refactor: restructure permission handling and enhance Guard functionality

- Introduced a new `createGuard` function to streamline the creation of Guard instances with permissions and roles. - Updated tests in `authorize.spec.ts` to reflect changes in permission checks, ensuring they now return undefined for denied permissions. - Added new `Permission` and `Policy` classes to improve type safety and flexibility in permission management. - Refactored middleware and controller files to utilize the updated permission structure, including context handling for permissions. - Created a new `SystemController.spec.ts` file to test the integration of the new permission system within the SystemController. - Removed legacy permission handling from core security files, consolidating permission logic within the new structure.
2026-03-16 04:27:21 +00:00 · 2025-10-13 18:20:46 +02:00
parent b784e1c1c4
commit 2f88c2216c
26 changed files with 954 additions and 367 deletions
--- a/app/test/auth/authorize/authorize.spec.ts
+++ b/app/test/auth/authorize/authorize.spec.ts
@@ -1,13 +1,36 @@
 import { describe, expect, test } from "bun:test";
-import { Guard } from "auth/authorize/Guard";
-import { Permission } from "core/security/Permission";
+import { Guard, type GuardConfig } from "auth/authorize/Guard";
+import { Permission } from "auth/authorize/Permission";
+import { Role } from "auth/authorize/Role";
+import { objectTransform } from "bknd/utils";
+
+function createGuard(
+   permissionNames: string[],
+   roles?: Record<
+      string,
+      {
+         permissions?: string[];
+         is_default?: boolean;
+         implicit_allow?: boolean;
+      }
+   >,
+   config?: GuardConfig,
+) {
+   const _roles = roles
+      ? objectTransform(roles, ({ permissions = [], is_default, implicit_allow }, name) => {
+           return Role.create({ name, permissions, is_default, implicit_allow });
+        })
+      : {};
+   const _permissions = permissionNames.map((name) => new Permission(name));
+   return new Guard(_permissions, Object.values(_roles), config);
+}

 describe("authorize", () => {
   const read = new Permission("read");
   const write = new Permission("write");

   test("basic", async () => {
-      const guard = Guard.create(
+      const guard = createGuard(
         ["read", "write"],
         {
            admin: {
@@ -20,14 +43,14 @@ describe("authorize", () => {
         role: "admin",
      };

-      expect(guard.granted(read, user)).toBe(true);
-      expect(guard.granted(write, user)).toBe(true);
+      expect(guard.granted(read, user)).toBeUndefined();
+      expect(guard.granted(write, user)).toBeUndefined();

-      expect(() => guard.granted(new Permission("something"))).toThrow();
+      expect(() => guard.granted(new Permission("something"), {})).toThrow();
   });

   test("with default", async () => {
-      const guard = Guard.create(
+      const guard = createGuard(
         ["read", "write"],
         {
            admin: {
@@ -41,26 +64,26 @@ describe("authorize", () => {
         { enabled: true },
      );

-      expect(guard.granted(read)).toBe(true);
-      expect(guard.granted(write)).toBe(false);
+      expect(guard.granted(read, {})).toBeUndefined();
+      expect(() => guard.granted(write, {})).toThrow();

      const user = {
         role: "admin",
      };

-      expect(guard.granted(read, user)).toBe(true);
-      expect(guard.granted(write, user)).toBe(true);
+      expect(guard.granted(read, user)).toBeUndefined();
+      expect(guard.granted(write, user)).toBeUndefined();
   });

   test("guard implicit allow", async () => {
-      const guard = Guard.create([], {}, { enabled: false });
+      const guard = createGuard([], {}, { enabled: false });

-      expect(guard.granted(read)).toBe(true);
-      expect(guard.granted(write)).toBe(true);
+      expect(guard.granted(read, {})).toBeUndefined();
+      expect(guard.granted(write, {})).toBeUndefined();
   });

   test("role implicit allow", async () => {
-      const guard = Guard.create(["read", "write"], {
+      const guard = createGuard(["read", "write"], {
         admin: {
            implicit_allow: true,
         },
@@ -70,12 +93,12 @@ describe("authorize", () => {
         role: "admin",
      };

-      expect(guard.granted(read, user)).toBe(true);
-      expect(guard.granted(write, user)).toBe(true);
+      expect(guard.granted(read, user)).toBeUndefined();
+      expect(guard.granted(write, user)).toBeUndefined();
   });

   test("guard with guest role implicit allow", async () => {
-      const guard = Guard.create(["read", "write"], {
+      const guard = createGuard(["read", "write"], {
         guest: {
            implicit_allow: true,
            is_default: true,
@@ -83,7 +106,7 @@ describe("authorize", () => {
      });

      expect(guard.getUserRole()?.name).toBe("guest");
-      expect(guard.granted(read)).toBe(true);
-      expect(guard.granted(write)).toBe(true);
+      expect(guard.granted(read, {})).toBeUndefined();
+      expect(guard.granted(write, {})).toBeUndefined();
   });
 });