feat: authsession service
This commit is contained in:
Ilia Denisov
@@ -0,0 +1,141 @@
|
||||
// Package gatewayprojection defines the gateway-facing integration snapshot
|
||||
// model that stays separate from source-of-truth session entities.
|
||||
package gatewayprojection
|
||||
|
||||
import (
|
||||
"crypto/ed25519"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"galaxy/authsession/internal/domain/common"
|
||||
)
|
||||
|
||||
// Status identifies the coarse lifecycle state projected to the gateway.
|
||||
type Status string
|
||||
|
||||
const (
|
||||
// StatusActive reports that the projected session may authenticate
|
||||
// requests on the gateway hot path.
|
||||
StatusActive Status = "active"
|
||||
|
||||
// StatusRevoked reports that the projected session must be rejected on the
|
||||
// gateway hot path.
|
||||
StatusRevoked Status = "revoked"
|
||||
)
|
||||
|
||||
// IsKnown reports whether Status is one of the projection states supported by
|
||||
// the current integration model.
|
||||
func (s Status) IsKnown() bool {
|
||||
switch s {
|
||||
case StatusActive, StatusRevoked:
|
||||
return true
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// Snapshot stores the gateway-facing session projection without exposing any
|
||||
// Redis-specific field naming or storage encoding.
|
||||
type Snapshot struct {
|
||||
// DeviceSessionID identifies the projected device session.
|
||||
DeviceSessionID common.DeviceSessionID
|
||||
|
||||
// UserID identifies the projected user.
|
||||
UserID common.UserID
|
||||
|
||||
// ClientPublicKey stores the standard base64-encoded raw 32-byte Ed25519
|
||||
// public key string expected by the gateway.
|
||||
ClientPublicKey string
|
||||
|
||||
// Status reports whether the projected session is active or revoked.
|
||||
Status Status
|
||||
|
||||
// RevokedAt optionally reports when the revoke took effect.
|
||||
RevokedAt *time.Time
|
||||
|
||||
// RevokeReasonCode optionally stores the machine-readable revoke reason.
|
||||
RevokeReasonCode common.RevokeReasonCode
|
||||
|
||||
// RevokeActorType optionally stores the machine-readable revoke actor type.
|
||||
RevokeActorType common.RevokeActorType
|
||||
|
||||
// RevokeActorID optionally stores a stable revoke actor identifier.
|
||||
RevokeActorID string
|
||||
}
|
||||
|
||||
// Validate reports whether Snapshot satisfies the Stage-2 structural
|
||||
// invariants.
|
||||
func (s Snapshot) Validate() error {
|
||||
if err := s.DeviceSessionID.Validate(); err != nil {
|
||||
return fmt.Errorf("gateway projection device session id: %w", err)
|
||||
}
|
||||
if err := s.UserID.Validate(); err != nil {
|
||||
return fmt.Errorf("gateway projection user id: %w", err)
|
||||
}
|
||||
if err := validateClientPublicKey(s.ClientPublicKey); err != nil {
|
||||
return fmt.Errorf("gateway projection client public key: %w", err)
|
||||
}
|
||||
if !s.Status.IsKnown() {
|
||||
return fmt.Errorf("gateway projection status %q is unsupported", s.Status)
|
||||
}
|
||||
|
||||
if s.Status == StatusActive {
|
||||
if s.RevokedAt != nil {
|
||||
return errors.New("active gateway projection must not contain revoked time")
|
||||
}
|
||||
if !s.RevokeReasonCode.IsZero() {
|
||||
return errors.New("active gateway projection must not contain revoke reason code")
|
||||
}
|
||||
if !s.RevokeActorType.IsZero() {
|
||||
return errors.New("active gateway projection must not contain revoke actor type")
|
||||
}
|
||||
if s.RevokeActorID != "" {
|
||||
return errors.New("active gateway projection must not contain revoke actor id")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
if s.RevokedAt != nil && s.RevokedAt.IsZero() {
|
||||
return errors.New("gateway projection revoked time must not be zero")
|
||||
}
|
||||
if !s.RevokeReasonCode.IsZero() {
|
||||
if err := s.RevokeReasonCode.Validate(); err != nil {
|
||||
return fmt.Errorf("gateway projection revoke reason code: %w", err)
|
||||
}
|
||||
}
|
||||
if !s.RevokeActorType.IsZero() {
|
||||
if err := s.RevokeActorType.Validate(); err != nil {
|
||||
return fmt.Errorf("gateway projection revoke actor type: %w", err)
|
||||
}
|
||||
}
|
||||
if s.RevokeActorType.IsZero() && s.RevokeActorID != "" {
|
||||
return errors.New("gateway projection revoke actor id requires revoke actor type")
|
||||
}
|
||||
if strings.TrimSpace(s.RevokeActorID) != s.RevokeActorID {
|
||||
return errors.New("gateway projection revoke actor id must not contain surrounding whitespace")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func validateClientPublicKey(value string) error {
|
||||
switch {
|
||||
case strings.TrimSpace(value) == "":
|
||||
return errors.New("client public key must not be empty")
|
||||
