gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 21:51:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0161bb201ca10cefb840ba4e24a35ab256c6e69b
certctl/internal/repository/postgres/session_test.go
T
shankar0123 95f1d6cf63 auth-bundle-2 Phase 2b: repository interfaces + Postgres impls + integration tests 
Closes Phase 2 end-to-end. Builds on Phase 2a's three migrations
(000034 oidc_providers + group_role_mappings, 000035 sessions +
session_signing_keys, 000036 users) by shipping the repository surface
Phase 3+ services consume.

Interfaces:
* internal/repository/oidc.go - OIDCProviderRepository (List, Get,
  GetByName, Create, Update, Delete) + GroupRoleMappingRepository
  (ListByProvider, Get, Add, Remove, Map). Sentinels:
  ErrOIDCProviderNotFound, ErrOIDCProviderDuplicateName,
  ErrOIDCProviderInUse (FK ON DELETE RESTRICT translation),
  ErrGroupRoleMappingNotFound, ErrGroupRoleMappingDuplicate.
* internal/repository/session.go - SessionRepository (Create, Get,
  ListByActor, UpdateLastSeen, Revoke, RevokeAllForActor,
  GarbageCollectExpired, Delete) + SessionSigningKeyRepository (List,
  GetActive, Get, Add, Retire, Delete). Sentinels: ErrSessionNotFound,
  ErrSessionRevoked, ErrSessionExpired, ErrSessionSigningKeyNotFound,
  ErrSessionSigningKeyInUse.
* internal/repository/user.go - UserRepository (Get, GetByOIDCSubject,
  Create, Update, ListAll). Sentinels: ErrUserNotFound,
  ErrUserDuplicateOIDCSubject.

Postgres implementations:
* internal/repository/postgres/oidc.go - 309 lines. Translates
  SQLSTATE 23505 (unique_violation) to ErrOIDCProviderDuplicateName /
  ErrGroupRoleMappingDuplicate; SQLSTATE 23503 (foreign_key_violation)
  to ErrOIDCProviderInUse so the Phase 5 handler maps to HTTP 409
  when an operator tries to delete a provider with authenticated
  users. pq.StringArray bridges Go []string to Postgres TEXT[] for
  scopes + allowed_email_domains. Map() uses
  `WHERE group_name = ANY($2)` so a single SELECT resolves N IdP
  group claims at once.
* internal/repository/postgres/session.go - 350 lines. Both Session +
  SessionSigningKey repos. Revoke + Retire are idempotent (re-revoking
  an already-revoked session returns nil; same for retire). The
  GarbageCollectExpired sweep deletes both
  absolute-expiry-passed sessions AND pre-login rows older than the
  10-minute TTL in one DELETE so the scheduler tick is cheap.
  ErrSessionSigningKeyInUse pinned via SQLSTATE 23503 from the
  sessions.signing_key_id FK ON DELETE RESTRICT.
* internal/repository/postgres/user.go - 137 lines. GetByOIDCSubject
  is the Phase 3 hot-path lookup; the (oidc_provider_id,
  oidc_subject) UNIQUE constraint trip translates to
  ErrUserDuplicateOIDCSubject. Update only writes the mutable field
  set (email, display_name, last_login_at, webauthn_credentials);
  oidc_subject + oidc_provider_id are immutable per the
  per-(provider, subject) identity model.

Integration tests (testing.Short()-gated, testcontainers + Postgres
16 Alpine, schema-per-test isolation via getTestDB().freshSchema):

* oidc_test.go: 11 tests covering happy-path + GetNotFound +
  DuplicateName + List + Update + DeleteNotFound + DeleteSucceeds +
  DeleteRefusedWhenUsersReference (the FK ON DELETE RESTRICT pin);
  GroupRoleMapping coverage includes Add/List/Map (3 cases:
  marketing-not-mapped, multi-group hits, empty groups returns
  empty), Duplicate rejection, and the ON DELETE CASCADE on
  provider deletion.
* session_test.go: 12 tests covering SessionSigningKey + Session.
