feat: authsession service

authsession/internal/service/revokedevicesession/consistency_test.go

@@ -0,0 +1,75 @@
+package revokedevicesession
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"galaxy/authsession/internal/domain/common"
+	"galaxy/authsession/internal/domain/devicesession"
+	"galaxy/authsession/internal/service/shared"
+	"galaxy/authsession/internal/testkit"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestExecuteRetriesProjectionPublishUntilSuccess(t *testing.T) {
+	t.Parallel()
+
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{
+		Errors: []error{errors.New("publish failed"), nil},
+	}
+	require.NoError(t, store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())))
+
+	service, err := New(store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	result, err := service.Execute(context.Background(), Input{
+		DeviceSessionID: "device-session-1",
+		ReasonCode:      "logout_all",
+		ActorType:       "system",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "revoked", result.Outcome)
+	require.Len(t, publisher.PublishedSnapshots(), 2)
+}
+
+func TestExecuteRepairsProjectionOnRepeatedAlreadyRevokedRequest(t *testing.T) {
+	t.Parallel()
+
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{Err: errors.New("publish failed")}
+	require.NoError(t, store.Create(context.Background(), activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())))
+
+	service, err := New(store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	_, err = service.Execute(context.Background(), Input{
+		DeviceSessionID: "device-session-1",
+		ReasonCode:      "logout_all",
+		ActorType:       "system",
+	})
+	require.Error(t, err)
+	assert.Equal(t, shared.ErrorCodeServiceUnavailable, shared.CodeOf(err))
+	require.Len(t, publisher.PublishedSnapshots(), shared.MaxProjectionPublishAttempts)
+
+	stored, getErr := store.Get(context.Background(), common.DeviceSessionID("device-session-1"))
+	require.NoError(t, getErr)
+	require.NotNil(t, stored.Revocation)
+	assert.Equal(t, devicesession.StatusRevoked, stored.Status)
+
+	publisher.Err = nil
+
+	result, err := service.Execute(context.Background(), Input{
+		DeviceSessionID: "device-session-1",
+		ReasonCode:      "logout_all",
+		ActorType:       "system",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "already_revoked", result.Outcome)
+	assert.EqualValues(t, 0, result.AffectedSessionCount)
+	require.Len(t, publisher.PublishedSnapshots(), shared.MaxProjectionPublishAttempts+1)
+}

