mirror of
https://github.com/Unleash/unleash.git
synced 2024-10-23 20:07:40 +02:00
0c78980502
* wip: environment for permissions * fix: add migration for roles * fix: connect environment with access service * feat: add tests * chore: Implement scaffolding for new rbac * fix: add fake store * feat: Add api endpoints for roles and permissions list * feat: Add ability to provide permissions when creating a role and rename environmentName to name in the list permissions datastructure * fix: Make project roles resolve correctly against new environments permissions structure * fix: Patch migration to also populate permission names * fix: Make permissions actually work with new environments * fix: Add back to get permissions working for editor role * fix: Removed ability to set role type through api during creation - it's now always custom * feat: Return permissions on get role endpoint * feat: Add in support for updating roles * fix: Get a bunch of tests working and delete a few that make no sense anymore * chore: A few small cleanups - remove logging and restore default on dev server config * chore: Refactor role/access stores into more logical domains * feat: Add in validation for roles * feat: Patch db migration to handle old stucture * fix: migration for project roles * fix: patch a few broken tests * fix: add permissions to editor * fix: update test name * fix: update user permission mapping * fix: create new user * fix: update root role test * fix: update tests * feat: Validation now works when updating a role * fix: Add in very barebones down migration for rbac so that tests work * fix: Improve responses from role resolution - getting a non existant role will throw a NotFound error * fix: remove unused permissions * fix: add test for connecting roles and deleting project * fix: add test for adding a project member with a custom role * fix: add test for changing user role * fix: add guard for deleting role if the role is in use * fix: alter migration * chore: Minor code cleanups * chore: Small code cleanups * chore: More minor cleanups of code * chore: Trim some dead code to make the linter happy * feat: Schema validation for roles * fix: setup permission for variant * fix: remove unused import * feat: Add cascading delete for role_permissions when deleting a role * feat: add configuration option for disabling legacy api * chore: update frontend to beta version * 4.6.0-beta.0 * fix: export default project constant * fix: update snapshot * fix: module pattern ../../lib * fix: move DEFAULT_PROJECT to types * fix: remove debug logging * fix: remove debug log state * fix: Change permission descriptions * fix: roles should have unique name * fix: root roles should be connected to the default project * fix: typo in role-schema.ts * fix: Role permission empty string for non environment type * feat: new permission for moving project * fix: add event for changeProject * fix: Removing a user from a project will now check to see if that project has an owner, rather than checking if any project has an owner * fix: add tests for move project * fix: Add in missing create/delete tag permissions * fix: Removed duplicate impl caused by multiple good samaritans putting it back in! * fix: Trim out add tag permissions, for now at least * chore: Trim out new add and delete tag permissions - we're going with update feature instead * chore: update frontend * 4.6.0-beta.1 * feat: Prevent editing of built in roles * fix: Patch an issue where permissions for variants/environments didn't match the front end * fix: lint Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com>
778 lines
23 KiB
TypeScript
778 lines
23 KiB
TypeScript
