bunny-lab/Borealis-Github-Replica
1
0
Fork 0
mirror of https://github.com/bunny-lab-io/Borealis.git synced 2025-12-15 00:35:47 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
13f37f39b1bc326c8b987b0651f1bb810e0295ed
Borealis-Github-Replica/Data/Engine/tests/assemblies/test_permissions.py

123 lines
4.0 KiB
Python
Raw Blame History

# ======================================================
# Data\Engine\tests\assemblies\test_permissions.py
# Description: Verifies Assembly API domain guards and Dev Mode permissions.
#
# API Endpoints (if applicable): None
# ======================================================
from __future__ import annotations
import base64
from flask.testing import FlaskClient
from Data.Engine.assembly_management.models import AssemblyDomain
from Data.Engine.Unit_Tests.conftest import EngineTestHarness
def _script_document(name: str = "Permission Script") -> dict:
script = 'Write-Host "permissions"'
encoded = base64.b64encode(script.encode("utf-8")).decode("ascii")
return {
"version": 1,
"name": name,
"description": "Permission test script.",
"category": "script",
"type": "powershell",
"script": encoded,
"timeout_seconds": 60,
"sites": {"mode": "all", "values": []},
"variables": [],
"files": [],
"script_encoding": "base64",
}
def _user_client(harness: EngineTestHarness) -> FlaskClient:
client = harness.app.test_client()
with client.session_transaction() as sess:
sess["username"] = "operator"
sess["role"] = "User"
return client
def _admin_client(harness: EngineTestHarness) -> FlaskClient:
client = harness.app.test_client()
with client.session_transaction() as sess:
sess["username"] = "admin"
sess["role"] = "Admin"
return client
def test_non_admin_cannot_write_official_domain(engine_harness: EngineTestHarness) -> None:
client = _user_client(engine_harness)
response = client.post(
"/api/assemblies",
json={
"domain": AssemblyDomain.OFFICIAL.value,
"assembly_kind": "script",
"display_name": "User Attempt",
"summary": "Should fail",
"category": "script",
"assembly_type": "powershell",
"version": 1,
"metadata": {},
"payload": _script_document("User Attempt"),
},
)
assert response.status_code == 403
payload = response.get_json()
assert payload["error"] == "forbidden"
def test_admin_requires_dev_mode_for_official_mutation(engine_harness: EngineTestHarness) -> None:
client = _admin_client(engine_harness)
response = client.post(
"/api/assemblies",
json={
"domain": AssemblyDomain.OFFICIAL.value,
"assembly_kind": "script",
"display_name": "Dev Mode Required",
"summary": "Should request dev mode",
"category": "script",
"assembly_type": "powershell",
"version": 1,
"metadata": {},
"payload": _script_document("Dev Mode Required"),
},
)
assert response.status_code == 403
payload = response.get_json()
assert payload["error"] == "dev_mode_required"
def test_admin_with_dev_mode_can_mutate_official(engine_harness: EngineTestHarness) -> None:
client = _admin_client(engine_harness)
response = client.post("/api/assemblies/dev-mode/switch", json={"enabled": True})
assert response.status_code == 200
assert response.get_json()["dev_mode"] is True
create_response = client.post(
"/api/assemblies",
json={
"domain": AssemblyDomain.OFFICIAL.value,
"assembly_kind": "script",
"display_name": "Official Dev Mode Script",
"summary": "Created while Dev Mode enabled",
"category": "script",
"assembly_type": "powershell",
"version": 1,
"metadata": {},
"payload": _script_document("Official Dev Mode Script"),
},
)
assert create_response.status_code == 201
record = create_response.get_json()
assert record["source"] == AssemblyDomain.OFFICIAL.value
assert record["is_dirty"] is True
flush_response = client.post("/api/assemblies/dev-mode/write")
assert flush_response.status_code == 200
assert flush_response.get_json()["status"] == "flushed"
Reference in New Issue View Git Blame Copy Permalink