248 lines
9.8 KiB
TypeScript
248 lines
9.8 KiB
TypeScript
/**
|
|
* AAO Gateway Phase 2a — admin REST API integration tests.
|
|
*
|
|
* Covers:
|
|
* - POST issues fresh sk-aao-* with raw key once; subsequent GETs hide it
|
|
* - GET supports ?team= and ?activeOnly=true
|
|
* - Revoke is idempotent (409 on second call) and hides from active list
|
|
* - Rotate is atomic: new key active, old key revoked, raw key returned
|
|
* - DELETE rejects source='config-import'
|
|
* - requireAdmin guard blocks non-admin callers
|
|
* - Validation: team regex, allowedModels shape
|
|
*/
|
|
import { describe, it, expect, beforeEach, afterEach } from 'vitest';
|
|
import express, { type Request, type RequestHandler } from 'express';
|
|
import request from 'supertest';
|
|
import { mkdtempSync, rmSync } from 'fs';
|
|
import { join } from 'path';
|
|
import { tmpdir } from 'os';
|
|
import { Repository } from '../db/repository.js';
|
|
import { createAdminGatewayApi } from './admin-gateway-api.js';
|
|
|
|
function buildAppWithAdmin(repo: Repository, role: 'admin' | 'user' = 'admin'): express.Application {
|
|
const app = express();
|
|
app.use(express.json({ limit: '4kb' }));
|
|
// Stub admin guard inline; mirrors the auth flow without Passport.
|
|
const guard: RequestHandler = (req, res, next) => {
|
|
if (role !== 'admin') {
|
|
res.status(403).json({ error: 'Forbidden' });
|
|
return;
|
|
}
|
|
(req as Request & { user?: unknown }).user = { id: 'admin-1', role: 'admin', status: 'active' };
|
|
next();
|
|
};
|
|
const router = createAdminGatewayApi({
|
|
repo,
|
|
requireAdmin: guard,
|
|
getUserId: (req) => {
|
|
const u = (req as Request & { user?: { id?: string } }).user;
|
|
return u?.id ?? null;
|
|
},
|
|
});
|
|
app.use('/api/admin/gateway/keys', router);
|
|
return app;
|
|
}
|
|
|
|
describe('admin-gateway-api', () => {
|
|
let tmpDir: string;
|
|
let repo: Repository;
|
|
let app: express.Application;
|
|
|
|
beforeEach(() => {
|
|
tmpDir = mkdtempSync(join(tmpdir(), 'admin-gw-test-'));
|
|
repo = new Repository(join(tmpDir, 'test.db'));
|
|
app = buildAppWithAdmin(repo);
|
|
});
|
|
|
|
afterEach(() => {
|
|
repo.close();
|
|
rmSync(tmpDir, { recursive: true, force: true });
|
|
});
|
|
|
|
describe('POST /', () => {
|
|
it('issues a fresh key with sk-aao prefix and returns raw once', async () => {
|
|
const res = await request(app).post('/api/admin/gateway/keys').send({ team: 'alpha' });
|
|
expect(res.status).toBe(201);
|
|
expect(res.body.team).toBe('alpha');
|
|
expect(res.body.source).toBe('admin');
|
|
expect(typeof res.body.key).toBe('string');
|
|
expect(res.body.key.startsWith('sk-aao-')).toBe(true);
|
|
expect(res.body.keyPrefix.startsWith('sk-aao-')).toBe(true);
|
|
expect(res.body.allowedModels).toBeNull();
|
|
// GET should not include raw key.
