mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:11:31 +00:00
shankar0123
cbb47aaf5d
# Phase 11 — RBAC MCP tools
12 new tools in internal/mcp/tools_auth.go mirroring the Phase-4
+ Phase-7 HTTP surface so operators driving certctl from Claude
/ VS Code / any MCP client get the same management capability
the GUI + CLI already expose:
certctl_auth_me GET /v1/auth/me
certctl_auth_list_roles GET /v1/auth/roles
certctl_auth_get_role GET /v1/auth/roles/{id}
certctl_auth_create_role POST /v1/auth/roles
certctl_auth_update_role PUT /v1/auth/roles/{id}
certctl_auth_delete_role DELETE /v1/auth/roles/{id}
certctl_auth_list_permissions GET /v1/auth/permissions
certctl_auth_add_permission_to_role POST /v1/auth/roles/{id}/permissions
certctl_auth_remove_permission_from_role DELETE /v1/auth/roles/{id}/permissions/{perm}
certctl_auth_list_keys GET /v1/auth/keys
certctl_auth_assign_role_to_key POST /v1/auth/keys/{id}/roles
certctl_auth_revoke_role_from_key DELETE /v1/auth/keys/{id}/roles/{role_id}
Each tool routes through the existing HTTP client (no parallel
business logic), so permission gates fire server-side: a
non-admin caller's MCP tool invocation returns whatever 403 the
underlying HTTP handler emits, fenced via errorResult for LLM-
prompt-injection defense.
Input types in internal/mcp/types.go (AuthRoleIDInput,
AuthCreateRoleInput, AuthUpdateRoleInput,
AuthRolePermissionGrantInput, AuthRolePermissionRevokeInput,
AuthAssignKeyRoleInput, AuthRevokeKeyRoleInput) carry
jsonschema descriptions so the MCP consumer's tool catalogue
shows operator-friendly hints.
internal/mcp/tools_auth_test.go ships 14 tests:
- TestAuthMCP_AllToolsRegister (registration must not panic)
- TestAuthMCP_PathsAndMethods (table-driven, 12 rows pinning
each tool's HTTP method + URL)
- TestAuthMCP_ForbiddenSurfacesFencedError (12 tools × 403
mock → error surface)
internal/mcp/tools_per_tool_test.go's allHappyPathCases extended
with the 12 new rows so the in-memory dispatch coverage gate
(TestMCP_RegisterTools_DispatchableToolCount) stays green at the
new total of 139 registered tools.
Re-derived total via 'grep -cE "gomcp\.AddTool\(" internal/mcp/tools*.go':
133 (121 in tools.go + 12 in tools_auth.go).
# Phase 12 — negative-test coverage gate
Audit of the prompt's 12 negative-test paths against existing
coverage:
1. Missing actor → 401 ✓ TestRequirePermission_NoActorReturns401, TestRBACGate_NoActorReturns401
2. No roles → 403 ✓ TestRequirePermission_DeniedActorReturns403, TestRBACGate_AuditorRole_403sOnAdminRoutes
3. Role lacks specific perm → 403 ✓ same suite
4. Wrong scope → 403 ✓ TestAuthorizer_SpecificScopeMatchesExactID (wrongID arm)
5. Self-grant w/o auth.role.assign → 403 ✓ TestActorRoleService_GrantRequiresAuthRoleAssign
6. Bootstrap token wrong → 401 ✓ TestEnvTokenStrategy_WrongTokenReturnsInvalidToken, TestBootstrapHandler_Mint_WrongToken_401
7. Bootstrap used twice → 410 ✓ TestEnvTokenStrategy_OneShotConsumption, TestBootstrapHandler_Mint_TwiceReturns410
8. Bootstrap when admin exists → 410 ✓ TestEnvTokenStrategy_AdminExistsClosesPath, TestBootstrapHandler_Mint_AdminExists410
9. Role delete with assignees → 409 NEW: TestRoleService_DeleteWithActorsAssignedReturns409
10. Profile-edit loophole → gated ✓ TestProfileEdit_RequiresApprovalLoopholeClosed
11. Permission not in catalog → 400 ✓ TestRoleService_AddPermissionRejectsNonCanonical
12. Scope ID for nonexistent resource → 404 (validation deferred — no FK constraint between role_permissions.scope_id and the resource tables; documented for a future bundle)
Filled the gap at #9 with TestRoleService_DeleteWithActorsAssignedReturns409
which pins the repository sentinel pass-through (postgres FK
ON DELETE RESTRICT → repository.ErrAuthRoleInUse → service
returns the sentinel verbatim → handler maps to HTTP 409).
