Implement Phase 1: core framework, operational tooling, and runbook
Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper), db (SQLite/migrations), barrier (encrypted storage), seal (state machine with rate-limited unseal), auth (MCIAS integration with token cache), policy (priority-based ACL engine), engine (interface + registry). Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI (init, unseal, login, dashboard pages). CLI: cobra/viper subcommands (server, init, status, snapshot) with env var override support (METACRYPT_ prefix). Operational tooling: Dockerfile (multi-stage, non-root), docker-compose, hardened systemd units (service + daily backup timer), install script, backup script with retention pruning, production config examples. Runbook covering installation, configuration, daily operations, backup/restore, monitoring, troubleshooting, and security procedures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
52
internal/auth/auth_test.go
Normal file
52
internal/auth/auth_test.go
Normal file
@@ -0,0 +1,52 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestTokenHash(t *testing.T) {
|
||||
h1 := tokenHash("token-abc")
|
||||
h2 := tokenHash("token-abc")
|
||||
h3 := tokenHash("token-def")
|
||||
|
||||
if h1 != h2 {
|
||||
t.Error("same input should produce same hash")
|
||||
}
|
||||
if h1 == h3 {
|
||||
t.Error("different inputs should produce different hashes")
|
||||
}
|
||||
if len(h1) != 64 { // SHA-256 hex
|
||||
t.Errorf("hash length: got %d, want 64", len(h1))
|
||||
}
|
||||
}
|
||||
|
||||
func TestHasAdminRole(t *testing.T) {
|
||||
if !hasAdminRole([]string{"user", "admin"}) {
|
||||
t.Error("should detect admin role")
|
||||
}
|
||||
if hasAdminRole([]string{"user", "operator"}) {
|
||||
t.Error("should not detect admin role when absent")
|
||||
}
|
||||
if hasAdminRole(nil) {
|
||||
t.Error("nil roles should not be admin")
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewAuthenticator(t *testing.T) {
|
||||
a := NewAuthenticator(nil)
|
||||
if a == nil {
|
||||
t.Fatal("NewAuthenticator returned nil")
|
||||
}
|
||||
if a.cache == nil {
|
||||
t.Error("cache should be initialized")
|
||||
}
|
||||
}
|
||||
|
||||
func TestClearCache(t *testing.T) {
|
||||
a := NewAuthenticator(nil)
|
||||
a.cache["test"] = &cachedClaims{info: &TokenInfo{Username: "test"}}
|
||||
a.ClearCache()
|
||||
if len(a.cache) != 0 {
|
||||
t.Error("cache should be empty after clear")
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user