gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:31:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
99a012e3be26b3605d9be9b548ae06a78c308c1a
certctl/internal/api/handler/admin_est_test.go
T
shankar0123 99a012e3be auth-bundle-1 Phase 0: extract internal/auth/ from middleware package 
Bundle 1 / Phase 0: pure refactor splitting auth surface out of internal/api/middleware so Bundle 2 (OIDC + sessions) and the broader RBAC primitive (roles, permissions, scoped grants) have a clean home.

Moved to internal/auth/: NamedAPIKey, HashAPIKey, AuthConfig, NewAuthWithNamedKeys, NewAuth, UserKey, AdminKey, GetUser, IsAdmin. Added testfixtures.go (WithActor / WithAdmin / WithActorAdmin) so handler tests don't construct context manually.

Stayed in internal/api/middleware/: RequestID, Logging, NewLogging, Recovery, RateLimitConfig, NewRateLimiter (now imports auth.GetUser for per-user keying per audit Category C), CORSConfig, NewCORS, ContentType, CORS, GetRequestID, responseWriter, Chain, audit middleware (now imports auth.GetUser).

Updated 22 caller files across cmd/, internal/api/handler/, internal/api/middleware/, internal/mcp/. Existing m008_admin_gate_test.go now scans for auth.IsAdmin( substring; Phase 3 will further evolve to track auth.RequirePermission. Behavior unchanged: all handler / middleware / service / connector / cmd / mcp tests pass with no test-logic edits, only import-path renames.

Phase 0 exit criteria: internal/auth/ exists with 6 files; middleware.go went 575 -> 422 lines (auth-related ~150 lines moved out); grep -rE 'middleware\.(GetUser|IsAdmin|UserKey|AdminKey|NamedAPIKey|HashAPIKey|NewAuth)' returns 0 hits; context.WithValue(.*middleware.UserKey/AdminKey) returns 0 hits; go vet ./... clean; go test -short ./... green across all packages tested.

Branch: dev/auth-bundle-1. Per cowork/auth-bundle-1-prompt.md, do not merge to master without (1) make verify green, (2) >= 2 external testers confirm, (3) >= 90% coverage on internal/auth/ in .github/coverage-thresholds.yml.
2026-05-09 15:51:31 +00:00

