feat(rbac): role-based access control module (#14310)
This commit is contained in:
Carlos R. L. Rodrigues
committed by
GitHub
GitHub
parent
d6d7d14a6a
commit
1bfde8dc57
@@ -0,0 +1,285 @@
|
||||
import { medusaIntegrationTestRunner } from "@medusajs/test-utils"
|
||||
import {
|
||||
adminHeaders,
|
||||
createAdminUser,
|
||||
} from "../../../../helpers/create-admin-user"
|
||||
|
||||
jest.setTimeout(60000)
|
||||
|
||||
medusaIntegrationTestRunner({
|
||||
testSuite: ({ dbConnection, api, getContainer }) => {
|
||||
let container
|
||||
|
||||
beforeEach(async () => {
|
||||
container = getContainer()
|
||||
await createAdminUser(dbConnection, adminHeaders, container)
|
||||
})
|
||||
|
||||
describe("RBAC Policies - Admin API", () => {
|
||||
describe("POST /admin/rbac/policies", () => {
|
||||
it("should create a policy", async () => {
|
||||
const response = await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "read:products",
|
||||
resource: "product",
|
||||
operation: "read",
|
||||
name: "Read Products",
|
||||
description: "Permission to read products",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.policy).toEqual(
|
||||
expect.objectContaining({
|
||||
id: expect.any(String),
|
||||
key: "read:products",
|
||||
resource: "product",
|
||||
operation: "read",
|
||||
name: "Read Products",
|
||||
description: "Permission to read products",
|
||||
})
|
||||
)
|
||||
})
|
||||
|
||||
it("should create a policy with metadata", async () => {
|
||||
const response = await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "write:orders",
|
||||
resource: "order",
|
||||
operation: "write",
|
||||
name: "Write Orders",
|
||||
metadata: { category: "order_management" },
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.policy).toEqual(
|
||||
expect.objectContaining({
|
||||
key: "write:orders",
|
||||
resource: "order",
|
||||
operation: "write",
|
||||
metadata: { category: "order_management" },
|
||||
})
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe("GET /admin/rbac/policies", () => {
|
||||
beforeEach(async () => {
|
||||
await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "read:products",
|
||||
resource: "product",
|
||||
operation: "read",
|
||||
name: "Read Products",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "write:products",
|
||||
resource: "product",
|
||||
operation: "write",
|
||||
name: "Write Products",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "read:orders",
|
||||
resource: "order",
|
||||
operation: "read",
|
||||
name: "Read Orders",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
})
|
||||
|
||||
it("should list all policies", async () => {
|
||||
const response = await api.get("/admin/rbac/policies", adminHeaders)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.count).toEqual(3)
|
||||
expect(response.data.policies).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({
|
||||
key: "read:products",
|
||||
resource: "product",
|
||||
operation: "read",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
key: "write:products",
|
||||
resource: "product",
|
||||
operation: "write",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
key: "read:orders",
|
||||
resource: "order",
|
||||
operation: "read",
|
||||
}),
|
||||
])
|
||||
)
|
||||
})
|
||||
|
||||
it("should filter policies by resource", async () => {
|
||||
const response = await api.get(
|
||||
"/admin/rbac/policies?resource=product",
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.count).toEqual(2)
|
||||
expect(response.data.policies).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({
|
||||
key: "read:products",
|
||||
resource: "product",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
key: "write:products",
|
||||
resource: "product",
|
||||
}),
|
||||
])
|
||||
)
|
||||
})
|
||||
|
||||
it("should filter policies by operation", async () => {
|
||||
const response = await api.get(
|
||||
"/admin/rbac/policies?operation=read",
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.count).toEqual(2)
|
