Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 core-devops
|
5427fa39e2 | ||
 fullstack-engineer
|
9cc00245a2 |
@@ -1287,3 +1287,84 @@ func TestExecuteDelegation_CleanProxyResponse_Unchanged(t *testing.T) {
|
||||
t.Errorf("unmet sqlmock expectations: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// ---------- extractResponseText ----------
|
||||
|
||||
func TestExtractResponseText_NonJSON(t *testing.T) {
|
||||
got := extractResponseText([]byte("not json at all"))
|
||||
if got != "not json at all" {
|
||||
t.Errorf("non-JSON: got %q, want %q", got, "not json at all")
|
||||
}
|
||||
}
|
||||
|
||||
func TestExtractResponseText_ValidJSONNoResult(t *testing.T) {
|
||||
got := extractResponseText([]byte(`{"id":"1","error":{"code":-32601,"message":"method not found"}}`))
|
||||
if got != `{"id":"1","error":{"code":-32601,"message":"method not found"}}` {
|
||||
t.Errorf("no result key: got %q, want raw body", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestExtractResponseText_ResultNotMap(t *testing.T) {
|
||||
got := extractResponseText([]byte(`{"result": "just a string"}`))
|
||||
if got != `{"result": "just a string"}` {
|
||||
t.Errorf("result is string: got %q, want raw body", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestExtractResponseText_PartsTextKind(t *testing.T) {
|
||||
body := []byte(`{"result":{"parts":[{"kind":"text","text":"Hello from agent"}]}}`)
|
||||
got := extractResponseText(body)
|
||||
if got != "Hello from agent" {
|
||||
t.Errorf("parts text: got %q, want %q", got, "Hello from agent")
|
||||
}
|
||||
}
|
||||
|
||||
func TestExtractResponseText_PartsNonTextKind(t *testing.T) {
|
||||
// kind="image" is skipped; falls through to raw body since no artifacts
|
||||
body := []byte(`{"result":{"parts":[{"kind":"image","text":"should not return"}]}}`)
|
||||
got := extractResponseText(body)
|
||||
if got != string(body) {
|
||||
t.Errorf("parts non-text: got %q, want raw body", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestExtractResponseText_PartsMultipleWithTextFirst(t *testing.T) {
|
||||
body := []byte(`{"result":{"parts":[{"kind":"text","text":"first"},{"kind":"text","text":"second"}]}}`)
|
||||
got := extractResponseText(body)
|
||||
// Returns first text part found
|
||||
if got != "first" {
|
||||
t.Errorf("parts first match: got %q, want %q", got, "first")
|
||||
}
|
||||
}
|
||||
|
||||
func TestExtractResponseText_ArtifactsTextKind(t *testing.T) {
|
||||
body := []byte(`{"result":{"artifacts":[{"parts":[{"kind":"text","text":"artifact text here"}]}]}}`)
|
||||
got := extractResponseText(body)
|
||||
if got != "artifact text here" {
|
||||
t.Errorf("artifacts text: got %q, want %q", got, "artifact text here")
|
||||
}
|
||||
}
|
||||
|
||||
func TestExtractResponseText_ArtifactsNonTextKind(t *testing.T) {
|
||||
body := []byte(`{"result":{"artifacts":[{"parts":[{"kind":"image","text":"hidden"}]}]}}`)
|
||||
got := extractResponseText(body)
|
||||
if got != string(body) {
|
||||
t.Errorf("artifacts non-text: got %q, want raw body", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestExtractResponseText_EmptyPartsAndArtifacts(t *testing.T) {
|
||||
body := []byte(`{"result":{"parts":[],"artifacts":[]}}`)
|
||||
got := extractResponseText(body)
|
||||
if got != string(body) {
|
||||
t.Errorf("empty parts/artifacts: got %q, want raw body", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestExtractResponseText_EmptyText(t *testing.T) {
|
||||
body := []byte(`{"result":{"parts":[{"kind":"text","text":""}]}}`)
|
||||
got := extractResponseText(body)
|
||||
if got != "" {
|
||||
t.Errorf("empty text: got %q, want %q", got, "")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,195 +0,0 @@
|
||||
package handlers
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/DATA-DOG/go-sqlmock"
|
||||
"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
|
||||
"github.com/Molecule-AI/molecule-monorepo/platform/internal/ws"
|
||||
"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
|
||||
"github.com/alicebob/miniredis/v2"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/redis/go-redis/v9"
|
||||
)
|
||||
|
||||
// ─── Setup helpers ─────────────────────────────────────────────────────────────
|
||||
|
||||
func init() {
|
||||
gin.SetMode(gin.TestMode)
|
||||
}
|
||||
|
||||
// socketTestDB wraps sqlmock setup with the redis setup needed for wsauth.
