tests: integration suite
This commit is contained in:
IliaDenisov
@@ -0,0 +1,265 @@
|
||||
package gatewayauthsession_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ed25519"
|
||||
"encoding/base64"
|
||||
"net/http"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"galaxy/integration/internal/harness"
|
||||
|
||||
gatewayv1 "galaxy/gateway/proto/galaxy/gateway/v1"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/status"
|
||||
)
|
||||
|
||||
func TestGatewayAuthSessionSendEmailCodeReachesAuthsessionMailDelivery(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
||||
|
||||
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{
|
||||
"email": testEmail,
|
||||
})
|
||||
require.Equal(t, http.StatusOK, response.StatusCode)
|
||||
|
||||
var body struct {
|
||||
ChallengeID string `json:"challenge_id"`
|
||||
}
|
||||
require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &body))
|
||||
require.NotEmpty(t, body.ChallengeID)
|
||||
|
||||
deliveries := h.mailStub.RecordedDeliveries()
|
||||
require.Len(t, deliveries, 1)
|
||||
require.Equal(t, testEmail, deliveries[0].Email)
|
||||
require.Len(t, deliveries[0].Code, 6)
|
||||
}
|
||||
|
||||
func TestGatewayAuthSessionConfirmCreatesProjectionAndAllowsSubscribeEvents(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
||||
|
||||
clientPrivateKey := newClientPrivateKey("confirm-projection")
|
||||
challengeID, code := h.sendChallenge(t, testEmail)
|
||||
|
||||
response := h.confirmCode(t, challengeID, code, clientPrivateKey)
|
||||
require.Equal(t, http.StatusOK, response.StatusCode)
|
||||
|
||||
var confirmBody struct {
|
||||
DeviceSessionID string `json:"device_session_id"`
|
||||
}
|
||||
require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &confirmBody))
|
||||
require.NotEmpty(t, confirmBody.DeviceSessionID)
|
||||
|
||||
record := h.readGatewaySessionRecord(t, confirmBody.DeviceSessionID)
|
||||
require.Equal(t, gatewaySessionRecord{
|
||||
DeviceSessionID: confirmBody.DeviceSessionID,
|
||||
UserID: "user-1",
|
||||
ClientPublicKey: base64.StdEncoding.EncodeToString(clientPrivateKey.Public().(ed25519.PublicKey)),
|
||||
Status: "active",
|
||||
}, record)
|
||||
|
||||
ensureCalls := h.userStub.EnsureCalls()
|
||||
require.Len(t, ensureCalls, 1)
|
||||
require.Equal(t, testEmail, ensureCalls[0].Email)
|
||||
require.Equal(t, "en", ensureCalls[0].PreferredLanguage)
|
||||
require.Equal(t, testTimeZone, ensureCalls[0].TimeZone)
|
||||
|
||||
conn := h.dialGateway(t)
|
||||
client := gatewayv1.NewEdgeGatewayClient(conn)
|
||||
|
||||
stream, err := client.SubscribeEvents(context.Background(), newSubscribeEventsRequest(confirmBody.DeviceSessionID, "request-bootstrap", clientPrivateKey))
|
||||
require.NoError(t, err)
|
||||
|
||||
event, err := stream.Recv()
|
||||
require.NoError(t, err)
|
||||
assertBootstrapEvent(t, event, h.responseSignerPublicKey, "request-bootstrap")
|
||||
}
|
||||
|
||||
func TestGatewayAuthSessionRepeatedConfirmReturnsSameSessionID(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
||||
|
||||
clientPrivateKey := newClientPrivateKey("repeated-confirm")
|
||||
challengeID, code := h.sendChallenge(t, testEmail)
|
||||
|
||||
first := h.confirmCode(t, challengeID, code, clientPrivateKey)
|
||||
second := h.confirmCode(t, challengeID, code, clientPrivateKey)
|
||||
require.Equal(t, http.StatusOK, first.StatusCode)