||||
expect(response.data.policies).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({
|
||||
key: "read:products",
|
||||
operation: "read",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
key: "read:orders",
|
||||
operation: "read",
|
||||
}),
|
||||
])
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe("GET /admin/rbac/policies/:id", () => {
|
||||
it("should retrieve a policy by id", async () => {
|
||||
const createResponse = await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "delete:users",
|
||||
resource: "user",
|
||||
operation: "delete",
|
||||
name: "Delete Users",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
const policyId = createResponse.data.policy.id
|
||||
|
||||
const response = await api.get(
|
||||
`/admin/rbac/policies/${policyId}`,
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.policy).toEqual(
|
||||
expect.objectContaining({
|
||||
id: policyId,
|
||||
key: "delete:users",
|
||||
resource: "user",
|
||||
operation: "delete",
|
||||
name: "Delete Users",
|
||||
})
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe("POST /admin/rbac/policies/:id", () => {
|
||||
it("should update a policy", async () => {
|
||||
const createResponse = await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "admin:system",
|
||||
resource: "system",
|
||||
operation: "admin",
|
||||
name: "System Admin",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
const policyId = createResponse.data.policy.id
|
||||
|
||||
const response = await api.post(
|
||||
`/admin/rbac/policies/${policyId}`,
|
||||
{
|
||||
name: "System Administrator",
|
||||
description: "Full system access",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.policy).toEqual(
|
||||
expect.objectContaining({
|
||||
id: policyId,
|
||||
key: "admin:system",
|
||||
name: "System Administrator",
|
||||
description: "Full system access",
|
||||
})
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe("DELETE /admin/rbac/policies/:id", () => {
|
||||
it("should delete a policy", async () => {
|
||||
const createResponse = await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "test:delete",
|
||||
resource: "test",
|
||||
operation: "delete",
|
||||
name: "Test Delete",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
const policyId = createResponse.data.policy.id
|
||||
|
||||
const deleteResponse = await api.delete(
|
||||
`/admin/rbac/policies/${policyId}`,
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(deleteResponse.status).toEqual(200)
|
||||
expect(deleteResponse.data).toEqual({
|
||||
id: policyId,
|
||||
object: "rbac_policy",
|
||||
deleted: true,
|
||||
})
|
||||
|
||||
const listResponse = await api.get(
|
||||
"/admin/rbac/policies",
|
||||
adminHeaders
|
||||
)
|
||||
expect(
|
||||
listResponse.data.policies.find((p) => p.id === policyId)
|
||||
).toBeUndefined()
|
||||
})
|
||||
})
|
||||
})
|
||||
},
|
||||
})
|
||||
384
integration-tests/http/__tests__/rbac/admin/rbac-roles.spec.ts
Normal file
384
integration-tests/http/__tests__/rbac/admin/rbac-roles.spec.ts
Normal file
@@ -0,0 +1,384 @@
|
||||
import { medusaIntegrationTestRunner } from "@medusajs/test-utils"
|
||||
import {
|
||||
adminHeaders,
|
||||
createAdminUser,
|
||||
} from "../../../../helpers/create-admin-user"
|
||||
|
||||
jest.setTimeout(60000)
|
||||
|
||||
medusaIntegrationTestRunner({
|
||||
testSuite: ({ dbConnection, api, getContainer }) => {
|
||||
let container
|
||||
|
||||
beforeEach(async () => {
|
||||
container = getContainer()
|
||||
await createAdminUser(dbConnection, adminHeaders, container)
|
||||
})
|
||||
|
||||
describe("RBAC Roles - Admin API", () => {
|
||||
describe("POST /admin/rbac/roles", () => {
|
||||
it("should create a role", async () => {
|
||||
const response = await api.post(
|
||||
"/admin/rbac/roles",
|
||||
{
|
||||
name: "Viewer",
|
||||
description: "Can view resources",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.role).toEqual(
|
||||
expect.objectContaining({
|
||||
id: expect.any(String),
|
||||
name: "Viewer",
|
