vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e327c41211f4501f9c5e5bc5f144fab53be156bc
sentryagent-idp/tests/integration/compliance/compliance-endpoints.test.ts
SentryAgent.ai Developer fd90b2acd1 feat(phase-3): workstream 6 — SOC 2 Type II Preparation 
Implements all 22 WS6 tasks completing Phase 3 Enterprise.

Column-level encryption (AES-256-CBC, Vault-backed key) via EncryptionService
applied to credentials.secret_hash, credentials.vault_path,
webhook_subscriptions.vault_secret_path, and agent_did_keys.vault_key_path.
Backward-compatible: isEncrypted() guard skips decryption for existing
plaintext rows until next read-write cycle.

Audit chain integrity (CC7.2): AuditRepository computes SHA-256 Merkle hash
on every INSERT (hash = SHA-256(eventId+timestamp+action+outcome+agentId+orgId+prevHash)).
AuditVerificationService walks the full chain verifying hash continuity.
AuditChainVerificationJob runs hourly; sets agentidp_audit_chain_integrity
Prometheus gauge to 1 (pass) or 0 (fail).

TLS enforcement (CC6.7): TLSEnforcementMiddleware registered as first
middleware in Express stack; 301 redirect on non-https X-Forwarded-Proto
in production.

SecretsRotationJob (CC9.2): hourly scan for credentials expiring within 7
days; increments agentidp_credentials_expiring_soon_total.

ComplianceController + routes: GET /audit/verify (auth+audit:read scope,
30/min rate-limit); GET /compliance/controls (public, Cache-Control 60s).
ComplianceStatusStore: module-level map updated by jobs, consumed by controller.

Prometheus: 2 new metrics (agentidp_credentials_expiring_soon_total,
agentidp_audit_chain_integrity); 6 alerting rules in alerts.yml.

Compliance docs: soc2-controls-matrix.md, encryption-runbook.md,
audit-log-runbook.md, incident-response.md, secrets-rotation.md.

Tests: 557 unit tests passing (35 suites); 26 new tests (EncryptionService,
AuditVerificationService); 19 compliance integration tests. TypeScript clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-31 00:41:53 +00:00

