Phase 10: gRPC admin API with interceptor chain

Proto definitions for 4 services (RegistryService, PolicyService, AuditService, AdminService) with hand-written Go stubs using JSON codec until protobuf tooling is available. Interceptor chain: logging (method, peer IP, duration, never logs auth metadata) → auth (bearer token via MCIAS, Health bypasses) → admin (role check for GC, policy, delete, audit RPCs). All RPCs share business logic with REST handlers via internal/db and internal/gc packages. TLS 1.3 minimum on gRPC listener. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 20:46:21 -07:00
parent 562b69e875
commit 185b68ff6d
30 changed files with 3616 additions and 4 deletions
--- a/internal/grpcserver/interceptors_test.go
+++ b/internal/grpcserver/interceptors_test.go
@@ -0,0 +1,350 @@
+package grpcserver
+
+import (
+	"context"
+	"net"
+	"path/filepath"
+	"testing"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+
+	pb "git.wntrmute.dev/kyle/mcr/gen/mcr/v1"
+	"git.wntrmute.dev/kyle/mcr/internal/auth"
+	"git.wntrmute.dev/kyle/mcr/internal/db"
+)
+
+// fakeValidator is a test double for server.TokenValidator.
+type fakeValidator struct {
+	claims *auth.Claims
+	err    error
+}
+
+func (f *fakeValidator) ValidateToken(_ string) (*auth.Claims, error) {
+	return f.claims, f.err
+}
+
+// openTestDB creates a temporary test database with migrations applied.
+func openTestDB(t *testing.T) *db.DB {
+	t.Helper()
+	path := filepath.Join(t.TempDir(), "test.db")
+	d, err := db.Open(path)
+	if err != nil {
+		t.Fatalf("Open: %v", err)
+	}
+	t.Cleanup(func() { _ = d.Close() })
+	if err := d.Migrate(); err != nil {
+		t.Fatalf("Migrate: %v", err)
+	}
+	return d
+}
+
+// startTestServer creates a gRPC server and client for testing.
+// Returns the client connection and a cleanup function.
+func startTestServer(t *testing.T, deps Deps) *grpc.ClientConn {
+	t.Helper()
+
+	srv, err := New("", "", deps)
+	if err != nil {
+		t.Fatalf("New: %v", err)
+	}
+
+	lis, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("Listen: %v", err)
+	}
+
+	go func() {
+		_ = srv.Serve(lis)
+	}()
+	t.Cleanup(func() { srv.GracefulStop() })
+
+	//nolint:gosec // insecure credentials for testing only
+	cc, err := grpc.NewClient(
+		lis.Addr().String(),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithDefaultCallOptions(grpc.ForceCodecV2(pb.JSONCodec{})),
+	)
+	if err != nil {
+		t.Fatalf("Dial: %v", err)
+	}
+	t.Cleanup(func() { _ = cc.Close() })
+
+	return cc
+}
+
+// withAuth adds a bearer token to the outgoing context metadata.
+func withAuth(ctx context.Context, token string) context.Context {
+	return metadata.AppendToOutgoingContext(ctx, "authorization", "Bearer "+token)
+}
+
+func TestHealthBypassesAuth(t *testing.T) {
+	database := openTestDB(t)
+	validator := &fakeValidator{err: auth.ErrUnauthorized}
+
+	cc := startTestServer(t, Deps{
+		DB:        database,
+		Validator: validator,
+	})
+
+	client := pb.NewAdminServiceClient(cc)
+	resp, err := client.Health(context.Background(), &pb.HealthRequest{})
+	if err != nil {
+		t.Fatalf("Health: %v", err)
+	}
+	if resp.Status != "ok" {
+		t.Fatalf("Health status: got %q, want %q", resp.Status, "ok")
+	}
+}
+
+func TestAuthInterceptorNoToken(t *testing.T) {
+	database := openTestDB(t)
+	validator := &fakeValidator{err: auth.ErrUnauthorized}
+
+	cc := startTestServer(t, Deps{
+		DB:        database,
+		Validator: validator,
+	})
+
