rpcchannel/test/accesscontrol.spec.ts

Easy RPC with permission controls

import { expect } from 'chai'
import {
  AllowAccessController,
  DenyAccessController,
  FunctionAccessController,
  MultistringAddress,
  AccessPolicy,
  ChainedAccessController,
  LegacyAccessController,
  FunctionLookupAccessController,
  RpcChannel,
  AutoFunctionAccessController,
  RequiresPermissions,
  CanCallFunction,
  OptAccessPolicy,
  RequirePermissions,
  SetCanCallFunc
} from '../src/index'

describe('[accesscontrol.ts] RequirePermissions', () => {
  it('sets RequiresPermissions on member function', () => {
    class Test {
      @RequirePermissions(['hello', 'world'])
      member(): number {
        return 1
      }
    }
    expect((new Test().member as any)[RequiresPermissions]).to.be.deep.equal(
      ['hello', 'world']
    )
  })
  it('throws error when applied to non-function', () => {
    expect(() => {
      const myobj = {}
      RequirePermissions([])(
        myobj,
        'test',
        {
          configurable: true,
          enumerable: false,
          value: 'hi',
          writable: true,
          get(): string {
            return 'hi'
          },
          set(v: any): void {
            throw new Error('Should not happen')
          }
        }
      )
    }).to.throw('Cannot require permissions for non-function')
  })
})
describe('[accesscontrol.ts] SetCanCallFunc', () => {
  it('sets CanCallFunction on member function', () => {
    const func = () => AccessPolicy.ALLOW
    class Test {
      @SetCanCallFunc(func)
      member(): number {
        return 1
      }
    }
    expect((new Test().member as any)[CanCallFunction]).to.be.equal(func)
  })
  it('throws error when applied to non-function', () => {
    expect(() => {
      const myobj = {}
      SetCanCallFunc(() => undefined)(
        myobj,
        'test',
        {
          configurable: true,
          enumerable: false,
          value: 'hi',
          writable: true,
          get(): string {
            return 'hi'
          },
          set(v: any): void {
            throw new Error('Should not happen')
          }
        }
      )
    }).to.throw('Cannot set access controller func on non-function')
  })
})

const default_opts = {
  args: [{}, Symbol(), 'hi'],
  wc: [],
  channel: new RpcChannel(() => undefined),
  func: () => undefined
}

describe('[accesscontrol.ts] AllowAccessController', () => {
  it('always returns true', () => {
    expect(new AllowAccessController().can()).to.be.true
  })
})
describe('[accesscontrol.ts] DenyAccessController', () => {
  it('always returns false', () => {
    expect(new DenyAccessController().can()).to.be.false
  })
})
describe('[accesscontrol.ts] DenyAccessController', () => {
  it('always calls function', () => {
    const addr = ['net', 'kb1rd', 'test']
    expect(new FunctionAccessController(
      (a: MultistringAddress, opts) => {
        expect(a).to.be.equal(addr)
        expect(opts).to.be.equal(default_opts)
        return true
      }
    ).can(addr, default_opts)).to.be.true
  })
})
describe('[accesscontrol.ts] ChainedAccessController', () => {
  it('default works', () => {
    expect(
      new ChainedAccessController(AccessPolicy.ALLOW).can([], default_opts)
    ).to.be.equal(AccessPolicy.ALLOW)
  })
  it('calls in order with same data, stopping when value provided', () => {
    const addr = ['net', 'kb1rd', 'test']
    const data = [{}, Symbol(), 'hi']
    const ac = new ChainedAccessController(AccessPolicy.ALLOW)
    const calls: number[] = []
    ac.access_chain.push(new FunctionAccessController((a, o) => {
      expect(a).to.be.equal(addr)
      expect(o).to.be.equal(default_opts)
      calls.push(1)
      return undefined
    }))
    ac.access_chain.push(new FunctionAccessController(() => {
      calls.push(2)
      return AccessPolicy.DENY
    }))
    ac.access_chain.push(new FunctionAccessController(() => {
      calls.push(3)
      return undefined
    }))
    expect(ac.can(addr, default_opts)).to.be.equal(AccessPolicy.DENY)
    expect(calls).to.be.deep.equal([1, 2])
  })
})
describe('[accesscontrol.ts] LegacyAccessController', () => {
  it('matches (assumes AddressMap works)', () => {
    const ac = new LegacyAccessController()
    ac.map.put(['net', 'kb1rd', undefined], AccessPolicy.ALLOW)
    
