70 lines
4.2 KiB
JavaScript
70 lines
4.2 KiB
JavaScript
|
|
"use strict";
|
||
|
|
|
||
|
|
const test = require("node:test");
|
||
|
|
const assert = require("node:assert/strict");
|
||
|
|
const fs = require("node:fs");
|
||
|
|
const os = require("node:os");
|
||
|
|
const path = require("node:path");
|
||
|
|
const { WorkOrderManager } = require("./workorder-manager");
|
||
|
|
|
||
|
|
const persona = { pid: "ICE-GL-ZY001", name: "铸渊" };
|
||
|
|
|
||
|
|
test("approval link is single use and the session is claimed once", () => {
|
||
|
|
const dir = fs.mkdtempSync(path.join(os.tmpdir(), "lake-lamp-authz-"));
|
||
|
|
try {
|
||
|
|
const manager = new WorkOrderManager({ stateFile: path.join(dir, "state.json"), sessionTtl: 3600 });
|
||
|
|
const created = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "server-login", action: "read-navigation-map", allowedActions: ["read-navigation-map", "inspect-services"] }, 100);
|
||
|
|
assert.equal(manager.inspectApproval(created.approvalToken, 101).ok, true);
|
||
|
|
assert.equal(manager.approve(created.approvalToken, 102).ok, true);
|
||
|
|
assert.equal(manager.approve(created.approvalToken, 103).ok, false);
|
||
|
|
|
||
|
|
const claimed = manager.claim(created.id, created.claimToken, 104);
|
||
|
|
assert.equal(claimed.ok, true);
|
||
|
|
assert.equal(claimed.expiresIn, 3600);
|
||
|
|
assert.equal(manager.claim(created.id, created.claimToken, 105).ok, false);
|
||
|
|
assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-login", "read-navigation-map", 106).ok, true);
|
||
|
|
assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-login", "inspect-services", 106).ok, true);
|
||
|
|
} finally {
|
||
|
|
fs.rmSync(dir, { recursive: true, force: true });
|
||
|
|
}
|
||
|
|
});
|
||
|
|
|
||
|
|
test("session is bound to one persona target scope and action", () => {
|
||
|
|
const manager = new WorkOrderManager({ sessionTtl: 3600 });
|
||
|
|
const created = manager.request({ persona, target: "BS-GZ-006", scope: "server-ops", action: "read-navigation-map" }, 100);
|
||
|
|
manager.approve(created.approvalToken, 101);
|
||
|
|
const claimed = manager.claim(created.id, created.claimToken, 102);
|
||
|
|
|
||
|
|
assert.equal(manager.verifySession(claimed.sessionToken, persona, "BS-GZ-006", "server-ops", "read-navigation-map", 103).ok, true);
|
||
|
|
assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-ops", "read-navigation-map", 103).reason, "target_mismatch");
|
||
|
|
assert.equal(manager.verifySession(claimed.sessionToken, { pid: "OTHER" }, "BS-GZ-006", "server-ops", "read-navigation-map", 103).reason, "persona_mismatch");
|
||
|
|
assert.equal(manager.verifySession(claimed.sessionToken, persona, "BS-GZ-006", "repo-push", "read-navigation-map", 103).reason, "scope_mismatch");
|
||
|
|
assert.equal(manager.verifySession(claimed.sessionToken, persona, "BS-GZ-006", "server-ops", "push-repository", 103).reason, "action_mismatch");
|
||
|
|
});
|
||
|
|
|
||
|
|
test("plaintext approval claim and session tokens are never persisted", () => {
|
||
|
|
const dir = fs.mkdtempSync(path.join(os.tmpdir(), "lake-lamp-authz-"));
|
||
|
|
try {
|
||
|
|
const stateFile = path.join(dir, "state.json");
|
||
|
|
const manager = new WorkOrderManager({ stateFile });
|
||
|
|
const created = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "repo-push", action: "push-repository" }, 100);
|
||
|
|
manager.approve(created.approvalToken, 101);
|
||
|
|
const claimed = manager.claim(created.id, created.claimToken, 102);
|
||
|
|
const state = fs.readFileSync(stateFile, "utf8");
|
||
|
|
for (const secret of [created.approvalToken, created.claimToken, claimed.sessionToken]) assert.equal(state.includes(secret), false);
|
||
|
|
} finally {
|
||
|
|
fs.rmSync(dir, { recursive: true, force: true });
|
||
|
|
}
|
||
|
|
});
|
||
|
|
|
||
|
|
test("expired work orders and sessions fail closed", () => {
|
||
|
|
const manager = new WorkOrderManager({ approvalTtl: 10, sessionTtl: 20 });
|
||
|
|
const created = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "server-login", action: "read-navigation-map" }, 100);
|
||
|
|
assert.equal(manager.approve(created.approvalToken, 111).reason, "approval_expired");
|
||
|
|
|
||
|
|
const fresh = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "server-login", action: "read-navigation-map" }, 200);
|
||
|
|
manager.approve(fresh.approvalToken, 201);
|
||
|
|
const claimed = manager.claim(fresh.id, fresh.claimToken, 202);
|
||
|
|
assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-login", "read-navigation-map", 223).reason, "session_expired");
|
||
|
|
});
|