Migrate db, auth, and config to mcdsl
- db.Open: delegate to mcdsl/db.Open - db.Migrate: rewrite migrations as mcdsl/db.Migration SQL strings, delegate to mcdsl/db.Migrate; keep SchemaVersion via mcdsl - auth: thin shim wrapping mcdsl/auth.Authenticator, keeps Claims type (with Subject, AccountType, Roles) for policy engine compat; delete cache.go (handled by mcdsl/auth); add ErrForbidden - config: embed mcdsl/config.Base for standard sections (Server with Duration fields, Database, MCIAS, Log); keep StorageConfig and WebConfig as MCR-specific; use mcdsl/config.Load[T] + Validator - WriteTimeout now defaults to 30s (mcdsl default, was 0) - All existing tests pass (auth tests rewritten for new shim API, cache expiry test removed — caching tested in mcdsl) - Net -464 lines Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -7,19 +7,17 @@ import (
|
||||
"net/http/httptest"
|
||||
"sync/atomic"
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
// newTestServer starts an httptest.Server that routes MCIAS endpoints.
|
||||
// The handler functions are pluggable per test.
|
||||
func newTestServer(t *testing.T, loginHandler, validateHandler http.HandlerFunc) *httptest.Server {
|
||||
t.Helper()
|
||||
mux := http.NewServeMux()
|
||||
if loginHandler != nil {
|
||||
mux.HandleFunc("/v1/auth/login", loginHandler)
|
||||
mux.HandleFunc("POST /v1/auth/login", loginHandler)
|
||||
}
|
||||
if validateHandler != nil {
|
||||
mux.HandleFunc("/v1/token/validate", validateHandler)
|
||||
mux.HandleFunc("POST /v1/token/validate", validateHandler)
|
||||
}
|
||||
srv := httptest.NewServer(mux)
|
||||
t.Cleanup(srv.Close)
|
||||
@@ -36,35 +34,28 @@ func newTestClient(t *testing.T, serverURL string) *Client {
|
||||
}
|
||||
|
||||
func TestLoginSuccess(t *testing.T) {
|
||||
srv := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
|
||||
var req loginRequest
|
||||
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||
http.Error(w, "bad request", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
srv := newTestServer(t, func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_ = json.NewEncoder(w).Encode(loginResponse{
|
||||
Token: "tok-abc",
|
||||
ExpiresIn: 3600,
|
||||
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
||||
"token": "tok-abc",
|
||||
"expires_at": "2099-01-01T00:00:00Z",
|
||||
})
|
||||
}, nil)
|
||||
|
||||
c := newTestClient(t, srv.URL)
|
||||
token, expiresIn, err := c.Login("alice", "secret")
|
||||
token, _, err := c.Login("alice", "secret")
|
||||
if err != nil {
|
||||
t.Fatalf("Login: %v", err)
|
||||
}
|
||||
if token != "tok-abc" {
|
||||
t.Fatalf("token: got %q, want %q", token, "tok-abc")
|
||||
}
|
||||
if expiresIn != 3600 {
|
||||
t.Fatalf("expiresIn: got %d, want %d", expiresIn, 3600)
|
||||
}
|
||||
}
|
||||
|
||||
func TestLoginFailure(t *testing.T) {
|
||||
srv := newTestServer(t, func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
_, _ = w.Write([]byte(`{"error":"invalid credentials"}`))
|
||||
}, nil)
|
||||
|
||||
c := newTestClient(t, srv.URL)
|
||||
@@ -77,17 +68,10 @@ func TestLoginFailure(t *testing.T) {
|
||||
func TestValidateSuccess(t *testing.T) {
|
||||
srv := newTestServer(t, nil, func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_ = json.NewEncoder(w).Encode(validateResponse{
|
||||
Valid: true,
|
||||
Claims: struct {
|
||||
Subject string `json:"subject"`
|
||||
AccountType string `json:"account_type"`
|
||||
Roles []string `json:"roles"`
|
||||
}{
|
||||
Subject: "alice",
|
||||
AccountType: "user",
|
||||
Roles: []string{"reader", "writer"},
|
||||
},
|
||||
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
||||
"valid": true,
|
||||
"username": "alice",
|
||||
"roles": []string{"reader", "writer"},
|
||||
})
|
||||
})
|
||||
|
||||
@@ -99,9 +83,6 @@ func TestValidateSuccess(t *testing.T) {
|
||||
if claims.Subject != "alice" {
|
||||