||||
description: "Can view resources",
|
||||
})
|
||||
)
|
||||
})
|
||||
|
||||
it("should create a role with metadata", async () => {
|
||||
const response = await api.post(
|
||||
"/admin/rbac/roles",
|
||||
{
|
||||
name: "Editor",
|
||||
description: "Can edit resources",
|
||||
metadata: { department: "sales" },
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.role).toEqual(
|
||||
expect.objectContaining({
|
||||
name: "Editor",
|
||||
metadata: { department: "sales" },
|
||||
})
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe("GET /admin/rbac/roles", () => {
|
||||
beforeEach(async () => {
|
||||
await api.post(
|
||||
"/admin/rbac/roles",
|
||||
{
|
||||
name: "Viewer",
|
||||
description: "Can view resources",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
await api.post(
|
||||
"/admin/rbac/roles",
|
||||
{
|
||||
name: "Editor",
|
||||
description: "Can edit resources",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
await api.post(
|
||||
"/admin/rbac/roles",
|
||||
{
|
||||
name: "Admin",
|
||||
description: "Full access",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
})
|
||||
|
||||
it("should list all roles", async () => {
|
||||
const response = await api.get("/admin/rbac/roles", adminHeaders)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.count).toEqual(3)
|
||||
expect(response.data.roles).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({
|
||||
name: "Viewer",
|
||||
description: "Can view resources",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
name: "Editor",
|
||||
description: "Can edit resources",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
name: "Admin",
|
||||
description: "Full access",
|
||||
}),
|
||||
])
|
||||
)
|
||||
})
|
||||
|
||||
it("should filter roles by name", async () => {
|
||||
const response = await api.get(
|
||||
"/admin/rbac/roles?name=Viewer",
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.count).toEqual(1)
|
||||
expect(response.data.roles[0]).toEqual(
|
||||
expect.objectContaining({
|
||||
name: "Viewer",
|
||||
})
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe("GET /admin/rbac/roles/:id", () => {
|
||||
it("should retrieve a role by id", async () => {
|
||||
const createResponse = await api.post(
|
||||
"/admin/rbac/roles",
|
||||
{
|
||||
name: "Manager",
|
||||
description: "Can manage resources",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
const roleId = createResponse.data.role.id
|
||||
|
||||
const response = await api.get(
|
||||
`/admin/rbac/roles/${roleId}`,
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.role).toEqual(
|
||||
expect.objectContaining({
|
||||
id: roleId,
|
||||
name: "Manager",
|
||||
description: "Can manage resources",
|
||||
})
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe("POST /admin/rbac/roles/:id", () => {
|
||||
it("should update a role", async () => {
|
||||
const createResponse = await api.post(
|
||||
"/admin/rbac/roles",
|
||||
{
|
||||
name: "Support",
|
||||
description: "Support team",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
const roleId = createResponse.data.role.id
|
||||
|
||||
const response = await api.post(
|
||||
`/admin/rbac/roles/${roleId}`,
|
||||
{
|
||||
name: "Customer Support",
|
||||
description: "Customer support team with limited access",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.role).toEqual(
|
||||
expect.objectContaining({
|
||||
id: roleId,
|
||||
name: "Customer Support",
|
||||
description: "Customer support team with limited access",
|
||||
})
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe("DELETE /admin/rbac/roles/:id", () => {
|
||||
it("should delete a role", async () => {
|
||||
const createResponse = await api.post(
|
||||
"/admin/rbac/roles",
|
||||
{
|
||||
name: "Temporary",
|
||||
description: "Temporary role",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
const roleId = createResponse.data.role.id
|
||||
|
||||
const deleteResponse = await api.delete(
|
||||
`/admin/rbac/roles/${roleId}`,