# Coverage gates
.github/coverage-thresholds.yml gains 2 entries:
- internal/auth: floor 85
- internal/service/auth: floor 85
.github/workflows/ci.yml's coverage test command extended with
./internal/auth/... and ./internal/api/router/... so the
threshold check has data to evaluate.
# Protocol-endpoint not-gated test (Category F)
internal/api/router/phase12_protocol_allowlist_test.go (new)
adds 3 router-level invariant tests:
- TestPhase12_ProtocolEndpointsNotGated: AST-walks router.go,
asserts no rbacGate(...) call references a path under any
protocol-endpoint prefix (/acme, /scep, /.well-known/est,
/.well-known/pki/ocsp, /.well-known/pki/crl).
- TestPhase12_IsProtocolEndpoint_CoversCanonicalPrefixes:
pins auth.IsProtocolEndpoint against the canonical prefix
set; if a future protocol lands without lockstep allowlist
update, this fails.
- TestPhase12_RBACGateRoutesAreUnderAPIv1: belt-and-braces —
every rbacGate-wrapped route MUST start with /api/v1/.
Catches accidental cross-prefix wraps.
Complements the existing TestRequirePermission_ProtocolEndpointBypassesGate
(middleware-level) + TestRouter_AuthExemptAllowlist_PinsActualRegistrations
(allowlist drift) so the Category F invariant is pinned at all
three layers (middleware + router + dispatch).
# Verifications
* gofmt clean repo-wide.
* go vet ./... clean.
* staticcheck across internal/auth + handler + router + cli +
service + repository + cmd + domain + mcp: clean.
* go test -short -count=1 green across internal/auth (incl.
bootstrap), internal/api/handler, internal/api/router,
internal/cli, internal/service (incl. auth),
internal/domain/auth, internal/mcp, cmd/server, cmd/cli.
439 lines
16 KiB
Go
439 lines
16 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"testing"
|
|
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// =============================================================================
|
|
// In-memory fakes. These exist solely to make the service-layer unit tests
|
|
// feasible without testcontainers. Phase 12 wires the live-Postgres
|
|
// integration suite that exercises the same code paths against the real
|
|
// schema; this file pins the privilege-escalation invariants that don't
|
|
// need a database.
|
|
// =============================================================================
|
|
|
|
type fakeRoleRepo struct {
|
|
roles map[string]*authdomain.Role
|
|
rolePerms map[string][]*authdomain.RolePermission
|
|
deleteFail error
|
|
}
|
|
|
|
func newFakeRoleRepo() *fakeRoleRepo {
|
|
return &fakeRoleRepo{
|
|
roles: map[string]*authdomain.Role{},
|
|
rolePerms: map[string][]*authdomain.RolePermission{},
|
|
}
|
|
}
|
|
|
|
func (f *fakeRoleRepo) Get(_ context.Context, id string) (*authdomain.Role, error) {
|
|
r, ok := f.roles[id]
|
|
if !ok {
|
|
return nil, repository.ErrAuthNotFound
