vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Phase 1 MVP — complete AgentIdP implementation

Browse Source 
Implements all P0 features per OpenSpec change phase-1-mvp-implementation:
- Agent Registry Service (CRUD) — full lifecycle management
- OAuth 2.0 Token Service (Client Credentials flow)
- Credential Management (generate, rotate, revoke)
- Immutable Audit Log Service

Tech: Node.js 18+, TypeScript 5.3+ strict, Express 4.18+, PostgreSQL 14+, Redis 7+
Standards: OpenAPI 3.0 specs, DRY/SOLID, zero `any` types
Quality: 18 unit test suites, 244 tests passing, 97%+ coverage
OpenAPI: 4 complete specs (14 endpoints total)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
2026-03-28 09:14:41 +00:00
parent 245f8df427
commit d3530285b9
78 changed files with 20590 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
tests/unit/utils/crypto.test.ts Normal file
View File

@@ -0,0 +1,62 @@
/**
* Unit tests for src/utils/crypto.ts
*/
import { generateClientSecret, hashSecret, verifySecret } from '../../../src/utils/crypto';
describe('crypto utils', () => {
describe('generateClientSecret()', () => {
it('should return a string starting with sk_live_', () => {
const secret = generateClientSecret();
expect(secret).toMatch(/^sk_live_/);
});
it('should return 64 hex chars after the prefix', () => {
const secret = generateClientSecret();
const hex = secret.slice('sk_live_'.length);
expect(hex).toHaveLength(64);
expect(hex).toMatch(/^[0-9a-f]{64}$/);
});
it('should generate unique secrets on each call', () => {
const secret1 = generateClientSecret();
const secret2 = generateClientSecret();
expect(secret1).not.toBe(secret2);
});
it('should have total length of 72 characters (8 + 64)', () => {
const secret = generateClientSecret();
expect(secret).toHaveLength(72);
});
});
describe('hashSecret() and verifySecret()', () => {
it('should hash a secret and verify it correctly', async () => {
const plain = generateClientSecret();
const hash = await hashSecret(plain);
const isValid = await verifySecret(plain, hash);
expect(isValid).toBe(true);
});
it('should return false for a wrong secret', async () => {
const plain = generateClientSecret();
const hash = await hashSecret(plain);
const isValid = await verifySecret('wrong_secret', hash);
expect(isValid).toBe(false);
});
it('should produce different hashes for the same input (salt randomness)', async () => {
const plain = generateClientSecret();
const hash1 = await hashSecret(plain);
const hash2 = await hashSecret(plain);
expect(hash1).not.toBe(hash2);
});
it('should produce a bcrypt hash string', async () => {
const plain = generateClientSecret();
const hash = await hashSecret(plain);
// bcrypt hashes start with $2a$ or $2b$
expect(hash).toMatch(/^\$2[ab]\$/);
});
});
});

