d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
184 lines
6.4 KiB
TypeScript
184 lines
6.4 KiB
TypeScript
/**
|
|
* @vitest-environment node
|
|
*/
|
|
import { beforeEach, describe, expect, it, vi } from 'vitest'
|
|
import type { AccessControlConfig } from '@/lib/auth/access-control'
|
|
|
|
const { mockFetch, envRef, flagRef } = vi.hoisted(() => ({
|
|
mockFetch: vi.fn(),
|
|
envRef: {
|
|
APPCONFIG_APPLICATION: 'sim-staging' as string | undefined,
|
|
APPCONFIG_ENVIRONMENT: 'staging' as string | undefined,
|
|
BLOCKED_SIGNUP_DOMAINS: undefined as string | undefined,
|
|
BLOCKED_EMAILS: undefined as string | undefined,
|
|
ALLOWED_LOGIN_EMAILS: undefined as string | undefined,
|
|
ALLOWED_LOGIN_DOMAINS: undefined as string | undefined,
|
|
BLOCKED_EMAIL_MX_HOSTS: undefined as string | undefined,
|
|
},
|
|
flagRef: { isAppConfigEnabled: false },
|
|
}))
|
|
|
|
vi.mock('@/lib/core/config/appconfig', () => ({
|
|
fetchAppConfigProfile: mockFetch,
|
|
}))
|
|
|
|
vi.mock('@/lib/core/config/env', () => ({
|
|
get env() {
|
|
return envRef
|
|
},
|
|
}))
|
|
|
|
vi.mock('@/lib/core/config/env-flags', () => ({
|
|
get isAppConfigEnabled() {
|
|
return flagRef.isAppConfigEnabled
|
|
},
|
|
}))
|
|
|
|
import {
|
|
getAccessControlConfig,
|
|
isEmailBlockedByAccessControl,
|
|
isEmailInDenylist,
|
|
} from '@/lib/auth/access-control'
|
|
|
|
const empty: AccessControlConfig = {
|
|
blockedSignupDomains: [],
|
|
blockedEmails: [],
|
|
allowedLoginEmails: [],
|
|
allowedLoginDomains: [],
|
|
blockedEmailMxHosts: [],
|
|
}
|
|
|
|
describe('getAccessControlConfig', () => {
|
|
beforeEach(() => {
|
|
vi.clearAllMocks()
|
|
flagRef.isAppConfigEnabled = false
|
|
Object.assign(envRef, {
|
|
BLOCKED_SIGNUP_DOMAINS: undefined,
|
|
BLOCKED_EMAILS: undefined,
|
|
ALLOWED_LOGIN_EMAILS: undefined,
|
|
ALLOWED_LOGIN_DOMAINS: undefined,
|
|
BLOCKED_EMAIL_MX_HOSTS: undefined,
|
|
})
|
|
})
|
|
|
|
describe('env fallback (AppConfig disabled)', () => {
|
|
it('returns empty lists when nothing is set', async () => {
|
|
expect(await getAccessControlConfig()).toEqual(empty)
|
|
expect(mockFetch).not.toHaveBeenCalled()
|
|
})
|
|
|
|
it('parses, trims, lowercases, and dedupes csv env vars', async () => {
|
|
envRef.BLOCKED_SIGNUP_DOMAINS = 'Gmail.com, yahoo.com ,gmail.com,'
|
|
envRef.BLOCKED_EMAILS = 'Spam@Evil.com, spam@evil.com'
|
|
envRef.ALLOWED_LOGIN_DOMAINS = 'Sim.ai'
|
|
const result = await getAccessControlConfig()
|
|
expect(result.blockedSignupDomains).toEqual(['gmail.com', 'yahoo.com'])
|
|
expect(result.blockedEmails).toEqual(['spam@evil.com'])
|
|
expect(result.allowedLoginDomains).toEqual(['sim.ai'])
|
|
expect(mockFetch).not.toHaveBeenCalled()
|
|
})
|
|
})
|
|
|
|
describe('AppConfig source (enabled)', () => {
|
|
beforeEach(() => {
|
|
flagRef.isAppConfigEnabled = true
|
|
})
|
|
|
|
it('reads the access-control profile and normalizes the payload', async () => {
|
|
mockFetch.mockImplementation((_ids, parse) =>
|
|
Promise.resolve(
|
|
parse({
|
|
blockedSignupDomains: ['X.com'],
|
|
allowedLoginDomains: ['sim.ai'],
|
|
blockedEmailMxHosts: 'not-an-array',
|
|
})
|
|
)
|
|
)
|
|
|
|
const result = await getAccessControlConfig()
|
|
expect(result.blockedSignupDomains).toEqual(['x.com'])
|
|
expect(result.allowedLoginDomains).toEqual(['sim.ai'])
|
|
expect(result.blockedEmailMxHosts).toEqual([])
|
|
expect(mockFetch).toHaveBeenCalledWith(
|
|
