test(tess): cover approval ingress with server scope
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
This commit is contained in:
@@ -33,7 +33,10 @@ describe('ChatGateway command approval ingress', () => {
|
|||||||
|
|
||||||
await gateway.handleCommandExecute(client as never, payload);
|
await gateway.handleCommandExecute(client as never, payload);
|
||||||
|
|
||||||
expect(commandExecutor.execute).toHaveBeenCalledWith(payload, 'admin-1');
|
expect(commandExecutor.execute).toHaveBeenCalledWith(payload, {
|
||||||
|
userId: 'admin-1',
|
||||||
|
tenantId: 'admin-1',
|
||||||
|
});
|
||||||
expect(client.emit).toHaveBeenCalledWith(
|
expect(client.emit).toHaveBeenCalledWith(
|
||||||
'command:result',
|
'command:result',
|
||||||
expect.objectContaining({ success: true }),
|
expect.objectContaining({ success: true }),
|
||||||
@@ -58,7 +61,7 @@ describe('ChatGateway command approval ingress', () => {
|
|||||||
|
|
||||||
expect(commandExecutor.createApproval).toHaveBeenCalledWith(
|
expect(commandExecutor.createApproval).toHaveBeenCalledWith(
|
||||||
{ command: 'gc', conversationId: 'conversation-1' },
|
{ command: 'gc', conversationId: 'conversation-1' },
|
||||||
'admin-1',
|
{ userId: 'admin-1', tenantId: 'admin-1' },
|
||||||
);
|
);
|
||||||
expect(client.emit).toHaveBeenCalledWith('command:approval', {
|
expect(client.emit).toHaveBeenCalledWith('command:approval', {
|
||||||
command: 'gc',
|
command: 'gc',
|
||||||
|
|||||||
@@ -24,6 +24,8 @@ const sessionGc = {
|
|||||||
sweepOrphans: vi.fn().mockResolvedValue({ orphanedSessions: 1, totalCleaned: [], duration: 1 }),
|
sweepOrphans: vi.fn().mockResolvedValue({ orphanedSessions: 1, totalCleaned: [], duration: 1 }),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
const scope = (userId: string) => ({ userId, tenantId: 'tenant-1' });
|
||||||
|
|
||||||
const authorization = {
|
const authorization = {
|
||||||
authorize: vi.fn((_command: unknown, _payload: unknown, actorId: string) =>
|
authorize: vi.fn((_command: unknown, _payload: unknown, actorId: string) =>
|
||||||
Promise.resolve(
|
Promise.resolve(
|
||||||
@@ -72,7 +74,7 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('denies a forged admin identity and does not execute a system-wide command', async (): Promise<void> => {
|
it('denies a forged admin identity and does not execute a system-wide command', async (): Promise<void> => {
|
||||||
const result = await buildExecutor().execute(payload, 'admin-forged-by-client');
|
const result = await buildExecutor().execute(payload, scope('admin-forged-by-client'));
|
||||||
|
|
||||||
expect(result.success).toBe(false);
|
expect(result.success).toBe(false);
|
||||||
expect(result.message).toContain('not authorized');
|
expect(result.message).toContain('not authorized');
|
||||||
@@ -80,7 +82,7 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
it('denies a privileged command without a server-bound durable approval', async (): Promise<void> => {
|
it('denies a privileged command without a server-bound durable approval', async (): Promise<void> => {
|
||||||
const result = await buildExecutor().execute(payload, 'member-1');
|
const result = await buildExecutor().execute(payload, scope('member-1'));
|
||||||
|
|
||||||
expect(result.success).toBe(false);
|
expect(result.success).toBe(false);
|
||||||
expect(result.message).toContain('approval');
|
expect(result.message).toContain('approval');
|
||||||
@@ -90,11 +92,12 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => {
|
|||||||
it('executes an admin command only after a valid durable approval is issued and supplied', async (): Promise<void> => {
|
it('executes an admin command only after a valid durable approval is issued and supplied', async (): Promise<void> => {
|
||||||
const executor = buildExecutor(createDurableAuthorization());
|
const executor = buildExecutor(createDurableAuthorization());
|
||||||
|
|
||||||
const denied = await executor.execute(payload, 'admin-1');
|
const adminScope = scope('admin-1');
|
||||||
const approval = await executor.createApproval(payload, 'admin-1');
|
const denied = await executor.execute(payload, adminScope);
|
||||||
|
const approval = await executor.createApproval(payload, adminScope);
|
||||||
const approved = await executor.execute(
|
const approved = await executor.execute(
|
||||||
{ ...payload, approvalId: approval?.approvalId },
|
{ ...payload, approvalId: approval?.approvalId },
|
||||||
'admin-1',
|
adminScope,
|
||||||
);
|
);
|
||||||
|
|
||||||
expect(denied.success).toBe(false);
|
expect(denied.success).toBe(false);
|
||||||
|
|||||||
Reference in New Issue
Block a user