+	client := pb.NewRegistryServiceClient(cc)
+	_, err := client.ListRepositories(context.Background(), &pb.ListRepositoriesRequest{})
+	if err == nil {
+		t.Fatal("expected error for unauthenticated request")
+	}
+
+	st, ok := status.FromError(err)
+	if !ok {
+		t.Fatalf("expected gRPC status error, got %v", err)
+	}
+	if st.Code() != codes.Unauthenticated {
+		t.Fatalf("code: got %v, want Unauthenticated", st.Code())
+	}
+}
+
+func TestAuthInterceptorInvalidToken(t *testing.T) {
+	database := openTestDB(t)
+	validator := &fakeValidator{err: auth.ErrUnauthorized}
+
+	cc := startTestServer(t, Deps{
+		DB:        database,
+		Validator: validator,
+	})
+
+	ctx := withAuth(context.Background(), "bad-token")
+	client := pb.NewRegistryServiceClient(cc)
+	_, err := client.ListRepositories(ctx, &pb.ListRepositoriesRequest{})
+	if err == nil {
+		t.Fatal("expected error for invalid token")
+	}
+
+	st, ok := status.FromError(err)
+	if !ok {
+		t.Fatalf("expected gRPC status error, got %v", err)
+	}
+	if st.Code() != codes.Unauthenticated {
+		t.Fatalf("code: got %v, want Unauthenticated", st.Code())
+	}
+}
+
+func TestAuthInterceptorValidToken(t *testing.T) {
+	database := openTestDB(t)
+	validator := &fakeValidator{
+		claims: &auth.Claims{Subject: "alice", AccountType: "human", Roles: []string{"user"}},
+	}
+
+	cc := startTestServer(t, Deps{
+		DB:        database,
+		Validator: validator,
+	})
+
+	ctx := withAuth(context.Background(), "valid-token")
+	client := pb.NewRegistryServiceClient(cc)
+	resp, err := client.ListRepositories(ctx, &pb.ListRepositoriesRequest{})
+	if err != nil {
+		t.Fatalf("ListRepositories: %v", err)
+	}
+	if resp == nil {
+		t.Fatal("expected non-nil response")
+	}
+}
+
+func TestAdminInterceptorDenied(t *testing.T) {
+	database := openTestDB(t)
+	validator := &fakeValidator{
+		claims: &auth.Claims{Subject: "user-uuid", AccountType: "human", Roles: []string{"user"}},
+	}
+
+	cc := startTestServer(t, Deps{
+		DB:        database,
+		Validator: validator,
+	})
+
+	ctx := withAuth(context.Background(), "valid-token")
+
+	// Policy RPCs require admin.
+	policyClient := pb.NewPolicyServiceClient(cc)
+	_, err := policyClient.ListPolicyRules(ctx, &pb.ListPolicyRulesRequest{})
+	if err == nil {
+		t.Fatal("expected error for non-admin user")
+	}
+
+	st, ok := status.FromError(err)
+	if !ok {
+		t.Fatalf("expected gRPC status error, got %v", err)
+	}
+	if st.Code() != codes.PermissionDenied {
+		t.Fatalf("code: got %v, want PermissionDenied", st.Code())
+	}
+}
+
+func TestAdminInterceptorAllowed(t *testing.T) {
+	database := openTestDB(t)
+	validator := &fakeValidator{
+		claims: &auth.Claims{Subject: "admin-uuid", AccountType: "human", Roles: []string{"admin"}},
+	}
+
+	cc := startTestServer(t, Deps{
+		DB:        database,
+		Validator: validator,
+	})
+
+	ctx := withAuth(context.Background(), "valid-token")
+
+	// Admin user should be able to list policy rules.
+	policyClient := pb.NewPolicyServiceClient(cc)
+	resp, err := policyClient.ListPolicyRules(ctx, &pb.ListPolicyRulesRequest{})
+	if err != nil {
+		t.Fatalf("ListPolicyRules: %v", err)
+	}
+	if resp == nil {
+		t.Fatal("expected non-nil response")
+	}
+}
+
+func TestAdminRequiredMethodsCompleteness(t *testing.T) {
+	// Verify that admin-required methods match our security spec.
+	// This test catches the security defect of adding an RPC without
+	// adding it to the adminRequiredMethods map.
