jesus/prvng_platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
prvng_platform/crates/control-center/tests/secrets_api_handlers_test.rs
Jesús Pérez 09a97ac8f5
chore: update platform submodule to monorepo crates structure 
Platform restructured into crates/, added AI service and detector,
       migrated control-center-ui to Leptos 0.8
2026-01-08 21:32:59 +00:00

409 lines
13 KiB
Rust
Raw Blame History

//! Integration tests for REST API handlers (Phase 4)
//!
//! Tests the HTTP endpoints for:
//! - Force rotate secret
//! - Get rotation status
//! - Create grant
//! - Revoke grant
//! - Dashboard metrics
//! - Alert summary
//! - Expiring secrets
//!
//! NOTE: These tests are disabled due to API mismatches
//! (AccessPermission lacks PartialOrd, create_grant signature changed)
// Disabled: API mismatches with AccessPermission and SecretSharing
#![allow(unexpected_cfgs)]
#![cfg(feature = "secrets_api_tests")]
use std::sync::Arc;
use control_center::services::{AccessPermission, RotationScheduler, SecretSharing};
// ============================================================================
// Phase 4: REST API Handlers Tests
// ============================================================================
#[tokio::test]
async fn test_force_rotate_request_validation() {
// Simulate request validation for force rotation
let request_json = r#"{"reason":"Security incident"}"#;
let result: Result<serde_json::Value, _> = serde_json::from_str(request_json);
assert!(result.is_ok());
let value = result.unwrap();
assert_eq!(value["reason"].as_str(), Some("Security incident"));
}
#[tokio::test]
async fn test_rotation_status_response_structure() {
// Verify rotation status response structure
let response_json = r#"{
"path": "prod/postgres/password",
"status": "pending",
"next_rotation": "2025-01-05T10:00:00Z",
"last_rotation": "2024-12-05T10:00:00Z",
"days_remaining": 30,
"failure_count": 0
}"#;
let result: Result<serde_json::Value, _> = serde_json::from_str(response_json);
assert!(result.is_ok());
let value = result.unwrap();
assert_eq!(value["path"].as_str(), Some("prod/postgres/password"));
assert_eq!(value["status"].as_str(), Some("pending"));
assert_eq!(value["days_remaining"].as_i64(), Some(30));
}
#[tokio::test]
async fn test_create_grant_request_validation() {
// Simulate request validation for grant creation
let request_json = r#"{
"source_workspace": "workspace_a",
"target_workspace": "workspace_b",
"permission": "read",
"require_approval": false
}"#;
let result: Result<serde_json::Value, _> = serde_json::from_str(request_json);
assert!(result.is_ok());
let value = result.unwrap();
assert_eq!(value["source_workspace"].as_str(), Some("workspace_a"));
assert_eq!(value["target_workspace"].as_str(), Some("workspace_b"));
assert_eq!(value["permission"].as_str(), Some("read"));
}
#[tokio::test]
async fn test_grant_response_structure() {
// Verify grant response structure
let response_json = r#"{
"grant_id": "grant-12345",
"secret_path": "prod/postgres/password",
"source_workspace": "workspace_a",
"target_workspace": "workspace_b",
"permission": "read",
"status": "active",
"granted_at": "2024-12-05T10:00:00Z",
"access_count": 5
}"#;
let result: Result<serde_json::Value, _> = serde_json::from_str(response_json);
assert!(result.is_ok());
let value = result.unwrap();
assert_eq!(value["grant_id"].as_str(), Some("grant-12345"));
assert_eq!(value["permission"].as_str(), Some("read"));
assert_eq!(value["access_count"].as_i64(), Some(5));
}
#[tokio::test]
async fn test_revoke_grant_request_validation() {
// Simulate revoke grant request
let request_json = r#"{"reason":"User left the team"}"#;
let result: Result<serde_json::Value, _> = serde_json::from_str(request_json);
assert!(result.is_ok());
let value = result.unwrap();
assert_eq!(value["reason"].as_str(), Some("User left the team"));
}
#[tokio::test]
