rs_tenant/

engine.rs

use crate::cache::{Cache, NoCache};
use crate::error::{Error, Result};
use crate::permission::{Permission, permission_matches, resource_matches};
use crate::store::{ScopeStore, Store};
use crate::types::{PrincipalId, ResourceName, RoleId, ScopePath, TenantId};
use std::collections::HashSet;

const CACHE_SIGNATURE_PREFIX: &str = "__rs_tenant_cache_sig__=";

/// Authorization decision.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    /// Permission is granted.
    Allow,
    /// Permission is denied.
    Deny,
}

/// Scope result for resource filtering.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Scope {
    /// No access to the resource.
    None,
    /// Access limited to a tenant.
    TenantOnly { tenant: TenantId },
}

/// RBAC engine with pluggable store and optional cache.
#[derive(Debug)]
pub struct Engine<S, C = NoCache> {
    store: S,
    cache: C,
    cache_signature_marker: Permission,
    enable_role_hierarchy: bool,
    enable_wildcard: bool,
    enable_super_admin: bool,
    max_inherit_depth: usize,
    permission_normalize: bool,
}

/// Builder for [`Engine`].
pub struct EngineBuilder<S, C = NoCache> {
    store: S,
    cache: C,
    enable_role_hierarchy: bool,
    enable_wildcard: bool,
    enable_super_admin: bool,
    max_inherit_depth: usize,
    permission_normalize: bool,
}

impl<S> EngineBuilder<S, NoCache> {
    /// Creates a new builder with default configuration.
    pub fn new(store: S) -> Self {
        Self {
            store,
            cache: NoCache,
            enable_role_hierarchy: false,
            enable_wildcard: false,
            enable_super_admin: false,
            max_inherit_depth: 16,
            permission_normalize: true,
        }
    }
}

impl<S, C> EngineBuilder<S, C> {
    /// Enables or disables role inheritance.
    pub fn enable_role_hierarchy(mut self, on: bool) -> Self {
        self.enable_role_hierarchy = on;
        self
    }

    /// Enables or disables wildcard permission matching.
    pub fn enable_wildcard(mut self, on: bool) -> Self {
        self.enable_wildcard = on;
        self
    }

    /// Enables or disables super-admin short-circuit checks.
    pub fn enable_super_admin(mut self, on: bool) -> Self {
        self.enable_super_admin = on;
        self
    }

    /// Sets maximum inheritance depth.
    pub fn max_inherit_depth(mut self, depth: usize) -> Self {
        self.max_inherit_depth = depth;
        self
    }

    /// Enables or disables permission normalization for matching.
    pub fn permission_normalize(mut self, on: bool) -> Self {
        self.permission_normalize = on;
        self
    }

    /// Sets the cache implementation.
    pub fn cache<C2: Cache>(self, cache: C2) -> EngineBuilder<S, C2> {
        EngineBuilder {
            store: self.store,
            cache,
            enable_role_hierarchy: self.enable_role_hierarchy,
            enable_wildcard: self.enable_wildcard,
            enable_super_admin: self.enable_super_admin,
            max_inherit_depth: self.max_inherit_depth,
            permission_normalize: self.permission_normalize,
        }
    }

    /// Builds the engine.
    pub fn build(self) -> Engine<S, C> {
        let cache_signature_marker = Permission::from_string(format!(
            "{CACHE_SIGNATURE_PREFIX}rh:{};wc:{};sa:{};depth:{};norm:{}",
            u8::from(self.enable_role_hierarchy),
            u8::from(self.enable_wildcard),
            u8::from(self.enable_super_admin),
            self.max_inherit_depth,
            u8::from(self.permission_normalize),
        ));

        Engine {
            store: self.store,
            cache: self.cache,
            cache_signature_marker,
            enable_role_hierarchy: self.enable_role_hierarchy,
            enable_wildcard: self.enable_wildcard,
            enable_super_admin: self.enable_super_admin,
            max_inherit_depth: self.max_inherit_depth,
            permission_normalize: self.permission_normalize,
        }
    }
}

impl<S, C> Engine<S, C>
where
    S: Store,
    C: Cache,
{
    /// Authorizes a principal for a permission within a tenant.
    pub async fn authorize(
        &self,
        tenant: TenantId,
        principal: PrincipalId,
        permission: Permission,
    ) -> Result<Decision> {
        self.authorize_ref(&tenant, &principal, &permission).await
    }