t.Fatalf("subject: got %q, want %q", claims.Subject, "alice")
|
||||
}
|
||||
if claims.AccountType != "user" {
|
||||
t.Fatalf("account_type: got %q, want %q", claims.AccountType, "user")
|
||||
}
|
||||
if len(claims.Roles) != 2 || claims.Roles[0] != "reader" || claims.Roles[1] != "writer" {
|
||||
t.Fatalf("roles: got %v, want [reader writer]", claims.Roles)
|
||||
}
|
||||
@@ -110,7 +91,7 @@ func TestValidateSuccess(t *testing.T) {
|
||||
func TestValidateRevoked(t *testing.T) {
|
||||
srv := newTestServer(t, nil, func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_ = json.NewEncoder(w).Encode(validateResponse{Valid: false})
|
||||
_ = json.NewEncoder(w).Encode(map[string]interface{}{"valid": false})
|
||||
})
|
||||
|
||||
c := newTestClient(t, srv.URL)
|
||||
@@ -126,17 +107,10 @@ func TestValidateCacheHit(t *testing.T) {
|
||||
srv := newTestServer(t, nil, func(w http.ResponseWriter, _ *http.Request) {
|
||||
callCount.Add(1)
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_ = json.NewEncoder(w).Encode(validateResponse{
|
||||
Valid: true,
|
||||
Claims: struct {
|
||||
Subject string `json:"subject"`
|
||||
AccountType string `json:"account_type"`
|
||||
Roles []string `json:"roles"`
|
||||
}{
|
||||
Subject: "bob",
|
||||
AccountType: "service",
|
||||
Roles: []string{"admin"},
|
||||
},
|
||||
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
||||
"valid": true,
|
||||
"username": "bob",
|
||||
"roles": []string{"admin"},
|
||||
})
|
||||
})
|
||||
|
||||
@@ -151,7 +125,7 @@ func TestValidateCacheHit(t *testing.T) {
|
||||
t.Fatalf("expected 1 server call after first validate, got %d", callCount.Load())
|
||||
}
|
||||
|
||||
// Second call — should come from cache.
|
||||
// Second call — should come from cache (mcdsl/auth handles this).
|
||||
claims2, err := c.ValidateToken("cached-token")
|
||||
if err != nil {
|
||||
t.Fatalf("second ValidateToken: %v", err)
|
||||
@@ -164,57 +138,3 @@ func TestValidateCacheHit(t *testing.T) {
|
||||
t.Fatalf("cached claims mismatch: %q vs %q", claims1.Subject, claims2.Subject)
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateCacheExpiry(t *testing.T) {
|
||||
var callCount atomic.Int64
|
||||
|
||||
srv := newTestServer(t, nil, func(w http.ResponseWriter, _ *http.Request) {
|
||||
callCount.Add(1)
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_ = json.NewEncoder(w).Encode(validateResponse{
|
||||
Valid: true,
|
||||
Claims: struct {
|
||||
Subject string `json:"subject"`
|
||||
AccountType string `json:"account_type"`
|
||||
Roles []string `json:"roles"`
|
||||
}{
|
||||
Subject: "charlie",
|
||||
AccountType: "user",
|
||||
Roles: nil,
|
||||
},
|
||||
})
|
||||
})
|
||||
|
||||
c := newTestClient(t, srv.URL)
|
||||
|
||||
// Inject a controllable clock.
|
||||
now := time.Now()
|
||||
c.cache.now = func() time.Time { return now }
|
||||
|
||||
// First call.
|
||||
if _, err := c.ValidateToken("expiry-token"); err != nil {
|
||||
t.Fatalf("first ValidateToken: %v", err)
|
||||
}
|
||||
if callCount.Load() != 1 {
|
||||
t.Fatalf("expected 1 server call, got %d", callCount.Load())
|
||||
}
|
||||
|
||||
// Second call within TTL — cache hit.
|
||||
if _, err := c.ValidateToken("expiry-token"); err != nil {
|
||||
t.Fatalf("second ValidateToken: %v", err)
|
||||
}
|
||||
if callCount.Load() != 1 {
|
||||
t.Fatalf("expected 1 server call (cache hit), got %d", callCount.Load())
|
||||
}
|
||||
|
||||
// Advance clock past the 30s TTL.
|
||||
c.cache.now = func() time.Time { return now.Add(31 * time.Second) }
|
||||
|
||||
// Third call — cache miss, should hit server again.
|
||||
if _, err := c.ValidateToken("expiry-token"); err != nil {
|
||||
t.Fatalf("third ValidateToken: %v", err)
|
||||
}
|
||||
if callCount.Load() != 2 {
|
||||
t.Fatalf("expected 2 server calls after cache expiry, got %d", callCount.Load())
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user