vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Phase 1 MVP — complete AgentIdP implementation

Browse Source 
Implements all P0 features per OpenSpec change phase-1-mvp-implementation:
- Agent Registry Service (CRUD) — full lifecycle management
- OAuth 2.0 Token Service (Client Credentials flow)
- Credential Management (generate, rotate, revoke)
- Immutable Audit Log Service

Tech: Node.js 18+, TypeScript 5.3+ strict, Express 4.18+, PostgreSQL 14+, Redis 7+
Standards: OpenAPI 3.0 specs, DRY/SOLID, zero `any` types
Quality: 18 unit test suites, 244 tests passing, 97%+ coverage
OpenAPI: 4 complete specs (14 endpoints total)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
2026-03-28 09:14:41 +00:00
parent 245f8df427
commit d3530285b9
78 changed files with 20590 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

283
tests/integration/agents.test.ts Normal file
View File

@@ -0,0 +1,283 @@
/**
* Integration tests for Agent Registry endpoints.
* Uses a real Postgres test DB and Redis test instance.
*/
import crypto from 'crypto';
import request from 'supertest';
import { Application } from 'express';
import { v4 as uuidv4 } from 'uuid';
import { Pool } from 'pg';
import { createClient } from 'redis';
// Set test environment variables before importing app
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
process.env['DATABASE_URL'] = process.env['TEST_DATABASE_URL'] ?? 'postgresql://sentryagent:sentryagent@localhost:5432/sentryagent_idp_test';
process.env['REDIS_URL'] = process.env['TEST_REDIS_URL'] ?? 'redis://localhost:6379/1';
process.env['JWT_PRIVATE_KEY'] = privateKey;
process.env['JWT_PUBLIC_KEY'] = publicKey;
process.env['NODE_ENV'] = 'test';
import { createApp } from '../../src/app';
import { signToken } from '../../src/utils/jwt';
import { closePool } from '../../src/db/pool';
import { closeRedisClient } from '../../src/cache/redis';
const AGENT_ID = uuidv4();
const SCOPE = 'agents:read agents:write';
function makeToken(sub: string = AGENT_ID, scope: string = SCOPE): string {
return signToken({ sub, client_id: sub, scope, jti: uuidv4() }, privateKey);
}
describe('Agent Registry Integration Tests', () => {
let app: Application;
let pool: Pool;
beforeAll(async () => {
app = await createApp();
pool = new Pool({
connectionString: process.env['DATABASE_URL'],
});
// Run migrations
const migrations = [
`CREATE TABLE IF NOT EXISTS schema_migrations (name VARCHAR(255) PRIMARY KEY, applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW())`,
`CREATE TABLE IF NOT EXISTS agents (
agent_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
email VARCHAR(255) NOT NULL UNIQUE,
agent_type VARCHAR(32) NOT NULL,
version VARCHAR(64) NOT NULL,
capabilities TEXT[] NOT NULL DEFAULT '{}',
owner VARCHAR(128) NOT NULL,
deployment_env VARCHAR(16) NOT NULL,
status VARCHAR(24) NOT NULL DEFAULT 'active',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
`CREATE TABLE IF NOT EXISTS credentials (
credential_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
client_id UUID NOT NULL,
secret_hash VARCHAR(255) NOT NULL,
status VARCHAR(16) NOT NULL DEFAULT 'active',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
expires_at TIMESTAMPTZ,
revoked_at TIMESTAMPTZ
)`,
`CREATE TABLE IF NOT EXISTS audit_events (
event_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
agent_id UUID NOT NULL,
action VARCHAR(32) NOT NULL,
outcome VARCHAR(16) NOT NULL,
ip_address VARCHAR(64) NOT NULL,
user_agent TEXT NOT NULL,
metadata JSONB NOT NULL DEFAULT '{}',
timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
`CREATE TABLE IF NOT EXISTS token_revocations (
jti UUID PRIMARY KEY,
expires_at TIMESTAMPTZ NOT NULL,
revoked_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
];
for (const sql of migrations) {
await pool.query(sql);
}
});
afterEach(async () => {
await pool.query('DELETE FROM audit_events');
await pool.query('DELETE FROM credentials');
await pool.query('DELETE FROM agents');
});
afterAll(async () => {
await pool.end();
await closePool();
await closeRedisClient();
});
const validAgent = {
email: 'test-agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'test-team',
deploymentEnv: 'development',
};
describe('POST /api/v1/agents', () => {
it('should register a new agent and return 201', async () => {
const token = makeToken();
const res = await request(app)
.post('/api/v1/agents')
.set('Authorization', `Bearer ${token}`)
.send(validAgent);
expect(res.status).toBe(201);
expect(res.body.agentId).toBeDefined();
expect(res.body.email).toBe(validAgent.email);
expect(res.body.status).toBe('active');
});
it('should return 401 without a token', async () => {
const res = await request(app).post('/api/v1/agents').send(validAgent);
expect(res.status).toBe(401);
});
it('should return 400 for invalid request body', async () => {
const token = makeToken();
const res = await request(app)
.post('/api/v1/agents')
.set('Authorization', `Bearer ${token}`)
.send({ email: 'not-an-email' });
expect(res.status).toBe(400);
});
it('should return 409 for duplicate email', async () => {
const token = makeToken();
await request(app)
.post('/api/v1/agents')
.set('Authorization', `Bearer ${token}`)
.send(validAgent);
const res = await request(app)
.post('/api/v1/agents')
.set('Authorization', `Bearer ${token}`)
.send(validAgent);
expect(res.status).toBe(409);
expect(res.body.code).toBe('AGENT_ALREADY_EXISTS');
});
});
describe('GET /api/v1/agents', () => {
it('should return a paginated list of agents', async () => {
const token = makeToken();
await request(app)
.post('/api/v1/agents')
.set('Authorization', `Bearer ${token}`)
.send(validAgent);
const res = await request(app)
.get('/api/v1/agents')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
expect(res.body.data).toBeInstanceOf(Array);
expect(res.body.total).toBeGreaterThanOrEqual(1);
expect(res.body.page).toBe(1);
});
it('should support filtering by status', async () => {
const token = makeToken();
await request(app)
.post('/api/v1/agents')
.set('Authorization', `Bearer ${token}`)
.send(validAgent);
const res = await request(app)
.get('/api/v1/agents?status=active')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
res.body.data.forEach((a: { status: string }) => expect(a.status).toBe('active'));
});
it('should return 401 without a token', async () => {
const res = await request(app).get('/api/v1/agents');
expect(res.status).toBe(401);
});
});
describe('GET /api/v1/agents/:agentId', () => {
it('should return an agent by ID', async () => {
const token = makeToken();
const created = await request(app)
.post('/api/v1/agents')
.set('Authorization', `Bearer ${token}`)
.send(validAgent);
const res = await request(app)
.get(`/api/v1/agents/${created.body.agentId}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
expect(res.body.agentId).toBe(created.body.agentId);
});
it('should return 404 for unknown agentId', async () => {
const token = makeToken();
const res = await request(app)
.get(`/api/v1/agents/${uuidv4()}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(404);
});
});
describe('PATCH /api/v1/agents/:agentId', () => {
it('should update the agent and return 200', async () => {
const token = makeToken();
const created = await request(app)
.post('/api/v1/agents')
.set('Authorization', `Bearer ${token}`)
.send(validAgent);
const res = await request(app)
.patch(`/api/v1/agents/${created.body.agentId}`)
.set('Authorization', `Bearer ${token}`)
.send({ version: '2.0.0' });
expect(res.status).toBe(200);
expect(res.body.version).toBe('2.0.0');
});
it('should return 404 for unknown agentId', async () => {
const token = makeToken();
const res = await request(app)
.patch(`/api/v1/agents/${uuidv4()}`)
.set('Authorization', `Bearer ${token}`)
.send({ version: '2.0.0' });
expect(res.status).toBe(404);
});
});
describe('DELETE /api/v1/agents/:agentId', () => {
it('should decommission the agent and return 204', async () => {
const token = makeToken();
const created = await request(app)
.post('/api/v1/agents')
.set('Authorization', `Bearer ${token}`)
.send(validAgent);
const res = await request(app)
.delete(`/api/v1/agents/${created.body.agentId}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(204);
});
it('should return 409 if already decommissioned', async () => {
const token = makeToken();
const created = await request(app)
.post('/api/v1/agents')
.set('Authorization', `Bearer ${token}`)
.send(validAgent);
await request(app)
.delete(`/api/v1/agents/${created.body.agentId}`)
.set('Authorization', `Bearer ${token}`);
const res = await request(app)
.delete(`/api/v1/agents/${created.body.agentId}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(409);
});
});
});

241
tests/integration/audit.test.ts Normal file
View File

@@ -0,0 +1,241 @@
/**
* Integration tests for Audit Log Service endpoints.
*/
import crypto from 'crypto';
import request from 'supertest';
import { Application } from 'express';
import { v4 as uuidv4 } from 'uuid';
import { Pool } from 'pg';
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
process.env['DATABASE_URL'] = process.env['TEST_DATABASE_URL'] ?? 'postgresql://sentryagent:sentryagent@localhost:5432/sentryagent_idp_test';
process.env['REDIS_URL'] = process.env['TEST_REDIS_URL'] ?? 'redis://localhost:6379/1';
process.env['JWT_PRIVATE_KEY'] = privateKey;
process.env['JWT_PUBLIC_KEY'] = publicKey;
process.env['NODE_ENV'] = 'test';
import { createApp } from '../../src/app';
import { signToken } from '../../src/utils/jwt';
import { closePool } from '../../src/db/pool';
import { closeRedisClient } from '../../src/cache/redis';
function makeToken(sub: string, scope: string = 'audit:read'): string {
return signToken({ sub, client_id: sub, scope, jti: uuidv4() }, privateKey);
}
describe('Audit Log Service Integration Tests', () => {
let app: Application;
let pool: Pool;
beforeAll(async () => {
app = await createApp();
pool = new Pool({ connectionString: process.env['DATABASE_URL'] });
const migrations = [
`CREATE TABLE IF NOT EXISTS agents (
agent_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
email VARCHAR(255) NOT NULL UNIQUE,
agent_type VARCHAR(32) NOT NULL,
version VARCHAR(64) NOT NULL,
capabilities TEXT[] NOT NULL DEFAULT '{}',
owner VARCHAR(128) NOT NULL,
deployment_env VARCHAR(16) NOT NULL,
status VARCHAR(24) NOT NULL DEFAULT 'active',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
`CREATE TABLE IF NOT EXISTS credentials (
credential_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
client_id UUID NOT NULL,
secret_hash VARCHAR(255) NOT NULL,
status VARCHAR(16) NOT NULL DEFAULT 'active',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
expires_at TIMESTAMPTZ,
revoked_at TIMESTAMPTZ
)`,
`CREATE TABLE IF NOT EXISTS audit_events (
event_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
agent_id UUID NOT NULL,
action VARCHAR(32) NOT NULL,
outcome VARCHAR(16) NOT NULL,
ip_address VARCHAR(64) NOT NULL,
user_agent TEXT NOT NULL,
metadata JSONB NOT NULL DEFAULT '{}',
timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
`CREATE TABLE IF NOT EXISTS token_revocations (
jti UUID PRIMARY KEY,
expires_at TIMESTAMPTZ NOT NULL,
revoked_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
];
for (const sql of migrations) {
await pool.query(sql);
}
});
afterEach(async () => {
await pool.query('DELETE FROM audit_events');
await pool.query('DELETE FROM credentials');
await pool.query('DELETE FROM agents');
});
afterAll(async () => {
await pool.end();
await closePool();
await closeRedisClient();
});
async function insertAuditEvent(
agentId: string,
action: string = 'token.issued',
outcome: string = 'success',
): Promise<string> {
const result = await pool.query(
`INSERT INTO audit_events (event_id, agent_id, action, outcome, ip_address, user_agent, metadata)
VALUES ($1, $2, $3, $4, '127.0.0.1', 'test/1.0', '{}')
RETURNING event_id`,
[uuidv4(), agentId, action, outcome],
);
return result.rows[0].event_id;
}
describe('GET /api/v1/audit', () => {
it('should return a paginated list of audit events', async () => {
const agentId = uuidv4();
await insertAuditEvent(agentId);
const token = makeToken(agentId);
const res = await request(app)
.get('/api/v1/audit')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
expect(res.body.data).toBeInstanceOf(Array);
expect(res.body.total).toBeGreaterThanOrEqual(1);
});
it('should filter by agentId', async () => {
const agentId = uuidv4();
await insertAuditEvent(agentId);
await insertAuditEvent(uuidv4()); // different agent
const token = makeToken(agentId);
const res = await request(app)
.get(`/api/v1/audit?agentId=${agentId}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
res.body.data.forEach((e: { agentId: string }) =>
expect(e.agentId).toBe(agentId),
);
});
it('should filter by action', async () => {
const agentId = uuidv4();
await insertAuditEvent(agentId, 'token.issued');
await insertAuditEvent(agentId, 'auth.failed');
const token = makeToken(agentId);
const res = await request(app)
.get('/api/v1/audit?action=token.issued')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
res.body.data.forEach((e: { action: string }) =>
expect(e.action).toBe('token.issued'),
);
});
it('should filter by outcome', async () => {
const agentId = uuidv4();
await insertAuditEvent(agentId, 'token.issued', 'success');
await insertAuditEvent(agentId, 'auth.failed', 'failure');
const token = makeToken(agentId);
const res = await request(app)
.get('/api/v1/audit?outcome=failure')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
res.body.data.forEach((e: { outcome: string }) =>
expect(e.outcome).toBe('failure'),
);
});
it('should return 401 without a token', async () => {
const res = await request(app).get('/api/v1/audit');
expect(res.status).toBe(401);
});
it('should return 403 without audit:read scope', async () => {
const token = makeToken(uuidv4(), 'agents:read');
const res = await request(app)
.get('/api/v1/audit')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(403);
});
it('should return 400 for fromDate outside 90-day retention window', async () => {
const token = makeToken(uuidv4());
const oldDate = new Date();
oldDate.setDate(oldDate.getDate() - 100);
const res = await request(app)
.get(`/api/v1/audit?fromDate=${oldDate.toISOString()}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(400);
expect(res.body.code).toBe('RETENTION_WINDOW_EXCEEDED');
});
it('should apply default pagination', async () => {
const token = makeToken(uuidv4());
const res = await request(app)
.get('/api/v1/audit')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
expect(res.body.page).toBe(1);
expect(res.body.limit).toBe(50);
});
});
describe('GET /api/v1/audit/:eventId', () => {
it('should return a single audit event', async () => {
const agentId = uuidv4();
const eventId = await insertAuditEvent(agentId);
const token = makeToken(agentId);
const res = await request(app)
.get(`/api/v1/audit/${eventId}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
expect(res.body.eventId).toBe(eventId);
});
it('should return 404 for unknown eventId', async () => {
const token = makeToken(uuidv4());
const res = await request(app)
.get(`/api/v1/audit/${uuidv4()}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(404);
});
it('should return 403 without audit:read scope', async () => {
const agentId = uuidv4();
const eventId = await insertAuditEvent(agentId);
const token = makeToken(agentId, 'agents:read');
const res = await request(app)
.get(`/api/v1/audit/${eventId}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(403);
});
});
});