    /// Authorizes a principal for a permission within a tenant.
    pub async fn authorize_ref(
        &self,
        tenant: &TenantId,
        principal: &PrincipalId,
        permission: &Permission,
    ) -> Result<Decision> {
        if !self.store.tenant_active_ref(tenant).await? {
            return Ok(Decision::Deny);
        }
        if self.enable_super_admin && self.store.is_super_admin_ref(principal).await? {
            return Ok(Decision::Allow);
        }
        if !self.store.principal_active_ref(tenant, principal).await? {
            return Ok(Decision::Deny);
        }

        let permissions = self.effective_permissions(tenant, principal).await?;
        let allowed = permissions.iter().any(|granted| {
            permission_matches(
                granted,
                permission,
                self.enable_wildcard,
                self.permission_normalize,
            )
        });

        Ok(if allowed {
            Decision::Allow
        } else {
            Decision::Deny
        })
    }

    /// Computes scope for a resource within a tenant.
    pub async fn scope(
        &self,
        tenant: TenantId,
        principal: PrincipalId,
        resource: ResourceName,
    ) -> Result<Scope> {
        self.scope_ref(&tenant, &principal, &resource).await
    }

    /// Computes scope for a resource within a tenant.
    pub async fn scope_ref(
        &self,
        tenant: &TenantId,
        principal: &PrincipalId,
        resource: &ResourceName,
    ) -> Result<Scope> {
        if !self.store.tenant_active_ref(tenant).await? {
            return Ok(Scope::None);
        }
        if self.enable_super_admin && self.store.is_super_admin_ref(principal).await? {
            return Ok(Scope::TenantOnly {
                tenant: tenant.clone(),
            });
        }
        if !self.store.principal_active_ref(tenant, principal).await? {
            return Ok(Scope::None);
        }

        let permissions = self.effective_permissions(tenant, principal).await?;
        let allowed = permissions.iter().any(|granted| {
            resource_matches(
                granted,
                resource,
                self.enable_wildcard,
                self.permission_normalize,
            )
        });

        Ok(if allowed {
            Scope::TenantOnly {
                tenant: tenant.clone(),
            }
        } else {
            Scope::None
        })
    }

    async fn effective_permissions(
        &self,
        tenant: &TenantId,
        principal: &PrincipalId,
    ) -> Result<Vec<Permission>> {
        if let Some(cached) = self.cache.get_permissions(tenant, principal).await
            && let Some(perms) = self.decode_cached_permissions(cached)
        {
            return Ok(perms);
        }

        let direct_roles = self.store.principal_roles_ref(tenant, principal).await?;
        let roles = if self.enable_role_hierarchy {
            self.expand_roles(tenant, direct_roles).await?
        } else {
            direct_roles
        };

        let mut permissions = HashSet::new();
        for role in roles {
            let role_permissions = self.store.role_permissions_ref(tenant, &role).await?;
            permissions.extend(role_permissions);
        }

        let global_roles = self.store.global_roles_ref(principal).await?;
        for role in global_roles {
            let global_permissions = self.store.global_role_permissions_ref(&role).await?;
            permissions.extend(global_permissions);
        }

        let perms: Vec<Permission> = permissions.into_iter().collect();
        let cached = self.encode_cached_permissions(perms.clone());
        self.cache.set_permissions(tenant, principal, cached).await;
        Ok(perms)
    }

    fn encode_cached_permissions(&self, perms: Vec<Permission>) -> Vec<Permission> {
        let mut cached = Vec::with_capacity(perms.len() + 1);
        cached.push(self.cache_signature_marker.clone());
        cached.extend(perms);
        cached
    }

    fn decode_cached_permissions(&self, cached: Vec<Permission>) -> Option<Vec<Permission>> {
        let mut iter = cached.into_iter();
        let marker = iter.next()?;
        if marker != self.cache_signature_marker {
            return None;
        }
        Some(iter.collect())
    }

    async fn expand_roles(&self, tenant: &TenantId, roles: Vec<RoleId>) -> Result<Vec<RoleId>> {
        let mut visited = HashSet::new();
        let mut visiting = HashSet::new();
        let mut output = Vec::new();

        for role in roles {
            if visited.contains(&role) {
                continue;
            }
            self.expand_from_role(tenant, role, &mut visited, &mut visiting, &mut output)
                .await?;
        }

