gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 13:31:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
certctl/internal/api/handler/demo_residual_test.go
T
shankar0123 a923cf697c harden(auth): demo-mode residual-grants detector + cleanup endpoint + CI guard (A-8) 
Audit 2026-05-11 A-8 closure. Closes the deferred Phase 2 leg of the
2026-05-10 HIGH-12 closure (2e97cc1) — production-startup observability
for actor-demo-anon residual grants + CI guard banning new synthetic-
admin code paths.

What this changes:

* cmd/server/preflight_demo_residual.go (new) runs after the DB pool +
  audit service are constructed and before the HTTPS listener starts.
  Under any non-'none' auth type it queries actor_roles for the
  synthetic actor-demo-anon and emits a WARN log + a categorized audit
  row (auth.demo_residual_grants_detected) listing every grant
  present. Migration 000029 unconditionally seeds the ar-demo-anon-admin
  row at install time, so EVERY production deploy will see this WARN
  on first boot; the intended cutover workflow is cleanup-once at
  production handover.

* CERTCTL_DEMO_MODE_RESIDUAL_STRICT (new env var on AuthConfig,
  default false) pivots the WARN to fail-closed startup refusal for
  operators who want a paranoid posture against re-seeding.

* POST /api/v1/auth/demo-residual/cleanup (new handler at
  internal/api/handler/demo_residual.go) is an admin-class
  (auth.role.assign) endpoint that removes every actor-demo-anon row
  from actor_roles and returns {removed: int64}. Idempotent; refuses
  503 under Auth.Type=none (deleting the row would break the demo
  path); audit-logs every invocation including no-op zero-removed
  calls so the admin's action is always recorded.

* scripts/ci-guards/no-new-synthetic-admin.sh pins the 17-entry
  allowlist of source files that legitimately reference the
  actor-demo-anon literal. New runtime code paths that resolve to the
  synthetic actor (the same pattern that produced the original CRIT
  class) are rejected at PR time. CI workflow auto-picks the script
  via the existing scripts/ci-guards/*.sh loop in .github/workflows/
  ci.yml; no workflow edit needed.

Regression matrix:

* cmd/server/preflight_demo_residual_test.go — 7 tests covering the
  4 main behaviour branches (testcontainers-backed, testing.Short()-
  skipped: DemoModeActive_Skips, NoResidue_Passes, HasResidue_LogsAnd
  Audits, StrictMode_RefusesStartup, DeleteDemoAnonResidue_Idempotent)
  plus 3 pure-Go stdlib unit tests for the row-string formatter +
  nil-safety contracts on both helpers.

* internal/api/handler/demo_residual_test.go — 7 stdlib+httptest
  cases: HappyPath, Idempotent_ReturnsZero, RejectsInDemoMode (503),
  CleanupError_Surfaces500, NilCleanupFn (defensive 500),
  NilAuditWriter_DoesNotPanic, MissingActorContext (falls back to
  'unknown' actor in the audit row).

* internal/api/router/openapi_parity_test.go — new
  POST /api/v1/auth/demo-residual/cleanup entry plus 6 pre-existing
  pre-A-8 entries (oidc/test, jwks-status, users CRUD, runtime-config)
  that had drifted out of SpecParityExceptions; the parity test was
  red on dev/auth-bundle-2 before my work; this commit returns it to
  green with full per-entry justifications + parity-debt notes.

Docs:

* docs/operator/security.md — new 'Demo-to-production cutover (Audit
  2026-05-11 A-8)' section explaining the WARN message, the cleanup
  curl one-liner, the equivalent SQL, the strict-mode env var, and
  the CI guard.

* docs/operator/rbac.md — Last-reviewed bump + pointer to the new
  env var + the security.md section.

* cowork/auth-bundles-audit-2026-05-10.md — HIGH-12 row gains an
  'A-8 follow-on CLOSED 2026-05-11' annotation describing the
  deferred Phase 2 leg now landed.

* CHANGELOG.md — Unreleased ### Security entry summarizing the four
  legs (detector + cleanup + strict-mode flag + CI guard) and the
  acquisition-readiness narrative this closes.

Operator-facing impact: this closes a credibility gap, not an
exploitable vulnerability. The residue requires a regression
elsewhere in the middleware chain to be exploitable. After this
fix, the canonical narrative ('RBAC primitive with no synthetic-
admin fallback') is fully true.

