Kyle Isom
15b8823810
Four packages built in parallel: - P1.2 runtime: Container runtime abstraction with podman implementation. Interface (Pull/Run/Stop/Remove/Inspect/List), ContainerSpec/ContainerInfo types, CLI arg building, version extraction from image tags. 2 tests. - P1.3 servicedef: TOML service definition file parsing. Load/Write/LoadAll, validation (required fields, unique component names), proto conversion. 5 tests. - P1.4 config: CLI and agent config loading from TOML. Duration type for time fields, env var overrides (MCP_*/MCP_AGENT_*), required field validation, sensible defaults. 7 tests. - P1.5 auth: MCIAS integration. Token validator with 30s SHA-256 cache, gRPC unary interceptor (admin role enforcement, audit logging), Login/LoadToken/SaveToken for CLI. 9 tests. All packages pass build, vet, lint, and test. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
392 lines
10 KiB
Go
392 lines
10 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"path/filepath"
|
|
"sync/atomic"
|
|
"testing"
|
|
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/metadata"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
// mockMCIAS creates a test MCIAS server that responds to /v1/token/validate.
|
|
// The handler function receives the authorization header and returns (response, statusCode).
|
|
func mockMCIAS(t *testing.T, handler func(authHeader string) (any, int)) *httptest.Server {
|
|
t.Helper()
|
|
return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
authHeader := r.Header.Get("Authorization")
|
|
resp, code := handler(authHeader)
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(code)
|
|
if err := json.NewEncoder(w).Encode(resp); err != nil {
|
|
t.Errorf("encode response: %v", err)
|
|
}
|
|
}))
|
|
}
|
|
|
|
func validatorFromServer(t *testing.T, server *httptest.Server) *MCIASValidator {
|
|
t.Helper()
|
|
v, err := NewMCIASValidator(server.URL, "")
|
|
if err != nil {
|
|
t.Fatalf("create validator: %v", err)
|
|
}
|
|
v.httpClient = server.Client()
|
|
return v
|
|
}
|
|
|
|
// callInterceptor invokes the interceptor with the given context and validator.
|
|
func callInterceptor(ctx context.Context, validator TokenValidator) (*TokenInfo, error) {
|
|
interceptor := AuthInterceptor(validator)
|
|
info := &grpc.UnaryServerInfo{FullMethod: "/mcp.v1.MCPService/TestMethod"}
|
|
|
|
var captured *TokenInfo
|
|
handler := func(ctx context.Context, req any) (any, error) {
|
|
captured = TokenInfoFromContext(ctx)
|
|
return "ok", nil
|
|
}
|
|
|
|
_, err := interceptor(ctx, nil, info, handler)
|
|
return captured, err
|
|
}
|
|
|
|
func TestInterceptorRejectsNoToken(t *testing.T) {
|
|
server := mockMCIAS(t, func(authHeader string) (any, int) {
|
|
return map[string]any{"valid": false}, http.StatusOK
|
|
})
|
|
defer server.Close()
|
|
|
|
v := validatorFromServer(t, server)
|
|
|
|
// No metadata at all.
|
|
_, err := callInterceptor(context.Background(), v)
|
|
if err == nil {
|
|
t.Fatal("expected error, got nil")
|
|
}
|
|
if s, ok := status.FromError(err); !ok || s.Code() != codes.Unauthenticated {
|
|
t.Fatalf("expected Unauthenticated, got %v", err)
|
|
}
|
|
|
|
// Metadata present but no authorization key.