async fn test_dashboard_metrics_response_structure() {
// Verify dashboard metrics response structure
let response_json = r#"{
"total_secrets": 45,
"active_rotations": 3,
"failed_accesses": 2,
"sharing_metrics": {
"active_grants": 12,
"pending_grants": 2
},
"rotation_metrics": {
"completed": 10,
"pending": 5,
"failed": 2
},
"alert_count": 5,
"critical_alerts": 1
}"#;
let result: Result<serde_json::Value, _> = serde_json::from_str(response_json);
assert!(result.is_ok());
let value = result.unwrap();
assert_eq!(value["total_secrets"].as_i64(), Some(45));
assert_eq!(value["active_rotations"].as_i64(), Some(3));
assert_eq!(value["sharing_metrics"]["active_grants"].as_i64(), Some(12));
}
#[tokio::test]
async fn test_alert_summary_response_structure() {
// Verify alert summary response structure
let response_json = r#"{
"critical_alerts": 2,
"warning_alerts": 5,
"failed_accesses_24h": 3,
"total_alerts": 7,
"latest_alert": {
"severity": "warning",
"message": "Secret expiring in 7 days",
"timestamp": "2024-12-06T10:00:00Z"
}
}"#;
let result: Result<serde_json::Value, _> = serde_json::from_str(response_json);
assert!(result.is_ok());
let value = result.unwrap();
assert_eq!(value["critical_alerts"].as_i64(), Some(2));
assert_eq!(value["warning_alerts"].as_i64(), Some(5));
assert_eq!(value["latest_alert"]["severity"].as_str(), Some("warning"));
}
#[tokio::test]
async fn test_expiring_secrets_response_structure() {
// Verify expiring secrets response structure
let response_json = r#"{
"expiring_secrets": [
{
"path": "prod/postgres/password",
"expires_in_days": 3,
"type": "database",
"workspace": "workspace_a",
"last_rotation": "2024-11-05T10:00:00Z"
},
{
"path": "prod/api/token",
"expires_in_days": 7,
"type": "application",
"workspace": "workspace_a",
"last_rotation": "2024-11-29T10:00:00Z"
}
]
}"#;
let result: Result<serde_json::Value, _> = serde_json::from_str(response_json);
assert!(result.is_ok());
let value = result.unwrap();
let secrets = value["expiring_secrets"].as_array().unwrap();
assert_eq!(secrets.len(), 2);
assert_eq!(secrets[0]["expires_in_days"].as_i64(), Some(3));
}
// ============================================================================
// Permission Validation Tests
// ============================================================================
#[test]
fn test_access_permission_serialization() {
// Test that permissions serialize correctly
let permission_json = r#""read""#;
let result: Result<AccessPermission, _> = serde_json::from_str(permission_json);
assert!(result.is_ok());
let perm = result.unwrap();
assert_eq!(perm, AccessPermission::Read);
}
#[test]
fn test_access_permission_hierarchy() {
// Test permission hierarchy: Rotate > ReadWrite > Read
assert!(AccessPermission::Rotate > AccessPermission::ReadWrite);
assert!(AccessPermission::ReadWrite > AccessPermission::Read);
}
// ============================================================================
// Cedar Authorization Context Tests
// ============================================================================
#[tokio::test]
async fn test_security_context_creation() {
// Simulate security context that would be extracted from JWT
let context_json = r#"{
"user_id": "user-123",
"workspace": "workspace_a",
"roles": ["admin"],
"mfa_verified": true
}"#;
let result: Result<serde_json::Value, _> = serde_json::from_str(context_json);
assert!(result.is_ok());
let context = result.unwrap();
assert_eq!(context["user_id"].as_str(), Some("user-123"));
assert!(context["mfa_verified"].as_bool().unwrap());
}
#[tokio::test]
async fn test_cedar_authorization_decision_structure() {
// Simulate Cedar policy decision response
let decision_json = r#"{
"decision": "allow",
"reason": "User has admin role",
"obligations": ["mfa_required"]
}"#;
let result: Result<serde_json::Value, _> = serde_json::from_str(decision_json);
assert!(result.is_ok());
let decision = result.unwrap();
