unleash.unleash/src/lib/middleware/rbac-middleware.test.ts

import rbacMiddleware from './rbac-middleware';
import User from '../types/user';
import * as perms from '../types/permissions';
import { IUnleashConfig } from '../types/option';
import { createTestConfig } from '../../test/config/test-config';
import ApiUser from '../types/api-user';
import { IFeatureToggleStore } from '../types/stores/feature-toggle-store';
import FakeFeatureToggleStore from '../../test/fixtures/fake-feature-toggle-store';
import { ApiTokenType } from '../types/models/api-token';

let config: IUnleashConfig;
let featureToggleStore: IFeatureToggleStore;

beforeEach(() => {
    featureToggleStore = new FakeFeatureToggleStore();
    config = createTestConfig();
});

test('should add checkRbac to request', () => {
    const accessService = {
        hasPermission: jest.fn(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = jest.fn();

    const req = jest.fn();

    func(req, undefined, cb);

    // @ts-ignore
    expect(req.checkRbac).toBeTruthy();
    // @ts-ignore
    expect(typeof req.checkRbac).toBe('function');
});

test('should give api-user ADMIN permission', async () => {
    const accessService = {
        hasPermission: jest.fn(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = jest.fn();
    const req: any = {
        user: new ApiUser({
            tokenName: 'api',
            permissions: [perms.ADMIN],
            project: '*',
            environment: '*',
            type: ApiTokenType.ADMIN,
            secret: 'a',
        }),
    };

    func(req, undefined, cb);

    const hasAccess = await req.checkRbac(perms.ADMIN);

    expect(hasAccess).toBe(true);
});

test('should not give api-user ADMIN permission', async () => {
    const accessService = {
        hasPermission: jest.fn(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = jest.fn();
    const req: any = {
        user: new ApiUser({
            tokenName: 'api',
            permissions: [perms.CLIENT],
            project: '*',
            environment: '*',
            type: ApiTokenType.CLIENT,
            secret: 'a',
        }),
    };

    func(req, undefined, cb);

    const hasAccess = await req.checkRbac(perms.ADMIN);

    expect(hasAccess).toBe(false);
    expect(accessService.hasPermission).toHaveBeenCalledTimes(0);
});

test('should not allow user to miss userId', async () => {
    jest.spyOn(global.console, 'error').mockImplementation(() => jest.fn());
    const accessService = {
        hasPermission: jest.fn(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = jest.fn();
    const req: any = {
        user: {
            username: 'user',
        },
    };

    func(req, undefined, cb);

    const hasAccess = await req.checkRbac(perms.ADMIN);

    expect(hasAccess).toBe(false);
});

test('should return false for missing user', async () => {
    jest.spyOn(global.console, 'error').mockImplementation(() => jest.fn());
    const accessService = {
        hasPermission: jest.fn(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = jest.fn();
    const req: any = {};

    func(req, undefined, cb);

    const hasAccess = await req.checkRbac(perms.ADMIN);

    expect(hasAccess).toBe(false);
    expect(accessService.hasPermission).toHaveBeenCalledTimes(0);
});

test('should verify permission for root resource', async () => {
    const accessService = {
        hasPermission: jest.fn(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = jest.fn();
    const req: any = {
        user: new User({
            username: 'user',
            id: 1,
        }),
        params: {},
    };

    func(req, undefined, cb);

    await req.checkRbac(perms.ADMIN);

    expect(accessService.hasPermission).toHaveBeenCalledTimes(1);
    expect(accessService.hasPermission).toHaveBeenCalledWith(
        req.user,
        perms.ADMIN,
        undefined,
        undefined,
    );
});

test('should lookup projectId from params', async () => {
    const accessService = {
        hasPermission: jest.fn(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = jest.fn();
    const req: any = {
        user: new User({
            username: 'user',
            id: 1,
        }),
        params: {
            projectId: 'some-proj',
        },
    };

    func(req, undefined, cb);

    await req.checkRbac(perms.UPDATE_PROJECT);

    expect(accessService.hasPermission).toHaveBeenCalledWith(
        req.user,
        perms.UPDATE_PROJECT,
        req.params.projectId,
        undefined,
    );
});

test('should lookup projectId from feature toggle', async () => {
    const projectId = 'some-project-33';
    const featureName = 'some-feature-toggle';

    const accessService = {
        hasPermission: jest.fn(),
    };

    featureToggleStore.getProjectId = jest.fn().mockReturnValue(projectId);