import dbInit, { ITestDb } from '../helpers/database-init';
|
|
import getLogger from '../../fixtures/no-logger';
|
|
|
|
// eslint-disable-next-line import/no-unresolved
|
|
import {
|
|
AccessService,
|
|
ALL_PROJECTS,
|
|
} from '../../../lib/services/access-service';
|
|
|
|
import * as permissions from '../../../lib/types/permissions';
|
|
import { RoleName } from '../../../lib/types/model';
|
|
import { IUnleashStores } from '../../../lib/types';
|
|
import FeatureToggleService from '../../../lib/services/feature-toggle-service';
|
|
import ProjectService from '../../../lib/services/project-service';
|
|
import { createTestConfig } from '../../config/test-config';
|
|
|
|
let db: ITestDb;
|
|
let stores: IUnleashStores;
|
|
let accessService;
|
|
let featureToggleService;
|
|
let projectService;
|
|
let editorUser;
|
|
let superUser;
|
|
let editorRole;
|
|
let adminRole;
|
|
let readRole;
|
|
|
|
const createUserEditorAccess = async (name, email) => {
|
|
const { userStore } = stores;
|
|
const user = await userStore.insert({ name, email });
|
|
await accessService.addUserToRole(user.id, editorRole.id, 'default');
|
|
return user;
|
|
};
|
|
|
|
const createUserViewerAccess = async (name, email) => {
|
|
const { userStore } = stores;
|
|
const user = await userStore.insert({ name, email });
|
|
await accessService.addUserToRole(user.id, readRole.id, ALL_PROJECTS);
|
|
return user;
|
|
};
|
|
|
|
const hasCommonProjectAccess = async (user, projectName, condition) => {
|
|
const defaultEnv = 'default';
|
|
const developmentEnv = 'development';
|
|
const productionEnv = 'production';
|
|
|
|
const {
|
|
CREATE_FEATURE,
|
|
UPDATE_FEATURE,
|
|
DELETE_FEATURE,
|
|
CREATE_FEATURE_STRATEGY,
|
|
UPDATE_FEATURE_STRATEGY,
|
|
DELETE_FEATURE_STRATEGY,
|
|
UPDATE_FEATURE_ENVIRONMENT,
|
|
UPDATE_FEATURE_VARIANTS,
|
|
} = permissions;
|
|
expect(
|
|
await accessService.hasPermission(user, CREATE_FEATURE, projectName),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(user, UPDATE_FEATURE, projectName),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(user, DELETE_FEATURE, projectName),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
UPDATE_FEATURE_VARIANTS,
|
|
projectName,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
CREATE_FEATURE_STRATEGY,
|
|
projectName,
|
|
defaultEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
UPDATE_FEATURE_STRATEGY,
|
|
projectName,
|
|
defaultEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
DELETE_FEATURE_STRATEGY,
|
|
projectName,
|
|
defaultEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
UPDATE_FEATURE_ENVIRONMENT,
|
|
projectName,
|
|
defaultEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
CREATE_FEATURE_STRATEGY,
|
|
projectName,
|
|
developmentEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
UPDATE_FEATURE_STRATEGY,
|
|
projectName,
|
|
developmentEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
DELETE_FEATURE_STRATEGY,
|
|
projectName,
|
|
developmentEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
UPDATE_FEATURE_ENVIRONMENT,
|
|
projectName,
|
|
developmentEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
CREATE_FEATURE_STRATEGY,
|
|
projectName,
|
|
productionEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
UPDATE_FEATURE_STRATEGY,
|
|
projectName,
|
|
productionEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
DELETE_FEATURE_STRATEGY,
|
|
projectName,
|
|
productionEnv,
|
|
),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
UPDATE_FEATURE_ENVIRONMENT,
|
|
projectName,
|
|
productionEnv,
|
|
),
|
|
).toBe(condition);
|
|
};
|
|
|
|
const hasFullProjectAccess = async (user, projectName, condition) => {
|
|
