RBAC/Policy Tester
Comprehensive testing for role-based access control.
Permission Test Matrix
type Role = 'ADMIN' | 'MANAGER' | 'USER' | 'GUEST';
type Action = 'create' | 'read' | 'update' | 'delete';
type Resource = 'users' | 'orders' | 'reports';
const permissionMatrix: Record<Role, Record<Resource, Action[]>> = {
ADMIN: {
users: ['create', 'read', 'update', 'delete'],
orders: ['create', 'read', 'update', 'delete'],
reports: ['create', 'read', 'update', 'delete'],
},
MANAGER: {
users: ['read', 'update'],
orders: ['create', 'read', 'update'],
reports: ['read', 'update'],
},
USER: {
users: ['read'], // Only own profile
orders: ['create', 'read'], // Only own orders
reports: ['read'],
},
GUEST: {
users: [],
orders: [],
reports: ['read'],
},
};
describe('RBAC Tests', () => {
Object.entries(permissionMatrix).forEach(([role, resources]) => {
describe(\`Role: \${role}\`, () => {
Object.entries(resources).forEach(([resource, actions]) => {
actions.forEach(action => {
it(\`should allow \${action} on \${resource}\`, async () => {
const token = generateToken({ role });
await request(app)
.post(\`/api/\${resource}/\${action}\`)
.set('Authorization', \`Bearer \${token}\`)
.expect(200);
});
});
// Test forbidden actions
const allActions: Action[] = ['create', 'read', 'update', 'delete'];
const forbidden = allActions.filter(a => !actions.includes(a));
forbidden.forEach(action => {
it(\`should deny \${action} on \${resource}\`, async () => {
const token = generateToken({ role });
await request(app)
.post(\`/api/\${resource}/\${action}\`)
.set('Authorization', \`Bearer \${token}\`)
.expect(403);
});
});
});
});
});
});
Output Checklist
- [ ] Permission matrix defined
- [ ] Test suite for all roles
- [ ] Positive and negative tests
- [ ] CI gating enabled
- [ ] Coverage monitoring ENDFILE