|
||||
require.Equal(t, http.StatusOK, second.StatusCode)
|
||||
|
||||
var firstBody struct {
|
||||
DeviceSessionID string `json:"device_session_id"`
|
||||
}
|
||||
var secondBody struct {
|
||||
DeviceSessionID string `json:"device_session_id"`
|
||||
}
|
||||
require.NoError(t, decodeStrictJSONPayload([]byte(first.Body), &firstBody))
|
||||
require.NoError(t, decodeStrictJSONPayload([]byte(second.Body), &secondBody))
|
||||
require.Equal(t, firstBody.DeviceSessionID, secondBody.DeviceSessionID)
|
||||
}
|
||||
|
||||
func TestGatewayAuthSessionInvalidClientPublicKeyPassesThroughUnchanged(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
||||
|
||||
challengeID, _ := h.sendChallenge(t, testEmail)
|
||||
|
||||
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/confirm-email-code", map[string]string{
|
||||
"challenge_id": challengeID,
|
||||
"code": "123456",
|
||||
"client_public_key": "invalid",
|
||||
"time_zone": testTimeZone,
|
||||
})
|
||||
|
||||
require.Equal(t, http.StatusBadRequest, response.StatusCode)
|
||||
require.JSONEq(t, `{"error":{"code":"invalid_client_public_key","message":"client_public_key is not a valid base64-encoded raw 32-byte Ed25519 public key"}}`, response.Body)
|
||||
}
|
||||
|
||||
func TestGatewayAuthSessionChallengeNotFoundPassesThroughUnchanged(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
||||
|
||||
response := h.confirmCode(t, "missing-challenge", "123456", newClientPrivateKey("missing-challenge"))
|
||||
|
||||
require.Equal(t, http.StatusNotFound, response.StatusCode)
|
||||
require.JSONEq(t, `{"error":{"code":"challenge_not_found","message":"challenge not found"}}`, response.Body)
|
||||
}
|
||||
|
||||
func TestGatewayAuthSessionInvalidCodePassesThroughUnchanged(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
||||
|
||||
clientPrivateKey := newClientPrivateKey("invalid-code")
|
||||
challengeID, code := h.sendChallenge(t, testEmail)
|
||||
invalidCode := "000000"
|
||||
if code == invalidCode {
|
||||
invalidCode = "111111"
|
||||
}
|
||||
|
||||
response := h.confirmCode(t, challengeID, invalidCode, clientPrivateKey)
|
||||
|
||||
require.Equal(t, http.StatusBadRequest, response.StatusCode)
|
||||
require.JSONEq(t, `{"error":{"code":"invalid_code","message":"confirmation code is invalid"}}`, response.Body)
|
||||
}
|
||||
|
||||
func TestGatewayAuthSessionBlockedSendRemainsSuccessShapedWithoutDelivery(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
||||
h.userStub.SeedBlockedEmail(testEmail, "policy_blocked")
|
||||
|
||||
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{
|
||||
"email": testEmail,
|
||||
})
|
||||
|
||||
require.Equal(t, http.StatusOK, response.StatusCode)
|
||||
var body struct {
|
||||
ChallengeID string `json:"challenge_id"`
|
||||
}
|
||||
require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &body))
|
||||
require.NotEmpty(t, body.ChallengeID)
|
||||
require.Empty(t, h.mailStub.RecordedDeliveries())
|
||||
}
|
||||
|
||||
func TestGatewayAuthSessionSessionLimitExceededPassesThroughUnchanged(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
||||
h.seedSessionLimit(t, 1)
|
||||
|
||||
firstClientPrivateKey := newClientPrivateKey("session-limit-first")
|
||||
firstChallengeID, firstCode := h.sendChallenge(t, testEmail)
|
||||
firstConfirm := h.confirmCode(t, firstChallengeID, firstCode, firstClientPrivateKey)