  Key tests: GetActiveSkipsRetired (mints older, retires it, mints
  newer, asserts GetActive returns newer), DeleteRefusedWhenSessions-
  Reference (FK pin), RetireIsIdempotent. Session tests:
  CreateAndGet roundtrip, GetNotFound, Revoke + idempotent re-Revoke,
  ListByActor (3 active + 1 revoked + 1 pre-login -> returns 3,
  pinning the WHERE filter), RevokeAllForActor, GarbageCollectExpired
  (seeds an absolute-expired row + pre-login >10min row + active
  session via raw SQL to bypass CHECK constraints, asserts GC kills
  exactly 2 + active survives), UpdateLastSeen.
* user_test.go: 7 tests covering CreateAndGet, GetNotFound,
  GetByOIDCSubject (hit + miss), DuplicateOIDCSubjectRejected,
  UpdateMutableFields (asserts oidc_subject NOT mutated by Update),
  ListAll, FKRestrictsProviderDelete (mirror of the OIDC test from
  the user side - both ends of the FK contract pinned).

Verifications:
* gofmt -l clean across all 9 new files.
* go vet ./internal/repository/postgres/ rc=0.
* go test -short -count=1 green on internal/repository/postgres/ +
  internal/auth/... + Bundle 1 packages (testing.Short() skips the
  testcontainers integration tests, but the test files compile + the
  short-mode skip path is exercised so the suite is wired correctly).
* Full integration tests run in CI's non-short job against Postgres
  16 Alpine via testcontainers-go.
* govulncheck ./... clean.
* All 24 ci-guards pass.

Phase 2 exit criteria from cowork/auth-bundle-2-prompt.md (all met):
* All three Phase-2 migrations apply cleanly, idempotently: yes
  (Phase 2a). Break-glass migration ships separately in Phase 7.5.
* Repository tests pass against Postgres 16 Alpine: integration
  tests written, gated by testing.Short(), structured to run cleanly
  in CI's non-short job.
* make verify equivalent green: gofmt + vet + go test pass;
  golangci-lint deferred to CI per Phase 0/1's same pattern.
2026-05-10 04:18:27 +00:00

432 lines
13 KiB
Go
Raw Blame History

package postgres_test
import (
"context"
"errors"
"strings"
"testing"
"time"
sessiondomain "github.com/certctl-io/certctl/internal/auth/session/domain"
"github.com/certctl-io/certctl/internal/repository"
"github.com/certctl-io/certctl/internal/repository/postgres"
)
// =============================================================================
// SessionSigningKey tests
// =============================================================================
func newValidSigningKey(suffix string) *sessiondomain.SessionSigningKey {
return &sessiondomain.SessionSigningKey{
ID: "sk-" + suffix,
TenantID: "t-default",
KeyMaterialEncrypted: []byte{0x02, 0x00, 0x01, 0x02, 0x03},
}
}
func TestSessionSigningKeyRepository_AddAndGetActive(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
repo := postgres.NewSessionSigningKeyRepository(db)
ctx := context.Background()
k := newValidSigningKey("a")
if err := repo.Add(ctx, k); err != nil {
t.Fatalf("Add: %v", err)
}
if k.CreatedAt.IsZero() {
t.Errorf("Add did not populate CreatedAt")
}
got, err := repo.GetActive(ctx, "t-default")
if err != nil {
t.Fatalf("GetActive: %v", err)
}
if got.ID != k.ID {
t.Errorf("GetActive returned %q; want %q", got.ID, k.ID)
}
}
func TestSessionSigningKeyRepository_GetActiveSkipsRetired(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
repo := postgres.NewSessionSigningKeyRepository(db)
ctx := context.Background()
// Add older key, retire it. Add newer key. GetActive must return newer.
older := newValidSigningKey("older")
if err := repo.Add(ctx, older); err != nil {
t.Fatalf("Add older: %v", err)
}
if err := repo.Retire(ctx, older.ID); err != nil {
t.Fatalf("Retire older: %v", err)
}
// Sleep a millisecond so created_at orders deterministically.