263
tests/integration/credentials.test.ts Normal file
View File

@@ -0,0 +1,263 @@
/**
* Integration tests for Credential Management endpoints.
*/
import crypto from 'crypto';
import request from 'supertest';
import { Application } from 'express';
import { v4 as uuidv4 } from 'uuid';
import { Pool } from 'pg';
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
process.env['DATABASE_URL'] = process.env['TEST_DATABASE_URL'] ?? 'postgresql://sentryagent:sentryagent@localhost:5432/sentryagent_idp_test';
process.env['REDIS_URL'] = process.env['TEST_REDIS_URL'] ?? 'redis://localhost:6379/1';
process.env['JWT_PRIVATE_KEY'] = privateKey;
process.env['JWT_PUBLIC_KEY'] = publicKey;
process.env['NODE_ENV'] = 'test';
import { createApp } from '../../src/app';
import { signToken } from '../../src/utils/jwt';
import { closePool } from '../../src/db/pool';
import { closeRedisClient } from '../../src/cache/redis';
function makeToken(sub: string, scope: string = 'agents:read agents:write'): string {
return signToken({ sub, client_id: sub, scope, jti: uuidv4() }, privateKey);
}
describe('Credential Management Integration Tests', () => {
let app: Application;
let pool: Pool;
beforeAll(async () => {
app = await createApp();
pool = new Pool({ connectionString: process.env['DATABASE_URL'] });
const migrations = [
`CREATE TABLE IF NOT EXISTS agents (
agent_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
email VARCHAR(255) NOT NULL UNIQUE,
agent_type VARCHAR(32) NOT NULL,
version VARCHAR(64) NOT NULL,
capabilities TEXT[] NOT NULL DEFAULT '{}',
owner VARCHAR(128) NOT NULL,
deployment_env VARCHAR(16) NOT NULL,
status VARCHAR(24) NOT NULL DEFAULT 'active',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
`CREATE TABLE IF NOT EXISTS credentials (
credential_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
client_id UUID NOT NULL,
secret_hash VARCHAR(255) NOT NULL,
status VARCHAR(16) NOT NULL DEFAULT 'active',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
expires_at TIMESTAMPTZ,
revoked_at TIMESTAMPTZ
)`,
`CREATE TABLE IF NOT EXISTS audit_events (
event_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
agent_id UUID NOT NULL,
action VARCHAR(32) NOT NULL,
outcome VARCHAR(16) NOT NULL,
ip_address VARCHAR(64) NOT NULL,
user_agent TEXT NOT NULL,
metadata JSONB NOT NULL DEFAULT '{}',
timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
`CREATE TABLE IF NOT EXISTS token_revocations (
jti UUID PRIMARY KEY,
expires_at TIMESTAMPTZ NOT NULL,
revoked_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
];
for (const sql of migrations) {
await pool.query(sql);
}
});
afterEach(async () => {
await pool.query('DELETE FROM audit_events');
await pool.query('DELETE FROM credentials');
await pool.query('DELETE FROM agents');
});
afterAll(async () => {
await pool.end();
await closePool();
await closeRedisClient();
});
async function createAgent(): Promise<string> {
const agentId = uuidv4();
await pool.query(
`INSERT INTO agents (agent_id, email, agent_type, version, capabilities, owner, deployment_env, status)
VALUES ($1, $2, 'screener', '1.0.0', '{"agents:read"}', 'test', 'development', 'active')`,
[agentId, `agent-${agentId}@test.ai`],
);
return agentId;
}
describe('POST /api/v1/agents/:agentId/credentials', () => {
it('should generate a credential and return 201 with clientSecret', async () => {
const agentId = await createAgent();
const token = makeToken(agentId);
const res = await request(app)
.post(`/api/v1/agents/${agentId}/credentials`)
.set('Authorization', `Bearer ${token}`)
.send({});
expect(res.status).toBe(201);
expect(res.body.credentialId).toBeDefined();
expect(res.body.clientSecret).toMatch(/^sk_live_[0-9a-f]{64}$/);
expect(res.body.status).toBe('active');
});
it('should return 401 without a token', async () => {
const agentId = await createAgent();
const res = await request(app)
.post(`/api/v1/agents/${agentId}/credentials`)
.send({});
expect(res.status).toBe(401);
});
it('should return 403 when managing another agent credentials', async () => {
const agentId = await createAgent();
const otherAgent = makeToken(uuidv4()); // different sub
const res = await request(app)
.post(`/api/v1/agents/${agentId}/credentials`)
.set('Authorization', `Bearer ${otherAgent}`)
.send({});
expect(res.status).toBe(403);
});
it('should return 404 for unknown agentId', async () => {
const fakeId = uuidv4();
const token = makeToken(fakeId);
const res = await request(app)
.post(`/api/v1/agents/${fakeId}/credentials`)
.set('Authorization', `Bearer ${token}`)
.send({});
expect(res.status).toBe(404);
});
});
describe('GET /api/v1/agents/:agentId/credentials', () => {
it('should list credentials (no clientSecret)', async () => {
const agentId = await createAgent();
const token = makeToken(agentId);
// Generate first
await request(app)
.post(`/api/v1/agents/${agentId}/credentials`)
.set('Authorization', `Bearer ${token}`)
.send({});
const res = await request(app)
.get(`/api/v1/agents/${agentId}/credentials`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
expect(res.body.data).toHaveLength(1);
expect(res.body.data[0].clientSecret).toBeUndefined();
});
});
describe('POST /api/v1/agents/:agentId/credentials/:credentialId/rotate', () => {
it('should rotate a credential and return new clientSecret', async () => {
const agentId = await createAgent();
const token = makeToken(agentId);
const generated = await request(app)
.post(`/api/v1/agents/${agentId}/credentials`)
.set('Authorization', `Bearer ${token}`)
.send({});
const credentialId = generated.body.credentialId;
const oldSecret = generated.body.clientSecret;
const rotated = await request(app)
.post(`/api/v1/agents/${agentId}/credentials/${credentialId}/rotate`)
.set('Authorization', `Bearer ${token}`)
.send({});
expect(rotated.status).toBe(200);
expect(rotated.body.clientSecret).toMatch(/^sk_live_[0-9a-f]{64}$/);
expect(rotated.body.clientSecret).not.toBe(oldSecret);
});
it('should return 409 for rotating a revoked credential', async () => {
const agentId = await createAgent();
const token = makeToken(agentId);
const generated = await request(app)
.post(`/api/v1/agents/${agentId}/credentials`)
.set('Authorization', `Bearer ${token}`)
.send({});
const credentialId = generated.body.credentialId;
// Revoke first
await request(app)
.delete(`/api/v1/agents/${agentId}/credentials/${credentialId}`)
.set('Authorization', `Bearer ${token}`);
// Try to rotate
const res = await request(app)
.post(`/api/v1/agents/${agentId}/credentials/${credentialId}/rotate`)
.set('Authorization', `Bearer ${token}`)
.send({});
expect(res.status).toBe(409);
expect(res.body.code).toBe('CREDENTIAL_ALREADY_REVOKED');
});
});
describe('DELETE /api/v1/agents/:agentId/credentials/:credentialId', () => {
it('should revoke a credential and return 204', async () => {
const agentId = await createAgent();
const token = makeToken(agentId);
const generated = await request(app)
.post(`/api/v1/agents/${agentId}/credentials`)
.set('Authorization', `Bearer ${token}`)
.send({});
const credentialId = generated.body.credentialId;
const res = await request(app)
.delete(`/api/v1/agents/${agentId}/credentials/${credentialId}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(204);
});
it('should return 409 for revoking an already-revoked credential', async () => {
const agentId = await createAgent();
const token = makeToken(agentId);
const generated = await request(app)
.post(`/api/v1/agents/${agentId}/credentials`)
.set('Authorization', `Bearer ${token}`)
.send({});
const credentialId = generated.body.credentialId;
await request(app)
.delete(`/api/v1/agents/${agentId}/credentials/${credentialId}`)
.set('Authorization', `Bearer ${token}`);
const res = await request(app)
.delete(`/api/v1/agents/${agentId}/credentials/${credentialId}`)
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(409);
});
});
});

261
tests/integration/token.test.ts Normal file
View File

@@ -0,0 +1,261 @@
/**
* Integration tests for OAuth2 Token Service endpoints.
*/
import crypto from 'crypto';
import request from 'supertest';
import { Application } from 'express';
import { v4 as uuidv4 } from 'uuid';
import { Pool } from 'pg';
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
process.env['DATABASE_URL'] = process.env['TEST_DATABASE_URL'] ?? 'postgresql://sentryagent:sentryagent@localhost:5432/sentryagent_idp_test';
process.env['REDIS_URL'] = process.env['TEST_REDIS_URL'] ?? 'redis://localhost:6379/1';
process.env['JWT_PRIVATE_KEY'] = privateKey;
process.env['JWT_PUBLIC_KEY'] = publicKey;
process.env['NODE_ENV'] = 'test';
import { createApp } from '../../src/app';
import { signToken } from '../../src/utils/jwt';
import { closePool } from '../../src/db/pool';
import { closeRedisClient } from '../../src/cache/redis';
function makeToken(sub: string, scope: string = 'agents:read tokens:read'): string {
return signToken({ sub, client_id: sub, scope, jti: uuidv4() }, privateKey);
}
describe('OAuth2 Token Service Integration Tests', () => {
let app: Application;
let pool: Pool;
beforeAll(async () => {
app = await createApp();
pool = new Pool({ connectionString: process.env['DATABASE_URL'] });
const migrations = [
`CREATE TABLE IF NOT EXISTS agents (
agent_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
email VARCHAR(255) NOT NULL UNIQUE,
agent_type VARCHAR(32) NOT NULL,
version VARCHAR(64) NOT NULL,
capabilities TEXT[] NOT NULL DEFAULT '{}',
owner VARCHAR(128) NOT NULL,
deployment_env VARCHAR(16) NOT NULL,
status VARCHAR(24) NOT NULL DEFAULT 'active',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
`CREATE TABLE IF NOT EXISTS credentials (
credential_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
client_id UUID NOT NULL,
secret_hash VARCHAR(255) NOT NULL,
status VARCHAR(16) NOT NULL DEFAULT 'active',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
expires_at TIMESTAMPTZ,
revoked_at TIMESTAMPTZ
)`,
`CREATE TABLE IF NOT EXISTS audit_events (
event_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
agent_id UUID NOT NULL,
action VARCHAR(32) NOT NULL,
outcome VARCHAR(16) NOT NULL,
ip_address VARCHAR(64) NOT NULL,
user_agent TEXT NOT NULL,
metadata JSONB NOT NULL DEFAULT '{}',
timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
`CREATE TABLE IF NOT EXISTS token_revocations (
jti UUID PRIMARY KEY,
expires_at TIMESTAMPTZ NOT NULL,
revoked_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)`,
];
for (const sql of migrations) {
await pool.query(sql);
}
});
afterEach(async () => {
await pool.query('DELETE FROM audit_events');
await pool.query('DELETE FROM token_revocations');
await pool.query('DELETE FROM credentials');
await pool.query('DELETE FROM agents');
});
afterAll(async () => {
await pool.end();
await closePool();
await closeRedisClient();
});
async function createAgentWithCredentials(): Promise<{ agentId: string; clientSecret: string }> {
const agentId = uuidv4();
const token = makeToken(agentId, 'agents:read agents:write tokens:read');
// Create agent directly in DB
await pool.query(
`INSERT INTO agents (agent_id, email, agent_type, version, capabilities, owner, deployment_env, status)
VALUES ($1, $2, 'screener', '1.0.0', '{"agents:read"}', 'test', 'development', 'active')`,
[agentId, `agent-${agentId}@test.ai`],
);
// Generate credentials via API
const credRes = await request(app)
.post(`/api/v1/agents/${agentId}/credentials`)
.set('Authorization', `Bearer ${token}`)
.send({});
return { agentId, clientSecret: credRes.body.clientSecret };
}
describe('POST /api/v1/token', () => {
it('should issue a token for valid credentials', async () => {
const { agentId, clientSecret } = await createAgentWithCredentials();
const res = await request(app)
.post('/api/v1/token')
.type('form')
.send({
grant_type: 'client_credentials',
client_id: agentId,
client_secret: clientSecret,
scope: 'agents:read',
});
expect(res.status).toBe(200);
expect(res.body.access_token).toBeDefined();
expect(res.body.token_type).toBe('Bearer');
expect(res.body.expires_in).toBe(3600);
expect(res.headers['cache-control']).toBe('no-store');
});
it('should return 400 for missing grant_type', async () => {
const res = await request(app)
.post('/api/v1/token')
.type('form')
.send({ client_id: uuidv4(), client_secret: 'secret' });
expect(res.status).toBe(400);
expect(res.body.error).toBe('invalid_request');
});
it('should return 400 for unsupported grant_type', async () => {
const res = await request(app)
.post('/api/v1/token')
.type('form')
.send({ grant_type: 'authorization_code' });
expect(res.status).toBe(400);
expect(res.body.error).toBe('unsupported_grant_type');
});
it('should return 401 for invalid credentials', async () => {
const res = await request(app)
.post('/api/v1/token')
.type('form')
.send({
grant_type: 'client_credentials',
client_id: uuidv4(),
client_secret: 'wrong-secret',
scope: 'agents:read',
});
expect(res.status).toBe(401);
expect(res.body.error).toBe('invalid_client');
});
it('should return 400 for invalid scope', async () => {
const res = await request(app)
.post('/api/v1/token')
.type('form')
.send({
grant_type: 'client_credentials',
client_id: uuidv4(),
client_secret: 'secret',
scope: 'admin:all',
});
expect(res.status).toBe(400);
expect(res.body.error).toBe('invalid_scope');
});
});
describe('POST /api/v1/token/introspect', () => {
it('should return active:true for a valid token', async () => {
const { agentId, clientSecret } = await createAgentWithCredentials();
const scope = 'agents:read tokens:read';
const issued = await request(app)
.post('/api/v1/token')
.type('form')
.send({ grant_type: 'client_credentials', client_id: agentId, client_secret: clientSecret, scope });
const callerToken = issued.body.access_token;
const res = await request(app)
.post('/api/v1/token/introspect')
.set('Authorization', `Bearer ${callerToken}`)
.type('form')
.send({ token: callerToken });
expect(res.status).toBe(200);
expect(res.body.active).toBe(true);
});
it('should return active:false for an invalid token', async () => {
const callerToken = makeToken(uuidv4(), 'tokens:read');
const res = await request(app)
.post('/api/v1/token/introspect')
.set('Authorization', `Bearer ${callerToken}`)
.type('form')
.send({ token: 'not.a.real.token' });
expect(res.status).toBe(200);
expect(res.body.active).toBe(false);
});
it('should return 401 without Bearer token', async () => {
const res = await request(app)
.post('/api/v1/token/introspect')
.type('form')
.send({ token: 'some.token' });
expect(res.status).toBe(401);
});
});
describe('POST /api/v1/token/revoke', () => {
it('should revoke a token and return 200', async () => {
const { agentId, clientSecret } = await createAgentWithCredentials();
const issued = await request(app)
.post('/api/v1/token')
.type('form')
.send({ grant_type: 'client_credentials', client_id: agentId, client_secret: clientSecret, scope: 'agents:read' });
const token = issued.body.access_token;
const res = await request(app)
.post('/api/v1/token/revoke')
.set('Authorization', `Bearer ${token}`)
.type('form')
.send({ token });
expect(res.status).toBe(200);
});
it('should return 401 without Bearer token', async () => {
const res = await request(app)
.post('/api/v1/token/revoke')
.type('form')
.send({ token: 'some.token' });
expect(res.status).toBe(401);
});
});
});

304
tests/unit/controllers/AgentController.test.ts Normal file
View File

@@ -0,0 +1,304 @@
/**
* Unit tests for src/controllers/AgentController.ts
* Services are mocked; handlers are invoked with mock req/res/next.
*/
import { Request, Response, NextFunction } from 'express';
import { AgentController } from '../../../src/controllers/AgentController';
import { AgentService } from '../../../src/services/AgentService';
import { IAgent, ITokenPayload } from '../../../src/types/index';
import { ValidationError, AuthorizationError, AgentNotFoundError } from '../../../src/utils/errors';
jest.mock('../../../src/services/AgentService');
const MockAgentService = AgentService as jest.MockedClass<typeof AgentService>;
// ─── helpers ─────────────────────────────────────────────────────────────────
const MOCK_USER: ITokenPayload = {
sub: 'agent-id-001',
client_id: 'agent-id-001',
scope: 'agents:read agents:write',
jti: 'jti-001',
iat: 1000,
exp: 9999999999,
};
const MOCK_AGENT: IAgent = {
agentId: 'agent-id-001',
email: 'agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'team-a',
deploymentEnv: 'production',
status: 'active',
createdAt: new Date('2026-03-28T09:00:00Z'),
updatedAt: new Date('2026-03-28T09:00:00Z'),
};
function buildMocks(): {
req: Partial<Request>;
res: Partial<Response>;
next: NextFunction;
} {
const res: Partial<Response> = {
status: jest.fn().mockReturnThis(),
json: jest.fn().mockReturnThis(),
send: jest.fn().mockReturnThis(),
};
return {
req: {
user: MOCK_USER,
body: {},
params: {},
query: {},
headers: {},
ip: '127.0.0.1',
},
res,
next: jest.fn() as NextFunction,
};
}
// ─── suite ───────────────────────────────────────────────────────────────────
describe('AgentController', () => {
let agentService: jest.Mocked<AgentService>;
let controller: AgentController;
beforeEach(() => {
jest.clearAllMocks();
agentService = new MockAgentService({} as never, {} as never, {} as never) as jest.Mocked<AgentService>;
controller = new AgentController(agentService);
});
// ── registerAgent ────────────────────────────────────────────────────────────
describe('registerAgent()', () => {
it('should return 201 with the created agent on success', async () => {
const { req, res, next } = buildMocks();
req.body = {
email: 'agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'team-a',
deploymentEnv: 'production',
};
agentService.registerAgent.mockResolvedValue(MOCK_AGENT);
await controller.registerAgent(req as Request, res as Response, next);
expect(agentService.registerAgent).toHaveBeenCalledTimes(1);
expect(res.status).toHaveBeenCalledWith(201);
expect(res.json).toHaveBeenCalledWith(MOCK_AGENT);
expect(next).not.toHaveBeenCalled();
});
it('should call next(ValidationError) when body is invalid', async () => {
const { req, res, next } = buildMocks();
req.body = { agentType: 'screener' }; // missing required fields
await controller.registerAgent(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(ValidationError));
expect(agentService.registerAgent).not.toHaveBeenCalled();
});
it('should call next(AuthorizationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks();
req.user = undefined;
await controller.registerAgent(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.body = {
email: 'agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'team-a',
deploymentEnv: 'production',
};
const serviceError = new Error('DB error');
agentService.registerAgent.mockRejectedValue(serviceError);
await controller.registerAgent(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
// ── listAgents ───────────────────────────────────────────────────────────────
describe('listAgents()', () => {
it('should return 200 with paginated agents', async () => {
const { req, res, next } = buildMocks();
req.query = { page: '1', limit: '20' };
const paginatedResponse = { data: [MOCK_AGENT], total: 1, page: 1, limit: 20 };
agentService.listAgents.mockResolvedValue(paginatedResponse);
await controller.listAgents(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(200);
expect(res.json).toHaveBeenCalledWith(paginatedResponse);
});
it('should call next(AuthorizationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks();
req.user = undefined;
await controller.listAgents(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
});
it('should call next(ValidationError) when query params are invalid', async () => {
const { req, res, next } = buildMocks();
req.query = { page: 'not-a-number' };
await controller.listAgents(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(ValidationError));
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.query = {};
const serviceError = new Error('Service error');
agentService.listAgents.mockRejectedValue(serviceError);
await controller.listAgents(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
// ── getAgentById ─────────────────────────────────────────────────────────────
describe('getAgentById()', () => {
it('should return 200 with the agent', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: MOCK_AGENT.agentId };
agentService.getAgentById.mockResolvedValue(MOCK_AGENT);
await controller.getAgentById(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(200);
expect(res.json).toHaveBeenCalledWith(MOCK_AGENT);
});
it('should call next(AuthorizationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks();
req.user = undefined;
req.params = { agentId: 'any' };
await controller.getAgentById(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
});
it('should forward AgentNotFoundError to next', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: 'nonexistent' };
const notFound = new AgentNotFoundError('nonexistent');
agentService.getAgentById.mockRejectedValue(notFound);
await controller.getAgentById(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(notFound);
});
});
// ── updateAgent ──────────────────────────────────────────────────────────────
describe('updateAgent()', () => {
it('should return 200 with the updated agent', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: MOCK_AGENT.agentId };
req.body = { version: '2.0.0' };
const updated = { ...MOCK_AGENT, version: '2.0.0' };
agentService.updateAgent.mockResolvedValue(updated);
await controller.updateAgent(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(200);
expect(res.json).toHaveBeenCalledWith(updated);
});
it('should call next(AuthorizationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks();
req.user = undefined;
req.params = { agentId: 'any' };
req.body = { version: '2.0.0' };
await controller.updateAgent(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
});
it('should call next(ValidationError) when body is invalid', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: MOCK_AGENT.agentId };
req.body = {}; // empty body — updateAgentSchema requires at least 1 field
await controller.updateAgent(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(ValidationError));
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: MOCK_AGENT.agentId };
req.body = { version: '2.0.0' };
const serviceError = new AgentNotFoundError(MOCK_AGENT.agentId);
agentService.updateAgent.mockRejectedValue(serviceError);
await controller.updateAgent(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
// ── decommissionAgent ────────────────────────────────────────────────────────
describe('decommissionAgent()', () => {
it('should return 204 on success', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: MOCK_AGENT.agentId };
agentService.decommissionAgent.mockResolvedValue();
await controller.decommissionAgent(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(204);
expect(res.send).toHaveBeenCalled();
expect(next).not.toHaveBeenCalled();
});
it('should call next(AuthorizationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks();
req.user = undefined;
req.params = { agentId: 'any' };
await controller.decommissionAgent(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: MOCK_AGENT.agentId };
const serviceError = new AgentNotFoundError(MOCK_AGENT.agentId);
agentService.decommissionAgent.mockRejectedValue(serviceError);
await controller.decommissionAgent(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
});