|
||||
require.Equal(t, http.StatusOK, firstConfirm.StatusCode)
|
||||
|
||||
const secondEmail = "pilot-second@example.com"
|
||||
h.userStub.SeedExisting(secondEmail, "user-1")
|
||||
|
||||
secondClientPrivateKey := newClientPrivateKey("session-limit-second")
|
||||
secondChallengeID, secondCode := h.sendChallenge(t, secondEmail)
|
||||
secondConfirm := h.confirmCode(t, secondChallengeID, secondCode, secondClientPrivateKey)
|
||||
|
||||
require.Equal(t, http.StatusConflict, secondConfirm.StatusCode)
|
||||
require.JSONEq(t, `{"error":{"code":"session_limit_exceeded","message":"active session limit would be exceeded"}}`, secondConfirm.Body)
|
||||
}
|
||||
|
||||
func TestGatewayAuthSessionRevokeClosesPushStreamAndRejectsReopen(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{})
|
||||
|
||||
clientPrivateKey := newClientPrivateKey("revoke")
|
||||
challengeID, code := h.sendChallenge(t, testEmail)
|
||||
confirm := h.confirmCode(t, challengeID, code, clientPrivateKey)
|
||||
require.Equal(t, http.StatusOK, confirm.StatusCode)
|
||||
|
||||
var confirmBody struct {
|
||||
DeviceSessionID string `json:"device_session_id"`
|
||||
}
|
||||
require.NoError(t, decodeStrictJSONPayload([]byte(confirm.Body), &confirmBody))
|
||||
|
||||
conn := h.dialGateway(t)
|
||||
client := gatewayv1.NewEdgeGatewayClient(conn)
|
||||
|
||||
stream, err := client.SubscribeEvents(context.Background(), newSubscribeEventsRequest(confirmBody.DeviceSessionID, "request-revoke", clientPrivateKey))
|
||||
require.NoError(t, err)
|
||||
|
||||
event, err := stream.Recv()
|
||||
require.NoError(t, err)
|
||||
assertBootstrapEvent(t, event, h.responseSignerPublicKey, "request-revoke")
|
||||
|
||||
revokeResponse := postJSONValue(t, h.authsessionInternalURL+"/api/v1/internal/sessions/"+confirmBody.DeviceSessionID+"/revoke", map[string]any{
|
||||
"reason_code": "admin_revoke",
|
||||
"actor": map[string]string{
|
||||
"type": "system",
|
||||
},
|
||||
})
|
||||
require.Equal(t, http.StatusOK, revokeResponse.StatusCode)
|
||||
|
||||
recvErrCh := make(chan error, 1)
|
||||
go func() {
|
||||
_, recvErr := stream.Recv()
|
||||
recvErrCh <- recvErr
|
||||
}()
|
||||
|
||||
select {
|
||||
case recvErr := <-recvErrCh:
|
||||
require.Equal(t, codes.FailedPrecondition, status.Code(recvErr))
|
||||
require.Equal(t, "device session is revoked", status.Convert(recvErr).Message())
|
||||
case <-time.After(5 * time.Second):
|
||||
t.Fatal("gateway stream did not close after authsession revoke")
|
||||
}
|
||||
|
||||
reopened, err := client.SubscribeEvents(context.Background(), newSubscribeEventsRequest(confirmBody.DeviceSessionID, "request-reopen", clientPrivateKey))
|
||||
if err == nil {
|
||||
_, err = reopened.Recv()
|
||||
}
|
||||
|
||||
require.Equal(t, codes.FailedPrecondition, status.Code(err))
|
||||
require.Equal(t, "device session is revoked", status.Convert(err).Message())
|
||||
}
|
||||
|
||||
func TestGatewayAuthSessionGatewayTimeoutMappingOverridesAuthsessionMessage(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{
|
||||
gatewayAuthUpstreamTimeout: 50 * time.Millisecond,
|
||||
authsessionPublicHTTPTimeout: time.Second,
|
||||
authsessionMailBehavior: harness.MailBehavior{
|
||||
Delay: 200 * time.Millisecond,
|
||||
},
|
||||
})
|
||||
|
||||
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{
