dataforge/agents_and_robots
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

test: tests para privileged ACL y isSpecialConfig

Browse Source 
- TestResolveACL_PrivilegedVsGeneral: verifica que father-bot solo
  es accesible por admins y que agentes generales son accesibles
  por todos. Reproduce la config real de produccion.
- TestIsSpecialConfig_*: 3 tests para la funcion que detecta
  configs de SpecialConfig ya cargados (orchestrator) y los salta
  en el loop de discovery normal del launcher.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enmanuel
2026-04-09 22:05:41 +00:00
parent db1a93c3fe
commit a6100b5154
2 changed files with 111 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/security/security_test.go
+55 -1
View File
@@ -140,7 +140,61 @@ func TestResolveACL_AccumulatedPermissions(t *testing.T) {
}
}
// 2.7 — agente referenciado directamente por ID en AgentPolicy.AgentGroup → recibe permisos
// 2.7 — privileged vs general: father-bot admin-only, general open to everyone
func TestResolveACL_PrivilegedVsGeneral(t *testing.T) {
p := makePolicy(
[]security.UserGroup{
{Name: "admins", Members: []string{"@admin:matrix.example.com"}},
{Name: "everyone", Members: []string{"*"}},
},
[]security.AgentGroup{
{Name: "privileged", Agents: []string{"father-bot"}},
{Name: "general", Agents: []string{"assistant-bot", "test-bot"}},
},
[]security.AgentPolicy{
{
AgentGroup: "privileged",
Permissions: []security.Permission{{UserGroup: "admins", Actions: []string{"*"}}},
},
{
AgentGroup: "general",
Permissions: []security.Permission{
{UserGroup: "admins", Actions: []string{"*"}},
{UserGroup: "everyone", Actions: []string{"*"}},
},
},
},
)
// father-bot: admin can interact, regular user cannot
fatherACL := security.ResolveACL("father-bot", p)
if fatherACL.Empty() {
t.Fatal("father-bot ACL should not be empty")
}
if !fatherACL.CanDo("@admin:matrix.example.com", "ask") {
t.Fatal("admin should be able to interact with father-bot")
}
if fatherACL.CanDo("@random:matrix.example.com", "ask") {
t.Fatal("non-admin should NOT be able to interact with father-bot")
}
// assistant-bot: everyone can interact
assistantACL := security.ResolveACL("assistant-bot", p)
if assistantACL.Empty() {
t.Fatal("assistant-bot ACL should not be empty")
}
if !assistantACL.CanDo("@random:matrix.example.com", "ask") {
t.Fatal("everyone should be able to interact with assistant-bot")
}
// unknown-bot: not in any group → empty ACL (open access)
unknownACL := security.ResolveACL("unknown-bot", p)
if !unknownACL.Empty() {
t.Fatal("unknown-bot should have empty ACL (open access)")
}
}
// 2.8 — agente referenciado directamente por ID en AgentPolicy.AgentGroup → recibe permisos
func TestResolveACL_DirectAgentID(t *testing.T) {
p := makePolicy(
[]security.UserGroup{{Name: "admins", Members: []string{"@alice:matrix.org"}}},