gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:31:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
3ef45e2ad4e60bd7d8f1ca69f91f1dfaf5bca263
certctl/internal/service/approval_test.go
T
shankar0123 8043e2bbac service: ApprovalService + ApprovalMetrics + 8 table-driven tests 
Rank 7 of the 2026-05-03 Infisical deep-research deliverable, commit 2 of 4
(cowork/rank-7-approval-workflow-primitive-prompt.md). Builds on the
foundation in commit 2025275 — wires the service layer that drives the
approval workflow. Still no handler / integration wiring; commits 3-4
land that.

Files added:
  internal/service/approval.go         - ApprovalService struct + 6
                                          methods: RequestApproval,
                                          Approve, Reject, ListPending,
                                          List, Get, ExpireStale.
                                          Same-actor RBAC check
                                          (ErrApproveBySameActor) at
                                          both Approve and Reject; the
                                          load-bearing two-person
                                          integrity gate. Bypass mode
                                          short-circuits via
                                          approveInternal(outcome=
                                          "bypassed", actorType=System).
                                          Audit + metric emission per
                                          decision via shared
                                          recordAudit helper. Tolerates
                                          nil AuditService for tests.
                                          Service depends on a narrow
                                          JobStatusUpdater interface
                                          (single-method) rather than
                                          the full repository.JobRepository
                                          — production wiring satisfies
                                          it implicitly via postgres'
                                          existing UpdateStatus.

  internal/service/approval_metrics.go - ApprovalMetrics: thread-safe
                                          counter table (decisions
                                          counter dimensioned by
                                          outcome × profile_id) + a
                                          custom durationHistogram for
                                          pending-age (le buckets:
                                          60, 300, 1800, 3600, 21600,
                                          86400, +Inf — 1m, 5m, 30m,
                                          1h, 6h, 24h, beyond).
                                          Snapshot* methods return the
                                          Prometheus exposer's input
                                          shapes. Mirrors the
                                          ExpiryAlertMetrics +
                                          VaultRenewalMetrics pattern
                                          from prior ranks.

  internal/service/approval_test.go    - 8 table-driven tests with
                                          tight in-package fakes
                                          (fakeApprovalRepo +
                                          fakeJobStateRepo):
                                            TestApproval_RequestCreatesPendingRow_BypassDisabled
                                            TestApproval_BypassMode_AutoApprovesWithSystemBypassActor
                                            TestApproval_Approve_TransitionsJobFromAwaitingApprovalToPending
                                            TestApproval_Reject_TransitionsJobFromAwaitingApprovalToCancelled
                                            TestApproval_Approve_RejectsSameActor
                                              ↑ THE LOAD-BEARING TWO-PERSON
                                                INTEGRITY TEST. PCI-DSS 6.4.5
                                                / NIST 800-53 SA-15 / SOC 2
                                                CC6.1 compliance auditors
                                                pattern-match against this.
                                                Pins same-actor rejection on
                                                both Approve and Reject paths;
                                                pins success when a different
                                                actor approves.
                                            TestApproval_Approve_RejectsAlreadyDecided
                                            TestApproval_ExpireStale_TransitionsPendingToExpired_AndCancelsJob
                                            TestApproval_MetricCounterIncrements

Verified:
  gofmt: clean.
  go vet ./internal/service/...: exit 0.
  go test -short -count=1 -run TestApproval ./internal/service/...:
    ok 0.005s — all 8 tests green.

Out of scope for this commit (lands in commits 3-4):
  - api/handler/approval.go (5 endpoints + handler-side RBAC).
  - api/openapi.yaml extensions.
  - Integration into CertificateService.TriggerRenewal +
    RenewalService.CheckExpiringCertificates + Scheduler.ReapTimedOutJobs.
  - cmd/server/main.go wiring of ApprovalService + ApprovalMetrics.
  - Config.Approval.BypassEnabled + CERTCTL_APPROVAL_BYPASS env var.
  - docs/connectors.md row + docs/approval-workflow.md runbook.