|
|
}
|
|
return r, nil
|
|
}
|
|
func (f *fakeRoleRepo) GetByName(_ context.Context, _, name string) (*authdomain.Role, error) {
|
|
for _, r := range f.roles {
|
|
if r.Name == name {
|
|
return r, nil
|
|
}
|
|
}
|
|
return nil, repository.ErrAuthNotFound
|
|
}
|
|
func (f *fakeRoleRepo) List(_ context.Context, _ string) ([]*authdomain.Role, error) {
|
|
out := make([]*authdomain.Role, 0, len(f.roles))
|
|
for _, r := range f.roles {
|
|
out = append(out, r)
|
|
}
|
|
return out, nil
|
|
}
|
|
func (f *fakeRoleRepo) Create(_ context.Context, r *authdomain.Role) error {
|
|
f.roles[r.ID] = r
|
|
return nil
|
|
}
|
|
func (f *fakeRoleRepo) Update(_ context.Context, r *authdomain.Role) error {
|
|
f.roles[r.ID] = r
|
|
return nil
|
|
}
|
|
func (f *fakeRoleRepo) Delete(_ context.Context, id string) error {
|
|
if f.deleteFail != nil {
|
|
return f.deleteFail
|
|
}
|
|
delete(f.roles, id)
|
|
return nil
|
|
}
|
|
func (f *fakeRoleRepo) ListPermissions(_ context.Context, roleID string) ([]*authdomain.RolePermission, error) {
|
|
return f.rolePerms[roleID], nil
|
|
}
|
|
func (f *fakeRoleRepo) AddPermission(_ context.Context, g *authdomain.RolePermission) error {
|
|
f.rolePerms[g.RoleID] = append(f.rolePerms[g.RoleID], g)
|
|
return nil
|
|
}
|
|
func (f *fakeRoleRepo) RemovePermission(_ context.Context, g *authdomain.RolePermission) error {
|
|
out := f.rolePerms[g.RoleID][:0]
|
|
for _, x := range f.rolePerms[g.RoleID] {
|
|
if x.PermissionID != g.PermissionID || x.ScopeType != g.ScopeType {
|
|
out = append(out, x)
|
|
}
|
|
}
|
|
f.rolePerms[g.RoleID] = out
|
|
return nil
|
|
}
|
|
|
|
type fakePermissionRepo struct {
|
|
byName map[string]*authdomain.Permission
|
|
}
|
|
|
|
func newFakePermissionRepo() *fakePermissionRepo {
|
|
r := &fakePermissionRepo{byName: map[string]*authdomain.Permission{}}
|
|
for _, p := range authdomain.CanonicalPermissions {
|
|
r.byName[p] = &authdomain.Permission{
|
|
ID: "p-" + p,
|
|
Name: p,
|
|
Namespace: p,
|
|
}
|
|
}
|
|
return r
|
|
}
|
|
|
|
func (f *fakePermissionRepo) List(_ context.Context) ([]*authdomain.Permission, error) {
|
|
out := make([]*authdomain.Permission, 0, len(f.byName))
|
|
for _, p := range f.byName {
|
|
out = append(out, p)
|
|
}
|
|
return out, nil
|
|
}
|
|
func (f *fakePermissionRepo) GetByName(_ context.Context, name string) (*authdomain.Permission, error) {
|
|
p, ok := f.byName[name]
|
|
if !ok {
|
|
return nil, repository.ErrAuthNotFound
|
|
}
|
|
return p, nil
|
|
}
|
|
func (f *fakePermissionRepo) IsCanonical(name string) bool {
|
|
_, ok := f.byName[name]
|
|
return ok
|
|
}
|
|
|
|
// fakeActorRoleRepo mocks the actor_roles repository plus the
|
|
// EffectivePermissions JOIN. Tests configure perms[(actorID,actorType)]
|
|
// to return a specific permission set.
