Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates

2026-04-26 04:46:22 +02:00 · 2026-03-23 16:45:40 +10:00 · 2026-03-23 16:45:40 +10:00 · 41cbfd6e0a
commit 41cbfd6e0a
parent 694e32be26
178 changed files with 36008 additions and 399 deletions
--- a/internal/infrastructure/auth/jwt_test.go
+++ b/internal/infrastructure/auth/jwt_test.go
@ -0,0 +1,115 @@
+package auth
+
+import (
+	"testing"
+	"time"
+)
+
+var testSecret = []byte("test-secret-must-be-at-least-32-bytes-long!")
+
+func TestSign_Verify_RoundTrip(t *testing.T) {
+	claims := Claims{
+		Sub:  "admin",
+		Role: "admin",
+		Exp:  time.Now().Add(time.Hour).Unix(),
+	}
+
+	token, err := Sign(claims, testSecret)
+	if err != nil {
+		t.Fatalf("Sign: %v", err)
+	}
+
+	got, err := Verify(token, testSecret)
+	if err != nil {
+		t.Fatalf("Verify: %v", err)
+	}
+
+	if got.Sub != "admin" {
+		t.Errorf("Sub = %q, want admin", got.Sub)
+	}
+	if got.Role != "admin" {
+		t.Errorf("Role = %q, want admin", got.Role)
+	}
+	if got.Iss != "sentinel-soc" {
+		t.Errorf("Iss = %q, want sentinel-soc", got.Iss)
+	}
+}
+
+func TestVerify_ExpiredToken(t *testing.T) {
+	token, _ := Sign(Claims{
+		Sub: "user",
+		Role: "viewer",
+		Exp: time.Now().Add(-time.Hour).Unix(),
+	}, testSecret)
+
+	_, err := Verify(token, testSecret)
+	if err != ErrExpiredToken {
+		t.Errorf("expected ErrExpiredToken, got %v", err)
+	}
+}
+
+func TestVerify_InvalidSignature(t *testing.T) {
+	token, _ := Sign(Claims{
+		Sub: "user",
+		Role: "viewer",
+		Exp: time.Now().Add(time.Hour).Unix(),
+	}, testSecret)
+
+	wrongSecret := []byte("wrong-secret-that-is-also-32-bytes-x")
+	_, err := Verify(token, wrongSecret)
+	if err != ErrInvalidToken {
+		t.Errorf("expected ErrInvalidToken, got %v", err)
+	}
+}
+
+func TestVerify_MalformedToken(t *testing.T) {
+	_, err := Verify("not.a.valid.jwt", testSecret)
+	if err != ErrInvalidToken {
+		t.Errorf("expected ErrInvalidToken, got %v", err)
+	}
+
+	_, err = Verify("", testSecret)
+	if err != ErrInvalidToken {
+		t.Errorf("expected ErrInvalidToken for empty token, got %v", err)
+	}
+}
+
+func TestSign_ShortSecret(t *testing.T) {
+	_, err := Sign(Claims{Sub: "x", Exp: time.Now().Add(time.Hour).Unix()}, []byte("short"))
+	if err != ErrInvalidSecret {
+		t.Errorf("expected ErrInvalidSecret, got %v", err)
+	}
+}
+
+func TestNewAccessToken(t *testing.T) {
+	token, err := NewAccessToken("analyst", "analyst", testSecret, 0)
+	if err != nil {
+		t.Fatalf("NewAccessToken: %v", err)
+	}
+	claims, err := Verify(token, testSecret)
+	if err != nil {
+		t.Fatalf("Verify: %v", err)
+	}
+	if claims.Sub != "analyst" || claims.Role != "analyst" {
+		t.Errorf("unexpected claims: %+v", claims)
+	}
+	// Default TTL = 15 min, check expiry is within 16 min
+	if claims.Exp > time.Now().Add(16*time.Minute).Unix() {
+		t.Error("access token TTL too long")
+	}
+}
+
+func TestNewRefreshToken(t *testing.T) {
+	token, err := NewRefreshToken("admin", "admin", testSecret, 0)
+	if err != nil {
+		t.Fatalf("NewRefreshToken: %v", err)
+	}
+	claims, err := Verify(token, testSecret)
+	if err != nil {
+		t.Fatalf("Verify: %v", err)
+	}
+	// Default TTL = 7 days
+	if claims.Exp < time.Now().Add(6*24*time.Hour).Unix() {
+		t.Error("refresh token TTL too short")
+	}
+}