Refs cowork/auth-bundles-fixes-2026-05-11/08-high-demo-mode-residual-
cleanup.md.
2026-05-11 11:45:54 +00:00

230 lines
8.0 KiB
Go
Raw Permalink Blame History

package handler
import (
"context"
"encoding/json"
"errors"
"net/http"
"net/http/httptest"
"strings"
"sync/atomic"
"testing"
"github.com/certctl-io/certctl/internal/auth"
"github.com/certctl-io/certctl/internal/domain"
)
// Audit 2026-05-11 A-8 — DemoResidualHandler regression coverage.
// Uses fake closures for the cleanup + authType deps so the test
// stays stdlib + httptest only (no DB needed). DB-shape coverage
// lives in cmd/server/preflight_demo_residual_test.go.
func fakeAuthType(s string) func() string { return func() string { return s } }
// fakeAuditWriter captures the last RecordEventWithCategory invocation.
type fakeAuditWriter struct {
called atomic.Bool
lastCall struct {
actor, action, category, resourceType, resourceID string
details map[string]interface{}
}
}
func (f *fakeAuditWriter) RecordEventWithCategory(
ctx context.Context, actor string, actorType domain.ActorType,
action, eventCategory, resourceType, resourceID string,
details map[string]interface{},
) error {
f.called.Store(true)
f.lastCall.actor = actor
f.lastCall.action = action
f.lastCall.category = eventCategory
f.lastCall.resourceType = resourceType
f.lastCall.resourceID = resourceID
f.lastCall.details = details
return nil
}
func authCtxReq(method, path string, actor string) *http.Request {
req := httptest.NewRequest(method, path, nil)
ctx := context.WithValue(req.Context(), auth.ActorIDKey{}, actor)
ctx = context.WithValue(ctx, auth.ActorTypeKey{}, string(domain.ActorTypeAPIKey))
return req.WithContext(ctx)
}
// TestDemoResidualCleanup_HappyPath — fake cleanup returns 3 rows
// removed; handler emits 200 + JSON body {removed:3} + audit row.
func TestDemoResidualCleanup_HappyPath(t *testing.T) {
audit := &fakeAuditWriter{}
h := NewDemoResidualHandler(
func(ctx context.Context) (int64, error) { return 3, nil },
fakeAuthType("api-key"),
audit,
)
rec := httptest.NewRecorder()
h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
if rec.Code != http.StatusOK {
t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
}
var body demoResidualCleanupResponse
if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil {
t.Fatalf("decode body: %v", err)
}
if body.Removed != 3 {
t.Errorf("removed = %d, want 3", body.Removed)
}
// Audit row must be emitted with the right category + caller actor.
if !audit.called.Load() {
t.Fatal("expected audit RecordEventWithCategory to be called")
}
if audit.lastCall.action != "auth.demo_residual_grants_cleaned" {
t.Errorf("audit action = %q, want auth.demo_residual_grants_cleaned", audit.lastCall.action)
}
if audit.lastCall.category != domain.EventCategoryAuth {
t.Errorf("audit category = %q, want %q", audit.lastCall.category, domain.EventCategoryAuth)
}
if audit.lastCall.actor != "k-admin" {
t.Errorf("audit actor = %q, want k-admin", audit.lastCall.actor)
}
if audit.lastCall.resourceID != "actor-demo-anon" {
t.Errorf("audit resource_id = %q, want actor-demo-anon", audit.lastCall.resourceID)
}
if got, ok := audit.lastCall.details["removed"].(int64); !ok || got != 3 {
t.Errorf("audit details.removed = %v, want 3", audit.lastCall.details["removed"])
}
}
// TestDemoResidualCleanup_Idempotent_ReturnsZero — fake cleanup returns
// (0, nil); the handler still emits 200 + body {removed:0} + audit.
func TestDemoResidualCleanup_Idempotent_ReturnsZero(t *testing.T) {
audit := &fakeAuditWriter{}
h := NewDemoResidualHandler(
func(ctx context.Context) (int64, error) { return 0, nil },
fakeAuthType("api-key"),
audit,
)
rec := httptest.NewRecorder()
h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
if rec.Code != http.StatusOK {
t.Fatalf("status = %d, want 200", rec.Code)
}
var body demoResidualCleanupResponse
if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil {
