Moritz
05c71132e4
Use Application.compile_env for release-safety. Config only set in test.exs (defaults to false).
52 lines
1.8 KiB
Elixir
52 lines
1.8 KiB
Elixir
defmodule Mv.Authorization.Checks.NoActorTest do
|
|
@moduledoc """
|
|
Tests for the NoActor Ash Policy Check.
|
|
|
|
This check allows actions without an actor ONLY in test environment.
|
|
In production/dev, all operations without an actor are denied.
|
|
"""
|
|
use ExUnit.Case, async: true
|
|
|
|
alias Mv.Authorization.Checks.NoActor
|
|
|
|
describe "match?/3" do
|
|
test "returns true when actor is nil in test environment" do
|
|
# In test environment (config :allow_no_actor_bypass = true), NoActor allows operations
|
|
result = NoActor.match?(nil, %{}, [])
|
|
assert result == true
|
|
end
|
|
|
|
test "returns false when actor is present" do
|
|
actor = %{id: "user-123"}
|
|
result = NoActor.match?(actor, %{}, [])
|
|
assert result == false
|
|
end
|
|
|
|
test "uses compile-time config (not runtime Mix.env)" do
|
|
# The @allow_no_actor_bypass is set via Application.compile_env at compile time
|
|
# In test.exs: config :mv, :allow_no_actor_bypass, true
|
|
# In prod/dev: not set (defaults to false)
|
|
# This ensures the check is release-safe (no runtime Mix.env dependency)
|
|
result = NoActor.match?(nil, %{}, [])
|
|
|
|
# In test environment (as compiled), should allow
|
|
assert result == true
|
|
|
|
# Note: We cannot test "production mode" here because the flag is compile-time.
|
|
# Production safety is guaranteed by:
|
|
# 1. Config only set in test.exs
|
|
# 2. Default is false (fail-closed)
|
|
# 3. No runtime environment checks
|
|
end
|
|
end
|
|
|
|
describe "describe/1" do
|
|
test "returns description based on compile-time config" do
|
|
description = NoActor.describe([])
|
|
assert is_binary(description)
|
|
|
|
# In test environment (compiled with :allow_no_actor_bypass = true)
|
|
assert description =~ "test environment"
|
|
end
|
|
end
|
|
end
|