|
|
md := metadata.Pairs("other-key", "value")
|
|
ctx := metadata.NewIncomingContext(context.Background(), md)
|
|
_, err = callInterceptor(ctx, v)
|
|
if err == nil {
|
|
t.Fatal("expected error with empty auth, got nil")
|
|
}
|
|
if s, ok := status.FromError(err); !ok || s.Code() != codes.Unauthenticated {
|
|
t.Fatalf("expected Unauthenticated, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestInterceptorRejectsMalformedToken(t *testing.T) {
|
|
server := mockMCIAS(t, func(authHeader string) (any, int) {
|
|
return map[string]any{"valid": false}, http.StatusOK
|
|
})
|
|
defer server.Close()
|
|
|
|
v := validatorFromServer(t, server)
|
|
|
|
md := metadata.Pairs("authorization", "NotBearer xxx")
|
|
ctx := metadata.NewIncomingContext(context.Background(), md)
|
|
|
|
_, err := callInterceptor(ctx, v)
|
|
if err == nil {
|
|
t.Fatal("expected error, got nil")
|
|
}
|
|
if s, ok := status.FromError(err); !ok || s.Code() != codes.Unauthenticated {
|
|
t.Fatalf("expected Unauthenticated, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestInterceptorRejectsInvalidToken(t *testing.T) {
|
|
server := mockMCIAS(t, func(authHeader string) (any, int) {
|
|
return &TokenInfo{Valid: false}, http.StatusOK
|
|
})
|
|
defer server.Close()
|
|
|
|
v := validatorFromServer(t, server)
|
|
|
|
md := metadata.Pairs("authorization", "Bearer bad-token")
|
|
ctx := metadata.NewIncomingContext(context.Background(), md)
|
|
|
|
_, err := callInterceptor(ctx, v)
|
|
if err == nil {
|
|
t.Fatal("expected error, got nil")
|
|
}
|
|
if s, ok := status.FromError(err); !ok || s.Code() != codes.Unauthenticated {
|
|
t.Fatalf("expected Unauthenticated, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestInterceptorRejectsNonAdmin(t *testing.T) {
|
|
server := mockMCIAS(t, func(authHeader string) (any, int) {
|
|
return &TokenInfo{
|
|
Valid: true,
|
|
Username: "regularuser",
|
|
Roles: []string{"user"},
|
|
AccountType: "human",
|
|
}, http.StatusOK
|
|
})
|
|
defer server.Close()
|
|
|
|
v := validatorFromServer(t, server)
|
|
|
|
md := metadata.Pairs("authorization", "Bearer user-token")
|
|
ctx := metadata.NewIncomingContext(context.Background(), md)
|
|
|
|
_, err := callInterceptor(ctx, v)
|
|
if err == nil {
|
|
t.Fatal("expected error, got nil")
|
|
}
|
|
if s, ok := status.FromError(err); !ok || s.Code() != codes.PermissionDenied {
|
|
t.Fatalf("expected PermissionDenied, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestInterceptorAcceptsAdmin(t *testing.T) {
|
|
server := mockMCIAS(t, func(authHeader string) (any, int) {
|
|
return &TokenInfo{
|
|
Valid: true,
|
|
Username: "kyle",
|
|
Roles: []string{"admin", "user"},
|
|
AccountType: "human",
|
|
}, http.StatusOK
|
|
})
|
|
defer server.Close()
|
|
|
|
v := validatorFromServer(t, server)
|
|
|
|
md := metadata.Pairs("authorization", "Bearer admin-token")
|
|
ctx := metadata.NewIncomingContext(context.Background(), md)
|
|
|
|
captured, err := callInterceptor(ctx, v)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
if captured == nil {
|
|
t.Fatal("expected token info in context, got nil")
|
|
}
|
|
if captured.Username != "kyle" {
|
|
t.Fatalf("username: got %q, want %q", captured.Username, "kyle")
|
|
}
|
|
if !captured.HasRole("admin") {
|
|
t.Fatal("expected admin role")
|
|
}
|
|
if captured.AccountType != "human" {
|
|
t.Fatalf("account_type: got %q, want %q", captured.AccountType, "human")
|
|
}
|
|
}
|
|
|
|
func TestTokenCaching(t *testing.T) {
|
|
var requestCount atomic.Int64
|
|
|
|
server := mockMCIAS(t, func(authHeader string) (any, int) {
|
|
requestCount.Add(1)
|
|
return &TokenInfo{
|
|
Valid: true,
|
|
Username: "kyle",
|
|
Roles: []string{"admin"},
|
|
AccountType: "human",
|
|
}, http.StatusOK
|
|
})
|
|
defer server.Close()
|
|
|
|
v := validatorFromServer(t, server)
|
|
|
|
ctx := context.Background()
|
|
|
|
// First call should hit the server.
|
|
info1, err := v.ValidateToken(ctx, "same-token")
|
|
if err != nil {
|
|
t.Fatalf("first validate: %v", err)
|
|
}
|
|
if !info1.Valid {
|
|
t.Fatal("expected valid token")
|
|
}
|
|
|
|
// Second call with the same token should be cached.
|
|
info2, err := v.ValidateToken(ctx, "same-token")
|
|
if err != nil {
|
|
t.Fatalf("second validate: %v", err)
|
|
}
|
|
if info2.Username != info1.Username {
|
|
t.Fatalf("cached result mismatch: got %q, want %q", info2.Username, info1.Username)
|
|
}
|
|
|
|
if count := requestCount.Load(); count != 1 {
|
|
t.Fatalf("expected 1 MCIAS request, got %d", count)
|
|
}
|
|
}
|
|
|
|
func TestTokenCacheSeparateEntries(t *testing.T) {
|
|
var requestCount atomic.Int64
|
|
|
|
server := mockMCIAS(t, func(authHeader string) (any, int) {
|
|
requestCount.Add(1)
|
|
// Return different usernames based on the token.
