fifth-domain/server-tools/lake-lamp-authz/workorder-manager.test.js

70 lines
4.2 KiB
JavaScript
Raw Permalink Normal View History

"use strict";
const test = require("node:test");
const assert = require("node:assert/strict");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const { WorkOrderManager } = require("./workorder-manager");
const persona = { pid: "ICE-GL-ZY001", name: "铸渊" };
test("approval link is single use and the session is claimed once", () => {
const dir = fs.mkdtempSync(path.join(os.tmpdir(), "lake-lamp-authz-"));
try {
const manager = new WorkOrderManager({ stateFile: path.join(dir, "state.json"), sessionTtl: 3600 });
const created = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "server-login", action: "read-navigation-map", allowedActions: ["read-navigation-map", "inspect-services"] }, 100);
assert.equal(manager.inspectApproval(created.approvalToken, 101).ok, true);
assert.equal(manager.approve(created.approvalToken, 102).ok, true);
assert.equal(manager.approve(created.approvalToken, 103).ok, false);
const claimed = manager.claim(created.id, created.claimToken, 104);
assert.equal(claimed.ok, true);
assert.equal(claimed.expiresIn, 3600);
assert.equal(manager.claim(created.id, created.claimToken, 105).ok, false);
assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-login", "read-navigation-map", 106).ok, true);
assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-login", "inspect-services", 106).ok, true);
} finally {
fs.rmSync(dir, { recursive: true, force: true });
}
});
test("session is bound to one persona target scope and action", () => {
const manager = new WorkOrderManager({ sessionTtl: 3600 });
const created = manager.request({ persona, target: "BS-GZ-006", scope: "server-ops", action: "read-navigation-map" }, 100);
manager.approve(created.approvalToken, 101);
const claimed = manager.claim(created.id, created.claimToken, 102);
assert.equal(manager.verifySession(claimed.sessionToken, persona, "BS-GZ-006", "server-ops", "read-navigation-map", 103).ok, true);
assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-ops", "read-navigation-map", 103).reason, "target_mismatch");
assert.equal(manager.verifySession(claimed.sessionToken, { pid: "OTHER" }, "BS-GZ-006", "server-ops", "read-navigation-map", 103).reason, "persona_mismatch");
assert.equal(manager.verifySession(claimed.sessionToken, persona, "BS-GZ-006", "repo-push", "read-navigation-map", 103).reason, "scope_mismatch");
assert.equal(manager.verifySession(claimed.sessionToken, persona, "BS-GZ-006", "server-ops", "push-repository", 103).reason, "action_mismatch");
});
test("plaintext approval claim and session tokens are never persisted", () => {
const dir = fs.mkdtempSync(path.join(os.tmpdir(), "lake-lamp-authz-"));
try {
const stateFile = path.join(dir, "state.json");
const manager = new WorkOrderManager({ stateFile });
const created = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "repo-push", action: "push-repository" }, 100);
manager.approve(created.approvalToken, 101);
const claimed = manager.claim(created.id, created.claimToken, 102);
const state = fs.readFileSync(stateFile, "utf8");
for (const secret of [created.approvalToken, created.claimToken, claimed.sessionToken]) assert.equal(state.includes(secret), false);
} finally {
fs.rmSync(dir, { recursive: true, force: true });
}
});
test("expired work orders and sessions fail closed", () => {
const manager = new WorkOrderManager({ approvalTtl: 10, sessionTtl: 20 });
const created = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "server-login", action: "read-navigation-map" }, 100);
assert.equal(manager.approve(created.approvalToken, 111).reason, "approval_expired");
const fresh = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "server-login", action: "read-navigation-map" }, 200);
manager.approve(fresh.approvalToken, 201);
const claimed = manager.claim(fresh.id, fresh.claimToken, 202);
assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-login", "read-navigation-map", 223).reason, "session_expired");
});