package grpcserver import ( "context" "encoding/json" "log/slog" "net" "net/http" "net/http/httptest" "path/filepath" "testing" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/credentials/insecure" "google.golang.org/grpc/metadata" "google.golang.org/grpc/status" mcdslauth "git.wntrmute.dev/mc/mcdsl/auth" pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1" "git.wntrmute.dev/mc/mcns/internal/db" ) // mockMCIAS starts a fake MCIAS HTTP server for token validation. // Recognized tokens: // - "admin-token" -> valid, username=admin-uuid, roles=[admin] // - "user-token" -> valid, username=user-uuid, roles=[user] // - anything else -> invalid func mockMCIAS(t *testing.T) *httptest.Server { t.Helper() mux := http.NewServeMux() mux.HandleFunc("POST /v1/token/validate", func(w http.ResponseWriter, r *http.Request) { var req struct { Token string `json:"token"` } if err := json.NewDecoder(r.Body).Decode(&req); err != nil { http.Error(w, "bad request", http.StatusBadRequest) return } w.Header().Set("Content-Type", "application/json") switch req.Token { case "admin-token": _ = json.NewEncoder(w).Encode(map[string]interface{}{ "valid": true, "username": "admin-uuid", "account_type": "human", "roles": []string{"admin"}, }) case "user-token": _ = json.NewEncoder(w).Encode(map[string]interface{}{ "valid": true, "username": "user-uuid", "account_type": "human", "roles": []string{"user"}, }) default: _ = json.NewEncoder(w).Encode(map[string]interface{}{"valid": false}) } }) srv := httptest.NewServer(mux) t.Cleanup(srv.Close) return srv } // testAuthenticator creates an mcdsl/auth.Authenticator that talks to the given mock MCIAS. func testAuthenticator(t *testing.T, serverURL string) *mcdslauth.Authenticator { t.Helper() a, err := mcdslauth.New(mcdslauth.Config{ServerURL: serverURL}, slog.Default()) if err != nil { t.Fatalf("auth.New: %v", err) } return a } // openTestDB creates a temporary test database with migrations applied. func openTestDB(t *testing.T) *db.DB { t.Helper() path := filepath.Join(t.TempDir(), "test.db") d, err := db.Open(path) if err != nil { t.Fatalf("Open: %v", err) } t.Cleanup(func() { _ = d.Close() }) if err := d.Migrate(); err != nil { t.Fatalf("Migrate: %v", err) } return d } // startTestServer creates a gRPC server with auth interceptors and returns // a connected client. Passing empty cert/key strings skips TLS. func startTestServer(t *testing.T, deps Deps) *grpc.ClientConn { t.Helper() srv, err := New("", "", deps, slog.Default()) if err != nil { t.Fatalf("New: %v", err) } lis, err := net.Listen("tcp", "127.0.0.1:0") if err != nil { t.Fatalf("Listen: %v", err) } go func() { _ = srv.Serve(lis) }() t.Cleanup(func() { srv.GracefulStop() }) //nolint:gosec // insecure credentials for testing only cc, err := grpc.NewClient( lis.Addr().String(), grpc.WithTransportCredentials(insecure.NewCredentials()), ) if err != nil { t.Fatalf("Dial: %v", err) } t.Cleanup(func() { _ = cc.Close() }) return cc } // withAuth adds a bearer token to the outgoing context metadata. func withAuth(ctx context.Context, token string) context.Context { return metadata.AppendToOutgoingContext(ctx, "authorization", "Bearer "+token) } // seedZone creates a test zone and returns it. func seedZone(t *testing.T, database *db.DB, name string) *db.Zone { t.Helper() zone, err := database.CreateZone(name, "ns1.example.com.", "admin.example.com.", 3600, 600, 86400, 300) if err != nil { t.Fatalf("seed zone %q: %v", name, err) } return zone } // seedRecord creates a test A record and returns it. func seedRecord(t *testing.T, database *db.DB, zoneName, name, value string) *db.Record { t.Helper() rec, err := database.CreateRecord(zoneName, name, "A", value, 300) if err != nil { t.Fatalf("seed record %s.