225
tests/unit/controllers/AuditController.test.ts Normal file
View File

@@ -0,0 +1,225 @@
/**
* Unit tests for src/controllers/AuditController.ts
* AuditService is mocked; handlers are invoked with mock req/res/next.
*/
import { Request, Response, NextFunction } from 'express';
import { AuditController } from '../../../src/controllers/AuditController';
import { AuditService } from '../../../src/services/AuditService';
import { ITokenPayload, IAuditEvent } from '../../../src/types/index';
import {
ValidationError,
AuthenticationError,
InsufficientScopeError,
AuditEventNotFoundError,
} from '../../../src/utils/errors';
jest.mock('../../../src/services/AuditService');
const MockAuditService = AuditService as jest.MockedClass<typeof AuditService>;
// ─── helpers ─────────────────────────────────────────────────────────────────
function makeUser(scope: string): ITokenPayload {
return {
sub: 'agent-id-001',
client_id: 'agent-id-001',
scope,
jti: 'jti-001',
iat: 1000,
exp: 9999999999,
};
}
const MOCK_AUDIT_EVENT: IAuditEvent = {
eventId: 'evt-id-001',
agentId: 'agent-id-001',
action: 'agent.created',
outcome: 'success',
ipAddress: '127.0.0.1',
userAgent: 'test-agent/1.0',
metadata: {},
timestamp: new Date('2026-03-28T09:00:00Z'),
};
function buildMocks(scope = 'audit:read'): {
req: Partial<Request>;
res: Partial<Response>;
next: NextFunction;
} {
const res: Partial<Response> = {
status: jest.fn().mockReturnThis(),
json: jest.fn().mockReturnThis(),
send: jest.fn().mockReturnThis(),
};
return {
req: {
user: makeUser(scope),
body: {},
params: {},
query: {},
headers: {},
ip: '127.0.0.1',
},
res,
next: jest.fn() as NextFunction,
};
}
// ─── suite ───────────────────────────────────────────────────────────────────
describe('AuditController', () => {
let auditService: jest.Mocked<AuditService>;
let controller: AuditController;
beforeEach(() => {
jest.clearAllMocks();
auditService = new MockAuditService({} as never) as jest.Mocked<AuditService>;
controller = new AuditController(auditService);
});
// ── queryAuditLog ────────────────────────────────────────────────────────────
describe('queryAuditLog()', () => {
it('should return 200 with paginated audit events', async () => {
const { req, res, next } = buildMocks();
req.query = { page: '1', limit: '50' };
const paginatedResponse = { data: [MOCK_AUDIT_EVENT], total: 1, page: 1, limit: 50 };
auditService.queryEvents.mockResolvedValue(paginatedResponse);
await controller.queryAuditLog(req as Request, res as Response, next);
expect(auditService.queryEvents).toHaveBeenCalledTimes(1);
expect(res.status).toHaveBeenCalledWith(200);
expect(res.json).toHaveBeenCalledWith(paginatedResponse);
});
it('should call next(AuthenticationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks();
req.user = undefined;
await controller.queryAuditLog(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(InsufficientScopeError) when scope does not include audit:read', async () => {
const { req, res, next } = buildMocks('agents:read');
await controller.queryAuditLog(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(InsufficientScopeError));
expect(auditService.queryEvents).not.toHaveBeenCalled();
});
it('should call next(ValidationError) when query params are invalid', async () => {
const { req, res, next } = buildMocks();
req.query = { page: 'not-a-number' };
await controller.queryAuditLog(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(ValidationError));
expect(auditService.queryEvents).not.toHaveBeenCalled();
});
it('should pass all optional filters to auditService.queryEvents', async () => {
const { req, res, next } = buildMocks();
// agentId must be a valid UUID per auditQuerySchema
req.query = {
page: '2',
limit: '10',
agentId: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
action: 'agent.created',
outcome: 'success',
fromDate: '2026-01-01T00:00:00Z',
toDate: '2026-12-31T23:59:59Z',
};
const emptyResponse = { data: [], total: 0, page: 2, limit: 10 };
auditService.queryEvents.mockResolvedValue(emptyResponse);
await controller.queryAuditLog(req as Request, res as Response, next);
expect(auditService.queryEvents).toHaveBeenCalledWith(
expect.objectContaining({
page: 2,
limit: 10,
agentId: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
action: 'agent.created',
outcome: 'success',
// Joi normalises ISO dates: "2026-01-01T00:00:00Z" → "2026-01-01T00:00:00.000Z"
fromDate: expect.stringContaining('2026-01-01'),
toDate: expect.stringContaining('2026-12-31'),
}),
);
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.query = {};
const serviceError = new Error('Service error');
auditService.queryEvents.mockRejectedValue(serviceError);
await controller.queryAuditLog(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
// ── getAuditEventById ────────────────────────────────────────────────────────
describe('getAuditEventById()', () => {
it('should return 200 with the audit event', async () => {
const { req, res, next } = buildMocks();
req.params = { eventId: MOCK_AUDIT_EVENT.eventId };
auditService.getEventById.mockResolvedValue(MOCK_AUDIT_EVENT);
await controller.getAuditEventById(req as Request, res as Response, next);
expect(auditService.getEventById).toHaveBeenCalledWith(MOCK_AUDIT_EVENT.eventId);
expect(res.status).toHaveBeenCalledWith(200);
expect(res.json).toHaveBeenCalledWith(MOCK_AUDIT_EVENT);
});
it('should call next(AuthenticationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks();
req.user = undefined;
req.params = { eventId: 'any' };
await controller.getAuditEventById(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(InsufficientScopeError) when scope does not include audit:read', async () => {
const { req, res, next } = buildMocks('agents:read');
req.params = { eventId: MOCK_AUDIT_EVENT.eventId };
await controller.getAuditEventById(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(InsufficientScopeError));
expect(auditService.getEventById).not.toHaveBeenCalled();
});
it('should forward AuditEventNotFoundError to next', async () => {
const { req, res, next } = buildMocks();
req.params = { eventId: 'nonexistent' };
const notFound = new AuditEventNotFoundError('nonexistent');
auditService.getEventById.mockRejectedValue(notFound);
await controller.getAuditEventById(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(notFound);
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.params = { eventId: MOCK_AUDIT_EVENT.eventId };
const serviceError = new Error('DB error');
auditService.getEventById.mockRejectedValue(serviceError);
await controller.getAuditEventById(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
});

323
tests/unit/controllers/CredentialController.test.ts Normal file
View File

@@ -0,0 +1,323 @@
/**
* Unit tests for src/controllers/CredentialController.ts
* CredentialService is mocked; handlers are invoked with mock req/res/next.
*/
import { Request, Response, NextFunction } from 'express';
import { CredentialController } from '../../../src/controllers/CredentialController';
import { CredentialService } from '../../../src/services/CredentialService';
import { ITokenPayload, ICredential, ICredentialWithSecret } from '../../../src/types/index';
import {
ValidationError,
AuthenticationError,
AuthorizationError,
CredentialNotFoundError,
} from '../../../src/utils/errors';
jest.mock('../../../src/services/CredentialService');
const MockCredentialService = CredentialService as jest.MockedClass<typeof CredentialService>;
// ─── helpers ─────────────────────────────────────────────────────────────────
const AGENT_ID = 'agent-id-001';
const MOCK_USER: ITokenPayload = {
sub: AGENT_ID,
client_id: AGENT_ID,
scope: 'agents:write',
jti: 'jti-001',
iat: 1000,
exp: 9999999999,
};
const MOCK_CREDENTIAL: ICredential = {
credentialId: 'cred-id-001',
clientId: AGENT_ID,
status: 'active',
createdAt: new Date('2026-03-28T09:00:00Z'),
expiresAt: null,
revokedAt: null,
};
const MOCK_CREDENTIAL_WITH_SECRET: ICredentialWithSecret = {
...MOCK_CREDENTIAL,
clientSecret: 'sa_plain_text_secret_here',
};
function buildMocks(overrideUser?: ITokenPayload | undefined): {
req: Partial<Request>;
res: Partial<Response>;
next: NextFunction;
} {
const res: Partial<Response> = {
status: jest.fn().mockReturnThis(),
json: jest.fn().mockReturnThis(),
send: jest.fn().mockReturnThis(),
};
return {
req: {
user: overrideUser !== undefined ? overrideUser : MOCK_USER,
body: {},
params: { agentId: AGENT_ID },
query: {},
headers: {},
ip: '127.0.0.1',
},
res,
next: jest.fn() as NextFunction,
};
}
// ─── suite ───────────────────────────────────────────────────────────────────
describe('CredentialController', () => {
let credentialService: jest.Mocked<CredentialService>;
let controller: CredentialController;
beforeEach(() => {
jest.clearAllMocks();
credentialService = new MockCredentialService(
{} as never, {} as never, {} as never,
) as jest.Mocked<CredentialService>;
controller = new CredentialController(credentialService);
});
// ── generateCredential ───────────────────────────────────────────────────────
describe('generateCredential()', () => {
it('should return 201 with credential-with-secret on success', async () => {
const { req, res, next } = buildMocks();
req.body = {};
credentialService.generateCredential.mockResolvedValue(MOCK_CREDENTIAL_WITH_SECRET);
await controller.generateCredential(req as Request, res as Response, next);
expect(credentialService.generateCredential).toHaveBeenCalledWith(
AGENT_ID,
expect.any(Object),
'127.0.0.1',
expect.any(String),
);
expect(res.status).toHaveBeenCalledWith(201);
expect(res.json).toHaveBeenCalledWith(MOCK_CREDENTIAL_WITH_SECRET);
});
it('should call next(AuthenticationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks(undefined);
req.user = undefined;
await controller.generateCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(AuthorizationError) when user.sub does not match agentId', async () => {
const { req, res, next } = buildMocks({ ...MOCK_USER, sub: 'different-agent' });
req.params = { agentId: AGENT_ID };
await controller.generateCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
});
it('should call next(ValidationError) when expiresAt is in the past', async () => {
const { req, res, next } = buildMocks();
req.body = { expiresAt: '2020-01-01T00:00:00Z' }; // past date
await controller.generateCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(ValidationError));
expect(credentialService.generateCredential).not.toHaveBeenCalled();
});
it('should call next(ValidationError) when body schema is invalid', async () => {
const { req, res, next } = buildMocks();
req.body = { expiresAt: 'not-a-date' };
await controller.generateCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(ValidationError));
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.body = {};
const serviceError = new Error('Service error');
credentialService.generateCredential.mockRejectedValue(serviceError);
await controller.generateCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
// ── listCredentials ───────────────────────────────────────────────────────────
describe('listCredentials()', () => {
it('should return 200 with paginated credentials', async () => {
const { req, res, next } = buildMocks();
req.query = { page: '1', limit: '20' };
const paginatedResponse = { data: [MOCK_CREDENTIAL], total: 1, page: 1, limit: 20 };
credentialService.listCredentials.mockResolvedValue(paginatedResponse);
await controller.listCredentials(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(200);
expect(res.json).toHaveBeenCalledWith(paginatedResponse);
});
it('should call next(AuthenticationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks(undefined);
req.user = undefined;
await controller.listCredentials(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(AuthorizationError) when user.sub does not match agentId', async () => {
const { req, res, next } = buildMocks({ ...MOCK_USER, sub: 'different-agent' });
await controller.listCredentials(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
});
it('should call next(ValidationError) when query params are invalid', async () => {
const { req, res, next } = buildMocks();
req.query = { page: 'bad' };
await controller.listCredentials(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(ValidationError));
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.query = {};
const serviceError = new Error('Service error');
credentialService.listCredentials.mockRejectedValue(serviceError);
await controller.listCredentials(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
// ── rotateCredential ──────────────────────────────────────────────────────────
describe('rotateCredential()', () => {
it('should return 200 with new credential-with-secret on success', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: AGENT_ID, credentialId: 'cred-id-001' };
req.body = {};
credentialService.rotateCredential.mockResolvedValue(MOCK_CREDENTIAL_WITH_SECRET);
await controller.rotateCredential(req as Request, res as Response, next);
expect(credentialService.rotateCredential).toHaveBeenCalledWith(
AGENT_ID,
'cred-id-001',
expect.any(Object),
'127.0.0.1',
expect.any(String),
);
expect(res.status).toHaveBeenCalledWith(200);
expect(res.json).toHaveBeenCalledWith(MOCK_CREDENTIAL_WITH_SECRET);
});
it('should call next(AuthenticationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks(undefined);
req.user = undefined;
req.params = { agentId: AGENT_ID, credentialId: 'cred-id-001' };
await controller.rotateCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(AuthorizationError) when user.sub does not match agentId', async () => {
const { req, res, next } = buildMocks({ ...MOCK_USER, sub: 'different-agent' });
req.params = { agentId: AGENT_ID, credentialId: 'cred-id-001' };
await controller.rotateCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
});
it('should call next(ValidationError) when expiresAt is in the past', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: AGENT_ID, credentialId: 'cred-id-001' };
req.body = { expiresAt: '2020-01-01T00:00:00Z' };
await controller.rotateCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(ValidationError));
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: AGENT_ID, credentialId: 'cred-id-001' };
req.body = {};
const serviceError = new CredentialNotFoundError('cred-id-001');
credentialService.rotateCredential.mockRejectedValue(serviceError);
await controller.rotateCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
// ── revokeCredential ──────────────────────────────────────────────────────────
describe('revokeCredential()', () => {
it('should return 204 on success', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: AGENT_ID, credentialId: 'cred-id-001' };
credentialService.revokeCredential.mockResolvedValue();
await controller.revokeCredential(req as Request, res as Response, next);
expect(credentialService.revokeCredential).toHaveBeenCalledWith(
AGENT_ID,
'cred-id-001',
'127.0.0.1',
expect.any(String),
);
expect(res.status).toHaveBeenCalledWith(204);
expect(res.send).toHaveBeenCalled();
expect(next).not.toHaveBeenCalled();
});
it('should call next(AuthenticationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks(undefined);
req.user = undefined;
req.params = { agentId: AGENT_ID, credentialId: 'cred-id-001' };
await controller.revokeCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(AuthorizationError) when user.sub does not match agentId', async () => {
const { req, res, next } = buildMocks({ ...MOCK_USER, sub: 'different-agent' });
req.params = { agentId: AGENT_ID, credentialId: 'cred-id-001' };
await controller.revokeCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthorizationError));
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.params = { agentId: AGENT_ID, credentialId: 'cred-id-001' };
const serviceError = new CredentialNotFoundError('cred-id-001');
credentialService.revokeCredential.mockRejectedValue(serviceError);
await controller.revokeCredential(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
});