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(deleteResponse.status).toEqual(200)
|
||||
expect(deleteResponse.data).toEqual({
|
||||
id: roleId,
|
||||
object: "rbac_role",
|
||||
deleted: true,
|
||||
})
|
||||
|
||||
const listResponse = await api.get("/admin/rbac/roles", adminHeaders)
|
||||
expect(
|
||||
listResponse.data.roles.find((r) => r.id === roleId)
|
||||
).toBeUndefined()
|
||||
})
|
||||
})
|
||||
|
||||
describe("Role Policies", () => {
|
||||
let policies
|
||||
let viewerRole
|
||||
let editorRole
|
||||
|
||||
beforeEach(async () => {
|
||||
const policy1 = await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "read:products",
|
||||
resource: "product",
|
||||
operation: "read",
|
||||
name: "Read Products",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
const policy2 = await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "write:products",
|
||||
resource: "product",
|
||||
operation: "write",
|
||||
name: "Write Products",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
const policy3 = await api.post(
|
||||
"/admin/rbac/policies",
|
||||
{
|
||||
key: "delete:products",
|
||||
resource: "product",
|
||||
operation: "delete",
|
||||
name: "Delete Products",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
policies = [
|
||||
policy1.data.policy,
|
||||
policy2.data.policy,
|
||||
policy3.data.policy,
|
||||
]
|
||||
|
||||
const viewer = await api.post(
|
||||
"/admin/rbac/roles",
|
||||
{
|
||||
name: "Product Viewer",
|
||||
description: "Can view products",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
viewerRole = viewer.data.role
|
||||
|
||||
const editor = await api.post(
|
||||
"/admin/rbac/roles",
|
||||
{
|
||||
name: "Product Editor",
|
||||
description: "Can edit products",
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
editorRole = editor.data.role
|
||||
})
|
||||
|
||||
it("should create role-policy associations", async () => {
|
||||
const response = await api.post(
|
||||
"/admin/rbac/role-policies",
|
||||
{
|
||||
role_id: viewerRole.id,
|
||||
scope_id: policies[0].id,
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.role_policy).toEqual(
|
||||
expect.objectContaining({
|
||||
role_id: viewerRole.id,
|
||||
scope_id: policies[0].id,
|
||||
})
|
||||
)
|
||||
})
|
||||
|
||||
it("should list role-policies for a specific role", async () => {
|
||||
await api.post(
|
||||
"/admin/rbac/role-policies",
|
||||
{
|
||||
role_id: viewerRole.id,
|
||||
scope_id: policies[0].id,
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
await api.post(
|
||||
"/admin/rbac/role-policies",
|
||||
{
|
||||
role_id: viewerRole.id,
|
||||
scope_id: policies[1].id,
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
const response = await api.get(
|
||||
`/admin/rbac/role-policies?role_id=${viewerRole.id}`,
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(response.status).toEqual(200)
|
||||
expect(response.data.count).toEqual(2)
|
||||
expect(response.data.role_policies).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({
|
||||
role_id: viewerRole.id,
|
||||
scope_id: policies[0].id,
|
||||
}),
|
||||
expect.objectContaining({
|
||||
role_id: viewerRole.id,
|
||||
scope_id: policies[1].id,
|
||||
}),
|
||||
])
|
||||
)
|
||||
})
|
||||
|
||||
it("should delete a role-policy association", async () => {
|
||||
const createResponse = await api.post(
|
||||
"/admin/rbac/role-policies",
|
||||
{
|
||||
role_id: editorRole.id,
|
||||
scope_id: policies[2].id,
|
||||
},
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
const rolePolicyId = createResponse.data.role_policy.id
|
||||
|
||||
const deleteResponse = await api.delete(
|
||||
`/admin/rbac/role-policies/${rolePolicyId}`,
|
||||
adminHeaders
|
||||
)
|
||||
|
||||
expect(deleteResponse.status).toEqual(200)
|
||||
expect(deleteResponse.data).toEqual({
|
||||
id: rolePolicyId,
|
||||
object: "rbac_role_policy",
|
||||
deleted: true,
|
||||
})
|
||||
|
||||
const listResponse = await api.get(
|
||||
`/admin/rbac/role-policies?role_id=${editorRole.id}`,
