From 097c0f074ca2b2106459f312a6df7154a397e7ae Mon Sep 17 00:00:00 2001
From: Alexander Borg
Date: Sat, 13 Sep 2025 14:15:45 +0200
Subject: [PATCH] Fix jwt-token

---
 server/test-rbac.js | 327 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 327 insertions(+)

diff --git a/server/test-rbac.js b/server/test-rbac.js
index e69de29..19e4358 100644
--- a/server/test-rbac.js
+++ b/server/test-rbac.js
@@ -0,0 +1,327 @@
+/**
+ * Comprehensive RBAC System Test Suite
+ * Tests granular permissions for all roles and provides detailed analysis
+ */
+
+const { hasPermission, ROLES, PERMISSIONS } = require('./middleware/rbac');
+
+// Mock users with different roles
+const testUsers = {
+ admin: {
+ id: 1,
+ username: 'super_admin',
+ role: 'admin'
+ },
+ user_admin: {
+ id: 2,
+ username: 'user_manager',
+ role: 'user_admin'
+ },
+ security_admin: {
+ id: 3,
+ username: 'security_manager',
+ role: 'security_admin'
+ },
+ branding_admin: {
+ id: 4,
+ username: 'branding_manager',
+ role: 'branding_admin'
+ },
+ operator: {
+ id: 5,
+ username: 'device_operator',
+ role: 'operator'
+ },
+ viewer: {
+ id: 6,
+ username: 'read_only_user',
+ role: 'viewer'
+ }
+};
+
+// Comprehensive test scenarios for each role
+const testScenarios = [
+ {
+ name: 'Admin - Full System Access',
+ user: testUsers.admin,
+ description: 'Should have access to all system functions',
+ tests: [
+ { permission: 'tenant.view', expected: true, category: 'Tenant' },
+ { permission: 'tenant.edit', expected: true, category: 'Tenant' },
+ { permission: 'branding.view', expected: true, category: 'Branding' },
+ { permission: 'branding.edit', expected: true, category: 'Branding' },
+ { permission: 'security.view', expected: true, category: 'Security' },
+ { permission: 'security.edit', expected: true, category: 'Security' },
+ { permission: 'users.view', expected: true, category: 'Users' },
+ { permission: 'users.create', expected: true, category: 'Users' },
+ { permission: 'users.edit', expected: true, category: 'Users' },
+ { permission: 'users.delete', expected: true, category: 'Users' },
+ { permission: 'users.manage_roles', expected: true, category: 'Users' },
+ { permission: 'auth.view', expected: true, category: 'Authentication' },
+ { permission: 'auth.edit', expected: true, category: 'Authentication' },
+ { permission: 'devices.manage', expected: true, category: 'Devices' },
+ { permission: 'debug.access', expected: true, category: 'Debug' }
+ ]
+ },
+ {
+ name: 'User Admin - User Management Specialist',
+ user: testUsers.user_admin,
+ description: 'Should only manage users, not system settings',
+ tests: [
+ { permission: 'tenant.view', expected: true, category: 'Tenant' },
+ { permission: 'tenant.edit', expected: false, category: 'Tenant' },
+ { permission: 'branding.view', expected: false, category: 'Branding' },
+ { permission: 'branding.edit', expected: false, category: 'Branding' },
+ { permission: 'security.view', expected: false, category: 'Security' },
+ { permission: 'security.edit', expected: false, category: 'Security' },
+ { permission: 'users.view', expected: true, category: 'Users' },
+ { permission: 'users.create', expected: true, category: 'Users' },
+ { permission: 'users.edit', expected: true, category: 'Users' },
+ { permission: 'users.delete', expected: true, category: 'Users' },
+ { permission: 'users.manage_roles', expected: true, category: 'Users' },
+ { permission: 'auth.view', expected: false, category: 'Authentication' },
+ { permission: 'auth.edit', expected: false, category: 'Authentication' },
+ { permission: 'devices.manage', expected: false, category: 'Devices' },
+ { permission: 'debug.access', expected: false, category: 'Debug' }
+ ]
+ },
+ {
+ name: 'Security Admin - Security Specialist',
+ user: testUsers.security_admin,
+ description: 'Should only manage security and authentication settings',
+ tests: [
+ { permission: 'tenant.view', expected: true, category: 'Tenant' },
+ { permission: 'tenant.edit', expected: false, category: 'Tenant' },
+ { permission: 'branding.view', expected: false, category: 'Branding' },
+ { permission: 'branding.edit', expected: false, category: 'Branding' },
+ { permission: 'security.view', expected: true, category: 'Security' },
+ { permission: 'security.edit', expected: true, category: 'Security' },
+ { permission: 'users.view', expected: true, category: 'Users' },
+ { permission: 'users.create', expected: false, category: 'Users' },
+ { permission: 'users.edit', expected: false, category: 'Users' },
+ { permission: 'users.delete', expected: false, category: 'Users' },
+ { permission: 'users.manage_roles', expected: false, category: 'Users' },
+ { permission: 'auth.view', expected: true, category: 'Authentication' },
+ { permission: 'auth.edit', expected: true, category: 'Authentication' },
+ { permission: 'devices.manage', expected: false, category: 'Devices' },
+ { permission: 'debug.access', expected: false, category: 'Debug' }
+ ]
+ },
+ {
+ name: 'Branding Admin - Branding Specialist',
+ user: testUsers.branding_admin,
+ description: 'Should only manage branding and visual customization',
+ tests: [
+ { permission: 'tenant.view', expected: true, category: 'Tenant' },
+ { permission: 'tenant.edit', expected: false, category: 'Tenant' },
+ { permission: 'branding.view', expected: true, category: 'Branding' },
+ { permission: 'branding.edit', expected: true, category: 'Branding' },
+ { permission: 'security.view', expected: false, category: 'Security' },
+ { permission: 'security.edit', expected: false, category: 'Security' },
+ { permission: 'users.view', expected: false, category: 'Users' },
+ { permission: 'users.create', expected: false, category: 'Users' },
+ { permission: 'users.edit', expected: false, category: 'Users' },
+ { permission: 'users.delete', expected: false, category: 'Users' },
+ { permission: 'users.manage_roles', expected: false, category: 'Users' },
+ { permission: 'auth.view', expected: false, category: 'Authentication' },
+ { permission: 'auth.edit', expected: false, category: 'Authentication' },
+ { permission: 'devices.manage', expected: false, category: 'Devices' },
+ { permission: 'debug.access', expected: false, category: 'Debug' }
+ ]
+ },
+ {
+ name: 'Operator - Limited Operational Access',
+ user: testUsers.operator,
+ description: 'Should have basic operational access without admin privileges',
+ tests: [
+ { permission: 'tenant.view', expected: true, category: 'Tenant' },
+ { permission: 'tenant.edit', expected: false, category: 'Tenant' },
+ { permission: 'branding.view', expected: false, category: 'Branding' },
+ { permission: 'branding.edit', expected: false, category: 'Branding' },
+ { permission: 'security.view', expected: false, category: 'Security' },
+ { permission: 'security.edit', expected: false, category: 'Security' },
+ { permission: 'users.view', expected: false, category: 'Users' },
+ { permission: 'users.create', expected: false, category: 'Users' },
+ { permission: 'users.edit', expected: false, category: 'Users' },
+ { permission: 'users.delete', expected: false, category: 'Users' },
+ { permission: 'users.manage_roles', expected: false, category: 'Users' },
+ { permission: 'auth.view', expected: false, category: 'Authentication' },
+ { permission: 'auth.edit', expected: false, category: 'Authentication' },
+ { permission: 'devices.manage', expected: true, category: 'Devices' },
+ { permission: 'debug.access', expected: false, category: 'Debug' }
+ ]
+ },
+ {
+ name: 'Viewer - Read-Only Access',
+ user: testUsers.viewer,
+ description: 'Should only have read access to basic information',
+ tests: [
+ { permission: 'tenant.view', expected: false, category: 'Tenant' },
+ { permission: 'tenant.edit', expected: false, category: 'Tenant' },
+ { permission: 'branding.view', expected: false, category: 'Branding' },
+ { permission: 'branding.edit', expected: false, category: 'Branding' },
+ { permission: 'security.view', expected: false, category: 'Security' },
+ { permission: 'security.edit', expected: false, category: 'Security' },
+ { permission: 'users.view', expected: false, category: 'Users' },
+ { permission: 'users.create', expected: false, category: 'Users' },
+ { permission: 'users.edit', expected: false, category: 'Users' },
+ { permission: 'users.delete', expected: false, category: 'Users' },
+ { permission: 'users.manage_roles', expected: false, category: 'Users' },
+ { permission: 'auth.view', expected: false, category: 'Authentication' },
+ { permission: 'auth.edit', expected: false, category: 'Authentication' },
+ { permission: 'devices.manage', expected: false, category: 'Devices' },
+ { permission: 'debug.access', expected: false, category: 'Debug' }
+ ]
+ }
+];
+
+// Console formatting helpers
+const colors = {
+ reset: '\x1b[0m',
+ bright: '\x1b[1m',
+ red: '\x1b[31m',
+ green: '\x1b[32m',
+ yellow: '\x1b[33m',
+ blue: '\x1b[34m',
+ magenta: '\x1b[35m',
+ cyan: '\x1b[36m'
+};
+
+function colorText(text, color) {
+ return `${colors[color]}${text}${colors.reset}`;
+}
+
+// Main test execution
+console.log(colorText('๐Ÿงช COMPREHENSIVE RBAC SYSTEM TEST SUITE', 'bright'));
+console.log(colorText('=' .repeat(60), 'cyan'));
+console.log();
+
+// Display system overview
+console.log(colorText('๐Ÿ“‹ RBAC System Overview:', 'blue'));
+console.log();
+
+console.log(colorText('Available Roles:', 'cyan'));
+Object.entries(ROLES).forEach(([role, permissions]) => {
+ console.log(` ${colorText('โ—', 'green')} ${colorText(role, 'bright')}: ${permissions.length} permissions`);
+ console.log(` ${permissions.slice(0, 5).join(', ')}${permissions.length > 5 ? '...' : ''}`);
+});
+
+console.log();
+console.log(colorText('Available Permissions:', 'cyan'));
+const permissionsByCategory = {};
+Object.keys(PERMISSIONS).forEach(permission => {
+ const category = permission.split('.')[0];
+ if (!permissionsByCategory[category]) {
+ permissionsByCategory[category] = [];
+ }
+ permissionsByCategory[category].push(permission);
+});
+
+Object.entries(permissionsByCategory).forEach(([category, permissions]) => {
+ console.log(` ${colorText('โ—', 'yellow')} ${colorText(category.toUpperCase(), 'bright')}: ${permissions.join(', ')}`);
+});
+
+console.log();
+console.log(colorText('๐Ÿ” RUNNING PERMISSION TESTS:', 'blue'));
+console.log(colorText('=' .repeat(60), 'cyan'));
+
+// Test execution
+let totalTests = 0;
+let passedTests = 0;
+const results = {};
+
+testScenarios.forEach(scenario => {
+ console.log();
+ console.log(colorText(`๐Ÿ‘ค ${scenario.name}`, 'bright'));
+ console.log(colorText(` ${scenario.description}`, 'yellow'));
+ console.log(colorText('โ”€'.repeat(60), 'cyan'));
+
+ results[scenario.user.role] = {
+ passed: 0,
+ failed: 0,
+ details: {}
+ };
+
+ // Group tests by category for better organization
+ const testsByCategory = {};
+ scenario.tests.forEach(test => {
+ if (!testsByCategory[test.category]) {
+ testsByCategory[test.category] = [];
+ }
+ testsByCategory[test.category].push(test);
+ });
+
+ Object.entries(testsByCategory).forEach(([category, tests]) => {
+ console.log(colorText(` ๐Ÿ“ ${category}:`, 'magenta'));
+
+ tests.forEach(test => {
+ totalTests++;
+ const result = hasPermission(scenario.user, test.permission);
+ const passed = result === test.expected;
+
+ if (passed) {
+ passedTests++;
+ results[scenario.user.role].passed++;
+ } else {
+ results[scenario.user.role].failed++;
+ }
+
+ const status = passed ? colorText('โœ…', 'green') : colorText('โŒ', 'red');
+ const expectedText = test.expected ? colorText('ALLOW', 'green') : colorText('DENY', 'red');
+ const actualText = result ? colorText('ALLOW', 'green') : colorText('DENY', 'red');
+
+ console.log(` ${status} ${test.permission}: Expected ${expectedText}, Got ${actualText}`);
+
+ if (!results[scenario.user.role].details[category]) {
+ results[scenario.user.role].details[category] = { passed: 0, failed: 0 };
+ }
+ results[scenario.user.role].details[category][passed ? 'passed' : 'failed']++;
+ });
+ });
+});
+
+console.log();
+console.log(colorText('๐Ÿ“Š DETAILED TEST RESULTS:', 'blue'));
+console.log(colorText('=' .repeat(60), 'cyan'));
+
+// Display detailed results
+Object.entries(results).forEach(([role, result]) => {
+ const total = result.passed + result.failed;
+ const successRate = Math.round((result.passed / total) * 100);
+ const statusColor = successRate === 100 ? 'green' : successRate >= 80 ? 'yellow' : 'red';
+
+ console.log();
+ console.log(colorText(`๐Ÿ” ${role.toUpperCase()}:`, 'bright'));
+ console.log(` Overall: ${colorText(result.passed, 'green')}/${total} (${colorText(successRate + '%', statusColor)})`);
+
+ Object.entries(result.details).forEach(([category, details]) => {
+ const categoryTotal = details.passed + details.failed;
+ const categoryRate = Math.round((details.passed / categoryTotal) * 100);
+ const categoryColor = categoryRate === 100 ? 'green' : categoryRate >= 80 ? 'yellow' : 'red';
+ console.log(` ${category}: ${colorText(details.passed, 'green')}/${categoryTotal} (${colorText(categoryRate + '%', categoryColor)})`);
+ });
+});
+
+console.log();
+console.log(colorText('๐Ÿ“ˆ SUMMARY:', 'blue'));
+console.log(colorText('โ”€'.repeat(30), 'cyan'));
+console.log(`Total Tests: ${totalTests}`);
+console.log(`Passed: ${colorText(passedTests, 'green')}`);
+console.log(`Failed: ${colorText(totalTests - passedTests, totalTests > passedTests ? 'red' : 'green')}`);
+console.log(`Success Rate: ${colorText(Math.round((passedTests/totalTests) * 100) + '%', passedTests === totalTests ? 'green' : 'yellow')}`);
+
+console.log();
+if (passedTests === totalTests) {
+ console.log(colorText('๐ŸŽ‰ ALL TESTS PASSED! RBAC system is working correctly.', 'green'));
+ console.log(colorText('โœ“ Role separation is properly enforced', 'green'));
+ console.log(colorText('โœ“ Granular permissions are functioning as expected', 'green'));
+ console.log(colorText('โœ“ Security boundaries are maintained', 'green'));
+} else {
+ console.log(colorText('โš ๏ธ SOME TESTS FAILED!', 'red'));
+ console.log(colorText('Please review the RBAC configuration and role definitions.', 'yellow'));
+ console.log(colorText('Failed tests indicate potential security vulnerabilities.', 'red'));
+}
+
+console.log();
+console.log(colorText('๐Ÿ” Security Validation Complete', 'cyan'));
+console.log(colorText('=' .repeat(60), 'cyan'));
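Review bot: The script never sets a non-zero exit status, so when `passedTests !== totalTests` the `SOME TESTS FAILED!` branch at the end of the hunk only prints and any CI job running this file still reports success; set the status from the tally, e.g. `process.exitCode = passedTests === totalTests ? 0 : 1;` after the summary block. The scenarios also only exercise the six well-formed users in `testUsers`, so `hasPermission` is never called with a role that is absent from `ROLES` or with a user missing `role` entirely — a fail-open default in the middleware would pass this suite unnoticed. One additional scenario with a user such as `{ id: 7, username: 'unknown_role_user', role: 'does_not_exist' }` (and one with no `role` property) expecting `false` for every permission would pin the default-deny behaviour the closing "Security boundaries are maintained" message asserts. The per-role `successRate` divides by `total`, which is fine for these fixtures but would yield NaN for an empty `tests` array; a guard is optional given the data is static.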