+	expected := []string{
+		"/mcr.v1.RegistryService/DeleteRepository",
+		"/mcr.v1.RegistryService/GarbageCollect",
+		"/mcr.v1.RegistryService/GetGCStatus",
+		"/mcr.v1.PolicyService/ListPolicyRules",
+		"/mcr.v1.PolicyService/CreatePolicyRule",
+		"/mcr.v1.PolicyService/GetPolicyRule",
+		"/mcr.v1.PolicyService/UpdatePolicyRule",
+		"/mcr.v1.PolicyService/DeletePolicyRule",
+		"/mcr.v1.AuditService/ListAuditEvents",
+	}
+
+	for _, method := range expected {
+		if !adminRequiredMethods[method] {
+			t.Errorf("method %s should require admin but is not in adminRequiredMethods", method)
+		}
+	}
+
+	if len(adminRequiredMethods) != len(expected) {
+		t.Errorf("adminRequiredMethods has %d entries, expected %d", len(adminRequiredMethods), len(expected))
+	}
+}
+
+func TestAuthBypassMethodsCompleteness(t *testing.T) {
+	// Health is the only method that bypasses auth.
+	expected := []string{
+		"/mcr.v1.AdminService/Health",
+	}
+
+	for _, method := range expected {
+		if !authBypassMethods[method] {
+			t.Errorf("method %s should bypass auth but is not in authBypassMethods", method)
+		}
+	}
+
+	if len(authBypassMethods) != len(expected) {
+		t.Errorf("authBypassMethods has %d entries, expected %d", len(authBypassMethods), len(expected))
+	}
+}
+
+func TestDeleteRepoRequiresAdmin(t *testing.T) {
+	database := openTestDB(t)
+	validator := &fakeValidator{
+		claims: &auth.Claims{Subject: "user-uuid", AccountType: "human", Roles: []string{"user"}},
+	}
+
+	cc := startTestServer(t, Deps{
+		DB:        database,
+		Validator: validator,
+	})
+
+	ctx := withAuth(context.Background(), "valid-token")
+	client := pb.NewRegistryServiceClient(cc)
+	_, err := client.DeleteRepository(ctx, &pb.DeleteRepositoryRequest{Name: "test"})
+	if err == nil {
+		t.Fatal("expected error for non-admin user trying to delete repo")
+	}
+
+	st, ok := status.FromError(err)
+	if !ok {
+		t.Fatalf("expected gRPC status error, got %v", err)
+	}
+	if st.Code() != codes.PermissionDenied {
+		t.Fatalf("code: got %v, want PermissionDenied", st.Code())
+	}
+}
+
+func TestGCRequiresAdmin(t *testing.T) {
+	database := openTestDB(t)
+	validator := &fakeValidator{
+		claims: &auth.Claims{Subject: "user-uuid", AccountType: "human", Roles: []string{"user"}},
+	}
+
+	cc := startTestServer(t, Deps{
+		DB:        database,
+		Validator: validator,
+	})
+
+	ctx := withAuth(context.Background(), "valid-token")
+	client := pb.NewRegistryServiceClient(cc)
+	_, err := client.GarbageCollect(ctx, &pb.GarbageCollectRequest{})
+	if err == nil {
+		t.Fatal("expected error for non-admin user trying to trigger GC")
+	}
+
+	st, ok := status.FromError(err)
+	if !ok {
+		t.Fatalf("expected gRPC status error, got %v", err)
+	}
+	if st.Code() != codes.PermissionDenied {
+		t.Fatalf("code: got %v, want PermissionDenied", st.Code())
+	}
+}
+
+func TestAuditRequiresAdmin(t *testing.T) {
+	database := openTestDB(t)
+	validator := &fakeValidator{
+		claims: &auth.Claims{Subject: "user-uuid", AccountType: "human", Roles: []string{"user"}},
+	}
+
+	cc := startTestServer(t, Deps{
+		DB:        database,
+		Validator: validator,
+	})
+
+	ctx := withAuth(context.Background(), "valid-token")
+	client := pb.NewAuditServiceClient(cc)
+	_, err := client.ListAuditEvents(ctx, &pb.ListAuditEventsRequest{})
+	if err == nil {
+		t.Fatal("expected error for non-admin user trying to list audit events")
+	}
+
+	st, ok := status.FromError(err)
+	if !ok {
+		t.Fatalf("expected gRPC status error, got %v", err)
+	}
+	if st.Code() != codes.PermissionDenied {
+		t.Fatalf("code: got %v, want PermissionDenied", st.Code())
+	}
+}