mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 19:41:30 +00:00
shankar0123
0152bdf567
HIGH-10's UNIQUE (actor, role, scope_type, scope_id, tenant) uniqueness
extension lets an operator grant the same role to the same actor at
multiple scopes (e.g. r-operator on profile=p-acme AND profile=p-globex).
But ActorRoleRepository.Revoke's WHERE clause omitted (scope_type,
scope_id) — a single call deleted every variant. Selective revoke was
unrepresentable; operators had to drop all and re-grant N-1, opening
a race window where the actor's access was briefly different.
Closure across all layers (handler → service → repo → MCP → GUI client),
preserving the legacy "revoke all variants" contract for unmodified
callers:
internal/repository/auth.go
- New ActorRoleRevokeOptions struct. Zero value = legacy semantic;
non-empty ScopeType narrows to one variant.
- New ErrActorRoleNotFound sentinel for scoped no-match (HTTP 404).
internal/repository/postgres/auth.go
- Revoke signature extended with opts. Empty opts.ScopeType uses
the legacy SQL (no scope WHERE), zero-row delete = no error.
- Non-empty narrows with `scope_type = $5 AND scope_id IS NOT
DISTINCT FROM $6` — the IS-NOT-DISTINCT-FROM is load-bearing,
vanilla `=` would silently miss the (global, NULL) case because
NULL ≠ NULL in standard SQL.
- Selective revoke with zero matching rows returns
ErrActorRoleNotFound; operators get feedback on typos.
internal/service/auth/actor_role_service.go
- Revoke takes opts. Audit row's details map records the scope so
SIEMs can distinguish wide-vs-selective revokes:
`scope: "all_variants"` for the legacy path, or
`scope_type` + `scope_id` for selective. Privilege check
(auth.role.assign) and reserved-actor guard unchanged.
internal/api/handler/auth.go
- RevokeRoleFromKey parses optional `?scope_type=` / `?scope_id=`
query params via new parseRevokeScope helper.
- Validation mirrors AssignRoleToKey: scope_id forbidden with
scope_type=global, required with profile/issuer, invalid
scope_type → 400. scope_id without scope_type also → 400.
- writeAuthError maps ErrActorRoleNotFound to 404.
internal/mcp/tools_auth.go + types.go
- AuthRevokeKeyRoleInput gains optional ScopeType + ScopeID with
jsonschema descriptions explaining the dual-mode contract.
- Tool call site appends URL-encoded query params when ScopeType
is set; legacy callers (no scope_type) emit the bare DELETE
path unchanged.
web/src/api/client.ts
- authRevokeKeyRole signature: optional 3rd argument
`{ scope_type?, scope_id? }`. Pre-A-4 call sites (no opts arg)
keep firing the bare DELETE — fully backward compatible. The
GUI KeysPage's per-row revoke button (still one row per role,
pre-Fix-12) continues to use the legacy shape; future GUI work
can pass scope params for per-variant rows.
docs/operator/rbac.md
- New "Revoke: legacy 'all variants' vs scope-selective" subsection
under "From the HTTP API" with curl examples for both modes plus
the audit-row payload shape that lets SOC/SIEM tell them apart.
Regression coverage:
Repository (testcontainers, skipped under -short — 6 tests in
internal/repository/postgres/auth_revoke_scope_test.go):
TestRevokeActorRole_NoOpts_RemovesAllVariants
TestRevokeActorRole_WithScope_RemovesOnlyMatching
TestRevokeActorRole_WithGlobalScope_RemovesOnlyGlobal — pins the
IS-NOT-DISTINCT-FROM branch (global, NULL)
TestRevokeActorRole_NoMatch_ReturnsNotFound — pins the new sentinel
TestRevokeActorRole_NoOpts_NoMatch_IsNoOp — pins the legacy
idempotence contract
TestRevokeActorRole_IssuerScope_RemovesOnlyMatching — pin the
issuer-scope half (profile + issuer are symmetric scope types)
Handler (7 new tests in auth_test.go):
TestAuthHandler_RevokeRoleFromKey — extended to assert no scope
filter is forwarded when query string is empty (legacy behaviour)
TestAuthHandler_RevokeRoleFromKey_A4_ScopedProfile
TestAuthHandler_RevokeRoleFromKey_A4_ScopedGlobal
TestAuthHandler_RevokeRoleFromKey_A4_RejectsScopeIDWithGlobal
TestAuthHandler_RevokeRoleFromKey_A4_RejectsMissingScopeID
TestAuthHandler_RevokeRoleFromKey_A4_RejectsScopeIDWithoutScopeType
TestAuthHandler_RevokeRoleFromKey_A4_RejectsInvalidScopeType
TestAuthHandler_RevokeRoleFromKey_A4_ScopedNotFoundReturns404
MCP (2 new table rows in tools_per_tool_test.go):
Scoped revoke with scope_type=profile + scope_id=p-acme →
`?scope_type=profile&scope_id=p-acme`
Scoped revoke with scope_type=global (no scope_id) →
`?scope_type=global`
Service-layer test plumbing (service_test.go) updated for new opts
arg: 4 existing call sites pass repository.ActorRoleRevokeOptions{}
to keep their pre-A-4 semantics; the fakeActorRoleRepo.Revoke
implementation now mirrors the postgres scope-aware behaviour
(legacy zero-value vs scoped narrowing + ErrActorRoleNotFound on
no-match).