|
|
type fakeActorRoleRepo struct {
|
|
grants []*authdomain.ActorRole
|
|
perms map[string][]repository.EffectivePermission
|
|
}
|
|
|
|
func newFakeActorRoleRepo() *fakeActorRoleRepo {
|
|
return &fakeActorRoleRepo{
|
|
perms: map[string][]repository.EffectivePermission{},
|
|
}
|
|
}
|
|
func actorKey(id string, t authdomain.ActorTypeValue) string {
|
|
return string(t) + ":" + id
|
|
}
|
|
func (f *fakeActorRoleRepo) ListByActor(_ context.Context, actorID string, actorType authdomain.ActorTypeValue, _ string) ([]*authdomain.ActorRole, error) {
|
|
var out []*authdomain.ActorRole
|
|
for _, g := range f.grants {
|
|
if g.ActorID == actorID && g.ActorType == actorType {
|
|
out = append(out, g)
|
|
}
|
|
}
|
|
return out, nil
|
|
}
|
|
func (f *fakeActorRoleRepo) ListByRole(_ context.Context, roleID string) ([]*authdomain.ActorRole, error) {
|
|
var out []*authdomain.ActorRole
|
|
for _, g := range f.grants {
|
|
if g.RoleID == roleID {
|
|
out = append(out, g)
|
|
}
|
|
}
|
|
return out, nil
|
|
}
|
|
func (f *fakeActorRoleRepo) Grant(_ context.Context, ar *authdomain.ActorRole) error {
|
|
f.grants = append(f.grants, ar)
|
|
return nil
|
|
}
|
|
func (f *fakeActorRoleRepo) Revoke(_ context.Context, actorID string, actorType authdomain.ActorTypeValue, roleID, _ string) error {
|
|
out := f.grants[:0]
|
|
for _, g := range f.grants {
|
|
if g.ActorID == actorID && g.ActorType == actorType && g.RoleID == roleID {
|
|
continue
|
|
}
|
|
out = append(out, g)
|
|
}
|
|
f.grants = out
|
|
return nil
|
|
}
|
|
func (f *fakeActorRoleRepo) AdminExists(_ context.Context, _ string) (bool, error) {
|
|
for _, g := range f.grants {
|
|
if g.RoleID == authdomain.RoleIDAdmin && g.ActorID != authdomain.DemoAnonActorID {
|
|
return true, nil
|
|
}
|
|
}
|
|
return false, nil
|
|
}
|
|
func (f *fakeActorRoleRepo) ListDistinctActors(_ context.Context, _ string) ([]repository.ActorWithRoles, error) {
|
|
seen := map[string]*repository.ActorWithRoles{}
|
|
for _, g := range f.grants {
|
|
k := string(g.ActorType) + ":" + g.ActorID
|
|
if seen[k] == nil {
|
|
seen[k] = &repository.ActorWithRoles{
|
|
ActorID: g.ActorID,
|
|
ActorType: g.ActorType,
|
|
TenantID: g.TenantID,
|
|
}
|
|
}
|
|
seen[k].RoleIDs = append(seen[k].RoleIDs, g.RoleID)
|
|
}
|
|
out := make([]repository.ActorWithRoles, 0, len(seen))
|
|
for _, v := range seen {
|
|
out = append(out, *v)
|
|
}
|
|
return out, nil
|
|
}
|
|
func (f *fakeActorRoleRepo) EffectivePermissions(_ context.Context, actorID string, actorType authdomain.ActorTypeValue, _ string) ([]repository.EffectivePermission, error) {
|
|
return f.perms[actorKey(actorID, actorType)], nil
|
|
}
|
|
|
|
type fakeAudit struct {
|
|
calls []struct {
|
|
Actor, ActorType, Action, Category, ResourceID string
|
|
}
|
|
}
|
|
|
|
func (f *fakeAudit) RecordEvent(_ context.Context, actor string, actorType domain.ActorType, action, resourceType, resourceID string, _ map[string]interface{}) error {
|
|
f.calls = append(f.calls, struct{ Actor, ActorType, Action, Category, ResourceID string }{
|
|
actor, string(actorType), action, "", resourceID,
|
|
})
|
|
return nil
|
|
}
|
|
|
|