const { DELETE_PROJECT, UPDATE_PROJECT, MOVE_FEATURE_TOGGLE } = permissions;
|
|
|
|
expect(
|
|
await accessService.hasPermission(user, DELETE_PROJECT, projectName),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(user, UPDATE_PROJECT, projectName),
|
|
).toBe(condition);
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
MOVE_FEATURE_TOGGLE,
|
|
projectName,
|
|
),
|
|
);
|
|
hasCommonProjectAccess(user, projectName, condition);
|
|
};
|
|
|
|
const createSuperUser = async () => {
|
|
const { userStore } = stores;
|
|
const user = await userStore.insert({
|
|
name: 'Alice Admin',
|
|
email: 'admin@getunleash.io',
|
|
});
|
|
await accessService.addUserToRole(user.id, adminRole.id, ALL_PROJECTS);
|
|
return user;
|
|
};
|
|
|
|
beforeAll(async () => {
|
|
db = await dbInit('access_service_serial', getLogger);
|
|
stores = db.stores;
|
|
// projectStore = stores.projectStore;
|
|
const config = createTestConfig({
|
|
getLogger,
|
|
// @ts-ignore
|
|
experimental: { environments: { enabled: true } },
|
|
});
|
|
accessService = new AccessService(stores, { getLogger });
|
|
const roles = await accessService.getRootRoles();
|
|
editorRole = roles.find((r) => r.name === RoleName.EDITOR);
|
|
adminRole = roles.find((r) => r.name === RoleName.ADMIN);
|
|
readRole = roles.find((r) => r.name === RoleName.VIEWER);
|
|
featureToggleService = new FeatureToggleService(stores, config);
|
|
projectService = new ProjectService(
|
|
stores,
|
|
config,
|
|
accessService,
|
|
featureToggleService,
|
|
);
|
|
|
|
editorUser = await createUserEditorAccess('Bob Test', 'bob@getunleash.io');
|
|
superUser = await createSuperUser();
|
|
});
|
|
|
|
afterAll(async () => {
|
|
await db.destroy();
|
|
});
|
|
|
|
test('should have access to admin addons', async () => {
|
|
const { CREATE_ADDON, UPDATE_ADDON, DELETE_ADDON } = permissions;
|
|
const user = editorUser;
|
|
expect(await accessService.hasPermission(user, CREATE_ADDON)).toBe(true);
|
|
expect(await accessService.hasPermission(user, UPDATE_ADDON)).toBe(true);
|
|
expect(await accessService.hasPermission(user, DELETE_ADDON)).toBe(true);
|
|
});
|
|
|
|
test('should have access to admin strategies', async () => {
|
|
const { CREATE_STRATEGY, UPDATE_STRATEGY, DELETE_STRATEGY } = permissions;
|
|
const user = editorUser;
|
|
expect(await accessService.hasPermission(user, CREATE_STRATEGY)).toBe(true);
|
|
expect(await accessService.hasPermission(user, UPDATE_STRATEGY)).toBe(true);
|
|
expect(await accessService.hasPermission(user, DELETE_STRATEGY)).toBe(true);
|
|
});
|
|
|
|
test('should have access to admin contexts', async () => {
|
|
const { CREATE_CONTEXT_FIELD, UPDATE_CONTEXT_FIELD, DELETE_CONTEXT_FIELD } =
|
|
permissions;
|
|
const user = editorUser;
|
|
expect(await accessService.hasPermission(user, CREATE_CONTEXT_FIELD)).toBe(
|
|
true,
|
|
);
|
|
expect(await accessService.hasPermission(user, UPDATE_CONTEXT_FIELD)).toBe(
|
|
true,
|
|
);
|
|
expect(await accessService.hasPermission(user, DELETE_CONTEXT_FIELD)).toBe(
|
|
true,
|
|
);
|
|
});
|
|
|
|
test('should have access to create projects', async () => {
|
|
const { CREATE_PROJECT } = permissions;
|
|
const user = editorUser;
|
|
expect(await accessService.hasPermission(user, CREATE_PROJECT)).toBe(true);
|
|
});
|
|
|
|
test('should have access to update applications', async () => {
|
|
const { UPDATE_APPLICATION } = permissions;
|
|
const user = editorUser;
|
|
expect(await accessService.hasPermission(user, UPDATE_APPLICATION)).toBe(
|
|
true,
|
|
);
|
|
});
|
|
|
|
test('should not have admin permission', async () => {
|
|
const { ADMIN } = permissions;
|
|
const user = editorUser;
|
|
expect(await accessService.hasPermission(user, ADMIN)).toBe(false);
|
|
});
|