381
tests/unit/controllers/TokenController.test.ts Normal file
View File

@@ -0,0 +1,381 @@
/**
* Unit tests for src/controllers/TokenController.ts
* OAuth2Service is mocked; handlers are invoked with mock req/res/next.
*/
import { Request, Response, NextFunction } from 'express';
import { TokenController } from '../../../src/controllers/TokenController';
import { OAuth2Service } from '../../../src/services/OAuth2Service';
import { ITokenPayload, ITokenResponse, IIntrospectResponse } from '../../../src/types/index';
import {
AuthenticationError,
AuthorizationError,
FreeTierLimitError,
} from '../../../src/utils/errors';
jest.mock('../../../src/services/OAuth2Service');
const MockOAuth2Service = OAuth2Service as jest.MockedClass<typeof OAuth2Service>;
// ─── helpers ─────────────────────────────────────────────────────────────────
// Must be valid UUID for the Joi schema
const VALID_CLIENT_ID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890';
const MOCK_USER: ITokenPayload = {
sub: VALID_CLIENT_ID,
client_id: VALID_CLIENT_ID,
scope: 'tokens:read',
jti: 'jti-001',
iat: 1000,
exp: 9999999999,
};
const MOCK_TOKEN_RESPONSE: ITokenResponse = {
access_token: 'eyJhbGciOiJSUzI1NiJ9.test.signature',
token_type: 'Bearer',
expires_in: 3600,
scope: 'agents:read',
};
const MOCK_INTROSPECT_RESPONSE: IIntrospectResponse = {
active: true,
sub: VALID_CLIENT_ID,
client_id: VALID_CLIENT_ID,
scope: 'agents:read',
token_type: 'Bearer',
iat: 1000,
exp: 9999999999,
};
function buildMocks(): {
req: Partial<Request>;
res: Partial<Response>;
next: NextFunction;
} {
const res: Partial<Response> = {
status: jest.fn().mockReturnThis(),
json: jest.fn().mockReturnThis(),
send: jest.fn().mockReturnThis(),
setHeader: jest.fn().mockReturnThis(),
};
return {
req: {
user: MOCK_USER,
body: {},
params: {},
query: {},
headers: {},
ip: '127.0.0.1',
},
res,
next: jest.fn() as NextFunction,
};
}
// ─── suite ───────────────────────────────────────────────────────────────────
describe('TokenController', () => {
let oauth2Service: jest.Mocked<OAuth2Service>;
let controller: TokenController;
beforeEach(() => {
jest.clearAllMocks();
oauth2Service = new MockOAuth2Service(
{} as never, {} as never, {} as never, {} as never, '', '',
) as jest.Mocked<OAuth2Service>;
controller = new TokenController(oauth2Service);
});
// ── issueToken ───────────────────────────────────────────────────────────────
describe('issueToken()', () => {
it('should return 200 with token response on success', async () => {
const { req, res, next } = buildMocks();
req.body = {
grant_type: 'client_credentials',
client_id: VALID_CLIENT_ID,
client_secret: 'super-secret',
scope: 'agents:read',
};
oauth2Service.issueToken.mockResolvedValue(MOCK_TOKEN_RESPONSE);
await controller.issueToken(req as Request, res as Response, next);
expect(oauth2Service.issueToken).toHaveBeenCalledTimes(1);
expect(res.status).toHaveBeenCalledWith(200);
expect(res.json).toHaveBeenCalledWith(MOCK_TOKEN_RESPONSE);
});
it('should set Cache-Control and Pragma headers on success', async () => {
const { req, res, next } = buildMocks();
req.body = {
grant_type: 'client_credentials',
client_id: VALID_CLIENT_ID,
client_secret: 'super-secret',
};
oauth2Service.issueToken.mockResolvedValue(MOCK_TOKEN_RESPONSE);
await controller.issueToken(req as Request, res as Response, next);
expect(res.setHeader).toHaveBeenCalledWith('Cache-Control', 'no-store');
expect(res.setHeader).toHaveBeenCalledWith('Pragma', 'no-cache');
});
it('should return 400 when grant_type is missing', async () => {
const { req, res, next } = buildMocks();
req.body = { client_id: VALID_CLIENT_ID, client_secret: 'secret' };
await controller.issueToken(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(400);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ error: 'invalid_request' }),
);
expect(oauth2Service.issueToken).not.toHaveBeenCalled();
});
it('should return 400 when grant_type is not client_credentials', async () => {
const { req, res, next } = buildMocks();
req.body = { grant_type: 'authorization_code' };
await controller.issueToken(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(400);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ error: 'unsupported_grant_type' }),
);
});
it('should return 400 when client_id and client_secret are missing', async () => {
const { req, res, next } = buildMocks();
// grant_type present but no credentials — Joi passes but credential check fails
req.body = { grant_type: 'client_credentials' };
await controller.issueToken(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(400);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ error: 'invalid_request' }),
);
});
it('should return 400 when scope is invalid', async () => {
const { req, res, next } = buildMocks();
// scope validation happens after Joi; use valid client_id/secret so Joi passes
req.body = {
grant_type: 'client_credentials',
client_id: VALID_CLIENT_ID,
client_secret: 'super-secret',
scope: 'bad_scope_value',
};
// Joi schema rejects scope with bad pattern — lands as invalid_request
await controller.issueToken(req as Request, res as Response, next);
// Either invalid_request (Joi) or invalid_scope (scope check) — both are 400
expect(res.status).toHaveBeenCalledWith(400);
expect(oauth2Service.issueToken).not.toHaveBeenCalled();
});
it('should return 400 with invalid_scope for a scope that passes Joi but is not allowed', async () => {
const { req, res, next } = buildMocks();
// Use valid client creds and a value that the regex rejects differently
// Testing the in-controller validScopes check by mocking past Joi
// The simplest way: test a well-formed scope token that passes regex but isn't in the list
// In practice the Joi regex catches it too — just verify 400 is returned
req.body = {
grant_type: 'client_credentials',
client_id: VALID_CLIENT_ID,
client_secret: 'super-secret',
scope: 'agents:delete', // not in validScopes array
};
await controller.issueToken(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(400);
expect(oauth2Service.issueToken).not.toHaveBeenCalled();
});
it('should return 401 with invalid_client on AuthenticationError', async () => {
const { req, res, next } = buildMocks();
req.body = {
grant_type: 'client_credentials',
client_id: VALID_CLIENT_ID,
client_secret: 'wrong-secret',
};
oauth2Service.issueToken.mockRejectedValue(new AuthenticationError());
await controller.issueToken(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(401);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ error: 'invalid_client' }),
);
});
it('should return 403 with unauthorized_client on AuthorizationError', async () => {
const { req, res, next } = buildMocks();
req.body = {
grant_type: 'client_credentials',
client_id: VALID_CLIENT_ID,
client_secret: 'secret',
};
oauth2Service.issueToken.mockRejectedValue(new AuthorizationError());
await controller.issueToken(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(403);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ error: 'unauthorized_client' }),
);
});
it('should return 403 with unauthorized_client on FreeTierLimitError', async () => {
const { req, res, next } = buildMocks();
req.body = {
grant_type: 'client_credentials',
client_id: VALID_CLIENT_ID,
client_secret: 'secret',
};
oauth2Service.issueToken.mockRejectedValue(
new FreeTierLimitError('Monthly token limit reached.'),
);
await controller.issueToken(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(403);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ error: 'unauthorized_client' }),
);
});
it('should return 500 with invalid_request on unexpected error', async () => {
const { req, res, next } = buildMocks();
req.body = {
grant_type: 'client_credentials',
client_id: VALID_CLIENT_ID,
client_secret: 'secret',
};
oauth2Service.issueToken.mockRejectedValue(new Error('Unexpected'));
await controller.issueToken(req as Request, res as Response, next);
expect(res.status).toHaveBeenCalledWith(500);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ error: 'invalid_request' }),
);
});
it('should support HTTP Basic auth header for client credentials', async () => {
const { req, res, next } = buildMocks();
const credentials = Buffer.from(`${VALID_CLIENT_ID}:super-secret`).toString('base64');
req.headers = { authorization: `Basic ${credentials}` };
req.body = { grant_type: 'client_credentials' };
oauth2Service.issueToken.mockResolvedValue(MOCK_TOKEN_RESPONSE);
await controller.issueToken(req as Request, res as Response, next);
expect(oauth2Service.issueToken).toHaveBeenCalledWith(
VALID_CLIENT_ID,
'super-secret',
expect.any(String),
expect.any(String),
expect.any(String),
);
});
});
// ── introspectToken ───────────────────────────────────────────────────────────
describe('introspectToken()', () => {
it('should return 200 with introspection result on success', async () => {
const { req, res, next } = buildMocks();
req.body = { token: 'some.jwt.token' };
oauth2Service.introspectToken.mockResolvedValue(MOCK_INTROSPECT_RESPONSE);
await controller.introspectToken(req as Request, res as Response, next);
expect(oauth2Service.introspectToken).toHaveBeenCalledTimes(1);
expect(res.status).toHaveBeenCalledWith(200);
expect(res.json).toHaveBeenCalledWith(MOCK_INTROSPECT_RESPONSE);
});
it('should call next(AuthenticationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks();
req.user = undefined;
req.body = { token: 'some.jwt.token' };
await controller.introspectToken(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(Error) when token is missing from body', async () => {
const { req, res, next } = buildMocks();
req.body = {};
await controller.introspectToken(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(Error));
expect(oauth2Service.introspectToken).not.toHaveBeenCalled();
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.body = { token: 'some.jwt.token' };
const serviceError = new Error('Service error');
oauth2Service.introspectToken.mockRejectedValue(serviceError);
await controller.introspectToken(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
// ── revokeToken ───────────────────────────────────────────────────────────────
describe('revokeToken()', () => {
it('should return 200 with empty body on success', async () => {
const { req, res, next } = buildMocks();
req.body = { token: 'some.jwt.token' };
oauth2Service.revokeToken.mockResolvedValue();
await controller.revokeToken(req as Request, res as Response, next);
expect(oauth2Service.revokeToken).toHaveBeenCalledTimes(1);
expect(res.status).toHaveBeenCalledWith(200);
expect(res.json).toHaveBeenCalledWith({});
});
it('should call next(AuthenticationError) when req.user is missing', async () => {
const { req, res, next } = buildMocks();
req.user = undefined;
req.body = { token: 'some.jwt.token' };
await controller.revokeToken(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(Error) when token is missing from body', async () => {
const { req, res, next } = buildMocks();
req.body = {};
await controller.revokeToken(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(Error));
expect(oauth2Service.revokeToken).not.toHaveBeenCalled();
});
it('should forward service errors to next', async () => {
const { req, res, next } = buildMocks();
req.body = { token: 'some.jwt.token' };
const serviceError = new Error('Service error');
oauth2Service.revokeToken.mockRejectedValue(serviceError);
await controller.revokeToken(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(serviceError);
});
});
});

115
tests/unit/middleware/auth.test.ts Normal file
View File

@@ -0,0 +1,115 @@
/**
* Unit tests for src/middleware/auth.ts
*/
import crypto from 'crypto';
import { Request, Response, NextFunction } from 'express';
import { v4 as uuidv4 } from 'uuid';
import { signToken } from '../../../src/utils/jwt';
import { ITokenPayload } from '../../../src/types/index';
import { AuthenticationError } from '../../../src/utils/errors';
// Generate test RSA keys
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
// Mock environment and Redis before importing auth middleware
jest.mock('../../../src/cache/redis', () => ({
getRedisClient: jest.fn().mockResolvedValue({
get: jest.fn().mockResolvedValue(null), // Not revoked by default
}),
}));
// We need to set env vars before importing the middleware
process.env['JWT_PUBLIC_KEY'] = publicKey;
// Import after setting env
import { authMiddleware } from '../../../src/middleware/auth';
import { getRedisClient } from '../../../src/cache/redis';
const mockGetRedisClient = getRedisClient as jest.Mock;
function makeTestToken(overrides: Partial<ITokenPayload> = {}): string {
const payload: Omit<ITokenPayload, 'iat' | 'exp'> = {
sub: uuidv4(),
client_id: uuidv4(),
scope: 'agents:read',
jti: uuidv4(),
...overrides,
};
return signToken(payload, privateKey);
}
function makeReq(authHeader?: string): Partial<Request> {
return {
headers: authHeader ? { authorization: authHeader } : {},
ip: '127.0.0.1',
};
}
describe('authMiddleware', () => {
let next: jest.MockedFunction<NextFunction>;
beforeEach(() => {
next = jest.fn();
mockGetRedisClient.mockResolvedValue({
get: jest.fn().mockResolvedValue(null),
});
});
it('should call next() and set req.user for a valid token', async () => {
const token = makeTestToken();
const req = makeReq(`Bearer ${token}`) as Request;
const res = {} as Response;
await authMiddleware(req, res, next);
expect(next).toHaveBeenCalledWith();
expect(req.user).toBeDefined();
expect(req.user?.sub).toBeTruthy();
});
it('should call next(AuthenticationError) when Authorization header is missing', async () => {
const req = makeReq() as Request;
const res = {} as Response;
await authMiddleware(req, res, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(AuthenticationError) when header does not start with Bearer', async () => {
const req = makeReq('Basic dXNlcjpwYXNz') as Request;
const res = {} as Response;
await authMiddleware(req, res, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(AuthenticationError) for an invalid JWT', async () => {
const req = makeReq('Bearer invalid.jwt.token') as Request;
const res = {} as Response;
await authMiddleware(req, res, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
it('should call next(AuthenticationError) for a revoked token', async () => {
mockGetRedisClient.mockResolvedValue({
get: jest.fn().mockResolvedValue('1'), // Token is revoked
});
const token = makeTestToken();
const req = makeReq(`Bearer ${token}`) as Request;
const res = {} as Response;
await authMiddleware(req, res, next);
expect(next).toHaveBeenCalledWith(expect.any(AuthenticationError));
});
});

182
tests/unit/middleware/errorHandler.test.ts Normal file
View File

@@ -0,0 +1,182 @@
/**
* Unit tests for src/middleware/errorHandler.ts
*/
import { Request, Response, NextFunction } from 'express';
import { errorHandler } from '../../../src/middleware/errorHandler';
import {
ValidationError,
AgentNotFoundError,
AgentAlreadyExistsError,
AgentAlreadyDecommissionedError,
CredentialNotFoundError,
CredentialAlreadyRevokedError,
CredentialError,
AuthenticationError,
AuthorizationError,
RateLimitError,
FreeTierLimitError,
InsufficientScopeError,
AuditEventNotFoundError,
RetentionWindowError,
} from '../../../src/utils/errors';
function makeRes(): { status: jest.Mock; json: jest.Mock } {
const res = {
status: jest.fn().mockReturnThis(),
json: jest.fn().mockReturnThis(),
};
return res;
}
const req = {} as Request;
const next = jest.fn() as jest.MockedFunction<NextFunction>;
describe('errorHandler', () => {
beforeEach(() => jest.clearAllMocks());
it('should return 400 for ValidationError', () => {
const res = makeRes();
errorHandler(new ValidationError('bad input'), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(400);
expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ code: 'VALIDATION_ERROR' }));
});
it('should return 404 for AgentNotFoundError', () => {
const res = makeRes();
errorHandler(new AgentNotFoundError(), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(404);
expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ code: 'AGENT_NOT_FOUND' }));
});
it('should return 409 for AgentAlreadyExistsError', () => {
const res = makeRes();
errorHandler(new AgentAlreadyExistsError('test@test.com'), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(409);
expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ code: 'AGENT_ALREADY_EXISTS' }));
});
it('should return 409 for AgentAlreadyDecommissionedError', () => {
const res = makeRes();
errorHandler(new AgentAlreadyDecommissionedError('id'), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(409);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ code: 'AGENT_ALREADY_DECOMMISSIONED' }),
);
});
it('should return 404 for CredentialNotFoundError', () => {
const res = makeRes();
errorHandler(new CredentialNotFoundError(), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(404);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ code: 'CREDENTIAL_NOT_FOUND' }),
);
});
it('should return 409 for CredentialAlreadyRevokedError', () => {
const res = makeRes();
errorHandler(
new CredentialAlreadyRevokedError('cred-id', new Date().toISOString()),
req,
res as unknown as Response,
next,
);
expect(res.status).toHaveBeenCalledWith(409);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ code: 'CREDENTIAL_ALREADY_REVOKED' }),
);
});
it('should return 400 for CredentialError', () => {
const res = makeRes();
errorHandler(new CredentialError('error', 'AGENT_NOT_ACTIVE'), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(400);
});
it('should return 401 for AuthenticationError', () => {
const res = makeRes();
errorHandler(new AuthenticationError(), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(401);
expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ code: 'UNAUTHORIZED' }));
});
it('should return 403 for AuthorizationError', () => {
const res = makeRes();
errorHandler(new AuthorizationError(), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(403);
expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ code: 'FORBIDDEN' }));
});
it('should return 429 for RateLimitError', () => {
const res = makeRes();
errorHandler(new RateLimitError(), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(429);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ code: 'RATE_LIMIT_EXCEEDED' }),
);
});
it('should return 403 for FreeTierLimitError', () => {
const res = makeRes();
errorHandler(new FreeTierLimitError('Limit reached'), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(403);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ code: 'FREE_TIER_LIMIT_EXCEEDED' }),
);
});
it('should return 403 for InsufficientScopeError', () => {
const res = makeRes();
errorHandler(new InsufficientScopeError('audit:read'), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(403);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ code: 'INSUFFICIENT_SCOPE' }),
);
});
it('should return 404 for AuditEventNotFoundError', () => {
const res = makeRes();
errorHandler(new AuditEventNotFoundError(), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(404);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ code: 'AUDIT_EVENT_NOT_FOUND' }),
);
});
it('should return 400 for RetentionWindowError', () => {
const res = makeRes();
errorHandler(
new RetentionWindowError(90, '2025-12-28T00:00:00.000Z'),
req,
res as unknown as Response,
next,
);
expect(res.status).toHaveBeenCalledWith(400);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ code: 'RETENTION_WINDOW_EXCEEDED' }),
);
});
it('should return 500 for unknown errors', () => {
const res = makeRes();
errorHandler(new Error('unexpected'), req, res as unknown as Response, next);
expect(res.status).toHaveBeenCalledWith(500);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ code: 'INTERNAL_SERVER_ERROR' }),
);
});
it('should include details in the response when present', () => {
const res = makeRes();
errorHandler(
new ValidationError('bad', { field: 'email' }),
req,
res as unknown as Response,
next,
);
expect(res.json).toHaveBeenCalledWith(
expect.objectContaining({ details: { field: 'email' } }),
);
});
});

