole.id,
+        secondRole.id,
+    ]);
+    const assignedPermissions = await accessService.getPermissionsForUser(adminUser);
+    expect(assignedPermissions.length).toBe(4);
+    await accessService.removeUserAccess(projectName, adminUser.id);
+    const newAssignedPermissions = await accessService.getPermissionsForUser(adminUser);
+    expect(newAssignedPermissions.length).toBe(1);
+    expect(newAssignedPermissions[0].permission).toBe(permissions.ADMIN);
+});
+test('calling set roles for group with invalid project role ids should not assign those roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const emptyGroup = await createGroup({
+        users: [{ user: emptyUser }],
+    });
+    const adminRootRole = await accessService.getRoleByName(model_1.RoleName.ADMIN);
+    accessService.setProjectRolesForGroup(projectName, emptyGroup.id, [adminRootRole.id, 9999], 'admin');
+    const newAssignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(newAssignedPermissions.length).toBe(0);
+});
+test('calling set roles for group with empty role array removes all roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const emptyGroup = await createGroup({
+        users: [{ user: emptyUser }],
+    });
+    const role = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+    ]);
+    await accessService.setProjectRolesForGroup(projectName, emptyGroup.id, [role.id], 'admin');
+    const assignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(assignedPermissions.length).toBe(1);
+    await accessService.setProjectRolesForGroup(projectName, emptyGroup.id, [], 'admin');
+    const newAssignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(newAssignedPermissions.length).toBe(0);
+});
+test('calling set roles for group with empty role array should not remove root roles', async () => {
+    const projectName = 'default';
+    const adminUser = await createUser(adminRole.id);
+    const group = await createGroup({
+        users: [{ user: adminUser }],
+    });
+    const role = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
+    await accessService.setProjectRolesForGroup(projectName, group.id, [role.id], 'admin');
+    const assignedPermissions = await accessService.getPermissionsForUser(adminUser);
+    expect(assignedPermissions.length).toBe(3);
+    await accessService.setProjectRolesForGroup(projectName, group.id, [], 'admin');
+    const newAssignedPermissions = await accessService.getPermissionsForUser(adminUser);
+    expect(newAssignedPermissions.length).toBe(1);
+    expect(newAssignedPermissions[0].permission).toBe(permissions.ADMIN);
+});
+test('remove group access should remove all project roles', async () => {
+    const projectName = 'default';
+    const emptyUser = await createUser();
+    const group = await createGroup({
+        users: [{ user: emptyUser }],
+    });
+    const firstRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
+    const secondRole = await createRole([
+        {
+            id: 13,
+            name: 'UPDATE_PROJECT',
+        },
+    ]);
+    await accessService.setProjectRolesForGroup(projectName, group.id, [firstRole.id, secondRole.id], 'admin');
+    const assignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(assignedPermissions.length).toBe(3);
+    await accessService.removeGroupAccess(projectName, group.id);
+    const newAssignedPermissions = await accessService.getPermissionsForUser(emptyUser);
+    expect(newAssignedPermissions.length).toBe(0);
+});
+test('remove group access should remove all project roles, while leaving root roles untouched', async () => {
+    const projectName = 'default';
+    const adminUser = await createUser(adminRole.id);
+    const group = await createGroup({
+        users: [{ user: adminUser }],
+    });
+    const firstRole = await createRole([
+        {
+            id: 2,
+            name: 'CREATE_FEATURE',
+        },
+        {
+            id: 8,
+            name: 'DELETE_FEATURE',
+        },
+    ]);
+    const secondRole = await createRole([
+        {
+            id: 13,
+            name: 'UPDATE_PROJECT',
+        },
+    ]);
+    await accessService.setProjectRolesForGroup(projectName, group.id, [firstRole.id, secondRole.id], 'admin');
+    const assignedPermissions = await accessService.getPermissionsForUser(adminUser);
+    expect(assignedPermissions.length).toBe(4);
+    await accessService.removeGroupAccess(projectName, group.id);
+    const newAssignedPermissions = await accessService.getPermissionsForUser(adminUser);
+    expect(newAssignedPermissions.length).toBe(1);
+    expect(newAssignedPermissions[0].permission).toBe(permissions.ADMIN);
+});
+test('access overview should have admin access and default project for admin user', async () => {
+    const email = 'a-person@places.com';
+    const { userStore } = stores;
+    const user = await userStore.insert({
+        name: 'Some User',
+        email,
+    });
+    await accessService.setUserRootRole(user.id, adminRole.id);
+    const accessOverView = await accessService.getUserAccessOverview();
+    const userAccess = accessOverView.find((overviewRow) => overviewRow.userId == user.id);
+    expect(userAccess.userId).toBe(user.id);
+    expect(userAccess.rootRole).toBe('Admin');
+    expect(userAccess.accessibleProjects).toStrictEqual(['default']);
+});
+test('access overview should have group access for groups that they are in', async () => {
+    const email = 'a-nother-person@places.com';
+    const { userStore } = stores;
+    const user = await userStore.insert({
+        name: 'Some Other User',
+        email,
+    });
+    await accessService.setUserRootRole(user.id, adminRole.id);
+    const group = await stores.groupStore.create({
+        name: 'Test Group',
+    });
+    await stores.groupStore.addUsersToGroup(group.id, [
+        {
+            user: {
+                id: user.id,
+            },
+        },
+    ], 'Admin');
+    const someGroupRole = await createRole([
+        {
+            id: 13,
+            name: 'UPDATE_PROJECT',
+        },
+    ]);
+    await accessService.addGroupToRole(group.id, someGroupRole.id, 'creator', 'default');
+    const accessOverView = await accessService.getUserAccessOverview();
+    const userAccess = accessOverView.find((overviewRow) => overviewRow.userId == user.id);
+    expect(userAccess.userId).toBe(user.id);
+    expect(userAccess.rootRole).toBe('Admin');
+    expect(userAccess.groups).toStrictEqual(['Test Group']);
+    expect(userAccess.groupProjects).toStrictEqual(['default']);
+});
 //# sourceMappingURL=access-service.e2e.test.js.map