OneAuth/tests/role_test.go


package tests
import (
"testing"
)
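// TestRoleCRUD walks one role through its whole lifecycle as the admin user:
// list, create, read, update, read permissions, replace permissions, delete.
// Every step after "Create Role" needs the id returned by create, so the run
// aborts if that step fails. The role is removed again in a t.Cleanup so a
// failure in the middle does not leave "test_role" behind and make the next
// run's create collide on the code.
func TestRoleCRUD(t *testing.T) {
	ensureUsers(t)
	var roleID string

	// Test 1: List Roles (as admin). Seeded roles are expected to exist.
	t.Run("List Roles", func(t *testing.T) {
		resp := doRequest(t, "GET", "/api/roles", nil, AdminToken)
		assertStatus(t, resp, 200)
		var data struct {
			Items []struct {
				ID   string `json:"id"`
				Code string `json:"code"`
				Name string `json:"name"`
			} `json:"items"`
		}
		decodeResponse(t, resp, &data)
		t.Logf("Total roles: %d", len(data.Items))
		if len(data.Items) == 0 {
			t.Errorf("Expected some roles, got 0")
		}
	})

	// Test 2: Create Role. The returned id drives every later step.
	t.Run("Create Role", func(t *testing.T) {
		resp := doRequest(t, "POST", "/api/roles", map[string]string{
			"code":        "test_role",
			"name":        "Test Role",
			"description": "Role created for testing",
		}, AdminToken)
		assertStatus(t, resp, 200)
		var data struct {
			ID string `json:"id"`
		}
		decodeResponse(t, resp, &data)
		roleID = data.ID
		t.Logf("Created role: %s", roleID)
	})
	if roleID == "" {
		t.Fatal("Failed to create role, skipping remaining tests")
	}
	// Best-effort cleanup: if any step between create and "Delete Role" fails,
	// the role would otherwise persist across runs. After a successful delete
	// this is a harmless non-200 that is deliberately ignored.
	t.Cleanup(func() {
		doRequest(t, "DELETE", "/api/roles/"+roleID, nil, AdminToken)
	})

	// Test 3: Get Role Details. The record must be the one we just created.
	t.Run("Get Role Details", func(t *testing.T) {
		resp := doRequest(t, "GET", "/api/roles/"+roleID, nil, AdminToken)
		assertStatus(t, resp, 200)
		var data struct {
			ID   string `json:"id"`
			Code string `json:"code"`
			Name string `json:"name"`
		}
		decodeResponse(t, resp, &data)
		if data.ID != roleID {
			t.Errorf("Expected id '%s', got '%s'", roleID, data.ID)
		}
		if data.Code != "test_role" {
			t.Errorf("Expected code 'test_role', got '%s'", data.Code)
		}
		if data.Name != "Test Role" {
			t.Errorf("Expected name 'Test Role', got '%s'", data.Name)
		}
	})

	// Test 4: Update Role, then read it back — the PATCH status alone does not
	// prove the change was persisted.
	t.Run("Update Role", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/roles/"+roleID, map[string]string{
			"name":        "Updated Test Role",
			"description": "Updated description",
		}, AdminToken)
		assertStatus(t, resp, 200)

		resp = doRequest(t, "GET", "/api/roles/"+roleID, nil, AdminToken)
		assertStatus(t, resp, 200)
		var data struct {
			Name string `json:"name"`
		}
		decodeResponse(t, resp, &data)
		if data.Name != "Updated Test Role" {
			t.Errorf("Expected name 'Updated Test Role', got '%s'", data.Name)
		}
	})

	// Test 5: Get Role Permissions. The endpoint returns a bare JSON array.
	t.Run("Get Role Permissions", func(t *testing.T) {
		resp := doRequest(t, "GET", "/api/roles/"+roleID+"/permissions", nil, AdminToken)
		assertStatus(t, resp, 200)
		var perms []struct {
			ID string `json:"id"`
		}
		decodeResponse(t, resp, &perms)
		t.Logf("Role permissions count: %d", len(perms))
	})

	// Test 6: Replace the role's permissions with the empty set, then read
	// them back. Only checking the PUT status would accept a server that
	// acknowledges the request without applying it. (The previous version of
	// this step also issued a GET /api/roles whose result was never used.)
	t.Run("Update Role Permissions", func(t *testing.T) {
		resp := doRequest(t, "PUT", "/api/roles/"+roleID+"/permissions", map[string]interface{}{
			"permission_ids": []string{},
		}, AdminToken)
		assertStatus(t, resp, 200)
		t.Logf("Updated role permissions to empty")

		resp = doRequest(t, "GET", "/api/roles/"+roleID+"/permissions", nil, AdminToken)
		assertStatus(t, resp, 200)
		var perms []struct {
			ID string `json:"id"`
		}
		decodeResponse(t, resp, &perms)
		if len(perms) != 0 {
			t.Errorf("Expected 0 permissions after clearing, got %d", len(perms))
		}
	})

	// Test 7: Delete Role, then confirm the role is gone. "Gone" has to be a
	// client-side answer (4xx): a 200 means the delete did not take effect, and
	// a 5xx means the server is now in a bad state rather than that the delete
	// succeeded.
	t.Run("Delete Role", func(t *testing.T) {
		resp := doRequest(t, "DELETE", "/api/roles/"+roleID, nil, AdminToken)
		assertStatus(t, resp, 200)

		resp = doRequest(t, "GET", "/api/roles/"+roleID, nil, AdminToken)
		switch {
		case resp.Code == 200:
			t.Errorf("Expected role to be deleted, but got 200")
		case resp.Code/100 != 4:
			t.Errorf("Expected a 4xx for the deleted role, got %d", resp.Code)
		default:
			t.Logf("Role deleted successfully, got code: %d", resp.Code)
		}
	})
}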
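// TestRoleAccessControl checks that a regular (non-admin) user can neither
// list nor create roles.
//
// A denial is only accepted as a 401 or 403. The earlier version of this test
// treated any status other than 200 as a pass, which would also have been
// satisfied by a validation 400 or a 500 raised before the authorization
// check ran — neither of which proves authorization works. If the API
// deliberately answers denials with a different status, extend the list here
// rather than widening it back to "anything but 200".
//
// For the create case the status alone is still not enough: the test also
// lists roles as admin and confirms no role with the attempted code exists.
func TestRoleAccessControl(t *testing.T) {
	ensureUsers(t)

	t.Run("Regular User List Roles", func(t *testing.T) {
		resp := doRequest(t, "GET", "/api/roles", nil, User1Token)
		// role:read requires admin permission.
		switch resp.Code {
		case 401, 403:
			t.Logf("Regular user correctly denied list roles, code: %d", resp.Code)
		case 200:
			t.Errorf("Expected regular user to be denied, got 200")
		default:
			t.Errorf("Expected 401 or 403 for regular user listing roles, got %d", resp.Code)
		}
	})

	t.Run("Regular User Create Role", func(t *testing.T) {
		const illegalCode = "illegal_role"
		resp := doRequest(t, "POST", "/api/roles", map[string]string{
			"code":        illegalCode,
			"name":        "Should Fail",
			"description": "Should not be created",
		}, User1Token)
		// role:create requires admin permission.
		switch resp.Code {
		case 401, 403:
			t.Logf("Regular user correctly denied create role, code: %d", resp.Code)
		case 200:
			t.Errorf("Expected regular user to be denied, got 200")
		default:
			t.Errorf("Expected 401 or 403 for regular user creating a role, got %d", resp.Code)
		}

		// Fail closed: verify as admin that the denied request persisted
		// nothing. NOTE(review): this scans the first page of the listing;
		// the file shows no pagination parameters, so if the listing is
		// paged the check only covers what the default page returns.
		resp = doRequest(t, "GET", "/api/roles", nil, AdminToken)
		assertStatus(t, resp, 200)
		var data struct {
			Items []struct {
				Code string `json:"code"`
			} `json:"items"`
		}
		decodeResponse(t, resp, &data)
		for _, r := range data.Items {
			if r.Code == illegalCode {
				t.Errorf("Role %q exists even though the regular user's create was denied", illegalCode)
			}
		}
	})
}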
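// TestSystemRoleProtection checks that the built-in admin role cannot be
// renamed, have its permission set replaced, or be deleted — even by the
// admin user.
//
// Each attempt is verified by reading the role back afterwards. A non-200
// status on its own is not evidence of protection: the earlier version of
// this test would also have passed on a 404, i.e. if "/api/roles/admin" did
// not resolve at all. For the same reason the test first confirms the system
// role is readable at that path and fails fast otherwise.
//
// NOTE(review): the other role tests address roles by the id returned from
// create, while this one uses the literal "admin" — presumably the role code
// also resolves on this route. The precondition check below makes that
// assumption explicit instead of silently passing when it is wrong.
func TestSystemRoleProtection(t *testing.T) {
	ensureUsers(t)

	const adminPath = "/api/roles/admin"

	// Precondition: the system role must be readable, otherwise every
	// "denial" below could be a 404 and would prove nothing.
	pre := doRequest(t, "GET", adminPath, nil, AdminToken)
	if pre.Code != 200 {
		t.Fatalf("System role not readable at %s (code %d); cannot test protection", adminPath, pre.Code)
	}
	var before struct {
		Name string `json:"name"`
	}
	decodeResponse(t, pre, &before)

	// countPerms returns how many permissions the system role currently has.
	countPerms := func(t *testing.T) int {
		resp := doRequest(t, "GET", adminPath+"/permissions", nil, AdminToken)
		assertStatus(t, resp, 200)
		var perms []struct {
			ID string `json:"id"`
		}
		decodeResponse(t, resp, &perms)
		return len(perms)
	}

	// A rejected mutation must be a client-side refusal (4xx). 200 means the
	// change went through; 5xx means the server broke rather than refused.
	t.Run("Update System Role", func(t *testing.T) {
		attempt := doRequest(t, "PATCH", adminPath, map[string]string{
			"name": "Hacked Admin",
		}, AdminToken)
		if attempt.Code/100 != 4 {
			t.Errorf("Expected system role update to be rejected with a 4xx, got %d", attempt.Code)
		}

		// Read back: the name must be exactly what it was before the attempt.
		check := doRequest(t, "GET", adminPath, nil, AdminToken)
		assertStatus(t, check, 200)
		var after struct {
			Name string `json:"name"`
		}
		decodeResponse(t, check, &after)
		if after.Name != before.Name {
			t.Errorf("System role name changed from %q to %q despite rejection", before.Name, after.Name)
		} else {
			t.Logf("System role correctly protected, code: %d", attempt.Code)
		}
	})

	t.Run("Update System Role Permissions", func(t *testing.T) {
		permsBefore := countPerms(t)

		attempt := doRequest(t, "PUT", adminPath+"/permissions", map[string]interface{}{
			"permission_ids": []string{},
		}, AdminToken)
		if attempt.Code/100 != 4 {
			t.Errorf("Expected system role permissions update to be rejected with a 4xx, got %d", attempt.Code)
		}

		// Read back: the permission set must be unchanged.
		if permsAfter := countPerms(t); permsAfter != permsBefore {
			t.Errorf("System role permissions changed from %d to %d despite rejection", permsBefore, permsAfter)
		} else {
			t.Logf("System role permissions correctly protected, code: %d", attempt.Code)
		}
	})

	t.Run("Delete System Role", func(t *testing.T) {
		attempt := doRequest(t, "DELETE", adminPath, nil, AdminToken)
		if attempt.Code/100 != 4 {
			t.Errorf("Expected system role deletion to be rejected with a 4xx, got %d", attempt.Code)
		}

		// Read back: the role must still exist.
		check := doRequest(t, "GET", adminPath, nil, AdminToken)
		if check.Code != 200 {
			t.Errorf("System role no longer readable after delete attempt, code: %d", check.Code)
		} else {
			t.Logf("System role deletion correctly protected, code: %d", attempt.Code)
		}
	})
}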