|
|
|
test('should have project admin to default project as editor', async () => {
|
|
const projectName = 'default';
|
|
|
|
const user = editorUser;
|
|
hasFullProjectAccess(user, projectName, true);
|
|
});
|
|
|
|
test('should not have project admin to other projects as editor', async () => {
|
|
const projectName = 'unusedprojectname';
|
|
const user = editorUser;
|
|
hasFullProjectAccess(user, projectName, false);
|
|
});
|
|
|
|
test('cannot add CREATE_FEATURE without defining project', async () => {
|
|
await expect(async () => {
|
|
await accessService.addPermissionToRole(
|
|
editorRole.id,
|
|
permissions.CREATE_FEATURE,
|
|
);
|
|
}).rejects.toThrow(
|
|
new Error('ProjectId cannot be empty for permission=CREATE_FEATURE'),
|
|
);
|
|
});
|
|
|
|
test('cannot remove CREATE_FEATURE without defining project', async () => {
|
|
await expect(async () => {
|
|
await accessService.removePermissionFromRole(
|
|
editorRole.id,
|
|
permissions.CREATE_FEATURE,
|
|
);
|
|
}).rejects.toThrow(
|
|
new Error('ProjectId cannot be empty for permission=CREATE_FEATURE'),
|
|
);
|
|
});
|
|
|
|
test('should remove CREATE_FEATURE on default environment', async () => {
|
|
const { CREATE_FEATURE } = permissions;
|
|
const user = editorUser;
|
|
const editRole = await accessService.getRoleByName(RoleName.EDITOR);
|
|
|
|
await accessService.addPermissionToRole(
|
|
editRole.id,
|
|
permissions.CREATE_FEATURE,
|
|
'*',
|
|
);
|
|
|
|
await accessService.removePermissionFromRole(
|
|
editRole.id,
|
|
permissions.CREATE_FEATURE,
|
|
'*',
|
|
);
|
|
|
|
expect(
|
|
await accessService.hasPermission(user, CREATE_FEATURE, 'some-project'),
|
|
).toBe(false);
|
|
});
|
|
|
|
test('admin should be admin', async () => {
|
|
const {
|
|
DELETE_PROJECT,
|
|
UPDATE_PROJECT,
|
|
CREATE_FEATURE,
|
|
UPDATE_FEATURE,
|
|
DELETE_FEATURE,
|
|
ADMIN,
|
|
} = permissions;
|
|
const user = superUser;
|
|
expect(
|
|
await accessService.hasPermission(user, DELETE_PROJECT, 'default'),
|
|
).toBe(true);
|
|
expect(
|
|
await accessService.hasPermission(user, UPDATE_PROJECT, 'default'),
|
|
).toBe(true);
|
|
expect(
|
|
await accessService.hasPermission(user, CREATE_FEATURE, 'default'),
|
|
).toBe(true);
|
|
expect(
|
|
await accessService.hasPermission(user, UPDATE_FEATURE, 'default'),
|
|
).toBe(true);
|
|
expect(
|
|
await accessService.hasPermission(user, DELETE_FEATURE, 'default'),
|
|
).toBe(true);
|
|
expect(await accessService.hasPermission(user, ADMIN)).toBe(true);
|
|
});
|
|
|
|
test('should create default roles to project', async () => {
|
|
const project = 'some-project';
|
|
const user = editorUser;
|
|
await accessService.createDefaultProjectRoles(user, project);
|
|
hasFullProjectAccess(user, project, true);
|
|
});
|
|
|
|
test('should require name when create default roles to project', async () => {
|
|
await expect(async () => {
|
|
await accessService.createDefaultProjectRoles(editorUser);
|
|
}).rejects.toThrow(new Error('ProjectId cannot be empty'));
|
|
});
|
|
|
|
test('should grant user access to project', async () => {
|
|
const { DELETE_PROJECT, UPDATE_PROJECT } = permissions;
|
|
const project = 'another-project';
|
|
const user = editorUser;
|
|
const sUser = await createUserViewerAccess(
|
|
'Some Random',
|
|
'random@getunleash.io',
|
|
);
|
|
await accessService.createDefaultProjectRoles(user, project);
|
|
|
|
const projectRole = await accessService.getRoleByName(RoleName.MEMBER);
|
|
await accessService.addUserToRole(sUser.id, projectRole.id, project);
|
|
|
|
// // Should be able to update feature toggles inside the project
|
|
hasCommonProjectAccess(sUser, project, true);
|
|
|
|
// Should not be able to admin the project itself.
