Ilia Denisov
118f7c17a2
Replace the native-gRPC server bootstrap with a single `connectrpc.com/connect` HTTP/h2c listener. Connect-Go natively serves Connect, gRPC, and gRPC-Web on the same port, so browsers can now reach the authenticated surface without giving up the gRPC framing native and desktop clients may use later. The decorator stack (envelope → session → payload-hash → signature → freshness/replay → rate-limit → routing/push) is reused unchanged behind a small Connect → gRPC adapter and a `grpc.ServerStream` shim around `*connect.ServerStream`. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
159 lines
5.1 KiB
Go
159 lines
5.1 KiB
Go
package grpcapi
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"galaxy/gateway/internal/session"
|
|
|
|
"connectrpc.com/connect"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestExecuteCommandRejectsInvalidSignature(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
delegate := &recordingEdgeGatewayService{}
|
|
server, runGateway := newTestGateway(t, ServerDependencies{
|
|
Service: delegate,
|
|
SessionCache: staticSessionCache{lookupFunc: func(context.Context, string) (session.Record, error) { return newActiveSessionRecord(), nil }},
|
|
})
|
|
defer runGateway.stop(t)
|
|
|
|
addr := waitForListenAddr(t, server)
|
|
client := newEdgeClient(t, addr)
|
|
|
|
req := newValidExecuteCommandRequest()
|
|
req.Signature[0] ^= 0xff
|
|
|
|
_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(req))
|
|
require.Error(t, err)
|
|
assert.Equal(t, connect.CodeUnauthenticated, connect.CodeOf(err))
|
|
assert.Equal(t, "invalid request signature", connectErrorMessage(t, err))
|
|
assert.Zero(t, delegate.executeCalls)
|
|
}
|
|
|
|
func TestExecuteCommandRejectsWrongKey(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
delegate := &recordingEdgeGatewayService{}
|
|
server, runGateway := newTestGateway(t, ServerDependencies{
|
|
Service: delegate,
|
|
SessionCache: staticSessionCache{
|
|
lookupFunc: func(context.Context, string) (session.Record, error) {
|
|
record := newActiveSessionRecord()
|
|
record.ClientPublicKey = alternateTestClientPublicKeyBase64()
|
|
return record, nil
|
|
},
|
|
},
|
|
})
|
|
defer runGateway.stop(t)
|
|
|
|
addr := waitForListenAddr(t, server)
|
|
client := newEdgeClient(t, addr)
|
|
_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequest()))
|
|
require.Error(t, err)
|
|
assert.Equal(t, connect.CodeUnauthenticated, connect.CodeOf(err))
|
|
assert.Equal(t, "invalid request signature", connectErrorMessage(t, err))
|
|
assert.Zero(t, delegate.executeCalls)
|
|
}
|
|
|
|
func TestExecuteCommandRejectsInvalidCachedPublicKey(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
delegate := &recordingEdgeGatewayService{}
|
|
server, runGateway := newTestGateway(t, ServerDependencies{
|
|
Service: delegate,
|
|
SessionCache: staticSessionCache{
|
|
lookupFunc: func(context.Context, string) (session.Record, error) {
|
|
record := newActiveSessionRecord()
|
|
record.ClientPublicKey = "%%%not-base64%%%"
|
|
return record, nil
|
|
},
|
|
},
|
|
})
|
|
defer runGateway.stop(t)
|
|
|
|
addr := waitForListenAddr(t, server)
|
|
client := newEdgeClient(t, addr)
|
|
_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequest()))
|
|
require.Error(t, err)
|
|
assert.Equal(t, connect.CodeUnavailable, connect.CodeOf(err))
|
|
assert.Equal(t, "session cache is unavailable", connectErrorMessage(t, err))
|
|
assert.Zero(t, delegate.executeCalls)
|
|
}
|
|
|
|
func TestSubscribeEventsRejectsInvalidSignature(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
delegate := &recordingEdgeGatewayService{}
|
|
server, runGateway := newTestGateway(t, ServerDependencies{
|
|
Service: delegate,
|
|
SessionCache: staticSessionCache{lookupFunc: func(context.Context, string) (session.Record, error) { return newActiveSessionRecord(), nil }},
|
|
})
|
|
defer runGateway.stop(t)
|
|
|
|
addr := waitForListenAddr(t, server)
|
|
client := newEdgeClient(t, addr)
|
|
|
|
req := newValidSubscribeEventsRequest()
|
|
req.Signature[0] ^= 0xff
|
|
|
|
err := subscribeEventsError(t, context.Background(), client, req)
|
|
require.Error(t, err)
|
|
assert.Equal(t, connect.CodeUnauthenticated, connect.CodeOf(err))
|
|
assert.Equal(t, "invalid request signature", connectErrorMessage(t, err))
|
|
assert.Zero(t, delegate.subscribeCalls)
|
|
}
|
|
|
|
func TestSubscribeEventsRejectsWrongKey(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
delegate := &recordingEdgeGatewayService{}
|
|
server, runGateway := newTestGateway(t, ServerDependencies{
|
|
Service: delegate,
|
|
SessionCache: staticSessionCache{
|
|
lookupFunc: func(context.Context, string) (session.Record, error) {
|
|
record := newActiveSessionRecord()
|
|
record.ClientPublicKey = alternateTestClientPublicKeyBase64()
|
|
return record, nil
|
|
},
|
|
},
|
|
})
|
|
defer runGateway.stop(t)
|
|
|
|
addr := waitForListenAddr(t, server)
|
|
client := newEdgeClient(t, addr)
|
|
err := subscribeEventsError(t, context.Background(), client, newValidSubscribeEventsRequest())
|
|
require.Error(t, err)
|
|
assert.Equal(t, connect.CodeUnauthenticated, connect.CodeOf(err))
|
|
assert.Equal(t, "invalid request signature", connectErrorMessage(t, err))
|
|
assert.Zero(t, delegate.subscribeCalls)
|
|
}
|
|
|
|
func TestSubscribeEventsRejectsInvalidCachedPublicKey(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
delegate := &recordingEdgeGatewayService{}
|
|
server, runGateway := newTestGateway(t, ServerDependencies{
|
|
Service: delegate,
|
|
SessionCache: staticSessionCache{
|
|
lookupFunc: func(context.Context, string) (session.Record, error) {
|
|
record := newActiveSessionRecord()
|
|
record.ClientPublicKey = "%%%not-base64%%%"
|
|
return record, nil
|
|
},
|
|
},
|
|
})
|
|
defer runGateway.stop(t)
|
|
|
|
addr := waitForListenAddr(t, server)
|
|
client := newEdgeClient(t, addr)
|
|
err := subscribeEventsError(t, context.Background(), client, newValidSubscribeEventsRequest())
|
|
require.Error(t, err)
|
|
assert.Equal(t, connect.CodeUnavailable, connect.CodeOf(err))
|
|
assert.Equal(t, "session cache is unavailable", connectErrorMessage(t, err))
|
|
assert.Zero(t, delegate.subscribeCalls)
|
|
}
|