From 49e82d491bdd421e1a087d3e0f351a2146a2fa18 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 11 Aug 2023 14:46:37 +0200
Subject: [PATCH] policies: test for the new GraphQL/MAS scopes

---
 policies/authorization_grant_test.rego | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/policies/authorization_grant_test.rego b/policies/authorization_grant_test.rego
index f852c5d76..924f97a86 100644
--- a/policies/authorization_grant_test.rego
+++ b/policies/authorization_grant_test.rego
@@ -3,6 +3,9 @@ package authorization_grant
 user := {"username": "john"}

 test_standard_scopes {
+ allow with input.user as user
+ with input.authorization_grant as {"scope": ""}
+
 allow with input.user as user
 with input.authorization_grant as {"scope": "openid"}

@@ -61,3 +64,16 @@ test_synapse_admin_scopes {
 with data.admin_users as []
 with input.authorization_grant as {"scope": "urn:synapse:admin:*"}
 }
+
+test_mas_scopes {
+ allow with input.user as user
+ with input.authorization_grant as {"scope": "urn:mas:graphql:*"}
+
+ allow with input.user as user
+ with data.admin_users as ["john"]
+ with input.authorization_grant as {"scope": "urn:mas:admin"}
+
+ not allow with input.user as user
+ with data.admin_users as []
+ with input.authorization_grant as {"scope": "urn:mas:admin"}
+}
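Review bot: The empty-scope case added at the top of `test_standard_scopes` asserts that a grant with `{"scope": ""}` is allowed but carries no comment saying why, and an allow-on-empty assertion in an authorization policy test is easy to mistake for an accident later. I would put `# an empty scope requests no permissions and must still be granted` above it. If the policy splits the scope string into tokens (the rule is not visible in this patch), an empty token may also be accepted inside a longer string, so it is worth deciding whether a doubled space between two scopes should pass and pinning that with its own case. The body of `test_standard_scopes` continues outside the hunk.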
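Review bot: The two `urn:mas:admin` cases in `test_mas_scopes` would both pass against a rule that only checks whether `data.admin_users` is non-empty, because the denied case uses `[]` rather than a list that omits the user. A negative case with another name in the list closes that gap, and a second one requesting `urn:mas:admin` together with `urn:mas:graphql:*` confirms the admin gate still applies when scopes are combined. The first case also leaves `data.admin_users` unset, so its result may depend on whatever data the test run loads; setting it explicitly to `[]` would make the intent clear. The context lines above the new test belong to `test_synapse_admin_scopes`, which starts outside the hunk.

```rego
test_mas_scopes {
	# … unchanged: the three cases added by this commit …

	# constructed sample: an admin list that does not contain the requesting user
	not allow with input.user as user
		with data.admin_users as ["alice"]
		with input.authorization_grant as {"scope": "urn:mas:admin"}

	# the admin scope must stay gated when requested alongside another scope
	not allow with input.user as user
		with data.admin_users as []
		with input.authorization_grant as {"scope": "urn:mas:graphql:* urn:mas:admin"}
}
```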