        Ok(output)
    }

    async fn expand_from_role(
        &self,
        tenant: &TenantId,
        role: RoleId,
        visited: &mut HashSet<RoleId>,
        visiting: &mut HashSet<RoleId>,
        output: &mut Vec<RoleId>,
    ) -> Result<()> {
        let parents = self.store.role_inherits_ref(tenant, &role).await?;
        visiting.insert(role.clone());
        output.push(role.clone());

        let mut stack: Vec<(RoleId, usize, std::vec::IntoIter<RoleId>)> =
            vec![(role, 0, parents.into_iter())];

        while let Some((current, depth, mut iter)) = stack.pop() {
            if let Some(parent) = iter.next() {
                stack.push((current.clone(), depth, iter));

                let next_depth = depth + 1;
                if next_depth > self.max_inherit_depth {
                    return Err(Error::RoleDepthExceeded {
                        tenant: tenant.clone(),
                        role: parent,
                        max_depth: self.max_inherit_depth,
                    });
                }
                if visiting.contains(&parent) {
                    return Err(Error::RoleCycleDetected {
                        tenant: tenant.clone(),
                        role: parent,
                    });
                }
                if visited.contains(&parent) {
                    continue;
                }

                let parents = self.store.role_inherits_ref(tenant, &parent).await?;
                visiting.insert(parent.clone());
                output.push(parent.clone());
                stack.push((parent, next_depth, parents.into_iter()));
                continue;
            }

            visiting.remove(&current);
            visited.insert(current);
        }

        Ok(())
    }
}

impl<S, C> Engine<S, C>
where
    S: Store + ScopeStore,
    C: Cache,
{
    /// Authorizes a principal for a permission and target scope within a tenant.
    pub async fn authorize_with_scope(
        &self,
        tenant: TenantId,
        principal: PrincipalId,
        permission: Permission,
        target_scope: ScopePath,
    ) -> Result<Decision> {
        self.authorize_with_scope_ref(&tenant, &principal, &permission, &target_scope)
            .await
    }

    /// Authorizes a principal for a permission and target scope within a tenant.
    pub async fn authorize_with_scope_ref(
        &self,
        tenant: &TenantId,
        principal: &PrincipalId,
        permission: &Permission,
        target_scope: &ScopePath,
    ) -> Result<Decision> {
        let decision = self.authorize_ref(tenant, principal, permission).await?;
        if decision == Decision::Deny {
            return Ok(Decision::Deny);
        }

        if self.enable_super_admin && self.store.is_super_admin_ref(principal).await? {
            return Ok(Decision::Allow);
        }

        let allowed = self
            .store
            .scope_allows_ref(tenant, principal, target_scope)
            .await?;
        Ok(if allowed {
            Decision::Allow
        } else {
            Decision::Deny
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::permission::Permission;
    use crate::store::{GlobalRoleStore, RoleStore, ScopeStore, TenantStore};
    use crate::types::{GlobalRoleId, PrincipalId, ResourceName, RoleId, ScopePath, TenantId};
    use async_trait::async_trait;
    use futures::executor::block_on;
    use std::collections::HashMap;

    #[derive(Default, Clone)]
    struct TestStore {
        tenant_active: bool,
        principal_active: bool,
        super_admin: bool,
        roles: Vec<RoleId>,
        role_permissions: HashMap<RoleId, Vec<Permission>>,
        role_inherits: HashMap<RoleId, Vec<RoleId>>,
        global_roles: HashMap<PrincipalId, Vec<GlobalRoleId>>,
        global_role_permissions: HashMap<GlobalRoleId, Vec<Permission>>,
        principal_scopes: HashMap<PrincipalId, ScopePath>,
    }

    fn active_store() -> TestStore {
        TestStore {
            tenant_active: true,
            principal_active: true,
            ..TestStore::default()
        }
    }

    fn principal(account_id: &str) -> PrincipalId {
        PrincipalId::try_from_parts("user", account_id).expect("principal id")
    }

    #[async_trait]
    impl TenantStore for TestStore {
        async fn tenant_active(
            &self,
            _tenant: TenantId,
        ) -> std::result::Result<bool, crate::StoreError> {
            Ok(self.tenant_active)
        }

        async fn principal_active(
            &self,
            _tenant: TenantId,
            _principal: PrincipalId,
        ) -> std::result::Result<bool, crate::StoreError> {
            Ok(self.principal_active)
        }
    }