294 lines
10 KiB
Go
Raw Blame History

package handler
import (
"context"
"encoding/json"
"errors"
"net/http"
"net/http/httptest"
"strings"
"testing"
"time"
"github.com/certctl-io/certctl/internal/api/middleware"
"github.com/certctl-io/certctl/internal/auth"
"github.com/certctl-io/certctl/internal/service"
)
// EST RFC 7030 hardening master bundle Phase 7.4 — admin handler tests.
// Mirrors admin_scep_intune_test.go's structure verbatim:
// - M-008 admin-gate triplet for both endpoints (non-admin / admin=false / admin=true).
// - Method-not-allowed gates.
// - Error mapping (404 unknown PathID / 409 mTLS-disabled / 500 underlying parse error).
// fakeAdminESTService is the test stub. Records call observations so the
// M-008 admin-gate triplet can pin "service was never invoked" when the
// gate rejects the caller.
type fakeAdminESTService struct {
profilesCalled bool
reloadCalled bool
rows []service.ESTStatsSnapshot
profilesErr error
reloadPathID string
reloadErr error
}
func (f *fakeAdminESTService) Profiles(_ context.Context, _ time.Time) ([]service.ESTStatsSnapshot, error) {
f.profilesCalled = true
return f.rows, f.profilesErr
}
func (f *fakeAdminESTService) ReloadTrust(_ context.Context, pathID string) error {
f.reloadCalled = true
f.reloadPathID = pathID
return f.reloadErr
}
// ----- M-008 admin-gate triplet for Profiles (GET) -----
func TestAdminEST_Profiles_NonAdmin_Returns403(t *testing.T) {
svc := &fakeAdminESTService{}
h := NewAdminESTHandler(svc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/est/profiles", nil)
req = req.WithContext(contextWithRequestID())
w := httptest.NewRecorder()
h.Profiles(w, req)
if w.Code != http.StatusForbidden {
t.Fatalf("non-admin status = %d, want 403", w.Code)
}
if svc.profilesCalled {
t.Errorf("service was invoked despite non-admin caller — gate failed open")
}
}
func TestAdminEST_Profiles_AdminExplicitFalse_Returns403(t *testing.T) {
svc := &fakeAdminESTService{}
h := NewAdminESTHandler(svc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/est/profiles", nil)
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
ctx = context.WithValue(ctx, auth.AdminKey{}, false)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
h.Profiles(w, req)
if w.Code != http.StatusForbidden {
t.Fatalf("admin=false status = %d, want 403", w.Code)
}
if svc.profilesCalled {
t.Errorf("service was invoked despite admin=false — gate failed open")
}
}
func TestAdminEST_Profiles_AdminTrue_Returns200(t *testing.T) {
svc := &fakeAdminESTService{
rows: []service.ESTStatsSnapshot{
{PathID: "corp", IssuerID: "iss-corp"},
},
}
h := NewAdminESTHandler(svc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/est/profiles", nil)
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
ctx = context.WithValue(ctx, auth.AdminKey{}, true)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
h.Profiles(w, req)
if w.Code != http.StatusOK {
t.Fatalf("admin status = %d, want 200; body = %q", w.Code, w.Body.String())
}
var resp map[string]any
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
t.Fatalf("decode response: %v", err)
}
if pc, _ := resp["profile_count"].(float64); int(pc) != 1 {
t.Errorf("profile_count = %v, want 1", resp["profile_count"])
}
if !svc.profilesCalled {
t.Error("service should have been called")
}
}
func TestAdminEST_Profiles_MethodNotAllowed(t *testing.T) {
svc := &fakeAdminESTService{}
h := NewAdminESTHandler(svc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/est/profiles", nil)
w := httptest.NewRecorder()
h.Profiles(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Errorf("POST against GET-only endpoint status = %d, want 405", w.Code)
}
}
func TestAdminEST_Profiles_NilRowsSerializedAsEmptyArray(t *testing.T) {
svc := &fakeAdminESTService{rows: nil}
h := NewAdminESTHandler(svc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/est/profiles", nil)
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
ctx = context.WithValue(ctx, auth.AdminKey{}, true)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
h.Profiles(w, req)
body := w.Body.String()
if strings.Contains(body, `"profiles":null`) {
t.Errorf("profiles serialised as null; want []. body=%q", body)
}
}
// ----- M-008 admin-gate triplet for ReloadTrust (POST) -----
func TestAdminEST_ReloadTrust_NonAdmin_Returns403(t *testing.T) {
svc := &fakeAdminESTService{}
h := NewAdminESTHandler(svc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/est/reload-trust",
strings.NewReader(`{"path_id":"corp"}`))
req.ContentLength = int64(len(`{"path_id":"corp"}`))
req = req.WithContext(contextWithRequestID())
w := httptest.NewRecorder()
h.ReloadTrust(w, req)
if w.Code != http.StatusForbidden {
t.Fatalf("non-admin status = %d, want 403", w.Code)
}
if svc.reloadCalled {
t.Errorf("service was invoked despite non-admin caller — gate failed open")
}
}
func TestAdminEST_ReloadTrust_AdminExplicitFalse_Returns403(t *testing.T) {
