feat: add JWT permission template expansion with cartesian product for multi-value tags

2026-02-23 04:33:45 -05:00
parent a406832bfa
commit d0af741eb8
2 changed files with 222 additions and 0 deletions
--- a/tests/NATS.Server.Tests/PermissionTemplateTests.cs
+++ b/tests/NATS.Server.Tests/PermissionTemplateTests.cs
@@ -0,0 +1,99 @@
+namespace NATS.Server.Tests;
+
+using NATS.Server.Auth.Jwt;
+
+public class PermissionTemplateTests
+{
+    [Fact]
+    public void Expand_name_template()
+    {
+        var result = PermissionTemplates.Expand("user.{{name()}}.>",
+            name: "alice", subject: "UABC", accountName: "acct", accountSubject: "AABC",
+            userTags: [], accountTags: []);
+        result.ShouldBe(["user.alice.>"]);
+    }
+
+    [Fact]
+    public void Expand_subject_template()
+    {
+        var result = PermissionTemplates.Expand("inbox.{{subject()}}.>",
+            name: "alice", subject: "UABC123", accountName: "acct", accountSubject: "AABC",
+            userTags: [], accountTags: []);
+        result.ShouldBe(["inbox.UABC123.>"]);
+    }
+
+    [Fact]
+    public void Expand_account_name_template()
+    {
+        var result = PermissionTemplates.Expand("acct.{{account-name()}}.>",
+            name: "alice", subject: "UABC", accountName: "myaccount", accountSubject: "AABC",
+            userTags: [], accountTags: []);
+        result.ShouldBe(["acct.myaccount.>"]);
+    }
+
+    [Fact]
+    public void Expand_account_subject_template()
+    {
+        var result = PermissionTemplates.Expand("acct.{{account-subject()}}.>",
+            name: "alice", subject: "UABC", accountName: "acct", accountSubject: "AABC456",
+            userTags: [], accountTags: []);
+        result.ShouldBe(["acct.AABC456.>"]);
+    }
+
+    [Fact]
+    public void Expand_tag_template_single_value()
+    {
+        var result = PermissionTemplates.Expand("dept.{{tag(dept)}}.>",
+            name: "alice", subject: "UABC", accountName: "acct", accountSubject: "AABC",
+            userTags: ["dept:engineering"], accountTags: []);
+        result.ShouldBe(["dept.engineering.>"]);
+    }
+
+    [Fact]
+    public void Expand_tag_template_multi_value_cartesian()
+    {
+        var result = PermissionTemplates.Expand("dept.{{tag(dept)}}.>",
+            name: "alice", subject: "UABC", accountName: "acct", accountSubject: "AABC",
+            userTags: ["dept:eng", "dept:sales"], accountTags: []);
+        result.Count.ShouldBe(2);
+        result.ShouldContain("dept.eng.>");
+        result.ShouldContain("dept.sales.>");
+    }
+
+    [Fact]
+    public void Expand_account_tag_template()
+    {
+        var result = PermissionTemplates.Expand("region.{{account-tag(region)}}.>",
+            name: "alice", subject: "UABC", accountName: "acct", accountSubject: "AABC",
+            userTags: [], accountTags: ["region:us-east"]);
+        result.ShouldBe(["region.us-east.>"]);
+    }
+
+    [Fact]
+    public void Expand_no_templates_returns_original()
+    {
+        var result = PermissionTemplates.Expand("foo.bar.>",
+            name: "alice", subject: "UABC", accountName: "acct", accountSubject: "AABC",
+            userTags: [], accountTags: []);
+        result.ShouldBe(["foo.bar.>"]);
+    }
+
+    [Fact]
+    public void Expand_unknown_tag_returns_empty()
+    {
+        var result = PermissionTemplates.Expand("dept.{{tag(missing)}}.>",
+            name: "alice", subject: "UABC", accountName: "acct", accountSubject: "AABC",
+            userTags: ["dept:eng"], accountTags: []);
+        result.ShouldBeEmpty();
+    }
+
+    [Fact]
+    public void ExpandAll_expands_array_of_subjects()
+    {
+        var subjects = new[] { "user.{{name()}}.>", "inbox.{{subject()}}.>" };
+        var result = PermissionTemplates.ExpandAll(subjects,
+            name: "alice", subject: "UABC", accountName: "acct", accountSubject: "AABC",
+            userTags: [], accountTags: []);
+        result.ShouldBe(["user.alice.>", "inbox.UABC.>"]);
+    }
+}