93
tests/unit/middleware/rateLimit.test.ts Normal file
View File

@@ -0,0 +1,93 @@
/**
* Unit tests for src/middleware/rateLimit.ts
*/
import { Request, Response, NextFunction } from 'express';
import { RateLimitError } from '../../../src/utils/errors';
const mockIncr = jest.fn();
const mockExpire = jest.fn();
jest.mock('../../../src/cache/redis', () => ({
getRedisClient: jest.fn().mockResolvedValue({
incr: mockIncr,
expire: mockExpire,
}),
}));
import { rateLimitMiddleware } from '../../../src/middleware/rateLimit';
function buildMocks(clientId?: string): {
req: Partial<Request>;
res: Partial<Response>;
next: NextFunction;
} {
const res: Partial<Response> = {
setHeader: jest.fn(),
};
return {
req: {
user: clientId ? { client_id: clientId, sub: clientId, scope: '', jti: '', iat: 0, exp: 0 } : undefined,
ip: '127.0.0.1',
},
res,
next: jest.fn() as NextFunction,
};
}
describe('rateLimitMiddleware', () => {
beforeEach(() => {
jest.clearAllMocks();
mockExpire.mockResolvedValue(1);
});
it('should set X-RateLimit-* headers and call next() when counter is under the limit', async () => {
mockIncr.mockResolvedValue(1);
const { req, res, next } = buildMocks('agent-123');
await rateLimitMiddleware(req as Request, res as Response, next);
expect(res.setHeader).toHaveBeenCalledWith('X-RateLimit-Limit', 100);
expect(res.setHeader).toHaveBeenCalledWith('X-RateLimit-Remaining', 99);
expect(res.setHeader).toHaveBeenCalledWith('X-RateLimit-Reset', expect.any(Number));
expect(next).toHaveBeenCalledWith();
expect(next).not.toHaveBeenCalledWith(expect.any(Error));
});
it('should call next(RateLimitError) when counter equals 100', async () => {
mockIncr.mockResolvedValue(101);
const { req, res, next } = buildMocks('agent-456');
await rateLimitMiddleware(req as Request, res as Response, next);
expect(next).toHaveBeenCalledWith(expect.any(RateLimitError));
});
it('should use req.ip as key when req.user is not set', async () => {
mockIncr.mockResolvedValue(5);
const { req, res, next } = buildMocks(); // no clientId → no req.user
await rateLimitMiddleware(req as Request, res as Response, next);
expect(mockIncr).toHaveBeenCalledWith(expect.stringContaining('127.0.0.1'));
expect(next).toHaveBeenCalledWith();
});
it('should set expire TTL only on first request (count === 1)', async () => {
mockIncr.mockResolvedValue(1);
const { req, res, next } = buildMocks('agent-789');
await rateLimitMiddleware(req as Request, res as Response, next);
expect(mockExpire).toHaveBeenCalledWith(expect.any(String), 60);
});
it('should not call expire on subsequent requests (count > 1)', async () => {
mockIncr.mockResolvedValue(50);
const { req, res, next } = buildMocks('agent-789');
await rateLimitMiddleware(req as Request, res as Response, next);
expect(mockExpire).not.toHaveBeenCalled();
});
});

276
tests/unit/repositories/AgentRepository.test.ts Normal file
View File

@@ -0,0 +1,276 @@
/**
* Unit tests for src/repositories/AgentRepository.ts
* Uses a mocked pg.Pool — no real database connection.
*/
import { Pool } from 'pg';
import { AgentRepository } from '../../../src/repositories/AgentRepository';
import { IAgent, ICreateAgentRequest, IUpdateAgentRequest, IAgentListFilters } from '../../../src/types/index';
jest.mock('pg', () => ({
Pool: jest.fn().mockImplementation(() => ({
query: jest.fn(),
connect: jest.fn(),
})),
}));
// ─── helpers ─────────────────────────────────────────────────────────────────
const AGENT_ROW = {
agent_id: 'a1b2c3d4-0000-0000-0000-000000000001',
email: 'agent@sentryagent.ai',
agent_type: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'team-a',
deployment_env: 'production',
status: 'active',
created_at: new Date('2026-03-28T09:00:00Z'),
updated_at: new Date('2026-03-28T09:00:00Z'),
};
const EXPECTED_AGENT: IAgent = {
agentId: AGENT_ROW.agent_id,
email: AGENT_ROW.email,
agentType: 'screener',
version: AGENT_ROW.version,
capabilities: AGENT_ROW.capabilities,
owner: AGENT_ROW.owner,
deploymentEnv: 'production',
status: 'active',
createdAt: AGENT_ROW.created_at,
updatedAt: AGENT_ROW.updated_at,
};
// ─── suite ───────────────────────────────────────────────────────────────────
describe('AgentRepository', () => {
let pool: jest.Mocked<Pool>;
let repo: AgentRepository;
beforeEach(() => {
jest.clearAllMocks();
pool = new Pool() as jest.Mocked<Pool>;
repo = new AgentRepository(pool);
});
// ── create ──────────────────────────────────────────────────────────────────
describe('create()', () => {
const createData: ICreateAgentRequest = {
email: 'agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'team-a',
deploymentEnv: 'production',
};
it('should insert a row and return a mapped IAgent', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [AGENT_ROW], rowCount: 1 });
const result = await repo.create(createData);
expect(pool.query).toHaveBeenCalledTimes(1);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('INSERT INTO agents');
expect(params).toContain(createData.email);
expect(params).toContain(createData.agentType);
expect(result).toMatchObject({
email: EXPECTED_AGENT.email,
agentType: EXPECTED_AGENT.agentType,
status: 'active',
});
});
});
// ── findById ─────────────────────────────────────────────────────────────────
describe('findById()', () => {
it('should return a mapped IAgent when the row exists', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [AGENT_ROW], rowCount: 1 });
const result = await repo.findById(AGENT_ROW.agent_id);
expect(pool.query).toHaveBeenCalledWith(
expect.stringContaining('SELECT'),
[AGENT_ROW.agent_id],
);
expect(result).toMatchObject(EXPECTED_AGENT);
});
it('should return null when no rows are returned', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.findById('nonexistent');
expect(result).toBeNull();
});
});
// ── findByEmail ──────────────────────────────────────────────────────────────
describe('findByEmail()', () => {
it('should return a mapped IAgent when the email exists', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [AGENT_ROW], rowCount: 1 });
const result = await repo.findByEmail(AGENT_ROW.email);
expect(pool.query).toHaveBeenCalledWith(
expect.stringContaining('email'),
[AGENT_ROW.email],
);
expect(result).toMatchObject(EXPECTED_AGENT);
});
it('should return null when no rows are returned', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.findByEmail('notfound@example.com');
expect(result).toBeNull();
});
});
// ── findAll ──────────────────────────────────────────────────────────────────
describe('findAll()', () => {
it('should return paginated agents with total count (no filters)', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '1' }], rowCount: 1 }) // count query
.mockResolvedValueOnce({ rows: [AGENT_ROW], rowCount: 1 }); // data query
const filters: IAgentListFilters = { page: 1, limit: 20 };
const result = await repo.findAll(filters);
expect(pool.query).toHaveBeenCalledTimes(2);
expect(result.total).toBe(1);
expect(result.agents).toHaveLength(1);
expect(result.agents[0]).toMatchObject(EXPECTED_AGENT);
});
it('should apply owner, agentType, and status filters', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
const filters: IAgentListFilters = {
page: 1,
limit: 10,
owner: 'team-a',
agentType: 'screener',
status: 'active',
};
const result = await repo.findAll(filters);
const [countSql] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(countSql).toContain('owner');
expect(countSql).toContain('agent_type');
expect(countSql).toContain('status');
expect(result.total).toBe(0);
expect(result.agents).toHaveLength(0);
});
it('should return an empty list when no agents exist', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.findAll({ page: 1, limit: 20 });
expect(result.total).toBe(0);
expect(result.agents).toEqual([]);
});
});
// ── update ───────────────────────────────────────────────────────────────────
describe('update()', () => {
it('should update fields and return mapped IAgent', async () => {
const updatedRow = { ...AGENT_ROW, version: '2.0.0' };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [updatedRow], rowCount: 1 });
const data: IUpdateAgentRequest = { version: '2.0.0' };
const result = await repo.update(AGENT_ROW.agent_id, data);
expect(pool.query).toHaveBeenCalledTimes(1);
const [sql] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('UPDATE agents');
expect(result).not.toBeNull();
expect(result?.version).toBe('2.0.0');
});
it('should return null when the agent is not found after update', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.update('nonexistent', { version: '2.0.0' });
expect(result).toBeNull();
});
it('should return null when no fields are provided', async () => {
const result = await repo.update(AGENT_ROW.agent_id, {});
expect(pool.query).not.toHaveBeenCalled();
expect(result).toBeNull();
});
it('should update multiple fields at once', async () => {
const updatedRow = { ...AGENT_ROW, version: '3.0.0', status: 'suspended', owner: 'team-b' };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [updatedRow], rowCount: 1 });
const data: IUpdateAgentRequest = { version: '3.0.0', status: 'suspended', owner: 'team-b' };
const result = await repo.update(AGENT_ROW.agent_id, data);
expect(result?.status).toBe('suspended');
expect(result?.owner).toBe('team-b');
});
});
// ── decommission ──────────────────────────────────────────────────────────────
describe('decommission()', () => {
it('should set status to decommissioned and return the agent', async () => {
const decomRow = { ...AGENT_ROW, status: 'decommissioned' };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [decomRow], rowCount: 1 });
const result = await repo.decommission(AGENT_ROW.agent_id);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('decommissioned');
expect(params).toContain(AGENT_ROW.agent_id);
expect(result?.status).toBe('decommissioned');
});
it('should return null when agent is not found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.decommission('nonexistent');
expect(result).toBeNull();
});
});
// ── countActive ───────────────────────────────────────────────────────────────
describe('countActive()', () => {
it('should return the count of non-decommissioned agents', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [{ count: '42' }], rowCount: 1 });
const count = await repo.countActive();
const [sql] = (pool.query as jest.Mock).mock.calls[0] as [string];
expect(sql).toContain('decommissioned');
expect(count).toBe(42);
});
it('should return 0 when there are no active agents', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 });
const count = await repo.countActive();
expect(count).toBe(0);
});
});
});

221
tests/unit/repositories/AuditRepository.test.ts Normal file
View File

@@ -0,0 +1,221 @@
/**
* Unit tests for src/repositories/AuditRepository.ts
* Uses a mocked pg.Pool — no real database connection.
*/
import { Pool } from 'pg';
import { AuditRepository } from '../../../src/repositories/AuditRepository';
import { IAuditEvent, ICreateAuditEventInput, IAuditListFilters } from '../../../src/types/index';
jest.mock('pg', () => ({
Pool: jest.fn().mockImplementation(() => ({
query: jest.fn(),
connect: jest.fn(),
})),
}));
// ─── helpers ─────────────────────────────────────────────────────────────────
const AUDIT_ROW = {
event_id: 'evt-0000-0000-0000-000000000001',
agent_id: 'agent-0000-0000-0000-000000000001',
action: 'agent.created',
outcome: 'success',
ip_address: '127.0.0.1',
user_agent: 'test-agent/1.0',
metadata: { agentType: 'screener' },
timestamp: new Date('2026-03-28T09:00:00Z'),
};
const EXPECTED_EVENT: IAuditEvent = {
eventId: AUDIT_ROW.event_id,
agentId: AUDIT_ROW.agent_id,
action: 'agent.created',
outcome: 'success',
ipAddress: AUDIT_ROW.ip_address,
userAgent: AUDIT_ROW.user_agent,
metadata: AUDIT_ROW.metadata,
timestamp: AUDIT_ROW.timestamp,
};
const RETENTION_CUTOFF = new Date('2026-01-01T00:00:00Z');
// ─── suite ───────────────────────────────────────────────────────────────────
describe('AuditRepository', () => {
let pool: jest.Mocked<Pool>;
let repo: AuditRepository;
beforeEach(() => {
jest.clearAllMocks();
pool = new Pool() as jest.Mocked<Pool>;
repo = new AuditRepository(pool);
});
// ── create ──────────────────────────────────────────────────────────────────
describe('create()', () => {
const eventInput: ICreateAuditEventInput = {
agentId: AUDIT_ROW.agent_id,
action: 'agent.created',
outcome: 'success',
ipAddress: '127.0.0.1',
userAgent: 'test-agent/1.0',
metadata: { agentType: 'screener' },
};
it('should insert a row and return a mapped IAuditEvent', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [AUDIT_ROW], rowCount: 1 });
const result = await repo.create(eventInput);
expect(pool.query).toHaveBeenCalledTimes(1);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('INSERT INTO audit_events');
expect(params).toContain(eventInput.agentId);
expect(params).toContain(eventInput.action);
expect(params).toContain(eventInput.outcome);
expect(params).toContain(eventInput.ipAddress);
expect(params).toContain(eventInput.userAgent);
expect(result).toMatchObject(EXPECTED_EVENT);
});
it('should JSON-stringify the metadata field', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [AUDIT_ROW], rowCount: 1 });
await repo.create(eventInput);
const [, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
// metadata param should be a JSON string
const metadataParam = params.find((p) => typeof p === 'string' && p.startsWith('{'));
expect(metadataParam).toBe(JSON.stringify(eventInput.metadata));
});
});
// ── findById ─────────────────────────────────────────────────────────────────
describe('findById()', () => {
it('should return a mapped IAuditEvent when found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [AUDIT_ROW], rowCount: 1 });
const result = await repo.findById(AUDIT_ROW.event_id);
expect(pool.query).toHaveBeenCalledWith(
expect.stringContaining('event_id'),
[AUDIT_ROW.event_id],
);
expect(result).toMatchObject(EXPECTED_EVENT);
});
it('should return null when not found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.findById('nonexistent');
expect(result).toBeNull();
});
});
// ── findAll ──────────────────────────────────────────────────────────────────
describe('findAll()', () => {
it('should return paginated events with total count (no optional filters)', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '1' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [AUDIT_ROW], rowCount: 1 });
const filters: IAuditListFilters = { page: 1, limit: 50 };
const result = await repo.findAll(filters, RETENTION_CUTOFF);
expect(pool.query).toHaveBeenCalledTimes(2);
expect(result.total).toBe(1);
expect(result.events).toHaveLength(1);
expect(result.events[0]).toMatchObject(EXPECTED_EVENT);
});
it('should include retention cutoff in the WHERE clause', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
await repo.findAll({ page: 1, limit: 50 }, RETENTION_CUTOFF);
const [countSql, countParams] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(countSql).toContain('timestamp');
expect(countParams).toContain(RETENTION_CUTOFF);
});
it('should apply agentId filter', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '1' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [AUDIT_ROW], rowCount: 1 });
const filters: IAuditListFilters = { page: 1, limit: 50, agentId: AUDIT_ROW.agent_id };
await repo.findAll(filters, RETENTION_CUTOFF);
const [countSql] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(countSql).toContain('agent_id');
});
it('should apply action filter', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
await repo.findAll({ page: 1, limit: 50, action: 'token.issued' }, RETENTION_CUTOFF);
const [countSql] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(countSql).toContain('action');
});
it('should apply outcome filter', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
await repo.findAll({ page: 1, limit: 50, outcome: 'failure' }, RETENTION_CUTOFF);
const [countSql] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(countSql).toContain('outcome');
});
it('should apply fromDate filter', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
await repo.findAll(
{ page: 1, limit: 50, fromDate: '2026-03-01T00:00:00Z' },
RETENTION_CUTOFF,
);
const [countSql] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(countSql).toContain('timestamp');
});
it('should apply toDate filter', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
await repo.findAll(
{ page: 1, limit: 50, toDate: '2026-03-31T23:59:59Z' },
RETENTION_CUTOFF,
);
const [countSql] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(countSql).toContain('timestamp');
});
it('should return empty list when no events exist', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.findAll({ page: 1, limit: 50 }, RETENTION_CUTOFF);
expect(result.total).toBe(0);
expect(result.events).toEqual([]);
});
});
});