|
||||
"email": testEmail,
|
||||
})
|
||||
|
||||
require.Equal(t, http.StatusServiceUnavailable, response.StatusCode)
|
||||
require.JSONEq(t, `{"error":{"code":"service_unavailable","message":"auth service is unavailable"}}`, response.Body)
|
||||
}
|
||||
|
||||
func TestGatewayAuthSessionAuthsessionServiceUnavailablePassesThroughUnchanged(t *testing.T) {
|
||||
h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{
|
||||
authsessionMailBehavior: harness.MailBehavior{
|
||||
StatusCode: http.StatusServiceUnavailable,
|
||||
RawBody: `{"error":"mail backend unavailable"}`,
|
||||
},
|
||||
})
|
||||
|
||||
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{
|
||||
"email": testEmail,
|
||||
})
|
||||
|
||||
require.Equal(t, http.StatusServiceUnavailable, response.StatusCode)
|
||||
require.JSONEq(t, `{"error":{"code":"service_unavailable","message":"service is unavailable"}}`, response.Body)
|
||||
}
|
||||
@@ -0,0 +1,406 @@
|
||||
package gatewayauthsession_test
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/ed25519"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
contractsgatewayv1 "galaxy/integration/internal/contracts/gatewayv1"
|
||||
"galaxy/integration/internal/harness"
|
||||
|
||||
gatewayv1 "galaxy/gateway/proto/galaxy/gateway/v1"
|
||||
|
||||
"github.com/redis/go-redis/v9"
|
||||
"github.com/stretchr/testify/require"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials/insecure"
|
||||
)
|
||||
|
||||
const (
|
||||
testEmail = "pilot@example.com"
|
||||
testTimeZone = "Europe/Kaliningrad"
|
||||
|
||||
defaultGatewayAuthUpstreamTimeout = 500 * time.Millisecond
|
||||
defaultAuthsessionPublicHTTPTimeout = time.Second
|
||||
defaultAuthsessionInternalHTTPTimeout = time.Second
|
||||
defaultAuthsessionDependencyTimeout = time.Second
|
||||
)
|
||||
|
||||
type gatewayAuthSessionOptions struct {
|
||||
gatewayAuthUpstreamTimeout time.Duration
|
||||
authsessionPublicHTTPTimeout time.Duration
|
||||
authsessionMailBehavior harness.MailBehavior
|
||||
}
|
||||
|
||||
type gatewayAuthSessionHarness struct {
|
||||
redis *redis.Client
|
||||
|
||||
mailStub *harness.MailStub
|
||||
userStub *harness.UserStub
|
||||
|
||||
authsessionPublicURL string
|
||||
authsessionInternalURL string
|
||||
gatewayPublicURL string
|
||||
gatewayGRPCAddr string
|
||||
|
||||
responseSignerPublicKey ed25519.PublicKey
|
||||
|
||||
gatewayProcess *harness.Process
|
||||
authsessionProcess *harness.Process
|
||||
}
|
||||
|
||||
func newGatewayAuthSessionHarness(t *testing.T, opts gatewayAuthSessionOptions) *gatewayAuthSessionHarness {
|
||||
t.Helper()
|
||||
|
||||
if opts.gatewayAuthUpstreamTimeout <= 0 {
|
||||
opts.gatewayAuthUpstreamTimeout = defaultGatewayAuthUpstreamTimeout
|
||||
}
|
||||
if opts.authsessionPublicHTTPTimeout <= 0 {
|
||||
opts.authsessionPublicHTTPTimeout = defaultAuthsessionPublicHTTPTimeout
|
||||
}
|
||||
|
||||
redisServer := harness.StartMiniredis(t)
|
||||
redisClient := redis.NewClient(&redis.Options{
|
||||
Addr: redisServer.Addr(),
|
||||
Protocol: 2,
|
||||
DisableIdentity: true,
|
||||
})
|
||||
t.Cleanup(func() {
|
||||
require.NoError(t, redisClient.Close())
|
||||
})
|
||||
|
||||
mailStub := harness.NewMailStub(t)
|
||||
mailStub.SetBehavior(opts.authsessionMailBehavior)
|
||||
|
||||
userStub := harness.NewUserStub(t)
|
||||