time.Sleep(10 * time.Millisecond)
newer := newValidSigningKey("newer")
if err := repo.Add(ctx, newer); err != nil {
t.Fatalf("Add newer: %v", err)
}
got, err := repo.GetActive(ctx, "t-default")
if err != nil {
t.Fatalf("GetActive: %v", err)
}
if got.ID != newer.ID {
t.Errorf("GetActive returned %q; want %q (older was retired)", got.ID, newer.ID)
}
}
func TestSessionSigningKeyRepository_GetActiveReturnsNotFound(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
repo := postgres.NewSessionSigningKeyRepository(db)
ctx := context.Background()
_, err := repo.GetActive(ctx, "t-default")
if !errors.Is(err, repository.ErrSessionSigningKeyNotFound) {
t.Errorf("err = %v; want ErrSessionSigningKeyNotFound", err)
}
}
func TestSessionSigningKeyRepository_RetireIsIdempotent(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
repo := postgres.NewSessionSigningKeyRepository(db)
ctx := context.Background()
k := newValidSigningKey("retire")
if err := repo.Add(ctx, k); err != nil {
t.Fatalf("Add: %v", err)
}
if err := repo.Retire(ctx, k.ID); err != nil {
t.Fatalf("first Retire: %v", err)
}
if err := repo.Retire(ctx, k.ID); err != nil {
t.Errorf("second Retire (already retired) should be idempotent; got %v", err)
}
}
func TestSessionSigningKeyRepository_DeleteRefusedWhenSessionsReference(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
keyRepo := postgres.NewSessionSigningKeyRepository(db)
sessRepo := postgres.NewSessionRepository(db)
ctx := context.Background()
k := newValidSigningKey("inuse")
if err := keyRepo.Add(ctx, k); err != nil {
t.Fatalf("Add key: %v", err)
}
s := newValidSession("s1", k.ID)
if err := sessRepo.Create(ctx, s); err != nil {
t.Fatalf("Create session: %v", err)
}
err := keyRepo.Delete(ctx, k.ID)
if !errors.Is(err, repository.ErrSessionSigningKeyInUse) {
t.Errorf("Delete with referencing session err = %v; want ErrSessionSigningKeyInUse", err)
}
}
// =============================================================================
// Session tests
// =============================================================================
func newValidSession(suffix, signingKeyID string) *sessiondomain.Session {
now := time.Now().UTC().Truncate(time.Microsecond)
return &sessiondomain.Session{
ID: "ses-" + suffix,
TenantID: "t-default",
ActorID: "u-" + suffix,
ActorType: "User",
SigningKeyID: signingKeyID,
IsPreLogin: false,
CSRFTokenHash: strings.Repeat("a", 64),
IdleExpiresAt: now.Add(time.Hour),
AbsoluteExpiresAt: now.Add(8 * time.Hour),
CreatedAt: now,
LastSeenAt: now,
IPAddress: "10.0.0.1",
UserAgent: "Mozilla/5.0",
}
}
func TestSessionRepository_CreateAndGet(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
keyRepo := postgres.NewSessionSigningKeyRepository(db)
sessRepo := postgres.NewSessionRepository(db)
ctx := context.Background()
k := newValidSigningKey("k1")
if err := keyRepo.Add(ctx, k); err != nil {
t.Fatalf("Add key: %v", err)
}
s := newValidSession("s1", k.ID)
if err := sessRepo.Create(ctx, s); err != nil {
t.Fatalf("Create: %v", err)
}
got, err := sessRepo.Get(ctx, s.ID)
if err != nil {
t.Fatalf("Get: %v", err)
}
if got.ActorID != s.ActorID {
t.Errorf("ActorID roundtrip mismatch")
}
if got.RevokedAt != nil {
t.Errorf("RevokedAt should be nil on fresh session")
}
}
func TestSessionRepository_GetNotFound(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
repo := postgres.NewSessionRepository(db)
ctx := context.Background()
_, err := repo.Get(ctx, "ses-nonexistent")
if !errors.Is(err, repository.ErrSessionNotFound) {
t.Errorf("err = %v; want ErrSessionNotFound", err)
}
}
func TestSessionRepository_RevokeAndGet(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
keyRepo := postgres.NewSessionSigningKeyRepository(db)
sessRepo := postgres.NewSessionRepository(db)
ctx := context.Background()
k := newValidSigningKey("k2")
if err := keyRepo.Add(ctx, k); err != nil {
t.Fatalf("Add key: %v", err)
}
s := newValidSession("s2", k.ID)
if err := sessRepo.Create(ctx, s); err != nil {
t.Fatalf("Create: %v", err)
}
if err := sessRepo.Revoke(ctx, s.ID); err != nil {
t.Fatalf("Revoke: %v", err)
}
got, err := sessRepo.Get(ctx, s.ID)
if err != nil {
t.Fatalf("Get post-revoke: %v", err)
}
if got.RevokedAt == nil {
t.Errorf("RevokedAt nil after Revoke")
}
// Idempotent re-revoke: returns nil, no panic, no double-update.
