`2857fe8`

auth/devicecode: orchestrator tests (11 scenarios)

Authored by mfwolffe <wolffemf@dukes.jmu.edu> yesterday

SHA: 2857fe8278a80bc115a66cb367a93a9581be99c6
Parents: 9c6f6f4
Tree: 508204a

1 changed file

Status	File	+	-
A	`internal/auth/devicecode/devicecode_test.go`	297	0

internal/auth/devicecode/devicecode_test.goadded

++// SPDX-License-Identifier: AGPL-3.0-or-later
++
++package devicecode_test
++
++import (
++	"context"
++	"errors"
++	"strings"
++	"testing"
++	"time"
++
++	"github.com/jackc/pgx/v5/pgtype"
++	"github.com/jackc/pgx/v5/pgxpool"
++
++	"github.com/tenseleyFlow/shithub/internal/auth/devicecode"
++	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"
++	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
++)
++
++// fixedArgon2Hash is a pre-computed argon2id hash of an arbitrary password.
++// Using a constant avoids running argon2 in every test setup.
++const fixedArgon2Hash = "$argon2id$v=19$m=1024,t=1,p=1$YWFhYWFhYWFhYWFhYWFhYQ$" +
++	"DvBOTSnFhCBe+Pfx/W7Sk3hG3JCm2Wj0RBgCu+CPDtY"
++
++func seedUser(t *testing.T, pool *pgxpool.Pool, username string) int64 {
++	t.Helper()
++	q := usersdb.New()
++	u, err := q.CreateUser(context.Background(), pool, usersdb.CreateUserParams{
++		Username:     username,
++		DisplayName:  strings.ToUpper(username[:1]) + username[1:],
++		PasswordHash: fixedArgon2Hash,
++	})
++	if err != nil {
++		t.Fatalf("CreateUser: %v", err)
++	}
++	em, err := q.CreateUserEmail(context.Background(), pool, usersdb.CreateUserEmailParams{
++		UserID:    u.ID,
++		Email:     username + "@example.test",
++		IsPrimary: true,
++	})
++	if err != nil {
++		t.Fatalf("CreateUserEmail: %v", err)
++	}
++	if err := q.MarkUserEmailVerified(context.Background(), pool, em.ID); err != nil {
++		t.Fatalf("MarkUserEmailVerified: %v", err)
++	}
++	return u.ID
++}
++
++func defaultsForTest() devicecode.Config {
++	return devicecode.Config{
++		ClientIDs:     []string{"shithub-cli"},
++		DefaultScopes: []string{"user:read"},
++		ExpiresIn:     15 * time.Minute,
++		PollInterval:  5 * time.Second,
++	}
++}
++
++func TestCreate_HappyPath(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	deps := devicecode.Deps{Pool: pool}
++	auth, err := devicecode.Create(context.Background(), deps, defaultsForTest(), "shithub-cli", "user:read,repo:read")
++	if err != nil {
++		t.Fatalf("Create: %v", err)
++	}
++	if auth.DeviceCode == "" || auth.UserCode == "" {
++		t.Fatalf("Create returned empty codes: %+v", auth)
++	}
++	if !strings.Contains(auth.UserCode, "-") || len(auth.UserCode) != 9 {
++		t.Errorf("user_code shape: got %q", auth.UserCode)
++	}
++	if auth.ExpiresIn != 15*time.Minute {
++		t.Errorf("expires_in: got %s", auth.ExpiresIn)
++	}
++	if got, want := auth.Scopes, []string{"user:read", "repo:read"}; !equalStrings(got, want) {
++		t.Errorf("scopes: got %v, want %v", got, want)
++	}
++}
++
++func TestCreate_RejectsUnknownClient(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	_, err := devicecode.Create(context.Background(), devicecode.Deps{Pool: pool}, defaultsForTest(), "evil-cli", "")
++	if !errors.Is(err, devicecode.ErrUnauthorizedClient) {
++		t.Fatalf("got err %v, want ErrUnauthorizedClient", err)
++	}
++}
++
++func TestCreate_RejectsUnknownScope(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	_, err := devicecode.Create(context.Background(), devicecode.Deps{Pool: pool}, defaultsForTest(), "shithub-cli", "user:read,bogus:scope")
++	if !errors.Is(err, devicecode.ErrInvalidScope) {
++		t.Fatalf("got err %v, want ErrInvalidScope", err)
++	}
++}
++
++func TestExchange_PendingThenApprovedThenOneShot(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	deps := devicecode.Deps{Pool: pool}
++	userID := seedUser(t, pool, "alice")
++
++	auth, err := devicecode.Create(context.Background(), deps, defaultsForTest(), "shithub-cli", "user:read")
++	if err != nil {
++		t.Fatalf("Create: %v", err)
++	}
++
++	// Pending: Exchange returns authorization_pending.
