mirror of
https://github.com/openclaw/openclaw.git
synced 2026-04-30 22:20:23 +00:00
ef95975411
Merged via squash.
Prepared head SHA: a6d7ca90d7
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
31 lines
1.3 KiB
TypeScript
31 lines
1.3 KiB
TypeScript
import { describe, expect, test } from "vitest";
|
|
import {
|
|
isRoleAuthorizedForMethod,
|
|
parseGatewayRole,
|
|
roleCanSkipDeviceIdentity,
|
|
} from "./role-policy.js";
|
|
|
|
describe("gateway role policy", () => {
|
|
test("parses supported roles", () => {
|
|
expect(parseGatewayRole("operator")).toBe("operator");
|
|
expect(parseGatewayRole("node")).toBe("node");
|
|
expect(parseGatewayRole("admin")).toBeNull();
|
|
expect(parseGatewayRole(undefined)).toBeNull();
|
|
});
|
|
|
|
test("allows device-less bypass only for operator + shared auth", () => {
|
|
expect(roleCanSkipDeviceIdentity("operator", true)).toBe(true);
|
|
expect(roleCanSkipDeviceIdentity("operator", false)).toBe(false);
|
|
expect(roleCanSkipDeviceIdentity("node", true)).toBe(false);
|
|
});
|
|
|
|
test("authorizes roles against node vs operator methods", () => {
|
|
expect(isRoleAuthorizedForMethod("node", "node.event")).toBe(true);
|
|
expect(isRoleAuthorizedForMethod("node", "node.pending.drain")).toBe(true);
|
|
expect(isRoleAuthorizedForMethod("node", "status")).toBe(false);
|
|
expect(isRoleAuthorizedForMethod("operator", "status")).toBe(true);
|
|
expect(isRoleAuthorizedForMethod("operator", "node.pending.drain")).toBe(false);
|
|
expect(isRoleAuthorizedForMethod("operator", "node.event")).toBe(false);
|
|
});
|
|
});
|