|
||||
func socketTestDB(t *testing.T) (sqlmock.Sqlmock, func()) {
|
||||
t.Helper()
|
||||
mockDB, mock, err := sqlmock.New()
|
||||
if err != nil {
|
||||
t.Fatalf("failed to create sqlmock: %v", err)
|
||||
}
|
||||
|
||||
// Start a miniredis for the wsauth token subsystem.
|
||||
mr, err := miniredis.Run()
|
||||
if err != nil {
|
||||
mockDB.Close()
|
||||
t.Fatalf("failed to start miniredis: %v", err)
|
||||
}
|
||||
db.DB = mockDB
|
||||
db.RDB = redis.NewClient(&redis.Options{Addr: mr.Addr()})
|
||||
|
||||
wsauth.ResetInboundSecretCacheForTesting()
|
||||
|
||||
cleanup := func() {
|
||||
mockDB.Close()
|
||||
mr.Close()
|
||||
wsauth.ResetInboundSecretCacheForTesting()
|
||||
}
|
||||
return mock, cleanup
|
||||
}
|
||||
|
||||
// ─── Test cases ────────────────────────────────────────────────────────────────
|
||||
// Phase 30.1/30.2 bearer-token auth gate on WebSocket upgrade.
|
||||
// SocketHandler.HandleConnect enforces:
|
||||
// - Canvas clients (no X-Workspace-ID header) → bypass auth, upgrade proceeds
|
||||
// - Workspace agents (X-Workspace-ID present) → HasAnyLiveToken probe → bearer validation
|
||||
|
||||
func TestSocketHandler_HandleConnect_CanvasClient_NoAuthRequired(t *testing.T) {
|
||||
mock, cleanup := socketTestDB(t)
|
||||
defer cleanup()
|
||||
|
||||
// Create hub and drain the Register channel via Run.
|
||||
hub := ws.NewHub(func(_, _ string) bool { return true })
|
||||
go hub.Run()
|
||||
|
||||
h := NewSocketHandler(hub)
|
||||
c, w := gin.CreateTestContext(httptest.NewRecorder())
|
||||
c.Request = httptest.NewRequest("GET", "/ws", nil)
|
||||
// No X-Workspace-ID → canvas client path.
|
||||
|
||||
h.HandleConnect(c)
|
||||
|
||||
// Canvas path has no DB expectations — HasAnyLiveToken not called.
|
||||
if err := mock.ExpectationsWereMet(); err != nil {
|
||||
t.Errorf("unmet sqlmock expectations: %v", err)
|
||||
}
|
||||
_ = w.Code // upgrade fails in test env (httptest doesn't do WS) — handler returns.
|
||||
}
|
||||
|
||||
// TestSocketHandler_HandleConnect_AgentNoLiveToken_BypassesBearerCheck verifies
|
||||
// that agents with no live tokens (legacy pre-token workspaces) are grandfathered
|
||||
// through without being asked for a bearer token.
|
||||
func TestSocketHandler_HandleConnect_AgentNoLiveToken_BypassesBearerCheck(t *testing.T) {
|
||||
mock, cleanup := socketTestDB(t)
|
||||
defer cleanup()
|
||||
|
||||
// HasAnyLiveToken → no rows (no live tokens → n=0).
|
||||
mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`).
|
||||
WithArgs("ws-agent").
|
||||
WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))
|
||||
|
||||
hub := ws.NewHub(func(_, _ string) bool { return true })
|
||||
go hub.Run()
|
||||
|
||||
h := NewSocketHandler(hub)
|
||||
c, _ := gin.CreateTestContext(httptest.NewRecorder())
|
||||
c.Request = httptest.NewRequest("GET", "/ws", nil)
|
||||
c.Request.Header.Set("X-Workspace-ID", "ws-agent")
|
||||
|
||||
h.HandleConnect(c)
|
||||
|
||||
if err := mock.ExpectationsWereMet(); err != nil {
|
||||
t.Errorf("unmet sqlmock expectations: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestSocketHandler_HandleConnect_DBErrorOnHasAnyLiveToken returns 500.