|
||||
adminHeaders
|
||||
)
|
||||
expect(
|
||||
listResponse.data.role_policies.find((rp) => rp.id === rolePolicyId)
|
||||
).toBeUndefined()
|
||||
})
|
||||
})
|
||||
})
|
||||
},
|
||||
})
|
||||
@@ -66,6 +66,9 @@ const modules = {
|
||||
resolve: "@medusajs/index",
|
||||
disable: process.env.ENABLE_INDEX_MODULE !== "true",
|
||||
},
|
||||
[Modules.RBAC]: {
|
||||
resolve: "@medusajs/rbac",
|
||||
},
|
||||
}
|
||||
|
||||
if (process.env.MEDUSA_FF_TRANSLATION === "true") {
|
||||
|
||||
516
integration-tests/modules/__tests__/rbac/rbac-workflows.spec.ts
Normal file
516
integration-tests/modules/__tests__/rbac/rbac-workflows.spec.ts
Normal file
@@ -0,0 +1,516 @@
|
||||
import {
|
||||
createRbacPoliciesWorkflow,
|
||||
createRbacRolesWorkflow,
|
||||
} from "@medusajs/core-flows"
|
||||
import { medusaIntegrationTestRunner } from "@medusajs/test-utils"
|
||||
import { IRbacModuleService, MedusaContainer } from "@medusajs/types"
|
||||
import { Modules } from "@medusajs/utils"
|
||||
|
||||
jest.setTimeout(50000)
|
||||
|
||||
medusaIntegrationTestRunner({
|
||||
env: {},
|
||||
testSuite: ({ getContainer }) => {
|
||||
describe("Workflows: RBAC", () => {
|
||||
let appContainer: MedusaContainer
|
||||
let rbacService: IRbacModuleService
|
||||
|
||||
beforeAll(async () => {
|
||||
appContainer = getContainer()
|
||||
rbacService = appContainer.resolve(Modules.RBAC)
|
||||
})
|
||||
|
||||
describe("Role Inheritance and Policy Management", () => {
|
||||
it("should create roles with inheritance and policies, then list all inherited policies", async () => {
|
||||
// Step 1: Create base policies
|
||||
const policiesWorkflow = createRbacPoliciesWorkflow(appContainer)
|
||||
const { result: createdPolicies } = await policiesWorkflow.run({
|
||||
input: {
|
||||
policies: [
|
||||
{
|
||||
key: "read:products",
|
||||
resource: "product",
|
||||
operation: "read",
|
||||
name: "Read Products",
|
||||
description: "Permission to read products",
|
||||
},
|
||||
{
|
||||
key: "write:products",
|
||||
resource: "product",
|
||||
operation: "write",
|
||||
name: "Write Products",
|
||||
description: "Permission to write products",
|
||||
},
|
||||
{
|
||||
key: "read:orders",
|
||||
resource: "order",
|
||||
operation: "read",
|
||||
name: "Read Orders",
|
||||
description: "Permission to read orders",
|
||||
},
|
||||
{
|
||||
key: "write:orders",
|
||||
resource: "order",
|
||||
operation: "write",
|
||||
name: "Write Orders",
|
||||
description: "Permission to write orders",
|
||||
},
|
||||
{
|
||||
key: "delete:users",
|
||||
resource: "user",
|
||||
operation: "delete",
|
||||
name: "Delete Users",
|
||||
description: "Permission to delete users",
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
|
||||
expect(createdPolicies).toHaveLength(5)
|
||||
|
||||
// Step 2: Create base roles with their policies
|
||||
const rolesWorkflow = createRbacRolesWorkflow(appContainer)
|
||||
|
||||
// Create "Viewer" role with read permissions
|
||||
const { result: viewerRoles } = await rolesWorkflow.run({
|
||||
input: {
|
||||
roles: [
|
||||
{
|
||||
name: "Viewer",
|
||||
description: "Can view products and orders",
|
||||
policy_ids: [
|
||||
createdPolicies[0].id, // read:products
|
||||
createdPolicies[2].id, // read:orders
|
||||
],
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
|
||||
expect(viewerRoles).toHaveLength(1)
|
||||
const viewerRole = viewerRoles[0]
|
||||
|
||||
// Create "Editor" role with write permissions
|
||||
const { result: editorRoles } = await rolesWorkflow.run({
|
||||
input: {
|
||||
roles: [
|
||||
{
|
||||
name: "Editor",
|
||||
description: "Can write products and orders",
|
||||
policy_ids: [
|
||||
createdPolicies[1].id, // write:products
|
||||
createdPolicies[3].id, // write:orders
|
||||
],
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
|
||||
expect(editorRoles).toHaveLength(1)
|
||||
const editorRole = editorRoles[0]
|
||||
|
||||
// Step 3: Create "Admin" role that inherits from both Viewer and Editor, plus additional permissions