Verify gate green: gofmt clean, go vet clean, go test -short across
repository/postgres, service/auth, api/handler, and mcp. The
pre-existing KeysPage.test.tsx failure observed on the baseline
commit (reproduced via `git stash` earlier in Fix 03) is unrelated;
my client.ts change adds an optional third argument and is fully
backward-compatible.
Spec at cowork/auth-bundles-fixes-2026-05-11/04-high-actor-role-revoke-scope.md.
Audit doc updated: new row A-4 (2026-05-11) CLOSED appended to the
status table at the bottom of cowork/auth-bundles-audit-2026-05-10.md.
Operator-visible advisory in CHANGELOG.md v2.1.0 release notes under
Security (non-BREAKING — legacy callers are unchanged).
Depends on Fix 01 (the scope-aware EffectivePermissions read path on
branch fix/audit-2026-05-11/crit-actor-role-scope-reads). This fix
makes the inverse op selectively reversible; without Fix 01 the read
side would mis-evaluate scoped grants anyway, making selective revoke
moot at runtime.
906 lines
35 KiB
Go
906 lines
35 KiB
Go
package handler
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/certctl-io/certctl/internal/auth"
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
authsvc "github.com/certctl-io/certctl/internal/service/auth"
|
|
)
|
|
|
|
// =============================================================================
|
|
// In-memory fakes — sufficient for handler-level translation tests. The
|
|
// service-layer privilege guards live in internal/service/auth and are
|
|
// covered there; these tests pin HTTP shape (status code, JSON envelope,
|
|
// error mapping).
|
|
// =============================================================================
|
|
|
|
type fakeAuthRoleSvc struct {
|
|
roles map[string]*authdomain.Role
|
|
rolePerms map[string][]*authdomain.RolePermission
|
|
listErr error
|
|
createErr error
|
|
deleteErr error
|
|
addPermErr error
|
|
}
|
|
|
|
func newFakeAuthRoleSvc() *fakeAuthRoleSvc {
|
|
return &fakeAuthRoleSvc{
|
|
roles: map[string]*authdomain.Role{},
|
|
rolePerms: map[string][]*authdomain.RolePermission{},
|
|
}
|
|
}
|
|
func (f *fakeAuthRoleSvc) List(_ context.Context, _ *authsvc.Caller) ([]*authdomain.Role, error) {
|
|
if f.listErr != nil {
|
|
return nil, f.listErr
|
|
}
|
|
out := make([]*authdomain.Role, 0, len(f.roles))
|
|
for _, r := range f.roles {
|
|
out = append(out, r)
|
|
}
|
|
return out, nil
|
|
}
|
|
func (f *fakeAuthRoleSvc) Get(_ context.Context, _ *authsvc.Caller, id string) (*authdomain.Role, error) {
|
|
r, ok := f.roles[id]
|
|
if !ok {
|
|
return nil, repository.ErrAuthNotFound
|
|
}
|
|
return r, nil
|
|
}
|
|
func (f *fakeAuthRoleSvc) Create(_ context.Context, _ *authsvc.Caller, role *authdomain.Role) error {
|
|
if f.createErr != nil {
|
|
return f.createErr
|
|
}
|
|
if role.ID == "" {
|
|
role.ID = "r-" + role.Name
|
|
}
|
|
f.roles[role.ID] = role
|
|
return nil
|
|
}
|
|
func (f *fakeAuthRoleSvc) Update(_ context.Context, _ *authsvc.Caller, role *authdomain.Role) error {
|
|
f.roles[role.ID] = role
|
|
return nil
|
|
}
|
|
func (f *fakeAuthRoleSvc) Delete(_ context.Context, _ *authsvc.Caller, id string) error {
|
|
if f.deleteErr != nil {
|
|
return f.deleteErr
|
|
}
|
|
delete(f.roles, id)
|
|
return nil
|
|
}
|
|
func (f *fakeAuthRoleSvc) ListPermissions(_ context.Context, _ *authsvc.Caller, roleID string) ([]*authdomain.RolePermission, error) {
|
|
return f.rolePerms[roleID], nil
|
|
}
|
|
func (f *fakeAuthRoleSvc) AddPermission(_ context.Context, _ *authsvc.Caller, roleID, permName string, scopeType authdomain.ScopeType, scopeID *string) error {
|
|
if f.addPermErr != nil {
|
|
return f.addPermErr
|
|
}
|
|
f.rolePerms[roleID] = append(f.rolePerms[roleID], &authdomain.RolePermission{
|
|
RoleID: roleID, PermissionID: "p-" + permName, ScopeType: scopeType, ScopeID: scopeID,
|
|
})
|
|
return nil
|
|
}
|
|
func (f *fakeAuthRoleSvc) RemovePermission(_ context.Context, _ *authsvc.Caller, _ string, _ string, _ authdomain.ScopeType, _ *string) error {
|
|
return nil
|
|
}
|
|
|
|
type fakeAuthPermSvc struct {
|
|
perms []*authdomain.Permission
|
|
}
|
|
|
|
func newFakeAuthPermSvc() *fakeAuthPermSvc {
|
|
out := make([]*authdomain.Permission, 0, len(authdomain.CanonicalPermissions))
|
|
for _, p := range authdomain.CanonicalPermissions {
|
|
out = append(out, &authdomain.Permission{ID: "p-" + p, Name: p, Namespace: p})
|
|
}
|
|
return &fakeAuthPermSvc{perms: out}
|
|
}
|
|
func (f *fakeAuthPermSvc) List(_ context.Context) ([]*authdomain.Permission, error) {
|
|
return f.perms, nil
|
|
}
|
|
func (f *fakeAuthPermSvc) IsRegistered(name string) bool {
|
|
for _, p := range f.perms {
|
|
if p.Name == name {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
type fakeAuthActorSvc struct {
|
|
grantErr error
|
|
revokeErr error
|
|
roles []*authdomain.ActorRole
|
|
effective []repository.EffectivePermission
|
|
// Audit 2026-05-11 A-4 — capture Revoke opts so tests can assert
|
|
// that the handler forwards scope_type / scope_id correctly.