|
|
expect(
|
|
await accessService.hasPermission(sUser, UPDATE_PROJECT, project),
|
|
).toBe(false);
|
|
expect(
|
|
await accessService.hasPermission(sUser, DELETE_PROJECT, project),
|
|
).toBe(false);
|
|
});
|
|
|
|
test('should not get access if not specifying project', async () => {
|
|
const project = 'another-project-2';
|
|
const user = editorUser;
|
|
const sUser = await createUserViewerAccess(
|
|
'Some Random',
|
|
'random22@getunleash.io',
|
|
);
|
|
await accessService.createDefaultProjectRoles(user, project);
|
|
|
|
const projectRole = await accessService.getRoleByName(RoleName.MEMBER);
|
|
|
|
await accessService.addUserToRole(sUser.id, projectRole.id, project);
|
|
|
|
// Should not be able to update feature toggles outside project
|
|
hasCommonProjectAccess(sUser, undefined, false);
|
|
});
|
|
|
|
test('should remove user from role', async () => {
|
|
const { userStore } = stores;
|
|
const user = await userStore.insert({
|
|
name: 'Some User',
|
|
email: 'random123@getunleash.io',
|
|
});
|
|
|
|
await accessService.addUserToRole(user.id, editorRole.id, 'default');
|
|
|
|
// check user has one role
|
|
const userRoles = await accessService.getRolesForUser(user.id);
|
|
expect(userRoles.length).toBe(1);
|
|
expect(userRoles[0].name).toBe(RoleName.EDITOR);
|
|
|
|
await accessService.removeUserFromRole(user.id, editorRole.id, 'default');
|
|
const userRolesAfterRemove = await accessService.getRolesForUser(user.id);
|
|
expect(userRolesAfterRemove.length).toBe(0);
|
|
});
|
|
|
|
test('should return role with users', async () => {
|
|
const { userStore } = stores;
|
|
const user = await userStore.insert({
|
|
name: 'Some User',
|
|
email: 'random2223@getunleash.io',
|
|
});
|
|
|
|
await accessService.addUserToRole(user.id, editorRole.id, 'default');
|
|
|
|
const roleWithUsers = await accessService.getRoleData(editorRole.id);
|
|
expect(roleWithUsers.role.name).toBe(RoleName.EDITOR);
|
|
expect(roleWithUsers.users.length >= 2).toBe(true);
|
|
expect(roleWithUsers.users.find((u) => u.id === user.id)).toBeTruthy();
|
|
expect(
|
|
roleWithUsers.users.find((u) => u.email === user.email),
|
|
).toBeTruthy();
|
|
});
|
|
|
|
test('should return role with permissions and users', async () => {
|
|
const { userStore } = stores;
|
|
const user = await userStore.insert({
|
|
name: 'Some User',
|
|
email: 'random2244@getunleash.io',
|
|
});
|
|
|
|
await accessService.addUserToRole(user.id, editorRole.id, 'default');
|
|
|
|
const roleWithPermission = await accessService.getRoleData(editorRole.id);
|
|
|
|
expect(roleWithPermission.role.name).toBe(RoleName.EDITOR);
|
|
expect(roleWithPermission.permissions.length > 2).toBe(true);
|
|
expect(
|
|
roleWithPermission.permissions.find(
|
|
(p) => p.name === permissions.CREATE_PROJECT,
|
|
),
|
|
).toBeTruthy();
|
|
//This assert requires other tests to have run in this pack before length > 2 resolves to true
|
|
// I've set this to be > 1, which allows us to run the test alone and should still satisfy the logic requirement
|
|
expect(roleWithPermission.users.length > 1).toBe(true);
|
|
});
|
|
|
|
test('should set root role for user', async () => {
|
|
const { userStore } = stores;
|
|
const user = await userStore.insert({
|
|
name: 'Some User',
|
|
email: 'random2255@getunleash.io',
|
|
});
|
|
|
|
await accessService.setUserRootRole(user.id, editorRole.id);
|
|
|
|
const roles = await accessService.getRolesForUser(user.id);
|
|
//To have duplicated roles like this may not may not be a hack. Needs some thought
|
|
expect(roles[0].name).toBe(RoleName.EDITOR);
|
|
|
|
expect(roles.length).toBe(1);
|
|
});
|
|
|
|
