vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d216096dfb83bf2f08b73f00dfb088e1199325b4
sentryagent-idp/tests/unit/repositories/CredentialRepository.test.ts
SentryAgent.ai Developer 7328a61c44 feat(phase-2): workstream 5 — OPA Policy Engine 
- policies/authz.rego: Rego policy with path normalisation and scope enforcement
- policies/data/scopes.json: all 13 endpoint → scope mappings
- src/middleware/opa.ts: OpaMiddleware with Wasm primary path + scopes.json fallback;
  exports createOpaMiddleware() and reloadOpaPolicy() for SIGHUP hot-reload
- All four route files: opaMiddleware wired after authMiddleware
- AuditController, OAuth2Service: manual scope checks removed (now centralised in OPA)
- src/server.ts: SIGHUP handler calls reloadOpaPolicy()
- docs/devops/environment-variables.md: POLICY_DIR documented
- 38 new tests; 302/302 passing; opa.ts coverage 98.66% statements

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 23:02:11 +00:00

258 lines
11 KiB
TypeScript
Raw Blame History

/**
* Unit tests for src/repositories/CredentialRepository.ts
* Uses a mocked pg.Pool — no real database connection.
*/
import { Pool } from 'pg';
import { CredentialRepository } from '../../../src/repositories/CredentialRepository';
import { ICredential, ICredentialRow, ICredentialListFilters } from '../../../src/types/index';
jest.mock('pg', () => ({
Pool: jest.fn().mockImplementation(() => ({
query: jest.fn(),
connect: jest.fn(),
})),
}));
// ─── helpers ─────────────────────────────────────────────────────────────────
const CREDENTIAL_ROW = {
credential_id: 'cred-0000-0000-0000-000000000001',
client_id: 'agent-0000-0000-0000-000000000001',
secret_hash: '$2b$10$hashedSecret',
status: 'active',
created_at: new Date('2026-03-28T09:00:00Z'),
expires_at: null,
revoked_at: null,
};
const EXPECTED_CREDENTIAL: ICredential = {
credentialId: CREDENTIAL_ROW.credential_id,
clientId: CREDENTIAL_ROW.client_id,
status: 'active',
createdAt: CREDENTIAL_ROW.created_at,
expiresAt: null,
revokedAt: null,
};
const EXPECTED_CREDENTIAL_ROW: ICredentialRow = {
...EXPECTED_CREDENTIAL,
secretHash: CREDENTIAL_ROW.secret_hash,
vaultPath: null,
};
// ─── suite ───────────────────────────────────────────────────────────────────
describe('CredentialRepository', () => {
let pool: jest.Mocked<Pool>;
let repo: CredentialRepository;
beforeEach(() => {
jest.clearAllMocks();
pool = new Pool() as jest.Mocked<Pool>;
repo = new CredentialRepository(pool);
});
// ── create ──────────────────────────────────────────────────────────────────
describe('create()', () => {
it('should insert a credential row and return ICredential without secret hash', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [CREDENTIAL_ROW], rowCount: 1 });
const result = await repo.create(
CREDENTIAL_ROW.client_id,
CREDENTIAL_ROW.secret_hash,
null,
);
expect(pool.query).toHaveBeenCalledTimes(1);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('INSERT INTO credentials');
expect(params).toContain(CREDENTIAL_ROW.client_id);
expect(params).toContain(CREDENTIAL_ROW.secret_hash);
// Secret hash must NOT be on the returned ICredential
expect(result).toMatchObject(EXPECTED_CREDENTIAL);
expect((result as ICredentialRow).secretHash).toBeUndefined();
});
it('should pass expiresAt when provided', async () => {
const expiresAt = new Date('2027-01-01T00:00:00Z');
const rowWithExpiry = { ...CREDENTIAL_ROW, expires_at: expiresAt };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [rowWithExpiry], rowCount: 1 });
const result = await repo.create(CREDENTIAL_ROW.client_id, CREDENTIAL_ROW.secret_hash, expiresAt);
const [, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(params).toContain(expiresAt);
expect(result.expiresAt).toEqual(expiresAt);
});
});
// ── findById ─────────────────────────────────────────────────────────────────
describe('findById()', () => {
it('should return ICredentialRow (with secretHash) when found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [CREDENTIAL_ROW], rowCount: 1 });
const result = await repo.findById(CREDENTIAL_ROW.credential_id);
expect(pool.query).toHaveBeenCalledWith(
expect.stringContaining('credential_id'),
[CREDENTIAL_ROW.credential_id],
);
expect(result).toMatchObject(EXPECTED_CREDENTIAL_ROW);
expect(result?.secretHash).toBe(CREDENTIAL_ROW.secret_hash);
});
it('should return null when not found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.findById('nonexistent');
expect(result).toBeNull();
});
});
// ── findByAgentId ─────────────────────────────────────────────────────────────
describe('findByAgentId()', () => {