|
||||
const { result: adminRoles } = await rolesWorkflow.run({
|
||||
input: {
|
||||
roles: [
|
||||
{
|
||||
name: "Admin",
|
||||
description:
|
||||
"Inherits from Viewer and Editor, plus can delete users",
|
||||
inherited_role_ids: [viewerRole.id, editorRole.id],
|
||||
policy_ids: [
|
||||
createdPolicies[4].id, // delete:users
|
||||
],
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
|
||||
expect(adminRoles).toHaveLength(1)
|
||||
const adminRole = adminRoles[0]
|
||||
|
||||
// Step 4: Verify role inheritance was created
|
||||
const inheritances = await rbacService.listRbacRoleInheritances({
|
||||
role_id: adminRole.id,
|
||||
})
|
||||
|
||||
expect(inheritances).toHaveLength(2)
|
||||
expect(inheritances).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({
|
||||
role_id: adminRole.id,
|
||||
inherited_role_id: viewerRole.id,
|
||||
}),
|
||||
expect.objectContaining({
|
||||
role_id: adminRole.id,
|
||||
inherited_role_id: editorRole.id,
|
||||
}),
|
||||
])
|
||||
)
|
||||
|
||||
// Step 5: Verify direct policies for Admin role
|
||||
const adminDirectPolicies = await rbacService.listRbacRolePolicies({
|
||||
role_id: adminRole.id,
|
||||
})
|
||||
|
||||
expect(adminDirectPolicies).toHaveLength(1)
|
||||
expect(adminDirectPolicies[0]).toEqual(
|
||||
expect.objectContaining({
|
||||
role_id: adminRole.id,
|
||||
scope_id: createdPolicies[4].id, // delete:users
|
||||
})
|
||||
)
|
||||
|
||||
// Step 6: List ALL policies for Admin role (including inherited)
|
||||
const allAdminPolicies = await rbacService.listPoliciesForRole(
|
||||
adminRole.id
|
||||
)
|
||||
|
||||
// Admin should have:
|
||||
// - read:products (from Viewer)
|
||||
// - read:orders (from Viewer)
|
||||
// - write:products (from Editor)
|
||||
// - write:orders (from Editor)
|
||||
// - delete:users (direct)
|
||||
expect(allAdminPolicies).toHaveLength(5)
|
||||
|
||||
const policyKeys = allAdminPolicies.map((p) => p.key).sort()
|
||||
expect(policyKeys).toEqual([
|
||||
"delete:users",
|
||||
"read:orders",
|
||||
"read:products",
|
||||
"write:orders",
|
||||
"write:products",
|
||||
])
|
||||
|
||||
// Verify each policy has correct details
|
||||
expect(allAdminPolicies).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({
|
||||
key: "read:products",
|
||||
resource: "product",
|
||||
operation: "read",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
key: "write:products",
|
||||
resource: "product",
|
||||
operation: "write",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
key: "read:orders",
|
||||
resource: "order",
|
||||
operation: "read",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
key: "write:orders",
|
||||
resource: "order",
|
||||
operation: "write",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
key: "delete:users",
|
||||
resource: "user",
|
||||
operation: "delete",
|
||||
}),
|
||||
])
|
||||
)
|
||||
|
||||
// Step 7: Verify Viewer role only has its direct policies
|
||||
const viewerPolicies = await rbacService.listPoliciesForRole(
|
||||
viewerRole.id
|
||||
)
|
||||
|
||||
expect(viewerPolicies).toHaveLength(2)
|
||||
expect(viewerPolicies).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({
|
||||
key: "read:products",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
key: "read:orders",
|
||||
}),
|
||||
])
|
||||
)
|
||||
|
||||
// Step 8: Verify Editor role only has its direct policies
|
||||
const editorPolicies = await rbacService.listPoliciesForRole(
|
||||
editorRole.id
|
||||
)
|
||||
|
||||
expect(editorPolicies).toHaveLength(2)
|
||||
expect(editorPolicies).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({
|
||||
key: "write:products",
|
||||
}),
|
||||
expect.objectContaining({
|
||||
key: "write:orders",
|
||||
}),
|
||||
])
|
||||
)
|
||||
})
|
||||
|
||||
it("should handle multi-level role inheritance", async () => {
|
||||
// Create policies
|
||||
const policiesWorkflow = createRbacPoliciesWorkflow(appContainer)
|
||||
const { result: policies } = await policiesWorkflow.run({
