Coverage for netrun / rbac / __init__.py: 100%
8 statements
1"""
2Netrun RBAC - Multi-tenant Role-Based Access Control with PostgreSQL RLS
4Extracted from Intirkast SaaS platform (85% code reuse, 12h time savings)
6Features:
7- Role hierarchy enforcement (owner > admin > member > viewer)
8- FastAPI dependency injection for route protection
9- PostgreSQL Row-Level Security (RLS) policy generators
10- Tenant context management
11- Resource ownership validation
12- Project-agnostic with placeholder configuration
13- Tenant isolation contract testing utilities (NEW in v2.1)
14- Escape path detection for CI/CD pipelines (NEW in v2.1)
16Usage:
17 from netrun.rbac import require_role, require_roles, TenantContext, RLSPolicyGenerator
19 @app.get("/api/admin/dashboard")
20 async def admin_dashboard(user: dict = Depends(require_role("admin"))):
21 return {"message": "Admin access granted"}
23Testing Tenant Isolation:
24 from netrun.rbac import (
25 assert_tenant_isolation,
26 TenantTestContext,
27 TenantEscapePathScanner,
28 )
30 # Assert query has tenant filter
31 query = select(Item).where(Item.tenant_id == tenant_id)
32 await assert_tenant_isolation(query)
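34 # Test cross-tenant isolation. If isolation relies on RLS, connect as the same non-superuser, non-owner role the application uses: PostgreSQL does not apply RLS to superusers, BYPASSRLS roles, or (without FORCE ROW LEVEL SECURITY) the table owner.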
35 async with TenantTestContext(session) as ctx:
36 # Create data in tenant A, switch to B, verify isolation
37 await ctx.switch_to_tenant_b()
38 items = await session.execute(select(Item))
39 assert len(items.scalars().all()) == 0 # Must not see tenant A's data!
41 # Scan codebase for escape paths (CI/CD); this snippet also needs `import sys` and `ci_fail_on_findings` from netrun.rbac
42 scanner = TenantEscapePathScanner()
43 findings = scanner.scan_directory("./src")
44 sys.exit(ci_fail_on_findings(findings))
45"""
47from .dependencies import (
48 require_role,
49 require_roles,
50 require_owner,
51 require_admin,
52 require_member,
53 check_resource_ownership,
54)
55from .models import Role, Permission, RoleHierarchy
56from .policies import RLSPolicyGenerator
57from .tenant import TenantContext, set_tenant_context, clear_tenant_context
58from .exceptions import (
59 RBACException,
60 InsufficientPermissionsError,
61 TenantIsolationError,
62 ResourceOwnershipError,
63)
65# Tenant Isolation Testing Utilities (v2.1)
66from .testing import (
67 # Core assertions
68 assert_tenant_isolation,
69 assert_tenant_isolation_sync,
70 # Test context management
71 TenantTestContext,
72 tenant_test_context,
73 # Background task handling
74 BackgroundTaskTenantContext,
75 preserve_tenant_context,
76 # Escape path detection
77 TenantEscapePathScanner,
78 EscapePathSeverity,
79 EscapePathFinding,
80 # CI/CD utilities
81 ci_fail_on_findings,
82 # Pytest integration
83 tenant_isolation_test,
84 # Compliance
85 get_compliance_documentation,
86 COMPLIANCE_MAPPING,
87)
# Release identifier of the netrun.rbac package.
__version__ = "2.1.0"

# Names exported by `from netrun.rbac import *`, grouped by the submodule
# they are imported from at the top of this file.
# NOTE(review): the tenant-isolation testing helpers are part of the public
# surface, and this package imports its testing submodule unconditionally,
# so production imports of netrun.rbac load it too. Confirm that submodule
# has no test-only dependencies or side effects.
__all__ = [
    # Route-protection dependencies
    "require_role", "require_roles",
    "require_owner", "require_admin", "require_member",
    "check_resource_ownership",
    # Role and permission models
    "Role", "Permission", "RoleHierarchy",
    # Row-Level Security policy generation
    "RLSPolicyGenerator",
    # Tenant context handling
    "TenantContext", "set_tenant_context", "clear_tenant_context",
    # Exception types
    "RBACException", "InsufficientPermissionsError",
    "TenantIsolationError", "ResourceOwnershipError",
    # Testing: isolation assertions (async and sync)
    "assert_tenant_isolation", "assert_tenant_isolation_sync",
    # Testing: tenant test contexts
    "TenantTestContext", "tenant_test_context",
    # Testing: tenant context across background tasks
    "BackgroundTaskTenantContext", "preserve_tenant_context",
    # Testing: escape path scanner and its finding types
    "TenantEscapePathScanner", "EscapePathSeverity", "EscapePathFinding",
    # Testing: CI/CD and pytest integration
    "ci_fail_on_findings", "tenant_isolation_test",
    # Testing: compliance documentation
    "get_compliance_documentation", "COMPLIANCE_MAPPING",
]