@KevLehman
Member

@KevLehman KevLehman commented Dec 1, 2025

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • Tests
    • Improved test isolation and randomization of test fixtures.
    • Expanded test coverage with enhanced scenarios for edge cases and multi-attribute enforcement.
    • Enhanced test infrastructure for improved data consistency and scalability verification.

✏️ Tip: You can customize this high-level summary in your review settings.

@dionisio-bot
Contributor

dionisio-bot bot commented Dec 1, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot bot commented Dec 1, 2025

⚠️ No Changeset found

Latest commit: 19e3d1d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Contributor

coderabbitai bot commented Dec 1, 2025

Walkthrough

The changes modify two ABAC test files by randomizing user identifiers, adjusting test isolation mechanisms (removing global beforeEach cleanup), introducing dynamic room identifiers (rid), reorganizing test initialization order, and expanding test coverage with granular scenarios for user-auto-removal behavior including new key/value additions, multi-attribute enforcement, and idempotency cases.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Test fixture randomization: ee/packages/abac/src/subject-attributes-validations.spec.ts | Replaces fixed user _id and username values with randomized strings; removes global users collection cleanup from beforeEach |
| Dynamic room IDs and expanded test coverage: ee/packages/abac/src/user-auto-removal.spec.ts | Introduces dynamic room identifiers (rid) propagated through room documents; replaces hard-coded room/user relationships with explicit __rooms construction; adjusts test setup to insert init document after model registration; removes defsCol cleanup; adds granular test scenarios (new key/value, multi-attribute, idempotency, edge cases) with new test ID suffixes; adds extraRooms to population scenario |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–25 minutes

  • Test isolation changes: Verify that removing global beforeEach cleanup doesn't cause test interdependencies or flakiness due to randomized identifiers
  • Dynamic room ID propagation: Confirm rid is correctly threaded through room documents, insertRoom return values, and all test assertions
  • New test scenarios: Validate that all new test cases (_newkey, _newval, _idem, _superset, _misskey, _multi suffixes) correctly cover intended behaviors and expectations align with logic being tested
  • Test setup reordering: Ensure init document insertion after model registration doesn't affect test behavior or create race conditions

Possibly related PRs

Suggested reviewers

  • tassoevan
  • d-gubert

Poem

🐰 A rabbit hops through randomized test fields,
No static IDs, just chaos it yields!
Room IDs dance, new scenarios bloom—
Idempotent tests clear the gloom.
With fixtures freed and coverage wide,
ABAC's heart beats strong with pride! 🌱

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'test: Fix abac tests' is vague and generic, using the non-descriptive term 'Fix' without conveying specific information about the actual changes made. | Replace with a more specific title that describes the actual changes, such as 'test: Randomize fixtures and expand abac test coverage' or 'test: Refactor abac test setup and add comprehensive test scenarios'. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch test/units

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Contributor

github-actions bot commented Dec 1, 2025

📦 Docker Image Size Report

📈 Changes

Service Current Baseline Change Percent
sum of all images 1.2GiB 1.2GiB +12MiB
rocketchat 359MiB 347MiB +12MiB
omnichannel-transcript-service 132MiB 132MiB +11KiB
queue-worker-service 132MiB 132MiB +12KiB
ddp-streamer-service 127MiB 127MiB +9.5KiB
account-service 114MiB 114MiB +8.1KiB
authorization-service 111MiB 111MiB +60KiB
stream-hub-service 111MiB 111MiB +7.7KiB
presence-service 111MiB 111MiB +11KiB

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/15 22:28", "11/16 01:28", "11/17 23:50", "11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 15:59", "12/01 19:32 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "queue-worker-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "rocketchat" [0.36, 0.36, 0.35, 0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.35]
  line "stream-hub-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]

Statistics (last 10 days):

  • 📊 Average: 1.5GiB
  • ⬇️ Minimum: 1.2GiB
  • ⬆️ Maximum: 1.6GiB
  • 🎯 Current PR: 1.2GiB
ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

  • Tag: pr-37658
  • Baseline: develop
  • Timestamp: 2025-12-01 19:32:22 UTC
  • Historical data points: 10

Updated: Mon, 01 Dec 2025 19:32:22 GMT

@codecov

codecov bot commented Dec 1, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (feat/abac@3726aff). Learn more about missing BASE report.

Additional details and impacted files


@@             Coverage Diff              @@
##             feat/abac   #37658   +/-   ##
============================================
  Coverage             ?   54.30%           
============================================
  Files                ?     2657           
  Lines                ?    50112           
  Branches             ?    11207           
============================================
  Hits                 ?    27212           
  Misses               ?    20727           
  Partials             ?     2173           
Flag Coverage Δ
e2e 57.29% <ø> (?)
e2e-api 43.64% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@KevLehman KevLehman marked this pull request as ready for review December 1, 2025 21:15
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
ee/packages/abac/src/subject-attributes-validations.spec.ts (1)

37-47: Randomized test user IDs/username look good; rely on overrides when needed

Using Math.random() in makeUser for _id and username is a reasonable way to avoid cross-test collisions now that you’re not globally clearing the users collection. Overrides still win, so scenarios like “no _id” remain testable. If you ever need fully deterministic runs across environments, consider swapping to a simple counter-based generator, but that’s a low‑priority refinement.

ee/packages/abac/src/user-auto-removal.spec.ts (1)

46-55: Dynamic rid and explicit __rooms wiring improve isolation; member flag now unused

insertRoom returning a dynamically generated rid and using it consistently (including in name) avoids hard‑coded IDs and cross‑test coupling, while __rooms: u.extraRooms || [] makes room membership explicit at the call site. Moving the abac_dummy_init insert after registerServiceModels also keeps the model registration order clean. The only minor nit is that the member?: boolean field in the insertUsers parameter type is no longer used; you could drop it (and the corresponding arguments) to avoid confusion, but it doesn’t affect correctness.

Also applies to: 75-76, 83-93

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3726aff and 19e3d1d.

📒 Files selected for processing (2)
  • ee/packages/abac/src/subject-attributes-validations.spec.ts (1 hunks)
  • ee/packages/abac/src/user-auto-removal.spec.ts (9 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • ee/packages/abac/src/subject-attributes-validations.spec.ts
  • ee/packages/abac/src/user-auto-removal.spec.ts
**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

  • ee/packages/abac/src/subject-attributes-validations.spec.ts
  • ee/packages/abac/src/user-auto-removal.spec.ts
🧠 Learnings (13)
📓 Common learnings
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure tests run reliably in parallel without shared state conflicts

Applied to files:

  • ee/packages/abac/src/subject-attributes-validations.spec.ts
  • ee/packages/abac/src/user-auto-removal.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Maintain test isolation between test cases in Playwright tests

Applied to files:

  • ee/packages/abac/src/subject-attributes-validations.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure clean state for each test execution in Playwright tests

Applied to files:

  • ee/packages/abac/src/subject-attributes-validations.spec.ts
  • ee/packages/abac/src/user-auto-removal.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (`test`, `page`, `expect`) for consistency in test files

Applied to files:

  • ee/packages/abac/src/subject-attributes-validations.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Group related tests in the same file

Applied to files:

  • ee/packages/abac/src/subject-attributes-validations.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `expect` matchers for assertions (`toEqual`, `toContain`, `toBeTruthy`, `toHaveLength`, etc.) instead of `assert` statements in Playwright tests

Applied to files:

  • ee/packages/abac/src/subject-attributes-validations.spec.ts
📚 Learning: 2025-11-27T17:56:26.050Z
Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37557
File: apps/meteor/client/views/admin/ABAC/AdminABACRooms.tsx:115-116
Timestamp: 2025-11-27T17:56:26.050Z
Learning: In Rocket.Chat, the GET /v1/abac/rooms endpoint (implemented in ee/packages/abac/src/index.ts) only returns rooms where abacAttributes exists and is not an empty array (query: { abacAttributes: { $exists: true, $ne: [] } }). Therefore, in components consuming this endpoint (like AdminABACRooms.tsx), room.abacAttributes is guaranteed to be defined for all returned rooms, and optional chaining before calling array methods like .join() is sufficient without additional null coalescing.

Applied to files:

  • ee/packages/abac/src/user-auto-removal.spec.ts
📚 Learning: 2025-10-27T14:38:46.994Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

Applied to files:

  • ee/packages/abac/src/user-auto-removal.spec.ts
📚 Learning: 2025-10-28T16:53:42.761Z
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37205
File: ee/packages/federation-matrix/src/FederationMatrix.ts:296-301
Timestamp: 2025-10-28T16:53:42.761Z
Learning: In the Rocket.Chat federation-matrix integration (ee/packages/federation-matrix/), the createRoom method from rocket.chat/federation-sdk will support a 4-argument signature (userId, roomName, visibility, displayName) in newer versions. Code using this 4-argument call is forward-compatible with planned library updates and should not be flagged as an error.

Applied to files:

  • ee/packages/abac/src/user-auto-removal.spec.ts
📚 Learning: 2025-09-25T09:59:26.461Z
Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings (mapping subscription documents to room IDs), never undefined, even when user has no room subscriptions.

Applied to files:

  • ee/packages/abac/src/user-auto-removal.spec.ts
📚 Learning: 2025-09-25T09:59:26.461Z
Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings by mapping subscription documents to room IDs, never undefined, even when user has no room subscriptions.

Applied to files:

  • ee/packages/abac/src/user-auto-removal.spec.ts
📚 Learning: 2025-10-24T17:32:05.348Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

Applied to files:

  • ee/packages/abac/src/user-auto-removal.spec.ts
🔇 Additional comments (7)
ee/packages/abac/src/user-auto-removal.spec.ts (7)

112-124: “New key addition” scenario reads well and validates all expected user outcomes

The setRoomAbacAttributes “new key addition” test now uses a per-test rid and extraRooms: [rid] to seed membership, and the audited/remaining sets (u2_newkey, u3_newkey removed; u1_newkey, u4_newkey kept; u5_newkey ignored as non‑member) match the described semantics for adding a new required key/value set. The spy on onRoomAttributesChanged also validates that the hook sees the correct room document. This is solid coverage.

Also applies to: 135-151


153-160: Duplicate room attribute values test correctly guards set semantics

The “duplicate values” test around setRoomAbacAttributes with ['eng', 'eng', 'sales'] nicely asserts that duplicates don’t change behavior: only u2_dupvals (missing sales) is audited and removed, while u1_dupvals stays in __rooms. The expectations on auditSpy and the per‑user __rooms projections line up with the intended set‑based evaluation.

Also applies to: 166-175


178-188: New‑value vs removal‑only paths are clearly distinguished

The updateRoomAbacAttributeValues tests cleanly separate:

  • adding a new required value (['eng'] → ['eng', 'sales']), where u2_newval is correctly audited and removed while superset users remain; and
  • removal‑only updates (['eng', 'sales'] → ['eng']), where auditSpy is not called and both u1_rmval/u2_rmval keep their rid membership.

This gives good signal that the implementation only triggers reevaluation/user removals on “growth” of requirements, not on relaxations.

Also applies to: 193-205, 207-227


230-288: Multi‑attribute (AND) enforcement scenario is comprehensive

The multi‑attribute setRoomAbacAttributes test covers:

  • a user becoming compliant after expansion (u1_multi),
  • missing secondary key (u2_multi),
  • missing primary key (u3_multi),
  • full superset (u4_multi),
  • and partial mismatch (u5_multi).

The assertions on auditSpy (exactly u2_multi, u3_multi, u5_multi) and the memberships map (only u1_multi and u4_multi retaining rid) provide strong coverage for AND semantics across multiple keys.

Also applies to: 291-298, 299-307


311-345: Idempotency test correctly proves no extra removals or logs on repeated calls

The idempotency test demonstrates the intended behavior well: first call to setRoomAbacAttributes audits and removes only u2_idem, and the second identical call produces no new Audit.actionPerformed calls and leaves __rooms unchanged. Clearing the spies between calls keeps the expectations sharp. This is a good guard against accidental non‑idempotent logic in onRoomAttributesChanged.


348-371: Superset and missing‑key edge cases are covered cleanly

The “superset” test confirms that a user with exactly the required values plus extras (u1_superset) remains while a user missing one required value (u2_superset) is audited and removed. The “missing attribute key” test then exercises users with a different key (dept), no ABAC attributes at all, and a correct region, asserting that only u2_misskey and u3_misskey are audited/removed and u1_misskey stays. Together these cover both value‑subset and key‑presence edge conditions.

Also applies to: 373-402


405-441: Large population test is a good lightweight performance and correctness sanity check

The “large member set” test with 300 users (half compliant, half missing a value) is a nice balance between realism and runtime: it validates that exactly 150 users are audited and removed, specific odd/even IDs behave as expected, and usersCol.countDocuments({ __rooms: rid }) returns 150. This should help catch regressions in both correctness and any obvious O(N²) behavior without being too heavy for the test suite.
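
The enforcement semantics the review comments above describe (every required value per key, AND across keys, non-members ignored, no re-evaluation when requirements only shrink, no new audits on a repeated call), as an added TypeScript sketch. It is not Rocket.Chat's code: the type and function names, the room id, the `emea`/`apac`/`hr` values and the sample users are all constructed for illustration.

```typescript
// Added illustration: hypothetical types and names, not Rocket.Chat's implementation.
type Attribute = { key: string; values: string[] };
type User = { _id: string; abacAttributes?: Attribute[]; __rooms: string[] };

// All values listed for one key (an absent key yields an empty list).
function valuesFor(attrs: Attribute[] | undefined, key: string): string[] {
  return (attrs || []).filter((a) => a.key === key)
    .reduce<string[]>((acc, a) => acc.concat(a.values), []);
}

// Compliant = for every required key (AND), the user holds every required value.
// Extra user values and duplicated required values do not change the outcome.
function isCompliant(user: User, required: Attribute[]): boolean {
  return required.every((req) => {
    const held = valuesFor(user.abacAttributes, req.key);
    return req.values.every((v) => held.indexOf(v) !== -1);
  });
}

// True only when `next` demands a key or value that `prev` did not.
function requirementsGrew(prev: Attribute[], next: Attribute[]): boolean {
  return next.some((n) => {
    const before = valuesFor(prev, n.key);
    return n.values.some((v) => before.indexOf(v) === -1);
  });
}

// Removes non-compliant members of `rid`, recording one audit entry per removal.
function applyRoomAttributes(
  rid: string, prev: Attribute[], next: Attribute[], users: User[], audit: string[],
): string[] {
  if (!requirementsGrew(prev, next)) return []; // relaxations never remove anyone
  const removed: string[] = [];
  for (const user of users) {
    if (user.__rooms.indexOf(rid) === -1) continue; // non-members are ignored
    if (isCompliant(user, next)) continue;
    user.__rooms = user.__rooms.filter((r) => r !== rid);
    audit.push(user._id);
    removed.push(user._id);
  }
  return removed;
}

// Constructed sample population: u6 is not a member of the room.
function demo() {
  const rid = 'room_constructed';
  const users: User[] = [
    { _id: 'u1', abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }, { key: 'region', values: ['emea'] }], __rooms: [rid] },
    { _id: 'u2', abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }], __rooms: [rid] },
    { _id: 'u3', abacAttributes: [{ key: 'region', values: ['emea'] }], __rooms: [rid] },
    { _id: 'u4', abacAttributes: [{ key: 'dept', values: ['eng', 'sales', 'hr'] }, { key: 'region', values: ['emea', 'apac'] }], __rooms: [rid] },
    { _id: 'u5', abacAttributes: [{ key: 'dept', values: ['eng'] }, { key: 'region', values: ['emea'] }], __rooms: [rid] },
    { _id: 'u6', __rooms: [] },
  ];
  const audit: string[] = [];
  const before = [{ key: 'dept', values: ['eng'] }];
  const after = [{ key: 'dept', values: ['eng', 'eng', 'sales'] }, { key: 'region', values: ['emea'] }];
  const first = applyRoomAttributes(rid, before, after, users, audit);
  const repeat = applyRoomAttributes(rid, after, after, users, audit);
  const relaxed = applyRoomAttributes(rid, after, before, users, audit);
  const remaining = users.filter((u) => u.__rooms.indexOf(rid) !== -1).map((u) => u._id);
  return { first, repeat, relaxed, remaining, audit };
}
```
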

@KevLehman KevLehman merged commit c306bcd into feat/abac Dec 1, 2025
88 of 91 checks passed
@KevLehman KevLehman deleted the test/units branch December 1, 2025 21:25
KevLehman added a commit that referenced this pull request Dec 2, 2025
KevLehman added a commit that referenced this pull request Dec 8, 2025
KevLehman added a commit that referenced this pull request Dec 10, 2025
KevLehman added a commit that referenced this pull request Dec 15, 2025
MartinSchoeler pushed a commit that referenced this pull request Dec 17, 2025