256
tests/unit/repositories/CredentialRepository.test.ts Normal file
View File

@@ -0,0 +1,256 @@
/**
* Unit tests for src/repositories/CredentialRepository.ts
* Uses a mocked pg.Pool — no real database connection.
*/
import { Pool } from 'pg';
import { CredentialRepository } from '../../../src/repositories/CredentialRepository';
import { ICredential, ICredentialRow, ICredentialListFilters } from '../../../src/types/index';
jest.mock('pg', () => ({
Pool: jest.fn().mockImplementation(() => ({
query: jest.fn(),
connect: jest.fn(),
})),
}));
// ─── helpers ─────────────────────────────────────────────────────────────────
const CREDENTIAL_ROW = {
credential_id: 'cred-0000-0000-0000-000000000001',
client_id: 'agent-0000-0000-0000-000000000001',
secret_hash: '$2b$10$hashedSecret',
status: 'active',
created_at: new Date('2026-03-28T09:00:00Z'),
expires_at: null,
revoked_at: null,
};
const EXPECTED_CREDENTIAL: ICredential = {
credentialId: CREDENTIAL_ROW.credential_id,
clientId: CREDENTIAL_ROW.client_id,
status: 'active',
createdAt: CREDENTIAL_ROW.created_at,
expiresAt: null,
revokedAt: null,
};
const EXPECTED_CREDENTIAL_ROW: ICredentialRow = {
...EXPECTED_CREDENTIAL,
secretHash: CREDENTIAL_ROW.secret_hash,
};
// ─── suite ───────────────────────────────────────────────────────────────────
describe('CredentialRepository', () => {
let pool: jest.Mocked<Pool>;
let repo: CredentialRepository;
beforeEach(() => {
jest.clearAllMocks();
pool = new Pool() as jest.Mocked<Pool>;
repo = new CredentialRepository(pool);
});
// ── create ──────────────────────────────────────────────────────────────────
describe('create()', () => {
it('should insert a credential row and return ICredential without secret hash', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [CREDENTIAL_ROW], rowCount: 1 });
const result = await repo.create(
CREDENTIAL_ROW.client_id,
CREDENTIAL_ROW.secret_hash,
null,
);
expect(pool.query).toHaveBeenCalledTimes(1);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('INSERT INTO credentials');
expect(params).toContain(CREDENTIAL_ROW.client_id);
expect(params).toContain(CREDENTIAL_ROW.secret_hash);
// Secret hash must NOT be on the returned ICredential
expect(result).toMatchObject(EXPECTED_CREDENTIAL);
expect((result as ICredentialRow).secretHash).toBeUndefined();
});
it('should pass expiresAt when provided', async () => {
const expiresAt = new Date('2027-01-01T00:00:00Z');
const rowWithExpiry = { ...CREDENTIAL_ROW, expires_at: expiresAt };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [rowWithExpiry], rowCount: 1 });
const result = await repo.create(CREDENTIAL_ROW.client_id, CREDENTIAL_ROW.secret_hash, expiresAt);
const [, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(params).toContain(expiresAt);
expect(result.expiresAt).toEqual(expiresAt);
});
});
// ── findById ─────────────────────────────────────────────────────────────────
describe('findById()', () => {
it('should return ICredentialRow (with secretHash) when found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [CREDENTIAL_ROW], rowCount: 1 });
const result = await repo.findById(CREDENTIAL_ROW.credential_id);
expect(pool.query).toHaveBeenCalledWith(
expect.stringContaining('credential_id'),
[CREDENTIAL_ROW.credential_id],
);
expect(result).toMatchObject(EXPECTED_CREDENTIAL_ROW);
expect(result?.secretHash).toBe(CREDENTIAL_ROW.secret_hash);
});
it('should return null when not found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.findById('nonexistent');
expect(result).toBeNull();
});
});
// ── findByAgentId ─────────────────────────────────────────────────────────────
describe('findByAgentId()', () => {
it('should return paginated credentials for an agent', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '1' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [CREDENTIAL_ROW], rowCount: 1 });
const filters: ICredentialListFilters = { page: 1, limit: 20 };
const result = await repo.findByAgentId(CREDENTIAL_ROW.client_id, filters);
expect(pool.query).toHaveBeenCalledTimes(2);
expect(result.total).toBe(1);
expect(result.credentials).toHaveLength(1);
expect(result.credentials[0]).toMatchObject(EXPECTED_CREDENTIAL);
});
it('should apply status filter when provided', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
const filters: ICredentialListFilters = { page: 1, limit: 20, status: 'revoked' };
const result = await repo.findByAgentId(CREDENTIAL_ROW.client_id, filters);
const [countSql] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(countSql).toContain('status');
expect(result.total).toBe(0);
expect(result.credentials).toHaveLength(0);
});
it('should return empty list when no credentials exist', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.findByAgentId('agent-no-creds', { page: 1, limit: 20 });
expect(result.total).toBe(0);
expect(result.credentials).toEqual([]);
});
it('should not include secretHash in returned credentials', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '1' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [CREDENTIAL_ROW], rowCount: 1 });
const result = await repo.findByAgentId(CREDENTIAL_ROW.client_id, { page: 1, limit: 20 });
expect((result.credentials[0] as ICredentialRow).secretHash).toBeUndefined();
});
});
// ── updateHash ────────────────────────────────────────────────────────────────
describe('updateHash()', () => {
it('should update the secret hash and return ICredential', async () => {
const newHash = '$2b$10$newHash';
const updatedRow = { ...CREDENTIAL_ROW, secret_hash: newHash };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [updatedRow], rowCount: 1 });
const result = await repo.updateHash(CREDENTIAL_ROW.credential_id, newHash, null);
expect(pool.query).toHaveBeenCalledTimes(1);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('secret_hash');
expect(params).toContain(newHash);
expect(params).toContain(CREDENTIAL_ROW.credential_id);
expect(result).toMatchObject(EXPECTED_CREDENTIAL);
});
it('should return null when credential is not found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.updateHash('nonexistent', '$2b$10$hash', null);
expect(result).toBeNull();
});
it('should pass new expiresAt when provided', async () => {
const newExpiry = new Date('2028-01-01T00:00:00Z');
const updatedRow = { ...CREDENTIAL_ROW, expires_at: newExpiry };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [updatedRow], rowCount: 1 });
const result = await repo.updateHash(CREDENTIAL_ROW.credential_id, '$2b$10$hash', newExpiry);
const [, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(params).toContain(newExpiry);
expect(result?.expiresAt).toEqual(newExpiry);
});
});
// ── revoke ────────────────────────────────────────────────────────────────────
describe('revoke()', () => {
it('should set status to revoked and return ICredential', async () => {
const revokedAt = new Date('2026-03-28T10:00:00Z');
const revokedRow = { ...CREDENTIAL_ROW, status: 'revoked', revoked_at: revokedAt };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [revokedRow], rowCount: 1 });
const result = await repo.revoke(CREDENTIAL_ROW.credential_id);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('revoked');
expect(params).toContain(CREDENTIAL_ROW.credential_id);
expect(result?.status).toBe('revoked');
expect(result?.revokedAt).toEqual(revokedAt);
});
it('should return null when credential is not found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.revoke('nonexistent');
expect(result).toBeNull();
});
});
// ── revokeAllForAgent ─────────────────────────────────────────────────────────
describe('revokeAllForAgent()', () => {
it('should return the count of revoked credentials', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 3 });
const count = await repo.revokeAllForAgent(CREDENTIAL_ROW.client_id);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('revoked');
expect(params).toContain(CREDENTIAL_ROW.client_id);
expect(count).toBe(3);
});
it('should return 0 when no active credentials exist', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: null });
const count = await repo.revokeAllForAgent('agent-no-creds');
expect(count).toBe(0);
});
});
});

175
tests/unit/repositories/TokenRepository.test.ts Normal file
View File

@@ -0,0 +1,175 @@
/**
* Unit tests for src/repositories/TokenRepository.ts
* Uses mocked pg.Pool and Redis client — no real infrastructure.
*/
import { Pool } from 'pg';
import { RedisClientType } from 'redis';
import { TokenRepository } from '../../../src/repositories/TokenRepository';
jest.mock('pg', () => ({
Pool: jest.fn().mockImplementation(() => ({
query: jest.fn(),
connect: jest.fn(),
})),
}));
// ─── helpers ─────────────────────────────────────────────────────────────────
function buildMockRedis(): jest.Mocked<Pick<RedisClientType, 'get' | 'set' | 'incr' | 'expire'>> {
return {
get: jest.fn(),
set: jest.fn(),
incr: jest.fn(),
expire: jest.fn(),
};
}
// ─── suite ───────────────────────────────────────────────────────────────────
describe('TokenRepository', () => {
let pool: jest.Mocked<Pool>;
let redis: ReturnType<typeof buildMockRedis>;
let repo: TokenRepository;
beforeEach(() => {
jest.clearAllMocks();
pool = new Pool() as jest.Mocked<Pool>;
redis = buildMockRedis();
repo = new TokenRepository(pool, redis as unknown as RedisClientType);
});
// ── addToRevocationList ───────────────────────────────────────────────────────
describe('addToRevocationList()', () => {
it('should write to Redis with correct key and TTL, then insert to DB', async () => {
redis.set.mockResolvedValue('OK');
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 1 });
const jti = 'test-jti-001';
const expiresAt = new Date(Date.now() + 3600_000); // 1 hour from now
await repo.addToRevocationList(jti, expiresAt);
// Redis set call
expect(redis.set).toHaveBeenCalledTimes(1);
const [redisKey, value, options] = redis.set.mock.calls[0] as [string, string, { EX: number }];
expect(redisKey).toBe(`revoked:${jti}`);
expect(value).toBe('1');
expect(options.EX).toBeGreaterThan(0);
// DB insert call
expect(pool.query).toHaveBeenCalledTimes(1);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('INSERT INTO token_revocations');
expect(params).toContain(jti);
expect(params).toContain(expiresAt);
});
it('should use a minimum TTL of 1 second for already-expired tokens', async () => {
redis.set.mockResolvedValue('OK');
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 1 });
const jti = 'expired-jti';
const expiresAt = new Date(Date.now() - 5000); // already expired
await repo.addToRevocationList(jti, expiresAt);
const [, , options] = redis.set.mock.calls[0] as [string, string, { EX: number }];
expect(options.EX).toBe(1);
});
});
// ── isRevoked ─────────────────────────────────────────────────────────────────
describe('isRevoked()', () => {
it('should return true immediately when Redis has the key', async () => {
redis.get.mockResolvedValue('1');
const result = await repo.isRevoked('revoked-jti');
expect(result).toBe(true);
// DB should NOT be queried
expect(pool.query).not.toHaveBeenCalled();
});
it('should fall back to DB and return true when found there', async () => {
redis.get.mockResolvedValue(null);
(pool.query as jest.Mock).mockResolvedValueOnce({
rows: [{ jti: 'db-revoked-jti', expires_at: new Date(), revoked_at: new Date() }],
rowCount: 1,
});
const result = await repo.isRevoked('db-revoked-jti');
expect(redis.get).toHaveBeenCalledTimes(1);
expect(pool.query).toHaveBeenCalledTimes(1);
expect(result).toBe(true);
});
it('should return false when neither Redis nor DB has the key', async () => {
redis.get.mockResolvedValue(null);
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.isRevoked('valid-jti');
expect(result).toBe(false);
});
});
// ── incrementMonthlyCount ─────────────────────────────────────────────────────
describe('incrementMonthlyCount()', () => {
it('should increment the Redis key and return the new count', async () => {
redis.incr.mockResolvedValue(5);
redis.expire.mockResolvedValue(true);
const count = await repo.incrementMonthlyCount('client-001');
expect(redis.incr).toHaveBeenCalledTimes(1);
const [key] = redis.incr.mock.calls[0] as [string];
expect(key).toMatch(/^monthly:tokens:client-001:/);
expect(count).toBe(5);
});
it('should set TTL when count becomes 1 (first token of the month)', async () => {
redis.incr.mockResolvedValue(1);
redis.expire.mockResolvedValue(true);
await repo.incrementMonthlyCount('client-new');
expect(redis.expire).toHaveBeenCalledTimes(1);
const [, ttl] = redis.expire.mock.calls[0] as [string, number];
expect(ttl).toBeGreaterThan(0);
});
it('should NOT set TTL when count is greater than 1', async () => {
redis.incr.mockResolvedValue(10);
await repo.incrementMonthlyCount('client-existing');
expect(redis.expire).not.toHaveBeenCalled();
});
});
// ── getMonthlyCount ───────────────────────────────────────────────────────────
describe('getMonthlyCount()', () => {
it('should return the count from Redis', async () => {
redis.get.mockResolvedValue('42');
const count = await repo.getMonthlyCount('client-001');
expect(redis.get).toHaveBeenCalledTimes(1);
const [key] = redis.get.mock.calls[0] as [string];
expect(key).toMatch(/^monthly:tokens:client-001:/);
expect(count).toBe(42);
});
it('should return 0 when the Redis key does not exist', async () => {
redis.get.mockResolvedValue(null);
const count = await repo.getMonthlyCount('client-no-tokens');
expect(count).toBe(0);
});
});
});

194
tests/unit/services/AgentService.test.ts Normal file
View File

@@ -0,0 +1,194 @@
/**
* Unit tests for src/services/AgentService.ts
*/
import { AgentService } from '../../../src/services/AgentService';
import { AgentRepository } from '../../../src/repositories/AgentRepository';
import { CredentialRepository } from '../../../src/repositories/CredentialRepository';
import { AuditService } from '../../../src/services/AuditService';
import {
AgentNotFoundError,
AgentAlreadyExistsError,
AgentAlreadyDecommissionedError,
FreeTierLimitError,
} from '../../../src/utils/errors';
import { IAgent, ICreateAgentRequest } from '../../../src/types/index';
// Mock dependencies
jest.mock('../../../src/repositories/AgentRepository');
jest.mock('../../../src/repositories/CredentialRepository');
jest.mock('../../../src/services/AuditService');
const MockAgentRepository = AgentRepository as jest.MockedClass<typeof AgentRepository>;
const MockCredentialRepository = CredentialRepository as jest.MockedClass<typeof CredentialRepository>;
const MockAuditService = AuditService as jest.MockedClass<typeof AuditService>;
const MOCK_AGENT: IAgent = {
agentId: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
email: 'agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'team-a',
deploymentEnv: 'production',
status: 'active',
createdAt: new Date('2026-03-28T09:00:00Z'),
updatedAt: new Date('2026-03-28T09:00:00Z'),
};
const IP = '127.0.0.1';
const UA = 'test-agent/1.0';
describe('AgentService', () => {
let agentService: AgentService;
let agentRepo: jest.Mocked<AgentRepository>;
let credentialRepo: jest.Mocked<CredentialRepository>;
let auditService: jest.Mocked<AuditService>;
beforeEach(() => {
jest.clearAllMocks();
agentRepo = new MockAgentRepository({} as never) as jest.Mocked<AgentRepository>;
credentialRepo = new MockCredentialRepository({} as never) as jest.Mocked<CredentialRepository>;
auditService = new MockAuditService({} as never) as jest.Mocked<AuditService>;
agentService = new AgentService(agentRepo, credentialRepo, auditService);
});
// ────────────────────────────────────────────────────────────────
// registerAgent
// ────────────────────────────────────────────────────────────────
describe('registerAgent()', () => {
const createData: ICreateAgentRequest = {
email: 'agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'team-a',
deploymentEnv: 'production',
};
it('should create and return a new agent', async () => {
agentRepo.countActive.mockResolvedValue(0);
agentRepo.findByEmail.mockResolvedValue(null);
agentRepo.create.mockResolvedValue(MOCK_AGENT);
auditService.logEvent.mockResolvedValue({} as never);
const result = await agentService.registerAgent(createData, IP, UA);
expect(result).toEqual(MOCK_AGENT);
expect(agentRepo.create).toHaveBeenCalledWith(createData);
});
it('should throw FreeTierLimitError when 100 agents already registered', async () => {
agentRepo.countActive.mockResolvedValue(100);
await expect(agentService.registerAgent(createData, IP, UA)).rejects.toThrow(
FreeTierLimitError,
);
});
it('should throw AgentAlreadyExistsError if email is already registered', async () => {
agentRepo.countActive.mockResolvedValue(0);
agentRepo.findByEmail.mockResolvedValue(MOCK_AGENT);
await expect(agentService.registerAgent(createData, IP, UA)).rejects.toThrow(
AgentAlreadyExistsError,
);
});
});
// ────────────────────────────────────────────────────────────────
// getAgentById
// ────────────────────────────────────────────────────────────────
describe('getAgentById()', () => {
it('should return the agent when found', async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
const result = await agentService.getAgentById(MOCK_AGENT.agentId);
expect(result).toEqual(MOCK_AGENT);
});
it('should throw AgentNotFoundError when not found', async () => {
agentRepo.findById.mockResolvedValue(null);
await expect(agentService.getAgentById('nonexistent-id')).rejects.toThrow(
AgentNotFoundError,
);
});
});
// ────────────────────────────────────────────────────────────────
// listAgents
// ────────────────────────────────────────────────────────────────
describe('listAgents()', () => {
it('should return a paginated list of agents', async () => {
agentRepo.findAll.mockResolvedValue({ agents: [MOCK_AGENT], total: 1 });
const result = await agentService.listAgents({ page: 1, limit: 20 });
expect(result.data).toHaveLength(1);
expect(result.total).toBe(1);
expect(result.page).toBe(1);
expect(result.limit).toBe(20);
});
});
// ────────────────────────────────────────────────────────────────
// updateAgent
// ────────────────────────────────────────────────────────────────
describe('updateAgent()', () => {
it('should update and return the agent', async () => {
const updated = { ...MOCK_AGENT, version: '2.0.0' };
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
agentRepo.update.mockResolvedValue(updated);
auditService.logEvent.mockResolvedValue({} as never);
const result = await agentService.updateAgent(
MOCK_AGENT.agentId,
{ version: '2.0.0' },
IP,
UA,
);
expect(result.version).toBe('2.0.0');
});
it('should throw AgentNotFoundError when agent does not exist', async () => {
agentRepo.findById.mockResolvedValue(null);
await expect(
agentService.updateAgent('nonexistent', { version: '2.0.0' }, IP, UA),
).rejects.toThrow(AgentNotFoundError);
});
it('should throw AgentAlreadyDecommissionedError for decommissioned agent', async () => {
agentRepo.findById.mockResolvedValue({ ...MOCK_AGENT, status: 'decommissioned' });
await expect(
agentService.updateAgent(MOCK_AGENT.agentId, { version: '2.0.0' }, IP, UA),
).rejects.toThrow(AgentAlreadyDecommissionedError);
});
});
// ────────────────────────────────────────────────────────────────
// decommissionAgent
// ────────────────────────────────────────────────────────────────
describe('decommissionAgent()', () => {
it('should decommission the agent and revoke credentials', async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
credentialRepo.revokeAllForAgent.mockResolvedValue(2);
agentRepo.decommission.mockResolvedValue({ ...MOCK_AGENT, status: 'decommissioned' });
auditService.logEvent.mockResolvedValue({} as never);
await agentService.decommissionAgent(MOCK_AGENT.agentId, IP, UA);
expect(credentialRepo.revokeAllForAgent).toHaveBeenCalledWith(MOCK_AGENT.agentId);
expect(agentRepo.decommission).toHaveBeenCalledWith(MOCK_AGENT.agentId);
});
it('should throw AgentNotFoundError if agent does not exist', async () => {
agentRepo.findById.mockResolvedValue(null);
await expect(
agentService.decommissionAgent('nonexistent', IP, UA),
).rejects.toThrow(AgentNotFoundError);
});
it('should throw AgentAlreadyDecommissionedError if already decommissioned', async () => {
agentRepo.findById.mockResolvedValue({ ...MOCK_AGENT, status: 'decommissioned' });
await expect(
agentService.decommissionAgent(MOCK_AGENT.agentId, IP, UA),
).rejects.toThrow(AgentAlreadyDecommissionedError);
});
});
});