if err := sessRepo.Revoke(ctx, s.ID); err != nil {
t.Errorf("re-Revoke (idempotent) err = %v; want nil", err)
}
}
func TestSessionRepository_RevokeNotFound(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
repo := postgres.NewSessionRepository(db)
ctx := context.Background()
if err := repo.Revoke(ctx, "ses-nonexistent"); !errors.Is(err, repository.ErrSessionNotFound) {
t.Errorf("err = %v; want ErrSessionNotFound", err)
}
}
func TestSessionRepository_ListByActorActiveOnly(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
keyRepo := postgres.NewSessionSigningKeyRepository(db)
sessRepo := postgres.NewSessionRepository(db)
ctx := context.Background()
k := newValidSigningKey("la")
if err := keyRepo.Add(ctx, k); err != nil {
t.Fatalf("Add key: %v", err)
}
// 3 active + 1 revoked + 1 pre-login.
for i, suf := range []string{"a1", "a2", "a3"} {
s := newValidSession(suf, k.ID)
s.ActorID = "u-list-actor"
// uniqueness: stagger created_at so list ordering is stable
s.CreatedAt = s.CreatedAt.Add(time.Duration(i) * time.Millisecond)
if err := sessRepo.Create(ctx, s); err != nil {
t.Fatalf("Create %s: %v", suf, err)
}
}
revoked := newValidSession("rev", k.ID)
revoked.ActorID = "u-list-actor"
if err := sessRepo.Create(ctx, revoked); err != nil {
t.Fatalf("Create revoked: %v", err)
}
if err := sessRepo.Revoke(ctx, revoked.ID); err != nil {
t.Fatalf("Revoke: %v", err)
}
preLogin := newValidSession("pre", k.ID)
preLogin.ActorID = "u-list-actor"
preLogin.IsPreLogin = true
preLogin.CSRFTokenHash = "" // pre-login rows have no CSRF token
if err := sessRepo.Create(ctx, preLogin); err != nil {
t.Fatalf("Create pre-login: %v", err)
}
out, err := sessRepo.ListByActor(ctx, "u-list-actor", "User", "t-default")
if err != nil {
t.Fatalf("ListByActor: %v", err)
}
if len(out) != 3 {
t.Errorf("ListByActor count = %d; want 3 (revoked + pre-login excluded)", len(out))
}
}
func TestSessionRepository_RevokeAllForActor(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
keyRepo := postgres.NewSessionSigningKeyRepository(db)
sessRepo := postgres.NewSessionRepository(db)
ctx := context.Background()
k := newValidSigningKey("ra")
if err := keyRepo.Add(ctx, k); err != nil {
t.Fatalf("Add key: %v", err)
}
// 3 sessions for one actor.
