niuniu/lijiaoqiao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
upload/2026-03-26-sync
lijiaoqiao/platform-token-runtime/internal/token/lifecycle_executable_test.go

333 lines
9.5 KiB
Go
Raw Permalink Normal View History

feat: sync lijiaoqiao implementation and staging validation artifacts
2026-03-31 13:40:00 +08:00
package token_test
import (
"context"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"time"
"lijiaoqiao/platform-token-runtime/internal/auth/middleware"
"lijiaoqiao/platform-token-runtime/internal/auth/model"
"lijiaoqiao/platform-token-runtime/internal/auth/service"
)
func TestTOKLife001IssueSuccess(t *testing.T) {
t.Parallel()
rt := service.NewInMemoryTokenRuntime(nil)
ctx := context.Background()
first, err := rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2001",
Role: model.RoleOwner,
Scope: []string{"supply:*"},
TTL: 30 * time.Minute,
})
if err != nil {
t.Fatalf("issue token failed: %v", err)
}
second, err := rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2001",
Role: model.RoleOwner,
Scope: []string{"supply:*"},
TTL: 30 * time.Minute,
})
if err != nil {
t.Fatalf("issue second token failed: %v", err)
}
if first.Status != service.TokenStatusActive {
t.Fatalf("unexpected status: got=%s want=%s", first.Status, service.TokenStatusActive)
}
if !first.ExpiresAt.After(first.IssuedAt) {
t.Fatalf("expires_at must be greater than issued_at")
}
if first.TokenID == second.TokenID {
t.Fatalf("token_id should be unique")
}
}
func TestTOKLife002IssueInvalidInput(t *testing.T) {
t.Parallel()
rt := service.NewInMemoryTokenRuntime(nil)
ctx := context.Background()
_, err := rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2001",
Role: model.RoleOwner,
Scope: []string{"supply:*"},
TTL: 0,
})
if err == nil {
t.Fatalf("expected error for invalid ttl_seconds")
}
if got := rt.TokenCount(); got != 0 {
t.Fatalf("unexpected token count after invalid issue: got=%d want=0", got)
}
}
func TestTOKLife003IssueIdempotencyReplay(t *testing.T) {
t.Parallel()
rt := service.NewInMemoryTokenRuntime(nil)
ctx := context.Background()
first, err := rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2001",
Role: model.RoleOwner,
Scope: []string{"supply:*"},
TTL: 30 * time.Minute,
IdempotencyKey: "idem-life-003",
})
if err != nil {
t.Fatalf("first issue failed: %v", err)
}
second, err := rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2001",
Role: model.RoleOwner,
Scope: []string{"supply:*"},
TTL: 30 * time.Minute,
IdempotencyKey: "idem-life-003",
})
if err != nil {
t.Fatalf("replay issue failed: %v", err)
}
if first.TokenID != second.TokenID {
t.Fatalf("replayed issue must return same token_id: first=%s second=%s", first.TokenID, second.TokenID)
}
if got := rt.TokenCount(); got != 1 {
t.Fatalf("idempotent replay must not create duplicate token: got=%d want=1", got)
}
_, err = rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2001",
Role: model.RoleOwner,
Scope: []string{"supply:read"},
TTL: 30 * time.Minute,
IdempotencyKey: "idem-life-003",
})
if err == nil {
t.Fatalf("expected payload mismatch conflict for same idempotency key")
}
}
func TestTOKLife004RefreshSuccess(t *testing.T) {
t.Parallel()
rt := service.NewInMemoryTokenRuntime(nil)
ctx := context.Background()
issued, err := rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2001",
Role: model.RoleOwner,
Scope: []string{"supply:*"},
TTL: 1 * time.Minute,
})
if err != nil {
t.Fatalf("issue token failed: %v", err)
}
previousExpiresAt := issued.ExpiresAt
refreshed, err := rt.Refresh(ctx, issued.TokenID, 15*time.Minute)
if err != nil {
t.Fatalf("refresh token failed: %v", err)
}
if refreshed.Status != service.TokenStatusActive {
t.Fatalf("unexpected status after refresh: got=%s want=%s", refreshed.Status, service.TokenStatusActive)
}
if !refreshed.ExpiresAt.After(previousExpiresAt) {
t.Fatalf("expires_at should be delayed after refresh")
}
}
func TestTOKLife005RevokeSuccess(t *testing.T) {
t.Parallel()
start := time.Now()
rt := service.NewInMemoryTokenRuntime(nil)
ctx := context.Background()
issued, err := rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2001",
Role: model.RoleOwner,
Scope: []string{"supply:*"},
TTL: 10 * time.Minute,
})
if err != nil {
t.Fatalf("issue token failed: %v", err)
}
if _, err := rt.Revoke(ctx, issued.TokenID, "security_event"); err != nil {
t.Fatalf("revoke token failed: %v", err)
}
introspected, err := rt.Introspect(ctx, issued.AccessToken)
if err != nil {
t.Fatalf("introspect failed: %v", err)
}
if introspected.Status != service.TokenStatusRevoked {
t.Fatalf("unexpected status after revoke: got=%s want=%s", introspected.Status, service.TokenStatusRevoked)
}
if time.Since(start) > 5*time.Second {