107
tests/unit/utils/jwt.test.ts Normal file
View File

@@ -0,0 +1,107 @@
/**
* Unit tests for src/utils/jwt.ts
*/
import crypto from 'crypto';
import { signToken, verifyToken, decodeToken, getTokenExpiresIn } from '../../../src/utils/jwt';
import { ITokenPayload } from '../../../src/types/index';
import { v4 as uuidv4 } from 'uuid';
// Generate a test RSA key pair for testing
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
describe('jwt utils', () => {
const testPayload: Omit<ITokenPayload, 'iat' | 'exp'> = {
sub: uuidv4(),
client_id: uuidv4(),
scope: 'agents:read agents:write',
jti: uuidv4(),
};
describe('signToken()', () => {
it('should return a non-empty JWT string', () => {
const token = signToken(testPayload, privateKey);
expect(typeof token).toBe('string');
expect(token.length).toBeGreaterThan(0);
});
it('should return a JWT with three parts separated by dots', () => {
const token = signToken(testPayload, privateKey);
const parts = token.split('.');
expect(parts).toHaveLength(3);
});
it('should include iat and exp in the payload', () => {
const before = Math.floor(Date.now() / 1000);
const token = signToken(testPayload, privateKey);
const decoded = decodeToken(token);
const after = Math.floor(Date.now() / 1000);
expect(decoded).not.toBeNull();
if (decoded) {
expect(decoded.iat).toBeGreaterThanOrEqual(before);
expect(decoded.iat).toBeLessThanOrEqual(after);
expect(decoded.exp).toBe(decoded.iat + 3600);
}
});
});
describe('verifyToken()', () => {
it('should verify and return the payload for a valid token', () => {
const token = signToken(testPayload, privateKey);
const payload = verifyToken(token, publicKey);
expect(payload.sub).toBe(testPayload.sub);
expect(payload.client_id).toBe(testPayload.client_id);
expect(payload.scope).toBe(testPayload.scope);
expect(payload.jti).toBe(testPayload.jti);
});
it('should throw for a token signed with a different private key', () => {
const { privateKey: otherPrivateKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const token = signToken(testPayload, otherPrivateKey);
expect(() => verifyToken(token, publicKey)).toThrow();
});
it('should throw for a tampered token', () => {
const token = signToken(testPayload, privateKey);
const parts = token.split('.');
// Tamper the payload
const tamperedToken = `${parts[0]}.TAMPERED.${parts[2]}`;
expect(() => verifyToken(tamperedToken, publicKey)).toThrow();
});
});
describe('decodeToken()', () => {
it('should decode a valid token without verifying the signature', () => {
const token = signToken(testPayload, privateKey);
const decoded = decodeToken(token);
expect(decoded).not.toBeNull();
expect(decoded?.sub).toBe(testPayload.sub);
});
it('should return null for a malformed token', () => {
const result = decodeToken('not.a.valid.token');
// jsonwebtoken.decode returns null for fully invalid tokens but
// may parse some parts — we handle both cases
expect(result === null || typeof result === 'object').toBe(true);
});
it('should return null for an empty string', () => {
const result = decodeToken('');
expect(result).toBeNull();
});
});
describe('getTokenExpiresIn()', () => {
it('should return 3600', () => {
expect(getTokenExpiresIn()).toBe(3600);
});
});
});

