90 lines
2.3 KiB
TypeScript
90 lines
2.3 KiB
TypeScript
import { describe, expect, it } from "vitest";
|
|
import { roleScopesAllow } from "./operator-scope-compat.js";
|
|
|
|
describe("roleScopesAllow", () => {
|
|
it("treats operator.read as satisfied by read/write/admin scopes", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.read"],
|
|
allowedScopes: ["operator.read"],
|
|
}),
|
|
).toBe(true);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.read"],
|
|
allowedScopes: ["operator.write"],
|
|
}),
|
|
).toBe(true);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.read"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(true);
|
|
});
|
|
|
|
it("treats operator.write as satisfied by write/admin scopes", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.write"],
|
|
allowedScopes: ["operator.write"],
|
|
}),
|
|
).toBe(true);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.write"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(true);
|
|
});
|
|
|
|
it("treats operator.approvals/operator.pairing as satisfied by operator.admin", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.approvals"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(true);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.pairing"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(true);
|
|
});
|
|
|
|
it("does not treat operator.admin as satisfying non-operator scopes", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["system.run"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(false);
|
|
});
|
|
|
|
it("uses strict matching for non-operator roles", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "node",
|
|
requestedScopes: ["system.run"],
|
|
allowedScopes: ["operator.admin", "system.run"],
|
|
}),
|
|
).toBe(true);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "node",
|
|
requestedScopes: ["system.run"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(false);
|
|
});
|
|
});
|