t.Fatalf("decode body: %v", err)
}
if body.Removed != 0 {
t.Errorf("removed = %d, want 0", body.Removed)
}
// Audit row should STILL fire on a no-op cleanup so the operator's
// action is recorded. This is intentional — the cleanup endpoint is
// admin-class and every invocation should leave a trail.
if !audit.called.Load() {
t.Error("audit row must fire even on no-op cleanup")
}
}
// TestDemoResidualCleanup_RejectsInDemoMode — Auth.Type=none returns 503.
func TestDemoResidualCleanup_RejectsInDemoMode(t *testing.T) {
audit := &fakeAuditWriter{}
var cleanupCalled atomic.Bool
h := NewDemoResidualHandler(
func(ctx context.Context) (int64, error) {
cleanupCalled.Store(true)
return 0, nil
},
fakeAuthType("none"),
audit,
)
rec := httptest.NewRecorder()
h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
if rec.Code != http.StatusServiceUnavailable {
t.Fatalf("status = %d, want 503; body=%s", rec.Code, rec.Body.String())
}
if !strings.Contains(rec.Body.String(), "demo mode") {
t.Errorf("body = %q, want mention of demo mode", rec.Body.String())
}
// The cleanup closure must NOT have been called.
if cleanupCalled.Load() {
t.Error("cleanup closure called despite demo-mode reject")
}
// No audit row should fire on rejection — the action didn't happen.
if audit.called.Load() {
t.Error("audit row fired on rejected cleanup; should not")
}
}
// TestDemoResidualCleanup_CleanupError_Surfaces500 — cleanup func
// returns an error; handler emits 500.
func TestDemoResidualCleanup_CleanupError_Surfaces500(t *testing.T) {
audit := &fakeAuditWriter{}
h := NewDemoResidualHandler(
func(ctx context.Context) (int64, error) { return 0, errors.New("boom") },
fakeAuthType("api-key"),
audit,
)
rec := httptest.NewRecorder()
h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
if rec.Code != http.StatusInternalServerError {
t.Fatalf("status = %d, want 500", rec.Code)
}
if audit.called.Load() {
t.Error("audit row fired on cleanup error; should not")
}
}
// TestDemoResidualCleanup_NilCleanupFn — handler with no wired
// cleanup returns 500 (defensive — should never happen in prod, but
// the contract should be observable).
func TestDemoResidualCleanup_NilCleanupFn(t *testing.T) {
h := DemoResidualHandler{cleanup: nil, authType: fakeAuthType("api-key")}
rec := httptest.NewRecorder()
h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
if rec.Code != http.StatusInternalServerError {
t.Fatalf("status = %d, want 500", rec.Code)
}
}
// TestDemoResidualCleanup_NilAuditWriter_DoesNotPanic — audit is
// optional (Bundle-2 wiring may set it nil in tests / minimal configs).
// Handler must still succeed with valid cleanup.
func TestDemoResidualCleanup_NilAuditWriter_DoesNotPanic(t *testing.T) {
h := NewDemoResidualHandler(
func(ctx context.Context) (int64, error) { return 1, nil },
fakeAuthType("api-key"),
nil,
)
rec := httptest.NewRecorder()
h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
if rec.Code != http.StatusOK {
t.Fatalf("status = %d, want 200", rec.Code)
}
}
// TestDemoResidualCleanup_MissingActorContext — caller without
// ActorIDKey gets "unknown" recorded; the cleanup still runs. The
// rbacGate at the router enforces that authenticated callers reach
// this point, so missing actor context is purely a test-shape thing.
func TestDemoResidualCleanup_MissingActorContext(t *testing.T) {
audit := &fakeAuditWriter{}
h := NewDemoResidualHandler(
func(ctx context.Context) (int64, error) { return 1, nil },
fakeAuthType("api-key"),
audit,
)
rec := httptest.NewRecorder()
// No auth context — bare httptest.NewRequest.
h.Cleanup(rec, httptest.NewRequest(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", nil))
if rec.Code != http.StatusOK {
t.Fatalf("status = %d, want 200", rec.Code)
}
if audit.lastCall.actor != "unknown" {
t.Errorf("audit actor = %q, want unknown for missing actor context", audit.lastCall.actor)
}
}
Reference in New Issue View Git Blame Copy Permalink