|
||||
input: {
|
||||
policies: [
|
||||
{
|
||||
key: "read:catalog",
|
||||
resource: "catalog",
|
||||
operation: "read",
|
||||
name: "Read Catalog",
|
||||
},
|
||||
{
|
||||
key: "write:catalog",
|
||||
resource: "catalog",
|
||||
operation: "write",
|
||||
name: "Write Catalog",
|
||||
},
|
||||
{
|
||||
key: "admin:system",
|
||||
resource: "system",
|
||||
operation: "admin",
|
||||
name: "System Admin",
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
|
||||
// Create role hierarchy: Basic -> Manager -> SuperAdmin
|
||||
const rolesWorkflow = createRbacRolesWorkflow(appContainer)
|
||||
|
||||
// Level 1: Basic role
|
||||
const { result: basicRoles } = await rolesWorkflow.run({
|
||||
input: {
|
||||
roles: [
|
||||
{
|
||||
name: "Basic User",
|
||||
description: "Basic read access",
|
||||
policy_ids: [policies[0].id], // read:catalog
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
const basicRole = basicRoles[0]
|
||||
|
||||
// Level 2: Manager inherits from Basic
|
||||
const { result: managerRoles } = await rolesWorkflow.run({
|
||||
input: {
|
||||
roles: [
|
||||
{
|
||||
name: "Manager",
|
||||
description: "Manager with write access",
|
||||
inherited_role_ids: [basicRole.id],
|
||||
policy_ids: [policies[1].id], // write:catalog
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
const managerRole = managerRoles[0]
|
||||
|
||||
// Level 3: SuperAdmin inherits from Manager
|
||||
const { result: superAdminRoles } = await rolesWorkflow.run({
|
||||
input: {
|
||||
roles: [
|
||||
{
|
||||
name: "SuperAdmin",
|
||||
description: "Super admin with all access",
|
||||
inherited_role_ids: [managerRole.id],
|
||||
policy_ids: [policies[2].id], // admin:system
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
const superAdminRole = superAdminRoles[0]
|
||||
|
||||
// Verify SuperAdmin has all policies through inheritance chain
|
||||
const superAdminPolicies = await rbacService.listPoliciesForRole(
|
||||
superAdminRole.id
|
||||
)
|
||||
|
||||
expect(superAdminPolicies).toHaveLength(3)
|
||||
expect(superAdminPolicies.map((p) => p.key).sort()).toEqual([
|
||||
"admin:system",
|
||||
"read:catalog",
|
||||
"write:catalog",
|
||||
])
|
||||
|
||||
// Verify Manager has policies from Basic + its own
|
||||
const managerPolicies = await rbacService.listPoliciesForRole(
|
||||
managerRole.id
|
||||
)
|
||||
|
||||
expect(managerPolicies).toHaveLength(2)
|
||||
expect(managerPolicies.map((p) => p.key).sort()).toEqual([
|
||||
"read:catalog",
|
||||
"write:catalog",
|
||||
])
|
||||
|
||||
// Verify Basic only has its own policy
|
||||
const basicPolicies = await rbacService.listPoliciesForRole(
|
||||
basicRole.id
|
||||
)
|
||||
|
||||
expect(basicPolicies).toHaveLength(1)
|
||||
expect(basicPolicies[0].key).toBe("read:catalog")
|
||||
})
|
||||
|
||||
it("should propagate policy deletion from inherited role", async () => {
|
||||
// Create policies
|
||||
const policiesWorkflow = createRbacPoliciesWorkflow(appContainer)
|
||||
const { result: policies } = await policiesWorkflow.run({
|
||||
input: {
|
||||
policies: [
|
||||
{
|
||||
key: "read:inventory",
|
||||
resource: "inventory",
|
||||
operation: "read",
|
||||
name: "Read Inventory",
|
||||
},
|
||||
{
|
||||
key: "write:inventory",
|
||||
resource: "inventory",
|
||||
operation: "write",
|
||||
name: "Write Inventory",
|
||||
},
|
||||
{
|
||||
key: "admin:inventory",
|
||||
resource: "inventory",
|
||||
operation: "admin",
|
||||
name: "Admin Inventory",
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
|
||||
// Create role hierarchy: Basic -> Manager -> SuperAdmin
|
||||
const rolesWorkflow = createRbacRolesWorkflow(appContainer)
|
||||
|
||||
// Level 1: Basic role with read permission
|
||||
const { result: basicRoles } = await rolesWorkflow.run({
|
||||
input: {
|
||||
roles: [
|
||||
{
|
||||
name: "Basic Inventory User",
|
||||
description: "Basic inventory read access",
|
||||
policy_ids: [policies[0].id], // read:inventory
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
