Files
CyberStrikeAI/internal/multiagent/rbac_tool_middleware_test.go
T
2026-07-10 18:56:33 +08:00

23 lines
913 B
Go

package multiagent
import (
"context"
"testing"
"cyberstrike-ai/internal/authctx"
)
func TestLocalToolPermissionIsSeparateFromAgentExecution(t *testing.T) {
agentOnly := authctx.WithPrincipal(context.Background(), authctx.NewPrincipal("robot:u1", "robot", "own", map[string]bool{"agent:execute": true}))
if !localToolPermissionDenied(agentOnly, "execute") || !localToolPermissionDenied(agentOnly, "read_file") {
t.Fatal("agent:execute alone authorized local privileged tools")
}
local := authctx.WithPrincipal(context.Background(), authctx.NewPrincipal("u1", "user", "assigned", map[string]bool{"agent:local-execute": true}))
if localToolPermissionDenied(local, "execute") || localToolPermissionDenied(local, "write_file") {
t.Fatal("agent:local-execute was not honored")
}
if localToolPermissionDenied(agentOnly, "record_vulnerability") {
t.Fatal("non-local tool was incorrectly denied")
}
}