|
||||
responseSignerPath, responseSignerPublicKey := harness.WriteResponseSignerPEM(t, t.Name())
|
||||
authsessionPublicAddr := harness.FreeTCPAddress(t)
|
||||
authsessionInternalAddr := harness.FreeTCPAddress(t)
|
||||
gatewayPublicAddr := harness.FreeTCPAddress(t)
|
||||
gatewayGRPCAddr := harness.FreeTCPAddress(t)
|
||||
|
||||
authsessionBinary := harness.BuildBinary(t, "authsession", "./authsession/cmd/authsession")
|
||||
gatewayBinary := harness.BuildBinary(t, "gateway", "./gateway/cmd/gateway")
|
||||
|
||||
authsessionEnv := map[string]string{
|
||||
"AUTHSESSION_LOG_LEVEL": "info",
|
||||
"AUTHSESSION_PUBLIC_HTTP_ADDR": authsessionPublicAddr,
|
||||
"AUTHSESSION_PUBLIC_HTTP_REQUEST_TIMEOUT": opts.authsessionPublicHTTPTimeout.String(),
|
||||
"AUTHSESSION_INTERNAL_HTTP_ADDR": authsessionInternalAddr,
|
||||
"AUTHSESSION_INTERNAL_HTTP_REQUEST_TIMEOUT": defaultAuthsessionInternalHTTPTimeout.String(),
|
||||
"AUTHSESSION_REDIS_ADDR": redisServer.Addr(),
|
||||
"AUTHSESSION_USER_SERVICE_MODE": "rest",
|
||||
"AUTHSESSION_USER_SERVICE_BASE_URL": userStub.BaseURL(),
|
||||
"AUTHSESSION_USER_SERVICE_REQUEST_TIMEOUT": defaultAuthsessionDependencyTimeout.String(),
|
||||
"AUTHSESSION_MAIL_SERVICE_MODE": "rest",
|
||||
"AUTHSESSION_MAIL_SERVICE_BASE_URL": mailStub.BaseURL(),
|
||||
"AUTHSESSION_MAIL_SERVICE_REQUEST_TIMEOUT": defaultAuthsessionDependencyTimeout.String(),
|
||||
"AUTHSESSION_REDIS_GATEWAY_SESSION_CACHE_KEY_PREFIX": "gateway:session:",
|
||||
"AUTHSESSION_REDIS_GATEWAY_SESSION_EVENTS_STREAM": "gateway:session_events",
|
||||
"OTEL_TRACES_EXPORTER": "none",
|
||||
"OTEL_METRICS_EXPORTER": "none",
|
||||
}
|
||||
authsessionProcess := harness.StartProcess(t, "authsession", authsessionBinary, authsessionEnv)
|
||||
waitForAuthsessionPublicReady(t, authsessionProcess, "http://"+authsessionPublicAddr)
|
||||
waitForAuthsessionInternalReady(t, authsessionProcess, "http://"+authsessionInternalAddr)
|
||||
|
||||
gatewayEnv := map[string]string{
|
||||
"GATEWAY_LOG_LEVEL": "info",
|
||||
"GATEWAY_PUBLIC_HTTP_ADDR": gatewayPublicAddr,
|
||||
"GATEWAY_AUTHENTICATED_GRPC_ADDR": gatewayGRPCAddr,
|
||||
"GATEWAY_SESSION_CACHE_REDIS_ADDR": redisServer.Addr(),
|
||||
"GATEWAY_SESSION_CACHE_REDIS_KEY_PREFIX": "gateway:session:",
|
||||
"GATEWAY_SESSION_EVENTS_REDIS_STREAM": "gateway:session_events",
|
||||
"GATEWAY_CLIENT_EVENTS_REDIS_STREAM": "gateway:client_events",
|
||||
"GATEWAY_REPLAY_REDIS_KEY_PREFIX": "gateway:replay:",
|
||||
"GATEWAY_RESPONSE_SIGNER_PRIVATE_KEY_PEM_PATH": filepath.Clean(responseSignerPath),
|
||||
"GATEWAY_AUTH_SERVICE_BASE_URL": "http://" + authsessionPublicAddr,
|
||||
"GATEWAY_PUBLIC_AUTH_UPSTREAM_TIMEOUT": opts.gatewayAuthUpstreamTimeout.String(),
|
||||
"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_PUBLIC_AUTH_RATE_LIMIT_REQUESTS": "100",
|
||||
"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_PUBLIC_AUTH_RATE_LIMIT_WINDOW": "1s",
|
||||
"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_PUBLIC_AUTH_RATE_LIMIT_BURST": "100",
|
||||
"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_SEND_EMAIL_CODE_IDENTITY_RATE_LIMIT_REQUESTS": "100",
|
||||
"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_SEND_EMAIL_CODE_IDENTITY_RATE_LIMIT_WINDOW": "1s",
|
||||
"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_SEND_EMAIL_CODE_IDENTITY_RATE_LIMIT_BURST": "100",