func (f *fakeAudit) RecordEventWithCategory(_ context.Context, actor string, actorType domain.ActorType, action, eventCategory, resourceType, resourceID string, _ map[string]interface{}) error {
|
|
f.calls = append(f.calls, struct{ Actor, ActorType, Action, Category, ResourceID string }{
|
|
actor, string(actorType), action, eventCategory, resourceID,
|
|
})
|
|
return nil
|
|
}
|
|
|
|
// =============================================================================
|
|
// Authorizer tests
|
|
// =============================================================================
|
|
|
|
func TestAuthorizer_GlobalGrantBeatsSpecificScope(t *testing.T) {
|
|
r := newFakeActorRoleRepo()
|
|
r.perms[actorKey("alice", authdomain.ActorTypeValue(domain.ActorTypeAPIKey))] = []repository.EffectivePermission{
|
|
{PermissionName: "cert.read", ScopeType: authdomain.ScopeTypeGlobal, ScopeID: nil},
|
|
}
|
|
az := NewAuthorizer(r)
|
|
scopeID := "iss-foo"
|
|
ok, err := az.CheckPermission(context.Background(), "alice", authdomain.ActorTypeValue(domain.ActorTypeAPIKey), authdomain.DefaultTenantID, "cert.read", authdomain.ScopeTypeIssuer, &scopeID)
|
|
if err != nil {
|
|
t.Fatalf("CheckPermission err: %v", err)
|
|
}
|
|
if !ok {
|
|
t.Errorf("global cert.read grant should match scoped request; got false")
|
|
}
|
|
}
|
|
|
|
func TestAuthorizer_NoGrantReturnsFalse(t *testing.T) {
|
|
r := newFakeActorRoleRepo()
|
|
az := NewAuthorizer(r)
|
|
ok, err := az.CheckPermission(context.Background(), "bob", authdomain.ActorTypeValue(domain.ActorTypeAPIKey), authdomain.DefaultTenantID, "cert.delete", authdomain.ScopeTypeGlobal, nil)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
if ok {
|
|
t.Errorf("actor with no grants should not pass any permission check")
|
|
}
|
|
}
|
|
|
|
func TestAuthorizer_SpecificScopeMatchesExactID(t *testing.T) {
|
|
r := newFakeActorRoleRepo()
|
|
scope := "p-corp"
|
|
r.perms[actorKey("alice", authdomain.ActorTypeValue(domain.ActorTypeAPIKey))] = []repository.EffectivePermission{
|
|
{PermissionName: "profile.edit", ScopeType: authdomain.ScopeTypeProfile, ScopeID: &scope},
|
|
}
|
|
az := NewAuthorizer(r)
|
|
matchID := "p-corp"
|
|
wrongID := "p-other"
|
|
ok, _ := az.CheckPermission(context.Background(), "alice", authdomain.ActorTypeValue(domain.ActorTypeAPIKey), authdomain.DefaultTenantID, "profile.edit", authdomain.ScopeTypeProfile, &matchID)
|
|
if !ok {
|
|
t.Errorf("scoped grant on p-corp should match request for p-corp")
|
|
}
|
|
ok, _ = az.CheckPermission(context.Background(), "alice", authdomain.ActorTypeValue(domain.ActorTypeAPIKey), authdomain.DefaultTenantID, "profile.edit", authdomain.ScopeTypeProfile, &wrongID)
|
|
if ok {
|
|
t.Errorf("scoped grant on p-corp should NOT match request for p-other")
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// RoleService tests
|
|
// =============================================================================
|
|
|
|
func newRoleServiceWithFakes() (*RoleService, *fakeAudit, *fakeActorRoleRepo) {
|
|
roleRepo := newFakeRoleRepo()
|
|
permRepo := newFakePermissionRepo()
|
|
actorRepo := newFakeActorRoleRepo()
|
|
audit := &fakeAudit{}
|
|
az := NewAuthorizer(actorRepo)
|
|
