|
| 1 | +// Copyright (c) 2026 ObjectStack. Licensed under the Apache-2.0 license. |
| 2 | +// ADR-0090 D6 — access-matrix snapshot: pure build + semantic diff. |
| 3 | + |
| 4 | +import { describe, it, expect } from 'vitest'; |
| 5 | +import { buildAccessMatrix, diffAccessMatrix } from './build-access-matrix.js'; |
| 6 | + |
| 7 | +const STACK = { |
| 8 | + objects: [ |
| 9 | + { name: 'crm_lead', sharingModel: 'private' }, |
| 10 | + { name: 'crm_account', sharingModel: 'public_read' }, |
| 11 | + ], |
| 12 | + permissions: [ |
| 13 | + { |
| 14 | + name: 'sales_user', |
| 15 | + objects: { |
| 16 | + crm_lead: { allowRead: true, allowCreate: true, allowEdit: true, readScope: 'unit' }, |
| 17 | + crm_account: { allowRead: true }, |
| 18 | + }, |
| 19 | + }, |
| 20 | + { |
| 21 | + name: 'crm_admin', |
| 22 | + objects: { |
| 23 | + crm_lead: { allowRead: true, allowCreate: true, allowEdit: true, allowDelete: true, viewAllRecords: true }, |
| 24 | + }, |
| 25 | + }, |
| 26 | + ], |
| 27 | +}; |
| 28 | + |
| 29 | +describe('buildAccessMatrix (ADR-0090 D6)', () => { |
| 30 | + it('derives one sorted row per (set × object) with OWD context', () => { |
| 31 | + const m = buildAccessMatrix(STACK); |
| 32 | + expect(m.version).toBe(1); |
| 33 | + expect(m.entries.map((e) => `${e.permissionSet}/${e.object}`)).toEqual([ |
| 34 | + 'crm_admin/crm_lead', |
| 35 | + 'sales_user/crm_account', |
| 36 | + 'sales_user/crm_lead', |
| 37 | + ]); |
| 38 | + const lead = m.entries.find((e) => e.permissionSet === 'sales_user' && e.object === 'crm_lead')!; |
| 39 | + expect(lead).toMatchObject({ create: true, read: true, edit: true, delete: false, readScope: 'unit', sharingModel: 'private' }); |
| 40 | + // VAMA implies the read bit even without allowRead. |
| 41 | + const admin = m.entries.find((e) => e.permissionSet === 'crm_admin')!; |
| 42 | + expect(admin.viewAllRecords).toBe(true); |
| 43 | + expect(admin.read).toBe(true); |
| 44 | + }); |
| 45 | + |
| 46 | + it('is deterministic (same input → identical JSON)', () => { |
| 47 | + expect(JSON.stringify(buildAccessMatrix(STACK))).toBe(JSON.stringify(buildAccessMatrix(STACK))); |
| 48 | + }); |
| 49 | +}); |
| 50 | + |
| 51 | +describe('diffAccessMatrix (semantic review lines)', () => { |
| 52 | + it('identical matrices produce no lines', () => { |
| 53 | + expect(diffAccessMatrix(buildAccessMatrix(STACK), buildAccessMatrix(STACK))).toEqual([]); |
| 54 | + }); |
| 55 | + |
| 56 | + it('reports gained bits by name — the crm_admin-gains-delete shape', () => { |
| 57 | + const before = buildAccessMatrix(STACK); |
| 58 | + const after = buildAccessMatrix(JSON.parse(JSON.stringify(STACK))); |
| 59 | + const sales = (after.entries as any[]).find((e) => e.permissionSet === 'sales_user' && e.object === 'crm_lead'); |
| 60 | + sales.delete = true; |
| 61 | + const lines = diffAccessMatrix(before, after); |
| 62 | + expect(lines).toEqual(["'sales_user' gains delete on 'crm_lead'"]); |
| 63 | + }); |
| 64 | + |
| 65 | + it('reports depth changes, entry additions/removals, and OWD swings', () => { |
| 66 | + const before = buildAccessMatrix(STACK); |
| 67 | + const mutated = JSON.parse(JSON.stringify(STACK)); |
| 68 | + mutated.permissions[0].objects.crm_lead.readScope = 'org'; // depth widened |
| 69 | + delete mutated.permissions[0].objects.crm_account; // entry removed |
| 70 | + mutated.permissions[1].objects.crm_account = { allowRead: true }; // entry added |
| 71 | + mutated.objects[0].sharingModel = 'public_read_write'; // OWD swing |
| 72 | + const lines = diffAccessMatrix(before, buildAccessMatrix(mutated)); |
| 73 | + expect(lines.some((l) => l.includes("read depth on 'crm_lead': unit → org"))).toBe(true); |
| 74 | + expect(lines.some((l) => l.includes("'sales_user' loses ALL access to 'crm_account'"))).toBe(true); |
| 75 | + expect(lines.some((l) => l.includes("'crm_admin' gains access to 'crm_account'"))).toBe(true); |
| 76 | + expect(lines.some((l) => l.includes('record baseline (OWD): private → public_read_write'))).toBe(true); |
| 77 | + }); |
| 78 | +}); |
0 commit comments