245
tests/unit/utils/validators.test.ts Normal file
View File

@@ -0,0 +1,245 @@
/**
* Unit tests for src/utils/validators.ts
*/
import {
createAgentSchema,
updateAgentSchema,
listAgentsQuerySchema,
tokenRequestSchema,
introspectRequestSchema,
revokeRequestSchema,
generateCredentialSchema,
listCredentialsQuerySchema,
auditQuerySchema,
} from '../../../src/utils/validators';
describe('validators', () => {
// ────────────────────────────────────────────────────────────────
// createAgentSchema
// ────────────────────────────────────────────────────────────────
describe('createAgentSchema', () => {
const valid = {
email: 'agent@sentryagent.ai',
agentType: 'screener',
version: '1.0.0',
capabilities: ['resume:read'],
owner: 'team-a',
deploymentEnv: 'production',
};
it('should accept a valid request', () => {
const { error } = createAgentSchema.validate(valid);
expect(error).toBeUndefined();
});
it('should reject an invalid email', () => {
const { error } = createAgentSchema.validate({ ...valid, email: 'not-an-email' });
expect(error).toBeDefined();
});
it('should reject an invalid agentType', () => {
const { error } = createAgentSchema.validate({ ...valid, agentType: 'invalid' });
expect(error).toBeDefined();
});
it('should reject an invalid semver', () => {
const { error } = createAgentSchema.validate({ ...valid, version: 'v1' });
expect(error).toBeDefined();
});
it('should reject empty capabilities array', () => {
const { error } = createAgentSchema.validate({ ...valid, capabilities: [] });
expect(error).toBeDefined();
});
it('should reject capability with invalid format', () => {
const { error } = createAgentSchema.validate({ ...valid, capabilities: ['invalid'] });
expect(error).toBeDefined();
});
it('should reject missing required fields', () => {
const { error } = createAgentSchema.validate({});
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// updateAgentSchema
// ────────────────────────────────────────────────────────────────
describe('updateAgentSchema', () => {
it('should accept a single field update', () => {
const { error } = updateAgentSchema.validate({ version: '2.0.0' });
expect(error).toBeUndefined();
});
it('should reject an empty object (minProperties: 1)', () => {
const { error } = updateAgentSchema.validate({});
expect(error).toBeDefined();
});
it('should accept valid status values', () => {
expect(updateAgentSchema.validate({ status: 'active' }).error).toBeUndefined();
expect(updateAgentSchema.validate({ status: 'suspended' }).error).toBeUndefined();
expect(updateAgentSchema.validate({ status: 'decommissioned' }).error).toBeUndefined();
});
it('should reject invalid status', () => {
const { error } = updateAgentSchema.validate({ status: 'deleted' });
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// listAgentsQuerySchema
// ────────────────────────────────────────────────────────────────
describe('listAgentsQuerySchema', () => {
it('should apply default values', () => {
const { value } = listAgentsQuerySchema.validate({});
expect(value.page).toBe(1);
expect(value.limit).toBe(20);
});
it('should reject limit > 100', () => {
const { error } = listAgentsQuerySchema.validate({ limit: 101 });
expect(error).toBeDefined();
});
it('should reject page < 1', () => {
const { error } = listAgentsQuerySchema.validate({ page: 0 });
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// tokenRequestSchema
// ────────────────────────────────────────────────────────────────
describe('tokenRequestSchema', () => {
it('should accept a valid token request', () => {
const { error } = tokenRequestSchema.validate({
grant_type: 'client_credentials',
client_id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
client_secret: 'sk_live_abc123',
scope: 'agents:read agents:write',
});
expect(error).toBeUndefined();
});
it('should reject missing grant_type', () => {
const { error } = tokenRequestSchema.validate({ client_id: 'uuid', client_secret: 'secret' });
expect(error).toBeDefined();
});
it('should reject invalid scope', () => {
const { error } = tokenRequestSchema.validate({
grant_type: 'client_credentials',
scope: 'admin:all',
});
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// introspectRequestSchema
// ────────────────────────────────────────────────────────────────
describe('introspectRequestSchema', () => {
it('should accept a valid introspect request', () => {
const { error } = introspectRequestSchema.validate({ token: 'some.jwt.token' });
expect(error).toBeUndefined();
});
it('should reject missing token', () => {
const { error } = introspectRequestSchema.validate({});
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// revokeRequestSchema
// ────────────────────────────────────────────────────────────────
describe('revokeRequestSchema', () => {
it('should accept a valid revoke request', () => {
const { error } = revokeRequestSchema.validate({ token: 'some.jwt.token' });
expect(error).toBeUndefined();
});
it('should reject missing token', () => {
const { error } = revokeRequestSchema.validate({});
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// generateCredentialSchema
// ────────────────────────────────────────────────────────────────
describe('generateCredentialSchema', () => {
it('should accept empty body (expiresAt is optional)', () => {
const { error } = generateCredentialSchema.validate({});
expect(error).toBeUndefined();
});
it('should accept valid ISO 8601 expiresAt', () => {
const { error } = generateCredentialSchema.validate({
expiresAt: '2027-01-01T00:00:00.000Z',
});
expect(error).toBeUndefined();
});
it('should reject non-ISO date', () => {
const { error } = generateCredentialSchema.validate({ expiresAt: '2027/01/01' });
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// listCredentialsQuerySchema
// ────────────────────────────────────────────────────────────────
describe('listCredentialsQuerySchema', () => {
it('should apply defaults', () => {
const { value } = listCredentialsQuerySchema.validate({});
expect(value.page).toBe(1);
expect(value.limit).toBe(20);
});
it('should accept status filter', () => {
const { error } = listCredentialsQuerySchema.validate({ status: 'active' });
expect(error).toBeUndefined();
});
it('should reject invalid status', () => {
const { error } = listCredentialsQuerySchema.validate({ status: 'expired' });
expect(error).toBeDefined();
});
});
// ────────────────────────────────────────────────────────────────
// auditQuerySchema
// ────────────────────────────────────────────────────────────────
describe('auditQuerySchema', () => {
it('should apply defaults', () => {
const { value } = auditQuerySchema.validate({});
expect(value.page).toBe(1);
expect(value.limit).toBe(50);
});
it('should accept valid audit action', () => {
const { error } = auditQuerySchema.validate({ action: 'token.issued' });
expect(error).toBeUndefined();
});
it('should reject invalid action', () => {
const { error } = auditQuerySchema.validate({ action: 'unknown.action' });
expect(error).toBeDefined();
});
it('should accept limit up to 200', () => {
const { error } = auditQuerySchema.validate({ limit: 200 });
expect(error).toBeUndefined();
});
it('should reject limit > 200', () => {
const { error } = auditQuerySchema.validate({ limit: 201 });
expect(error).toBeDefined();
});
});
});