Reference: cowork/rank-7-approval-workflow-primitive-prompt.md.
2026-05-04 01:01:53 +00:00

387 lines
13 KiB
Go
Raw Blame History

package service
import (
"context"
"errors"
"sync"
"testing"
"time"
"github.com/certctl-io/certctl/internal/domain"
"github.com/certctl-io/certctl/internal/repository"
)
// fakeApprovalRepo is a minimal in-memory ApprovalRepository for unit
// testing the service-layer logic in isolation. Stores rows in a map
// keyed by ID; List returns rows matching a single state filter.
type fakeApprovalRepo struct {
mu sync.Mutex
rows map[string]*domain.ApprovalRequest
}
func newFakeApprovalRepo() *fakeApprovalRepo {
return &fakeApprovalRepo{rows: make(map[string]*domain.ApprovalRequest)}
}
func (f *fakeApprovalRepo) Create(ctx context.Context, req *domain.ApprovalRequest) error {
f.mu.Lock()
defer f.mu.Unlock()
if req.ID == "" {
req.ID = "ar-fake-" + time.Now().Format("150405.000000000")
}
// Enforce the partial-unique pending-per-job at the mock layer too.
for _, existing := range f.rows {
if existing.JobID == req.JobID && existing.State == domain.ApprovalStatePending {
return repository.ErrAlreadyExists
}
}
cp := *req
f.rows[req.ID] = &cp
return nil
}
func (f *fakeApprovalRepo) Get(ctx context.Context, id string) (*domain.ApprovalRequest, error) {
f.mu.Lock()
defer f.mu.Unlock()
if r, ok := f.rows[id]; ok {
cp := *r
return &cp, nil
}
return nil, repository.ErrNotFound
}
func (f *fakeApprovalRepo) GetByJobID(ctx context.Context, jobID string) (*domain.ApprovalRequest, error) {
f.mu.Lock()
defer f.mu.Unlock()
for _, r := range f.rows {
if r.JobID == jobID {
cp := *r
return &cp, nil
}
}
return nil, repository.ErrNotFound
}
func (f *fakeApprovalRepo) List(ctx context.Context, filter *repository.ApprovalFilter) ([]*domain.ApprovalRequest, error) {
f.mu.Lock()
defer f.mu.Unlock()
var out []*domain.ApprovalRequest
for _, r := range f.rows {
if filter != nil && filter.State != "" && string(r.State) != filter.State {
continue
}
if filter != nil && filter.CertificateID != "" && r.CertificateID != filter.CertificateID {
continue
}
if filter != nil && filter.RequestedBy != "" && r.RequestedBy != filter.RequestedBy {
continue
}
cp := *r
out = append(out, &cp)
}
return out, nil
}
func (f *fakeApprovalRepo) UpdateState(ctx context.Context, id string, state domain.ApprovalState,
decidedBy string, decidedAt time.Time, note string) error {
f.mu.Lock()
defer f.mu.Unlock()
r, ok := f.rows[id]
if !ok {
return repository.ErrNotFound
}
if r.State != domain.ApprovalStatePending {
return repository.ErrAlreadyExists // signals "already terminal"
}
r.State = state
r.DecidedBy = &decidedBy
r.DecidedAt = &decidedAt
if note != "" {
n := note
r.DecisionNote = &n
}
r.UpdatedAt = decidedAt
return nil
}
func (f *fakeApprovalRepo) ExpireStale(ctx context.Context, before time.Time) (int, error) {
f.mu.Lock()
defer f.mu.Unlock()
now := time.Now().UTC()
count := 0
for _, r := range f.rows {
if r.State == domain.ApprovalStatePending && (r.CreatedAt.Before(before) || r.CreatedAt.Equal(before)) {
r.State = domain.ApprovalStateExpired
s := "system-reaper"
r.DecidedBy = &s
r.DecidedAt = &now
r.UpdatedAt = now
count++
}
}
return count, nil
}
// fakeJobStateRepo implements service.JobStatusUpdater and tracks per-job
// status mutations so the tests can introspect them. It does NOT implement
// the full repository.JobRepository — ApprovalService only needs UpdateStatus.
