ultisuite-backend/internal/permission/permission_test.go


package permission
import "testing"
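// TestHasRole pins how HasRole matches a role against a list of group names.
//
// The table records the behaviours the authorization layer relies on: the
// prefixed form ("role:admin") and the bare form ("admin") are both accepted
// for RoleAdmin, a different role ("role:user") does not satisfy RoleAdmin,
// and a group name padded with spaces (" role:service ") still matches.
//
// NOTE(review): only one negative case is covered. An empty or nil group
// list and near-miss group names are not exercised here; add them once the
// intended result is confirmed against HasRole.
func TestHasRole(t *testing.T) {
	tests := []struct {
		groups []string
		role   Role
		want   bool
	}{
		{[]string{"role:admin"}, RoleAdmin, true},
		// Bare alias: a group literally named "admin" grants the admin role.
		{[]string{"admin"}, RoleAdmin, true},
		{[]string{"role:user"}, RoleAdmin, false},
		// Leading and trailing spaces in the group name are tolerated.
		{[]string{" role:service "}, RoleService, true},
	}
	for _, tt := range tests {
		got := HasRole(tt.groups, tt.role)
		if got != tt.want {
			// Errorf, not Fatalf: one failing row must not hide the result
			// of the remaining rows in the same run.
			t.Errorf("HasRole(%v, %q) = %v, want %v", tt.groups, tt.role, got, tt.want)
		}
	}
}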
// TestHasPermissionHierarchy checks that a "drive:write" grant satisfies the
// read and write levels on ResourceDrive but is refused at the admin level,
// i.e. a level implies the ones below it and never the one above.
func TestHasPermissionHierarchy(t *testing.T) {
	granted := []string{"drive:write"}

	// expect aborts the test with the given message when ok is false.
	expect := func(ok bool, failure string) {
		t.Helper()
		if !ok {
			t.Fatal(failure)
		}
	}

	expect(HasPermission(granted, ResourceDrive, LevelRead), "write should satisfy read")
	expect(HasPermission(granted, ResourceDrive, LevelWrite), "write should satisfy write")
	// The escalation case: write must not be enough for admin.
	expect(!HasPermission(granted, ResourceDrive, LevelAdmin), "write should not satisfy admin")
}
// TestHasPermissionAdminBypass checks that a caller whose only group is
// "role:admin" is granted the admin level on ResourcePhotos even though no
// photos-specific group is present.
//
// NOTE(review): this bypass is the widest grant in the package; only the
// prefixed "role:admin" form is exercised here, on a single resource.
func TestHasPermissionAdminBypass(t *testing.T) {
	allowed := HasPermission([]string{"role:admin"}, ResourcePhotos, LevelAdmin)
	if allowed {
		return
	}
	t.Fatal("platform admin should bypass resource checks")
}
// TestHasPermissionResourceAdmin checks that a "calendar:admin" grant
// satisfies the read, write and admin levels on ResourceCalendar.
func TestHasPermissionResourceAdmin(t *testing.T) {
	granted := []string{"calendar:admin"}

	// Cases are evaluated top to bottom and the first failing level aborts
	// the test, the same order as three consecutive checks.
	switch {
	case !HasPermission(granted, ResourceCalendar, LevelRead):
		t.Fatal("resource admin should satisfy read")
	case !HasPermission(granted, ResourceCalendar, LevelWrite):
		t.Fatal("resource admin should satisfy write")
	case !HasPermission(granted, ResourceCalendar, LevelAdmin):
		t.Fatal("resource admin should satisfy admin")
	}
}
// TestHasPermissionIsolation checks that a "contacts:read" grant works on
// ResourceContacts and does not carry over to ResourceDrive.
//
// NOTE(review): a single resource pair is checked; the other resources are
// not covered by this test.
func TestHasPermissionIsolation(t *testing.T) {
	granted := []string{"contacts:read"}

	onOwnResource := HasPermission(granted, ResourceContacts, LevelRead)
	if !onOwnResource {
		t.Fatal("expected contacts read")
	}

	// The cross-resource check: a grant scoped to one resource must be
	// refused on another.
	onOtherResource := HasPermission(granted, ResourceDrive, LevelRead)
	if onOtherResource {
		t.Fatal("contacts permission must not grant drive access")
	}
}