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = jest.fn();
    const req: any = {
        user: new User({
            username: 'user',
            id: 1,
        }),
        params: {
            featureName,
        },
    };

    func(req, undefined, cb);

    await req.checkRbac(perms.UPDATE_FEATURE);

    expect(accessService.hasPermission).toHaveBeenCalledWith(
        req.user,
        perms.UPDATE_FEATURE,
        projectId,
        undefined,
    );
});

test('should lookup projectId from data', async () => {
    const projectId = 'some-project-33';
    const featureName = 'some-feature-toggle';

    const accessService = {
        hasPermission: jest.fn(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = jest.fn();
    const req: any = {
        user: new User({
            username: 'user',
            id: 1,
        }),
        params: {},
        body: {
            featureName,
            project: projectId,
        },
    };

    func(req, undefined, cb);

    await req.checkRbac(perms.CREATE_FEATURE);

    expect(accessService.hasPermission).toHaveBeenCalledWith(
        req.user,
        perms.CREATE_FEATURE,
        projectId,
        undefined,
    );
});

test('Does not double check permission if not changing project when updating toggle', async () => {
    const oldProjectId = 'some-project-34';
    const featureName = 'some-feature-toggle';
    const accessService = {
        hasPermission: jest.fn().mockReturnValue(true),
    };
    featureToggleStore.getProjectId = jest.fn().mockReturnValue(oldProjectId);

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);
    const cb = jest.fn();
    const req: any = {
        user: new User({ username: 'user', id: 1 }),
        params: { featureName },
        body: { featureName, project: oldProjectId },
    };
    func(req, undefined, cb);

    await req.checkRbac(perms.UPDATE_FEATURE);
    expect(accessService.hasPermission).toHaveBeenCalledTimes(1);
    expect(accessService.hasPermission).toHaveBeenCalledWith(
        req.user,
        perms.UPDATE_FEATURE,
        oldProjectId,
        undefined,
    );
});

test('UPDATE_TAG_TYPE does not need projectId', async () => {
    const accessService = {
        hasPermission: jest.fn().mockReturnValue(true),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);
    const cb = jest.fn();
    const req: any = {
        user: new User({ username: 'user', id: 1 }),
        params: {},
        body: { name: 'new-tag-type', description: 'New tag type for testing' },
    };
    func(req, undefined, cb);

    await req.checkRbac(perms.UPDATE_TAG_TYPE);
    expect(accessService.hasPermission).toHaveBeenCalledTimes(1);
    expect(accessService.hasPermission).toHaveBeenCalledWith(
        req.user,
        perms.UPDATE_TAG_TYPE,
        undefined,
        undefined,
    );
});

test('DELETE_TAG_TYPE does not need projectId', async () => {
    const accessService = {
        hasPermission: jest.fn().mockReturnValue(true),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);
    const cb = jest.fn();
    const req: any = {
        user: new User({ username: 'user', id: 1 }),
        params: {},
        body: { name: 'new-tag-type', description: 'New tag type for testing' },
    };
    func(req, undefined, cb);

    await req.checkRbac(perms.DELETE_TAG_TYPE);
    expect(accessService.hasPermission).toHaveBeenCalledTimes(1);
    expect(accessService.hasPermission).toHaveBeenCalledWith(
        req.user,
        perms.DELETE_TAG_TYPE,
        undefined,
        undefined,
    );
});

test('should not expect featureName for UPDATE_FEATURE when projectId specified', async () => {
    const projectId = 'some-project-33';

    const accessService = {
        hasPermission: jest.fn(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = jest.fn();
    const req: any = {
        user: new User({
            username: 'user',
            id: 1,
        }),
        params: {},
        body: {
            project: projectId,
        },
    };

    func(req, undefined, cb);

    await req.checkRbac(perms.UPDATE_FEATURE);

    expect(accessService.hasPermission).toHaveBeenCalledWith(
        req.user,
        perms.UPDATE_FEATURE,
        projectId,
        undefined,
    );
});