return NewRoleService(roleRepo, permRepo, az, audit), audit, actorRepo
|
|
}
|
|
|
|
func TestRoleService_NoCallerReturnsUnauthenticated(t *testing.T) {
|
|
rs, _, _ := newRoleServiceWithFakes()
|
|
_, err := rs.List(context.Background(), nil)
|
|
if !errors.Is(err, ErrUnauthenticated) {
|
|
t.Errorf("nil caller should return ErrUnauthenticated, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestRoleService_CallerWithoutPermissionForbidden(t *testing.T) {
|
|
rs, _, _ := newRoleServiceWithFakes()
|
|
caller := &Caller{ActorID: "bob", ActorType: domain.ActorTypeAPIKey}
|
|
_, err := rs.List(context.Background(), caller)
|
|
if !errors.Is(err, ErrForbidden) {
|
|
t.Errorf("caller without auth.role.list should be forbidden; got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestRoleService_SystemCallerBypassesGate(t *testing.T) {
|
|
rs, audit, _ := newRoleServiceWithFakes()
|
|
role := &authdomain.Role{ID: "r-x", Name: "x", Description: "test"}
|
|
if err := rs.Create(context.Background(), AsSystemCaller(), role); err != nil {
|
|
t.Fatalf("system caller should bypass auth.role.create gate; got %v", err)
|
|
}
|
|
if len(audit.calls) != 1 || audit.calls[0].Action != "role.create" {
|
|
t.Errorf("expected one role.create audit row, got %+v", audit.calls)
|
|
}
|
|
}
|
|
|
|
func TestRoleService_AddPermissionRejectsNonCanonical(t *testing.T) {
|
|
rs, _, _ := newRoleServiceWithFakes()
|
|
err := rs.AddPermission(context.Background(), AsSystemCaller(), "r-admin", "fake.permission", authdomain.ScopeTypeGlobal, nil)
|
|
if !errors.Is(err, ErrInvalidPermission) {
|
|
t.Errorf("non-canonical permission should be rejected; got %v", err)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// ActorRoleService tests — privilege-escalation guard
|
|
// =============================================================================
|
|
|
|
func newActorRoleServiceWithFakes() (*ActorRoleService, *fakeActorRoleRepo, *fakeAudit) {
|
|
roleRepo := newFakeRoleRepo()
|
|
actorRepo := newFakeActorRoleRepo()
|
|
audit := &fakeAudit{}
|
|
az := NewAuthorizer(actorRepo)
|
|
return NewActorRoleService(actorRepo, roleRepo, az, audit), actorRepo, audit
|
|
}
|
|
|
|
func TestActorRoleService_GrantRequiresAuthRoleAssign(t *testing.T) {
|
|
svc, repo, _ := newActorRoleServiceWithFakes()
|
|
// Caller bob has cert.read but NOT auth.role.assign.
|
|
repo.perms[actorKey("bob", authdomain.ActorTypeValue(domain.ActorTypeAPIKey))] = []repository.EffectivePermission{
|
|
{PermissionName: "cert.read", ScopeType: authdomain.ScopeTypeGlobal, ScopeID: nil},
|
|
}
|
|
caller := &Caller{ActorID: "bob", ActorType: domain.ActorTypeAPIKey}
|
|
err := svc.Grant(context.Background(), caller, &authdomain.ActorRole{
|
|
ActorID: "carol", ActorType: authdomain.ActorTypeValue(domain.ActorTypeAPIKey), RoleID: "r-admin",
|
|
})
|
|
if !errors.Is(err, ErrSelfRoleAssignment) {
|
|
t.Errorf("Grant without auth.role.assign should fail with ErrSelfRoleAssignment; got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestActorRoleService_GrantSucceedsWithAuthRoleAssign(t *testing.T) {
|
|
svc, repo, audit := newActorRoleServiceWithFakes()
|
|
// Caller alice holds auth.role.assign globally.
