feat: Phase 2 Workstream 3 — Go SDK (github.com/sentryagent/idp-sdk-go)

Single-package agentidp SDK in sdk-go/: - AgentIdPClient composing AgentRegistryClient, CredentialClient, TokenServiceClient, AuditClient — all 14 endpoints covered - Goroutine-safe TokenManager (sync.Mutex) with 60s refresh buffer - AgentIdPError implementing error interface with Code/HTTPStatus/Details - Context-aware: all service methods take context.Context as first arg - doRequest shared helper; token endpoints use form-encoded POST directly - go vet: 0 warnings | staticcheck: 0 warnings - go test ./...: 37/37 passed | coverage: 81.0% (>80% gate) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 15:23:02 +00:00
parent c93562e685
commit 91c759f455
19 changed files with 2048 additions and 12 deletions
--- a/sdk-go/credentials_test.go
+++ b/sdk-go/credentials_test.go
@@ -0,0 +1,146 @@
+package agentidp
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+var mockCred = Credential{
+	CredentialID: "cred-1",
+	ClientID:     "uuid-1",
+	Status:       "active",
+	CreatedAt:    "2026-01-01T00:00:00Z",
+}
+
+var mockCredWithSecret = CredentialWithSecret{
+	Credential:   mockCred,
+	ClientSecret: "sk_live_abc",
+}
+
+var mockPaginatedCreds = PaginatedCredentials{
+	Data:  []Credential{mockCred},
+	Total: 1,
+	Page:  1,
+	Limit: 20,
+}
+
+func TestCredentialClient_GenerateCredential(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost || r.URL.Path != "/api/v1/agents/uuid-1/credentials" {
+			t.Errorf("unexpected: %s %s", r.Method, r.URL.Path)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(201)
+		_ = json.NewEncoder(w).Encode(mockCredWithSecret)
+	}))
+	defer srv.Close()
+
+	client := newCredentialClient(srv.URL, staticToken, &http.Client{})
+	cred, err := client.GenerateCredential(context.Background(), "uuid-1")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if cred.ClientSecret != "sk_live_abc" {
+		t.Errorf("expected sk_live_abc, got %q", cred.ClientSecret)
+	}
+	if cred.CredentialID != "cred-1" {
+		t.Errorf("expected cred-1, got %q", cred.CredentialID)
+	}
+}
+
+func TestCredentialClient_ListCredentials(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet || r.URL.Path != "/api/v1/agents/uuid-1/credentials" {
+			t.Errorf("unexpected: %s %s", r.Method, r.URL.Path)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(mockPaginatedCreds)
+	}))
+	defer srv.Close()
+
+	client := newCredentialClient(srv.URL, staticToken, &http.Client{})
+	result, err := client.ListCredentials(context.Background(), "uuid-1", 0, 0)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result.Total != 1 {
+		t.Errorf("expected total 1, got %d", result.Total)
+	}
+}
+
+func TestCredentialClient_RotateCredential(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		expectedPath := "/api/v1/agents/uuid-1/credentials/cred-1/rotate"
+		if r.Method != http.MethodPost || r.URL.Path != expectedPath {
+			t.Errorf("unexpected: %s %s", r.Method, r.URL.Path)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(mockCredWithSecret)
+	}))
+	defer srv.Close()
+
+	client := newCredentialClient(srv.URL, staticToken, &http.Client{})
+	cred, err := client.RotateCredential(context.Background(), "uuid-1", "cred-1")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if cred.ClientSecret != "sk_live_abc" {
+		t.Errorf("expected sk_live_abc, got %q", cred.ClientSecret)
+	}
+}
+
+func TestCredentialClient_RevokeCredential(t *testing.T) {
+	revokedAt := "2026-01-02T00:00:00Z"
+	revoked := Credential{
+		CredentialID: "cred-1",
+		ClientID:     "uuid-1",
+		Status:       "revoked",
+		CreatedAt:    "2026-01-01T00:00:00Z",
+		RevokedAt:    &revokedAt,
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodDelete {
+			t.Errorf("expected DELETE, got %s", r.Method)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(revoked)
+	}))
+	defer srv.Close()
+
+	client := newCredentialClient(srv.URL, staticToken, &http.Client{})
+	cred, err := client.RevokeCredential(context.Background(), "uuid-1", "cred-1")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if cred.Status != "revoked" {
+		t.Errorf("expected revoked, got %q", cred.Status)
+	}
+}
+
+func TestCredentialClient_Error_Propagated(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(404)
+		_ = json.NewEncoder(w).Encode(map[string]string{
+			"code":    "AgentNotFoundError",
+			"message": "Not found.",
+		})
+	}))
+	defer srv.Close()
+
+	client := newCredentialClient(srv.URL, staticToken, &http.Client{})
+	_, err := client.GenerateCredential(context.Background(), "bad-id")
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	apiErr, ok := err.(*AgentIdPError)
+	if !ok {
+		t.Fatalf("expected *AgentIdPError, got %T", err)
+	}
+	if apiErr.HTTPStatus != 404 {
+		t.Errorf("expected 404, got %d", apiErr.HTTPStatus)
+	}
+}