Adds API filter registry, style theme registry, SW bitmask cache clear, KV namespacing, session expiry checks, accessibility improvements, and expanded test coverage. Co-authored-by: Cursor <cursoragent@cursor.com>
import { describe, test } from 'node:test';
import assert from 'node:assert';
import { ApiSecurityPolicy } from '../src/security/policy/ApiSecurityPolicy.js';
import { Permit, Session, User } from '../src/security/model/index.js';
import { SECURITY_RIGHTS } from '../src/security/model/rights.js';
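describe('ApiSecurityPolicy permit evaluation', () => {
  /**
   * Build an `allow`/read permit on `/app` for the given principal.
   * Only the principal varies between cases so that any difference in the
   * evaluation outcome is attributable to principal matching alone.
   *
   * @param {string} principalType - 'user' or 'role'
   * @param {string} principalId - id of the user or role the permit is granted to
   * @returns {Permit}
   */
  const permitFor = (principalType, principalId) =>
    new Permit({
      principal_type: principalType,
      principal_id: principalId,
      resource_path: '/app',
      effect: 'allow',
      rights: SECURITY_RIGHTS.read
    });

  /**
   * Install `permits` directly into the policy cache and evaluate one request
   * for user-1. The cache is written directly so the test exercises the
   * matching logic only, not permit loading.
   *
   * @param {ApiSecurityPolicy} policy
   * @param {Permit[]} permits
   * @param {string} action
   * @param {string} path
   * @returns {{ allowed: boolean }} evaluation result (only `allowed` is asserted on)
   */
  const evaluateWith = (policy, permits, action, path) => {
    policy.cache.permits = permits;
    return policy.evaluateSync('user-1', action, path);
  };

  test('evaluateSync matches permits by principal, not path alone', () => {
    const policy = new ApiSecurityPolicy({});
    // user-1 holds exactly one role; a permit for any other role must not match.
    policy.cache.user = new User({ id: 'user-1', role_ids: ['role-a'] });
    policy.cache.session = new Session({ jwt_token: 'jwt-test' });

    // Right path, wrong user: a path-only match would wrongly grant access here.
    const denied = evaluateWith(policy, [permitFor('user', 'other-user')], 'read', '/app');
    assert.strictEqual(denied.allowed, false);

    // Same path, permit names the requesting user.
    const allowed = evaluateWith(policy, [permitFor('user', 'user-1')], 'read', '/app');
    assert.strictEqual(allowed.allowed, true);

    // Permit granted to a role the user holds.
    const roleAllowed = evaluateWith(policy, [permitFor('role', 'role-a')], 'read', '/app');
    assert.strictEqual(roleAllowed.allowed, true);

    // Permit granted to a role the user does NOT hold. Without this case a
    // policy that honoured every role permit regardless of the user's
    // role_ids would still pass the three checks above.
    const roleDenied = evaluateWith(policy, [permitFor('role', 'role-b')], 'read', '/app');
    assert.strictEqual(roleDenied.allowed, false);
  });
});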