Initial project snapshot
This commit is contained in:
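--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,138 @@
+package sessionbroker
+
+import (
+"context"
+"encoding/json"
+"errors"
+"testing"
+
+"github.com/example/remote-access-platform/backend/internal/platform/config"
+"github.com/example/remote-access-platform/backend/internal/platform/module"
+"github.com/example/remote-access-platform/backend/internal/platform/secrets"
+workercontracts "github.com/example/remote-access-platform/backend/pkg/contracts/worker"
+)
+
+type fakeSecretResolver struct {
+response *secrets.ResolvedResourceSecret
+err error
+request secrets.ResolveResourceSecretRequest
+}
+
+func testAppConfig(env string) config.AppConfig {
+return config.AppConfig{Name: "rap-api-test", Env: env}
+}
+
+func (r *fakeSecretResolver) ResolveForSession(_ context.Context, req secrets.ResolveResourceSecretRequest) (*secrets.ResolvedResourceSecret, error) {
+r.request = req
+if r.err != nil {
+return nil, r.err
+}
+return r.response, nil
+}
+
+func TestRuntimeAssignmentMetadataMergesResolvedSecretWithoutMutatingSessionMetadata(t *testing.T) {
+resolver := &fakeSecretResolver{
+response: &secrets.ResolvedResourceSecret{
+Descriptor: secrets.ResourceSecretDescriptor{Version: 3},
+Payload: json.RawMessage(`{"username":"user","password":"secret","domain":"corp"}`),
+},
+}
+service := NewService(module.Dependencies{
+Config: module.Config{App: testAppConfig("production")},
+}, nil, nil, nil, nil, resolver)
+sessionMetadata := mustJSON(t, map[string]any{
+"resource": map[string]any{
+"id": "resource-1",
+"organization_id": "org-1",
+"secret_ref": "rap-secret://org/org-1/resources/resource-1/primary",
+"metadata": map[string]any{
+"rdp_host": "host",
+},
+},
+})
+session := RemoteSession{
+ID: "session-1",
+OrganizationID: "org-1",
+ResourceID: "resource-1",
+WorkerID: "worker-1",
+Metadata: sessionMetadata,
+}
+metadata, secretRef, version, err := service.runtimeAssignmentMetadata(context.Background(), session, &workercontracts.WorkerLease{LeaseID: "lease-1"})
+if err != nil {
+t.Fatalf("runtimeAssignmentMetadata returned error: %v", err)
+}
+if secretRef == "" || version != 3 {
+t.Fatalf("expected secret ref and version, got ref=%q version=%d", secretRef, version)
+}
+resource := metadata["resource"].(map[string]any)
+resourceMetadata := resource["metadata"].(map[string]any)
+if resourceMetadata["username"] != "user" || resourceMetadata["password"] != "secret" || resourceMetadata["domain"] != "corp" {
+t.Fatalf("resolved secret was not merged: %#v", resourceMetadata)
+}
+var persisted map[string]any
+if err := json.Unmarshal(session.Metadata, &persisted); err != nil {
+t.Fatalf("decode persisted metadata: %v", err)
+}
+persistedResource := persisted["resource"].(map[string]any)
+persistedMetadata := persistedResource["metadata"].(map[string]any)
+if _, ok := persistedMetadata["password"]; ok {
+t.Fatalf("session metadata was mutated with plaintext secret")
+}
+if resolver.request.LeaseID != "lease-1" || resolver.request.WorkerID != "worker-1" {
+t.Fatalf("resolver request missed lease/worker proof: %#v", resolver.request)
+}
+}
+
+func TestRuntimeAssignmentMetadataRequiresResolverInProduction(t *testing.T) {
+service := NewService(module.Dependencies{
+Config: module.Config{App: testAppConfig("production")},
+}, nil, nil, nil, nil)
+session := RemoteSession{
+ID: "session-1",
+OrganizationID: "org-1",
+ResourceID: "resource-1",
+WorkerID: "worker-1",
+Metadata: mustJSON(t, map[string]any{
+"resource": map[string]any{
+"secret_ref": "rap-secret://org/org-1/resources/resource-1/primary",
+},
+}),
+}
+_, _, _, err := service.runtimeAssignmentMetadata(context.Background(), session, &workercontracts.WorkerLease{LeaseID: "lease-1"})
+if !errors.Is(err, secrets.ErrSecretEncryptionKeyMissing) {
+t.Fatalf("expected missing resolver error, got %v", err)
+}
+}
+
+func TestRuntimeAssignmentMetadataAllowsDevelopmentMetadataWithoutResolver(t *testing.T) {
+service := NewService(module.Dependencies{
+Config: module.Config{App: testAppConfig("development")},
+}, nil, nil, nil, nil)
+session := RemoteSession{
+ID: "session-1",
+OrganizationID: "org-1",
+ResourceID: "resource-1",
+WorkerID: "worker-1",
+Metadata: mustJSON(t, map[string]any{
+"resource": map[string]any{
+"secret_ref": "rap-secret://org/org-1/resources/resource-1/primary",
+"metadata": map[string]any{
+"username": "dev-user",
+"password": "dev-password",
+},
+},
+}),
+}
+metadata, secretRef, _, err := service.runtimeAssignmentMetadata(context.Background(), session, nil)
+if err != nil {
+t.Fatalf("development metadata should not require resolver: %v", err)
+}
+if secretRef != "" {
+t.Fatalf("development fallback should not audit resolver use, got %q", secretRef)
+}
+resource := metadata["resource"].(map[string]any)
+resourceMetadata := resource["metadata"].(map[string]any)
+if resourceMetadata["password"] != "dev-password" {
+t.Fatalf("development metadata was not preserved")
+}
+}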
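Review bot: The fake resolver's `err` field is only ever read in `ResolveForSession` and no test in this file sets it, so the production path where the resolver fails is uncovered and a silent fallback to the inline session metadata on error would pass the suite unnoticed. The merge test also asserts only `secretRef == ""`; pinning it to the fixture's ref, `if secretRef != "rap-secret://org/org-1/resources/resource-1/primary" || version != 3 {`, and additionally checking that `resolver.request` carries the session's organization and resource identifiers (those field names are not visible here, only `LeaseID` and `WorkerID` are) would tie the resolved secret to the requesting session rather than just to the lease. `mustJSON` is not defined in this hunk; presumably it lives in a sibling test file of the package. A failure-path test along the following lines would close the first gap:
```go
func TestRuntimeAssignmentMetadataPropagatesResolverFailure(t *testing.T) {
	wantErr := errors.New("resolver unavailable") // constructed sample error
	resolver := &fakeSecretResolver{err: wantErr}
	service := NewService(module.Dependencies{
		Config: module.Config{App: testAppConfig("production")},
	}, nil, nil, nil, nil, resolver)
	// … session fixture identical to the merge test (secret_ref, rdp_host only, no inline password) …
	_, _, _, err := service.runtimeAssignmentMetadata(context.Background(), session, &workercontracts.WorkerLease{LeaseID: "lease-1"})
	if !errors.Is(err, wantErr) {
		t.Fatalf("expected resolver failure to propagate, got %v", err)
	}
}
```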