vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7441c9f298f1074b870577d41f1966225f0acdbd
sentryagent-idp/tests/integration/oidc-token-exchange.test.ts
SentryAgent.ai Developer 7441c9f298 fix(vv): resolve all 6 V&V issues — field trial unblocked 
All findings from the inaugural LeadValidator audit resolved and
confirmed. Release gate: PASS.

VV_ISSUE_002 (BLOCKER): 15 OpenAPI specs verified present covering
all 20 route groups (46 endpoints documented in docs/openapi/)

VV_ISSUE_003 (MAJOR): Remove any types from src/db/pool.ts —
replaced pool.query shim with unknown[] + Object.defineProperty,
zero any types, eslint-disable suppressions removed

VV_ISSUE_004 (MAJOR): Remove raw Pool from ScaffoldController and
HealthDetailedController — injected AgentRepository/CredentialRepository
and DbProbe interface respectively; added CredentialRepository.findActiveClientId()

VV_ISSUE_005 (MAJOR): Add unit tests for 5 untested services —
ComplianceStatusStore, EventPublisher, MarketplaceService,
OIDCTrustPolicyService, UsageService

VV_ISSUE_006 (MAJOR): Add integration tests for 7 missing route
groups — analytics, billing, tiers, webhooks, marketplace,
oidc-trust-policies, oidc-token-exchange

VV_ISSUE_001 (MINOR): Create missing design.md and tasks.md in 4
OpenSpec archives — all archives now complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-07 04:52:47 +00:00

133 lines
4.5 KiB
TypeScript
Raw Blame History

/**
* Integration tests for OIDC Token Exchange endpoint.
* Uses a real Postgres test DB and Redis test instance.
*
* Routes covered:
* POST /api/v1/oidc/token — exchange a GitHub OIDC JWT for a SentryAgent.ai access token
*
* This is an unauthenticated endpoint — the GitHub OIDC JWT is the credential.
* Trust-policy enforcement requires a matching oidc_trust_policies record.
*/
import crypto from 'crypto';
import request from 'supertest';
import { Application } from 'express';
import { v4 as uuidv4 } from 'uuid';
import { Pool } from 'pg';
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
process.env['DATABASE_URL'] =
process.env['TEST_DATABASE_URL'] ??
'postgresql://sentryagent:sentryagent@localhost:5432/sentryagent_idp_test';
process.env['REDIS_URL'] = process.env['TEST_REDIS_URL'] ?? 'redis://localhost:6379/1';
process.env['JWT_PRIVATE_KEY'] = privateKey;
process.env['JWT_PUBLIC_KEY'] = publicKey;
process.env['NODE_ENV'] = 'test';
process.env['DEFAULT_ORG_ID'] = 'org_system';
import { createApp } from '../../src/app';
import { closePool } from '../../src/db/pool';
import { closeRedisClient } from '../../src/cache/redis';
describe('OIDC Token Exchange Endpoint Integration Tests', () => {
let app: Application;
let pool: Pool;
beforeAll(async () => {
app = await createApp();
pool = new Pool({ connectionString: process.env['DATABASE_URL'] });
await pool.query(`
CREATE TABLE IF NOT EXISTS oidc_trust_policies (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
provider VARCHAR(20) NOT NULL,
repository VARCHAR(255) NOT NULL,
branch VARCHAR(100),
agent_id VARCHAR(40) NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)
`);
});
afterAll(async () => {
await pool.end();
await closePool();
await closeRedisClient();
});
// ─── POST /oidc/token ────────────────────────────────────────────────────────
describe('POST /api/v1/oidc/token', () => {
it('should return 400 when request body is missing', async () => {
const res = await request(app)
.post('/api/v1/oidc/token')
.send({});
expect([400, 422]).toContain(res.status);
});
it('should return 400 when provider is missing', async () => {
const res = await request(app)
.post('/api/v1/oidc/token')
.send({ token: 'fake-jwt', agentId: uuidv4() });
expect([400, 422]).toContain(res.status);
});
it('should return 400 when token is missing', async () => {
const res = await request(app)
.post('/api/v1/oidc/token')
.send({ provider: 'github', agentId: uuidv4() });
expect([400, 422]).toContain(res.status);
});
it('should return 401 or 403 for an invalid GitHub OIDC token', async () => {
// A malformed JWT will fail verification — the endpoint should reject it
const res = await request(app)
.post('/api/v1/oidc/token')
.send({
provider: 'github',
token: 'eyJhbGciOiJSUzI1NiJ9.invalid.payload',
agentId: uuidv4(),
scope: 'agents:read',
});
expect([400, 401, 403, 422]).toContain(res.status);
});
it('should return 403 when no trust policy matches the repository', async () => {
// Build a minimally valid JWT structure with github claims (but won't pass GitHub JWKS)
// The endpoint will reject after trust-policy lookup fails
const header = Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT' })).toString('base64url');
const claims = {
iss: 'https://token.actions.githubusercontent.com',
sub: 'repo:nonexistent/repo:ref:refs/heads/main',
repository: 'nonexistent/repo',
ref: 'refs/heads/main',
aud: 'sentryagent.ai',
};
const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
const fakeJwt = `${header}.${payload}.fakesig`;
const res = await request(app)
.post('/api/v1/oidc/token')
.send({
provider: 'github',
token: fakeJwt,
agentId: uuidv4(),
scope: 'agents:read',
});
// Either 401 (invalid JWT signature) or 403 (trust policy violation)
expect([400, 401, 403]).toContain(res.status);
});
});
});
Reference in New Issue View Git Blame Copy Permalink