|
|
revokeOpts repository.ActorRoleRevokeOptions
|
|
revokeCall struct {
|
|
actorID, roleID string
|
|
called bool
|
|
}
|
|
}
|
|
|
|
func newFakeAuthActorSvc() *fakeAuthActorSvc {
|
|
return &fakeAuthActorSvc{}
|
|
}
|
|
func (f *fakeAuthActorSvc) Grant(_ context.Context, _ *authsvc.Caller, ar *authdomain.ActorRole) error {
|
|
if f.grantErr != nil {
|
|
return f.grantErr
|
|
}
|
|
f.roles = append(f.roles, ar)
|
|
return nil
|
|
}
|
|
func (f *fakeAuthActorSvc) Revoke(_ context.Context, _ *authsvc.Caller, actorID string, _ domain.ActorType, roleID string, opts repository.ActorRoleRevokeOptions) error {
|
|
f.revokeCall.called = true
|
|
f.revokeCall.actorID = actorID
|
|
f.revokeCall.roleID = roleID
|
|
f.revokeOpts = opts
|
|
return f.revokeErr
|
|
}
|
|
func (f *fakeAuthActorSvc) ListForActor(_ context.Context, _ *authsvc.Caller, _ string, _ domain.ActorType) ([]*authdomain.ActorRole, error) {
|
|
return f.roles, nil
|
|
}
|
|
func (f *fakeAuthActorSvc) EffectivePermissions(_ context.Context, _ *authsvc.Caller, _ string, _ domain.ActorType) ([]repository.EffectivePermission, error) {
|
|
return f.effective, nil
|
|
}
|
|
func (f *fakeAuthActorSvc) ListKeys(_ context.Context, _ *authsvc.Caller) ([]repository.ActorWithRoles, error) {
|
|
out := make([]repository.ActorWithRoles, 0, len(f.roles))
|
|
for _, ar := range f.roles {
|
|
out = append(out, repository.ActorWithRoles{
|
|
ActorID: ar.ActorID,
|
|
ActorType: ar.ActorType,
|
|
TenantID: ar.TenantID,
|
|
RoleIDs: []string{ar.RoleID},
|
|
})
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
type fakePermChecker struct {
|
|
check func(ctx context.Context, actorID, actorType, tenantID, perm, scopeType string, scopeID *string) (bool, error)
|
|
}
|
|
|
|
func (f *fakePermChecker) CheckPermission(ctx context.Context, actorID, actorType, tenantID, perm, scopeType string, scopeID *string) (bool, error) {
|
|
if f.check == nil {
|
|
return true, nil
|
|
}
|
|
return f.check(ctx, actorID, actorType, tenantID, perm, scopeType, scopeID)
|
|
}
|
|
|
|
func newAuthHandlerWithFakes() (AuthHandler, *fakeAuthRoleSvc, *fakeAuthPermSvc, *fakeAuthActorSvc) {
|
|
roles := newFakeAuthRoleSvc()
|
|
perms := newFakeAuthPermSvc()
|
|
actors := newFakeAuthActorSvc()
|
|
checker := &fakePermChecker{}
|
|
return NewAuthHandler(roles, perms, actors, checker), roles, perms, actors
|
|
}
|
|
|
|
// withAuthCtx populates the Phase 3 actor context keys on a request.