++	if _, err := devicecode.Exchange(context.Background(), deps, "shithub-cli", auth.DeviceCode, "test"); !errors.Is(err, devicecode.ErrAuthorizationPending) {
++		t.Fatalf("pending: got %v, want ErrAuthorizationPending", err)
++	}
++
++	row, err := devicecode.LookupByUserCode(context.Background(), deps, auth.UserCode)
++	if err != nil {
++		t.Fatalf("LookupByUserCode: %v", err)
++	}
++	if err := devicecode.Approve(context.Background(), deps, row.ID, userID); err != nil {
++		t.Fatalf("Approve: %v", err)
++	}
++
++	// Advance last_polled_at so the slow_down gate doesn't fire on the
++	// second Exchange below; otherwise we'd race the 5-second window.
++	if _, err := pool.Exec(context.Background(),
++		"UPDATE device_authorizations SET last_polled_at = now() - interval '10 seconds' WHERE id = $1",
++		row.ID); err != nil {
++		t.Fatalf("rewind last_polled_at: %v", err)
++	}
++
++	res, err := devicecode.Exchange(context.Background(), deps, "shithub-cli", auth.DeviceCode, "test")
++	if err != nil {
++		t.Fatalf("Exchange after approve: %v", err)
++	}
++	if !strings.HasPrefix(res.AccessToken, "shithub_pat_") {
++		t.Errorf("access_token prefix: got %q", res.AccessToken)
++	}
++	if res.TokenType != "bearer" {
++		t.Errorf("token_type: got %q", res.TokenType)
++	}
++	if got, want := res.Scopes, []string{"user:read"}; !equalStrings(got, want) {
++		t.Errorf("scopes: got %v, want %v", got, want)
++	}
++
++	// One-shot lockout: a second Exchange must NOT re-issue.
++	if _, err := pool.Exec(context.Background(),
++		"UPDATE device_authorizations SET last_polled_at = now() - interval '10 seconds' WHERE id = $1",
++		row.ID); err != nil {
++		t.Fatalf("rewind last_polled_at: %v", err)
++	}
++	if _, err := devicecode.Exchange(context.Background(), deps, "shithub-cli", auth.DeviceCode, "test"); !errors.Is(err, devicecode.ErrInvalidGrant) {
++		t.Fatalf("one-shot: got %v, want ErrInvalidGrant", err)
++	}
++}
++
++func TestExchange_DeniedReturnsAccessDenied(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	deps := devicecode.Deps{Pool: pool}
++	auth, err := devicecode.Create(context.Background(), deps, defaultsForTest(), "shithub-cli", "")
++	if err != nil {
++		t.Fatalf("Create: %v", err)
++	}
++	row, _ := devicecode.LookupByUserCode(context.Background(), deps, auth.UserCode)
++	if err := devicecode.Deny(context.Background(), deps, row.ID); err != nil {
++		t.Fatalf("Deny: %v", err)
++	}
++	if _, err := devicecode.Exchange(context.Background(), deps, "shithub-cli", auth.DeviceCode, "test"); !errors.Is(err, devicecode.ErrAccessDenied) {
++		t.Fatalf("denied: got %v, want ErrAccessDenied", err)
++	}
++}
++
++func TestExchange_ExpiredReturnsExpiredToken(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	deps := devicecode.Deps{Pool: pool}
++	auth, err := devicecode.Create(context.Background(), deps, defaultsForTest(), "shithub-cli", "")
++	if err != nil {
++		t.Fatalf("Create: %v", err)
++	}
++	// Backdate expires_at past now().
++	if _, err := pool.Exec(context.Background(),
++		"UPDATE device_authorizations SET expires_at = now() - interval '1 minute' WHERE user_code = $1",
++		auth.UserCode); err != nil {
++		t.Fatalf("backdate expires_at: %v", err)
++	}
++	if _, err := devicecode.Exchange(context.Background(), deps, "shithub-cli", auth.DeviceCode, "test"); !errors.Is(err, devicecode.ErrExpiredToken) {
++		t.Fatalf("expired: got %v, want ErrExpiredToken", err)
++	}
++}
++
++func TestExchange_SlowDownAfterFastPoll(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	deps := devicecode.Deps{Pool: pool}
++	auth, err := devicecode.Create(context.Background(), deps, defaultsForTest(), "shithub-cli", "")
++	if err != nil {
++		t.Fatalf("Create: %v", err)
++	}
++	// First poll lands; expect authorization_pending and a stamped last_polled_at.
++	if _, err := devicecode.Exchange(context.Background(), deps, "shithub-cli", auth.DeviceCode, "test"); !errors.Is(err, devicecode.ErrAuthorizationPending) {
++		t.Fatalf("first poll: got %v, want ErrAuthorizationPending", err)
++	}
++	// Immediate re-poll inside the interval → slow_down.