|
||||
"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_CONFIRM_EMAIL_CODE_IDENTITY_RATE_LIMIT_REQUESTS": "100",
|
||||
"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_CONFIRM_EMAIL_CODE_IDENTITY_RATE_LIMIT_WINDOW": "1s",
|
||||
"GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_CONFIRM_EMAIL_CODE_IDENTITY_RATE_LIMIT_BURST": "100",
|
||||
"OTEL_TRACES_EXPORTER": "none",
|
||||
"OTEL_METRICS_EXPORTER": "none",
|
||||
}
|
||||
gatewayProcess := harness.StartProcess(t, "gateway", gatewayBinary, gatewayEnv)
|
||||
harness.WaitForHTTPStatus(t, gatewayProcess, "http://"+gatewayPublicAddr+"/healthz", http.StatusOK)
|
||||
harness.WaitForTCP(t, gatewayProcess, gatewayGRPCAddr)
|
||||
|
||||
return &gatewayAuthSessionHarness{
|
||||
redis: redisClient,
|
||||
mailStub: mailStub,
|
||||
userStub: userStub,
|
||||
authsessionPublicURL: "http://" + authsessionPublicAddr,
|
||||
authsessionInternalURL: "http://" + authsessionInternalAddr,
|
||||
gatewayPublicURL: "http://" + gatewayPublicAddr,
|
||||
gatewayGRPCAddr: gatewayGRPCAddr,
|
||||
responseSignerPublicKey: responseSignerPublicKey,
|
||||
gatewayProcess: gatewayProcess,
|
||||
authsessionProcess: authsessionProcess,
|
||||
}
|
||||
}
|
||||
|
||||
func (h *gatewayAuthSessionHarness) dialGateway(t *testing.T) *grpc.ClientConn {
|
||||
t.Helper()
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||||
defer cancel()
|
||||
|
||||
conn, err := grpc.DialContext(
|
||||
ctx,
|
||||
h.gatewayGRPCAddr,
|
||||
grpc.WithTransportCredentials(insecure.NewCredentials()),
|
||||
grpc.WithBlock(),
|
||||
)
|
||||
require.NoError(t, err)
|
||||
t.Cleanup(func() {
|
||||
require.NoError(t, conn.Close())
|
||||
})
|
||||
|
||||
return conn
|
||||
}
|
||||
|
||||
func (h *gatewayAuthSessionHarness) seedSessionLimit(t *testing.T, limit int) {
|
||||
t.Helper()
|
||||
|
||||
require.NoError(t, h.redis.Set(context.Background(), "authsession:config:active-session-limit", fmt.Sprint(limit), 0).Err())
|
||||
}
|
||||
|
||||
func (h *gatewayAuthSessionHarness) readGatewaySessionRecord(t *testing.T, deviceSessionID string) gatewaySessionRecord {
|
||||
t.Helper()
|
||||
|
||||
payload, err := h.redis.Get(context.Background(), "gateway:session:"+deviceSessionID).Bytes()
|
||||
require.NoError(t, err)
|
||||
|
||||
var record gatewaySessionRecord
|
||||
require.NoError(t, decodeStrictJSONPayload(payload, &record))
|
||||
return record
|
||||
}
|
||||
|
||||
func (h *gatewayAuthSessionHarness) sendChallenge(t *testing.T, email string) (string, string) {
|
||||
t.Helper()
|
||||
|
||||
response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{
|
||||
"email": email,
|
||||
})
|
||||
require.Equal(t, http.StatusOK, response.StatusCode)
|
||||
|
||||
var body struct {
|
||||
ChallengeID string `json:"challenge_id"`
|
||||
}
|
||||
require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &body))
|
||||
|
||||
deliveries := h.mailStub.RecordedDeliveries()
|
||||
require.NotEmpty(t, deliveries)
|
||||
return body.ChallengeID, deliveries[len(deliveries)-1].Code
|
||||
}
|
||||
|
||||
func (h *gatewayAuthSessionHarness) confirmCode(t *testing.T, challengeID string, code string, clientPrivateKey ed25519.PrivateKey) httpResponse {
|
||||
t.Helper()
|
||||
|
||||
return postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/confirm-email-code", map[string]string{