|
|
func withAuthCtx(req *http.Request, actorID, actorType string) *http.Request {
|
|
ctx := req.Context()
|
|
ctx = context.WithValue(ctx, auth.ActorIDKey{}, actorID)
|
|
ctx = context.WithValue(ctx, auth.ActorTypeKey{}, actorType)
|
|
return req.WithContext(ctx)
|
|
}
|
|
|
|
// =============================================================================
|
|
// Tests
|
|
// =============================================================================
|
|
|
|
func TestAuthHandler_NoActorReturns401(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles", nil)
|
|
rec := httptest.NewRecorder()
|
|
h.ListRoles(rec, req)
|
|
if rec.Code != http.StatusUnauthorized {
|
|
t.Errorf("ListRoles without actor should yield 401; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_ListRolesReturnsAllRoles(t *testing.T) {
|
|
h, roleSvc, _, _ := newAuthHandlerWithFakes()
|
|
roleSvc.roles["r-admin"] = &authdomain.Role{ID: "r-admin", Name: "admin"}
|
|
roleSvc.roles["r-viewer"] = &authdomain.Role{ID: "r-viewer", Name: "viewer"}
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles", nil), "alice", auth.ActorTypeAPIKey)
|
|
rec := httptest.NewRecorder()
|
|
h.ListRoles(rec, req)
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("got %d; body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
var resp struct {
|
|
Roles []roleResponse `json:"roles"`
|
|
}
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
|
|
t.Fatalf("decode: %v", err)
|
|
}
|
|
if len(resp.Roles) != 2 {
|
|
t.Errorf("expected 2 roles; got %d", len(resp.Roles))
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_CreateRoleReturns201(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
body, _ := json.Marshal(createRoleRequest{Name: "custom", Description: "Test role"})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/roles", bytes.NewReader(body)), "alice", auth.ActorTypeAPIKey)
|
|
rec := httptest.NewRecorder()
|
|
h.CreateRole(rec, req)
|
|
if rec.Code != http.StatusCreated {
|
|
t.Errorf("expected 201; got %d, body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_CreateRoleRejectsEmptyName(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
body, _ := json.Marshal(createRoleRequest{Name: " ", Description: "blank"})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/roles", bytes.NewReader(body)), "alice", auth.ActorTypeAPIKey)
|
|
rec := httptest.NewRecorder()
|
|
h.CreateRole(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("blank name should be 400; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_DeleteRoleReturns204(t *testing.T) {
|
|
h, roleSvc, _, _ := newAuthHandlerWithFakes()
|
|
roleSvc.roles["r-x"] = &authdomain.Role{ID: "r-x", Name: "x"}
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/r-x", nil), "alice", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-x")
|
|
rec := httptest.NewRecorder()
|
|
h.DeleteRole(rec, req)
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Errorf("delete should be 204; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_DeleteRoleInUseReturns409(t *testing.T) {
|
|
h, roleSvc, _, _ := newAuthHandlerWithFakes()
|
|
roleSvc.deleteErr = repository.ErrAuthRoleInUse
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/r-x", nil), "alice", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-x")
|
|
rec := httptest.NewRecorder()
|
|
h.DeleteRole(rec, req)
|
|
if rec.Code != http.StatusConflict {
|
|
t.Errorf("ErrAuthRoleInUse should be 409; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_DeleteRoleNotFoundReturns404(t *testing.T) {
|
|
h, roleSvc, _, _ := newAuthHandlerWithFakes()
|
|
roleSvc.deleteErr = repository.ErrAuthNotFound
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/missing", nil), "alice", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "missing")
|
|
rec := httptest.NewRecorder()
|
|
h.DeleteRole(rec, req)
|
|
if rec.Code != http.StatusNotFound {
|
|
t.Errorf("ErrAuthNotFound should be 404; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_ForbiddenMappedTo403(t *testing.T) {
|
|
h, roleSvc, _, _ := newAuthHandlerWithFakes()
|
|
roleSvc.listErr = authsvc.ErrForbidden
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles", nil), "bob", auth.ActorTypeAPIKey)
|
|
rec := httptest.NewRecorder()
|
|
h.ListRoles(rec, req)
|
|
if rec.Code != http.StatusForbidden {
|
|
t.Errorf("ErrForbidden should be 403; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_AssignRoleToKey(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
body, _ := json.Marshal(assignRoleRequest{RoleID: "r-viewer"})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
rec := httptest.NewRecorder()
|
|
h.AssignRoleToKey(rec, req)
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Fatalf("expected 204; got %d, body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
if len(actorSvc.roles) != 1 {
|
|
t.Errorf("expected 1 grant recorded; got %d", len(actorSvc.roles))
|
|
}
|
|
if actorSvc.roles[0].RoleID != "r-viewer" || actorSvc.roles[0].ActorID != "alice" {
|
|
t.Errorf("grant fields wrong; got %+v", actorSvc.roles[0])
|
|
}
|
|
}
|
|
|
|
// Audit 2026-05-10 HIGH-10 regression matrix — pin the new
|
|
// scope_type / scope_id / expires_at fields on assignRoleRequest.
|
|
// Pre-fix, the request body accepted only `{role_id}` so per-actor
|
|
// scope-bound grants and time-bound grants weren't expressible via
|
|
// the API even though the schema reserved the columns. Post-fix,
|
|
// validation rules:
|
|
//
|
|
// - scope_type ∈ {global, profile, issuer}; defaults to global.
|
|
// - scope_id required when scope_type != global; rejected when
|
|
// scope_type == global.
|
|
// - expires_at must be in the future when present.
