Hugging Face's logo

Darochin
/
openskynet

English
Spanish
agent
autonomy
research
typescript
nodejs
llm
Model card Files
xet
 Community
openskynet / src /plugin-sdk /group-access.test.ts
Darochin's picture
Darochin
Mirror OpenSkyNet workspace snapshot from Git HEAD
fc93158 verified
raw
history blame contribute delete
6.73 kB
import { describe, expect, it } from "vitest";
import {
 evaluateGroupRouteAccessForPolicy,
 evaluateMatchedGroupAccessForPolicy,
 evaluateSenderGroupAccess,
 evaluateSenderGroupAccessForPolicy,
 resolveSenderScopedGroupPolicy,
} from "./group-access.js";
describe("resolveSenderScopedGroupPolicy", () => {
 it("preserves disabled policy", () => {
 expect(
 resolveSenderScopedGroupPolicy({
 groupPolicy: "disabled",
 groupAllowFrom: ["a"],
 }),
 ).toBe("disabled");
 });
it("maps open/allowlist based on effective sender allowlist", () => {
 expect(
 resolveSenderScopedGroupPolicy({
 groupPolicy: "allowlist",
 groupAllowFrom: ["a"],
 }),
 ).toBe("allowlist");
 expect(
 resolveSenderScopedGroupPolicy({
 groupPolicy: "allowlist",
 groupAllowFrom: [],
 }),
 ).toBe("open");
 });
});
describe("evaluateSenderGroupAccessForPolicy", () => {
 it("blocks disabled policy", () => {
 const decision = evaluateSenderGroupAccessForPolicy({
 groupPolicy: "disabled",
 groupAllowFrom: ["123"],
 senderId: "123",
 isSenderAllowed: () => true,
 });
expect(decision).toMatchObject({ allowed: false, reason: "disabled", groupPolicy: "disabled" });
 });
it("blocks allowlist with empty list", () => {
 const decision = evaluateSenderGroupAccessForPolicy({
 groupPolicy: "allowlist",
 groupAllowFrom: [],
 senderId: "123",
 isSenderAllowed: () => true,
 });
expect(decision).toMatchObject({
 allowed: false,
 reason: "empty_allowlist",
 groupPolicy: "allowlist",
 });
 });
});
describe("evaluateGroupRouteAccessForPolicy", () => {
 it("blocks disabled policy", () => {
 expect(
 evaluateGroupRouteAccessForPolicy({
 groupPolicy: "disabled",
 routeAllowlistConfigured: true,
 routeMatched: true,
 routeEnabled: true,
 }),
 ).toEqual({
 allowed: false,
 groupPolicy: "disabled",
 reason: "disabled",
 });
 });
it("blocks allowlist without configured routes", () => {
 expect(
 evaluateGroupRouteAccessForPolicy({
 groupPolicy: "allowlist",
 routeAllowlistConfigured: false,
 routeMatched: false,
 }),
 ).toEqual({
 allowed: false,
 groupPolicy: "allowlist",
 reason: "empty_allowlist",
 });
 });
it("blocks unmatched allowlist route", () => {
 expect(
 evaluateGroupRouteAccessForPolicy({
 groupPolicy: "allowlist",
 routeAllowlistConfigured: true,
 routeMatched: false,
 }),
 ).toEqual({
 allowed: false,
 groupPolicy: "allowlist",
 reason: "route_not_allowlisted",
 });
 });
it("blocks disabled matched route even when group policy is open", () => {
 expect(
 evaluateGroupRouteAccessForPolicy({
 groupPolicy: "open",
 routeAllowlistConfigured: true,
 routeMatched: true,
 routeEnabled: false,
 }),
 ).toEqual({
 allowed: false,
 groupPolicy: "open",
 reason: "route_disabled",
 });
 });
});
describe("evaluateMatchedGroupAccessForPolicy", () => {
 it("blocks disabled policy", () => {
 expect(
 evaluateMatchedGroupAccessForPolicy({
 groupPolicy: "disabled",
 allowlistConfigured: true,
 allowlistMatched: true,
 }),
 ).toEqual({
 allowed: false,
 groupPolicy: "disabled",
 reason: "disabled",
 });
 });
it("blocks allowlist without configured entries", () => {
 expect(
 evaluateMatchedGroupAccessForPolicy({
 groupPolicy: "allowlist",
 allowlistConfigured: false,
 allowlistMatched: false,
 }),
 ).toEqual({
 allowed: false,
 groupPolicy: "allowlist",
 reason: "empty_allowlist",
 });
 });
it("blocks allowlist when required match input is missing", () => {
 expect(
 evaluateMatchedGroupAccessForPolicy({
 groupPolicy: "allowlist",
 requireMatchInput: true,
 hasMatchInput: false,
 allowlistConfigured: true,
 allowlistMatched: false,
 }),
 ).toEqual({
 allowed: false,
 groupPolicy: "allowlist",
 reason: "missing_match_input",
 });
 });
it("blocks unmatched allowlist sender", () => {
 expect(
 evaluateMatchedGroupAccessForPolicy({
 groupPolicy: "allowlist",
 allowlistConfigured: true,
 allowlistMatched: false,
 }),
 ).toEqual({
 allowed: false,
 groupPolicy: "allowlist",
 reason: "not_allowlisted",
 });
 });
it("allows open policy", () => {
 expect(
 evaluateMatchedGroupAccessForPolicy({
 groupPolicy: "open",
 allowlistConfigured: false,
 allowlistMatched: false,
 }),
 ).toEqual({
 allowed: true,
 groupPolicy: "open",
 reason: "allowed",
 });
 });
});
describe("evaluateSenderGroupAccess", () => {
 it("defaults missing provider config to allowlist", () => {
 const decision = evaluateSenderGroupAccess({
 providerConfigPresent: false,
 configuredGroupPolicy: undefined,
 defaultGroupPolicy: "open",
 groupAllowFrom: ["123"],
 senderId: "123",
 isSenderAllowed: () => true,
 });
expect(decision).toEqual({
 allowed: true,
 groupPolicy: "allowlist",
 providerMissingFallbackApplied: true,
 reason: "allowed",
 });
 });
it("blocks disabled policy", () => {
 const decision = evaluateSenderGroupAccess({
 providerConfigPresent: true,
 configuredGroupPolicy: "disabled",
 defaultGroupPolicy: "open",
 groupAllowFrom: ["123"],
 senderId: "123",
 isSenderAllowed: () => true,
 });
expect(decision).toMatchObject({ allowed: false, reason: "disabled", groupPolicy: "disabled" });
 });
it("blocks allowlist with empty list", () => {
 const decision = evaluateSenderGroupAccess({
 providerConfigPresent: true,
 configuredGroupPolicy: "allowlist",
 defaultGroupPolicy: "open",
 groupAllowFrom: [],
 senderId: "123",
 isSenderAllowed: () => true,
 });
expect(decision).toMatchObject({
 allowed: false,
 reason: "empty_allowlist",
 groupPolicy: "allowlist",
 });
 });
it("blocks sender not allowlisted", () => {
 const decision = evaluateSenderGroupAccess({
 providerConfigPresent: true,
 configuredGroupPolicy: "allowlist",
 defaultGroupPolicy: "open",
 groupAllowFrom: ["123"],
 senderId: "999",
 isSenderAllowed: () => false,
 });
expect(decision).toMatchObject({
 allowed: false,
 reason: "sender_not_allowlisted",
 groupPolicy: "allowlist",
 });
 });
});