Spaces:
Sleeping
Sleeping
| import sys | |
| from pathlib import Path | |
| import pytest | |
| # Ensure backend package is importable | |
| backend_dir = Path(__file__).parent.parent | |
| sys.path.insert(0, str(backend_dir)) | |
| from mcp_server.common import access_control | |
| from mcp_server.common.utils import execute_tool | |
| async def test_execute_tool_denies_without_permission(): | |
| async def handler(context, payload): | |
| return {"ok": True} | |
| payload = { | |
| "tenant_id": "tenant123", | |
| "session_id": "s1", | |
| "role": "viewer", | |
| } | |
| result = await execute_tool("rag.ingest", payload, handler) | |
| assert result["status"] == "error" | |
| assert result["error_type"] == "validation_error" | |
| assert "not permitted" in result["message"] | |
| async def test_execute_tool_allows_authorized_role(): | |
| async def handler(context, payload): | |
| return {"ok": True} | |
| payload = { | |
| "tenant_id": "tenant123", | |
| "session_id": "s1", | |
| "role": "admin", | |
| } | |
| result = await execute_tool("rag.ingest", payload, handler) | |
| assert result["status"] == "ok" | |
| assert result["data"]["ok"] is True | |
| def test_normalize_role_defaults_to_viewer(): | |
| assert access_control.normalize_role(None) == "viewer" | |
| assert access_control.normalize_role("ADMIN") == "admin" | |
| assert access_control.normalize_role("unknown") == "viewer" | |
| def test_role_allows_matrix(): | |
| assert access_control.role_allows("owner", "manage_rules") | |
| assert not access_control.role_allows("viewer", "manage_rules") | |