|
|
const list = await request(app).get('/api/admin/gateway/keys');
|
|
expect(list.body.keys[0].key).toBeUndefined();
|
|
});
|
|
|
|
it('validates team format', async () => {
|
|
const res = await request(app).post('/api/admin/gateway/keys').send({ team: 'has spaces' });
|
|
expect(res.status).toBe(400);
|
|
});
|
|
|
|
it('accepts allowedModels and round-trips it', async () => {
|
|
const res = await request(app)
|
|
.post('/api/admin/gateway/keys')
|
|
.send({ team: 'alpha', allowedModels: ['qwen3:8b', 'qwen3:14b'] });
|
|
expect(res.status).toBe(201);
|
|
expect(res.body.allowedModels).toEqual(['qwen3:8b', 'qwen3:14b']);
|
|
});
|
|
|
|
it('rejects malformed allowedModels', async () => {
|
|
const res = await request(app)
|
|
.post('/api/admin/gateway/keys')
|
|
.send({ team: 'alpha', allowedModels: [42, ''] });
|
|
expect(res.status).toBe(400);
|
|
});
|
|
});
|
|
|
|
describe('GET / and GET /:id', () => {
|
|
it('lists with team filter and hides revoked when activeOnly=true', async () => {
|
|
const a = (await request(app).post('/api/admin/gateway/keys').send({ team: 'alpha' })).body;
|
|
await request(app).post('/api/admin/gateway/keys').send({ team: 'beta' });
|
|
const old = (await request(app).post('/api/admin/gateway/keys').send({ team: 'alpha' })).body;
|
|
await request(app).post(`/api/admin/gateway/keys/${old.id}/revoke`).send({});
|
|
|
|
const alphaAll = await request(app).get('/api/admin/gateway/keys?team=alpha');
|
|
expect(alphaAll.body.keys).toHaveLength(2);
|
|
const alphaActive = await request(app).get('/api/admin/gateway/keys?team=alpha&activeOnly=true');
|
|
expect(alphaActive.body.keys).toHaveLength(1);
|
|
expect(alphaActive.body.keys[0].id).toBe(a.id);
|
|
});
|
|
|
|
it('GET /:id returns 404 for unknown id', async () => {
|
|
const res = await request(app).get('/api/admin/gateway/keys/nope');
|
|
expect(res.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
describe('POST /:id/revoke', () => {
|
|
it('revokes and is idempotent (409 second time)', async () => {
|
|
const created = (await request(app).post('/api/admin/gateway/keys').send({ team: 'alpha' })).body;
|
|
const first = await request(app).post(`/api/admin/gateway/keys/${created.id}/revoke`).send({});
|
|
expect(first.status).toBe(200);
|
|
expect(first.body.ok).toBe(true);
|
|
expect(first.body.revokedAt).toBeTruthy();
|
|
const second = await request(app).post(`/api/admin/gateway/keys/${created.id}/revoke`).send({});
|
|
expect(second.status).toBe(409);
|
|
});
|
|
|
|
it('returns 404 for unknown id', async () => {
|
|
const res = await request(app).post('/api/admin/gateway/keys/nope/revoke').send({});
|
|
expect(res.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
describe('POST /:id/rotate', () => {
|
|
it('atomically issues a new key and revokes the old', async () => {
|
|
const old = (await request(app).post('/api/admin/gateway/keys').send({
|
|
team: 'alpha',
|
|
allowedModels: ['qwen3:8b'],
|
|
})).body;
|
|
const res = await request(app).post(`/api/admin/gateway/keys/${old.id}/rotate`).send({});
|
|
expect(res.status).toBe(201);
|
|
expect(typeof res.body.key).toBe('string');
|
|
expect(res.body.id).not.toBe(old.id);
|
|
expect(res.body.allowedModels).toEqual(['qwen3:8b']);
|
|
expect(res.body.team).toBe('alpha');
|
|
|
|
const oldRefetch = await request(app).get(`/api/admin/gateway/keys/${old.id}`);
|
|
expect(oldRefetch.body.revokedAt).toBeTruthy();
|
|
});
|
|
|
|
it('refuses to rotate a revoked key', async () => {
|
|
const created = (await request(app).post('/api/admin/gateway/keys').send({ team: 'alpha' })).body;
|
|