{ application: 'sim-staging', environment: 'staging', profile: 'access-control' },
|
|
expect.any(Function)
|
|
)
|
|
})
|
|
|
|
it('falls back to env vars when the fetch yields null', async () => {
|
|
envRef.BLOCKED_SIGNUP_DOMAINS = 'spam.example'
|
|
mockFetch.mockResolvedValue(null)
|
|
const result = await getAccessControlConfig()
|
|
expect(result.blockedSignupDomains).toEqual(['spam.example'])
|
|
})
|
|
})
|
|
})
|
|
|
|
describe('isEmailInDenylist', () => {
|
|
it('returns false when denylist is null, empty, or email is missing', () => {
|
|
expect(isEmailInDenylist('a@example.com', null)).toBe(false)
|
|
expect(isEmailInDenylist('a@example.com', [])).toBe(false)
|
|
expect(isEmailInDenylist(null, ['example.com'])).toBe(false)
|
|
expect(isEmailInDenylist(undefined, ['example.com'])).toBe(false)
|
|
expect(isEmailInDenylist('', ['example.com'])).toBe(false)
|
|
})
|
|
|
|
it('returns false when email has no @', () => {
|
|
expect(isEmailInDenylist('not-an-email', ['example.com'])).toBe(false)
|
|
})
|
|
|
|
it('matches exact domain', () => {
|
|
expect(isEmailInDenylist('user@dpdns.org', ['dpdns.org'])).toBe(true)
|
|
expect(isEmailInDenylist('user@DPDNS.ORG', ['dpdns.org'])).toBe(true)
|
|
})
|
|
|
|
it('matches arbitrary-depth subdomains of a listed parent zone', () => {
|
|
expect(isEmailInDenylist('user@xx.lucky04.dpdns.org', ['dpdns.org'])).toBe(true)
|
|
expect(isEmailInDenylist('user@a.b.c.qzz.io', ['qzz.io'])).toBe(true)
|
|
})
|
|
|
|
it('does not match look-alike domains', () => {
|
|
expect(isEmailInDenylist('user@xdpdns.org', ['dpdns.org'])).toBe(false)
|
|
expect(isEmailInDenylist('user@notdpdns.org', ['dpdns.org'])).toBe(false)
|
|
})
|
|
|
|
it('does not match disallowed domains', () => {
|
|
expect(isEmailInDenylist('user@gmail.com', ['dpdns.org', 'qzz.io'])).toBe(false)
|
|
expect(isEmailInDenylist('user@example.com', ['dpdns.org'])).toBe(false)
|
|
})
|
|
|
|
it('handles multiple denylist entries', () => {
|
|
const denylist = ['dpdns.org', 'qzz.io', 'cc.cd']
|
|
expect(isEmailInDenylist('user@foo.dpdns.org', denylist)).toBe(true)
|
|
expect(isEmailInDenylist('user@bar.qzz.io', denylist)).toBe(true)
|
|
expect(isEmailInDenylist('user@baz.cc.cd', denylist)).toBe(true)
|
|
expect(isEmailInDenylist('user@example.com', denylist)).toBe(false)
|
|
})
|
|
})
|
|
|
|
describe('isEmailBlockedByAccessControl', () => {
|
|
const config: AccessControlConfig = {
|
|
...empty,
|
|
blockedSignupDomains: ['bad.com'],
|
|
blockedEmails: ['spam@evil.com'],
|
|
}
|
|
|
|
it('matches individually blocked emails case-insensitively', () => {
|
|
expect(isEmailBlockedByAccessControl('spam@evil.com', config)).toBe(true)
|
|
expect(isEmailBlockedByAccessControl(' Spam@Evil.com ', config)).toBe(true)
|
|
expect(isEmailBlockedByAccessControl('other@evil.com', config)).toBe(false)
|
|
})
|
|
|
|
it('matches blocked domains and subdomains', () => {
|
|
expect(isEmailBlockedByAccessControl('a@bad.com', config)).toBe(true)
|
|
expect(isEmailBlockedByAccessControl('a@mail.bad.com', config)).toBe(true)
|
|
expect(isEmailBlockedByAccessControl('a@good.com', config)).toBe(false)
|
|
})
|
|
|
|
it('returns false for missing emails and empty config', () => {
|
|
expect(isEmailBlockedByAccessControl(null, config)).toBe(false)
|
|
expect(isEmailBlockedByAccessControl(undefined, config)).toBe(false)
|
|
expect(isEmailBlockedByAccessControl('a@bad.com', empty)).toBe(false)
|
|
})
|
|
})
|