|
||||
func TestSocketHandler_HandleConnect_DBErrorOnHasAnyLiveToken(t *testing.T) {
|
||||
mock, cleanup := socketTestDB(t)
|
||||
defer cleanup()
|
||||
|
||||
mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`).
|
||||
WithArgs("ws-agent").
|
||||
WillReturnError(sql.ErrConnDone)
|
||||
|
||||
hub := ws.NewHub(func(_, _ string) bool { return true })
|
||||
go hub.Run()
|
||||
|
||||
h := NewSocketHandler(hub)
|
||||
c, w := gin.CreateTestContext(httptest.NewRecorder())
|
||||
c.Request = httptest.NewRequest("GET", "/ws", nil)
|
||||
c.Request.Header.Set("X-Workspace-ID", "ws-agent")
|
||||
|
||||
h.HandleConnect(c)
|
||||
|
||||
if w.Code != http.StatusInternalServerError {
|
||||
t.Errorf("expected 500 on DB error, got %d", w.Code)
|
||||
}
|
||||
if err := mock.ExpectationsWereMet(); err != nil {
|
||||
t.Errorf("unmet sqlmock expectations: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestSocketHandler_HandleConnect_MissingBearerToken returns 401.
|
||||
func TestSocketHandler_HandleConnect_MissingBearerToken(t *testing.T) {
|
||||
mock, cleanup := socketTestDB(t)
|
||||
defer cleanup()
|
||||
|
||||
// hasLive=true but no Authorization header.
|
||||
mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`).
|
||||
WithArgs("ws-agent").
|
||||
WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
|
||||
|
||||
hub := ws.NewHub(func(_, _ string) bool { return true })
|
||||
go hub.Run()
|
||||
|
||||
h := NewSocketHandler(hub)
|
||||
c, w := gin.CreateTestContext(httptest.NewRecorder())
|
||||
c.Request = httptest.NewRequest("GET", "/ws", nil)
|
||||
c.Request.Header.Set("X-Workspace-ID", "ws-agent")
|
||||
// No Authorization header.
|
||||
|
||||
h.HandleConnect(c)
|
||||
|
||||
if w.Code != http.StatusUnauthorized {
|
||||
t.Errorf("expected 401 on missing bearer token, got %d", w.Code)
|
||||
}
|
||||
if err := mock.ExpectationsWereMet(); err != nil {
|
||||
t.Errorf("unmet sqlmock expectations: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestSocketHandler_HandleConnect_InvalidBearerToken returns 401.
|
||||
func TestSocketHandler_HandleConnect_InvalidBearerToken(t *testing.T) {
|
||||
mock, cleanup := socketTestDB(t)
|
||||
defer cleanup()
|
||||
|
||||
// hasLive=true.
|
||||
mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`).
|
||||
WithArgs("ws-agent").
|
||||
WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
|
||||
|
||||
// ValidateToken → lookupTokenByHash: no matching hash.
|
||||
mock.ExpectQuery(`SELECT t\.id, t\.workspace_id FROM workspace_auth_tokens t JOIN workspaces w`).
|
||||
WithArgs(sqlmock.AnyArg()).
|
||||
WillReturnError(context.DeadlineExceeded)
|
||||
|
||||
hub := ws.NewHub(func(_, _ string) bool { return true })
|
||||
go hub.Run()
|
||||
|
||||
h := NewSocketHandler(hub)
|
||||
c, w := gin.CreateTestContext(httptest.NewRecorder())
|
||||
c.Request = httptest.NewRequest("GET", "/ws", nil)
|
||||
c.Request.Header.Set("X-Workspace-ID", "ws-agent")
|
||||
c.Request.Header.Set("Authorization", "Bearer invalid-token-xyz")
|
||||
|
||||
h.HandleConnect(c)
|
||||
|
||||
if w.Code != http.StatusUnauthorized {
|
||||
t.Errorf("expected 401 on invalid bearer token, got %d", w.Code)
|
||||
}
|
||||
if err := mock.ExpectationsWereMet(); err != nil {
|
||||
t.Errorf("unmet sqlmock expectations: %v", err)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user