checkpoint mciassrv

2026-03-11 11:48:24 -07:00
parent 9e4e7aba7a
commit d75a1d6fd3
21 changed files with 5307 additions and 0 deletions
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -0,0 +1,225 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+// validConfig returns a minimal valid TOML config string.
+func validConfig() string {
+	return `
+[server]
+listen_addr = "0.0.0.0:8443"
+tls_cert    = "/etc/mcias/server.crt"
+tls_key     = "/etc/mcias/server.key"
+
+[database]
+path = "/var/lib/mcias/mcias.db"
+
+[tokens]
+issuer          = "https://auth.example.com"
+default_expiry  = "720h"
+admin_expiry    = "8h"
+service_expiry  = "8760h"
+
+[argon2]
+time    = 3
+memory  = 65536
+threads = 4
+
+[master_key]
+passphrase_env = "MCIAS_MASTER_PASSPHRASE"
+`
+}
+
+func writeTempConfig(t *testing.T, content string) string {
+	t.Helper()
+	dir := t.TempDir()
+	path := filepath.Join(dir, "mcias.toml")
+	if err := os.WriteFile(path, []byte(content), 0600); err != nil {
+		t.Fatalf("write temp config: %v", err)
+	}
+	return path
+}
+
+func TestLoadValidConfig(t *testing.T) {
+	path := writeTempConfig(t, validConfig())
+	cfg, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load returned error: %v", err)
+	}
+
+	if cfg.Server.ListenAddr != "0.0.0.0:8443" {
+		t.Errorf("ListenAddr = %q, want %q", cfg.Server.ListenAddr, "0.0.0.0:8443")
+	}
+	if cfg.Tokens.Issuer != "https://auth.example.com" {
+		t.Errorf("Issuer = %q, want %q", cfg.Tokens.Issuer, "https://auth.example.com")
+	}
+	if cfg.DefaultExpiry() != 720*time.Hour {
+		t.Errorf("DefaultExpiry = %v, want %v", cfg.DefaultExpiry(), 720*time.Hour)
+	}
+	if cfg.AdminExpiry() != 8*time.Hour {
+		t.Errorf("AdminExpiry = %v, want %v", cfg.AdminExpiry(), 8*time.Hour)
+	}
+	if cfg.ServiceExpiry() != 8760*time.Hour {
+		t.Errorf("ServiceExpiry = %v, want %v", cfg.ServiceExpiry(), 8760*time.Hour)
+	}
+	if cfg.Argon2.Time != 3 {
+		t.Errorf("Argon2.Time = %d, want 3", cfg.Argon2.Time)
+	}
+	if cfg.Argon2.Memory != 65536 {
+		t.Errorf("Argon2.Memory = %d, want 65536", cfg.Argon2.Memory)
+	}
+	if cfg.MasterKey.PassphraseEnv != "MCIAS_MASTER_PASSPHRASE" {
+		t.Errorf("MasterKey.PassphraseEnv = %q", cfg.MasterKey.PassphraseEnv)
+	}
+}
+
+func TestLoadMissingFile(t *testing.T) {
+	_, err := Load("/nonexistent/path/mcias.toml")
+	if err == nil {
+		t.Error("expected error for missing file, got nil")
+	}
+}
+
+func TestLoadInvalidTOML(t *testing.T) {
+	path := writeTempConfig(t, "this is not valid TOML {{{{")
+	_, err := Load(path)
+	if err == nil {
+		t.Error("expected error for invalid TOML, got nil")
+	}
+}
+
+func TestValidateMissingListenAddr(t *testing.T) {
+	path := writeTempConfig(t, `
+[server]
+tls_cert = "/etc/mcias/server.crt"
+tls_key  = "/etc/mcias/server.key"
+
+[database]
+path = "/var/lib/mcias/mcias.db"
+
+[tokens]
+issuer         = "https://auth.example.com"
+default_expiry = "720h"
+admin_expiry   = "8h"
+service_expiry = "8760h"
+
+[argon2]
+time    = 3
+memory  = 65536
+threads = 4
+
+[master_key]
+passphrase_env = "MCIAS_MASTER_PASSPHRASE"
+`)
+	_, err := Load(path)
+	if err == nil {
+		t.Error("expected error for missing listen_addr, got nil")
+	}
+}
+
+func TestValidateArgon2TooWeak(t *testing.T) {
+	tests := []struct {
+		name   string
+		time   uint32
+		memory uint32
+	}{
+		{"time too low", 1, 65536},
+		{"memory too low", 3, 32768},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			content := validConfig()
+			// Override argon2 section
+			path := writeTempConfig(t, content)
+			cfg, err := Load(path)
+			if err != nil {
+				t.Fatalf("baseline load failed: %v", err)
+			}
+			// Manually set unsafe params and re-validate
+			cfg.Argon2.Time = tc.time
+			cfg.Argon2.Memory = tc.memory
+			if err := cfg.validate(); err == nil {
+				t.Errorf("expected validation error for time=%d memory=%d, got nil", tc.time, tc.memory)
+			}
+		})
+	}
+}
+
+func TestValidateMasterKeyBothSet(t *testing.T) {
+	path := writeTempConfig(t, `
+[server]
+listen_addr = "0.0.0.0:8443"
+tls_cert    = "/etc/mcias/server.crt"
+tls_key     = "/etc/mcias/server.key"
+
+[database]
+path = "/var/lib/mcias/mcias.db"
+
+[tokens]
+issuer         = "https://auth.example.com"
+default_expiry = "720h"
+admin_expiry   = "8h"
+service_expiry = "8760h"
+
+[argon2]
+time    = 3
+memory  = 65536
+threads = 4
+
+[master_key]
+passphrase_env = "MCIAS_MASTER_PASSPHRASE"
+keyfile        = "/etc/mcias/master.key"
+`)
+	_, err := Load(path)
+	if err == nil {
+		t.Error("expected error when both passphrase_env and keyfile are set, got nil")
+	}
+}
+
+func TestValidateMasterKeyNoneSet(t *testing.T) {
+	path := writeTempConfig(t, `
+[server]
+listen_addr = "0.0.0.0:8443"
+tls_cert    = "/etc/mcias/server.crt"
+tls_key     = "/etc/mcias/server.key"
+
+[database]
+path = "/var/lib/mcias/mcias.db"
+
+[tokens]
+issuer         = "https://auth.example.com"
+default_expiry = "720h"
+admin_expiry   = "8h"
+service_expiry = "8760h"
+
+[argon2]
+time    = 3
+memory  = 65536
+threads = 4
+
+[master_key]
+`)
+	_, err := Load(path)
+	if err == nil {
+		t.Error("expected error when neither passphrase_env nor keyfile is set, got nil")
+	}
+}
+
+func TestDurationParsing(t *testing.T) {
+	var d duration
+	if err := d.UnmarshalText([]byte("1h30m")); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if d.Duration != 90*time.Minute {
+		t.Errorf("Duration = %v, want %v", d.Duration, 90*time.Minute)
+	}
+
+	if err := d.UnmarshalText([]byte("not-a-duration")); err == nil {
+		t.Error("expected error for invalid duration, got nil")
+	}
+}