++	if _, err := devicecode.Exchange(context.Background(), deps, "shithub-cli", auth.DeviceCode, "test"); !errors.Is(err, devicecode.ErrSlowDown) {
++		t.Fatalf("second poll: got %v, want ErrSlowDown", err)
++	}
++}
++
++func TestExchange_WrongClientIDReturnsUnauthorizedClient(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	deps := devicecode.Deps{Pool: pool}
++	cfg := defaultsForTest()
++	cfg.ClientIDs = []string{"shithub-cli", "other-cli"}
++	auth, err := devicecode.Create(context.Background(), deps, cfg, "shithub-cli", "")
++	if err != nil {
++		t.Fatalf("Create: %v", err)
++	}
++	if _, err := devicecode.Exchange(context.Background(), deps, "other-cli", auth.DeviceCode, "test"); !errors.Is(err, devicecode.ErrUnauthorizedClient) {
++		t.Fatalf("got %v, want ErrUnauthorizedClient", err)
++	}
++}
++
++func TestApprove_RejectsAlreadyTerminal(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	deps := devicecode.Deps{Pool: pool}
++	userID := seedUser(t, pool, "alice")
++	auth, _ := devicecode.Create(context.Background(), deps, defaultsForTest(), "shithub-cli", "")
++	row, _ := devicecode.LookupByUserCode(context.Background(), deps, auth.UserCode)
++	if err := devicecode.Approve(context.Background(), deps, row.ID, userID); err != nil {
++		t.Fatalf("first approve: %v", err)
++	}
++	// Manually mark approved_at via Approve being called against an
++	// already-approved row.
++	if err := devicecode.Approve(context.Background(), deps, row.ID, userID); !errors.Is(err, devicecode.ErrAlreadyTerminal) {
++		t.Fatalf("second approve: got %v, want ErrAlreadyTerminal", err)
++	}
++}
++
++// equalStrings is a tiny slice-equality helper to keep imports light.
++func equalStrings(a, b []string) bool {
++	if len(a) != len(b) {
++		return false
++	}
++	for i := range a {
++		if a[i] != b[i] {
++			return false
++		}
++	}
++	return true
++}
++
++// Sanity: the orchestrator must persist a row that the lookup query
++// can find.
++func TestCreate_PersistsRow(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	deps := devicecode.Deps{Pool: pool}
++	auth, err := devicecode.Create(context.Background(), deps, defaultsForTest(), "shithub-cli", "")
++	if err != nil {
++		t.Fatalf("Create: %v", err)
++	}
++	row, err := usersdb.New().GetDeviceAuthorizationByUserCode(context.Background(), pool, auth.UserCode)
++	if err != nil {
++		t.Fatalf("lookup: %v", err)
++	}
++	if row.ApprovedAt.Valid || row.DeniedAt.Valid {
++		t.Errorf("fresh row should be pending; got approved=%v denied=%v",
++			row.ApprovedAt, row.DeniedAt)
++	}
++	if !row.ExpiresAt.Valid || row.ExpiresAt.Time.Before(time.Now()) {
++		t.Errorf("expires_at not in the future: %+v", row.ExpiresAt)
++	}
++	if row.UserID.Valid {
++		t.Errorf("user_id should be unset before approval; got %v", row.UserID)
++	}
++}
++
++// Defensive: a pgx.Int8 zero-value should marshal cleanly when we
++// Approve a row that uses it for IssuedTokenID. This is a sanity check
++// that the Approve query accepts a "null" issued_token_id at SQL level
++// (we set it later in Exchange).
++func TestApprove_SetsUserIDOnly(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	deps := devicecode.Deps{Pool: pool}
++	userID := seedUser(t, pool, "alice")
++	auth, _ := devicecode.Create(context.Background(), deps, defaultsForTest(), "shithub-cli", "")
++	row, _ := devicecode.LookupByUserCode(context.Background(), deps, auth.UserCode)
++	if err := devicecode.Approve(context.Background(), deps, row.ID, userID); err != nil {
++		t.Fatalf("Approve: %v", err)
++	}
++	got, err := usersdb.New().GetDeviceAuthorizationByUserCode(context.Background(), pool, auth.UserCode)
++	if err != nil {
++		t.Fatalf("lookup: %v", err)
++	}
++	if !got.ApprovedAt.Valid {
++		t.Errorf("approved_at not set")
++	}
++	if got.UserID != (pgtype.Int8{Int64: userID, Valid: true}) {
++		t.Errorf("user_id: got %+v, want %d", got.UserID, userID)
++	}
++	if got.IssuedTokenID.Valid {
++		t.Errorf("issued_token_id should be set only at Exchange time; got %+v", got.IssuedTokenID)
++	}
++}