From 094a52944f2ba581af3f0ab1b99cc58d4304ff78 Mon Sep 17 00:00:00 2001
From: zeevdr
Date: Thu, 14 May 2026 20:43:12 +0300
Subject: [PATCH] test(auth): add unit tests for RequireSuperAdmin, RequireAdminOrAbove, IsSuperAdmin These access helpers had no direct tests. The table-driven tests cover all three role levels (superadmin, admin, user) plus the no-claims permissive path for each function. Co-Authored-By: Claude Closes #301
---
 internal/auth/access_test.go | 63 ++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
diff --git a/internal/auth/access_test.go b/internal/auth/access_test.go
index ff42033..8d5536c 100644
--- a/internal/auth/access_test.go
+++ b/internal/auth/access_test.go
@@ -84,3 +84,66 @@ func TestMustHaveClaims_WithClaims(t *testing.T) {
 ctx := ContextWithClaims(context.Background(), &Claims{Role: RoleSuperAdmin})
 assert.NoError(t, MustHaveClaims(ctx))
 }
+
+func TestRequireSuperAdmin(t *testing.T) {
+ tests := []struct {
+ name string
+ claims *Claims
+ wantErr codes.Code
+ }{
+ {"no claims — permissive", nil, codes.OK},
+ {"superadmin — allowed", &Claims{Role: RoleSuperAdmin}, codes.OK},
+ {"admin — denied", &Claims{Role: RoleAdmin}, codes.PermissionDenied},
+ {"user — denied", &Claims{Role: RoleUser}, codes.PermissionDenied},
+ }
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ ctx := context.Background()
+ if tc.claims != nil {
+ ctx = ContextWithClaims(ctx, tc.claims)
+ }
+ err := RequireSuperAdmin(ctx)
+ if tc.wantErr == codes.OK {
+ assert.NoError(t, err)
+ } else {
+ require.Error(t, err)
+ assert.Equal(t, tc.wantErr, status.Code(err))
+ }
+ })
+ }
+}
+
+func TestRequireAdminOrAbove(t *testing.T) {
+ tests := []struct {
+ name string
+ claims *Claims
+ wantErr codes.Code
+ }{
+ {"no claims — permissive", nil, codes.OK},
+ {"superadmin — allowed", &Claims{Role: RoleSuperAdmin}, codes.OK},
+ {"admin — allowed", &Claims{Role: RoleAdmin}, codes.OK},
+ {"user — denied", &Claims{Role: RoleUser}, codes.PermissionDenied},
+ }
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ ctx := context.Background()
+ if tc.claims != nil {
+ ctx = ContextWithClaims(ctx, tc.claims)
+ }
+ err := RequireAdminOrAbove(ctx)
+ if tc.wantErr == codes.OK {
+ assert.NoError(t, err)
+ } else {
+ require.Error(t, err)
+ assert.Equal(t, tc.wantErr, status.Code(err))
+ }
+ })
+ }
+}
+
+func TestIsSuperAdmin(t *testing.T) {
+ assert.True(t, IsSuperAdmin(context.Background()), "no claims — permissive")
+ assert.True(t, IsSuperAdmin(ContextWithClaims(context.Background(), &Claims{Role: RoleSuperAdmin})))
+ assert.False(t, IsSuperAdmin(ContextWithClaims(context.Background(), &Claims{Role: RoleAdmin})))
+ assert.False(t, IsSuperAdmin(ContextWithClaims(context.Background(), &Claims{Role: RoleUser})))
+}
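Review bot: The `"no claims — permissive"` rows in TestRequireSuperAdmin and TestRequireAdminOrAbove, and the first assertion in TestIsSuperAdmin, pin fail-open behaviour (a context with no claims passes the superadmin check) without recording why that is intended. A comment on those cases, along the lines of `// no claims: auth is not enforced on this context; authenticated paths must call MustHaveClaims first`, would keep a later reader from treating the permissive result as a general guarantee; the wording needs confirming against the helpers, which are not visible in this patch. The tables also have no case for claims that are present but carry an unrecognised role. Assuming the helpers are meant to deny a zero-value Role, a row such as `{"empty role — denied", &Claims{}, codes.PermissionDenied},` in both tables, plus a matching `assert.False` in TestIsSuperAdmin, would show that only the named roles pass.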