Add RBAC integration tests for endpoint authorization #43

Open
opened 2026-03-14 12:38:59 +01:00 by claude · 0 comments
Owner

Context

RBAC endpoint rules are defined in SecurityConfig (a4de2a7) but lack dedicated integration tests verifying that role enforcement works end-to-end.

Test Cases

  • VIEWER token: can GET search/executions/diagrams/agents (200), cannot POST commands (403), cannot access admin endpoints (403), cannot POST to data endpoints (403)
  • OPERATOR token: can do everything VIEWER can, plus POST commands (200), still cannot access admin endpoints (403)
  • ADMIN token: can do everything, including admin endpoints (200)
  • AGENT token: can POST to data/heartbeat/SSE/ack endpoints (200), cannot access search POST (403), cannot access admin (403), cannot send commands (403)
  • No token: public endpoints return 200, protected endpoints return 401

Implementation

Extend the existing SecurityFilterIT (or create a new one) so that it creates tokens carrying specific roles via JwtService.createAccessToken(subject, group, roles) and asserts the expected HTTP status code for each endpoint category.
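One way to lay that test out, as an added example rather than the project's own code: a single JUnit 5 parameterized test driven by a (role, method, path, expected status) matrix and executed through Spring's MockMvc, so every rule in the list above becomes one row. The endpoint paths, the `it-user`/`it-group` subject and group, and passing roles as a `List<String>` are assumptions; only the `createAccessToken(subject, group, roles)` signature comes from the issue.

```java
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import java.util.List;
import java.util.stream.Stream;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;

// Added example, not project code. Paths below are placeholders for the real SecurityConfig rules.
@SpringBootTest
@AutoConfigureMockMvc
class SecurityFilterIT {
    @Autowired MockMvc mvc;
    @Autowired JwtService jwtService; // assumed to live in the same package

    // One row per (role, method, path, expected status); a null role means "no token".
    static Stream<Arguments> matrix() {
        return Stream.of(
            Arguments.of("VIEWER",   HttpMethod.GET,  "/api/search",        200),
            Arguments.of("VIEWER",   HttpMethod.POST, "/api/commands",      403),
            Arguments.of("VIEWER",   HttpMethod.GET,  "/api/admin/users",   403),
            Arguments.of("VIEWER",   HttpMethod.POST, "/api/data",          403),
            Arguments.of("OPERATOR", HttpMethod.POST, "/api/commands",      200),
            Arguments.of("OPERATOR", HttpMethod.GET,  "/api/admin/users",   403),
            Arguments.of("ADMIN",    HttpMethod.GET,  "/api/admin/users",   200),
            Arguments.of("AGENT",    HttpMethod.POST, "/api/data",          200),
            Arguments.of("AGENT",    HttpMethod.POST, "/api/search",        403),
            Arguments.of("AGENT",    HttpMethod.POST, "/api/commands",      403),
            Arguments.of(null,       HttpMethod.GET,  "/api/public/health", 200),
            Arguments.of(null,       HttpMethod.GET,  "/api/search",        401));
    }

    @ParameterizedTest(name = "{0} {1} {2} -> {3}")
    @MethodSource("matrix")
    void enforcesEndpointRules(String role, HttpMethod method, String path, int expected) throws Exception {
        var req = MockMvcRequestBuilders.request(method, path)
                .contentType(MediaType.APPLICATION_JSON).content("{}");
        if (role != null) {
            // Assumed: createAccessToken(subject, group, roles) takes roles as a List<String> and returns the JWT.
            String token = jwtService.createAccessToken("it-user", "it-group", List.of(role));
            req.header("Authorization", "Bearer " + token);
        }
        mvc.perform(req).andExpect(status().is(expected));
    }
}
```

Rows expecting 200 exercise the handler as well as the security filter, so if a POST endpoint validates its body the `{}` payload needs replacing with a valid one (or the assertion relaxed to "neither 401 nor 403"). The 401 and 403 rows should hold regardless of body, which is exactly the property these tests are meant to pin down.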
