dataforge/fn_registry
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

feat: rbac_check (pure), jwt_middleware, rbac_middleware

Browse Source 
Fase 5 del issue 0010 — RBAC y middlewares de auth.
- rbac_check es pura: solo recorre la matriz roles/permisos
- jwt_middleware extrae token del header Authorization: Bearer, valida e
  inyecta claims en el context con una key privada (jwtCtxKey struct{})
- rbac_middleware requiere jwt_middleware antes; lee role de claims.Custom
- Helper JWTClaimsFromContext para acceder a las claims desde handlers
- 401 claro si RBAC se usa sin JWT antes (code: no_claims)
This commit is contained in:
Egutierrez
2026-04-18 17:44:04 +02:00
parent 4601af88b5
commit f46fde3656
9 changed files with 489 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
functions/infra/rbac_check_test.go
+58
View File
@@ -0,0 +1,58 @@
package infra
import "testing"
func makeRoles() []Role {
return []Role{
{
Name: "admin",
Permissions: []Permission{
{Resource: "users", Action: "read"},
{Resource: "users", Action: "write"},
{Resource: "users", Action: "delete"},
},
},
{
Name: "viewer",
Permissions: []Permission{
{Resource: "users", Action: "read"},
},
},
}
}
func TestRBACCheck_Granted(t *testing.T) {
roles := makeRoles()
if !RBACCheck(roles, "admin", Permission{Resource: "users", Action: "delete"}) {
t.Fatal("admin deberia tener users/delete")
}
if !RBACCheck(roles, "viewer", Permission{Resource: "users", Action: "read"}) {
t.Fatal("viewer deberia tener users/read")
}
}
func TestRBACCheck_Denied(t *testing.T) {
roles := makeRoles()
if RBACCheck(roles, "viewer", Permission{Resource: "users", Action: "delete"}) {
t.Fatal("viewer NO deberia tener users/delete")
}
}
func TestRBACCheck_UnknownRole(t *testing.T) {
roles := makeRoles()
if RBACCheck(roles, "ghost", Permission{Resource: "users", Action: "read"}) {
t.Fatal("rol inexistente no deberia tener permisos")
}
}
func TestRBACCheck_ExactMatch(t *testing.T) {
roles := makeRoles()
// Resource distinto
if RBACCheck(roles, "admin", Permission{Resource: "billing", Action: "read"}) {
t.Fatal("admin no tiene billing/read")
}
// Action distinta
if RBACCheck(roles, "viewer", Permission{Resource: "users", Action: "write"}) {
t.Fatal("viewer no tiene users/write")
}
}