fix(security): enforce tenant isolation on all agent endpoints — resolves Test C.7
P0 security fix. Any authenticated agent could previously read, modify, or decommission agents belonging to other organizations. Changes: - IAgentListFilters: add organizationId field (forced from JWT, never from query) - AgentRepository.findAll(): filter by organizationId when set - AgentService: getAgentById, updateAgent, decommissionAgent — accept organizationId and throw AuthorizationError(403) on cross-tenant access - AgentController: extract req.user.organization_id on all 5 handlers; throw 403 if claim is absent; registerAgent forces body.organizationId from JWT claim - OpenAPI spec: document tenant isolation rules per endpoint - Tests: update MOCK_USER with organization_id; add 5 new missing-org-id 403 tests; assert organizationId is passed through to service on all mutating calls Fixes field trial failure: Test C.7 (Org Isolation). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
@@ -15,6 +15,8 @@ const MockAgentService = AgentService as jest.MockedClass<typeof AgentService>;
|
||||
|
||||
// ─── helpers ─────────────────────────────────────────────────────────────────
|
||||
|
||||
const MOCK_ORG_ID = 'org-test-001';
|
||||
|
||||
const MOCK_USER: ITokenPayload = {
|
||||
sub: 'agent-id-001',
|
||||
client_id: 'agent-id-001',
|
||||
@@ -22,11 +24,12 @@ const MOCK_USER: ITokenPayload = {
|
||||
jti: 'jti-001',
|
||||
iat: 1000,
|
||||
exp: 9999999999,
|
||||
organization_id: MOCK_ORG_ID,
|
||||
};
|
||||
|
||||
const MOCK_AGENT: IAgent = {
|
||||
agentId: 'agent-id-001',
|
||||
organizationId: 'org_system',
|
||||
organizationId: MOCK_ORG_ID,
|
||||
email: 'agent@sentryagent.ai',
|
||||
agentType: 'screener',
|
||||
version: '1.0.0',
|
||||
@@ -117,6 +120,23 @@ describe('AgentController', () => {
|
||||
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
|
||||
});
|
||||
|
||||
it('should call next(AuthorizationError) when JWT has no organization_id', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.user = { ...MOCK_USER, organization_id: undefined };
|
||||
req.body = {
|
||||
email: 'agent@sentryagent.ai',
|
||||
agentType: 'screener',
|
||||
version: '1.0.0',
|
||||
capabilities: ['resume:read'],
|
||||
owner: 'team-a',
|
||||
deploymentEnv: 'production',
|
||||
};
|
||||
|
||||
await controller.registerAgent(req as Request, res as Response, next);
|
||||
|
||||
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
|
||||
});
|
||||
|
||||
it('should forward service errors to next', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.body = {
|
||||
@@ -139,7 +159,7 @@ describe('AgentController', () => {
|
||||
// ── listAgents ───────────────────────────────────────────────────────────────
|
||||
|
||||
describe('listAgents()', () => {
|
||||
it('should return 200 with paginated agents', async () => {
|
||||
it('should return 200 with paginated agents scoped to caller org', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.query = { page: '1', limit: '20' };
|
||||
const paginatedResponse = { data: [MOCK_AGENT], total: 1, page: 1, limit: 20 };
|
||||
@@ -147,6 +167,9 @@ describe('AgentController', () => {
|
||||
|
||||
await controller.listAgents(req as Request, res as Response, next);
|
||||
|
||||
expect(agentService.listAgents).toHaveBeenCalledWith(
|
||||
expect.objectContaining({ organizationId: MOCK_ORG_ID }),
|
||||
);
|
||||
expect(res.status).toHaveBeenCalledWith(200);
|
||||
expect(res.json).toHaveBeenCalledWith(paginatedResponse);
|
||||
});
|
||||
@@ -160,6 +183,15 @@ describe('AgentController', () => {
|
||||
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
|
||||
});
|
||||
|
||||
it('should call next(AuthorizationError) when JWT has no organization_id', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.user = { ...MOCK_USER, organization_id: undefined };
|
||||
|
||||
await controller.listAgents(req as Request, res as Response, next);
|
||||
|
||||
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
|
||||
});
|
||||
|
||||
it('should call next(ValidationError) when query params are invalid', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.query = { page: 'not-a-number' };
|
||||
@@ -184,13 +216,14 @@ describe('AgentController', () => {
|
||||
// ── getAgentById ─────────────────────────────────────────────────────────────
|
||||
|
||||
describe('getAgentById()', () => {
|
||||
it('should return 200 with the agent', async () => {
|
||||
it('should return 200 with the agent, passing organizationId to service', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.params = { agentId: MOCK_AGENT.agentId };
