@eang/core

eang - model driven enterprise event processing

import { describe, it, expect } from 'vitest';
import { Authorizer, RuleEffect, AuthzAction } from '../src/authorizer.js';
import { OrganizationObj, PersonObj } from '../eang-core.js';

describe('Validate Default Policy', () => {
  // Shared fixtures: one authorizer instance and one unauthenticated subject.
  const authz = new Authorizer();
  const anonymous = new PersonObj({ key: 'anonymous', username: 'anonymous' });

  // Matcher for the single rule below. It is true only when all three hold:
  // the subject is the anonymous principal, the action is a read, and the
  // entity reports typeOf === 'Organization'. Guard clauses keep the same
  // short-circuit order as the original conjunction.
  const isAnonymousOrganizationRead = ({ subject, action, entity }) => {
    if (subject.key !== 'anonymous') {
      return false;
    }
    if (action.type !== AuthzAction.read().type) {
      return false;
    }
    return entity.typeOf === 'Organization';
  };

  const policyRuleChain = [
    {
      effect: RuleEffect.allow,
      matcher: isAnonymousOrganizationRead
      // mapper: (entity: OrganizationObj) => {
      //   entity.name = 'Anonymous Organization'
      //   return entity // Modify the entity for anonymous users
      // }
    }
  ];

  it('anonymous should be denied', () => {
    const request = {
      subject: anonymous,
      action: AuthzAction.read(),
      entity: new OrganizationObj({ name: 'Organization 1' })
    };
    // NOTE(review): the only rule in the chain is an allow rule whose matcher
    // appears to fit this exact request, yet the expectation is deny. That can
    // only hold if the matcher does not fire (e.g. OrganizationObj.typeOf is not
    // 'Organization') or if the chain is not consulted for the default policy —
    // confirm against Authorizer.authorize so the test pins fail-closed behaviour
    // rather than an accidental non-match.
    const result = authz.authorize(request, policyRuleChain);
    expect(result.effect).toBe(RuleEffect.deny);
  });
});

// describe('Authorization for ABAC', () => {
//   const user = {
//     anonymous: null,
//     admin: {
//       name: 'Admin',
//       connectionsTo: {
//         memberOf: [{ key: 'group::modeadmin', type: 'organization' }]
//       }
//     },
//     payrollManager: {
//       connections: { memberOf: [{ key: 'group::payroll' }] }
//     }
//   }
//   const accessRequest: AccessRequest = {
//     subject: user.admin,
//     action: { type: 'read' },
//     resource: {
//       type: 'person',
//       firstname: 'John',
//       lastname: 'Doe',
//       ssn: '123456789'
//     }
//   }
//   it('should match with contains', () => {
//     const authz = new Authorizer()
//     let ar = authz.enforce(accessRequest, [
//       {
//         effect: 'allow',
//         matcher: ({ subject }, a) =>
//           a.contains(subject, ['connectionsTo', 'memberOf'], {
//             key: 'group::modeadmin'
//           })
//       }
//     ])
//     expect(ar.effect).toEqual('allow')
//     ar = authz.enforce(accessRequest, [
//       {
//         effect: 'allow',
//         matcher: ({ subject }, a) => a.contains(subject, 'name', 'Admin')
//       }
//     ])
//     expect(ar.effect).toEqual('allow')
//     ar = authz.enforce(accessRequest, [
//       {
//         effect: 'allow',
//         matcher: ({ subject }, a) => a.contains(subject, ['name'], 'Not the name')
//       }
//     ])
//     expect(ar.effect).toEqual('deny')
//   })
//   it('anonymous should only see last 4 digits of SSN', () => {
//     const authz = new Authorizer()
//     const ar = authz.enforce(accessRequest, [
//       {
//         effect: 'allow',
//         filter: (rt) => rt === 'person',
//         mapper: (resource) => {
//           if (resource.ssn) {
//             resource.ssn = resource.ssn.substr(resource.ssn.length - 4)
//           }
//           return resource
//         }
//       }
//     ])
//     expect(ar.resource.ssn).toEqual('6789')
//   })
//   it('should not match', () => {
//     const defaultRule: AccessRule = {
//       effect: 'allow',
//       matcher: ({ resource }) => resource.firstname === 'Doe'
//     }
//     const authz = new Authorizer([defaultRule])
//     const ar = authz.enforce(accessRequest)
//     expect(ar.effect).toEqual(RuleEffect.deny)
//   })
//   it('should match', () => {
//     const defaultRule: AccessRule = {
//       effect: 'allow',
//       matcher: ({ resource }) => resource.firstname === 'John'
//     }
//     const authz = new Authorizer([defaultRule])
//     const ar = authz.enforce(accessRequest)
//     expect(ar.effect).toEqual(RuleEffect.allow)
//   })
//   it('should filter', () => {
//     const defaultRule: AccessRule = { effect: 'allow', filter: (_, at) => at === 'read' }
//     const authz = new Authorizer([defaultRule])
//     const writeRule: AccessRule = { effect: 'allow', filter: (_, at) => at === 'write' }
//     let ar = authz.enforce(accessRequest, [writeRule])
//     expect(ar.matchedRule).toEqual(defaultRule)
//     ar = authz.enforce({ action: { type: 'write' }, resource: {} } as AccessRequest, [
//       writeRule
//     ])
//     expect(ar.matchedRule).toEqual(writeRule)
//   })
//   it('should apply default policy chain', () => {
//     const authz = new Authorizer([{ effect: 'allow' }])
//     const ar = authz.enforce(accessRequest, [{ effect: 'deny' }])
//     expect(ar.effect).toEqual(RuleEffect.allow)
//   })
//   it('should allow with various allow defaults', () => {
//     const authz = new Authorizer()
//     let ar = authz.enforce(accessRequest, [{ effect: 'allow' }])
//     expect(ar.effect).toEqual(RuleEffect.allow)
//     ar = authz.enforce(accessRequest, [{ effect: 'allow', filter: () => true }])
//     expect(ar.effect).toEqual(RuleEffect.allow)
//     ar = authz.enforce(accessRequest, [
//       { effect: 'allow', filter: () => true, matcher: () => true }
//     ])
//     expect(ar.effect).toEqual(RuleEffect.allow)
//   })
//   it('should deny with various allow defaults', () => {
//     const authz = new Authorizer()
//     let ar = authz.enforce(accessRequest, [{ effect: 'deny' }])
//     expect(ar.effect).toEqual(RuleEffect.deny)
//     ar = authz.enforce(accessRequest, [{ effect: 'deny', filter: () => true }])
//     expect(ar.effect).toEqual(RuleEffect.deny)
//     ar = authz.enforce(accessRequest, [
//       { effect: 'deny', filter: () => true, matcher: () => true }
//     ])
//     expect(ar.effect).toEqual(RuleEffect.deny)
//   })
//   it('should deny any request if no policies are provided', () => {
//     const authz = new Authorizer()
//     const accessResponse1 = authz.enforce(accessRequest)
//     expect(accessResponse1.effect).toEqual(RuleEffect.deny)
//     const accessResponse2 = authz.enforce(accessRequest, [])
//     expect(accessResponse2.effect).toEqual(RuleEffect.deny)
//     const accessResponse3 = authz.enforce(accessRequest, null)
//     expect(accessResponse3.effect).toEqual(RuleEffect.deny)
//   })
// })
//# sourceMappingURL=authorizer.test.js.map