await request(app).post(`/api/admin/gateway/keys/${created.id}/revoke`).send({});
|
|
const res = await request(app).post(`/api/admin/gateway/keys/${created.id}/rotate`).send({});
|
|
expect(res.status).toBe(409);
|
|
});
|
|
});
|
|
|
|
describe('DELETE /:id', () => {
|
|
it('hard-deletes an admin-issued key', async () => {
|
|
const created = (await request(app).post('/api/admin/gateway/keys').send({ team: 'alpha' })).body;
|
|
const res = await request(app).delete(`/api/admin/gateway/keys/${created.id}`);
|
|
expect(res.status).toBe(204);
|
|
const after = await request(app).get(`/api/admin/gateway/keys/${created.id}`);
|
|
expect(after.status).toBe(404);
|
|
});
|
|
|
|
it('refuses to delete a config-import key', async () => {
|
|
const k = repo.createGatewayVirtualKey({
|
|
keyHash: 'cfg-hash',
|
|
keyPrefix: 'sk-conf-import',
|
|
team: 'imported',
|
|
source: 'config-import',
|
|
createdBy: 'config',
|
|
});
|
|
const res = await request(app).delete(`/api/admin/gateway/keys/${k.id}`);
|
|
expect(res.status).toBe(400);
|
|
expect(repo.findGatewayVirtualKeyById(k.id)).not.toBeNull();
|
|
});
|
|
});
|
|
|
|
describe('auth gating', () => {
|
|
it('non-admin caller receives 403', async () => {
|
|
const adminLess = buildAppWithAdmin(repo, 'user');
|
|
const res = await request(adminLess).get('/api/admin/gateway/keys');
|
|
expect(res.status).toBe(403);
|
|
});
|
|
});
|
|
|
|
describe('auth-disabled mount policy', () => {
|
|
// Server-level guard: createCoreServer refuses to mount this router
|
|
// when authActive=false because mounting it with a passthrough guard
|
|
// would let any anonymous caller mint valid sk-aao-* bearer tokens.
|
|
// We simulate the no-auth path by NOT mounting the router and
|
|
// asserting requests 404, matching the production behavior.
|
|
function buildAppWithoutAuth(): express.Application {
|
|
const app = express();
|
|
app.use(express.json({ limit: '4kb' }));
|
|
// Intentionally do NOT mount /api/admin/gateway/keys — this is the
|
|
// path server.ts takes when authActive===false.
|
|
return app;
|
|
}
|
|
|
|
it('returns 404 for POST when auth is disabled (route not mounted)', async () => {
|
|
const noAuthApp = buildAppWithoutAuth();
|
|
const res = await request(noAuthApp)
|
|
.post('/api/admin/gateway/keys')
|
|
.send({ team: 'alpha' });
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('returns 404 for GET when auth is disabled (route not mounted)', async () => {
|
|
const noAuthApp = buildAppWithoutAuth();
|
|
const res = await request(noAuthApp).get('/api/admin/gateway/keys');
|
|
expect(res.status).toBe(404);
|
|
});
|
|
|
|
it('returns 401 when auth IS active but caller is unauthenticated', async () => {
|
|
// With auth active, server.ts mounts requireAdmin (which 401s for
|
|
// missing user) BEFORE the router. We simulate that by wiring a
|
|
// requireAdmin that 401s without a user, then the router behind it.
|
|
const app = express();
|
|
app.use(express.json({ limit: '4kb' }));
|
|
const requireAdminLike: RequestHandler = (req, res, next) => {
|
|
const u = (req as Request & { user?: unknown }).user;
|
|
if (!u) {
|
|
res.status(401).json({ error: 'authentication required' });
|
|
return;
|
|
}
|
|
next();
|
|
};
|
|
app.use(
|
|
'/api/admin/gateway/keys',
|
|
requireAdminLike,
|
|
createAdminGatewayApi({
|
|
repo,
|
|
requireAdmin: (_req, _res, next) => next(),
|
|
getUserId: (req) =>
|
|
(req as Request & { user?: { id?: string } }).user?.id ?? null,
|
|
}),
|
|
);
|
|
const res = await request(app).post('/api/admin/gateway/keys').send({ team: 'alpha' });
|
|
expect(res.status).toBe(401);
|
|
});
|
|
});
|
|
});
|