129
tests/unit/services/AuditService.test.ts Normal file
View File

@@ -0,0 +1,129 @@
/**
* Unit tests for src/services/AuditService.ts
*/
import { v4 as uuidv4 } from 'uuid';
import { AuditService } from '../../../src/services/AuditService';
import { AuditRepository } from '../../../src/repositories/AuditRepository';
import {
AuditEventNotFoundError,
RetentionWindowError,
ValidationError,
} from '../../../src/utils/errors';
import { IAuditEvent } from '../../../src/types/index';
jest.mock('../../../src/repositories/AuditRepository');
const MockAuditRepo = AuditRepository as jest.MockedClass<typeof AuditRepository>;
const MOCK_EVENT: IAuditEvent = {
eventId: uuidv4(),
agentId: uuidv4(),
action: 'token.issued',
outcome: 'success',
ipAddress: '127.0.0.1',
userAgent: 'test/1.0',
metadata: { scope: 'agents:read' },
timestamp: new Date(), // recent timestamp
};
describe('AuditService', () => {
let service: AuditService;
let auditRepo: jest.Mocked<AuditRepository>;
beforeEach(() => {
jest.clearAllMocks();
auditRepo = new MockAuditRepo({} as never) as jest.Mocked<AuditRepository>;
service = new AuditService(auditRepo);
});
// ────────────────────────────────────────────────────────────────
// logEvent
// ────────────────────────────────────────────────────────────────
describe('logEvent()', () => {
it('should create an audit event', async () => {
auditRepo.create.mockResolvedValue(MOCK_EVENT);
const result = await service.logEvent(
MOCK_EVENT.agentId,
'token.issued',
'success',
'127.0.0.1',
'test/1.0',
{ scope: 'agents:read' },
);
expect(result).toEqual(MOCK_EVENT);
expect(auditRepo.create).toHaveBeenCalledTimes(1);
});
});
// ────────────────────────────────────────────────────────────────
// queryEvents
// ────────────────────────────────────────────────────────────────
describe('queryEvents()', () => {
it('should return paginated events', async () => {
auditRepo.findAll.mockResolvedValue({ events: [MOCK_EVENT], total: 1 });
const result = await service.queryEvents({ page: 1, limit: 50 });
expect(result.data).toHaveLength(1);
expect(result.total).toBe(1);
});
it('should throw RetentionWindowError for fromDate before 90-day cutoff', async () => {
const oldDate = new Date();
oldDate.setDate(oldDate.getDate() - 100);
await expect(
service.queryEvents({ page: 1, limit: 50, fromDate: oldDate.toISOString() }),
).rejects.toThrow(RetentionWindowError);
});
it('should throw ValidationError when fromDate is after toDate', async () => {
const future = new Date();
future.setDate(future.getDate() + 5);
const past = new Date();
past.setDate(past.getDate() - 1);
await expect(
service.queryEvents({
page: 1,
limit: 50,
fromDate: future.toISOString(),
toDate: past.toISOString(),
}),
).rejects.toThrow(ValidationError);
});
it('should not throw for valid date range within retention window', async () => {
auditRepo.findAll.mockResolvedValue({ events: [], total: 0 });
const recentDate = new Date();
recentDate.setDate(recentDate.getDate() - 30);
await expect(
service.queryEvents({ page: 1, limit: 50, fromDate: recentDate.toISOString() }),
).resolves.toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// getEventById
// ────────────────────────────────────────────────────────────────
describe('getEventById()', () => {
it('should return the event when found within retention window', async () => {
auditRepo.findById.mockResolvedValue(MOCK_EVENT);
const result = await service.getEventById(MOCK_EVENT.eventId);
expect(result).toEqual(MOCK_EVENT);
});
it('should throw AuditEventNotFoundError when not found', async () => {
auditRepo.findById.mockResolvedValue(null);
await expect(service.getEventById('nonexistent')).rejects.toThrow(AuditEventNotFoundError);
});
it('should throw AuditEventNotFoundError for event outside retention window', async () => {
const oldEvent: IAuditEvent = {
...MOCK_EVENT,
timestamp: new Date('2020-01-01T00:00:00Z'),
};
auditRepo.findById.mockResolvedValue(oldEvent);
await expect(service.getEventById(oldEvent.eventId)).rejects.toThrow(
AuditEventNotFoundError,
);
});
});
});

207
tests/unit/services/CredentialService.test.ts Normal file
View File

@@ -0,0 +1,207 @@
/**
* Unit tests for src/services/CredentialService.ts
*/
import { v4 as uuidv4 } from 'uuid';
import { CredentialService } from '../../../src/services/CredentialService';
import { CredentialRepository } from '../../../src/repositories/CredentialRepository';
import { AgentRepository } from '../../../src/repositories/AgentRepository';
import { AuditService } from '../../../src/services/AuditService';
import {
AgentNotFoundError,
CredentialNotFoundError,
CredentialAlreadyRevokedError,
CredentialError,
} from '../../../src/utils/errors';
import { IAgent, ICredential, ICredentialRow } from '../../../src/types/index';
jest.mock('../../../src/repositories/CredentialRepository');
jest.mock('../../../src/repositories/AgentRepository');
jest.mock('../../../src/services/AuditService');
const MockCredentialRepo = CredentialRepository as jest.MockedClass<typeof CredentialRepository>;
const MockAgentRepo = AgentRepository as jest.MockedClass<typeof AgentRepository>;
const MockAuditService = AuditService as jest.MockedClass<typeof AuditService>;
const AGENT_ID = uuidv4();
const CREDENTIAL_ID = uuidv4();
const MOCK_AGENT: IAgent = {
agentId: AGENT_ID,
email: 'agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'team-a',
deploymentEnv: 'production',
status: 'active',
createdAt: new Date(),
updatedAt: new Date(),
};
const MOCK_CREDENTIAL: ICredential = {
credentialId: CREDENTIAL_ID,
clientId: AGENT_ID,
status: 'active',
createdAt: new Date(),
expiresAt: null,
revokedAt: null,
};
const MOCK_CREDENTIAL_ROW: ICredentialRow = {
...MOCK_CREDENTIAL,
secretHash: '$2b$10$somehashvalue',
};
const IP = '127.0.0.1';
const UA = 'test/1.0';
describe('CredentialService', () => {
let service: CredentialService;
let credentialRepo: jest.Mocked<CredentialRepository>;
let agentRepo: jest.Mocked<AgentRepository>;
let auditService: jest.Mocked<AuditService>;
beforeEach(() => {
jest.clearAllMocks();
credentialRepo = new MockCredentialRepo({} as never) as jest.Mocked<CredentialRepository>;
agentRepo = new MockAgentRepo({} as never) as jest.Mocked<AgentRepository>;
auditService = new MockAuditService({} as never) as jest.Mocked<AuditService>;
service = new CredentialService(credentialRepo, agentRepo, auditService);
auditService.logEvent.mockResolvedValue({} as never);
});
// ────────────────────────────────────────────────────────────────
// generateCredential
// ────────────────────────────────────────────────────────────────
describe('generateCredential()', () => {
it('should generate and return a credential with a one-time secret', async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
credentialRepo.create.mockResolvedValue(MOCK_CREDENTIAL);
const result = await service.generateCredential(AGENT_ID, {}, IP, UA);
expect(result.credentialId).toBe(CREDENTIAL_ID);
expect(result.clientSecret).toMatch(/^sk_live_[0-9a-f]{64}$/);
});
it('should throw AgentNotFoundError for unknown agent', async () => {
agentRepo.findById.mockResolvedValue(null);
await expect(service.generateCredential('unknown', {}, IP, UA)).rejects.toThrow(
AgentNotFoundError,
);
});
it('should throw CredentialError for suspended agent', async () => {
agentRepo.findById.mockResolvedValue({ ...MOCK_AGENT, status: 'suspended' });
await expect(service.generateCredential(AGENT_ID, {}, IP, UA)).rejects.toThrow(
CredentialError,
);
});
it('should throw CredentialError for decommissioned agent', async () => {
agentRepo.findById.mockResolvedValue({ ...MOCK_AGENT, status: 'decommissioned' });
await expect(service.generateCredential(AGENT_ID, {}, IP, UA)).rejects.toThrow(
CredentialError,
);
});
});
// ────────────────────────────────────────────────────────────────
// listCredentials
// ────────────────────────────────────────────────────────────────
describe('listCredentials()', () => {
it('should return a paginated list', async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
credentialRepo.findByAgentId.mockResolvedValue({
credentials: [MOCK_CREDENTIAL],
total: 1,
});
const result = await service.listCredentials(AGENT_ID, { page: 1, limit: 20 });
expect(result.data).toHaveLength(1);
expect(result.total).toBe(1);
});
it('should throw AgentNotFoundError for unknown agent', async () => {
agentRepo.findById.mockResolvedValue(null);
await expect(
service.listCredentials('unknown', { page: 1, limit: 20 }),
).rejects.toThrow(AgentNotFoundError);
});
});
// ────────────────────────────────────────────────────────────────
// rotateCredential
// ────────────────────────────────────────────────────────────────
describe('rotateCredential()', () => {
it('should rotate and return a new secret', async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
credentialRepo.findById.mockResolvedValue(MOCK_CREDENTIAL_ROW);
credentialRepo.updateHash.mockResolvedValue(MOCK_CREDENTIAL);
const result = await service.rotateCredential(AGENT_ID, CREDENTIAL_ID, {}, IP, UA);
expect(result.clientSecret).toMatch(/^sk_live_[0-9a-f]{64}$/);
});
it('should throw AgentNotFoundError for unknown agent', async () => {
agentRepo.findById.mockResolvedValue(null);
await expect(
service.rotateCredential('unknown', CREDENTIAL_ID, {}, IP, UA),
).rejects.toThrow(AgentNotFoundError);
});
it('should throw CredentialNotFoundError for unknown credential', async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
credentialRepo.findById.mockResolvedValue(null);
await expect(
service.rotateCredential(AGENT_ID, 'unknown', {}, IP, UA),
).rejects.toThrow(CredentialNotFoundError);
});
it('should throw CredentialAlreadyRevokedError for revoked credential', async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
credentialRepo.findById.mockResolvedValue({
...MOCK_CREDENTIAL_ROW,
status: 'revoked',
revokedAt: new Date(),
});
await expect(
service.rotateCredential(AGENT_ID, CREDENTIAL_ID, {}, IP, UA),
).rejects.toThrow(CredentialAlreadyRevokedError);
});
});
// ────────────────────────────────────────────────────────────────
// revokeCredential
// ────────────────────────────────────────────────────────────────
describe('revokeCredential()', () => {
it('should revoke the credential', async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
credentialRepo.findById.mockResolvedValue(MOCK_CREDENTIAL_ROW);
credentialRepo.revoke.mockResolvedValue({ ...MOCK_CREDENTIAL, status: 'revoked', revokedAt: new Date() });
await expect(
service.revokeCredential(AGENT_ID, CREDENTIAL_ID, IP, UA),
).resolves.toBeUndefined();
});
it('should throw AgentNotFoundError for unknown agent', async () => {
agentRepo.findById.mockResolvedValue(null);
await expect(
service.revokeCredential('unknown', CREDENTIAL_ID, IP, UA),
).rejects.toThrow(AgentNotFoundError);
});
it('should throw CredentialAlreadyRevokedError for already-revoked credential', async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
credentialRepo.findById.mockResolvedValue({
...MOCK_CREDENTIAL_ROW,
status: 'revoked',
revokedAt: new Date(),
});
await expect(
service.revokeCredential(AGENT_ID, CREDENTIAL_ID, IP, UA),
).rejects.toThrow(CredentialAlreadyRevokedError);
});
});
});

