mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-05-05 20:36:26 +02:00
Code Issues Projects Releases Wiki Activity
vault/ui/tests/unit/models/capabilities-test.js
Vault Automation 0c6c13dd38
license: update headers to IBM Corp. (#10229) (#10233) 
* license: update headers to IBM Corp.
* `make proto`
* update offset because source file changed

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-10-21 15:20:20 -06:00

155 lines
5.1 KiB
JavaScript
Raw Permalink Blame History

/**
* Copyright IBM Corp. 2016, 2025
* SPDX-License-Identifier: BUSL-1.1
*/
import { module, test } from 'qunit';
import { setupTest } from 'ember-qunit';
import { SUDO_PATHS, SUDO_PATH_PREFIXES } from 'vault/models/capabilities';
import { run } from '@ember/runloop';
const CAPABILITIES = {
canCreate: 'create',
canRead: 'read',
canUpdate: 'update',
canDelete: 'delete',
canList: 'list',
canPatch: 'patch',
};
module('Unit | Model | capabilities', function (hooks) {
setupTest(hooks);
test('it exists', function (assert) {
const model = run(() => this.owner.lookup('service:store').createRecord('capabilities'));
assert.ok(!!model);
});
test('it computes capabilities', function (assert) {
const model = run(() =>
this.owner.lookup('service:store').createRecord('capabilities', {
path: 'foo',
capabilities: ['list', 'read'],
})
);
assert.ok(model.get('canRead'));
assert.ok(model.get('canList'));
assert.notOk(model.get('canUpdate'));
assert.notOk(model.get('canDelete'));
});
for (const capability in CAPABILITIES) {
test(`it computes capability: ${capability}`, function (assert) {
const permission = CAPABILITIES[capability];
const model = run(() =>
this.owner.lookup('service:store').createRecord('capabilities', {
path: 'foo',
capabilities: [permission],
})
);
assert.true(model.get(capability), `${capability} is true`);
const falsyCapabilities = Object.keys(CAPABILITIES).filter((c) => c !== capability);
falsyCapabilities.forEach((c) => {
assert.false(model.get(c), `${c} is false`);
});
});
}
test('it allows everything if root is present', function (assert) {
const model = run(() =>
this.owner.lookup('service:store').createRecord('capabilities', {
path: 'foo',
capabilities: ['root', 'deny', 'read'],
})
);
Object.keys(CAPABILITIES).forEach((c) => {
assert.true(model.get(c), `${c} is true`);
});
});
test('it denies everything if deny is present', function (assert) {
const model = run(() =>
this.owner.lookup('service:store').createRecord('capabilities', {
path: 'foo',
capabilities: ['sudo', 'deny', 'read'],
})
);
Object.keys(CAPABILITIES).forEach((c) => {
assert.false(model.get(c), `${c} is false`);
});
});
test('it requires sudo on sudo paths', function (assert) {
const model = run(() =>
this.owner.lookup('service:store').createRecord('capabilities', {
path: SUDO_PATHS[0],
capabilities: ['sudo', 'read'],
})
);
assert.ok(model.get('canRead'));
assert.notOk(model.get('canCreate'), 'sudo requires the capability to be set as well');
assert.notOk(model.get('canUpdate'));
assert.notOk(model.get('canDelete'));
assert.notOk(model.get('canList'));
});
test('it requires sudo on sudo paths prefixes', function (assert) {
const model = run(() =>
this.owner.lookup('service:store').createRecord('capabilities', {
path: SUDO_PATH_PREFIXES[0] + '/foo',
capabilities: ['sudo', 'read'],
})
);
assert.ok(model.get('canRead'));
assert.notOk(model.get('canCreate'), 'sudo requires the capability to be set as well');
assert.notOk(model.get('canUpdate'));
assert.notOk(model.get('canDelete'));
assert.notOk(model.get('canList'));
});
test('it does not require sudo on sys/leases/revoke if update capability is present and path is not fully a sudo prefix', function (assert) {
const model = run(() =>
this.owner.lookup('service:store').createRecord('capabilities', {
path: 'sys/leases/revoke',
capabilities: ['update', 'read'],
})
);
assert.ok(model.get('canRead'));
assert.notOk(model.get('canCreate'), 'sudo requires the capability to be set as well');
assert.ok(model.get('canUpdate'), 'should not require sudo if it has update');
assert.notOk(model.get('canDelete'));
assert.notOk(model.get('canList'));
});
test('it requires sudo on prefix path even if capability is present', function (assert) {
const model = run(() =>
this.owner.lookup('service:store').createRecord('capabilities', {
path: SUDO_PATH_PREFIXES[0] + '/aws',
capabilities: ['update', 'read'],
})
);
assert.notOk(model.get('canRead'));
assert.notOk(model.get('canCreate'));
assert.notOk(model.get('canUpdate'), 'should still require sudo');
assert.notOk(model.get('canDelete'));
assert.notOk(model.get('canList'));
});
test('it does not require sudo on prefix path if both update and sudo capabilities are present', function (assert) {
const model = run(() =>
this.owner.lookup('service:store').createRecord('capabilities', {
path: SUDO_PATH_PREFIXES[0] + '/aws',
capabilities: ['sudo', 'update', 'read'],
})
);
assert.ok(model.get('canRead'));
assert.notOk(model.get('canCreate'));
assert.ok(model.get('canUpdate'), 'should not require sudo');
assert.notOk(model.get('canDelete'));
assert.notOk(model.get('canList'));
});
});
Reference in New Issue View Git Blame Copy Permalink