|
||||
"challenge_id": challengeID,
|
||||
"code": code,
|
||||
"client_public_key": encodePublicKey(clientPrivateKey.Public().(ed25519.PublicKey)),
|
||||
"time_zone": testTimeZone,
|
||||
})
|
||||
}
|
||||
|
||||
func newClientPrivateKey(label string) ed25519.PrivateKey {
|
||||
seed := sha256.Sum256([]byte("galaxy-integration-gateway-authsession-client-" + label))
|
||||
return ed25519.NewKeyFromSeed(seed[:])
|
||||
}
|
||||
|
||||
func newSubscribeEventsRequest(deviceSessionID string, requestID string, clientPrivateKey ed25519.PrivateKey) *gatewayv1.SubscribeEventsRequest {
|
||||
payloadHash := contractsgatewayv1.ComputePayloadHash(nil)
|
||||
|
||||
request := &gatewayv1.SubscribeEventsRequest{
|
||||
ProtocolVersion: contractsgatewayv1.ProtocolVersionV1,
|
||||
DeviceSessionId: deviceSessionID,
|
||||
MessageType: contractsgatewayv1.SubscribeMessageType,
|
||||
TimestampMs: time.Now().UnixMilli(),
|
||||
RequestId: requestID,
|
||||
PayloadHash: payloadHash,
|
||||
TraceId: "trace-" + requestID,
|
||||
}
|
||||
request.Signature = contractsgatewayv1.SignRequest(clientPrivateKey, contractsgatewayv1.RequestSigningFields{
|
||||
ProtocolVersion: request.GetProtocolVersion(),
|
||||
DeviceSessionID: request.GetDeviceSessionId(),
|
||||
MessageType: request.GetMessageType(),
|
||||
TimestampMS: request.GetTimestampMs(),
|
||||
RequestID: request.GetRequestId(),
|
||||
PayloadHash: request.GetPayloadHash(),
|
||||
})
|
||||
return request
|
||||
}
|
||||
|
||||
func assertBootstrapEvent(t *testing.T, event *gatewayv1.GatewayEvent, responseSignerPublicKey ed25519.PublicKey, wantRequestID string) {
|
||||
t.Helper()
|
||||
|
||||
require.Equal(t, contractsgatewayv1.ServerTimeEventType, event.GetEventType())
|
||||
require.Equal(t, wantRequestID, event.GetEventId())
|
||||
require.Equal(t, wantRequestID, event.GetRequestId())
|
||||
require.NoError(t, contractsgatewayv1.VerifyPayloadHash(event.GetPayloadBytes(), event.GetPayloadHash()))
|
||||
require.NoError(t, contractsgatewayv1.VerifyEventSignature(responseSignerPublicKey, event.GetSignature(), contractsgatewayv1.EventSigningFields{
|
||||
EventType: event.GetEventType(),
|
||||
EventID: event.GetEventId(),
|
||||
TimestampMS: event.GetTimestampMs(),
|
||||
RequestID: event.GetRequestId(),
|
||||
TraceID: event.GetTraceId(),
|
||||
PayloadHash: event.GetPayloadHash(),
|
||||
}))
|
||||
}
|
||||
|
||||
type httpResponse struct {
|
||||
StatusCode int
|
||||
Body string
|
||||
Header http.Header
|
||||
}
|
||||
|
||||
type gatewaySessionRecord struct {
|
||||
DeviceSessionID string `json:"device_session_id"`
|
||||
UserID string `json:"user_id"`
|
||||
ClientPublicKey string `json:"client_public_key"`
|
||||
Status string `json:"status"`
|
||||
RevokedAtMS *int64 `json:"revoked_at_ms,omitempty"`
|
||||
}
|
||||
|
||||
func postJSONValue(t *testing.T, targetURL string, body any) httpResponse {
|
||||
t.Helper()
|
||||
|
||||
payload, err := json.Marshal(body)
|
||||
require.NoError(t, err)
|
||||
|
||||
request, err := http.NewRequest(http.MethodPost, targetURL, bytes.NewReader(payload))
|
||||
require.NoError(t, err)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
client := &http.Client{Timeout: 5 * time.Second}
|
||||
|
||||
response, err := client.Do(request)
|
||||
require.NoError(t, err)
|
||||
defer response.Body.Close()
|
||||
|
||||