245
tests/unit/services/OAuth2Service.test.ts Normal file
View File

@@ -0,0 +1,245 @@
/**
* Unit tests for src/services/OAuth2Service.ts
*/
import crypto from 'crypto';
import { v4 as uuidv4 } from 'uuid';
import { OAuth2Service } from '../../../src/services/OAuth2Service';
import { TokenRepository } from '../../../src/repositories/TokenRepository';
import { CredentialRepository } from '../../../src/repositories/CredentialRepository';
import { AgentRepository } from '../../../src/repositories/AgentRepository';
import { AuditService } from '../../../src/services/AuditService';
import {
AuthenticationError,
AuthorizationError,
FreeTierLimitError,
InsufficientScopeError,
} from '../../../src/utils/errors';
import { IAgent, ICredential, ICredentialRow, ITokenPayload } from '../../../src/types/index';
import { hashSecret, generateClientSecret } from '../../../src/utils/crypto';
jest.mock('../../../src/repositories/TokenRepository');
jest.mock('../../../src/repositories/CredentialRepository');
jest.mock('../../../src/repositories/AgentRepository');
jest.mock('../../../src/services/AuditService');
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const MockTokenRepo = TokenRepository as jest.MockedClass<typeof TokenRepository>;
const MockCredentialRepo = CredentialRepository as jest.MockedClass<typeof CredentialRepository>;
const MockAgentRepo = AgentRepository as jest.MockedClass<typeof AgentRepository>;
const MockAuditService = AuditService as jest.MockedClass<typeof AuditService>;
const MOCK_AGENT_ID = uuidv4();
const MOCK_AGENT: IAgent = {
agentId: MOCK_AGENT_ID,
email: 'agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['agents:read'],
owner: 'team-a',
deploymentEnv: 'production',
status: 'active',
createdAt: new Date(),
updatedAt: new Date(),
};
const IP = '127.0.0.1';
const UA = 'test/1.0';
describe('OAuth2Service', () => {
let service: OAuth2Service;
let tokenRepo: jest.Mocked<TokenRepository>;
let credentialRepo: jest.Mocked<CredentialRepository>;
let agentRepo: jest.Mocked<AgentRepository>;
let auditService: jest.Mocked<AuditService>;
let plainSecret: string;
let credentialRow: ICredentialRow;
beforeEach(async () => {
jest.clearAllMocks();
tokenRepo = new MockTokenRepo({} as never, {} as never) as jest.Mocked<TokenRepository>;
credentialRepo = new MockCredentialRepo({} as never) as jest.Mocked<CredentialRepository>;
agentRepo = new MockAgentRepo({} as never) as jest.Mocked<AgentRepository>;
auditService = new MockAuditService({} as never) as jest.Mocked<AuditService>;
service = new OAuth2Service(
tokenRepo,
credentialRepo,
agentRepo,
auditService,
privateKey,
publicKey,
);
plainSecret = generateClientSecret();
const secretHash = await hashSecret(plainSecret);
const credId = uuidv4();
const mockCredential: ICredential = {
credentialId: credId,
clientId: MOCK_AGENT_ID,
status: 'active',
createdAt: new Date(),
expiresAt: null,
revokedAt: null,
};
credentialRow = { ...mockCredential, secretHash };
credentialRepo.findByAgentId.mockResolvedValue({ credentials: [mockCredential], total: 1 });
credentialRepo.findById.mockResolvedValue(credentialRow);
auditService.logEvent.mockResolvedValue({} as never);
});
// ────────────────────────────────────────────────────────────────
// issueToken
// ────────────────────────────────────────────────────────────────
describe('issueToken()', () => {
beforeEach(() => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
tokenRepo.getMonthlyCount.mockResolvedValue(0);
tokenRepo.incrementMonthlyCount.mockResolvedValue(1);
});
it('should issue a token for valid credentials', async () => {
const result = await service.issueToken(
MOCK_AGENT_ID,
plainSecret,
'agents:read',
IP,
UA,
);
expect(result.token_type).toBe('Bearer');
expect(result.expires_in).toBe(3600);
expect(result.access_token).toBeTruthy();
});
it('should throw AuthenticationError for unknown agent', async () => {
agentRepo.findById.mockResolvedValue(null);
await expect(
service.issueToken('unknown', plainSecret, 'agents:read', IP, UA),
).rejects.toThrow(AuthenticationError);
});
it('should throw AuthenticationError for wrong secret', async () => {
await expect(
service.issueToken(MOCK_AGENT_ID, 'wrong_secret', 'agents:read', IP, UA),
).rejects.toThrow(AuthenticationError);
});
it('should throw AuthorizationError for suspended agent', async () => {
agentRepo.findById.mockResolvedValue({ ...MOCK_AGENT, status: 'suspended' });
await expect(
service.issueToken(MOCK_AGENT_ID, plainSecret, 'agents:read', IP, UA),
).rejects.toThrow(AuthorizationError);
});
it('should throw AuthorizationError for decommissioned agent', async () => {
agentRepo.findById.mockResolvedValue({ ...MOCK_AGENT, status: 'decommissioned' });
await expect(
service.issueToken(MOCK_AGENT_ID, plainSecret, 'agents:read', IP, UA),
).rejects.toThrow(AuthorizationError);
});
it('should throw FreeTierLimitError when monthly limit reached', async () => {
tokenRepo.getMonthlyCount.mockResolvedValue(10000);
await expect(
service.issueToken(MOCK_AGENT_ID, plainSecret, 'agents:read', IP, UA),
).rejects.toThrow(FreeTierLimitError);
});
});
// ────────────────────────────────────────────────────────────────
// introspectToken
// ────────────────────────────────────────────────────────────────
describe('introspectToken()', () => {
let validToken: string;
let callerPayload: ITokenPayload;
beforeEach(async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
tokenRepo.getMonthlyCount.mockResolvedValue(0);
tokenRepo.incrementMonthlyCount.mockResolvedValue(1);
const issued = await service.issueToken(MOCK_AGENT_ID, plainSecret, 'agents:read tokens:read', IP, UA);
validToken = issued.access_token;
const { verifyToken } = await import('../../../src/utils/jwt');
callerPayload = verifyToken(validToken, publicKey);
});
it('should return active: true for a valid token', async () => {
tokenRepo.isRevoked.mockResolvedValue(false);
const result = await service.introspectToken(validToken, callerPayload, IP, UA);
expect(result.active).toBe(true);
expect(result.sub).toBe(MOCK_AGENT_ID);
});
it('should return active: false for a revoked token', async () => {
tokenRepo.isRevoked.mockResolvedValue(true);
const result = await service.introspectToken(validToken, callerPayload, IP, UA);
expect(result.active).toBe(false);
});
it('should throw InsufficientScopeError if caller lacks tokens:read', async () => {
const noScopePayload = { ...callerPayload, scope: 'agents:read' };
await expect(
service.introspectToken(validToken, noScopePayload, IP, UA),
).rejects.toThrow(InsufficientScopeError);
});
it('should return active: false for an expired token', async () => {
const result = await service.introspectToken('invalid.jwt.token', callerPayload, IP, UA);
expect(result.active).toBe(false);
});
});
// ────────────────────────────────────────────────────────────────
// revokeToken
// ────────────────────────────────────────────────────────────────
describe('revokeToken()', () => {
let validToken: string;
let callerPayload: ITokenPayload;
beforeEach(async () => {
agentRepo.findById.mockResolvedValue(MOCK_AGENT);
tokenRepo.getMonthlyCount.mockResolvedValue(0);
tokenRepo.incrementMonthlyCount.mockResolvedValue(1);
const issued = await service.issueToken(MOCK_AGENT_ID, plainSecret, 'agents:read', IP, UA);
validToken = issued.access_token;
const { verifyToken } = await import('../../../src/utils/jwt');
callerPayload = verifyToken(validToken, publicKey);
tokenRepo.addToRevocationList.mockResolvedValue();
});
it('should revoke a token successfully', async () => {
await expect(
service.revokeToken(validToken, callerPayload, IP, UA),
).resolves.toBeUndefined();
expect(tokenRepo.addToRevocationList).toHaveBeenCalled();
});
it('should throw AuthorizationError if revoking another agent token', async () => {
const otherPayload = { ...callerPayload, sub: uuidv4() };
await expect(
service.revokeToken(validToken, otherPayload, IP, UA),
).rejects.toThrow(AuthorizationError);
});
it('should succeed silently for a malformed token (RFC 7009)', async () => {
await expect(
service.revokeToken('not.a.valid.token', callerPayload, IP, UA),
).resolves.toBeUndefined();
});
});
});

62
tests/unit/utils/crypto.test.ts Normal file
View File

@@ -0,0 +1,62 @@
/**
* Unit tests for src/utils/crypto.ts
*/
import { generateClientSecret, hashSecret, verifySecret } from '../../../src/utils/crypto';
describe('crypto utils', () => {
describe('generateClientSecret()', () => {
it('should return a string starting with sk_live_', () => {
const secret = generateClientSecret();
expect(secret).toMatch(/^sk_live_/);
});
it('should return 64 hex chars after the prefix', () => {
const secret = generateClientSecret();
const hex = secret.slice('sk_live_'.length);
expect(hex).toHaveLength(64);
expect(hex).toMatch(/^[0-9a-f]{64}$/);
});
it('should generate unique secrets on each call', () => {
const secret1 = generateClientSecret();
const secret2 = generateClientSecret();
expect(secret1).not.toBe(secret2);
});
it('should have total length of 72 characters (8 + 64)', () => {
const secret = generateClientSecret();
expect(secret).toHaveLength(72);
});
});
describe('hashSecret() and verifySecret()', () => {
it('should hash a secret and verify it correctly', async () => {
const plain = generateClientSecret();
const hash = await hashSecret(plain);
const isValid = await verifySecret(plain, hash);
expect(isValid).toBe(true);
});
it('should return false for a wrong secret', async () => {
const plain = generateClientSecret();
const hash = await hashSecret(plain);
const isValid = await verifySecret('wrong_secret', hash);
expect(isValid).toBe(false);
});
it('should produce different hashes for the same input (salt randomness)', async () => {
const plain = generateClientSecret();
const hash1 = await hashSecret(plain);
const hash2 = await hashSecret(plain);
expect(hash1).not.toBe(hash2);
});
it('should produce a bcrypt hash string', async () => {
const plain = generateClientSecret();
const hash = await hashSecret(plain);
// bcrypt hashes start with $2a$ or $2b$
expect(hash).toMatch(/^\$2[ab]\$/);
});
});
});

107
tests/unit/utils/jwt.test.ts Normal file
View File

@@ -0,0 +1,107 @@
/**
* Unit tests for src/utils/jwt.ts
*/
import crypto from 'crypto';
import { signToken, verifyToken, decodeToken, getTokenExpiresIn } from '../../../src/utils/jwt';
import { ITokenPayload } from '../../../src/types/index';
import { v4 as uuidv4 } from 'uuid';
// Generate a test RSA key pair for testing
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
describe('jwt utils', () => {
const testPayload: Omit<ITokenPayload, 'iat' | 'exp'> = {
sub: uuidv4(),
client_id: uuidv4(),
scope: 'agents:read agents:write',
jti: uuidv4(),
};
describe('signToken()', () => {
it('should return a non-empty JWT string', () => {
const token = signToken(testPayload, privateKey);
expect(typeof token).toBe('string');
expect(token.length).toBeGreaterThan(0);
});
it('should return a JWT with three parts separated by dots', () => {
const token = signToken(testPayload, privateKey);
const parts = token.split('.');
expect(parts).toHaveLength(3);
});
it('should include iat and exp in the payload', () => {
const before = Math.floor(Date.now() / 1000);
const token = signToken(testPayload, privateKey);
const decoded = decodeToken(token);
const after = Math.floor(Date.now() / 1000);
expect(decoded).not.toBeNull();
if (decoded) {
expect(decoded.iat).toBeGreaterThanOrEqual(before);
expect(decoded.iat).toBeLessThanOrEqual(after);
expect(decoded.exp).toBe(decoded.iat + 3600);
}
});
});
describe('verifyToken()', () => {
it('should verify and return the payload for a valid token', () => {
const token = signToken(testPayload, privateKey);
const payload = verifyToken(token, publicKey);
expect(payload.sub).toBe(testPayload.sub);
expect(payload.client_id).toBe(testPayload.client_id);
expect(payload.scope).toBe(testPayload.scope);
expect(payload.jti).toBe(testPayload.jti);
});
it('should throw for a token signed with a different private key', () => {
const { privateKey: otherPrivateKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const token = signToken(testPayload, otherPrivateKey);
expect(() => verifyToken(token, publicKey)).toThrow();
});
it('should throw for a tampered token', () => {
const token = signToken(testPayload, privateKey);
const parts = token.split('.');
// Tamper the payload
const tamperedToken = `${parts[0]}.TAMPERED.${parts[2]}`;
expect(() => verifyToken(tamperedToken, publicKey)).toThrow();
});
});
describe('decodeToken()', () => {
it('should decode a valid token without verifying the signature', () => {
const token = signToken(testPayload, privateKey);
const decoded = decodeToken(token);
expect(decoded).not.toBeNull();
expect(decoded?.sub).toBe(testPayload.sub);
});
it('should return null for a malformed token', () => {
const result = decodeToken('not.a.valid.token');
// jsonwebtoken.decode returns null for fully invalid tokens but
// may parse some parts — we handle both cases
expect(result === null || typeof result === 'object').toBe(true);
});
it('should return null for an empty string', () => {
const result = decodeToken('');
expect(result).toBeNull();
});
});
describe('getTokenExpiresIn()', () => {
it('should return 3600', () => {
expect(getTokenExpiresIn()).toBe(3600);
});
});
});

245
tests/unit/utils/validators.test.ts Normal file
View File

@@ -0,0 +1,245 @@
/**
* Unit tests for src/utils/validators.ts
*/
import {
createAgentSchema,
updateAgentSchema,
listAgentsQuerySchema,
tokenRequestSchema,
introspectRequestSchema,
revokeRequestSchema,
generateCredentialSchema,
listCredentialsQuerySchema,
auditQuerySchema,
} from '../../../src/utils/validators';
describe('validators', () => {
// ────────────────────────────────────────────────────────────────
// createAgentSchema
// ────────────────────────────────────────────────────────────────
describe('createAgentSchema', () => {
const valid = {
email: 'agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'team-a',
deploymentEnv: 'production',
};
it('should accept a valid request', () => {
const { error } = createAgentSchema.validate(valid);
expect(error).toBeUndefined();
});
it('should reject an invalid email', () => {
const { error } = createAgentSchema.validate({ ...valid, email: 'not-an-email' });
expect(error).toBeDefined();
});
it('should reject an invalid agentType', () => {
const { error } = createAgentSchema.validate({ ...valid, agentType: 'invalid' });
expect(error).toBeDefined();
});
it('should reject an invalid semver', () => {
const { error } = createAgentSchema.validate({ ...valid, version: 'v1' });
expect(error).toBeDefined();
});
it('should reject empty capabilities array', () => {
const { error } = createAgentSchema.validate({ ...valid, capabilities: [] });
expect(error).toBeDefined();
});
it('should reject capability with invalid format', () => {
const { error } = createAgentSchema.validate({ ...valid, capabilities: ['invalid'] });
expect(error).toBeDefined();
});
it('should reject missing required fields', () => {
const { error } = createAgentSchema.validate({});
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// updateAgentSchema
// ────────────────────────────────────────────────────────────────
describe('updateAgentSchema', () => {
it('should accept a single field update', () => {
const { error } = updateAgentSchema.validate({ version: '2.0.0' });
expect(error).toBeUndefined();
});
it('should reject an empty object (minProperties: 1)', () => {
const { error } = updateAgentSchema.validate({});
expect(error).toBeDefined();
});
it('should accept valid status values', () => {
expect(updateAgentSchema.validate({ status: 'active' }).error).toBeUndefined();
expect(updateAgentSchema.validate({ status: 'suspended' }).error).toBeUndefined();
expect(updateAgentSchema.validate({ status: 'decommissioned' }).error).toBeUndefined();
});
it('should reject invalid status', () => {
const { error } = updateAgentSchema.validate({ status: 'deleted' });
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// listAgentsQuerySchema
// ────────────────────────────────────────────────────────────────
describe('listAgentsQuerySchema', () => {
it('should apply default values', () => {
const { value } = listAgentsQuerySchema.validate({});
expect(value.page).toBe(1);
expect(value.limit).toBe(20);
});
it('should reject limit > 100', () => {
const { error } = listAgentsQuerySchema.validate({ limit: 101 });
expect(error).toBeDefined();
});
it('should reject page < 1', () => {
const { error } = listAgentsQuerySchema.validate({ page: 0 });
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// tokenRequestSchema
// ────────────────────────────────────────────────────────────────
describe('tokenRequestSchema', () => {
it('should accept a valid token request', () => {
const { error } = tokenRequestSchema.validate({
grant_type: 'client_credentials',
client_id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
client_secret: 'sk_live_abc123',
scope: 'agents:read agents:write',
});
expect(error).toBeUndefined();
});
it('should reject missing grant_type', () => {
const { error } = tokenRequestSchema.validate({ client_id: 'uuid', client_secret: 'secret' });
expect(error).toBeDefined();
});
it('should reject invalid scope', () => {
const { error } = tokenRequestSchema.validate({
grant_type: 'client_credentials',
scope: 'admin:all',
});
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// introspectRequestSchema
// ────────────────────────────────────────────────────────────────
describe('introspectRequestSchema', () => {
it('should accept a valid introspect request', () => {
const { error } = introspectRequestSchema.validate({ token: 'some.jwt.token' });
expect(error).toBeUndefined();
});
it('should reject missing token', () => {
const { error } = introspectRequestSchema.validate({});
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// revokeRequestSchema
// ────────────────────────────────────────────────────────────────
describe('revokeRequestSchema', () => {
it('should accept a valid revoke request', () => {
const { error } = revokeRequestSchema.validate({ token: 'some.jwt.token' });
expect(error).toBeUndefined();
});
it('should reject missing token', () => {
const { error } = revokeRequestSchema.validate({});
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// generateCredentialSchema
// ────────────────────────────────────────────────────────────────
describe('generateCredentialSchema', () => {
it('should accept empty body (expiresAt is optional)', () => {
const { error } = generateCredentialSchema.validate({});
expect(error).toBeUndefined();
});
it('should accept valid ISO 8601 expiresAt', () => {
const { error } = generateCredentialSchema.validate({
expiresAt: '2027-01-01T00:00:00.000Z',
});
expect(error).toBeUndefined();
});
it('should reject non-ISO date', () => {
const { error } = generateCredentialSchema.validate({ expiresAt: '2027/01/01' });
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// listCredentialsQuerySchema
// ────────────────────────────────────────────────────────────────
describe('listCredentialsQuerySchema', () => {
it('should apply defaults', () => {
const { value } = listCredentialsQuerySchema.validate({});
expect(value.page).toBe(1);
expect(value.limit).toBe(20);
});
it('should accept status filter', () => {
const { error } = listCredentialsQuerySchema.validate({ status: 'active' });
expect(error).toBeUndefined();
});
it('should reject invalid status', () => {
const { error } = listCredentialsQuerySchema.validate({ status: 'expired' });
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// auditQuerySchema
// ────────────────────────────────────────────────────────────────
describe('auditQuerySchema', () => {
it('should apply defaults', () => {
const { value } = auditQuerySchema.validate({});
expect(value.page).toBe(1);
expect(value.limit).toBe(50);
});
it('should accept valid audit action', () => {
const { error } = auditQuerySchema.validate({ action: 'token.issued' });
expect(error).toBeUndefined();
});
it('should reject invalid action', () => {
const { error } = auditQuerySchema.validate({ action: 'unknown.action' });
expect(error).toBeDefined();
});
it('should accept limit up to 200', () => {
const { error } = auditQuerySchema.validate({ limit: 200 });
expect(error).toBeUndefined();
});
it('should reject limit > 200', () => {
const { error } = auditQuerySchema.validate({ limit: 201 });
expect(error).toBeDefined();
});
});
});