alkdev/operations
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ac28c9308cd1f3fc9f59ecc24bdb73bec5148c82
operations/test/call.test.ts
glm-5.1 ac28c9308c fix(checkAccess): deny access when resourceType set but identity.resources undefined 
The resource access check in checkAccess() was bypassed when identity.resources
was undefined because the condition  evaluated to false, falling through to .

Changed to  with an explicit
 check inside the block, implementing
default-deny semantics per ADR-006.

Added 7 test cases covering:
- undefined resources with resourceType set (denied)
- empty resources with resourceType set (denied)
- non-matching resource type (denied)
- matching type but wrong action (denied)
- matching type and action (granted)
- no resourceType/resourceAction set (granted)
- matching resources with extra scopes (granted)
2026-05-11 01:50:12 +00:00

255 lines
7.2 KiB
TypeScript
Raw Blame History

import { describe, it, expect } from "vitest";
import { PendingRequestMap, buildCallHandler } from "../src/call.js";
import { CallError, InfrastructureErrorCode } from "../src/error.js";
import { OperationRegistry } from "../src/registry.js";
import { Type } from "@alkdev/typebox";
import { OperationType } from "../src/types.js";
import type { Identity } from "../src/types.js";
describe("PendingRequestMap", () => {
it("creates instance without event target", () => {
const map = new PendingRequestMap();
expect(map.getPendingCount()).toBe(0);
});
it("creates instance with event target", () => {
const target = new EventTarget();
const map = new PendingRequestMap(target);
expect(map.getPendingCount()).toBe(0);
});
it("call() resolves when respond() is called", async () => {
const map = new PendingRequestMap();
const callPromise = map.call("test.op", { value: "hello" });
setTimeout(() => {
const requestId = [...map["requests"].keys()][0];
map.respond(requestId, { result: "world" });
}, 10);
const result = await callPromise;
expect(result).toEqual({ result: "world" });
});
it("call() rejects when emitError() is called", async () => {
const map = new PendingRequestMap();
const callPromise = map.call("test.op", { value: "hello" });
setTimeout(() => {
const requestId = [...map["requests"].keys()][0];
map.emitError(requestId, "CUSTOM_ERROR", "Something went wrong");
}, 10);
await expect(callPromise).rejects.toThrow("Something went wrong");
await expect(callPromise).rejects.toBeInstanceOf(CallError);
});
it("abort() rejects the pending call", async () => {
const map = new PendingRequestMap();
const callPromise = map.call("test.op", { value: "hello" });
setTimeout(() => {
const requestId = [...map["requests"].keys()][0];
map.abort(requestId);
}, 10);
await expect(callPromise).rejects.toThrow("was aborted");
await expect(callPromise).rejects.toBeInstanceOf(CallError);
});
it("call() with deadline times out", async () => {
const map = new PendingRequestMap();
const deadline = Date.now() + 50;
const callPromise = map.call("test.op", { value: "hello" }, { deadline });
await expect(callPromise).rejects.toThrow("timed out");
await expect(callPromise).rejects.toBeInstanceOf(CallError);
});
it("tracks pending requests", () => {
const map = new PendingRequestMap();
map.call("test.op1", {});
map.call("test.op2", {});
expect(map.getPendingCount()).toBe(2);
});
it("cleans up after call resolves", async () => {
const map = new PendingRequestMap();
const callPromise = map.call("test.op", { value: "hello" });
expect(map.getPendingCount()).toBe(1);
const requestId = [...map["requests"].keys()][0];
map.respond(requestId, { result: "done" });
await callPromise;
expect(map.getPendingCount()).toBe(0);
});
});
describe("checkAccess resource access control", () => {
function makeRegistry(accessControlOverrides: Record<string, unknown> = {}) {
const registry = new OperationRegistry();
registry.register({
name: "guarded",
namespace: "test",
version: "1.0.0",
type: OperationType.QUERY,
description: "guarded op",
inputSchema: Type.Object({}),
outputSchema: Type.Object({ ok: Type.Boolean() }),
accessControl: {
requiredScopes: [],
resourceType: "project",
resourceAction: "read",
...accessControlOverrides,
},
handler: async () => ({ ok: true }),
});
registry.register({
name: "open",
namespace: "test",
version: "1.0.0",
type: OperationType.QUERY,
description: "open op",
inputSchema: Type.Object({}),
outputSchema: Type.Object({ ok: Type.Boolean() }),
accessControl: {
requiredScopes: [],
},
handler: async () => ({ ok: true }),
});
return registry;
}
it("denies access when resourceType/resourceAction are set and identity.resources is undefined", async () => {
const registry = makeRegistry();
const handler = buildCallHandler({ registry });
const identity: Identity = { id: "user1", scopes: [] };
await expect(
handler({
requestId: "r1",
operationId: "test.guarded",
input: {},
identity,
}),
).rejects.toThrow("Access denied");
});
it("denies access when resourceType/resourceAction are set and identity.resources is empty", async () => {
const registry = makeRegistry();
const handler = buildCallHandler({ registry });
const identity: Identity = { id: "user1", scopes: [], resources: {} };
await expect(
handler({
requestId: "r1",
operationId: "test.guarded",
input: {},
identity,
}),
).rejects.toThrow("Access denied");
});
it("denies access when identity.resources has no matching resource type", async () => {
const registry = makeRegistry();
const handler = buildCallHandler({ registry });
const identity: Identity = {
id: "user1",
scopes: [],
resources: { "document:abc": ["read"] },
};
await expect(
handler({
requestId: "r1",
operationId: "test.guarded",
input: {},
identity,
}),
).rejects.toThrow("Access denied");
});
it("denies access when identity.resources has matching type but wrong action", async () => {
const registry = makeRegistry();
const handler = buildCallHandler({ registry });
const identity: Identity = {
id: "user1",
scopes: [],
resources: { "project:abc": ["write"] },
};
await expect(
handler({
requestId: "r1",
operationId: "test.guarded",
input: {},
identity,
}),
).rejects.toThrow("Access denied");
});
it("grants access when identity.resources has matching type and action", async () => {
const registry = makeRegistry();
const handler = buildCallHandler({ registry });
const identity: Identity = {
id: "user1",
scopes: [],
resources: { "project:abc": ["read"] },
};
await expect(
handler({
requestId: "r1",
operationId: "test.guarded",
input: {},
identity,
}),
).resolves.toBeUndefined();
});
it("grants access when neither resourceType nor resourceAction are set", async () => {
const registry = makeRegistry();
const handler = buildCallHandler({ registry });
const identity: Identity = { id: "user1", scopes: [] };
await expect(
handler({
requestId: "r1",
operationId: "test.open",
input: {},
identity,
}),
).resolves.toBeUndefined();
});
it("grants access when identity.resources matches and identity has no scopes required", async () => {
const registry = makeRegistry();
const handler = buildCallHandler({ registry });
const identity: Identity = {
id: "user1",
scopes: ["some:scope"],
resources: { "project:xyz": ["read", "write"] },
};
await expect(
handler({
requestId: "r1",
operationId: "test.guarded",
input: {},
identity,
}),
).resolves.toBeUndefined();
});
});
Reference in New Issue View Git Blame Copy Permalink