%s: %v", name, zoneName, err) } return rec } // --------------------------------------------------------------------------- // Admin tests // --------------------------------------------------------------------------- func TestHealthBypassesAuth(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) client := pb.NewAdminServiceClient(cc) // No auth token -- should still succeed because Health is public. resp, err := client.Health(context.Background(), &pb.HealthRequest{}) if err != nil { t.Fatalf("Health should not require auth: %v", err) } if resp.Status != "ok" { t.Fatalf("Health status: got %q, want %q", resp.Status, "ok") } } // --------------------------------------------------------------------------- // Zone tests // --------------------------------------------------------------------------- func TestListZones(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "user-token") client := pb.NewZoneServiceClient(cc) resp, err := client.ListZones(ctx, &pb.ListZonesRequest{}) if err != nil { t.Fatalf("ListZones: %v", err) } // Seed migration creates 2 zones. if len(resp.Zones) != 2 { t.Fatalf("got %d zones, want 2 (seed zones)", len(resp.Zones)) } } func TestGetZoneFound(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "user-token") client := pb.NewZoneServiceClient(cc) zone, err := client.GetZone(ctx, &pb.GetZoneRequest{Name: "example.com"}) if err != nil { t.Fatalf("GetZone: %v", err) } if zone.Name != "example.com" { t.Fatalf("got name %q, want %q", zone.Name, "example.com") } } func TestGetZoneNotFound(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "user-token") client := pb.NewZoneServiceClient(cc) _, err := client.GetZone(ctx, &pb.GetZoneRequest{Name: "nonexistent.com"}) if err == nil { t.Fatal("expected error for nonexistent zone") } st, ok := status.FromError(err) if !ok { t.Fatalf("expected gRPC status, got %v", err) } if st.Code() != codes.NotFound { t.Fatalf("code: got %v, want NotFound", st.Code()) } } func TestCreateZoneSuccess(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewZoneServiceClient(cc) zone, err := client.CreateZone(ctx, &pb.CreateZoneRequest{ Name: "newzone.com", PrimaryNs: "ns1.newzone.com.", AdminEmail: "admin.newzone.com.", Refresh: 3600, Retry: 600, Expire: 86400, MinimumTtl: 300, }) if err != nil { t.Fatalf("CreateZone: %v", err) } if zone.Name != "newzone.com" { t.Fatalf("got name %q, want %q", zone.Name, "newzone.com") } if zone.Serial == 0 { t.Fatal("serial should not be zero") } } func TestCreateZoneDuplicate(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewZoneServiceClient(cc) _, err := client.CreateZone(ctx, &pb.CreateZoneRequest{ Name: "example.com", PrimaryNs: "ns1.example.com.", AdminEmail: "admin.example.com.", }) if err == nil { t.Fatal("expected error for duplicate zone") } st, ok := status.FromError(err) if !ok { t.Fatalf("expected gRPC status, got %v", err) } if st.Code() != codes.AlreadyExists { t.Fatalf("code: got %v, want AlreadyExists", st.Code()) } } func TestUpdateZone(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) original := seedZone(t, database, "example.com") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewZoneServiceClient(cc) updated, err := client.UpdateZone(ctx, &pb.UpdateZoneRequest{ Name: "example.com", PrimaryNs: "ns2.example.com.", AdminEmail: "newadmin.example.com.", Refresh: 7200, Retry: 1200, Expire: 172800, MinimumTtl: 600, }) if err != nil { t.Fatalf("UpdateZone: %v", err) } if updated.PrimaryNs != "ns2.example.com." { t.Fatalf("got primary_ns %q, want %q", updated.PrimaryNs, "ns2.example.com.") } if updated.Serial <= original.Serial { t.Fatalf("serial should have incremented: %d <= %d", updated.Serial, original.Serial) } } func TestDeleteZone(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewZoneServiceClient(cc) _, err := client.DeleteZone(ctx, &pb.DeleteZoneRequest{Name: "example.com"}) if err != nil { t.Fatalf("DeleteZone: %v", err) } // Verify it is gone. _, err = client.GetZone(withAuth(context.Background(), "user-token"), &pb.GetZoneRequest{Name: "example.com"}) if err == nil { t.Fatal("expected NotFound after delete") } st, _ := status.FromError(err) if st.Code() != codes.NotFound { t.Fatalf("code: got %v, want NotFound", st.Code()) } } func TestDeleteZoneNotFound(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewZoneServiceClient(cc) _, err := client.DeleteZone(ctx, &pb.DeleteZoneRequest{Name: "nonexistent.com"}) if err == nil { t.Fatal("expected error for nonexistent zone") } st, _ := status.FromError(err) if st.Code() != codes.NotFound { t.Fatalf("code: got %v, want NotFound", st.Code()) } } // --------------------------------------------------------------------------- // Record tests // --------------------------------------------------------------------------- func TestListRecords(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") seedRecord(t, database, "example.com", "www", "10.0.0.1") seedRecord(t, database, "example.com", "mail", "10.0.0.2") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "user-token") client := pb.NewRecordServiceClient(cc) resp, err := client.ListRecords(ctx, &pb.ListRecordsRequest{Zone: "example.com"}) if err != nil { t.Fatalf("ListRecords: %v", err) } if len(resp.Records) != 2 { t.Fatalf("got %d records, want 2", len(resp.Records)) } } func TestGetRecordFound(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") rec := seedRecord(t, database, "example.com", "www", "10.0.0.1") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "user-token") client := pb.NewRecordServiceClient(cc) got, err := client.GetRecord(ctx, &pb.GetRecordRequest{Id: rec.ID}) if err != nil { t.Fatalf("GetRecord: %v", err) } if got.Name != "www" { t.Fatalf("got name %q, want %q", got.Name, "www") } if got.Value != "10.0.0.1" { t.Fatalf("got value %q, want %q", got.Value, "10.0.0.1") } } func TestGetRecordNotFound(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "user-token") client := pb.NewRecordServiceClient(cc) _, err := client.GetRecord(ctx, &pb.GetRecordRequest{Id: 999999}) if err == nil { t.Fatal("expected error for nonexistent record") } st, _ := status.FromError(err) if st.Code() != codes.NotFound { t.Fatalf("code: got %v, want NotFound", st.Code()) } } func TestCreateRecordSuccess(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewRecordServiceClient(cc) rec, err := client.CreateRecord(ctx, &pb.CreateRecordRequest{ Zone: "example.com", Name: "www", Type: "A", Value: "10.0.0.1", Ttl: 300, }) if err != nil { t.Fatalf("CreateRecord: %v", err) } if rec.Name != "www" { t.Fatalf("got name %q, want %q", rec.Name, "www") } if rec.Type != "A" { t.Fatalf("got type %q, want %q", rec.Type, "A") } } func TestCreateRecordInvalidValue(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewRecordServiceClient(cc) _, err := client.CreateRecord(ctx, &pb.CreateRecordRequest{ Zone: "example.com", Name: "www", Type: "A", Value: "not-an-ip", Ttl: 300, }) if err == nil { t.Fatal("expected error for invalid A record value") } st, _ := status.FromError(err) if st.Code() != codes.InvalidArgument { t.Fatalf("code: got %v, want InvalidArgument", st.Code()) } } func TestCreateRecordCNAMEConflict(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") seedRecord(t, database, "example.com", "www", "10.0.0.1") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewRecordServiceClient(cc) // Try to create a CNAME for "www" which already has an A record. _, err := client.CreateRecord(ctx, &pb.CreateRecordRequest{ Zone: "example.com", Name: "www", Type: "CNAME", Value: "other.example.com.", Ttl: 300, }) if err == nil { t.Fatal("expected error for CNAME conflict with existing A record") } st, _ := status.FromError(err) if st.Code() != codes.AlreadyExists { t.Fatalf("code: got %v, want AlreadyExists", st.Code()) } } func TestCreateRecordAConflictWithCNAME(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") // Create a CNAME first. _, err := database.CreateRecord("example.com", "alias", "CNAME", "target.example.com.", 300) if err != nil { t.Fatalf("seed CNAME: %v", err) } cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewRecordServiceClient(cc) // Try to create an A record for "alias" which already has a CNAME. _, err = client.CreateRecord(ctx, &pb.CreateRecordRequest{ Zone: "example.com", Name: "alias", Type: "A", Value: "10.0.0.1", Ttl: 300, }) if err == nil { t.Fatal("expected error for A record conflict with existing CNAME") } st, _ := status.FromError(err) if st.Code() != codes.AlreadyExists { t.Fatalf("code: got %v, want AlreadyExists", st.Code()) } } func TestUpdateRecord(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") rec := seedRecord(t, database, "example.com", "www", "10.0.0.1") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewRecordServiceClient(cc) updated, err := client.UpdateRecord(ctx, &pb.UpdateRecordRequest{ Id: rec.ID, Name: "www", Type: "A", Value: "10.0.0.2", Ttl: 600, }) if err != nil { t.Fatalf("UpdateRecord: %v", err) } if updated.Value != "10.0.0.2" { t.Fatalf("got value %q, want %q", updated.Value, "10.0.0.2") } if updated.Ttl != 600 { t.Fatalf("got ttl %d, want 600", updated.Ttl) } } func TestUpdateRecordNotFound(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewRecordServiceClient(cc) _, err := client.UpdateRecord(ctx, &pb.UpdateRecordRequest{ Id: 999999, Name: "www", Type: "A", Value: "10.0.0.1", Ttl: 300, }) if err == nil { t.Fatal("expected error for nonexistent record") } st, _ := status.FromError(err) if st.Code() != codes.NotFound { t.Fatalf("code: got %v, want NotFound", st.Code()) } } func TestDeleteRecord(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) seedZone(t, database, "example.com") rec := seedRecord(t, database, "example.com", "www", "10.0.0.1") cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewRecordServiceClient(cc) _, err := client.DeleteRecord(ctx, &pb.DeleteRecordRequest{Id: rec.ID}) if err != nil { t.Fatalf("DeleteRecord: %v", err) } // Verify it is gone. _, err = client.GetRecord(withAuth(context.Background(), "user-token"), &pb.GetRecordRequest{Id: rec.ID}) if err == nil { t.Fatal("expected NotFound after delete") } st, _ := status.FromError(err) if st.Code() != codes.NotFound { t.Fatalf("code: got %v, want NotFound", st.Code()) } } func TestDeleteRecordNotFound(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewRecordServiceClient(cc) _, err := client.DeleteRecord(ctx, &pb.DeleteRecordRequest{Id: 999999}) if err == nil { t.Fatal("expected error for nonexistent record") } st, _ := status.FromError(err) if st.Code() != codes.NotFound { t.Fatalf("code: got %v, want NotFound", st.Code()) } } // --------------------------------------------------------------------------- // Auth interceptor tests // --------------------------------------------------------------------------- func TestAuthRequiredNoToken(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) client := pb.NewZoneServiceClient(cc) // No auth token on an auth-required method. _, err := client.ListZones(context.Background(), &pb.ListZonesRequest{}) if err == nil { t.Fatal("expected error for unauthenticated request") } st, ok := status.FromError(err) if !ok { t.Fatalf("expected gRPC status error, got %v", err) } if st.Code() != codes.Unauthenticated { t.Fatalf("code: got %v, want