Files
simstudioai--sim/apps/sim/lib/auth/access-control.test.ts
T
wehub-resource-sync d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

184 lines
6.4 KiB
TypeScript

/**
* @vitest-environment node
*/
import { beforeEach, describe, expect, it, vi } from 'vitest'
import type { AccessControlConfig } from '@/lib/auth/access-control'
const { mockFetch, envRef, flagRef } = vi.hoisted(() => ({
mockFetch: vi.fn(),
envRef: {
APPCONFIG_APPLICATION: 'sim-staging' as string | undefined,
APPCONFIG_ENVIRONMENT: 'staging' as string | undefined,
BLOCKED_SIGNUP_DOMAINS: undefined as string | undefined,
BLOCKED_EMAILS: undefined as string | undefined,
ALLOWED_LOGIN_EMAILS: undefined as string | undefined,
ALLOWED_LOGIN_DOMAINS: undefined as string | undefined,
BLOCKED_EMAIL_MX_HOSTS: undefined as string | undefined,
},
flagRef: { isAppConfigEnabled: false },
}))
vi.mock('@/lib/core/config/appconfig', () => ({
fetchAppConfigProfile: mockFetch,
}))
vi.mock('@/lib/core/config/env', () => ({
get env() {
return envRef
},
}))
vi.mock('@/lib/core/config/env-flags', () => ({
get isAppConfigEnabled() {
return flagRef.isAppConfigEnabled
},
}))
import {
getAccessControlConfig,
isEmailBlockedByAccessControl,
isEmailInDenylist,
} from '@/lib/auth/access-control'
const empty: AccessControlConfig = {
blockedSignupDomains: [],
blockedEmails: [],
allowedLoginEmails: [],
allowedLoginDomains: [],
blockedEmailMxHosts: [],
}
describe('getAccessControlConfig', () => {
beforeEach(() => {
vi.clearAllMocks()
flagRef.isAppConfigEnabled = false
Object.assign(envRef, {
BLOCKED_SIGNUP_DOMAINS: undefined,
BLOCKED_EMAILS: undefined,
ALLOWED_LOGIN_EMAILS: undefined,
ALLOWED_LOGIN_DOMAINS: undefined,
BLOCKED_EMAIL_MX_HOSTS: undefined,
})
})
describe('env fallback (AppConfig disabled)', () => {
it('returns empty lists when nothing is set', async () => {
expect(await getAccessControlConfig()).toEqual(empty)
expect(mockFetch).not.toHaveBeenCalled()
})
it('parses, trims, lowercases, and dedupes csv env vars', async () => {
envRef.BLOCKED_SIGNUP_DOMAINS = 'Gmail.com, yahoo.com ,gmail.com,'
envRef.BLOCKED_EMAILS = 'Spam@Evil.com, spam@evil.com'
envRef.ALLOWED_LOGIN_DOMAINS = 'Sim.ai'
const result = await getAccessControlConfig()
expect(result.blockedSignupDomains).toEqual(['gmail.com', 'yahoo.com'])
expect(result.blockedEmails).toEqual(['spam@evil.com'])
expect(result.allowedLoginDomains).toEqual(['sim.ai'])
expect(mockFetch).not.toHaveBeenCalled()
})
})
describe('AppConfig source (enabled)', () => {
beforeEach(() => {
flagRef.isAppConfigEnabled = true
})
it('reads the access-control profile and normalizes the payload', async () => {
mockFetch.mockImplementation((_ids, parse) =>
Promise.resolve(
parse({
blockedSignupDomains: ['X.com'],
allowedLoginDomains: ['sim.ai'],
blockedEmailMxHosts: 'not-an-array',
})
)
)
const result = await getAccessControlConfig()
expect(result.blockedSignupDomains).toEqual(['x.com'])
expect(result.allowedLoginDomains).toEqual(['sim.ai'])
expect(result.blockedEmailMxHosts).toEqual([])
expect(mockFetch).toHaveBeenCalledWith(
{ application: 'sim-staging', environment: 'staging', profile: 'access-control' },
expect.any(Function)
)
})
it('falls back to env vars when the fetch yields null', async () => {
envRef.BLOCKED_SIGNUP_DOMAINS = 'spam.example'
mockFetch.mockResolvedValue(null)
const result = await getAccessControlConfig()
expect(result.blockedSignupDomains).toEqual(['spam.example'])
})
})
})
describe('isEmailInDenylist', () => {
it('returns false when denylist is null, empty, or email is missing', () => {
expect(isEmailInDenylist('a@example.com', null)).toBe(false)
expect(isEmailInDenylist('a@example.com', [])).toBe(false)
expect(isEmailInDenylist(null, ['example.com'])).toBe(false)
expect(isEmailInDenylist(undefined, ['example.com'])).toBe(false)
expect(isEmailInDenylist('', ['example.com'])).toBe(false)
})
it('returns false when email has no @', () => {
expect(isEmailInDenylist('not-an-email', ['example.com'])).toBe(false)
})
it('matches exact domain', () => {
expect(isEmailInDenylist('user@dpdns.org', ['dpdns.org'])).toBe(true)
expect(isEmailInDenylist('user@DPDNS.ORG', ['dpdns.org'])).toBe(true)
})
it('matches arbitrary-depth subdomains of a listed parent zone', () => {
expect(isEmailInDenylist('user@xx.lucky04.dpdns.org', ['dpdns.org'])).toBe(true)
expect(isEmailInDenylist('user@a.b.c.qzz.io', ['qzz.io'])).toBe(true)
})
it('does not match look-alike domains', () => {
expect(isEmailInDenylist('user@xdpdns.org', ['dpdns.org'])).toBe(false)
expect(isEmailInDenylist('user@notdpdns.org', ['dpdns.org'])).toBe(false)
})
it('does not match disallowed domains', () => {
expect(isEmailInDenylist('user@gmail.com', ['dpdns.org', 'qzz.io'])).toBe(false)
expect(isEmailInDenylist('user@example.com', ['dpdns.org'])).toBe(false)
})
it('handles multiple denylist entries', () => {
const denylist = ['dpdns.org', 'qzz.io', 'cc.cd']
expect(isEmailInDenylist('user@foo.dpdns.org', denylist)).toBe(true)
expect(isEmailInDenylist('user@bar.qzz.io', denylist)).toBe(true)
expect(isEmailInDenylist('user@baz.cc.cd', denylist)).toBe(true)
expect(isEmailInDenylist('user@example.com', denylist)).toBe(false)
})
})
describe('isEmailBlockedByAccessControl', () => {
const config: AccessControlConfig = {
...empty,
blockedSignupDomains: ['bad.com'],
blockedEmails: ['spam@evil.com'],
}
it('matches individually blocked emails case-insensitively', () => {
expect(isEmailBlockedByAccessControl('spam@evil.com', config)).toBe(true)
expect(isEmailBlockedByAccessControl(' Spam@Evil.com ', config)).toBe(true)
expect(isEmailBlockedByAccessControl('other@evil.com', config)).toBe(false)
})
it('matches blocked domains and subdomains', () => {
expect(isEmailBlockedByAccessControl('a@bad.com', config)).toBe(true)
expect(isEmailBlockedByAccessControl('a@mail.bad.com', config)).toBe(true)
expect(isEmailBlockedByAccessControl('a@good.com', config)).toBe(false)
})
it('returns false for missing emails and empty config', () => {
expect(isEmailBlockedByAccessControl(null, config)).toBe(false)
expect(isEmailBlockedByAccessControl(undefined, config)).toBe(false)
expect(isEmailBlockedByAccessControl('a@bad.com', empty)).toBe(false)
})
})