gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:31:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9cce2ab043280e3bcf8a83f8675bcb9229bfe1dc
certctl/internal/auth/bootstrap/service_test.go
T
shankar0123 5d79e53ad0 auth-bundle-1 follow-on: close coverage gaps to clear Phase 12 floors 
CI run #486 (post-Bundle-1 merge + Go 1.25.10 bump) failed three
coverage-threshold gates:

  internal/api/handler   74.7% < floor 75 (-0.3pp)
  internal/auth          66.3% < floor 85 (-18.7pp)
  internal/service/auth  51.1% < floor 85 (-33.9pp)

The Phase 12 gate file's "85% with negative-test coverage" claim
turned out to be aspirational — the read-side and Update-path
methods on RoleService / PermissionService / ActorRoleService had
zero unit-test coverage, and internal/auth's keystore +
HasPermission helper had zero tests. This commit closes the gap
without lowering the gate.

Per-package CI-style averages after this commit (per
scripts/check-coverage-thresholds.sh's per-function-mean):

  internal/api/handler   76.1% (+1.4pp,  margin +1.1pp)
  internal/auth          90.5% (+24.2pp, margin +5.5pp)
  internal/service/auth  93.7% (+42.6pp, margin +8.7pp)

Tests added:

  internal/service/auth/service_test.go (+18 tests, +518 LOC):
    PermissionService.List, PermissionService.GetByName,
    RoleService.Get (4 paths), RoleService.List (system caller),
    RoleService.Update (4 paths), RoleService.ListPermissions
    (3 paths), RoleService.AddPermission/RemovePermission round-trip
    + gate paths, RoleService.Delete (success + nil-caller +
    no-perm + audit), RoleService.Create (nil-caller),
    ActorRoleService.ListForActor (self-bypass + cross-actor +
    nil-caller + system + with-perm), ActorRoleService.Effective-
    Permissions (same shape), ActorRoleService.ListKeys (3 paths +
    system bypass), ActorRoleService.Revoke (4 paths), Authorizer
    edge cases (empty actorID short-circuit, empty tenantID
    default, scoped-grant-without-scope-id no-match invariant,
    repo-error wrap-and-return, HoldsAnyOf early-exit), recordAudit
    nil-arm short-circuits.

  internal/auth/keystore_test.go (NEW, +175 LOC):
    StaticKeyStore.Len, StaticKeyStore.LookupByHash hit + miss,
    MutableKeyStore seeded lookup + Len, Add registers new key,
    AddHashed registers from precomputed hash, AddHashed replaces
    on duplicate hash (idempotent boot-loader contract),
    HasPermission no-actor / default-actor-type / checker-error /
    scoped-check threading.

  internal/auth/bootstrap/service_test.go (+36 LOC):
    Service.Available nil-receiver/nil-strategy short-circuit,
    Service.Available delegates to Strategy when configured.

  internal/api/handler/auth_test.go (+208 LOC):
    GetRole returns role + permissions, GetRole 404 + 401, UpdateRole
    200 + invalid-JSON-400 + 401, ListKeys returns actor list + 401,
    RemoveRolePermission 204 (global + scoped) + 401,
    rolePermToResponse scope encoding pin via GetRole.

Verified:
  gofmt -l . clean (touched files only).
  go vet ./internal/auth/... ./internal/service/auth/...
       ./internal/api/handler/ rc=0.
  go test -count=1 -short on the four packages green.
  CI-style per-function averages computed via the live
       scripts/check-coverage-thresholds.sh arithmetic — all three
       gated packages clear their floors with margin.

Per CLAUDE.md "complete path" + "do not lower the gate to make CI
green": gate file unchanged. The 85/85/75 floors stand.
2026-05-10 02:04:36 +00:00

