Mercurial Mercurial > prosody > prosody / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
spec/util_roles_spec.lua
author Kim Alvefur <zash@zash.se>
Sun, 24 Mar 2024 21:32:00 +0100
changeset 13468 2dbc169aae6a
parent 12758 a92ca737d05f
permissions -rw-r--r--
util.startup: Abort before initialization of logging when started as root Prevents creation of log files owned by the root user which could be inaccessible once started correctly.

describe("util.roles", function ()
	randomize(false);
	local roles;
	it("can be loaded", function ()
		roles = require "util.roles";
	end);
	local test_role;
	it("can create a new role", function ()
		test_role = roles.new();
		assert.is_not_nil(test_role);
		assert.is_truthy(roles.is_role(test_role));
	end);
	describe("role object", function ()
		it("can be initialized with permissions", function ()
			local test_role_2 = roles.new({
				permissions = {
					perm1 = true;
					perm2 = false;
				};
			});
			assert.truthy(test_role_2:may("perm1"));
			assert.falsy(test_role_2:may("perm2"));
		end);
		it("has a sensible tostring", function ()
			local test_role_2 = roles.new({
				id = "test-role-2";
				name = "Test Role 2";
			});
			assert.truthy(tostring(test_role_2):find(test_role_2.id, 1, true));
			assert.truthy(tostring(test_role_2):find("Test Role 2", 1, true));
		end);
		it("is restrictive by default", function ()
			assert.falsy(test_role:may("my-permission"));
		end);
		it("allows you to set permissions", function ()
			test_role:set_permission("my-permission", true);
			assert.truthy(test_role:may("my-permission"));
		end);
		it("allows you to set negative permissions", function ()
			test_role:set_permission("my-other-permission", false);
			assert.falsy(test_role:may("my-other-permission"));
		end);
		it("does not allows you to override previously set permissions by default", function ()
			local ok, err = test_role:set_permission("my-permission", false);
			assert.falsy(ok);
			assert.is_equal("policy-already-exists", err);
			-- Confirm old permission still in place
			assert.truthy(test_role:may("my-permission"));
		end);
		it("allows you to explicitly override previously set permissions", function ()
			assert.truthy(test_role:set_permission("my-permission", false, true));
			assert.falsy(test_role:may("my-permission"));
		end);
		describe("inheritance", function ()
			local child_role;
			it("works", function ()
				test_role:set_permission("inherited-permission", true);
				child_role = roles.new({
					inherits = { test_role };
				});
				assert.truthy(child_role:may("inherited-permission"));
				assert.falsy(child_role:may("my-permission"));
			end);
			it("allows listing policies", function ()
				local expected = {
					["my-permission"] = false;
					["my-other-permission"] = false;
					["inherited-permission"] = true;
				};
				local received = {};
				for permission_name, permission_policy in child_role:policies() do
					received[permission_name] = permission_policy;
				end
				assert.same(expected, received);
			end);
			it("supports multiple depths of inheritance", function ()
				local grandchild_role = roles.new({
					inherits = { child_role };
				});
				assert.truthy(grandchild_role:may("inherited-permission"));
			end);
			describe("supports ordered inheritance from multiple roles", function ()
				local parent_role = roles.new();
				local final_role = roles.new({
					-- Yes, the names are getting confusing.
					-- btw, test_role is inherited through child_role.
					inherits = { parent_role, child_role };
				});

				local test_cases = {
					-- { <final_role policy>, <parent_role policy>, <test_role policy> }
					{ true,   nil, false, result = true };
					{  nil, false,  true, result = false };
					{  nil,  true, false, result = true };
					{  nil,  nil,  false, result = false };
					{  nil,  nil,   true, result = true };
				};

				for n, test_case in ipairs(test_cases) do
					it("(case "..n..")", function ()
						local perm_name = ("multi-inheritance-perm-%d"):format(n);
						assert.truthy(final_role:set_permission(perm_name, test_case[1]));
						assert.truthy(parent_role:set_permission(perm_name, test_case[2]));
						assert.truthy(test_role:set_permission(perm_name, test_case[3]));
						assert.equal(test_case.result, final_role:may(perm_name));
					end);
				end
			end);
			it("updates child roles when parent roles change", function ()
				assert.truthy(child_role:may("inherited-permission"));
				assert.truthy(test_role:set_permission("inherited-permission", false, true));
				assert.falsy(child_role:may("inherited-permission"));
			end);
		end);
		describe("cloning", function ()
			local cloned_role;
			it("works", function ()
				assert.truthy(test_role:set_permission("perm-1", true));
				cloned_role = test_role:clone();
				assert.truthy(cloned_role:may("perm-1"));
			end);
			it("isolates changes", function ()
				-- After cloning, changes in either the original or the clone
				-- should not appear in the other.
				assert.truthy(test_role:set_permission("perm-1", false, true));
				assert.truthy(test_role:set_permission("perm-2", true));
				assert.truthy(cloned_role:set_permission("perm-3", true));
				assert.truthy(cloned_role:may("perm-1"));
				assert.falsy(cloned_role:may("perm-2"));
				assert.falsy(test_role:may("perm-3"));
			end);
		end);
	end);
end);
prosody