it('should return paginated credentials for an agent', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '1' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [CREDENTIAL_ROW], rowCount: 1 });
const filters: ICredentialListFilters = { page: 1, limit: 20 };
const result = await repo.findByAgentId(CREDENTIAL_ROW.client_id, filters);
expect(pool.query).toHaveBeenCalledTimes(2);
expect(result.total).toBe(1);
expect(result.credentials).toHaveLength(1);
expect(result.credentials[0]).toMatchObject(EXPECTED_CREDENTIAL);
});
it('should apply status filter when provided', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
const filters: ICredentialListFilters = { page: 1, limit: 20, status: 'revoked' };
const result = await repo.findByAgentId(CREDENTIAL_ROW.client_id, filters);
const [countSql] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(countSql).toContain('status');
expect(result.total).toBe(0);
expect(result.credentials).toHaveLength(0);
});
it('should return empty list when no credentials exist', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '0' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.findByAgentId('agent-no-creds', { page: 1, limit: 20 });
expect(result.total).toBe(0);
expect(result.credentials).toEqual([]);
});
it('should not include secretHash in returned credentials', async () => {
(pool.query as jest.Mock)
.mockResolvedValueOnce({ rows: [{ count: '1' }], rowCount: 1 })
.mockResolvedValueOnce({ rows: [CREDENTIAL_ROW], rowCount: 1 });
const result = await repo.findByAgentId(CREDENTIAL_ROW.client_id, { page: 1, limit: 20 });
expect((result.credentials[0] as ICredentialRow).secretHash).toBeUndefined();
});
});
// ── updateHash ────────────────────────────────────────────────────────────────
describe('updateHash()', () => {
it('should update the secret hash and return ICredential', async () => {
const newHash = '$2b$10$newHash';
const updatedRow = { ...CREDENTIAL_ROW, secret_hash: newHash };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [updatedRow], rowCount: 1 });
const result = await repo.updateHash(CREDENTIAL_ROW.credential_id, newHash, null);
expect(pool.query).toHaveBeenCalledTimes(1);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('secret_hash');
expect(params).toContain(newHash);
expect(params).toContain(CREDENTIAL_ROW.credential_id);
expect(result).toMatchObject(EXPECTED_CREDENTIAL);
});
it('should return null when credential is not found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.updateHash('nonexistent', '$2b$10$hash', null);
expect(result).toBeNull();
});
it('should pass new expiresAt when provided', async () => {
const newExpiry = new Date('2028-01-01T00:00:00Z');
const updatedRow = { ...CREDENTIAL_ROW, expires_at: newExpiry };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [updatedRow], rowCount: 1 });
const result = await repo.updateHash(CREDENTIAL_ROW.credential_id, '$2b$10$hash', newExpiry);
const [, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(params).toContain(newExpiry);
expect(result?.expiresAt).toEqual(newExpiry);
});
});
// ── revoke ────────────────────────────────────────────────────────────────────
describe('revoke()', () => {
it('should set status to revoked and return ICredential', async () => {
const revokedAt = new Date('2026-03-28T10:00:00Z');
const revokedRow = { ...CREDENTIAL_ROW, status: 'revoked', revoked_at: revokedAt };
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [revokedRow], rowCount: 1 });
const result = await repo.revoke(CREDENTIAL_ROW.credential_id);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('revoked');
expect(params).toContain(CREDENTIAL_ROW.credential_id);
expect(result?.status).toBe('revoked');
expect(result?.revokedAt).toEqual(revokedAt);
});
it('should return null when credential is not found', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 0 });
const result = await repo.revoke('nonexistent');
expect(result).toBeNull();
});
});
// ── revokeAllForAgent ─────────────────────────────────────────────────────────
describe('revokeAllForAgent()', () => {
it('should return the count of revoked credentials', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: 3 });
const count = await repo.revokeAllForAgent(CREDENTIAL_ROW.client_id);
const [sql, params] = (pool.query as jest.Mock).mock.calls[0] as [string, unknown[]];
expect(sql).toContain('revoked');
expect(params).toContain(CREDENTIAL_ROW.client_id);
expect(count).toBe(3);
});
it('should return 0 when no active credentials exist', async () => {
(pool.query as jest.Mock).mockResolvedValueOnce({ rows: [], rowCount: null });
const count = await repo.revokeAllForAgent('agent-no-creds');
expect(count).toBe(0);
});
});
});
Reference in New Issue View Git Blame Copy Permalink