test('should switch root role for user', async () => {
|
|
const { userStore } = stores;
|
|
const user = await userStore.insert({
|
|
name: 'Some User',
|
|
email: 'random22Read@getunleash.io',
|
|
});
|
|
|
|
await accessService.setUserRootRole(user.id, editorRole.id);
|
|
await accessService.setUserRootRole(user.id, readRole.id);
|
|
|
|
const roles = await accessService.getRolesForUser(user.id);
|
|
|
|
expect(roles.length).toBe(1);
|
|
expect(roles[0].name).toBe(RoleName.VIEWER);
|
|
});
|
|
|
|
test('should not crash if user does not have permission', async () => {
|
|
const { userStore } = stores;
|
|
|
|
const user = await userStore.insert({
|
|
name: 'Some User',
|
|
email: 'random55Read@getunleash.io',
|
|
});
|
|
|
|
await accessService.setUserRootRole(user.id, readRole.id);
|
|
|
|
const { UPDATE_CONTEXT_FIELD } = permissions;
|
|
const hasAccess = await accessService.hasPermission(
|
|
user,
|
|
UPDATE_CONTEXT_FIELD,
|
|
);
|
|
|
|
expect(hasAccess).toBe(false);
|
|
});
|
|
|
|
test('should support permission with "ALL" environment requirement', async () => {
|
|
const { userStore, roleStore, accessStore } = stores;
|
|
|
|
const user = await userStore.insert({
|
|
name: 'Some User',
|
|
email: 'randomEnv1@getunleash.io',
|
|
});
|
|
|
|
await accessService.setUserRootRole(user.id, readRole.id);
|
|
|
|
const customRole = await roleStore.create({
|
|
name: 'Power user',
|
|
roleType: 'custom',
|
|
description: 'Grants access to modify all environments',
|
|
});
|
|
|
|
const { CREATE_FEATURE_STRATEGY } = permissions;
|
|
await accessStore.addPermissionsToRole(
|
|
customRole.id,
|
|
[CREATE_FEATURE_STRATEGY],
|
|
'production',
|
|
);
|
|
await accessStore.addUserToRole(user.id, customRole.id, ALL_PROJECTS);
|
|
|
|
const hasAccess = await accessService.hasPermission(
|
|
user,
|
|
CREATE_FEATURE_STRATEGY,
|
|
'default',
|
|
'production',
|
|
);
|
|
|
|
expect(hasAccess).toBe(true);
|
|
|
|
const hasNotAccess = await accessService.hasPermission(
|
|
user,
|
|
CREATE_FEATURE_STRATEGY,
|
|
'default',
|
|
'development',
|
|
);
|
|
expect(hasNotAccess).toBe(false);
|
|
});
|
|
|
|
test('Should have access to create a strategy in an environment', async () => {
|
|
const { CREATE_FEATURE_STRATEGY } = permissions;
|
|
const user = editorUser;
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
CREATE_FEATURE_STRATEGY,
|
|
'default',
|
|
'development',
|
|
),
|
|
).toBe(true);
|
|
});
|
|
|
|
test('Should be denied access to create a strategy in an environment the user does not have access to', async () => {
|
|
const { CREATE_FEATURE_STRATEGY } = permissions;
|
|
const user = editorUser;
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
CREATE_FEATURE_STRATEGY,
|
|
'default',
|
|
'noaccess',
|
|
),
|
|
).toBe(false);
|
|
});
|
|
|
|
test('Should have access to edit a strategy in an environment', async () => {
|
|
const { UPDATE_FEATURE_STRATEGY } = permissions;
|
|
const user = editorUser;
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
UPDATE_FEATURE_STRATEGY,
|
|
'default',
|
|
'development',
|
|
),
|
|
).toBe(true);
|
|
});
|
|
|
|
test('Should have access to delete a strategy in an environment', async () => {
|
|
const { DELETE_FEATURE_STRATEGY } = permissions;
|
|
const user = editorUser;
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
DELETE_FEATURE_STRATEGY,
|
|
'default',
|
|
'development',
|
|
),
|
|
).toBe(true);
|
|
});
|
|
|
|
test('Should be denied access to delete a strategy in an environment the user does not have access to', async () => {
|
|
const { DELETE_FEATURE_STRATEGY } = permissions;
|
|
const user = editorUser;
|
|
expect(
|
|
await accessService.hasPermission(
