From fa7807537029dbf8d047cf2257c9bbda6d46e6e7 Mon Sep 17 00:00:00 2001 From: Enmanuel Date: Thu, 9 Apr 2026 22:39:07 +0000 Subject: [PATCH] test: tests ACL para father-bot deny-by-default y multi-admin Agrega dos tests nuevos al paquete pkg/security que verifican escenarios especificos de father-bot: - TestResolveACL_FatherBotDenyByDefault: cuando el grupo admins esta vacio, nadie puede interactuar con father-bot (deny-by-default) - TestResolveACL_FatherBotMultipleAdmins: cuando hay multiples admins configurados, todos pueden interactuar; usuarios fuera del grupo no pueden Estos tests complementan el existente TestResolveACL_PrivilegedVsGeneral que ya cubria el caso basico de admin vs non-admin. Issue: 0043
---
pkg/security/security_test.go | 86 ++++++++++++++++++++++++++++++++++- 1 file changed, 85 insertions(+), 1 deletion(-)
diff --git a/pkg/security/security_test.go b/pkg/security/security_test.go
index d1c81ed..446fd58 100644
--- a/pkg/security/security_test.go
+++ b/pkg/security/security_test.go
@@ -194,7 +194,91 @@ func TestResolveACL_PrivilegedVsGeneral(t *testing.T) {
 }
 }
 
-// 2.8 — agente referenciado directamente por ID en AgentPolicy.AgentGroup → recibe permisos
+// 2.8 — father-bot deny-by-default: admin group empty → no one can interact
+func TestResolveACL_FatherBotDenyByDefault(t *testing.T) {
+ p := makePolicy(
+ []security.UserGroup{
+ {Name: "admins", Members: []string{}}, // empty admin group
+ {Name: "everyone", Members: []string{"*"}},
+ },
+ []security.AgentGroup{
+ {Name: "privileged", Agents: []string{"father-bot"}},
+ {Name: "general", Agents: []string{"assistant-bot"}},
+ },
+ []security.AgentPolicy{
+ {
+ AgentGroup: "privileged",
+ Permissions: []security.Permission{{UserGroup: "admins", Actions: []string{"*"}}},
+ },
+ {
+ AgentGroup: "general",
+ Permissions: []security.Permission{
+ {UserGroup: "everyone", Actions: []string{"*"}},
+ },
+ },
+ },
+ )
+
+ // father-bot: admin group empty → nobody can interact
+ fatherACL := security.ResolveACL("father-bot", p)
+ if fatherACL.Empty() {
+ t.Fatal("father-bot ACL should not be empty (it has a policy, just no members)")
+ }
+ if fatherACL.CanDo("@admin:matrix.example.com", "ask") {
+ t.Fatal("no one should be able to interact with father-bot when admin group is empty")
+ }
+ if fatherACL.CanDo("@random:matrix.example.com", "ask") {
+ t.Fatal("non-admin should NOT be able to interact with father-bot")
+ }
+
+ // assistant-bot: still accessible to everyone
+ assistantACL := security.ResolveACL("assistant-bot", p)
+ if !assistantACL.CanDo("@random:matrix.example.com", "ask") {
+ t.Fatal("everyone should still be able to interact with assistant-bot")
+ }
+}
+
+// 2.9 — father-bot: multiple admins, only they can interact
+func TestResolveACL_FatherBotMultipleAdmins(t *testing.T) {
+ p := makePolicy(
+ []security.UserGroup{
+ {Name: "admins", Members: []string{
+ "@admin:matrix-af2f3d.organic-machine.com",
+ "@dev2:matrix-af2f3d.organic-machine.com",
+ }},
+ {Name: "everyone", Members: []string{"*"}},
+ },
+ []security.AgentGroup{
+ {Name: "privileged", Agents: []string{"father-bot"}},
+ },
+ []security.AgentPolicy{
+ {
+ AgentGroup: "privileged",
+ Permissions: []security.Permission{{UserGroup: "admins", Actions: []string{"*"}}},
+ },
+ },
+ )
+
+ fatherACL := security.ResolveACL("father-bot", p)
+
+ // Both admins can interact
+ if !fatherACL.CanDo("@admin:matrix-af2f3d.organic-machine.com", "ask") {
+ t.Fatal("first admin should be able to interact with father-bot")
+ }
+ if !fatherACL.CanDo("@dev2:matrix-af2f3d.organic-machine.com", "ask") {
+ t.Fatal("second admin should be able to interact with father-bot")
+ }
+
+ // Non-admin cannot
+ if fatherACL.CanDo("@random:matrix.example.com", "ask") {
+ t.Fatal("non-admin should NOT be able to interact with father-bot")
+ }
+ if fatherACL.CanDo("@hacker:evil.com", "ask") {
+ t.Fatal("unknown user should NOT be able to interact with father-bot")
+ }
+}
+
+// 2.10 — agente referenciado directamente por ID en AgentPolicy.AgentGroup → recibe permisos
 func TestResolveACL_DirectAgentID(t *testing.T) {
 p := makePolicy(
 []security.UserGroup{{Name: "admins", Members: []string{"@alice:matrix.org"}}},
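Review bot: TestResolveACL_FatherBotDenyByDefault pins deny-by-default only for the `Members: []string{}` shape of the admins group; an operator who omits the members key entirely (a nil slice) or whose privileged policy names a user group that is not declared at all is at least as likely a misconfiguration, and neither shape is exercised here, so ResolveACL could treat them differently without this test noticing. I would add a sibling case using `{Name: "admins"}, // no members at all` and a further variant where "admins" is absent from the UserGroup list altogether, each asserting that `@random:matrix.example.com` still cannot "ask" father-bot. The line `{Name: "everyone", Members: []string{"*"}}` carries the real security assertion of this test — the wildcard group must not satisfy the "admins" permission on the privileged agent — and deserves a comment saying so, e.g. `// "*" must not satisfy the privileged agent's "admins" permission`. The `fatherACL.Empty()` check also encodes an assumption about how ResolveACL represents a policy whose only matching group has no members; a short comment explaining why a non-empty-but-denying ACL is the expected shape would keep a future change to that representation from producing a misleading failure message.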