Phase 10: gRPC admin API with interceptor chain

Proto definitions for 4 services (RegistryService, PolicyService, AuditService, AdminService) with hand-written Go stubs using JSON codec until protobuf tooling is available. Interceptor chain: logging (method, peer IP, duration, never logs auth metadata) → auth (bearer token via MCIAS, Health bypasses) → admin (role check for GC, policy, delete, audit RPCs). All RPCs share business logic with REST handlers via internal/db and internal/gc packages. TLS 1.3 minimum on gRPC listener. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 20:46:21 -07:00
parent 562b69e875
commit 185b68ff6d
30 changed files with 3616 additions and 4 deletions
--- a/internal/grpcserver/audit_test.go
+++ b/internal/grpcserver/audit_test.go
@@ -0,0 +1,95 @@
+package grpcserver
+
+import (
+	"testing"
+
+	pb "git.wntrmute.dev/kyle/mcr/gen/mcr/v1"
+)
+
+func TestListAuditEventsEmpty(t *testing.T) {
+	deps := adminDeps(t)
+	cc := startTestServer(t, deps)
+	client := pb.NewAuditServiceClient(cc)
+
+	resp, err := client.ListAuditEvents(adminCtx(), &pb.ListAuditEventsRequest{})
+	if err != nil {
+		t.Fatalf("ListAuditEvents: %v", err)
+	}
+	if len(resp.GetEvents()) != 0 {
+		t.Fatalf("expected 0 events, got %d", len(resp.Events))
+	}
+}
+
+func TestListAuditEventsWithData(t *testing.T) {
+	deps := adminDeps(t)
+
+	// Write some audit events directly.
+	err := deps.DB.WriteAuditEvent("test_event", "actor-1", "repo/test", "", "1.2.3.4", map[string]string{"key": "value"})
+	if err != nil {
+		t.Fatalf("WriteAuditEvent: %v", err)
+	}
+	err = deps.DB.WriteAuditEvent("other_event", "actor-2", "", "", "5.6.7.8", nil)
+	if err != nil {
+		t.Fatalf("WriteAuditEvent: %v", err)
+	}
+
+	cc := startTestServer(t, deps)
+	client := pb.NewAuditServiceClient(cc)
+
+	// List all events.
+	resp, err := client.ListAuditEvents(adminCtx(), &pb.ListAuditEventsRequest{})
+	if err != nil {
+		t.Fatalf("ListAuditEvents: %v", err)
+	}
+	if len(resp.GetEvents()) != 2 {
+		t.Fatalf("expected 2 events, got %d", len(resp.Events))
+	}
+
+	// Filter by event type.
+	resp, err = client.ListAuditEvents(adminCtx(), &pb.ListAuditEventsRequest{
+		EventType: "test_event",
+	})
+	if err != nil {
+		t.Fatalf("ListAuditEvents with filter: %v", err)
+	}
+	if len(resp.GetEvents()) != 1 {
+		t.Fatalf("expected 1 event, got %d", len(resp.Events))
+	}
+	if resp.Events[0].EventType != "test_event" {
+		t.Fatalf("event_type: got %q, want %q", resp.Events[0].EventType, "test_event")
+	}
+	if resp.Events[0].ActorId != "actor-1" {
+		t.Fatalf("actor_id: got %q, want %q", resp.Events[0].ActorId, "actor-1")
+	}
+	if resp.Events[0].Details["key"] != "value" {
+		t.Fatalf("details: got %v, want key=value", resp.Events[0].Details)
+	}
+}
+
+func TestListAuditEventsPagination(t *testing.T) {
+	deps := adminDeps(t)
+
+	// Write 5 events.
+	for i := range 5 {
+		err := deps.DB.WriteAuditEvent("event", "actor", "", "", "", map[string]string{
+			"index": string(rune('0' + i)),
+		})
+		if err != nil {
+			t.Fatalf("WriteAuditEvent %d: %v", i, err)
+		}
+	}
+
+	cc := startTestServer(t, deps)
+	client := pb.NewAuditServiceClient(cc)
+
+	// Get first 2 events.
+	resp, err := client.ListAuditEvents(adminCtx(), &pb.ListAuditEventsRequest{
+		Pagination: &pb.PaginationRequest{Limit: 2},
+	})
+	if err != nil {
+		t.Fatalf("ListAuditEvents: %v", err)
+	}
+	if len(resp.GetEvents()) != 2 {
+		t.Fatalf("expected 2 events, got %d", len(resp.Events))
+	}
+}