242 lines
9.1 KiB
TypeScript
Raw Blame History

/**
* Integration tests for compliance API endpoints.
*
* Tests:
* 1. GET /compliance/controls returns 200 with 5 controls
* 2. GET /audit/verify with audit:read token returns 200
* 3. GET /audit/verify without token returns 401
* 4. GET /audit/verify with invalid fromDate returns 400 VALIDATION_ERROR
* 5. GET /audit/verify with fromDate > toDate returns 400 VALIDATION_ERROR
*/
import crypto from 'crypto';
import request from 'supertest';
import express, { Application } from 'express';
import { v4 as uuidv4 } from 'uuid';
// ============================================================================
// Environment setup — must be before any app imports
// ============================================================================
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
process.env['NODE_ENV'] = 'test';
process.env['JWT_PRIVATE_KEY'] = privateKey;
process.env['JWT_PUBLIC_KEY'] = publicKey;
// ============================================================================
// Mock Redis — authMiddleware calls getRedisClient() for revocation check.
// Return a mock client that says no tokens are revoked.
// ============================================================================
jest.mock('../../../src/cache/redis', () => ({
getRedisClient: jest.fn().mockResolvedValue({
get: jest.fn().mockResolvedValue(null), // no tokens revoked
set: jest.fn().mockResolvedValue('OK'),
incr: jest.fn().mockResolvedValue(1),
expire: jest.fn().mockResolvedValue(1),
}),
closeRedisClient: jest.fn().mockResolvedValue(undefined),
}));
// ============================================================================
// Minimal app that wires only compliance routes (avoids full DB dependency)
// ============================================================================
import { createComplianceRouter } from '../../../src/routes/compliance';
import { ComplianceController } from '../../../src/controllers/ComplianceController';
import { AuditVerificationService } from '../../../src/services/AuditVerificationService';
import { Pool } from 'pg';
import { errorHandler } from '../../../src/middleware/errorHandler';
import { signToken } from '../../../src/utils/jwt';
import { _resetAuditVerificationServiceSingleton } from '../../../src/services/AuditVerificationService';
// ============================================================================
// Helpers
// ============================================================================
/** Creates a JWT token with the given scope. */
function makeToken(scope: string = 'audit:read'): string {
const agentId = uuidv4();
return signToken({ sub: agentId, client_id: agentId, scope, jti: uuidv4() }, privateKey);
}
/** Creates a minimal Express app with compliance routes only. */
function createMinimalApp(mockPool: Pool): Application {
const app = express();
app.use(express.json());
const auditVerificationService = new AuditVerificationService(mockPool);
const complianceController = new ComplianceController(auditVerificationService);
app.use('/api/v1', createComplianceRouter(complianceController));
app.use(errorHandler);
return app;
}
/** Creates a mock Pool that returns empty rows for any query. */
function makeEmptyPool(): Pool {
return {
query: jest.fn().mockResolvedValue({ rows: [] }),
} as unknown as Pool;
}
// ============================================================================
// Tests
// ============================================================================
describe('Compliance Endpoints Integration Tests', () => {
let app: Application;
let mockPool: Pool;
beforeEach(() => {
_resetAuditVerificationServiceSingleton();
mockPool = makeEmptyPool();
app = createMinimalApp(mockPool);
});
afterEach(() => {
_resetAuditVerificationServiceSingleton();
});
// ── GET /compliance/controls ──────────────────────────────────────────────
describe('GET /api/v1/compliance/controls', () => {
it('should return 200 with exactly 5 controls', async () => {
const res = await request(app).get('/api/v1/compliance/controls');
expect(res.status).toBe(200);
expect(res.body).toHaveProperty('controls');
expect(Array.isArray(res.body.controls)).toBe(true);
expect(res.body.controls).toHaveLength(5);
});
it('should include all required control IDs', async () => {
const res = await request(app).get('/api/v1/compliance/controls');
expect(res.status).toBe(200);
const ids = (res.body.controls as Array<{ id: string }>).map((c) => c.id);
expect(ids).toContain('CC6.1');
expect(ids).toContain('CC6.7');
expect(ids).toContain('CC7.2');
expect(ids).toContain('CC9.2');
expect(ids).toContain('CC7.1');
});
it('should include required fields on each control', async () => {
const res = await request(app).get('/api/v1/compliance/controls');
expect(res.status).toBe(200);
for (const control of res.body.controls as Array<Record<string, unknown>>) {
expect(control).toHaveProperty('id');
expect(control).toHaveProperty('name');
expect(control).toHaveProperty('status');
expect(control).toHaveProperty('lastChecked');
expect(['passing', 'failing', 'unknown']).toContain(control['status']);
}
});
it('should set Cache-Control header', async () => {
const res = await request(app).get('/api/v1/compliance/controls');
expect(res.status).toBe(200);
expect(res.headers['cache-control']).toBe('public, max-age=60');
});
it('should not require authentication', async () => {
// No Authorization header
const res = await request(app).get('/api/v1/compliance/controls');
expect(res.status).toBe(200);
});
});
// ── GET /audit/verify ─────────────────────────────────────────────────────
describe('GET /api/v1/audit/verify', () => {
it('should return 200 with verification result when authenticated with audit:read scope', async () => {
const token = makeToken('audit:read');
const res = await request(app)
.get('/api/v1/audit/verify')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
expect(res.body).toHaveProperty('verified');
expect(res.body).toHaveProperty('checkedCount');
expect(res.body).toHaveProperty('brokenAtEventId');
expect(typeof res.body.verified).toBe('boolean');
expect(typeof res.body.checkedCount).toBe('number');
});
it('should return 401 when no token is provided', async () => {
const res = await request(app)
.get('/api/v1/audit/verify');
expect(res.status).toBe(401);
});
it('should return 403 when token lacks audit:read scope', async () => {
const token = makeToken('agents:read');
const res = await request(app)
.get('/api/v1/audit/verify')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(403);
expect(res.body.code).toBe('INSUFFICIENT_SCOPE');
});
it('should return 400 VALIDATION_ERROR when fromDate is not a valid ISO 8601 date', async () => {
const token = makeToken('audit:read');
const res = await request(app)
.get('/api/v1/audit/verify?fromDate=not-a-date')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(400);
expect(res.body.code).toBe('VALIDATION_ERROR');
expect(res.body.details).toHaveProperty('field', 'fromDate');
});
it('should return 400 VALIDATION_ERROR when toDate is not a valid ISO 8601 date', async () => {
const token = makeToken('audit:read');
const res = await request(app)
.get('/api/v1/audit/verify?toDate=2026-13-99')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(400);
expect(res.body.code).toBe('VALIDATION_ERROR');
expect(res.body.details).toHaveProperty('field', 'toDate');
});
it('should return 400 VALIDATION_ERROR when fromDate is after toDate', async () => {
const token = makeToken('audit:read');
const res = await request(app)
.get('/api/v1/audit/verify?fromDate=2026-03-31T00:00:00.000Z&toDate=2026-03-01T00:00:00.000Z')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(400);
expect(res.body.code).toBe('VALIDATION_ERROR');
});
it('should accept valid date range params and return 200', async () => {
const token = makeToken('audit:read');
const res = await request(app)
.get('/api/v1/audit/verify?fromDate=2026-03-01T00:00:00.000Z&toDate=2026-03-31T23:59:59.999Z')
.set('Authorization', `Bearer ${token}`);
expect(res.status).toBe(200);
expect(res.body.verified).toBe(true);
expect(res.body.fromDate).toBe('2026-03-01T00:00:00.000Z');
expect(res.body.toDate).toBe('2026-03-31T23:59:59.999Z');
});
});
});
Reference in New Issue View Git Blame Copy Permalink