252 lines
8.7 KiB
Go
Raw Blame History

package bootstrap
import (
"context"
"crypto/sha256"
"encoding/hex"
"errors"
"strings"
"testing"
"github.com/certctl-io/certctl/internal/domain"
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
)
type fakeMinter struct {
created []*authdomain.APIKey
createErr error
}
func (f *fakeMinter) Create(_ context.Context, k *authdomain.APIKey) error {
if f.createErr != nil {
return f.createErr
}
f.created = append(f.created, k)
return nil
}
func (f *fakeMinter) GetByName(_ context.Context, _ string) (*authdomain.APIKey, error) {
return nil, errors.New("not implemented for these tests")
}
type fakeGranter struct {
grants []*authdomain.ActorRole
err error
}
func (f *fakeGranter) Grant(_ context.Context, ar *authdomain.ActorRole) error {
f.grants = append(f.grants, ar)
return f.err
}
type fakeAudit struct {
calls []map[string]interface{}
category string
}
func (f *fakeAudit) RecordEventWithCategory(_ context.Context, _ string, _ domain.ActorType, _ string, eventCategory, _ string, _ string, details map[string]interface{}) error {
f.calls = append(f.calls, details)
f.category = eventCategory
return nil
}
type fakeKeyStore struct {
added []addedEntry
}
// TestService_Available_NilServiceOrStrategyReturnsErrDisabled pins the
// no-strategy short-circuit on the Available probe. The HTTP handler
// uses Available to decide between 410 Gone (consumed/disabled) and
// proceeding to read the request body. A nil service or nil strategy
// means the bootstrap path was not configured at all; both arms return
// ErrDisabled so the operator-facing surface is identical.
func TestService_Available_NilServiceOrStrategyReturnsErrDisabled(t *testing.T) {
var svc *Service // nil receiver
if ok, err := svc.Available(context.Background()); ok || !errors.Is(err, ErrDisabled) {
t.Errorf("nil service: Available = (%v, %v); want (false, ErrDisabled)", ok, err)
}
// non-nil service but nil strategy
svc = &Service{}
if ok, err := svc.Available(context.Background()); ok || !errors.Is(err, ErrDisabled) {
t.Errorf("nil strategy: Available = (%v, %v); want (false, ErrDisabled)", ok, err)
}
}
// TestService_Available_DelegatesToStrategy pins the happy-path
// delegation: when an admin already exists, the strategy probe returns
// `exists=true` and Available reports false (one-shot path closes once
// any admin lands).
func TestService_Available_DelegatesToStrategy(t *testing.T) {
strategy := NewEnvTokenStrategy("the-token", func(_ context.Context) (bool, error) {
return true, nil // admin exists → bootstrap path closed
})
svc := NewService(strategy, &fakeMinter{}, &fakeGranter{}, &fakeAudit{}, &fakeKeyStore{}, sha)
ok, err := svc.Available(context.Background())
if err != nil {
t.Fatalf("Available err: %v", err)
}
if ok {
t.Errorf("admin-exists probe should yield Available=false; got true")
}
}
type addedEntry struct {
name string
hash string
admin bool
}
func (f *fakeKeyStore) AddHashed(name, hash string, admin bool) {
f.added = append(f.added, addedEntry{name: name, hash: hash, admin: admin})
}
func sha(s string) string {
h := sha256.Sum256([]byte(s))
return hex.EncodeToString(h[:])
}
// TestService_ValidateAndMint_HappyPath pins the load-bearing flow:
// valid token → strategy consumed → api_keys row created → admin role
// granted → keystore updated → audit row recorded → result carries the
// plaintext key + the persisted APIKey row.
func TestService_ValidateAndMint_HappyPath(t *testing.T) {
strategy := NewEnvTokenStrategy("the-token", nil)
minter := &fakeMinter{}
granter := &fakeGranter{}
audit := &fakeAudit{}
store := &fakeKeyStore{}
svc := NewService(strategy, minter, granter, audit, store, sha)
result, err := svc.ValidateAndMint(context.Background(), "the-token", "first-admin")
if err != nil {
t.Fatalf("ValidateAndMint err = %v", err)
}
if result == nil || result.KeyValue == "" {
t.Fatalf("result.KeyValue empty")
}
if len(result.KeyValue) < 32 {
t.Errorf("KeyValue length = %d, want >= 32 (entropy budget)", len(result.KeyValue))
}
if !strategy.IsConsumed() {
t.Errorf("strategy not consumed after successful mint")
}
if len(minter.created) != 1 {
t.Fatalf("minter.Create call count = %d, want 1", len(minter.created))
}
apiKey := minter.created[0]
if apiKey.Name != "first-admin" || !apiKey.Admin || apiKey.CreatedBy != "bootstrap" {
