feat: Phase 2 Workstream 3 — Go SDK (github.com/sentryagent/idp-sdk-go)

Single-package agentidp SDK in sdk-go/: - AgentIdPClient composing AgentRegistryClient, CredentialClient, TokenServiceClient, AuditClient — all 14 endpoints covered - Goroutine-safe TokenManager (sync.Mutex) with 60s refresh buffer - AgentIdPError implementing error interface with Code/HTTPStatus/Details - Context-aware: all service methods take context.Context as first arg - doRequest shared helper; token endpoints use form-encoded POST directly - go vet: 0 warnings | staticcheck: 0 warnings - go test ./...: 37/37 passed | coverage: 81.0% (>80% gate) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 15:23:02 +00:00
parent c93562e685
commit 91c759f455
19 changed files with 2048 additions and 12 deletions
--- a/sdk-go/token_manager_test.go
+++ b/sdk-go/token_manager_test.go
@@ -0,0 +1,169 @@
+package agentidp
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+	"testing"
+	"time"
+)
+
+func newTokenServer(t *testing.T, statusCode int, body interface{}) *httptest.Server {
+	t.Helper()
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost || r.URL.Path != "/api/v1/token" {
+			t.Errorf("unexpected request: %s %s", r.Method, r.URL.Path)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(statusCode)
+		_ = json.NewEncoder(w).Encode(body)
+	}))
+}
+
+var tokenResp = map[string]interface{}{
+	"access_token": "eyJ.abc.def",
+	"token_type":   "Bearer",
+	"expires_in":   3600,
+	"scope":        "agents:read",
+}
+
+func TestTokenManager_GetToken_Issues(t *testing.T) {
+	srv := newTokenServer(t, 200, tokenResp)
+	defer srv.Close()
+
+	tm := NewTokenManager(srv.URL, "client-id", "secret", "agents:read")
+	tok, err := tm.GetToken(context.Background())
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if tok != "eyJ.abc.def" {
+		t.Errorf("expected token eyJ.abc.def, got %q", tok)
+	}
+}
+
+func TestTokenManager_GetToken_Caches(t *testing.T) {
+	callCount := 0
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		callCount++
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(tokenResp)
+	}))
+	defer srv.Close()
+
+	tm := NewTokenManager(srv.URL, "client-id", "secret", "agents:read")
+	_, _ = tm.GetToken(context.Background())
+	_, _ = tm.GetToken(context.Background())
+
+	if callCount != 1 {
+		t.Errorf("expected 1 HTTP call (cached), got %d", callCount)
+	}
+}
+
+func TestTokenManager_GetToken_RefreshesNearExpiry(t *testing.T) {
+	callCount := 0
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		callCount++
+		resp := map[string]interface{}{
+			"access_token": "eyJ.abc.def",
+			"token_type":   "Bearer",
+			"expires_in":   3600,
+			"scope":        "agents:read",
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(resp)
+	}))
+	defer srv.Close()
+
+	tm := NewTokenManager(srv.URL, "client-id", "secret", "agents:read")
+	_, _ = tm.GetToken(context.Background())
+
+	// Force the cached token to appear nearly expired
+	tm.mu.Lock()
+	tm.cached = &cachedToken{
+		accessToken: "old-token",
+		expiresAt:   time.Now().Add(30 * time.Second), // < refreshBufferSeconds
+	}
+	tm.mu.Unlock()
+
+	tok, err := tm.GetToken(context.Background())
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if tok != "eyJ.abc.def" {
+		t.Errorf("expected refreshed token, got %q", tok)
+	}
+	if callCount != 2 {
+		t.Errorf("expected 2 HTTP calls (initial + refresh), got %d", callCount)
+	}
+}
+
+func TestTokenManager_GetToken_AuthFailure(t *testing.T) {
+	srv := newTokenServer(t, 401, map[string]interface{}{
+		"error":             "invalid_client",
+		"error_description": "Bad credentials.",
+	})
+	defer srv.Close()
+
+	tm := NewTokenManager(srv.URL, "client-id", "bad-secret", "agents:read")
+	_, err := tm.GetToken(context.Background())
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	apiErr, ok := err.(*AgentIdPError)
+	if !ok {
+		t.Fatalf("expected *AgentIdPError, got %T", err)
+	}
+	if apiErr.Code != "invalid_client" {
+		t.Errorf("expected code invalid_client, got %q", apiErr.Code)
+	}
+	if apiErr.HTTPStatus != 401 {
+		t.Errorf("expected HTTPStatus 401, got %d", apiErr.HTTPStatus)
+	}
+}
+
+func TestTokenManager_ClearCache(t *testing.T) {
+	callCount := 0
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		callCount++
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(tokenResp)
+	}))
+	defer srv.Close()
+
+	tm := NewTokenManager(srv.URL, "client-id", "secret", "agents:read")
+	_, _ = tm.GetToken(context.Background())
+	tm.ClearCache()
+	_, _ = tm.GetToken(context.Background())
+
+	if callCount != 2 {
+		t.Errorf("expected 2 HTTP calls (cache cleared), got %d", callCount)
+	}
+}
+
+func TestTokenManager_GoroutineSafe(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(tokenResp)
+	}))
+	defer srv.Close()
+
+	tm := NewTokenManager(srv.URL, "client-id", "secret", "agents:read")
+
+	var wg sync.WaitGroup
+	for i := 0; i < 20; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			tok, err := tm.GetToken(context.Background())
+			if err != nil {
+				t.Errorf("goroutine error: %v", err)
+			}
+			if tok != "eyJ.abc.def" {
+				t.Errorf("unexpected token: %q", tok)
+			}
+		}()
+	}
+	wg.Wait()
+}