Unauthenticated", st.Code()) } } func TestAuthRequiredInvalidToken(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "bad-token") client := pb.NewZoneServiceClient(cc) _, err := client.ListZones(ctx, &pb.ListZonesRequest{}) if err == nil { t.Fatal("expected error for invalid token") } st, ok := status.FromError(err) if !ok { t.Fatalf("expected gRPC status error, got %v", err) } if st.Code() != codes.Unauthenticated { t.Fatalf("code: got %v, want Unauthenticated", st.Code()) } } func TestAdminRequiredDeniedForUser(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "user-token") client := pb.NewZoneServiceClient(cc) // CreateZone requires admin. _, err := client.CreateZone(ctx, &pb.CreateZoneRequest{ Name: "forbidden.com", PrimaryNs: "ns1.forbidden.com.", AdminEmail: "admin.forbidden.com.", }) if err == nil { t.Fatal("expected error for non-admin user") } st, ok := status.FromError(err) if !ok { t.Fatalf("expected gRPC status error, got %v", err) } if st.Code() != codes.PermissionDenied { t.Fatalf("code: got %v, want PermissionDenied", st.Code()) } } func TestAdminRequiredAllowedForAdmin(t *testing.T) { mcias := mockMCIAS(t) auth := testAuthenticator(t, mcias.URL) database := openTestDB(t) cc := startTestServer(t, Deps{DB: database, Authenticator: auth}) ctx := withAuth(context.Background(), "admin-token") client := pb.NewZoneServiceClient(cc) // Admin should be able to create zones. zone, err := client.CreateZone(ctx, &pb.CreateZoneRequest{ Name: "admin-created.com", PrimaryNs: "ns1.admin-created.com.", AdminEmail: "admin.admin-created.com.", }) if err != nil { t.Fatalf("CreateZone as admin: %v", err) } if zone.Name != "admin-created.com" { t.Fatalf("got name %q, want %q", zone.Name, "admin-created.com") } } // --------------------------------------------------------------------------- // Interceptor map completeness test // --------------------------------------------------------------------------- func TestMethodMapCompleteness(t *testing.T) { mm := methodMap() expectedPublic := []string{ "/mcns.v1.AdminService/Health", "/mcns.v1.AuthService/Login", } for _, method := range expectedPublic { if !mm.Public[method] { t.Errorf("method %s should be public but is not in Public", method) } } if len(mm.Public) != len(expectedPublic) { t.Errorf("Public has %d entries, expected %d", len(mm.Public), len(expectedPublic)) } expectedAuth := []string{ "/mcns.v1.AuthService/Logout", "/mcns.v1.ZoneService/ListZones", "/mcns.v1.ZoneService/GetZone", "/mcns.v1.RecordService/ListRecords", "/mcns.v1.RecordService/GetRecord", } for _, method := range expectedAuth { if !mm.AuthRequired[method] { t.Errorf("method %s should require auth but is not in AuthRequired", method) } } if len(mm.AuthRequired) != len(expectedAuth) { t.Errorf("AuthRequired has %d entries, expected %d", len(mm.AuthRequired), len(expectedAuth)) } expectedAdmin := []string{ "/mcns.v1.ZoneService/CreateZone", "/mcns.v1.ZoneService/UpdateZone", "/mcns.v1.ZoneService/DeleteZone", "/mcns.v1.RecordService/CreateRecord", "/mcns.v1.RecordService/UpdateRecord", "/mcns.v1.RecordService/DeleteRecord", } for _, method := range expectedAdmin { if !mm.AdminRequired[method] { t.Errorf("method %s should require admin but is not in AdminRequired", method) } } if len(mm.AdminRequired) != len(expectedAdmin) { t.Errorf("AdminRequired has %d entries, expected %d", len(mm.AdminRequired), len(expectedAdmin)) } // Verify no method appears in multiple maps (each RPC in exactly one map). all := make(map[string]int) for k := range mm.Public { all[k]++ } for k := range mm.AuthRequired { all[k]++ } for k := range mm.AdminRequired { all[k]++ } for method, count := range all { if count != 1 { t.Errorf("method %s appears in %d maps, expected exactly 1", method, count) } } }