mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-09-22 06:00:56 +02:00
66bd419baa
WIP: pre-granular-permissions commit
feat: Add category and support contact fields to Agent schema and UI components
Revert "feat: Add category and support contact fields to Agent schema and UI components"
This reverts commit c43a52b4c9.
Fix: Update import for renderHook in useAgentCategories.spec.tsx
fix: Update icon rendering in AgentCategoryDisplay tests to use empty spans
refactor: Improve category synchronization logic and clean up AgentConfig component
refactor: Remove unused UI flow translations from translation.json
feat: agent marketplace features
🔐 feat: Granular Role-based Permissions + Entra ID Group Discovery (#7804)
251 lines
7.7 KiB
JavaScript
251 lines
7.7 KiB
JavaScript
const mongoose = require('mongoose');
|
|
const { MongoMemoryServer } = require('mongodb-memory-server');
|
|
const { checkAccess, generateCheckAccess } = require('./access');
|
|
const { PermissionTypes, Permissions } = require('librechat-data-provider');
|
|
const { Role } = require('~/db/models');
|
|
|
|
// Mock only the logger
|
|
jest.mock('~/config', () => ({
|
|
logger: {
|
|
warn: jest.fn(),
|
|
error: jest.fn(),
|
|
},
|
|
}));
|
|
|
|
describe('Access Middleware', () => {
|
|
let mongoServer;
|
|
let req, res, next;
|
|
|
|
beforeAll(async () => {
|
|
mongoServer = await MongoMemoryServer.create();
|
|
const mongoUri = mongoServer.getUri();
|
|
await mongoose.connect(mongoUri);
|
|
});
|
|
|
|
afterAll(async () => {
|
|
await mongoose.disconnect();
|
|
await mongoServer.stop();
|
|
});
|
|
|
|
beforeEach(async () => {
|
|
await mongoose.connection.dropDatabase();
|
|
|
|
// Create test roles
|
|
await Role.create({
|
|
name: 'user',
|
|
permissions: {
|
|
[PermissionTypes.AGENTS]: {
|
|
[Permissions.USE]: true,
|
|
[Permissions.CREATE]: false,
|
|
[Permissions.SHARED_GLOBAL]: false,
|
|
},
|
|
},
|
|
});
|
|
|
|
await Role.create({
|
|
name: 'admin',
|
|
permissions: {
|
|
[PermissionTypes.AGENTS]: {
|
|
[Permissions.USE]: true,
|
|
[Permissions.CREATE]: true,
|
|
[Permissions.SHARED_GLOBAL]: true,
|
|
},
|
|
},
|
|
});
|
|
|
|
req = {
|
|
user: { id: 'user123', role: 'user' },
|
|
body: {},
|
|
};
|
|
res = {
|
|
status: jest.fn().mockReturnThis(),
|
|
json: jest.fn(),
|
|
};
|
|
next = jest.fn();
|
|
jest.clearAllMocks();
|
|
});
|
|
|
|
describe('checkAccess', () => {
|
|
test('should return false if user is not provided', async () => {
|
|
const result = await checkAccess(null, PermissionTypes.AGENTS, [Permissions.USE]);
|
|
expect(result).toBe(false);
|
|
});
|
|
|
|
test('should return true if user has required permission', async () => {
|
|
const result = await checkAccess(req.user, PermissionTypes.AGENTS, [Permissions.USE]);
|
|
expect(result).toBe(true);
|
|
});
|
|
|
|
test('should return false if user lacks required permission', async () => {
|
|
const result = await checkAccess(req.user, PermissionTypes.AGENTS, [Permissions.CREATE]);
|
|
expect(result).toBe(false);
|
|
});
|
|
|
|
test('should return true if user has any of multiple permissions', async () => {
|
|
const result = await checkAccess(req.user, PermissionTypes.AGENTS, [
|
|
Permissions.USE,
|
|
Permissions.CREATE,
|
|
]);
|
|
expect(result).toBe(true);
|
|
});
|
|
|
|
test('should check body properties when permission is not directly granted', async () => {
|
|
// User role doesn't have CREATE permission, but bodyProps allows it
|
|
const bodyProps = {
|
|
[Permissions.CREATE]: ['agentId', 'name'],
|
|
};
|
|
|
|
const checkObject = { agentId: 'agent123' };
|
|
|
|
const result = await checkAccess(
|
|
req.user,
|
|
PermissionTypes.AGENTS,
|
|
[Permissions.CREATE],
|
|
bodyProps,
|
|
checkObject,
|
|
);
|
|
expect(result).toBe(true);
|
|
});
|
|
|
|
test('should return false if role is not found', async () => {
|
|
req.user.role = 'nonexistent';
|
|
const result = await checkAccess(req.user, PermissionTypes.AGENTS, [Permissions.USE]);
|
|
expect(result).toBe(false);
|
|
});
|
|
|
|
test('should return false if role has no permissions for the requested type', async () => {
