2026-07-12 11:06:21 -07:00
|
|
|
"use strict";
|
|
|
|
|
const test = require("node:test");
|
|
|
|
|
const assert = require("node:assert/strict");
|
2026-07-12 22:56:49 -07:00
|
|
|
const fs = require("node:fs");
|
|
|
|
|
const os = require("node:os");
|
|
|
|
|
const path = require("node:path");
|
2026-07-12 11:06:21 -07:00
|
|
|
const { SessionManager } = require("./session-manager");
|
2026-07-12 22:51:13 -07:00
|
|
|
const zhulan = { pid: "ICE-GL-ZL-001", name: "铸澜" };
|
2026-07-12 11:06:21 -07:00
|
|
|
|
|
|
|
|
test("one approval creates a reusable bounded session", () => {
|
|
|
|
|
const m = new SessionManager({ absoluteTtl: 100, idleTtl: 20 });
|
2026-07-15 21:34:27 +08:00
|
|
|
const { token } = m.create(zhulan, "BS-SG-001", ["code-repo"], ["sync-status"], 10);
|
|
|
|
|
assert.equal(m.verify(token, zhulan, "BS-SG-001", "code-repo", "sync-status", 11).ok, true);
|
|
|
|
|
assert.equal(m.verify(token, zhulan, "BS-SG-001", "code-repo", "sync-status", 12).ok, true);
|
2026-07-12 11:06:21 -07:00
|
|
|
});
|
|
|
|
|
test("session is bound to identity server and scope", () => {
|
|
|
|
|
const m = new SessionManager();
|
2026-07-15 21:34:27 +08:00
|
|
|
const { token } = m.create(zhulan, "BS-SG-001", ["code-repo"], ["sync-status"], 10);
|
|
|
|
|
assert.equal(m.verify(token, { pid: "ICE-GL-ZY001" }, "BS-SG-001", "code-repo", "sync-status", 11).ok, false);
|
|
|
|
|
assert.equal(m.verify(token, zhulan, "OTHER", "code-repo", "sync-status", 11).ok, false);
|
|
|
|
|
assert.equal(m.verify(token, zhulan, "BS-SG-001", "system-arch", "sync-status", 11).ok, false);
|
2026-07-12 11:06:21 -07:00
|
|
|
});
|
|
|
|
|
test("end signal revokes immediately", () => {
|
|
|
|
|
const m = new SessionManager();
|
2026-07-15 21:34:27 +08:00
|
|
|
const { token } = m.create(zhulan, "BS-SG-001", ["code-repo"], ["sync-status"], 10);
|
2026-07-12 11:06:21 -07:00
|
|
|
assert.equal(m.end(token, zhulan), true);
|
2026-07-15 21:34:27 +08:00
|
|
|
assert.equal(m.verify(token, zhulan, "BS-SG-001", "code-repo", "sync-status", 11).ok, false);
|
2026-07-12 11:06:21 -07:00
|
|
|
});
|
2026-07-12 22:56:49 -07:00
|
|
|
|
|
|
|
|
test("session survives process reload without persisting plaintext token", () => {
|
|
|
|
|
const dir = fs.mkdtempSync(path.join(os.tmpdir(), "gatekeeper-session-"));
|
|
|
|
|
const stateFile = path.join(dir, "sessions.json");
|
|
|
|
|
try {
|
|
|
|
|
const now = Date.now() / 1000;
|
|
|
|
|
const first = new SessionManager({ absoluteTtl: 100, idleTtl: 20, stateFile });
|
2026-07-15 21:34:27 +08:00
|
|
|
const created = first.create(zhulan, "BS-SG-001", ["code-repo"], ["sync-status"], now);
|
2026-07-12 22:56:49 -07:00
|
|
|
const onDisk = fs.readFileSync(stateFile, "utf8");
|
|
|
|
|
assert.equal(onDisk.includes(created.token), false);
|
|
|
|
|
|
|
|
|
|
const reloaded = new SessionManager({ absoluteTtl: 100, idleTtl: 20, stateFile });
|
2026-07-15 21:34:27 +08:00
|
|
|
assert.equal(reloaded.verify(created.token, zhulan, "BS-SG-001", "code-repo", "sync-status", now + 1).ok, true);
|
2026-07-12 22:56:49 -07:00
|
|
|
} finally {
|
|
|
|
|
fs.rmSync(dir, { recursive: true, force: true });
|
|
|
|
|
}
|
|
|
|
|
});
|