svc := &fakeAdminESTService{}
h := NewAdminESTHandler(svc)
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/est/reload-trust",
strings.NewReader(`{"path_id":"corp"}`))
req.ContentLength = int64(len(`{"path_id":"corp"}`))
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
ctx = context.WithValue(ctx, auth.AdminKey{}, false)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
h.ReloadTrust(w, req)
if w.Code != http.StatusForbidden {
t.Fatalf("admin=false status = %d, want 403", w.Code)
}
if svc.reloadCalled {
t.Errorf("service was invoked despite admin=false — gate failed open")
}
}
func TestAdminEST_ReloadTrust_HappyPath(t *testing.T) {
svc := &fakeAdminESTService{}
h := NewAdminESTHandler(svc)
body := `{"path_id":"corp"}`
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/est/reload-trust",
strings.NewReader(body))
req.ContentLength = int64(len(body))
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
ctx = context.WithValue(ctx, auth.AdminKey{}, true)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
h.ReloadTrust(w, req)
if w.Code != http.StatusOK {
t.Fatalf("status = %d, want 200; body = %q", w.Code, w.Body.String())
}
if svc.reloadPathID != "corp" {
t.Errorf("reloadPathID = %q, want %q", svc.reloadPathID, "corp")
}
}
func TestAdminEST_ReloadTrust_UnknownPathID_Returns404(t *testing.T) {
svc := &fakeAdminESTService{reloadErr: ErrAdminESTProfileNotFound}
h := NewAdminESTHandler(svc)
body := `{"path_id":"nope"}`
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/est/reload-trust",
strings.NewReader(body))
req.ContentLength = int64(len(body))
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
ctx = context.WithValue(ctx, auth.AdminKey{}, true)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
h.ReloadTrust(w, req)
if w.Code != http.StatusNotFound {
t.Errorf("unknown path_id status = %d, want 404", w.Code)
}
}
func TestAdminEST_ReloadTrust_MTLSDisabled_Returns409(t *testing.T) {
svc := &fakeAdminESTService{reloadErr: service.ErrESTMTLSDisabled}
h := NewAdminESTHandler(svc)
body := `{"path_id":"static-only"}`
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/est/reload-trust",
strings.NewReader(body))
req.ContentLength = int64(len(body))
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
ctx = context.WithValue(ctx, auth.AdminKey{}, true)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
h.ReloadTrust(w, req)
if w.Code != http.StatusConflict {
t.Errorf("mTLS-disabled status = %d, want 409", w.Code)
}
}
func TestAdminEST_ReloadTrust_ParseError_Returns500(t *testing.T) {
svc := &fakeAdminESTService{reloadErr: errors.New("trustanchor: cert in /etc/est-corp.pem expired at 2020-01-01")}
h := NewAdminESTHandler(svc)
body := `{"path_id":"corp"}`
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/est/reload-trust",
strings.NewReader(body))
req.ContentLength = int64(len(body))
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
ctx = context.WithValue(ctx, auth.AdminKey{}, true)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
h.ReloadTrust(w, req)
if w.Code != http.StatusInternalServerError {
t.Errorf("parse-error status = %d, want 500", w.Code)
}
}
func TestAdminEST_ReloadTrust_MalformedJSON_Returns400(t *testing.T) {
svc := &fakeAdminESTService{}
h := NewAdminESTHandler(svc)
body := `not-json`
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/est/reload-trust",
strings.NewReader(body))
req.ContentLength = int64(len(body))
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
ctx = context.WithValue(ctx, auth.AdminKey{}, true)
req = req.WithContext(ctx)
w := httptest.NewRecorder()
h.ReloadTrust(w, req)
if w.Code != http.StatusBadRequest {
t.Errorf("malformed-JSON status = %d, want 400", w.Code)
}
if svc.reloadCalled {
t.Errorf("service called despite malformed body")
}
}
func TestAdminEST_ReloadTrust_MethodNotAllowed(t *testing.T) {
svc := &fakeAdminESTService{}
h := NewAdminESTHandler(svc)
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/est/reload-trust", nil)
w := httptest.NewRecorder()
h.ReloadTrust(w, req)
if w.Code != http.StatusMethodNotAllowed {
t.Errorf("GET against POST-only endpoint status = %d, want 405", w.Code)
}
}
// ----- AdminESTServiceImpl plumbing -----
func TestAdminESTServiceImpl_NilMapAccepted(t *testing.T) {
svc := NewAdminESTServiceImpl(nil)
rows, err := svc.Profiles(context.Background(), time.Now())
if err != nil {
t.Fatalf("Profiles: %v", err)
}
if len(rows) != 0 {
t.Errorf("nil-map should produce empty profile list; got %d", len(rows))
}
}
func TestAdminESTServiceImpl_ReloadTrust_UnknownPath_NotFound(t *testing.T) {
svc := NewAdminESTServiceImpl(map[string]*service.ESTService{})
if err := svc.ReloadTrust(context.Background(), "nonexistent"); !errors.Is(err, ErrAdminESTProfileNotFound) {
t.Errorf("unknown path_id err = %v, want ErrAdminESTProfileNotFound", err)
}
}
Reference in New Issue View Git Blame Copy Permalink