|
|
await Role.create({
|
|
name: 'limited',
|
|
permissions: {
|
|
// Explicitly set AGENTS permissions to false
|
|
[PermissionTypes.AGENTS]: {
|
|
[Permissions.USE]: false,
|
|
[Permissions.CREATE]: false,
|
|
[Permissions.SHARED_GLOBAL]: false,
|
|
},
|
|
// Has permissions for other types
|
|
[PermissionTypes.PROMPTS]: {
|
|
[Permissions.USE]: true,
|
|
},
|
|
},
|
|
});
|
|
req.user.role = 'limited';
|
|
|
|
const result = await checkAccess(req.user, PermissionTypes.AGENTS, [Permissions.USE]);
|
|
expect(result).toBe(false);
|
|
});
|
|
|
|
test('should handle admin role with all permissions', async () => {
|
|
req.user.role = 'admin';
|
|
|
|
const createResult = await checkAccess(req.user, PermissionTypes.AGENTS, [
|
|
Permissions.CREATE,
|
|
]);
|
|
expect(createResult).toBe(true);
|
|
|
|
const shareResult = await checkAccess(req.user, PermissionTypes.AGENTS, [
|
|
Permissions.SHARED_GLOBAL,
|
|
]);
|
|
expect(shareResult).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('generateCheckAccess', () => {
|
|
test('should call next() when user has required permission', async () => {
|
|
const middleware = generateCheckAccess(PermissionTypes.AGENTS, [Permissions.USE]);
|
|
await middleware(req, res, next);
|
|
|
|
expect(next).toHaveBeenCalled();
|
|
expect(res.status).not.toHaveBeenCalled();
|
|
});
|
|
|
|
test('should return 403 when user lacks permission', async () => {
|
|
const middleware = generateCheckAccess(PermissionTypes.AGENTS, [Permissions.CREATE]);
|
|
await middleware(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(403);
|
|
expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
|
|
});
|
|
|
|
test('should check body properties when configured', async () => {
|
|
req.body = { agentId: 'agent123', description: 'test' };
|
|
|
|
const bodyProps = {
|
|
[Permissions.CREATE]: ['agentId'],
|
|
};
|
|
|
|
const middleware = generateCheckAccess(
|
|
PermissionTypes.AGENTS,
|
|
[Permissions.CREATE],
|
|
bodyProps,
|
|
);
|
|
await middleware(req, res, next);
|
|
|
|
expect(next).toHaveBeenCalled();
|
|
expect(res.status).not.toHaveBeenCalled();
|
|
});
|
|
|
|
test('should handle database errors gracefully', async () => {
|
|
// Create a user with an invalid role that will cause getRoleByName to fail
|
|
req.user.role = { invalid: 'object' }; // This will cause an error when querying
|
|
|
|
const middleware = generateCheckAccess(PermissionTypes.AGENTS, [Permissions.USE]);
|
|
await middleware(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(500);
|
|
expect(res.json).toHaveBeenCalledWith({
|
|
message: expect.stringContaining('Server error:'),
|
|
});
|
|
});
|
|
|
|
test('should work with multiple permission types', async () => {
|
|
req.user.role = 'admin';
|
|
|
|
const middleware = generateCheckAccess(PermissionTypes.AGENTS, [
|
|
Permissions.USE,
|
|
Permissions.CREATE,
|
|
Permissions.SHARED_GLOBAL,
|
|
]);
|
|
await middleware(req, res, next);
|
|
|
|
expect(next).toHaveBeenCalled();
|
|
});
|
|
|
|
test('should handle missing user gracefully', async () => {
|
|
req.user = null;
|
|
|
|
const middleware = generateCheckAccess(PermissionTypes.AGENTS, [Permissions.USE]);
|
|
await middleware(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(500);
|
|
expect(res.json).toHaveBeenCalledWith({
|
|
message: expect.stringContaining('Server error:'),
|
|
});
|
|
});
|
|
|
|
test('should handle role with no AGENTS permissions', async () => {
|
|
await Role.create({
|
|
name: 'noaccess',
|
|
permissions: {
|
|
// Explicitly set AGENTS with all permissions false
|
|
[PermissionTypes.AGENTS]: {
|
|
[Permissions.USE]: false,
|
|
[Permissions.CREATE]: false,
|
|
[Permissions.SHARED_GLOBAL]: false,
|
|
},
|
|
},
|
|
});
|
|
req.user.role = 'noaccess';
|
|
|
|
const middleware = generateCheckAccess(PermissionTypes.AGENTS, [Permissions.USE]);
|
|
await middleware(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(403);
|
|
expect(res.json).toHaveBeenCalledWith({ message: 'Forbidden: Insufficient permissions' });
|
|
});
|
|
});
|
|
});
|