responseBody, err := io.ReadAll(response.Body)
|
||||
require.NoError(t, err)
|
||||
|
||||
return httpResponse{
|
||||
StatusCode: response.StatusCode,
|
||||
Body: string(responseBody),
|
||||
Header: response.Header.Clone(),
|
||||
}
|
||||
}
|
||||
|
||||
func decodeStrictJSONPayload(payload []byte, target any) error {
|
||||
decoder := json.NewDecoder(bytes.NewReader(payload))
|
||||
decoder.DisallowUnknownFields()
|
||||
|
||||
if err := decoder.Decode(target); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := decoder.Decode(&struct{}{}); err != io.EOF {
|
||||
if err == nil {
|
||||
return fmt.Errorf("unexpected trailing JSON input")
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func encodePublicKey(publicKey ed25519.PublicKey) string {
|
||||
return base64.StdEncoding.EncodeToString(publicKey)
|
||||
}
|
||||
|
||||
func waitForAuthsessionPublicReady(t *testing.T, process *harness.Process, baseURL string) {
|
||||
t.Helper()
|
||||
|
||||
client := &http.Client{Timeout: 250 * time.Millisecond}
|
||||
deadline := time.Now().Add(10 * time.Second)
|
||||
|
||||
for time.Now().Before(deadline) {
|
||||
response, err := postJSONValueMaybe(client, baseURL+"/api/v1/public/auth/send-email-code", map[string]string{
|
||||
"email": "",
|
||||
})
|
||||
if err == nil && response.StatusCode == http.StatusBadRequest {
|
||||
return
|
||||
}
|
||||
|
||||
time.Sleep(25 * time.Millisecond)
|
||||
}
|
||||
|
||||
t.Fatalf("wait for authsession public readiness: timeout\n%s", process.Logs())
|
||||
}
|
||||
|
||||
func waitForAuthsessionInternalReady(t *testing.T, process *harness.Process, baseURL string) {
|
||||
t.Helper()
|
||||
|
||||
client := &http.Client{Timeout: 250 * time.Millisecond}
|
||||
deadline := time.Now().Add(10 * time.Second)
|
||||
|
||||
for time.Now().Before(deadline) {
|
||||
request, err := http.NewRequest(http.MethodGet, baseURL+"/api/v1/internal/sessions/missing", nil)
|
||||
if err != nil {
|
||||
t.Fatalf("build authsession internal readiness request: %v", err)
|
||||
}
|
||||
|
||||
response, err := client.Do(request)
|
||||
if err == nil {
|
||||
_, _ = io.Copy(io.Discard, response.Body)
|
||||
response.Body.Close()
|
||||
if response.StatusCode == http.StatusNotFound {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
time.Sleep(25 * time.Millisecond)
|
||||
}
|
||||
|
||||
t.Fatalf("wait for authsession internal readiness: timeout\n%s", process.Logs())
|
||||
}
|
||||
|
||||
func postJSONValueMaybe(client *http.Client, targetURL string, body any) (httpResponse, error) {
|
||||
payload, err := json.Marshal(body)
|
||||
if err != nil {
|
||||
return httpResponse{}, err
|
||||
}
|
||||
|
||||
request, err := http.NewRequest(http.MethodPost, targetURL, bytes.NewReader(payload))
|
||||
if err != nil {
|
||||
return httpResponse{}, err
|
||||
}
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
response, err := client.Do(request)
|
||||
if err != nil {
|
||||
return httpResponse{}, err
|
||||
}
|
||||
defer response.Body.Close()
|
||||
|
||||
responseBody, err := io.ReadAll(response.Body)
|
||||
if err != nil {
|
||||
return httpResponse{}, err
|
||||
}
|
||||
|
||||
return httpResponse{
|
||||
StatusCode: response.StatusCode,
|
||||
Body: string(responseBody),
|
||||
Header: response.Header.Clone(),
|
||||
}, nil
|
||||
}
|
||||
Reference in New Issue
Block a user