import fs from 'fs-extra';
import os from 'os';
import path from 'path';
import { readPolicy, resolveUpgradePolicy, assertPolicyAllowsAuth } from '../src/core/policy.js';
/**
 * Builds a fresh path for a scratch JSON file inside the OS temp directory.
 *
 * Nothing is created on disk; the caller decides whether to write the file.
 * The timestamp and Math.random() suffix keep concurrent test runs from
 * colliding. They are not a security boundary: Math.random() is not a
 * cryptographic source, so the name should not be treated as unguessable on a
 * shared host.
 *
 * @param name - label embedded in the file name to identify the calling test
 * @returns absolute path of the form `<tmpdir>/cloudsqlctl-<name>-<ms>-<hex>.json`
 */
function tmpFile(name: string): string {
  const stamp = Date.now();
  const suffix = Math.random().toString(16).slice(2);
  const fileName = `cloudsqlctl-${name}-${stamp}-${suffix}.json`;
  return path.join(os.tmpdir(), fileName);
}
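/**
 * Tests for the policy module: reading the policy file selected through
 * CLOUDSQLCTL_POLICY_PATH, and the upgrade and auth guardrails a policy imposes.
 */
describe('Policy Module', () => {
  // Captured once so each test can repoint CLOUDSQLCTL_POLICY_PATH freely and
  // the original value (or its absence) is restored afterwards.
  const originalEnv = process.env.CLOUDSQLCTL_POLICY_PATH;

  afterEach(() => {
    if (originalEnv === undefined) {
      // Assigning undefined would store the string "undefined"; delete instead.
      delete process.env.CLOUDSQLCTL_POLICY_PATH;
    } else {
      process.env.CLOUDSQLCTL_POLICY_PATH = originalEnv;
    }
  });

  it('returns null if policy does not exist', async () => {
    // tmpFile() only builds a path, so nothing exists at this location.
    process.env.CLOUDSQLCTL_POLICY_PATH = tmpFile('missing');
    const policy = await readPolicy();
    expect(policy).toBeNull();
  });

  it('throws if policy exists but is invalid json', async () => {
    const p = tmpFile('invalid');
    await fs.writeFile(p, '{not-json', 'utf8');
    process.env.CLOUDSQLCTL_POLICY_PATH = p;
    try {
      // A present but unparseable policy must be an error, not be treated like
      // a missing one: falling back to "no policy" would drop the guardrails.
      await expect(readPolicy()).rejects.toThrow(/Invalid policy\.json/);
    } finally {
      // Remove the scratch file even when the assertion above fails.
      await fs.remove(p);
    }
  });

  it('enforces upgrades disabled', () => {
    expect(() => resolveUpgradePolicy({ updates: { enabled: false } }, {})).toThrow(/Updates are disabled/);
  });

  it('enforces pinned version and channel restrictions', () => {
    const policy = { updates: { channel: 'stable', pinnedVersion: '0.4.15' } };

    // Requests that try to leave the policy's channel or pinned version are rejected.
    expect(() => resolveUpgradePolicy(policy, { channel: 'beta' })).toThrow(/channel is restricted/i);
    expect(() => resolveUpgradePolicy(policy, { pin: '0.4.16' })).toThrow(/Pin\/unpin is managed/i);
    expect(() => resolveUpgradePolicy(policy, { version: '0.4.16' })).toThrow(/Target version is restricted/i);

    // With no request, or a request for the pinned version, the policy values are returned.
    expect(resolveUpgradePolicy(policy, {})).toEqual({ channel: 'stable', targetVersion: '0.4.15' });
    // A leading "v" on the requested version is accepted and does not appear in the result.
    expect(resolveUpgradePolicy(policy, { version: 'v0.4.15' })).toEqual({ channel: 'stable', targetVersion: '0.4.15' });
  });

  it('enforces auth guardrails', () => {
    // Interactive login is disabled and only the 'Machine' scope is allowed.
    const policy = { auth: { allowUserLogin: false, allowedScopes: ['Machine'] as const } };
    expect(() => assertPolicyAllowsAuth(policy, 'login')).toThrow(/disabled/i);
    expect(() => assertPolicyAllowsAuth(policy, 'set-service-account', 'User')).toThrow(/not allowed/i);
    expect(() => assertPolicyAllowsAuth(policy, 'set-service-account', 'Machine')).not.toThrow();
  });
});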