t.Errorf("api_key wrong fields: %+v", apiKey)
}
if apiKey.KeyHash != sha(result.KeyValue) {
t.Errorf("KeyHash != sha(KeyValue); persistence shape is wrong")
}
if len(granter.grants) != 1 {
t.Fatalf("granter.Grant call count = %d, want 1", len(granter.grants))
}
if granter.grants[0].RoleID != authdomain.RoleIDAdmin {
t.Errorf("granted role = %q, want %q", granter.grants[0].RoleID, authdomain.RoleIDAdmin)
}
if granter.grants[0].ActorID != "first-admin" {
t.Errorf("granted actor = %q, want first-admin", granter.grants[0].ActorID)
}
if granter.grants[0].GrantedBy != "bootstrap" {
t.Errorf("GrantedBy = %q, want bootstrap", granter.grants[0].GrantedBy)
}
if len(store.added) != 1 || store.added[0].name != "first-admin" || !store.added[0].admin {
t.Errorf("keystore.AddHashed not called with first-admin/admin=true: %+v", store.added)
}
if store.added[0].hash != apiKey.KeyHash {
t.Errorf("keystore hash != api_key hash; runtime auth would fail")
}
if len(audit.calls) != 1 {
t.Fatalf("audit RecordEventWithCategory calls = %d, want 1", len(audit.calls))
}
if audit.calls[0]["actor_name"] != "first-admin" {
t.Errorf("audit details lost actor_name: %+v", audit.calls[0])
}
if audit.category != "auth" {
t.Errorf("audit category = %q, want auth", audit.category)
}
}
// TestService_ValidateAndMint_RejectsInvalidActorName pins the
// ErrInvalidActorName mapping (HTTP 400). Strict charset prevents
// log-injection / lookalike actor names.
func TestService_ValidateAndMint_RejectsInvalidActorName(t *testing.T) {
svc := NewService(NewEnvTokenStrategy("t", nil), &fakeMinter{}, &fakeGranter{}, nil, nil, sha)
cases := []string{
"", // empty
"AB", // too short
"Has-Caps", // uppercase rejected
"contains spaces", // space rejected
strings.Repeat("a", 65), // 65 chars > 64 max
"newline\nsuffix", // log injection
"💀-evil", // non-ASCII
}
for _, name := range cases {
_, err := svc.ValidateAndMint(context.Background(), "t", name)
if !errors.Is(err, ErrInvalidActorName) {
t.Errorf("name=%q err = %v, want ErrInvalidActorName", name, err)
}
}
}
// TestService_ValidateAndMint_PropagatesStrategyError pins that a
// failed Validate (wrong token / disabled / probe error) propagates
// without persisting anything.
func TestService_ValidateAndMint_PropagatesStrategyError(t *testing.T) {
strategy := NewEnvTokenStrategy("the-token", nil)
minter := &fakeMinter{}
granter := &fakeGranter{}
store := &fakeKeyStore{}
svc := NewService(strategy, minter, granter, nil, store, sha)
_, err := svc.ValidateAndMint(context.Background(), "wrong-token", "first-admin")
if !errors.Is(err, ErrInvalidToken) {
t.Fatalf("err = %v, want ErrInvalidToken", err)
}
if len(minter.created) != 0 || len(granter.grants) != 0 || len(store.added) != 0 {
t.Errorf("persistence side effects fired despite Validate failure: minter=%d grants=%d keystore=%d", len(minter.created), len(granter.grants), len(store.added))
}
}
// TestService_ValidateAndMint_NilDepsReturnDisabled exercises the
// no-strategy / no-repo guard. Returns ErrDisabled (handler maps to
// 410). Belt-and-braces for partially-wired test or future call sites.
func TestService_ValidateAndMint_NilDepsReturnDisabled(t *testing.T) {
cases := []struct {
name string
svc *Service
}{
{"nil service", nil},
{"nil strategy", NewService(nil, &fakeMinter{}, &fakeGranter{}, nil, nil, sha)},
{"nil minter", NewService(NewEnvTokenStrategy("t", nil), nil, &fakeGranter{}, nil, nil, sha)},
{"nil granter", NewService(NewEnvTokenStrategy("t", nil), &fakeMinter{}, nil, nil, nil, sha)},
}
for _, tc := range cases {
_, err := tc.svc.ValidateAndMint(context.Background(), "t", "first-admin")
if !errors.Is(err, ErrDisabled) {
t.Errorf("%s: err = %v, want ErrDisabled", tc.name, err)
}
}
}
// TestService_GenerateAPIKey_HighEntropy pins the generated key shape:
// 64 hex chars (32 random bytes). Belt-and-braces against future
// refactors that might shrink the entropy budget.
func TestService_GenerateAPIKey_HighEntropy(t *testing.T) {
seen := map[string]bool{}
for i := 0; i < 100; i++ {
k, err := generateAPIKey()
if err != nil {
t.Fatalf("iter %d: %v", i, err)
}
if len(k) != 64 {
t.Errorf("len = %d, want 64", len(k))
}
if seen[k] {
t.Errorf("key collision in 100 iters — entropy budget regressed")
}
seen[k] = true
}
}
Reference in New Issue View Git Blame Copy Permalink