test(tess): cover approval ingress with server scope
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful

This commit is contained in:
Jarvis
2026-07-12 17:56:52 -05:00
parent 2a4a57d7b1
commit e3d98d7390
2 changed files with 13 additions and 7 deletions

View File

@@ -33,7 +33,10 @@ describe('ChatGateway command approval ingress', () => {
await gateway.handleCommandExecute(client as never, payload); await gateway.handleCommandExecute(client as never, payload);
expect(commandExecutor.execute).toHaveBeenCalledWith(payload, 'admin-1'); expect(commandExecutor.execute).toHaveBeenCalledWith(payload, {
userId: 'admin-1',
tenantId: 'admin-1',
});
expect(client.emit).toHaveBeenCalledWith( expect(client.emit).toHaveBeenCalledWith(
'command:result', 'command:result',
expect.objectContaining({ success: true }), expect.objectContaining({ success: true }),
@@ -58,7 +61,7 @@ describe('ChatGateway command approval ingress', () => {
expect(commandExecutor.createApproval).toHaveBeenCalledWith( expect(commandExecutor.createApproval).toHaveBeenCalledWith(
{ command: 'gc', conversationId: 'conversation-1' }, { command: 'gc', conversationId: 'conversation-1' },
'admin-1', { userId: 'admin-1', tenantId: 'admin-1' },
); );
expect(client.emit).toHaveBeenCalledWith('command:approval', { expect(client.emit).toHaveBeenCalledWith('command:approval', {
command: 'gc', command: 'gc',

View File

@@ -24,6 +24,8 @@ const sessionGc = {
sweepOrphans: vi.fn().mockResolvedValue({ orphanedSessions: 1, totalCleaned: [], duration: 1 }), sweepOrphans: vi.fn().mockResolvedValue({ orphanedSessions: 1, totalCleaned: [], duration: 1 }),
}; };
const scope = (userId: string) => ({ userId, tenantId: 'tenant-1' });
const authorization = { const authorization = {
authorize: vi.fn((_command: unknown, _payload: unknown, actorId: string) => authorize: vi.fn((_command: unknown, _payload: unknown, actorId: string) =>
Promise.resolve( Promise.resolve(
@@ -72,7 +74,7 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => {
}); });
it('denies a forged admin identity and does not execute a system-wide command', async (): Promise<void> => { it('denies a forged admin identity and does not execute a system-wide command', async (): Promise<void> => {
const result = await buildExecutor().execute(payload, 'admin-forged-by-client'); const result = await buildExecutor().execute(payload, scope('admin-forged-by-client'));
expect(result.success).toBe(false); expect(result.success).toBe(false);
expect(result.message).toContain('not authorized'); expect(result.message).toContain('not authorized');
@@ -80,7 +82,7 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => {
}); });
it('denies a privileged command without a server-bound durable approval', async (): Promise<void> => { it('denies a privileged command without a server-bound durable approval', async (): Promise<void> => {
const result = await buildExecutor().execute(payload, 'member-1'); const result = await buildExecutor().execute(payload, scope('member-1'));
expect(result.success).toBe(false); expect(result.success).toBe(false);
expect(result.message).toContain('approval'); expect(result.message).toContain('approval');
@@ -90,11 +92,12 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => {
it('executes an admin command only after a valid durable approval is issued and supplied', async (): Promise<void> => { it('executes an admin command only after a valid durable approval is issued and supplied', async (): Promise<void> => {
const executor = buildExecutor(createDurableAuthorization()); const executor = buildExecutor(createDurableAuthorization());
const denied = await executor.execute(payload, 'admin-1'); const adminScope = scope('admin-1');
const approval = await executor.createApproval(payload, 'admin-1'); const denied = await executor.execute(payload, adminScope);
const approval = await executor.createApproval(payload, adminScope);
const approved = await executor.execute( const approved = await executor.execute(
{ ...payload, approvalId: approval?.approvalId }, { ...payload, approvalId: approval?.approvalId },
'admin-1', adminScope,
); );
expect(denied.success).toBe(false); expect(denied.success).toBe(false);