t.Fatalf("revoke propagation exceeded 5 seconds in in-memory runtime")
}
}
func TestTOKLife006RevokedTokenAccessDenied(t *testing.T) {
t.Parallel()
auditor := service.NewMemoryAuditEmitter()
rt := service.NewInMemoryTokenRuntime(nil)
authorizer := service.NewScopeRoleAuthorizer()
ctx := context.Background()
issued, err := rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2001",
Role: model.RoleOwner,
Scope: []string{"supply:*"},
TTL: 5 * time.Minute,
})
if err != nil {
t.Fatalf("issue token failed: %v", err)
}
if _, err := rt.Revoke(ctx, issued.TokenID, "test_revoke"); err != nil {
t.Fatalf("revoke failed: %v", err)
}
handler := middleware.BuildTokenAuthChain(middleware.AuthMiddlewareConfig{
Verifier: rt,
StatusResolver: rt,
Authorizer: authorizer,
Auditor: auditor,
}, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusNoContent)
}))
req := httptest.NewRequest(http.MethodGet, "/api/v1/supply/accounts", nil)
req.Header.Set("Authorization", "Bearer "+issued.AccessToken)
rec := httptest.NewRecorder()
handler.ServeHTTP(rec, req)
if rec.Code != http.StatusUnauthorized {
t.Fatalf("unexpected status code: got=%d want=%d", rec.Code, http.StatusUnauthorized)
}
if code := decodeMiddlewareErrorCode(t, rec); code != service.CodeAuthTokenInactive {
t.Fatalf("unexpected error code: got=%s want=%s", code, service.CodeAuthTokenInactive)
}
}
func TestTOKLife007ExpiredTokenInactive(t *testing.T) {
t.Parallel()
current := time.Date(2026, 3, 29, 15, 0, 0, 0, time.UTC)
rt := service.NewInMemoryTokenRuntime(func() time.Time { return current })
ctx := context.Background()
issued, err := rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2001",
Role: model.RoleOwner,
Scope: []string{"supply:*"},
TTL: 2 * time.Second,
})
if err != nil {
t.Fatalf("issue token failed: %v", err)
}
current = current.Add(3 * time.Second)
introspected, err := rt.Introspect(ctx, issued.AccessToken)
if err != nil {
t.Fatalf("introspect failed: %v", err)
}
if introspected.Status != service.TokenStatusExpired {
t.Fatalf("unexpected token status: got=%s want=%s", introspected.Status, service.TokenStatusExpired)
}
auditor := service.NewMemoryAuditEmitter()
authorizer := service.NewScopeRoleAuthorizer()
handler := middleware.BuildTokenAuthChain(middleware.AuthMiddlewareConfig{
Verifier: rt,
StatusResolver: rt,
Authorizer: authorizer,
Auditor: auditor,
}, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusNoContent)
}))
req := httptest.NewRequest(http.MethodGet, "/api/v1/supply/accounts", nil)
req.Header.Set("Authorization", "Bearer "+issued.AccessToken)
rec := httptest.NewRecorder()
handler.ServeHTTP(rec, req)
if rec.Code != http.StatusUnauthorized {
t.Fatalf("unexpected status code: got=%d want=%d", rec.Code, http.StatusUnauthorized)
}
if code := decodeMiddlewareErrorCode(t, rec); code != service.CodeAuthTokenInactive {
t.Fatalf("unexpected error code: got=%s want=%s", code, service.CodeAuthTokenInactive)
}
}
func TestTOKLife008ViewerWriteDenied(t *testing.T) {
t.Parallel()
auditor := service.NewMemoryAuditEmitter()
rt := service.NewInMemoryTokenRuntime(nil)
authorizer := service.NewScopeRoleAuthorizer()
ctx := context.Background()
viewer, err := rt.Issue(ctx, service.IssueTokenInput{
SubjectID: "2002",
Role: model.RoleViewer,
Scope: []string{"supply:read"},
TTL: 10 * time.Minute,
})
if err != nil {
t.Fatalf("issue viewer token failed: %v", err)
}
nextCalled := false
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
nextCalled = true
w.WriteHeader(http.StatusNoContent)
})
handler := middleware.BuildTokenAuthChain(middleware.AuthMiddlewareConfig{
Verifier: rt,
StatusResolver: rt,
Authorizer: authorizer,
Auditor: auditor,
}, next)
req := httptest.NewRequest(http.MethodPost, "/api/v1/supply/packages", nil)
req.Header.Set("Authorization", "Bearer "+viewer.AccessToken)
rec := httptest.NewRecorder()
handler.ServeHTTP(rec, req)
if rec.Code != http.StatusForbidden {
t.Fatalf("unexpected status code: got=%d want=%d", rec.Code, http.StatusForbidden)
}
if code := decodeMiddlewareErrorCode(t, rec); code != service.CodeAuthScopeDenied {
t.Fatalf("unexpected error code: got=%s want=%s", code, service.CodeAuthScopeDenied)
}
if nextCalled {
t.Fatalf("write handler should be blocked for viewer token")
}
}
type middlewareErrorEnvelope struct {
Error struct {
Code string `json:"code"`
} `json:"error"`
}
func decodeMiddlewareErrorCode(t *testing.T, rec *httptest.ResponseRecorder) string {
t.Helper()
var envelope middlewareErrorEnvelope
if err := json.Unmarshal(rec.Body.Bytes(), &envelope); err != nil {
t.Fatalf("failed to decode middleware error response: %v", err)
}
return envelope.Error.Code
}
Reference in New Issue Copy Permalink