const basicRole = basicRoles[0]
|
||||
|
||||
// Level 2: Manager inherits from Basic + write permission
|
||||
const { result: managerRoles } = await rolesWorkflow.run({
|
||||
input: {
|
||||
roles: [
|
||||
{
|
||||
name: "Inventory Manager",
|
||||
description: "Manager with write access",
|
||||
inherited_role_ids: [basicRole.id],
|
||||
policy_ids: [policies[1].id], // write:inventory
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
const managerRole = managerRoles[0]
|
||||
|
||||
// Level 3: SuperAdmin inherits from Manager + admin permission
|
||||
const { result: superAdminRoles } = await rolesWorkflow.run({
|
||||
input: {
|
||||
roles: [
|
||||
{
|
||||
name: "Inventory SuperAdmin",
|
||||
description: "Super admin with all access",
|
||||
inherited_role_ids: [managerRole.id],
|
||||
policy_ids: [policies[2].id], // admin:inventory
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
const superAdminRole = superAdminRoles[0]
|
||||
|
||||
// Verify initial state: SuperAdmin has all 3 policies
|
||||
let superAdminPolicies = await rbacService.listPoliciesForRole(
|
||||
superAdminRole.id
|
||||
)
|
||||
expect(superAdminPolicies).toHaveLength(3)
|
||||
expect(superAdminPolicies.map((p) => p.key).sort()).toEqual([
|
||||
"admin:inventory",
|
||||
"read:inventory",
|
||||
"write:inventory",
|
||||
])
|
||||
|
||||
// Verify Manager has 2 policies (Basic's + its own)
|
||||
let managerPolicies = await rbacService.listPoliciesForRole(
|
||||
managerRole.id
|
||||
)
|
||||
expect(managerPolicies).toHaveLength(2)
|
||||
expect(managerPolicies.map((p) => p.key).sort()).toEqual([
|
||||
"read:inventory",
|
||||
"write:inventory",
|
||||
])
|
||||
|
||||
// Delete the read:inventory policy from Basic role
|
||||
const basicRolePolicies = await rbacService.listRbacRolePolicies({
|
||||
role_id: basicRole.id,
|
||||
})
|
||||
const readPolicyAssociation = basicRolePolicies.find(
|
||||
(rp) => rp.scope_id === policies[0].id
|
||||
)
|
||||
await rbacService.deleteRbacRolePolicies([readPolicyAssociation!.id])
|
||||
|
||||
// Verify Basic role no longer has the read policy
|
||||
const basicPoliciesAfterDelete =
|
||||
await rbacService.listPoliciesForRole(basicRole.id)
|
||||
expect(basicPoliciesAfterDelete).toHaveLength(0)
|
||||
|
||||
// Verify Manager role no longer inherits the read policy
|
||||
managerPolicies = await rbacService.listPoliciesForRole(
|
||||
managerRole.id
|
||||
)
|
||||
expect(managerPolicies).toHaveLength(1)
|
||||
expect(managerPolicies[0].key).toBe("write:inventory")
|
||||
|
||||
// Verify SuperAdmin role also lost the read policy through inheritance chain
|
||||
superAdminPolicies = await rbacService.listPoliciesForRole(
|
||||
superAdminRole.id
|
||||
)
|
||||
expect(superAdminPolicies).toHaveLength(2)
|
||||
expect(superAdminPolicies.map((p) => p.key).sort()).toEqual([
|
||||
"admin:inventory",
|
||||
"write:inventory",
|
||||
])
|
||||
})
|
||||
|
||||
it("should handle role with no inherited roles or policies", async () => {
|
||||
const rolesWorkflow = createRbacRolesWorkflow(appContainer)
|
||||
|
||||
const { result: emptyRoles } = await rolesWorkflow.run({
|
||||
input: {
|
||||
roles: [
|
||||
{
|
||||
name: "Empty Role",
|
||||
description: "Role with no permissions",
|
||||
},
|
||||
],
|
||||
},
|
||||
})
|
||||
|
||||
const emptyRole = emptyRoles[0]
|
||||
|
||||
// Verify no policies
|
||||
const policies = await rbacService.listPoliciesForRole(emptyRole.id)
|
||||
expect(policies).toHaveLength(0)
|
||||
|
||||
// Verify no inheritance
|
||||
const inheritances = await rbacService.listRbacRoleInheritances({
|
||||
role_id: emptyRole.id,
|
||||
})
|
||||
expect(inheritances).toHaveLength(0)
|
||||
})
|
||||
})
|
||||
})
|
||||
},
|
||||
})
|
||||
@@ -189,5 +189,9 @@ module.exports = defineConfig({
|
||||
key: "brand",
|
||||
resolve: "src/modules/brand",
|
||||
},
|
||||
{
|
||||
key: Modules.RBAC,
|
||||
resolve: "@medusajs/rbac",
|
||||
},
|
||||
],
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user