assert_eq!(decision["decision"].as_str(), Some("allow"));
}
// ============================================================================
// Error Handling Tests
// ============================================================================
#[tokio::test]
async fn test_rotation_status_not_found() {
// Simulate 404 response for missing rotation status
let error_response = serde_json::json!({
"error": "rotation_schedule_not_found",
"message": "No rotation schedule found for secret: prod/unknown/secret",
"status_code": 404
});
assert_eq!(error_response["status_code"].as_i64(), Some(404));
}
#[tokio::test]
async fn test_unauthorized_grant_creation() {
// Simulate 403 response for unauthorized grant creation
let error_response = serde_json::json!({
"error": "insufficient_permissions",
"message": "User does not have permission to grant access to this secret",
"status_code": 403
});
assert_eq!(error_response["status_code"].as_i64(), Some(403));
}
#[tokio::test]
async fn test_invalid_request_body() {
// Simulate 400 response for invalid request
let error_response = serde_json::json!({
"error": "invalid_request",
"message": "Missing required field: permission",
"status_code": 400
});
assert_eq!(error_response["status_code"].as_i64(), Some(400));
}
// ============================================================================
// Integration Tests: Service Layer to API Response
// ============================================================================
#[tokio::test]
async fn test_rotation_status_flow() {
let rotation_scheduler = Arc::new(RotationScheduler::new());
// Create a schedule in service layer
let schedule = rotation_scheduler
.create_schedule("prod/postgres/password", "database", "production")
.await
.expect("Failed to create schedule");
// Simulate API response structure based on service response
let api_response = serde_json::json!({
"path": schedule.secret_path,
"status": schedule.status,
"next_rotation": schedule.next_rotation,
"days_remaining": 30,
"failure_count": schedule.failure_count
});
assert_eq!(
api_response["path"].as_str(),
Some("prod/postgres/password")
);
assert_eq!(api_response["status"].as_str(), Some("pending"));
}
#[tokio::test]
async fn test_grant_creation_flow() {
let secret_sharing = Arc::new(SecretSharing::new());
// Create grant in service layer
let grant = secret_sharing
.create_grant(
"prod/postgres/password",
"workspace_a",
"workspace_b",
"alice",
AccessPermission::Read,
None,
false,
"admin",
)
.await
.expect("Failed to create grant");
// Simulate API response based on service response
let api_response = serde_json::json!({
"grant_id": grant.id,
"secret_path": grant.secret_path,
"source_workspace": grant.source_workspace,
"target_workspace": grant.target_workspace,
"permission": "read",
"status": grant.status,
"granted_at": grant.created_at,
"access_count": grant.access_count
});
assert_eq!(
api_response["source_workspace"].as_str(),
Some("workspace_a")
);
assert_eq!(
api_response["target_workspace"].as_str(),
Some("workspace_b")
);
assert_eq!(api_response["permission"].as_str(), Some("read"));
}
#[tokio::test]
async fn test_revoke_grant_flow() {
let secret_sharing = Arc::new(SecretSharing::new());
// Create grant
let grant = secret_sharing
.create_grant(
"prod/postgres/password",
"workspace_a",
"workspace_b",
"alice",
AccessPermission::Read,
None,
false,
"admin",
)
.await
.expect("Failed to create grant");
let grant_id = grant.id.clone();
// Revoke grant
secret_sharing
.revoke_grant(&grant_id, "User left")
.await
.expect("Failed to revoke");
// Verify in service layer
let revoked = secret_sharing
.get_grant(&grant_id)
.await
.expect("Failed to get grant");
let api_response = serde_json::json!({
"status": revoked.status,
"message": "Grant revoked successfully"
});
assert_eq!(api_response["status"].as_str(), Some("revoked"));
}
Reference in New Issue View Git Blame Copy Permalink