|
||||
agentService.getAgentById.mockResolvedValue(MOCK_AGENT);
|
||||
|
||||
await controller.getAgentById(req as Request, res as Response, next);
|
||||
|
||||
expect(agentService.getAgentById).toHaveBeenCalledWith(MOCK_AGENT.agentId, MOCK_ORG_ID);
|
||||
expect(res.status).toHaveBeenCalledWith(200);
|
||||
expect(res.json).toHaveBeenCalledWith(MOCK_AGENT);
|
||||
});
|
||||
@@ -205,6 +238,16 @@ describe('AgentController', () => {
|
||||
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
|
||||
});
|
||||
|
||||
it('should call next(AuthorizationError) when JWT has no organization_id', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.user = { ...MOCK_USER, organization_id: undefined };
|
||||
req.params = { agentId: MOCK_AGENT.agentId };
|
||||
|
||||
await controller.getAgentById(req as Request, res as Response, next);
|
||||
|
||||
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
|
||||
});
|
||||
|
||||
it('should forward AgentNotFoundError to next', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.params = { agentId: 'nonexistent' };
|
||||
@@ -220,7 +263,7 @@ describe('AgentController', () => {
|
||||
// ── updateAgent ──────────────────────────────────────────────────────────────
|
||||
|
||||
describe('updateAgent()', () => {
|
||||
it('should return 200 with the updated agent', async () => {
|
||||
it('should return 200 with the updated agent, passing organizationId to service', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.params = { agentId: MOCK_AGENT.agentId };
|
||||
req.body = { version: '2.0.0' };
|
||||
@@ -229,6 +272,13 @@ describe('AgentController', () => {
|
||||
|
||||
await controller.updateAgent(req as Request, res as Response, next);
|
||||
|
||||
expect(agentService.updateAgent).toHaveBeenCalledWith(
|
||||
MOCK_AGENT.agentId,
|
||||
expect.any(Object),
|
||||
expect.any(String),
|
||||
expect.any(String),
|
||||
MOCK_ORG_ID,
|
||||
);
|
||||
expect(res.status).toHaveBeenCalledWith(200);
|
||||
expect(res.json).toHaveBeenCalledWith(updated);
|
||||
});
|
||||
@@ -244,6 +294,17 @@ describe('AgentController', () => {
|
||||
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
|
||||
});
|
||||
|
||||
it('should call next(AuthorizationError) when JWT has no organization_id', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.user = { ...MOCK_USER, organization_id: undefined };
|
||||
req.params = { agentId: MOCK_AGENT.agentId };
|
||||
req.body = { version: '2.0.0' };
|
||||
|
||||
await controller.updateAgent(req as Request, res as Response, next);
|
||||
|
||||
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
|
||||
});
|
||||
|
||||
it('should call next(ValidationError) when body is invalid', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.params = { agentId: MOCK_AGENT.agentId };
|
||||
@@ -270,13 +331,19 @@ describe('AgentController', () => {
|
||||
// ── decommissionAgent ────────────────────────────────────────────────────────
|
||||
|
||||
describe('decommissionAgent()', () => {
|
||||
it('should return 204 on success', async () => {
|
||||
it('should return 204 on success, passing organizationId to service', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.params = { agentId: MOCK_AGENT.agentId };
|
||||
agentService.decommissionAgent.mockResolvedValue();
|
||||
|
||||
await controller.decommissionAgent(req as Request, res as Response, next);
|
||||
|
||||
expect(agentService.decommissionAgent).toHaveBeenCalledWith(
|
||||
MOCK_AGENT.agentId,
|
||||
expect.any(String),
|
||||
expect.any(String),
|
||||
MOCK_ORG_ID,
|
||||
);
|
||||
expect(res.status).toHaveBeenCalledWith(204);
|
||||
expect(res.send).toHaveBeenCalled();
|
||||
expect(next).not.toHaveBeenCalled();
|
||||
@@ -292,6 +359,16 @@ describe('AgentController', () => {
|
||||
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
|
||||
});
|
||||
|
||||
it('should call next(AuthorizationError) when JWT has no organization_id', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.user = { ...MOCK_USER, organization_id: undefined };
|
||||
req.params = { agentId: MOCK_AGENT.agentId };
|
||||
|
||||
await controller.decommissionAgent(req as Request, res as Response, next);
|
||||
|
||||
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
|
||||
});
|
||||
|
||||
it('should forward service errors to next', async () => {
|
||||
const { req, res, next } = buildMocks();
|
||||
req.params = { agentId: MOCK_AGENT.agentId };
|
||||
|
||||
Reference in New Issue
Block a user