authsession/internal/service/revokedevicesession/service.go

@@ -0,0 +1,151 @@
+// Package revokedevicesession implements the trusted internal single-session
+// revoke use case.
+package revokedevicesession
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"galaxy/authsession/internal/ports"
+	"galaxy/authsession/internal/service/shared"
+	"galaxy/authsession/internal/telemetry"
+
+	"go.uber.org/zap"
+)
+
+// Input describes one trusted internal revoke-device-session request.
+type Input struct {
+	// DeviceSessionID identifies the session that should be revoked.
+	DeviceSessionID string
+
+	// ReasonCode stores the machine-readable revoke reason code.
+	ReasonCode string
+
+	// ActorType stores the machine-readable revoke actor type.
+	ActorType string
+
+	// ActorID stores the optional stable revoke actor identifier.
+	ActorID string
+}
+
+// Result describes the frozen internal revoke-device-session acknowledgement.
+type Result struct {
+	// Outcome reports whether the current call revoked the session or found it
+	// already revoked.
+	Outcome string
+
+	// DeviceSessionID identifies the session addressed by the operation.
+	DeviceSessionID string
+
+	// AffectedSessionCount reports how many sessions changed state during the
+	// current call.
+	AffectedSessionCount int64
+}
+
+// Service executes the trusted internal revoke-device-session use case.
+type Service struct {
+	sessionStore ports.SessionStore
+	publisher    ports.GatewaySessionProjectionPublisher
+	clock        ports.Clock
+	logger       *zap.Logger
+	telemetry    *telemetry.Runtime
+}
+
+// New returns a revoke-device-session service wired to the required ports.
+func New(sessionStore ports.SessionStore, publisher ports.GatewaySessionProjectionPublisher, clock ports.Clock) (*Service, error) {
+	return NewWithObservability(sessionStore, publisher, clock, nil, nil)
+}
+
+// NewWithObservability returns a revoke-device-session service wired to the
+// required ports plus optional structured logging and telemetry dependencies.
+func NewWithObservability(
+	sessionStore ports.SessionStore,
+	publisher ports.GatewaySessionProjectionPublisher,
+	clock ports.Clock,
+	logger *zap.Logger,
+	telemetryRuntime *telemetry.Runtime,
+) (*Service, error) {
+	switch {
+	case sessionStore == nil:
+		return nil, fmt.Errorf("revokedevicesession: session store must not be nil")
+	case publisher == nil:
+		return nil, fmt.Errorf("revokedevicesession: projection publisher must not be nil")
+	case clock == nil:
+		return nil, fmt.Errorf("revokedevicesession: clock must not be nil")
+	default:
+		return &Service{
+			sessionStore: sessionStore,
+			publisher:    publisher,
+			clock:        clock,
+			logger:       namedLogger(logger, "revoke_device_session"),
+			telemetry:    telemetryRuntime,
+		}, nil
+	}
+}
+
+// Execute revokes one device session and republishes the current gateway
+// projection for the resulting source-of-truth session state.
+func (s *Service) Execute(ctx context.Context, input Input) (result Result, err error) {
+	logFields := []zap.Field{
+		zap.String("component", "service"),
+		zap.String("use_case", "revoke_device_session"),
+	}
+	defer func() {
+		shared.LogServiceOutcome(s.logger, ctx, "revoke device session completed", err, logFields...)
+	}()
+
+	deviceSessionID, err := shared.ParseDeviceSessionID(input.DeviceSessionID)
+	if err != nil {
+		return Result{}, err
+	}
+	logFields = append(logFields, zap.String("device_session_id", deviceSessionID.String()))
+
+	revocation, err := shared.BuildRevocation(input.ReasonCode, input.ActorType, input.ActorID, s.clock.Now())
+	if err != nil {
+		return Result{}, err
+	}
+	logFields = append(logFields, zap.String("reason_code", revocation.ReasonCode.String()))
+
+	storeResult, err := s.sessionStore.Revoke(ctx, ports.RevokeSessionInput{
+		DeviceSessionID: deviceSessionID,
+		Revocation:      revocation,
+	})
+	if err != nil {
+		switch {
+		case errors.Is(err, ports.ErrNotFound):
+			return Result{}, shared.SessionNotFound()
+		default:
+			return Result{}, shared.ServiceUnavailable(err)
+		}
+	}
+	if err := storeResult.Validate(); err != nil {
+		return Result{}, shared.InternalError(err)
+	}
+	logFields = append(logFields, zap.String("outcome", string(storeResult.Outcome)))
+
+	if err := shared.PublishSessionProjectionWithTelemetry(ctx, s.publisher, storeResult.Session, s.telemetry, "revoke_device_session"); err != nil {
+		return Result{}, err
+	}
+
+	affectedSessionCount := int64(0)
+	if storeResult.Outcome == ports.RevokeSessionOutcomeRevoked {
+		affectedSessionCount = 1
+		s.telemetry.RecordSessionRevocations(ctx, "revoke_device_session", revocation.ReasonCode.String(), affectedSessionCount)
+	}
+	logFields = append(logFields, zap.Int64("affected_session_count", affectedSessionCount))
+
+	return Result{
+		Outcome:              string(storeResult.Outcome),
+		DeviceSessionID:      storeResult.Session.ID.String(),
+		AffectedSessionCount: affectedSessionCount,
+	}, nil
+}
+
+func namedLogger(logger *zap.Logger, name string) *zap.Logger {
+	if logger == nil {
+		logger = zap.NewNop()
+	}
+
+	return logger.Named(name)
+}

