DEV Community

Dmytro Werner

Permission Testing Toolkit — Build, Validate, and Ship Secure Authorization with Permit.io

This is a submission for the Permit.io Authorization Challenge: Permissions Redefined

What I Built

Permission Testing Toolkit is a CLI utility built with TypeScript that allows teams to validate, simulate, and test their fine-grained access control logic using Permit.io.

✅ It supports both manual test cases via JSON and dynamic test generation using your live Permit.io schema.

✅ It’s perfect for CI pipelines or security-conscious teams that want to "test their policies before they break production."

✅ Oh — and it looks nice in your terminal too. 🎨

You write the rules. This CLI makes sure they're followed.

Demo

$ npm start

  ____                            ____ _               _    
 |  _ \ ___ _ __ _ __ ___        / ___| |__   ___  ___| | __
 | |_) / _ \ '__| '_ ` _ \ _____| |   | '_ \ / _ \/ __| |/ /
 |  __/  __/ |  | | | | | |_____| |___| | | |  __/ (__|   < 
 |_|   \___|_|  |_| |_| |_|      \____|_| |_|\___|\___|_|\_\

Running tests from config: test-cases/perm-config.json

Permission Test Report:
========================================
1. Viewer can read a post
   ➀ User: viewer
   ➀ Resource: post
   ➀ Action: read
   ➀ Expected: allow, Actual: allow
   ➀ ✅ PASS

2. Editor cannot delete a post
   ➀ User: editor
   ➀ Resource: post
   ➀ Action: delete
   ➀ Expected: deny, Actual: deny
   ➀ ✅ PASS

✔️  2/2 tests passed.

perm-config.json:

{
  "tests": [
    {
      "user": "admin",
      "resource": "post",
      "action": "delete",
      "expected": "allow"
    },
    {
      "user": "editor",
      "resource": "post",
      "action": "delete",
      "expected": "deny"
    }
  ]
}

Output example:

...
Check delete for viewer
   ➀ User: Sam Smith
   ➀ Resource: Document_number_1
   ➀ Action: delete
   ➀ Expected: allow, Actual: deny
   ➀ ❌ FAIL
...
Summary:
✔ Passed: 4
✘ Failed: 4
Total: 8

Global CLI installation:

npm install -g .
perm-check --config path/to/perm-config.json

Project Repo

🚦 Permission Testing Toolkit

Permission Testing Toolkit is a blazing-fast CLI tool that helps developers automatically test access rules (RBAC/ABAC) configured in Permit.io across multiple users, resources, and actions — using both custom test cases and live schema introspection.

✅ Built with performance, automation, and CI/CD integration in mind — no UI needed.

📦 Features

  • ✅ Custom Permission Tests — Define explicit test cases for users, actions, and expected results.
  • 🚀 Live Schema Introspection — Auto-generate permission tests based on your Permit.io policy schema.
  • 🧠 Role Coverage Testing — Dynamically test every role against every action on every resource.
  • 💥 CI/CD Friendly — Easily integrate into pipelines to prevent policy regressions.
  • 🛠️ Developer-First — CLI-only experience, blazing-fast, fully written in TypeScript.

📸 Demo Output

$ npm start
  ____                            ____ _               _    
 |  _ \ ___ _ __ _ __ ___        / ___| |__   ___  ___| | __
 
…

The README walks you through setup, usage, .env configuration, live schema fetching, and creating your own test cases.

You can even install the CLI globally using npm install -g . to run perm-check from anywhere.

My Journey

When I started, my goal was to not just use Permit.io for auth, but to test and trust my auth.

Highlights:

  • Built a CLI using commander + chalk for clean UX.
  • Added support for:
    • .json config file tests (great for version control)
    • Live schema inspection via @permit.io/sdk (dynamic users/actions/resources)
  • Created a readable, colorful terminal test report 📊
  • Packaged everything into a globally installable CLI

Challenges & Lessons:

  • Learned how the Permit.io API & SDK expose actions/resources
  • Discovered the value of “failing fast” in access control testing

Using Permit.io for Authorization

This CLI interacts with Permit.io in two major ways:

  1. Static Testing:

    Load test cases from a .json config and check allow/deny against Permit.io’s PDP (Policy Decision Point) via REST.

  2. Dynamic Schema Testing:

    Use the SDK to fetch all defined users, resources, and actions in your Permit.io project. Then simulate permission checks across the board.
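
The role-coverage idea behind the dynamic mode, as an added example that is not the toolkit's own code: every role × resource × action is checked against a reviewed baseline with deny as the default, a check that throws counts as a failure, and unexpected allows are reported separately. The schema, the baseline, and `stubCheck` (a synchronous local stand-in for the PDP call) are constructed assumptions.

```typescript
// Added example, not the toolkit's code. Schema, baseline and stub are constructed.
type Decision = "allow" | "deny";
interface TestCase { user: string; resource: string; action: string; expected: Decision }
interface Result extends TestCase { actual: Decision | "error"; pass: boolean }
// Stand-in for the PDP call; a real check would be an async network request.
type Check = (user: string, action: string, resource: string) => boolean;
// Constructed schema: roles, and the actions each resource exposes.
const roles: string[] = ["viewer", "editor", "admin"];
const resources: Record<string, string[]> = { post: ["read", "update", "delete"] };
// Reviewed baseline of intended grants; anything not listed must be denied.
const baseline = new Set<string>([
  "viewer:post:read", "editor:post:read", "editor:post:update",
  "admin:post:read", "admin:post:update", "admin:post:delete",
]);

// Every role x resource x action becomes a test; the default expectation is deny.
function generateMatrix(): TestCase[] {
  const cases: TestCase[] = [];
  for (const user of roles)
    for (const resource of Object.keys(resources))
      for (const action of resources[resource]) {
        const expected: Decision = baseline.has(`${user}:${resource}:${action}`) ? "allow" : "deny";
        cases.push({ user, resource, action, expected });
      }
  return cases;
}

// A check that throws is recorded as "error" and fails the test, never a silent pass.
function runTests(cases: TestCase[], check: Check): Result[] {
  return cases.map((c) => {
    let actual: Decision | "error";
    try { actual = check(c.user, c.action, c.resource) ? "allow" : "deny"; }
    catch { actual = "error"; }
    return { ...c, actual, pass: actual === c.expected };
  });
}

// Unexpected allows (policy grants more than the baseline) are reported separately.
function summarize(results: Result[]) {
  const failed = results.filter((r) => !r.pass);
  const escalations = failed.filter((r) => r.expected === "deny" && r.actual === "allow");
  return { passed: results.length - failed.length, failed: failed.length,
           escalations, exitCode: failed.length === 0 ? 0 : 1 };
}
// Constructed stub policy with one regression: editor was also granted delete.
const stubPolicy = new Set<string>(baseline).add("editor:post:delete");
const stubCheck: Check = (u, a, r) => {
  if (u === "viewer" && a === "update") throw new Error("PDP unreachable (simulated)");
  return stubPolicy.has(`${u}:${r}:${a}`);
};
const summary = summarize(runTests(generateMatrix(), stubCheck));
```

In a pipeline the process would exit with `summary.exitCode`, so either an unexpected allow or an unreachable PDP blocks the change.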

📦 Future Potential
This project is not just a utility — it’s the foundation for a permission validation library that could:

  • Be published as an NPM package
  • Integrate into CI pipelines (e.g., GitHub Actions)
  • Visualize permission coverage

🙌 Team or Solo
This was a solo project.

Huge thanks to Permit.io and DEV.to for organizing this challenge and providing excellent documentation and tooling.
This experience was both rewarding and empowering — it not only deepened my understanding of modern authorization workflows but also inspired me to build something perhaps useful for the developer community.

Top comments (2)

Aidityas Adhakim

Bro, have you tried the Permit CLI? I have a hard time working with the CLI. Your idea is a good way to contribute to Permit CLI, nice content!

Dmytro Werner

Thanks a lot, that’s kind of you! 🙌 I really just wanted to build something simple, useful, and easy to pick up — especially if someone has problems with the CLI ;-)