    #[async_trait]
    impl RoleStore for TestStore {
        async fn principal_roles(
            &self,
            _tenant: TenantId,
            _principal: PrincipalId,
        ) -> std::result::Result<Vec<RoleId>, crate::StoreError> {
            Ok(self.roles.clone())
        }

        async fn role_permissions(
            &self,
            _tenant: TenantId,
            role: RoleId,
        ) -> std::result::Result<Vec<Permission>, crate::StoreError> {
            Ok(self
                .role_permissions
                .get(&role)
                .cloned()
                .unwrap_or_default())
        }

        async fn role_inherits(
            &self,
            _tenant: TenantId,
            role: RoleId,
        ) -> std::result::Result<Vec<RoleId>, crate::StoreError> {
            Ok(self.role_inherits.get(&role).cloned().unwrap_or_default())
        }
    }

    #[async_trait]
    impl GlobalRoleStore for TestStore {
        async fn global_roles(
            &self,
            principal: PrincipalId,
        ) -> std::result::Result<Vec<GlobalRoleId>, crate::StoreError> {
            Ok(self
                .global_roles
                .get(&principal)
                .cloned()
                .unwrap_or_default())
        }

        async fn global_role_permissions(
            &self,
            role: GlobalRoleId,
        ) -> std::result::Result<Vec<Permission>, crate::StoreError> {
            Ok(self
                .global_role_permissions
                .get(&role)
                .cloned()
                .unwrap_or_default())
        }

        async fn is_super_admin(
            &self,
            _principal: PrincipalId,
        ) -> std::result::Result<bool, crate::StoreError> {
            Ok(self.super_admin)
        }
    }

    #[async_trait]
    impl ScopeStore for TestStore {
        async fn principal_scope_path(
            &self,
            _tenant: TenantId,
            principal: PrincipalId,
        ) -> std::result::Result<Option<ScopePath>, crate::StoreError> {
            Ok(self.principal_scopes.get(&principal).cloned())
        }
    }

    #[test]
    fn authorize_should_allow_exact_permission() {
        let mut store = active_store();

        let role = RoleId::try_from("role_a").unwrap();
        store.roles = vec![role.clone()];
        store
            .role_permissions
            .insert(role, vec![Permission::try_from("invoice:read").unwrap()]);

        let engine = EngineBuilder::new(store).build();
        let decision = block_on(engine.authorize(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            Permission::try_from("invoice:read").unwrap(),
        ))
        .unwrap();

        assert_eq!(decision, Decision::Allow);
    }

    #[test]
    fn authorize_should_deny_when_tenant_inactive() {
        let store = TestStore {
            tenant_active: false,
            principal_active: true,
            ..TestStore::default()
        };

        let engine = EngineBuilder::new(store).build();
        let decision = block_on(engine.authorize(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            Permission::try_from("invoice:read").unwrap(),
        ))
        .unwrap();

        assert_eq!(decision, Decision::Deny);
    }

    #[test]
    fn authorize_should_allow_with_wildcard_when_enabled() {
        let mut store = active_store();

        let role = RoleId::try_from("role_a").unwrap();
        store.roles = vec![role.clone()];
        store
            .role_permissions
            .insert(role, vec![Permission::try_from("invoice:*").unwrap()]);

        let engine = EngineBuilder::new(store).enable_wildcard(true).build();
        let decision = block_on(engine.authorize(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            Permission::try_from("invoice:read").unwrap(),
        ))
        .unwrap();

        assert_eq!(decision, Decision::Allow);
    }

    #[test]
    fn authorize_should_deny_wildcard_when_disabled() {
        let mut store = active_store();

        let role = RoleId::try_from("role_a").unwrap();
        store.roles = vec![role.clone()];
        store
            .role_permissions
            .insert(role, vec![Permission::try_from("invoice:*").unwrap()]);

        let engine = EngineBuilder::new(store).build();
        let decision = block_on(engine.authorize(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            Permission::try_from("invoice:read").unwrap(),
        ))
        .unwrap();

        assert_eq!(decision, Decision::Deny);
    }

    #[test]
    fn authorize_should_allow_via_global_role() {
        let mut store = active_store();

        let principal = principal("user_1");
        let global_role = GlobalRoleId::try_from("global_admin").unwrap();
        store
            .global_roles
            .insert(principal.clone(), vec![global_role.clone()]);
        store.global_role_permissions.insert(
            global_role,
            vec![Permission::try_from("invoice:read").unwrap()],
        );

        let engine = EngineBuilder::new(store).build();
        let decision = block_on(engine.authorize(
            TenantId::try_from("tenant_1").unwrap(),
            principal,
            Permission::try_from("invoice:read").unwrap(),
        ))
        .unwrap();

        assert_eq!(decision, Decision::Allow);
    }

    #[test]
    fn authorize_with_scope_should_allow_when_scope_is_ancestor() {
        let mut store = active_store();