type fakeJobStateRepo struct {
mu sync.Mutex
statuses map[string]domain.JobStatus
}
func newFakeJobStateRepo() *fakeJobStateRepo {
return &fakeJobStateRepo{statuses: make(map[string]domain.JobStatus)}
}
func (f *fakeJobStateRepo) seed(id string, status domain.JobStatus) {
f.mu.Lock()
defer f.mu.Unlock()
f.statuses[id] = status
}
func (f *fakeJobStateRepo) status(id string) domain.JobStatus {
f.mu.Lock()
defer f.mu.Unlock()
return f.statuses[id]
}
func (f *fakeJobStateRepo) UpdateStatus(ctx context.Context, id string, status domain.JobStatus, errMsg string) error {
f.mu.Lock()
defer f.mu.Unlock()
f.statuses[id] = status
return nil
}
// helper builders --------------------------------------------------------
func newApprovalSvcForTest(bypass bool) (*ApprovalService, *fakeApprovalRepo, *fakeJobStateRepo) {
ar := newFakeApprovalRepo()
jr := newFakeJobStateRepo()
metrics := NewApprovalMetrics()
svc := NewApprovalService(ar, jr, nil, metrics, bypass)
return svc, ar, jr
}
func sampleCert() *domain.ManagedCertificate {
return &domain.ManagedCertificate{ID: "mc-test-cert"}
}
// tests ------------------------------------------------------------------
func TestApproval_RequestCreatesPendingRow_BypassDisabled(t *testing.T) {
svc, ar, jr := newApprovalSvcForTest(false)
jr.seed("job-1", domain.JobStatusAwaitingApproval)
id, err := svc.RequestApproval(context.Background(), sampleCert(),
"job-1", "profile-prod-cdn", "user-alice", map[string]string{"common_name": "api.example.com"})
if err != nil {
t.Fatalf("RequestApproval err: %v", err)
}
got, err := ar.Get(context.Background(), id)
if err != nil {
t.Fatalf("Get err: %v", err)
}
if got.State != domain.ApprovalStatePending {
t.Fatalf("expected state=pending, got %s", got.State)
}
if got.RequestedBy != "user-alice" {
t.Fatalf("requested_by mismatch: %s", got.RequestedBy)
}
if jr.status("job-1") != domain.JobStatusAwaitingApproval {
t.Fatalf("job should remain AwaitingApproval; got %s", jr.status("job-1"))
}
}
func TestApproval_BypassMode_AutoApprovesWithSystemBypassActor(t *testing.T) {
svc, ar, jr := newApprovalSvcForTest(true)
jr.seed("job-2", domain.JobStatusAwaitingApproval)
id, err := svc.RequestApproval(context.Background(), sampleCert(),
"job-2", "profile-iot", "user-bob", nil)
if err != nil {
t.Fatalf("bypass RequestApproval err: %v", err)
}
got, err := ar.Get(context.Background(), id)
if err != nil {
t.Fatalf("Get err: %v", err)
}
if got.State != domain.ApprovalStateApproved {
t.Fatalf("bypass should auto-approve; got state=%s", got.State)
}
if got.DecidedBy == nil || *got.DecidedBy != domain.ApprovalActorSystemBypass {
t.Fatalf("bypass should stamp decided_by=%s; got %v",
domain.ApprovalActorSystemBypass, got.DecidedBy)
}
if jr.status("job-2") != domain.JobStatusPending {
t.Fatalf("bypass should transition job to Pending; got %s", jr.status("job-2"))
}
}
func TestApproval_Approve_TransitionsJobFromAwaitingApprovalToPending(t *testing.T) {
svc, ar, jr := newApprovalSvcForTest(false)
jr.seed("job-3", domain.JobStatusAwaitingApproval)
id, _ := svc.RequestApproval(context.Background(), sampleCert(), "job-3", "p1", "user-alice", nil)
if err := svc.Approve(context.Background(), id, "user-bob", "approved per ticket SECOPS-123"); err != nil {
t.Fatalf("Approve err: %v", err)
}
got, _ := ar.Get(context.Background(), id)
if got.State != domain.ApprovalStateApproved {
t.Fatalf("expected state=approved; got %s", got.State)
}
if jr.status("job-3") != domain.JobStatusPending {