|
|
func TestAssignRoleToKey_HIGH10_ProfileScopeBoundGrantPersists(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
scopeID := "p-finance"
|
|
body, _ := json.Marshal(assignRoleRequest{
|
|
RoleID: "r-operator",
|
|
ScopeType: "profile",
|
|
ScopeID: &scopeID,
|
|
})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
rec := httptest.NewRecorder()
|
|
h.AssignRoleToKey(rec, req)
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Fatalf("status = %d; body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
if len(actorSvc.roles) != 1 {
|
|
t.Fatalf("expected 1 grant; got %d", len(actorSvc.roles))
|
|
}
|
|
if got := string(actorSvc.roles[0].ScopeType); got != "profile" {
|
|
t.Errorf("ScopeType = %q; want profile", got)
|
|
}
|
|
if actorSvc.roles[0].ScopeID == nil || *actorSvc.roles[0].ScopeID != "p-finance" {
|
|
t.Errorf("ScopeID = %v; want p-finance", actorSvc.roles[0].ScopeID)
|
|
}
|
|
}
|
|
|
|
func TestAssignRoleToKey_HIGH10_TimeBoundGrantPersists(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
future := time.Now().Add(24 * time.Hour).UTC()
|
|
body, _ := json.Marshal(assignRoleRequest{
|
|
RoleID: "r-operator",
|
|
ExpiresAt: &future,
|
|
})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
rec := httptest.NewRecorder()
|
|
h.AssignRoleToKey(rec, req)
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Fatalf("status = %d; body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
if len(actorSvc.roles) != 1 || actorSvc.roles[0].ExpiresAt == nil {
|
|
t.Fatalf("expected 1 grant with ExpiresAt; got %+v", actorSvc.roles)
|
|
}
|
|
}
|
|
|
|
func TestAssignRoleToKey_HIGH10_RejectsScopeIDWithGlobalScope(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
bad := "p-finance"
|
|
body, _ := json.Marshal(assignRoleRequest{
|
|
RoleID: "r-operator",
|
|
ScopeType: "global",
|
|
ScopeID: &bad,
|
|
})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
rec := httptest.NewRecorder()
|
|
h.AssignRoleToKey(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("scope_id with scope_type=global should be 400; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAssignRoleToKey_HIGH10_RejectsMissingScopeIDOnProfile(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
body, _ := json.Marshal(assignRoleRequest{
|
|
RoleID: "r-operator",
|
|
ScopeType: "profile",
|
|
})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
rec := httptest.NewRecorder()
|
|
h.AssignRoleToKey(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("missing scope_id on scope_type=profile should be 400; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAssignRoleToKey_HIGH10_RejectsPastExpiry(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
past := time.Now().Add(-1 * time.Hour).UTC()
|
|
body, _ := json.Marshal(assignRoleRequest{
|
|
RoleID: "r-operator",
|
|
ExpiresAt: &past,
|
|
})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
rec := httptest.NewRecorder()
|
|
h.AssignRoleToKey(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("past expires_at should be 400; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAssignRoleToKey_HIGH10_RejectsInvalidScopeType(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
body, _ := json.Marshal(assignRoleRequest{
|
|
RoleID: "r-operator",
|
|
ScopeType: "tenant", // not a valid scope_type
|
|
})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
rec := httptest.NewRecorder()
|
|
h.AssignRoleToKey(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("invalid scope_type should be 400; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_AssignRoleSelfRoleAssignReturns403(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
actorSvc.grantErr = errors.New("auth.role.assign required: " + authsvc.ErrSelfRoleAssignment.Error())
|
|
// Force the wrapped sentinel:
|
|
actorSvc.grantErr = authsvc.ErrSelfRoleAssignment
|
|
body, _ := json.Marshal(assignRoleRequest{RoleID: "r-admin"})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "bob", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
rec := httptest.NewRecorder()
|
|
h.AssignRoleToKey(rec, req)
|
|
if rec.Code != http.StatusForbidden {
|
|
t.Errorf("ErrSelfRoleAssignment should be 403; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RevokeRoleFromKey(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/keys/alice/roles/r-viewer", nil), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
req.SetPathValue("role_id", "r-viewer")
|
|
rec := httptest.NewRecorder()
|
|
h.RevokeRoleFromKey(rec, req)
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Errorf("revoke should be 204; got %d", rec.Code)
|
|
}
|
|
// Audit 2026-05-11 A-4 — no scope params → legacy "revoke all
|
|
// variants" semantic propagates as the zero-value
|
|
// ActorRoleRevokeOptions to the service layer.
|
|
if actorSvc.revokeOpts.ScopeType != "" {
|
|
t.Errorf("legacy DELETE forwarded a scope filter: ScopeType=%q", actorSvc.revokeOpts.ScopeType)
|
|
}
|
|
if actorSvc.revokeOpts.ScopeID != nil {
|
|
t.Errorf("legacy DELETE forwarded a scope_id: %v", actorSvc.revokeOpts.ScopeID)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// Audit 2026-05-11 A-4 — scope-aware revoke handler tests.