        let principal = principal("user_1");
        store.principal_scopes.insert(
            principal.clone(),
            ScopePath::new("agent/123").expect("scope path"),
        );

        let role = RoleId::try_from("role_a").unwrap();
        store.roles = vec![role.clone()];
        store
            .role_permissions
            .insert(role, vec![Permission::try_from("invoice:read").unwrap()]);

        let engine = EngineBuilder::new(store).build();
        let decision = block_on(engine.authorize_with_scope(
            TenantId::try_from("tenant_1").unwrap(),
            principal,
            Permission::try_from("invoice:read").unwrap(),
            ScopePath::new("agent/123/store/456").expect("scope path"),
        ))
        .unwrap();

        assert_eq!(decision, Decision::Allow);
    }

    #[test]
    fn authorize_with_scope_should_deny_when_scope_not_allowed() {
        let mut store = active_store();

        let principal = principal("user_1");
        store.principal_scopes.insert(
            principal.clone(),
            ScopePath::new("agent/123/store/111").expect("scope path"),
        );

        let role = RoleId::try_from("role_a").unwrap();
        store.roles = vec![role.clone()];
        store
            .role_permissions
            .insert(role, vec![Permission::try_from("invoice:read").unwrap()]);

        let engine = EngineBuilder::new(store).build();
        let decision = block_on(engine.authorize_with_scope(
            TenantId::try_from("tenant_1").unwrap(),
            principal,
            Permission::try_from("invoice:read").unwrap(),
            ScopePath::new("agent/123/store/456").expect("scope path"),
        ))
        .unwrap();

        assert_eq!(decision, Decision::Deny);
    }

    #[test]
    fn scope_should_return_tenant_only_when_resource_matches() {
        let mut store = active_store();

        let role = RoleId::try_from("role_a").unwrap();
        store.roles = vec![role.clone()];
        store
            .role_permissions
            .insert(role, vec![Permission::try_from("invoice:read").unwrap()]);

        let engine = EngineBuilder::new(store).build();
        let scope = block_on(engine.scope(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            ResourceName::try_from("invoice").unwrap(),
        ))
        .unwrap();

        assert!(matches!(scope, Scope::TenantOnly { .. }));
    }

    #[test]
    fn scope_should_return_none_when_resource_not_allowed() {
        let mut store = active_store();

        let role = RoleId::try_from("role_a").unwrap();
        store.roles = vec![role.clone()];
        store
            .role_permissions
            .insert(role, vec![Permission::try_from("invoice:read").unwrap()]);

        let engine = EngineBuilder::new(store).build();
        let scope = block_on(engine.scope(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            ResourceName::try_from("customer").unwrap(),
        ))
        .unwrap();

        assert_eq!(scope, Scope::None);
    }

    #[test]
    fn scope_should_ignore_wildcard_permission_when_disabled() {
        let mut store = active_store();

        let role = RoleId::try_from("role_a").unwrap();
        store.roles = vec![role.clone()];
        store
            .role_permissions
            .insert(role, vec![Permission::try_from("invoice:*").unwrap()]);

        let engine = EngineBuilder::new(store).build();
        let scope = block_on(engine.scope(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            ResourceName::try_from("invoice").unwrap(),
        ))
        .unwrap();

        assert_eq!(scope, Scope::None);
    }

    #[test]
    fn super_admin_should_allow_when_enabled_without_permissions() {
        let mut store = active_store();
        store.super_admin = true;
        store.principal_active = false;

        let engine = EngineBuilder::new(store).enable_super_admin(true).build();
        let decision = block_on(engine.authorize(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            Permission::try_from("invoice:delete").unwrap(),
        ))
        .unwrap();

        assert_eq!(decision, Decision::Allow);
    }

    #[test]
    fn super_admin_should_not_allow_when_disabled() {
        let mut store = active_store();
        store.super_admin = true;
        store.principal_active = false;

        let engine = EngineBuilder::new(store).build();
        let decision = block_on(engine.authorize(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            Permission::try_from("invoice:delete").unwrap(),
        ))
        .unwrap();

        assert_eq!(decision, Decision::Deny);
    }

    #[test]
    fn super_admin_scope_should_return_tenant_only_when_enabled() {
        let mut store = active_store();
        store.super_admin = true;
        store.principal_active = false;

        let engine = EngineBuilder::new(store).enable_super_admin(true).build();
        let scope = block_on(engine.scope(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            ResourceName::try_from("customer").unwrap(),
        ))
        .unwrap();

