diff --git a/pkg/security/security_test.go b/pkg/security/security_test.go index d1c81ed..446fd58 100644 --- a/pkg/security/security_test.go +++ b/pkg/security/security_test.go @@ -194,7 +194,91 @@ func TestResolveACL_PrivilegedVsGeneral(t *testing.T) { } } -// 2.8 — agente referenciado directamente por ID en AgentPolicy.AgentGroup → recibe permisos +// 2.8 — father-bot deny-by-default: admin group empty → no one can interact +func TestResolveACL_FatherBotDenyByDefault(t *testing.T) { + p := makePolicy( + []security.UserGroup{ + {Name: "admins", Members: []string{}}, // empty admin group + {Name: "everyone", Members: []string{"*"}}, + }, + []security.AgentGroup{ + {Name: "privileged", Agents: []string{"father-bot"}}, + {Name: "general", Agents: []string{"assistant-bot"}}, + }, + []security.AgentPolicy{ + { + AgentGroup: "privileged", + Permissions: []security.Permission{{UserGroup: "admins", Actions: []string{"*"}}}, + }, + { + AgentGroup: "general", + Permissions: []security.Permission{ + {UserGroup: "everyone", Actions: []string{"*"}}, + }, + }, + }, + ) + + // father-bot: admin group empty → nobody can interact + fatherACL := security.ResolveACL("father-bot", p) + if fatherACL.Empty() { + t.Fatal("father-bot ACL should not be empty (it has a policy, just no members)") + } + if fatherACL.CanDo("@admin:matrix.example.com", "ask") { + t.Fatal("no one should be able to interact with father-bot when admin group is empty") + } + if fatherACL.CanDo("@random:matrix.example.com", "ask") { + t.Fatal("non-admin should NOT be able to interact with father-bot") + } + + // assistant-bot: still accessible to everyone + assistantACL := security.ResolveACL("assistant-bot", p) + if !assistantACL.CanDo("@random:matrix.example.com", "ask") { + t.Fatal("everyone should still be able to interact with assistant-bot") + } +} + +// 2.9 — father-bot: multiple admins, only they can interact +func TestResolveACL_FatherBotMultipleAdmins(t *testing.T) { + p := makePolicy( + []security.UserGroup{ + {Name: "admins", Members: []string{ + "@admin:matrix-af2f3d.organic-machine.com", + "@dev2:matrix-af2f3d.organic-machine.com", + }}, + {Name: "everyone", Members: []string{"*"}}, + }, + []security.AgentGroup{ + {Name: "privileged", Agents: []string{"father-bot"}}, + }, + []security.AgentPolicy{ + { + AgentGroup: "privileged", + Permissions: []security.Permission{{UserGroup: "admins", Actions: []string{"*"}}}, + }, + }, + ) + + fatherACL := security.ResolveACL("father-bot", p) + + // Both admins can interact + if !fatherACL.CanDo("@admin:matrix-af2f3d.organic-machine.com", "ask") { + t.Fatal("first admin should be able to interact with father-bot") + } + if !fatherACL.CanDo("@dev2:matrix-af2f3d.organic-machine.com", "ask") { + t.Fatal("second admin should be able to interact with father-bot") + } + + // Non-admin cannot + if fatherACL.CanDo("@random:matrix.example.com", "ask") { + t.Fatal("non-admin should NOT be able to interact with father-bot") + } + if fatherACL.CanDo("@hacker:evil.com", "ask") { + t.Fatal("unknown user should NOT be able to interact with father-bot") + } +} + +// 2.10 — agente referenciado directamente por ID en AgentPolicy.AgentGroup → recibe permisos func TestResolveACL_DirectAgentID(t *testing.T) { p := makePolicy( []security.UserGroup{{Name: "admins", Members: []string{"@alice:matrix.org"}}},