|
|
// =============================================================================
|
|
|
|
func TestAuthHandler_RevokeRoleFromKey_A4_ScopedProfile(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
|
|
"/api/v1/auth/keys/alice/roles/r-operator?scope_type=profile&scope_id=p-acme", nil),
|
|
"admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
req.SetPathValue("role_id", "r-operator")
|
|
rec := httptest.NewRecorder()
|
|
h.RevokeRoleFromKey(rec, req)
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Fatalf("scoped revoke should be 204; got %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
if actorSvc.revokeOpts.ScopeType != authdomain.ScopeTypeProfile {
|
|
t.Errorf("ScopeType = %q; want profile", actorSvc.revokeOpts.ScopeType)
|
|
}
|
|
if actorSvc.revokeOpts.ScopeID == nil || *actorSvc.revokeOpts.ScopeID != "p-acme" {
|
|
t.Errorf("ScopeID = %v; want p-acme", actorSvc.revokeOpts.ScopeID)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RevokeRoleFromKey_A4_ScopedGlobal(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
|
|
"/api/v1/auth/keys/alice/roles/r-operator?scope_type=global", nil),
|
|
"admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
req.SetPathValue("role_id", "r-operator")
|
|
rec := httptest.NewRecorder()
|
|
h.RevokeRoleFromKey(rec, req)
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Fatalf("scoped revoke (global) should be 204; got %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
if actorSvc.revokeOpts.ScopeType != authdomain.ScopeTypeGlobal {
|
|
t.Errorf("ScopeType = %q; want global", actorSvc.revokeOpts.ScopeType)
|
|
}
|
|
if actorSvc.revokeOpts.ScopeID != nil {
|
|
t.Errorf("ScopeID must be nil for scope_type=global; got %v", actorSvc.revokeOpts.ScopeID)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RevokeRoleFromKey_A4_RejectsScopeIDWithGlobal(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
|
|
"/api/v1/auth/keys/alice/roles/r-operator?scope_type=global&scope_id=p-acme", nil),
|
|
"admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
req.SetPathValue("role_id", "r-operator")
|
|
rec := httptest.NewRecorder()
|
|
h.RevokeRoleFromKey(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("global+scope_id should be 400; got %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
if actorSvc.revokeCall.called {
|
|
t.Error("service should NOT have been called on validation error")
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RevokeRoleFromKey_A4_RejectsMissingScopeID(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
|
|
"/api/v1/auth/keys/alice/roles/r-operator?scope_type=profile", nil),
|
|
"admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
req.SetPathValue("role_id", "r-operator")
|
|
rec := httptest.NewRecorder()
|
|
h.RevokeRoleFromKey(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("profile-without-scope_id should be 400; got %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
if actorSvc.revokeCall.called {
|
|
t.Error("service should NOT have been called on validation error")
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RevokeRoleFromKey_A4_RejectsScopeIDWithoutScopeType(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
|
|
"/api/v1/auth/keys/alice/roles/r-operator?scope_id=p-acme", nil),
|
|
"admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
req.SetPathValue("role_id", "r-operator")
|
|
rec := httptest.NewRecorder()
|
|
h.RevokeRoleFromKey(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("scope_id-without-scope_type should be 400; got %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RevokeRoleFromKey_A4_RejectsInvalidScopeType(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
|
|
"/api/v1/auth/keys/alice/roles/r-operator?scope_type=bogus", nil),
|
|
"admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
req.SetPathValue("role_id", "r-operator")
|
|
rec := httptest.NewRecorder()
|
|
h.RevokeRoleFromKey(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("bogus scope_type should be 400; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RevokeRoleFromKey_A4_ScopedNotFoundReturns404(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
actorSvc.revokeErr = repository.ErrActorRoleNotFound
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
|
|
"/api/v1/auth/keys/alice/roles/r-operator?scope_type=profile&scope_id=p-globex", nil),
|
|
"admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "alice")
|
|
req.SetPathValue("role_id", "r-operator")
|
|
rec := httptest.NewRecorder()
|
|
h.RevokeRoleFromKey(rec, req)
|
|
if rec.Code != http.StatusNotFound {
|
|
t.Errorf("ErrActorRoleNotFound should be 404; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RevokeReservedActorReturns409(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
actorSvc.revokeErr = repository.ErrAuthReservedActor
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/keys/actor-demo-anon/roles/r-admin", nil), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "actor-demo-anon")
|
|
req.SetPathValue("role_id", "r-admin")
|
|
rec := httptest.NewRecorder()
|
|
h.RevokeRoleFromKey(rec, req)
|
|
if rec.Code != http.StatusConflict {
|
|
t.Errorf("ErrAuthReservedActor should be 409; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_AddRolePermissionInvalidJSON(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/roles/r-admin/permissions", strings.NewReader("not json")), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-admin")
|
|
rec := httptest.NewRecorder()
|
|
h.AddRolePermission(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("invalid JSON should be 400; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_AddRolePermissionDefaultScopeGlobal(t *testing.T) {
|
|
h, roleSvc, _, _ := newAuthHandlerWithFakes()
|
|
body, _ := json.Marshal(addPermissionRequest{Permission: "cert.read"})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/roles/r-admin/permissions", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-admin")
|
|
rec := httptest.NewRecorder()
|
|
h.AddRolePermission(rec, req)
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Fatalf("expected 204; got %d, body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
grants := roleSvc.rolePerms["r-admin"]
|
|
if len(grants) != 1 {
|
|
t.Fatalf("expected 1 grant; got %d", len(grants))
|
|
}
|
|
if grants[0].ScopeType != authdomain.ScopeTypeGlobal {
|
|
t.Errorf("default scope should be global; got %q", grants[0].ScopeType)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_AddRolePermissionInvalidPermission(t *testing.T) {
|
|
h, roleSvc, _, _ := newAuthHandlerWithFakes()
|
|
roleSvc.addPermErr = authsvc.ErrInvalidPermission
|
|
body, _ := json.Marshal(addPermissionRequest{Permission: "fake"})
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/roles/r-admin/permissions", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-admin")
|
|
rec := httptest.NewRecorder()
|
|
h.AddRolePermission(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("ErrInvalidPermission should be 400; got %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_ListPermissionsReturnsCanonical(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/permissions", nil), "alice", auth.ActorTypeAPIKey)
|
|
rec := httptest.NewRecorder()
|
|
h.ListPermissions(rec, req)
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("got %d", rec.Code)
|
|
}
|
|
var resp struct {
|
|
Permissions []permissionResponse `json:"permissions"`
|
|
}
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
|
|
t.Fatalf("decode: %v", err)
|
|
}
|
|
if len(resp.Permissions) != len(authdomain.CanonicalPermissions) {
|
|
t.Errorf("permission count: got %d, want %d (canonical catalogue size)", len(resp.Permissions), len(authdomain.CanonicalPermissions))
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_MeReturnsActorIdentity(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
actorSvc.roles = []*authdomain.ActorRole{
|
|
{RoleID: "r-admin", ActorID: "alice"},
|
|
}
|
|
actorSvc.effective = []repository.EffectivePermission{
|
|
{PermissionName: "cert.read", ScopeType: authdomain.ScopeTypeGlobal, ScopeID: nil},
|
|
}
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/me", nil), "alice", auth.ActorTypeAPIKey)
|
|
rec := httptest.NewRecorder()
|
|
h.Me(rec, req)
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("got %d; body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
var resp meResponse
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
|
|
t.Fatalf("decode: %v", err)
|
|
}
|
|
if resp.ActorID != "alice" {
|
|
t.Errorf("actor id = %q, want alice", resp.ActorID)
|
|
}
|
|
if !resp.Admin {
|
|
t.Errorf("alice has r-admin; admin flag should be true (back-compat)")
|
|
}
|
|
if len(resp.EffectivePermissions) != 1 || resp.EffectivePermissions[0].Permission != "cert.read" {
|
|
t.Errorf("effective_permissions wrong; got %+v", resp.EffectivePermissions)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// Coverage-floor closure (post-Bundle-1 follow-on, 2026-05-09).