authsession/internal/service/revokedevicesession/service_test.go

@@ -0,0 +1,166 @@
+package revokedevicesession
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"galaxy/authsession/internal/domain/common"
+	"galaxy/authsession/internal/domain/devicesession"
+	"galaxy/authsession/internal/domain/gatewayprojection"
+	"galaxy/authsession/internal/service/shared"
+	"galaxy/authsession/internal/testkit"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestExecuteRevokesActiveSessionAndPublishes(t *testing.T) {
+	t.Parallel()
+
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{}
+	record := activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())
+	if err := store.Create(context.Background(), record); err != nil {
+		require.Failf(t, "test failed", "Create() returned error: %v", err)
+	}
+
+	service, err := New(store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	result, err := service.Execute(context.Background(), Input{
+		DeviceSessionID: "device-session-1",
+		ReasonCode:      "logout_all",
+		ActorType:       "system",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "revoked", result.Outcome)
+	assert.EqualValues(t, 1, result.AffectedSessionCount)
+	assert.Equal(t, "device-session-1", result.DeviceSessionID)
+
+	stored, err := store.Get(context.Background(), common.DeviceSessionID("device-session-1"))
+	require.NoError(t, err)
+	require.NotNil(t, stored.Revocation)
+	assert.Equal(t, devicesession.StatusRevoked, stored.Status)
+	assert.Equal(t, devicesession.RevokeReasonLogoutAll, stored.Revocation.ReasonCode)
+	assert.Equal(t, common.RevokeActorType("system"), stored.Revocation.ActorType)
+	assert.Empty(t, stored.Revocation.ActorID)
+	assert.Equal(t, time.Unix(20, 0).UTC(), stored.Revocation.At)
+
+	published := publisher.PublishedSnapshots()
+	require.Len(t, published, 1)
+	assert.Equal(t, gatewayprojection.StatusRevoked, published[0].Status)
+	assert.Equal(t, common.DeviceSessionID("device-session-1"), published[0].DeviceSessionID)
+	assert.Equal(t, devicesession.RevokeReasonLogoutAll, published[0].RevokeReasonCode)
+	assert.Equal(t, common.RevokeActorType("system"), published[0].RevokeActorType)
+	require.NotNil(t, published[0].RevokedAt)
+	assert.Equal(t, time.Unix(20, 0).UTC(), published[0].RevokedAt.UTC())
+}
+
+func TestExecuteAlreadyRevokedReturnsZeroAffectedAndRepublishes(t *testing.T) {
+	t.Parallel()
+
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{}
+	record := revokedSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())
+	if err := store.Create(context.Background(), record); err != nil {
+		require.Failf(t, "test failed", "Create() returned error: %v", err)
+	}
+
+	service, err := New(store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	result, err := service.Execute(context.Background(), Input{
+		DeviceSessionID: "device-session-1",
+		ReasonCode:      "logout_all",
+		ActorType:       "system",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "already_revoked", result.Outcome)
+	assert.EqualValues(t, 0, result.AffectedSessionCount)
+	assert.Equal(t, "device-session-1", result.DeviceSessionID)
+
+	stored, err := store.Get(context.Background(), common.DeviceSessionID("device-session-1"))
+	require.NoError(t, err)
+	require.NotNil(t, stored.Revocation)
+	assert.Equal(t, *record.Revocation, *stored.Revocation)
+
+	published := publisher.PublishedSnapshots()
+	require.Len(t, published, 1)
+	assert.Equal(t, gatewayprojection.StatusRevoked, published[0].Status)
+	assert.Equal(t, devicesession.RevokeReasonLogoutAll, published[0].RevokeReasonCode)
+	assert.Equal(t, common.RevokeActorType("system"), published[0].RevokeActorType)
+	require.NotNil(t, published[0].RevokedAt)
+	assert.Equal(t, record.Revocation.At, *published[0].RevokedAt)
+}
+
+func TestExecuteReturnsSessionNotFound(t *testing.T) {
+	t.Parallel()
+
+	service, err := New(&testkit.InMemorySessionStore{}, &testkit.RecordingProjectionPublisher{}, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	if err != nil {
+		require.Failf(t, "test failed", "New() returned error: %v", err)
+	}
+
+	_, err = service.Execute(context.Background(), Input{
+		DeviceSessionID: "missing",
+		ReasonCode:      "logout_all",
+		ActorType:       "system",
+	})
+	assert.Equal(t, shared.ErrorCodeSessionNotFound, shared.CodeOf(err))
+}
+
+func TestExecuteReturnsServiceUnavailableWhenPublishFails(t *testing.T) {
+	t.Parallel()
+
+	store := &testkit.InMemorySessionStore{}
+	publisher := &testkit.RecordingProjectionPublisher{Err: errors.New("publish failed")}
+	record := activeSessionFixture("device-session-1", "user-1", time.Unix(10, 0).UTC())
+	if err := store.Create(context.Background(), record); err != nil {
+		require.Failf(t, "test failed", "Create() returned error: %v", err)
+	}
+
+	service, err := New(store, publisher, testkit.FixedClock{Time: time.Unix(20, 0).UTC()})
+	require.NoError(t, err)
+
+	_, err = service.Execute(context.Background(), Input{
+		DeviceSessionID: "device-session-1",
+		ReasonCode:      "logout_all",
+		ActorType:       "system",
+	})
+	assert.Equal(t, shared.ErrorCodeServiceUnavailable, shared.CodeOf(err))
+
+	stored, getErr := store.Get(context.Background(), common.DeviceSessionID("device-session-1"))
+	require.NoError(t, getErr)
+	require.NotNil(t, stored.Revocation)
+	assert.Equal(t, devicesession.StatusRevoked, stored.Status)
+	assert.Equal(t, devicesession.RevokeReasonLogoutAll, stored.Revocation.ReasonCode)
+	assert.Equal(t, common.RevokeActorType("system"), stored.Revocation.ActorType)
+}
+
+func activeSessionFixture(deviceSessionID string, userID string, createdAt time.Time) devicesession.Session {
+	key, err := common.NewClientPublicKey(make([]byte, 32))
+	if err != nil {
+		panic(err)
+	}
+
+	return devicesession.Session{
+		ID:              common.DeviceSessionID(deviceSessionID),
+		UserID:          common.UserID(userID),
+		ClientPublicKey: key,
+		Status:          devicesession.StatusActive,
+		CreatedAt:       createdAt,
+	}
+}
+
+func revokedSessionFixture(deviceSessionID string, userID string, createdAt time.Time) devicesession.Session {
+	record := activeSessionFixture(deviceSessionID, userID, createdAt)
+	record.Status = devicesession.StatusRevoked
+	record.Revocation = &devicesession.Revocation{
+		At:         createdAt.Add(time.Minute),
+		ReasonCode: devicesession.RevokeReasonLogoutAll,
+		ActorType:  common.RevokeActorType("system"),
+	}
+	return record
+}