t.Fatalf("expected job=Pending; got %s", jr.status("job-3"))
}
}
func TestApproval_Reject_TransitionsJobFromAwaitingApprovalToCancelled(t *testing.T) {
svc, ar, jr := newApprovalSvcForTest(false)
jr.seed("job-4", domain.JobStatusAwaitingApproval)
id, _ := svc.RequestApproval(context.Background(), sampleCert(), "job-4", "p1", "user-alice", nil)
if err := svc.Reject(context.Background(), id, "user-bob", "not on the approved-domains list"); err != nil {
t.Fatalf("Reject err: %v", err)
}
got, _ := ar.Get(context.Background(), id)
if got.State != domain.ApprovalStateRejected {
t.Fatalf("expected state=rejected; got %s", got.State)
}
if jr.status("job-4") != domain.JobStatusCancelled {
t.Fatalf("expected job=Cancelled; got %s", jr.status("job-4"))
}
}
func TestApproval_Approve_RejectsSameActor(t *testing.T) {
// LOAD-BEARING TWO-PERSON INTEGRITY TEST. PCI-DSS 6.4.5 / NIST 800-53
// SA-15 / SOC 2 CC6.1 compliance auditors pattern-match against this.
svc, _, jr := newApprovalSvcForTest(false)
jr.seed("job-5", domain.JobStatusAwaitingApproval)
id, _ := svc.RequestApproval(context.Background(), sampleCert(), "job-5", "p1", "user-alice", nil)
err := svc.Approve(context.Background(), id, "user-alice", "trying to self-approve")
if !errors.Is(err, ErrApproveBySameActor) {
t.Fatalf("expected ErrApproveBySameActor; got %v", err)
}
if jr.status("job-5") != domain.JobStatusAwaitingApproval {
t.Fatalf("job should remain AwaitingApproval; got %s", jr.status("job-5"))
}
// Approval as a different actor succeeds.
if err := svc.Approve(context.Background(), id, "user-bob", "approved by separate actor"); err != nil {
t.Fatalf("Approve as different actor err: %v", err)
}
if jr.status("job-5") != domain.JobStatusPending {
t.Fatalf("expected job=Pending after bob approve; got %s", jr.status("job-5"))
}
// Same-actor rejection also fails.
jr.seed("job-5b", domain.JobStatusAwaitingApproval)
id2, _ := svc.RequestApproval(context.Background(), sampleCert(), "job-5b", "p1", "user-charlie", nil)
err2 := svc.Reject(context.Background(), id2, "user-charlie", "self-reject")
if !errors.Is(err2, ErrApproveBySameActor) {
t.Fatalf("expected ErrApproveBySameActor on Reject; got %v", err2)
}
}
func TestApproval_Approve_RejectsAlreadyDecided(t *testing.T) {
svc, _, jr := newApprovalSvcForTest(false)
jr.seed("job-6", domain.JobStatusAwaitingApproval)
id, _ := svc.RequestApproval(context.Background(), sampleCert(), "job-6", "p1", "user-alice", nil)
if err := svc.Approve(context.Background(), id, "user-bob", ""); err != nil {
t.Fatalf("first Approve err: %v", err)
}
err := svc.Approve(context.Background(), id, "user-charlie", "second approve")
if !errors.Is(err, ErrApprovalAlreadyDecided) {
t.Fatalf("expected ErrApprovalAlreadyDecided; got %v", err)
}
err2 := svc.Reject(context.Background(), id, "user-charlie", "late reject")
if !errors.Is(err2, ErrApprovalAlreadyDecided) {
t.Fatalf("expected ErrApprovalAlreadyDecided on Reject; got %v", err2)
}
}
func TestApproval_ExpireStale_TransitionsPendingToExpired_AndCancelsJob(t *testing.T) {
svc, ar, jr := newApprovalSvcForTest(false)
jr.seed("job-7", domain.JobStatusAwaitingApproval)
jr.seed("job-8", domain.JobStatusAwaitingApproval)
id7, _ := svc.RequestApproval(context.Background(), sampleCert(), "job-7", "p1", "user-alice", nil)
id8, _ := svc.RequestApproval(context.Background(), sampleCert(), "job-8", "p1", "user-alice", nil)
// Backdate one of the requests to before the cutoff.