|
|
user,
|
|
DELETE_FEATURE_STRATEGY,
|
|
'default',
|
|
'noaccess',
|
|
),
|
|
).toBe(false);
|
|
});
|
|
|
|
test('Should be denied access to delete a role that is in use', async () => {
|
|
const user = editorUser;
|
|
|
|
const project = {
|
|
id: 'projectToUseRole',
|
|
name: 'New project',
|
|
description: 'Blah',
|
|
};
|
|
await projectService.createProject(project, user.id);
|
|
|
|
const projectMember = await stores.userStore.insert({
|
|
name: 'CustomProjectMember',
|
|
email: 'custom@getunleash.io',
|
|
});
|
|
|
|
const customRole = await accessService.createRole({
|
|
name: 'RoleInUse',
|
|
description: '',
|
|
permissions: [
|
|
{
|
|
id: 2,
|
|
name: 'CREATE_FEATURE',
|
|
environment: null,
|
|
displayName: 'Create Feature Toggles',
|
|
type: 'project',
|
|
},
|
|
{
|
|
id: 8,
|
|
name: 'DELETE_FEATURE',
|
|
environment: null,
|
|
displayName: 'Delete Feature Toggles',
|
|
type: 'project',
|
|
},
|
|
],
|
|
});
|
|
|
|
await projectService.addUser(project.id, customRole.id, projectMember.id);
|
|
|
|
try {
|
|
await accessService.deleteRole(customRole.id);
|
|
} catch (e) {
|
|
expect(e.toString()).toBe(
|
|
'RoleInUseError: Role is in use by more than one user. You cannot delete a role that is in use without first removing the role from the users.',
|
|
);
|
|
}
|
|
});
|
|
|
|
test('Should be denied move feature toggle to project where the user does not have access', async () => {
|
|
const user = editorUser;
|
|
const editorUser2 = await createUserEditorAccess(
|
|
'seconduser',
|
|
'bob2@gmail.com',
|
|
);
|
|
|
|
const projectOrigin = {
|
|
id: 'projectOrigin',
|
|
name: 'New project',
|
|
description: 'Blah',
|
|
};
|
|
const projectDest = {
|
|
id: 'projectDest',
|
|
name: 'New project',
|
|
description: 'Blah',
|
|
};
|
|
await projectService.createProject(projectOrigin, user.id);
|
|
await projectService.createProject(projectDest, editorUser2.id);
|
|
|
|
const featureToggle = { name: 'moveableToggle' };
|
|
|
|
await featureToggleService.createFeatureToggle(
|
|
projectOrigin.id,
|
|
featureToggle,
|
|
user.username,
|
|
);
|
|
|
|
try {
|
|
await projectService.changeProject(
|
|
projectDest.id,
|
|
featureToggle.name,
|
|
user,
|
|
projectOrigin.id,
|
|
);
|
|
} catch (e) {
|
|
expect(e.toString()).toBe(
|
|
'NoAccessError: You need permission=MOVE_FEATURE_TOGGLE to perform this action',
|
|
);
|
|
}
|
|
});
|
|
|
|
test('Should be allowed move feature toggle to project when the user has access', async () => {
|
|
const user = editorUser;
|
|
|
|
const projectOrigin = {
|
|
id: 'projectOrigin1',
|
|
name: 'New project',
|
|
description: 'Blah',
|
|
};
|
|
const projectDest = {
|
|
id: 'projectDest2',
|
|
name: 'New project',
|
|
description: 'Blah',
|
|
};
|
|
await projectService.createProject(projectOrigin, user);
|
|
await projectService.createProject(projectDest, user);
|
|
|
|
const featureToggle = { name: 'moveableToggle2' };
|
|
|
|
await featureToggleService.createFeatureToggle(
|
|
projectOrigin.id,
|
|
featureToggle,
|
|
user.username,
|
|
);
|
|
|
|
await projectService.changeProject(
|
|
projectDest.id,
|
|
featureToggle.name,
|
|
user,
|
|
projectOrigin.id,
|
|
);
|
|
});
|
|
|
|
test('Should not be allowed to edit a built in role', async () => {
|
|
expect.assertions(1);
|
|
|
|
const editRole = await accessService.getRoleByName(RoleName.EDITOR);
|
|
const roleUpdate = {
|
|
id: editRole.id,
|
|
name: 'NoLongerTheEditor',
|
|
description: 'Ha!',
|
|
};
|
|
|
|
try {
|
|
await accessService.updateRole(roleUpdate);
|
|
} catch (e) {
|
|
expect(e.toString()).toBe(
|
|
'InvalidOperationError: You can not change built in roles.',
|
|
);
|
|
}
|
|
});
|