    expect(ac.can(['net', 'kb1rd', 'test'])).to.be.equal(AccessPolicy.ALLOW)
  })
})
describe('[accesscontrol.ts] FunctionLookupAccessController', () => {
  it('returns `OptAccessPolicy.NONE` if function undefined', () => {
    const ac = new FunctionLookupAccessController()
    ac.map.put(['net', 'kb1rd', undefined], () => AccessPolicy.ALLOW)
    
    expect(ac.can(['com', 'kb1rd', 'test'], default_opts))
      .to.be.equal(OptAccessPolicy.NONE)
  })
  it('lookup works', () => {
    const addr = ['net', 'kb1rd', 'test']
    const data = [{}, Symbol(), 'hi']
    const ac = new FunctionLookupAccessController()
    ac.map.put(['net', 'kb1rd', undefined], (a, o) => {
      expect(a).to.be.equal(addr)
      expect(o).to.be.equal(default_opts)
      return AccessPolicy.ALLOW
    })
    
    expect(ac.can(addr, default_opts)).to.be.equal(AccessPolicy.ALLOW)
  })
})
describe('[accesscontrol.ts] AutoFunctionAccessController', () => {
  it('defaults to none', () => {
    const ac = new AutoFunctionAccessController()

    expect(ac.can(['com', 'kb1rd', 'test'], default_opts))
      .to.be.equal(OptAccessPolicy.NONE)
  })
  it('denies if missing even one permission before calling func', () => {
    const ac = new AutoFunctionAccessController()
    ac.perms.add('net.kb1rd.teststuff')

    const opts = Object.assign(
      {},
      default_opts,
      {
        func: Object.assign(
          () => undefined,
          {
            [RequiresPermissions]: [
              'net.kb1rd.teststuff',
              'net.kb1rd.security'
            ],
            [CanCallFunction]: () => {
              throw new TypeError('This should never happen')
            }
          }
        )
      }
    )
    expect(ac.can(['com', 'kb1rd', 'test'], opts))
      .to.be.equal(AccessPolicy.DENY)
  })
  it('requesting perms in function has same effect', () => {
    const ac = new AutoFunctionAccessController()
    ac.perms.add('net.kb1rd.teststuff')

    const opts = Object.assign(
      {},
      default_opts,
      {
        func: Object.assign(
          () => undefined,
          {
            [CanCallFunction]: (
              to: MultistringAddress,
              { require }: { require: (s: string) => void }
            ) => {
              require('net.kb1rd.teststuff')
              require('net.kb1rd.security')
            }
          }
        )
      }
    )
    expect(ac.can(['com', 'kb1rd', 'test'], opts))
      .to.be.equal(AccessPolicy.DENY)
  })
  it('returns function value', () => {
    const ac = new AutoFunctionAccessController()
    ac.perms.add('net.kb1rd.teststuff')

    const opts = Object.assign(
      {},
      default_opts,
      {
        func: Object.assign(
          () => undefined,
          { [CanCallFunction]: () => AccessPolicy.ALLOW }
        )
      }
    )
    expect(ac.can(['com', 'kb1rd', 'test'], opts))
      .to.be.equal(AccessPolicy.ALLOW)
  })
  it('defaults to `OptAccessPolicy.NONE` when function returns', () => {
    const ac = new AutoFunctionAccessController()
    ac.perms.add('net.kb1rd.teststuff')

    const opts = Object.assign(
      {},
      default_opts,
      {
        func: Object.assign(
          () => undefined,
          { [CanCallFunction]: () => undefined }
        )
      }
    )
    expect(ac.can(['com', 'kb1rd', 'test'], opts))
      .to.be.equal(OptAccessPolicy.NONE)
  })
})