|
|
//
|
|
// CI run #486 caught internal/api/handler at 74.7% — 0.3pp below the
|
|
// 75 floor. The auth handlers added in Bundle 1 had several 0%-covered
|
|
// methods: GetRole, UpdateRole, ListKeys, RemoveRolePermission. The
|
|
// tests below close the gap.
|
|
// =============================================================================
|
|
|
|
func TestAuthHandler_GetRoleReturnsRoleAndPermissions(t *testing.T) {
|
|
h, roleSvc, _, _ := newAuthHandlerWithFakes()
|
|
roleSvc.roles["r-admin"] = &authdomain.Role{ID: "r-admin", Name: "admin", Description: "the admin role"}
|
|
scope := "p-corp"
|
|
roleSvc.rolePerms["r-admin"] = []*authdomain.RolePermission{
|
|
{RoleID: "r-admin", PermissionID: "p-cert.read", ScopeType: authdomain.ScopeTypeGlobal},
|
|
{RoleID: "r-admin", PermissionID: "p-profile.edit", ScopeType: authdomain.ScopeTypeProfile, ScopeID: &scope},
|
|
}
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles/r-admin", nil), "alice", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-admin")
|
|
rec := httptest.NewRecorder()
|
|
h.GetRole(rec, req)
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("GetRole code = %d; body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
var resp struct {
|
|
Role roleResponse `json:"role"`
|
|
Permissions []rolePermissionResponse `json:"permissions"`
|
|
}
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
|
|
t.Fatalf("decode: %v", err)
|
|
}
|
|
if resp.Role.ID != "r-admin" || resp.Role.Name != "admin" {
|
|
t.Errorf("Role envelope wrong: %+v", resp.Role)
|
|
}
|
|
if len(resp.Permissions) != 2 {
|
|
t.Errorf("permissions length = %d; want 2", len(resp.Permissions))
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_GetRoleNotFoundReturns404(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles/r-missing", nil), "alice", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-missing")
|
|
rec := httptest.NewRecorder()
|
|
h.GetRole(rec, req)
|
|
if rec.Code != http.StatusNotFound {
|
|
t.Errorf("GetRole(missing) code = %d; want 404", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_GetRoleNoActorReturns401(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles/r-admin", nil)
|
|
req.SetPathValue("id", "r-admin")
|
|
rec := httptest.NewRecorder()
|
|
h.GetRole(rec, req)
|
|
if rec.Code != http.StatusUnauthorized {
|
|
t.Errorf("GetRole no-actor code = %d; want 401", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_UpdateRoleReturns200(t *testing.T) {
|
|
h, roleSvc, _, _ := newAuthHandlerWithFakes()
|
|
roleSvc.roles["r-x"] = &authdomain.Role{ID: "r-x", Name: "old", Description: ""}
|
|
body := bytes.NewBufferString(`{"name":"new","description":"updated"}`)
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPut, "/api/v1/auth/roles/r-x", body), "alice", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-x")
|
|
rec := httptest.NewRecorder()
|
|
h.UpdateRole(rec, req)
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("UpdateRole code = %d; body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
var resp roleResponse
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
|
|
t.Fatalf("decode: %v", err)
|
|
}
|
|
if resp.Name != "new" || resp.Description != "updated" {
|
|
t.Errorf("UpdateRole returned %+v; want Name=new, Description=updated", resp)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_UpdateRoleInvalidJSONReturns400(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
body := strings.NewReader(`{"name":`) // truncated
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodPut, "/api/v1/auth/roles/r-x", body), "alice", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-x")
|
|
rec := httptest.NewRecorder()
|
|
h.UpdateRole(rec, req)
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("UpdateRole invalid JSON code = %d; want 400", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_UpdateRoleNoActorReturns401(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := httptest.NewRequest(http.MethodPut, "/api/v1/auth/roles/r-x", bytes.NewBufferString(`{"name":"new"}`))
|
|
req.SetPathValue("id", "r-x")
|
|
rec := httptest.NewRecorder()
|
|
h.UpdateRole(rec, req)
|
|
if rec.Code != http.StatusUnauthorized {
|
|
t.Errorf("UpdateRole no-actor code = %d; want 401", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_ListKeysReturnsActorList(t *testing.T) {
|
|
h, _, _, actorSvc := newAuthHandlerWithFakes()