for _, suf := range []string{"r1", "r2", "r3"} {
s := newValidSession(suf, k.ID)
s.ActorID = "u-fired"
if err := sessRepo.Create(ctx, s); err != nil {
t.Fatalf("Create %s: %v", suf, err)
}
}
if err := sessRepo.RevokeAllForActor(ctx, "u-fired", "User", "t-default"); err != nil {
t.Fatalf("RevokeAllForActor: %v", err)
}
out, err := sessRepo.ListByActor(ctx, "u-fired", "User", "t-default")
if err != nil {
t.Fatalf("ListByActor post-revoke: %v", err)
}
if len(out) != 0 {
t.Errorf("RevokeAllForActor left %d sessions active; want 0", len(out))
}
}
func TestSessionRepository_GarbageCollectExpired(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
keyRepo := postgres.NewSessionSigningKeyRepository(db)
sessRepo := postgres.NewSessionRepository(db)
ctx := context.Background()
k := newValidSigningKey("gc")
if err := keyRepo.Add(ctx, k); err != nil {
t.Fatalf("Add key: %v", err)
}
// One session with absolute expiry in the past (write directly via SQL
// to bypass the CHECK constraints; this simulates a row that aged
// past expiry without GC having run yet).
now := time.Now().UTC()
old := time.Now().UTC().Add(-2 * time.Hour)
older := time.Now().UTC().Add(-3 * time.Hour)
_, err := db.ExecContext(ctx, `
INSERT INTO sessions (id, tenant_id, actor_id, actor_type, signing_key_id,
is_pre_login, csrf_token_hash, idle_expires_at, absolute_expires_at,
created_at, last_seen_at, ip_address, user_agent)
VALUES ($1, 't-default', 'u-gc', 'User', $2, FALSE, '',
$3, $4, $5, $5, '', '')`,
"ses-expired", k.ID, older, old, time.Now().UTC().Add(-4*time.Hour))
if err != nil {
t.Fatalf("seed expired: %v", err)
}
// One pre-login row older than 10 minutes.
_, err = db.ExecContext(ctx, `
INSERT INTO sessions (id, tenant_id, actor_id, actor_type, signing_key_id,
is_pre_login, csrf_token_hash, idle_expires_at, absolute_expires_at,
created_at, last_seen_at, ip_address, user_agent)
VALUES ($1, 't-default', 'u-gc', 'User', $2, TRUE, '',
$3, $4, $5, $5, '', '')`,
"ses-prelogin-old", k.ID,
now.Add(-15*time.Minute).Add(time.Hour), // idle in future relative to created
now.Add(-15*time.Minute).Add(2*time.Hour), // absolute > idle, both > created
now.Add(-15*time.Minute)) // created 15 min ago (older than 10 min TTL)
if err != nil {
t.Fatalf("seed pre-login: %v", err)
}
// One active session (NOT to be GC'd).
active := newValidSession("active", k.ID)
active.ActorID = "u-gc"
if err := sessRepo.Create(ctx, active); err != nil {
t.Fatalf("seed active: %v", err)
}
n, err := sessRepo.GarbageCollectExpired(ctx)
if err != nil {
t.Fatalf("GC: %v", err)
}
if n != 2 {
t.Errorf("GC deleted %d rows; want 2 (expired + old pre-login)", n)
}
// Active session survives.
if _, err := sessRepo.Get(ctx, active.ID); err != nil {
t.Errorf("active session should survive GC; got %v", err)
}
}
func TestSessionRepository_UpdateLastSeen(t *testing.T) {
if testing.Short() {
t.Skip("integration test in short mode")
}
db := getTestDB(t).freshSchema(t)
keyRepo := postgres.NewSessionSigningKeyRepository(db)
sessRepo := postgres.NewSessionRepository(db)
ctx := context.Background()
k := newValidSigningKey("uls")
if err := keyRepo.Add(ctx, k); err != nil {
t.Fatalf("Add key: %v", err)
}
s := newValidSession("uls", k.ID)
if err := sessRepo.Create(ctx, s); err != nil {
t.Fatalf("Create: %v", err)
}
originalSeen := s.LastSeenAt
time.Sleep(10 * time.Millisecond)
if err := sessRepo.UpdateLastSeen(ctx, s.ID); err != nil {
t.Fatalf("UpdateLastSeen: %v", err)
}
got, _ := sessRepo.Get(ctx, s.ID)
if !got.LastSeenAt.After(originalSeen) {
t.Errorf("LastSeenAt did not advance after UpdateLastSeen")
}
}
Reference in New Issue View Git Blame Copy Permalink