|
|
token := authHeader[len("Bearer "):]
|
|
return &TokenInfo{
|
|
Valid: true,
|
|
Username: fmt.Sprintf("user-for-%s", token),
|
|
Roles: []string{"admin"},
|
|
AccountType: "human",
|
|
}, http.StatusOK
|
|
})
|
|
defer server.Close()
|
|
|
|
v := validatorFromServer(t, server)
|
|
|
|
ctx := context.Background()
|
|
|
|
info1, err := v.ValidateToken(ctx, "token-a")
|
|
if err != nil {
|
|
t.Fatalf("validate token-a: %v", err)
|
|
}
|
|
|
|
info2, err := v.ValidateToken(ctx, "token-b")
|
|
if err != nil {
|
|
t.Fatalf("validate token-b: %v", err)
|
|
}
|
|
|
|
if info1.Username == info2.Username {
|
|
t.Fatalf("different tokens should have different cache entries, both got %q", info1.Username)
|
|
}
|
|
|
|
if count := requestCount.Load(); count != 2 {
|
|
t.Fatalf("expected 2 MCIAS requests for different tokens, got %d", count)
|
|
}
|
|
|
|
// Repeat calls should be cached.
|
|
_, err = v.ValidateToken(ctx, "token-a")
|
|
if err != nil {
|
|
t.Fatalf("cached validate token-a: %v", err)
|
|
}
|
|
_, err = v.ValidateToken(ctx, "token-b")
|
|
if err != nil {
|
|
t.Fatalf("cached validate token-b: %v", err)
|
|
}
|
|
|
|
if count := requestCount.Load(); count != 2 {
|
|
t.Fatalf("expected still 2 MCIAS requests after cache hits, got %d", count)
|
|
}
|
|
}
|
|
|
|
func TestLoadSaveToken(t *testing.T) {
|
|
dir := t.TempDir()
|
|
path := filepath.Join(dir, "subdir", "token")
|
|
|
|
token := "test-bearer-token-12345"
|
|
|
|
if err := SaveToken(path, token); err != nil {
|
|
t.Fatalf("save: %v", err)
|
|
}
|
|
|
|
// Check file permissions.
|
|
fi, err := os.Stat(path)
|
|
if err != nil {
|
|
t.Fatalf("stat: %v", err)
|
|
}
|
|
if perm := fi.Mode().Perm(); perm != 0600 {
|
|
t.Fatalf("permissions: got %o, want 0600", perm)
|
|
}
|
|
|
|
// Load and verify.
|
|
loaded, err := LoadToken(path)
|
|
if err != nil {
|
|
t.Fatalf("load: %v", err)
|
|
}
|
|
if loaded != token {
|
|
t.Fatalf("loaded: got %q, want %q", loaded, token)
|
|
}
|
|
}
|
|
|
|
func TestLogin(t *testing.T) {
|
|
expectedToken := "mcias-session-token-xyz"
|
|
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path != "/v1/auth/login" {
|
|
t.Errorf("unexpected path: %s", r.URL.Path)
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
if r.Method != http.MethodPost {
|
|
t.Errorf("unexpected method: %s", r.Method)
|
|
w.WriteHeader(http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
|
|
var body struct {
|
|
Username string `json:"username"`
|
|
Password string `json:"password"`
|
|
}
|
|
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
|
|
t.Errorf("decode request body: %v", err)
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if body.Username != "kyle" || body.Password != "secret" {
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid credentials"})
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(map[string]string{"token": expectedToken})
|
|
}))
|
|
defer server.Close()
|
|
|
|
token, err := Login(server.URL, "", "kyle", "secret")
|
|
if err != nil {
|
|
t.Fatalf("login: %v", err)
|
|
}
|
|
if token != expectedToken {
|
|
t.Fatalf("token: got %q, want %q", token, expectedToken)
|
|
}
|
|
}
|
|
|
|
func TestLoginBadCredentials(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid credentials"})
|
|
}))
|
|
defer server.Close()
|
|
|
|
_, err := Login(server.URL, "", "kyle", "wrong")
|
|
if err == nil {
|
|
t.Fatal("expected error for bad credentials")
|
|
}
|
|
}
|
|
|
|
func TestContextTokenInfo(t *testing.T) {
|
|
info := &TokenInfo{
|
|
Valid: true,
|
|
Username: "kyle",
|
|
Roles: []string{"admin"},
|
|
AccountType: "human",
|
|
}
|
|
|
|
ctx := ContextWithTokenInfo(context.Background(), info)
|
|
got := TokenInfoFromContext(ctx)
|
|
if got == nil {
|
|
t.Fatal("expected token info from context, got nil")
|
|
}
|
|
if got.Username != "kyle" {
|
|
t.Fatalf("username: got %q, want %q", got.Username, "kyle")
|
|
}
|
|
|
|
// Empty context should return nil.
|
|
got = TokenInfoFromContext(context.Background())
|
|
if got != nil {
|
|
t.Fatalf("expected nil from empty context, got %+v", got)
|
|
}
|
|
}
|