case strings.TrimSpace(value) != value:
|
||||
return errors.New("client public key must not contain surrounding whitespace")
|
||||
}
|
||||
|
||||
decoded, err := base64.StdEncoding.DecodeString(value)
|
||||
if err != nil {
|
||||
return fmt.Errorf("client public key must be valid base64: %w", err)
|
||||
}
|
||||
if len(decoded) != ed25519.PublicKeySize {
|
||||
return fmt.Errorf("client public key must contain exactly %d bytes", ed25519.PublicKeySize)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
@@ -0,0 +1,146 @@
|
||||
package gatewayprojection
|
||||
|
||||
import (
|
||||
"crypto/ed25519"
|
||||
"encoding/base64"
|
||||
"github.com/stretchr/testify/require"
|
||||
"reflect"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"galaxy/authsession/internal/domain/common"
|
||||
"galaxy/authsession/internal/domain/devicesession"
|
||||
)
|
||||
|
||||
func TestStatusIsKnown(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
value Status
|
||||
want bool
|
||||
}{
|
||||
{name: "active", value: StatusActive, want: true},
|
||||
{name: "revoked", value: StatusRevoked, want: true},
|
||||
{name: "unknown", value: Status("unknown"), want: false},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
tt := tt
|
||||
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
if got := tt.value.IsKnown(); got != tt.want {
|
||||
require.Failf(t, "test failed", "IsKnown() = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestSnapshotValidate(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
mutate func(*Snapshot)
|
||||
wantErr bool
|
||||
}{
|
||||
{name: "active valid"},
|
||||
{
|
||||
name: "revoked valid",
|
||||
mutate: func(snapshot *Snapshot) {
|
||||
snapshot.Status = StatusRevoked
|
||||
revokedAt := time.Unix(1_775_121_900, 0).UTC()
|
||||
snapshot.RevokedAt = &revokedAt
|
||||
snapshot.RevokeReasonCode = common.RevokeReasonCode("admin_revoke")
|
||||
snapshot.RevokeActorType = common.RevokeActorType("admin")
|
||||
snapshot.RevokeActorID = "admin-123"
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "active rejects revoke metadata",
|
||||
mutate: func(snapshot *Snapshot) {
|
||||
snapshot.RevokeReasonCode = common.RevokeReasonCode("admin_revoke")
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid key encoding",
|
||||
mutate: func(snapshot *Snapshot) {
|
||||
snapshot.ClientPublicKey = "not-base64"
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "actor id requires actor type",
|
||||
mutate: func(snapshot *Snapshot) {
|
||||
snapshot.Status = StatusRevoked
|
||||
snapshot.RevokeActorID = "admin-123"
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
tt := tt
|
||||
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
snapshot := validSnapshot()
|
||||
if tt.mutate != nil {
|
||||
tt.mutate(&snapshot)
|
||||
}
|
||||
|
||||
err := snapshot.Validate()
|
||||
if tt.wantErr && err == nil {
|
||||
require.FailNow(t, "Validate() returned nil error")
|
||||
}
|
||||
if !tt.wantErr && err != nil {
|
||||
require.Failf(t, "test failed", "Validate() returned error: %v", err)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestSnapshotStaysSeparateFromSessionDomainShape(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
snapshotType := reflect.TypeOf(Snapshot{})
|
||||
sessionType := reflect.TypeOf(devicesession.Session{})
|
||||
|
||||
clientPublicKeyField, ok := snapshotType.FieldByName("ClientPublicKey")
|
||||
if !ok {
|
||||
require.FailNow(t, "Snapshot is missing ClientPublicKey field")
|
||||
}
|
||||
if clientPublicKeyField.Type.Kind() != reflect.String {
|
||||
require.Failf(t, "test failed", "Snapshot.ClientPublicKey kind = %s, want string", clientPublicKeyField.Type.Kind())
|
||||
}
|
||||
|
||||
sessionClientPublicKeyField, ok := sessionType.FieldByName("ClientPublicKey")
|
||||
if !ok {
|
||||
require.FailNow(t, "devicesession.Session is missing ClientPublicKey field")
|
||||
}
|
||||
if clientPublicKeyField.Type == sessionClientPublicKeyField.Type {
|
||||
require.FailNow(t, "Snapshot.ClientPublicKey must stay separate from devicesession.Session.ClientPublicKey type")
|
||||
}
|
||||
|
||||
if _, ok := snapshotType.FieldByName("RevokedAtMS"); ok {
|
||||
require.FailNow(t, "Snapshot must not expose Redis-specific RevokedAtMS field")
|
||||
}
|
||||
}
|
||||
|
||||
func validSnapshot() Snapshot {
|
||||
raw := make(ed25519.PublicKey, ed25519.PublicKeySize)
|
||||
for index := range raw {
|
||||
raw[index] = byte(index + 17)
|
||||
}
|
||||
|
||||
return Snapshot{
|
||||
DeviceSessionID: common.DeviceSessionID("device-session-123"),
|
||||
UserID: common.UserID("user-123"),
|
||||
ClientPublicKey: base64.StdEncoding.EncodeToString(raw),
|
||||
Status: StatusActive,
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user