old := time.Now().Add(-200 * time.Hour).UTC()
ar.mu.Lock()
ar.rows[id7].CreatedAt = old
ar.mu.Unlock()
cutoff := time.Now().Add(-168 * time.Hour).UTC()
count, err := svc.ExpireStale(context.Background(), cutoff)
if err != nil {
t.Fatalf("ExpireStale err: %v", err)
}
if count != 1 {
t.Fatalf("expected 1 row expired; got %d", count)
}
got7, _ := ar.Get(context.Background(), id7)
if got7.State != domain.ApprovalStateExpired {
t.Fatalf("expected job-7 expired; got %s", got7.State)
}
got8, _ := ar.Get(context.Background(), id8)
if got8.State != domain.ApprovalStatePending {
t.Fatalf("job-8 should still be pending; got %s", got8.State)
}
if jr.status("job-7") != domain.JobStatusCancelled {
t.Fatalf("expected job-7 cancelled; got %s", jr.status("job-7"))
}
if jr.status("job-8") != domain.JobStatusAwaitingApproval {
t.Fatalf("job-8 should remain AwaitingApproval; got %s", jr.status("job-8"))
}
}
func TestApproval_MetricCounterIncrements(t *testing.T) {
svc, _, jr := newApprovalSvcForTest(false)
metrics := svc.metrics
jr.seed("job-9", domain.JobStatusAwaitingApproval)
id9, _ := svc.RequestApproval(context.Background(), sampleCert(), "job-9", "p-cdn", "user-alice", nil)
_ = svc.Approve(context.Background(), id9, "user-bob", "approved")
jr.seed("job-10", domain.JobStatusAwaitingApproval)
id10, _ := svc.RequestApproval(context.Background(), sampleCert(), "job-10", "p-cdn", "user-alice", nil)
_ = svc.Reject(context.Background(), id10, "user-bob", "rejected")
jr.seed("job-11", domain.JobStatusAwaitingApproval)
id11, _ := svc.RequestApproval(context.Background(), sampleCert(), "job-11", "p-cdn", "user-alice", nil)
// Backdate + expire.
old := time.Now().Add(-200 * time.Hour).UTC()
repo := svc.approvalRepo.(*fakeApprovalRepo)
repo.mu.Lock()
repo.rows[id11].CreatedAt = old
repo.mu.Unlock()
if _, err := svc.ExpireStale(context.Background(), time.Now().Add(-168*time.Hour)); err != nil {
t.Fatalf("ExpireStale err: %v", err)
}
snap := metrics.SnapshotApprovalDecisions()
got := map[string]uint64{}
for _, e := range snap {
got[e.Outcome] = e.Count
}
if got[domain.ApprovalOutcomeApproved] != 1 {
t.Fatalf("expected 1 approved counter; got %d", got[domain.ApprovalOutcomeApproved])
}
if got[domain.ApprovalOutcomeRejected] != 1 {
t.Fatalf("expected 1 rejected counter; got %d", got[domain.ApprovalOutcomeRejected])
}
if got[domain.ApprovalOutcomeExpired] != 1 {
t.Fatalf("expected 1 expired counter; got %d", got[domain.ApprovalOutcomeExpired])
}
// Histogram observed at least 3 samples.
hist := metrics.SnapshotApprovalPendingAgeHistogram()
if hist.Count < 3 {
t.Fatalf("expected at least 3 histogram samples; got %d", hist.Count)
}
}
Reference in New Issue View Git Blame Copy Permalink