|
|
actorSvc.roles = []*authdomain.ActorRole{
|
|
{ID: "ar-1", ActorID: "alice", ActorType: authdomain.ActorTypeValue(domain.ActorTypeAPIKey), TenantID: authdomain.DefaultTenantID, RoleID: "r-admin"},
|
|
{ID: "ar-2", ActorID: "carol", ActorType: authdomain.ActorTypeValue(domain.ActorTypeAPIKey), TenantID: authdomain.DefaultTenantID, RoleID: "r-viewer"},
|
|
}
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/keys", nil), "alice", auth.ActorTypeAPIKey)
|
|
rec := httptest.NewRecorder()
|
|
h.ListKeys(rec, req)
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("ListKeys code = %d; body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
var resp struct {
|
|
Keys []struct {
|
|
ActorID string `json:"actor_id"`
|
|
ActorType string `json:"actor_type"`
|
|
TenantID string `json:"tenant_id"`
|
|
RoleIDs []string `json:"role_ids"`
|
|
} `json:"keys"`
|
|
}
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
|
|
t.Fatalf("decode: %v", err)
|
|
}
|
|
if len(resp.Keys) != 2 {
|
|
t.Errorf("ListKeys returned %d keys; want 2", len(resp.Keys))
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_ListKeysNoActorReturns401(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/keys", nil)
|
|
rec := httptest.NewRecorder()
|
|
h.ListKeys(rec, req)
|
|
if rec.Code != http.StatusUnauthorized {
|
|
t.Errorf("ListKeys no-actor code = %d; want 401", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RemoveRolePermissionReturns204(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/r-admin/permissions/cert.read", nil), "alice", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-admin")
|
|
req.SetPathValue("perm", "cert.read")
|
|
rec := httptest.NewRecorder()
|
|
h.RemoveRolePermission(rec, req)
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Errorf("RemoveRolePermission code = %d; want 204", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RemoveRolePermissionScopedReturns204(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/r-admin/permissions/profile.edit?scope_type=profile&scope_id=p-corp", nil), "alice", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-admin")
|
|
req.SetPathValue("perm", "profile.edit")
|
|
rec := httptest.NewRecorder()
|
|
h.RemoveRolePermission(rec, req)
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Errorf("RemoveRolePermission(scoped) code = %d; want 204", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuthHandler_RemoveRolePermissionNoActorReturns401(t *testing.T) {
|
|
h, _, _, _ := newAuthHandlerWithFakes()
|
|
req := httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/r-admin/permissions/cert.read", nil)
|
|
req.SetPathValue("id", "r-admin")
|
|
req.SetPathValue("perm", "cert.read")
|
|
rec := httptest.NewRecorder()
|
|
h.RemoveRolePermission(rec, req)
|
|
if rec.Code != http.StatusUnauthorized {
|
|
t.Errorf("RemoveRolePermission no-actor code = %d; want 401", rec.Code)
|
|
}
|
|
}
|
|
|
|
// Pin the rolePermToResponse helper indirectly via GetRole; the test
|
|
// above already exercises both global + scoped permission encoding.
|
|
// Add an explicit assertion here so the helper's nil-scope branch is
|
|
// readable in coverage output.
|
|
func TestAuthHandler_GetRoleRolePermResponseEncodesScope(t *testing.T) {
|
|
h, roleSvc, _, _ := newAuthHandlerWithFakes()
|
|
roleSvc.roles["r-x"] = &authdomain.Role{ID: "r-x", Name: "x"}
|
|
scope := "iss-corp"
|
|
roleSvc.rolePerms["r-x"] = []*authdomain.RolePermission{
|
|
{RoleID: "r-x", PermissionID: "p-cert.read", ScopeType: authdomain.ScopeTypeGlobal, ScopeID: nil},
|
|
{RoleID: "r-x", PermissionID: "p-issuer.edit", ScopeType: authdomain.ScopeTypeIssuer, ScopeID: &scope},
|
|
}
|
|
req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles/r-x", nil), "alice", auth.ActorTypeAPIKey)
|
|
req.SetPathValue("id", "r-x")
|
|
rec := httptest.NewRecorder()
|
|
h.GetRole(rec, req)
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("GetRole code = %d", rec.Code)
|
|
}
|
|
if !bytes.Contains(rec.Body.Bytes(), []byte(`"scope_type":"issuer"`)) {
|
|
t.Errorf("body should include scope_type=issuer; got %s", rec.Body.String())
|
|
}
|
|
if !bytes.Contains(rec.Body.Bytes(), []byte(`"scope_id":"iss-corp"`)) {
|
|
t.Errorf("body should include scope_id=iss-corp; got %s", rec.Body.String())
|
|
}
|
|
}
|
|
|
|
// ensure 'errors' import stays used after edits.
|
|
var _ = errors.Is
|