"use strict"; const test = require("node:test"); const assert = require("node:assert/strict"); const fs = require("node:fs"); const os = require("node:os"); const path = require("node:path"); const { WorkOrderManager } = require("./workorder-manager"); const persona = { pid: "ICE-GL-ZY001", name: "铸渊" }; test("approval link is single use and the session is claimed once", () => { const dir = fs.mkdtempSync(path.join(os.tmpdir(), "lake-lamp-authz-")); try { const manager = new WorkOrderManager({ stateFile: path.join(dir, "state.json"), sessionTtl: 3600 }); const created = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "server-login", action: "read-navigation-map", allowedActions: ["read-navigation-map", "inspect-services"] }, 100); assert.equal(manager.inspectApproval(created.approvalToken, 101).ok, true); assert.equal(manager.approve(created.approvalToken, 102).ok, true); assert.equal(manager.approve(created.approvalToken, 103).ok, false); const claimed = manager.claim(created.id, created.claimToken, 104); assert.equal(claimed.ok, true); assert.equal(claimed.expiresIn, 3600); assert.equal(manager.claim(created.id, created.claimToken, 105).ok, false); assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-login", "read-navigation-map", 106).ok, true); assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-login", "inspect-services", 106).ok, true); } finally { fs.rmSync(dir, { recursive: true, force: true }); } }); test("session is bound to one persona target scope and action", () => { const manager = new WorkOrderManager({ sessionTtl: 3600 }); const created = manager.request({ persona, target: "BS-GZ-006", scope: "server-ops", action: "read-navigation-map" }, 100); manager.approve(created.approvalToken, 101); const claimed = manager.claim(created.id, created.claimToken, 102); assert.equal(manager.verifySession(claimed.sessionToken, persona, "BS-GZ-006", "server-ops", "read-navigation-map", 103).ok, true); assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-ops", "read-navigation-map", 103).reason, "target_mismatch"); assert.equal(manager.verifySession(claimed.sessionToken, { pid: "OTHER" }, "BS-GZ-006", "server-ops", "read-navigation-map", 103).reason, "persona_mismatch"); assert.equal(manager.verifySession(claimed.sessionToken, persona, "BS-GZ-006", "repo-push", "read-navigation-map", 103).reason, "scope_mismatch"); assert.equal(manager.verifySession(claimed.sessionToken, persona, "BS-GZ-006", "server-ops", "push-repository", 103).reason, "action_mismatch"); }); test("plaintext approval claim and session tokens are never persisted", () => { const dir = fs.mkdtempSync(path.join(os.tmpdir(), "lake-lamp-authz-")); try { const stateFile = path.join(dir, "state.json"); const manager = new WorkOrderManager({ stateFile }); const created = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "repo-push", action: "push-repository" }, 100); manager.approve(created.approvalToken, 101); const claimed = manager.claim(created.id, created.claimToken, 102); const state = fs.readFileSync(stateFile, "utf8"); for (const secret of [created.approvalToken, created.claimToken, claimed.sessionToken]) assert.equal(state.includes(secret), false); } finally { fs.rmSync(dir, { recursive: true, force: true }); } }); test("expired work orders and sessions fail closed", () => { const manager = new WorkOrderManager({ approvalTtl: 10, sessionTtl: 20 }); const created = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "server-login", action: "read-navigation-map" }, 100); assert.equal(manager.approve(created.approvalToken, 111).reason, "approval_expired"); const fresh = manager.request({ persona, target: "JD-FD-PRIMARY", scope: "server-login", action: "read-navigation-map" }, 200); manager.approve(fresh.approvalToken, 201); const claimed = manager.claim(fresh.id, fresh.claimToken, 202); assert.equal(manager.verifySession(claimed.sessionToken, persona, "JD-FD-PRIMARY", "server-login", "read-navigation-map", 223).reason, "session_expired"); });