Implement Phase 1: core framework, operational tooling, and runbook
Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper), db (SQLite/migrations), barrier (encrypted storage), seal (state machine with rate-limited unseal), auth (MCIAS integration with token cache), policy (priority-based ACL engine), engine (interface + registry). Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI (init, unseal, login, dashboard pages). CLI: cobra/viper subcommands (server, init, status, snapshot) with env var override support (METACRYPT_ prefix). Operational tooling: Dockerfile (multi-stage, non-root), docker-compose, hardened systemd units (service + daily backup timer), install script, backup script with retention pruning, production config examples. Runbook covering installation, configuration, daily operations, backup/restore, monitoring, troubleshooting, and security procedures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
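--- a/internal/engine/engine_test.go
+++ b/internal/engine/engine_test.go
@@ -0,0 +1,120 @@
+package engine
+
+import (
+"context"
+"testing"
+
+"git.wntrmute.dev/kyle/metacrypt/internal/barrier"
+)
+
+// mockEngine implements Engine for testing.
+type mockEngine struct {
+engineType EngineType
+initialized bool
+unsealed bool
+}
+
+func (m *mockEngine) Type() EngineType { return m.engineType }
+func (m *mockEngine) Initialize(_ context.Context, _ barrier.Barrier, _ string) error { m.initialized = true; return nil }
+func (m *mockEngine) Unseal(_ context.Context, _ barrier.Barrier, _ string) error { m.unsealed = true; return nil }
+func (m *mockEngine) Seal() error { m.unsealed = false; return nil }
+func (m *mockEngine) HandleRequest(_ context.Context, _ *Request) (*Response, error) {
+return &Response{Data: map[string]interface{}{"ok": true}}, nil
+}
+
+type mockBarrier struct{}
+
+func (m *mockBarrier) Unseal(_ []byte) error { return nil }
+func (m *mockBarrier) Seal() error { return nil }
+func (m *mockBarrier) IsSealed() bool { return false }
+func (m *mockBarrier) Get(_ context.Context, _ string) ([]byte, error) { return nil, barrier.ErrNotFound }
+func (m *mockBarrier) Put(_ context.Context, _ string, _ []byte) error { return nil }
+func (m *mockBarrier) Delete(_ context.Context, _ string) error { return nil }
+func (m *mockBarrier) List(_ context.Context, _ string) ([]string, error) { return nil, nil }
+
+func TestRegistryMountUnmount(t *testing.T) {
+reg := NewRegistry(&mockBarrier{})
+reg.RegisterFactory(EngineTypeTransit, func() Engine {
+return &mockEngine{engineType: EngineTypeTransit}
+})
+
+ctx := context.Background()
+if err := reg.Mount(ctx, "default", EngineTypeTransit); err != nil {
+t.Fatalf("Mount: %v", err)
+}
+
+mounts := reg.ListMounts()
+if len(mounts) != 1 {
+t.Fatalf("ListMounts: got %d, want 1", len(mounts))
+}
+if mounts[0].Name != "default" {
+t.Errorf("mount name: got %q, want %q", mounts[0].Name, "default")
+}
+
+// Duplicate mount should fail.
+if err := reg.Mount(ctx, "default", EngineTypeTransit); err != ErrMountExists {
+t.Fatalf("expected ErrMountExists, got: %v", err)
+}
+
+if err := reg.Unmount("default"); err != nil {
+t.Fatalf("Unmount: %v", err)
+}
+
+mounts = reg.ListMounts()
+if len(mounts) != 0 {
+t.Fatalf("after unmount: got %d mounts", len(mounts))
+}
+}
+
+func TestRegistryUnmountNotFound(t *testing.T) {
+reg := NewRegistry(&mockBarrier{})
+if err := reg.Unmount("nonexistent"); err != ErrMountNotFound {
+t.Fatalf("expected ErrMountNotFound, got: %v", err)
+}
+}
+
+func TestRegistryUnknownType(t *testing.T) {
+reg := NewRegistry(&mockBarrier{})
+err := reg.Mount(context.Background(), "test", EngineTypeTransit)
+if err == nil {
+t.Fatal("expected error for unknown engine type")
+}
+}
+
+func TestRegistryHandleRequest(t *testing.T) {
+reg := NewRegistry(&mockBarrier{})
+reg.RegisterFactory(EngineTypeTransit, func() Engine {
+return &mockEngine{engineType: EngineTypeTransit}
+})
+
+ctx := context.Background()
+reg.Mount(ctx, "test", EngineTypeTransit)
+
+resp, err := reg.HandleRequest(ctx, "test", &Request{Operation: "encrypt"})
+if err != nil {
+t.Fatalf("HandleRequest: %v", err)
+}
+if resp.Data["ok"] != true {
+t.Error("expected ok=true in response")
+}
+
+_, err = reg.HandleRequest(ctx, "nonexistent", &Request{})
+if err != ErrMountNotFound {
+t.Fatalf("expected ErrMountNotFound, got: %v", err)
+}
+}
+
+func TestRegistrySealAll(t *testing.T) {
+reg := NewRegistry(&mockBarrier{})
+reg.RegisterFactory(EngineTypeTransit, func() Engine {
+return &mockEngine{engineType: EngineTypeTransit}
+})
+
+ctx := context.Background()
+reg.Mount(ctx, "eng1", EngineTypeTransit)
+reg.Mount(ctx, "eng2", EngineTypeTransit)
+
+if err := reg.SealAll(); err != nil {
+t.Fatalf("SealAll: %v", err)
+}
+}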
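Review bot: TestRegistrySealAll would still pass if SealAll were a no-op, because it checks only the returned error and never reads mockEngine.unsealed; the mock records initialized/unsealed but no test in this file asserts on either field. For a secrets service, sealing is the property worth pinning, so the factory should keep a reference to each engine it hands out and the test should assert every one is sealed afterwards. Starting the mocks with `unsealed: true` keeps the assertion meaningful whether or not Mount calls Unseal, which is not visible from this file. Separately, the `reg.Mount(...)` calls in TestRegistryHandleRequest and TestRegistrySealAll discard their error, so a failed setup surfaces as an unrelated failure later; check them as TestRegistryMountUnmount does.

```go
func TestRegistrySealAll(t *testing.T) {
	reg := NewRegistry(&mockBarrier{})
	var engines []*mockEngine
	reg.RegisterFactory(EngineTypeTransit, func() Engine {
		// Start unsealed so the post-SealAll assertion cannot pass vacuously.
		e := &mockEngine{engineType: EngineTypeTransit, unsealed: true}
		engines = append(engines, e)
		return e
	})

	ctx := context.Background()
	for _, name := range []string{"eng1", "eng2"} {
		if err := reg.Mount(ctx, name, EngineTypeTransit); err != nil {
			t.Fatalf("Mount %s: %v", name, err)
		}
	}

	// … unchanged: SealAll call and its error check …

	if len(engines) != 2 {
		t.Fatalf("factory calls: got %d, want 2", len(engines))
	}
	for i, e := range engines {
		if e.unsealed {
			t.Errorf("engine %d still unsealed after SealAll", i)
		}
	}
}
```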