|
|
repo.perms[actorKey("alice", authdomain.ActorTypeValue(domain.ActorTypeAPIKey))] = []repository.EffectivePermission{
|
|
{PermissionName: "auth.role.assign", ScopeType: authdomain.ScopeTypeGlobal, ScopeID: nil},
|
|
}
|
|
caller := &Caller{ActorID: "alice", ActorType: domain.ActorTypeAPIKey}
|
|
err := svc.Grant(context.Background(), caller, &authdomain.ActorRole{
|
|
ActorID: "carol", ActorType: authdomain.ActorTypeValue(domain.ActorTypeAPIKey), RoleID: "r-viewer",
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("Grant should succeed when caller holds auth.role.assign; got %v", err)
|
|
}
|
|
if len(audit.calls) != 1 || audit.calls[0].Action != "actor_role.grant" {
|
|
t.Errorf("expected one actor_role.grant audit row; got %+v", audit.calls)
|
|
}
|
|
}
|
|
|
|
func TestActorRoleService_GrantRejectsReservedDemoActor(t *testing.T) {
|
|
svc, _, _ := newActorRoleServiceWithFakes()
|
|
err := svc.Grant(context.Background(), AsSystemCaller(), &authdomain.ActorRole{
|
|
ActorID: authdomain.DemoAnonActorID,
|
|
RoleID: "r-viewer",
|
|
})
|
|
if !errors.Is(err, repository.ErrAuthReservedActor) {
|
|
t.Errorf("Grant against actor-demo-anon should be rejected; got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestActorRoleService_RevokeRejectsReservedDemoActor(t *testing.T) {
|
|
svc, _, _ := newActorRoleServiceWithFakes()
|
|
err := svc.Revoke(context.Background(), AsSystemCaller(), authdomain.DemoAnonActorID, domain.ActorTypeAnonymous, "r-admin")
|
|
if !errors.Is(err, repository.ErrAuthReservedActor) {
|
|
t.Errorf("Revoke against actor-demo-anon should be rejected; got %v", err)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// PermissionService tests
|
|
// =============================================================================
|
|
|
|
func TestPermissionService_IsRegistered(t *testing.T) {
|
|
repo := newFakePermissionRepo()
|
|
ps := NewPermissionService(repo)
|
|
if !ps.IsRegistered("cert.read") {
|
|
t.Errorf("cert.read should be in canonical catalogue")
|
|
}
|
|
if ps.IsRegistered("not.a.real.permission") {
|
|
t.Errorf("non-canonical permission should NOT be registered")
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// CallerFromContext returns ErrUnauthenticated until Phase 3 wires the
|
|
// middleware; pin the contract here so the upgrade is observable.
|
|
// =============================================================================
|
|
|
|
func TestCallerFromContext_Phase2ReturnsUnauthenticated(t *testing.T) {
|
|
_, err := CallerFromContext(context.Background())
|
|
if !errors.Is(err, ErrUnauthenticated) {
|
|
t.Errorf("Phase 2 stub should return ErrUnauthenticated; got %v. Phase 3 wires the middleware-context bridge.", err)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// Bundle 1 Phase 12 — additional negative-test paths from the prompt list:
|
|
// #9: role delete with actors assigned → ErrAuthRoleInUse (HTTP 409).
|
|
// The Authorizer wrong-scope path is already covered by
|
|
// TestAuthorizer_SpecificScopeMatchesExactID (the wrongID arm asserts
|
|
// false). The ErrInvalidPermission path is covered by
|
|
// TestRoleService_AddPermissionRejectsNonCanonical.
|
|
// =============================================================================
|
|
|
|
// TestRoleService_DeleteWithActorsAssignedReturns409 pins the
|
|
// repository sentinel pass-through: when the FK ON DELETE RESTRICT
|
|
// trips at the postgres layer, the repo returns
|
|
// repository.ErrAuthRoleInUse; the service surfaces that verbatim so
|
|
// the handler can map to HTTP 409.
|
|
func TestRoleService_DeleteWithActorsAssignedReturns409(t *testing.T) {
|
|
rs, _, _ := newRoleServiceWithFakes()
|
|
// Pin the repo to surface ErrAuthRoleInUse on Delete (simulates
|
|
// the FK guard tripping in postgres).
|
|
rs.repo.(*fakeRoleRepo).deleteFail = repository.ErrAuthRoleInUse
|
|
err := rs.Delete(context.Background(), AsSystemCaller(), "r-operator")
|
|
if !errors.Is(err, repository.ErrAuthRoleInUse) {
|
|
t.Errorf("Delete err = %v, want repository.ErrAuthRoleInUse (handler maps to 409)", err)
|
|
}
|
|
}
|