        assert!(matches!(scope, Scope::TenantOnly { .. }));
    }

    #[test]
    fn super_admin_should_still_deny_when_tenant_inactive() {
        let mut store = active_store();
        store.super_admin = true;
        store.tenant_active = false;

        let engine = EngineBuilder::new(store).enable_super_admin(true).build();
        let decision = block_on(engine.authorize(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            Permission::try_from("invoice:delete").unwrap(),
        ))
        .unwrap();

        assert_eq!(decision, Decision::Deny);
    }

    #[cfg(feature = "memory-cache")]
    #[test]
    fn shared_cache_should_isolate_different_engine_configs() {
        let mut store = active_store();

        let role = RoleId::try_from("role_a").unwrap();
        store.roles = vec![role.clone()];
        store
            .role_permissions
            .insert(role, vec![Permission::try_from("invoice:*").unwrap()]);

        let cache = crate::MemoryCache::new(8);
        let wildcard_engine = EngineBuilder::new(store.clone())
            .enable_wildcard(true)
            .cache(cache.clone())
            .build();
        let strict_engine = EngineBuilder::new(store).cache(cache).build();

        let tenant = TenantId::try_from("tenant_1").unwrap();
        let principal = principal("user_1");
        let required = Permission::try_from("invoice:read").unwrap();

        let wildcard_decision = block_on(wildcard_engine.authorize(
            tenant.clone(),
            principal.clone(),
            required.clone(),
        ))
        .unwrap();
        assert_eq!(wildcard_decision, Decision::Allow);

        let strict_decision =
            block_on(strict_engine.authorize(tenant, principal, required)).unwrap();
        assert_eq!(strict_decision, Decision::Deny);
    }

    #[cfg(feature = "memory-cache")]
    #[test]
    fn shared_cache_should_isolate_super_admin_flag() {
        let mut store = active_store();
        store.super_admin = true;

        let cache = crate::MemoryCache::new(8);
        let super_admin_engine = EngineBuilder::new(store.clone())
            .enable_super_admin(true)
            .cache(cache.clone())
            .build();
        let strict_engine = EngineBuilder::new(store).cache(cache).build();

        let tenant = TenantId::try_from("tenant_1").unwrap();
        let principal = principal("user_1");
        let required = Permission::try_from("invoice:delete").unwrap();

        let super_admin_decision = block_on(super_admin_engine.authorize(
            tenant.clone(),
            principal.clone(),
            required.clone(),
        ))
        .unwrap();
        assert_eq!(super_admin_decision, Decision::Allow);

        let strict_decision =
            block_on(strict_engine.authorize(tenant, principal, required)).unwrap();
        assert_eq!(strict_decision, Decision::Deny);
    }

    #[test]
    fn role_cycle_should_return_error() {
        let mut store = active_store();

        let role_a = RoleId::try_from("role_a").unwrap();
        let role_b = RoleId::try_from("role_b").unwrap();
        store.roles = vec![role_a.clone()];
        store.role_permissions.insert(
            role_a.clone(),
            vec![Permission::try_from("invoice:read").unwrap()],
        );
        store
            .role_inherits
            .insert(role_a.clone(), vec![role_b.clone()]);
        store.role_inherits.insert(role_b, vec![role_a.clone()]);

        let engine = EngineBuilder::new(store)
            .enable_role_hierarchy(true)
            .build();
        let result = block_on(engine.authorize(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            Permission::try_from("invoice:read").unwrap(),
        ));

        assert!(matches!(result, Err(Error::RoleCycleDetected { .. })));
    }

    #[test]
    fn role_depth_should_return_error_when_exceeded() {
        let mut store = active_store();

        let role_a = RoleId::try_from("role_a").unwrap();
        let role_b = RoleId::try_from("role_b").unwrap();
        let role_c = RoleId::try_from("role_c").unwrap();
        store.roles = vec![role_a.clone()];
        store
            .role_inherits
            .insert(role_a.clone(), vec![role_b.clone()]);
        store.role_inherits.insert(role_b, vec![role_c]);

        let engine = EngineBuilder::new(store)
            .enable_role_hierarchy(true)
            .max_inherit_depth(1)
            .build();
        let result = block_on(engine.authorize(
            TenantId::try_from("tenant_1").unwrap(),
            principal("user_1"),
            Permission::try_from("invoice:read").unwrap(),
        ));

        assert!(matches!(result, Err(Error::RoleDepthExceeded { .. })));
    }
}