OIDC app creation with encrypted secrets and application roles
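--- a/test/models/application_role_test.rb
+++ b/test/models/application_role_test.rb
@@ -0,0 +1,86 @@
+require "test_helper"
+
+class ApplicationRoleTest < ActiveSupport::TestCase
+def setup
+@application = applications(:kavita_app)
+@role = @application.application_roles.create!(
+name: "admin",
+display_name: "Administrator",
+description: "Full access to all features"
+)
+end
+
+test "should be valid" do
+assert @role.valid?
+end
+
+test "should require name" do
+@role.name = ""
+assert_not @role.valid?
+assert_includes @role.errors[:name], "can't be blank"
+end
+
+test "should require display_name" do
+@role.display_name = ""
+assert_not @role.valid?
+assert_includes @role.errors[:display_name], "can't be blank"
+end
+
+test "should enforce unique role name per application" do
+duplicate_role = @application.application_roles.build(
+name: @role.name,
+display_name: "Another Admin"
+)
+assert_not duplicate_role.valid?
+assert_includes duplicate_role.errors[:name], "has already been taken"
+end
+
+test "should allow same role name in different applications" do
+other_app = Application.create!(
+name: "Other App",
+slug: "other-app",
+app_type: "oidc"
+)
+other_role = other_app.application_roles.build(
+name: @role.name,
+display_name: "Other Admin"
+)
+assert other_role.valid?
+end
+
+test "should track user assignments" do
+user = users(:alice)
+assert_not @role.user_has_role?(user)
+
+@role.assign_to_user!(user)
+assert @role.user_has_role?(user)
+assert @role.users.include?(user)
+end
+
+test "should handle role removal" do
+user = users(:alice)
+@role.assign_to_user!(user)
+assert @role.user_has_role?(user)
+
+@role.remove_from_user!(user)
+assert_not @role.user_has_role?(user)
+assert_not @role.users.include?(user)
+end
+
+test "should default to active" do
+new_role = @application.application_roles.build(
+name: "member",
+display_name: "Member"
+)
+assert new_role.active?
+end
+
+test "should support default permissions" do
+role_with_permissions = @application.application_roles.create!(
+name: "editor",
+display_name: "Editor",
+permissions: { "read" => true, "write" => true, "delete" => false }
+)
+assert_equal({ "read" => true, "write" => true, "delete" => false }, role_with_permissions.permissions)
+end
+end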
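Review bot: The assertion at the end of `should support default permissions` compares the hash that was just passed to `create!` against the same in-memory attribute, so it never checks what the column actually stores or how it comes back; reload first so the round-trip is what is tested: `assert_equal({ "read" => true, "write" => true, "delete" => false }, role_with_permissions.reload.permissions)`. The `should enforce unique role name per application` test pins only the model validation, which does not stop two concurrent inserts; if the schema has a unique index on (application_id, name), a companion test that skips validation and expects `ActiveRecord::RecordNotUnique` would pin the database side, which matters because roles feed authorization decisions. Neither assignment test calls `assign_to_user!` twice for the same user, so whether a repeat call is idempotent or raises is left undocumented; presumably one of the two is intended, and a short test would fix the contract.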
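--- a/test/models/user_role_assignment_test.rb
+++ b/test/models/user_role_assignment_test.rb
@@ -0,0 +1,87 @@
+require "test_helper"
+
+class UserRoleAssignmentTest < ActiveSupport::TestCase
+def setup
+@application = applications(:kavita_app)
+@role = @application.application_roles.create!(
+name: "admin",
+display_name: "Administrator"
+)
+@user = users(:alice)
+@assignment = UserRoleAssignment.create!(
+user: @user,
+application_role: @role
+)
+end
+
+test "should be valid" do
+assert @assignment.valid?
+end
+
+test "should enforce unique user-role combination" do
+duplicate_assignment = UserRoleAssignment.new(
+user: @user,
+application_role: @role
+)
+assert_not duplicate_assignment.valid?
+assert_includes duplicate_assignment.errors[:user], "has already been taken"
+end
+
+test "should allow same user with different roles" do
+other_role = @application.application_roles.create!(
+name: "editor",
+display_name: "Editor"
+)
+other_assignment = UserRoleAssignment.new(
+user: @user,
+application_role: other_role
+)
+assert other_assignment.valid?
+end
+
+test "should allow same role for different users" do
+other_user = users(:bob)
+other_assignment = UserRoleAssignment.new(
+user: other_user,
+application_role: @role
+)
+assert other_assignment.valid?
+end
+
+test "should validate source" do
+@assignment.source = "invalid_source"
+assert_not @assignment.valid?
+assert_includes @assignment.errors[:source], "is not included in the list"
+end
+
+test "should support valid sources" do %w[oidc manual group_sync].each do |source|
+@assignment.source = source
+assert @assignment.valid?, "Source '#{source}' should be valid"
+end
+end
+
+test "should default to oidc source" do
+new_assignment = UserRoleAssignment.new(
+user: @user,
+application_role: @role
+)
+assert_equal "oidc", new_assignment.source
+end
+
+test "should support metadata" do
+metadata = { "synced_at" => Time.current, "external_source" => "authentik" }
+@assignment.metadata = metadata
+@assignment.save
+assert_equal metadata, @assignment.reload.metadata
+end
+
+test "should identify oidc managed assignments" do
+@assignment.source = "oidc"
+assert @assignment.sync_from_oidc?
+end
+
+test "should not identify manually managed assignments as oidc" do
+@assignment.source = "manual"
+assert_not @assignment.sync_from_oidc?
+end
+end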
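Review bot: `should support metadata` puts a `Time.current` object into the hash and then asserts the original hash equals `reload.metadata`, which only holds if the column hands back an identical Ruby `Time`; with a JSON column the value returns as a string and the assertion fails, and with a serialized column sub-second precision can differ, so the test is fragile against the storage type it is meant to cover. Use a JSON-safe value, `metadata = { "synced_at" => Time.current.iso8601, "external_source" => "authentik" }`, and change the following `@assignment.save` to `@assignment.save!` so a rejected record cannot be mistaken for a persisted one. As in the application-role test, the unique user-role combination is asserted through the validation message alone; a test that bypasses validation and expects `ActiveRecord::RecordNotUnique` would confirm that the schema, not just the model, prevents duplicate grants. In `should support valid sources` the `%w[oidc manual group_sync].each do |source|` block sits on the same line as the test's own `do`; if that is not a rendering artifact, move it to its own indented line.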