203 lines
7.3 KiB
TypeScript
203 lines
7.3 KiB
TypeScript
import test from "node:test";
|
|
import assert from "node:assert/strict";
|
|
import fs from "node:fs";
|
|
import os from "node:os";
|
|
import path from "node:path";
|
|
import { makeManagementSessionRequest } from "../helpers/managementSession.ts";
|
|
|
|
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-admin-audit-"));
|
|
process.env.DATA_DIR = TEST_DATA_DIR;
|
|
process.env.APP_LOG_TO_FILE = "false";
|
|
process.env.JWT_SECRET = "test-jwt-secret-for-audit-events";
|
|
process.env.INITIAL_PASSWORD = "admin-secret";
|
|
|
|
const core = await import("../../src/lib/db/core.ts");
|
|
const compliance = await import("../../src/lib/compliance/index.ts");
|
|
const loginRoute = await import("../../src/app/api/auth/login/route.ts");
|
|
const logoutRoute = await import("../../src/app/api/auth/logout/route.ts");
|
|
const providersRoute = await import("../../src/app/api/providers/route.ts");
|
|
const providerByIdRoute = await import("../../src/app/api/providers/[id]/route.ts");
|
|
const originalGetLoginCookieStore = loginRoute.authRouteInternals.getCookieStore;
|
|
const originalGetLogoutCookieStore = logoutRoute.logoutRouteInternals.getCookieStore;
|
|
|
|
function resetDb() {
|
|
core.resetDbInstance();
|
|
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
|
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
|
|
}
|
|
|
|
test.beforeEach(() => {
|
|
resetDb();
|
|
});
|
|
|
|
test.afterEach(() => {
|
|
loginRoute.authRouteInternals.getCookieStore = originalGetLoginCookieStore;
|
|
logoutRoute.logoutRouteInternals.getCookieStore = originalGetLogoutCookieStore;
|
|
});
|
|
|
|
test.after(() => {
|
|
core.resetDbInstance();
|
|
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
|
|
});
|
|
|
|
test("auth login/logout routes emit structured audit events with ip and request id", async () => {
|
|
const setCalls = [];
|
|
const deleteCalls = [];
|
|
|
|
loginRoute.authRouteInternals.getCookieStore = async () => ({
|
|
set: (...args) => setCalls.push(args),
|
|
});
|
|
logoutRoute.logoutRouteInternals.getCookieStore = async () => ({
|
|
delete: (...args) => deleteCalls.push(args),
|
|
});
|
|
|
|
const loginResponse = await loginRoute.POST(
|
|
new Request("http://localhost/api/auth/login", {
|
|
method: "POST",
|
|
headers: {
|
|
"content-type": "application/json",
|
|
"x-forwarded-for": "198.51.100.10",
|
|
"x-request-id": "req-auth-login",
|
|
},
|
|
body: JSON.stringify({ password: "admin-secret" }),
|
|
})
|
|
);
|
|
|
|
assert.equal(loginResponse.status, 200);
|
|
assert.deepEqual(await loginResponse.json(), { success: true });
|
|
assert.equal(setCalls.length, 1);
|
|
|
|
const logoutResponse = await logoutRoute.POST(
|
|
new Request("http://localhost/api/auth/logout", {
|
|
method: "POST",
|
|
headers: {
|
|
"x-forwarded-for": "198.51.100.10",
|
|
"x-request-id": "req-auth-logout",
|
|
},
|
|
})
|
|
);
|
|
|
|
assert.equal(logoutResponse.status, 200);
|
|
assert.deepEqual(await logoutResponse.json(), { success: true });
|
|
assert.deepEqual(deleteCalls, [["auth_token"]]);
|
|
|
|
const loginEvent = compliance.getAuditLog({ action: "auth.login.success" })[0];
|
|
assert.equal(loginEvent.actor, "admin");
|
|
assert.equal(loginEvent.resourceType, "auth_session");
|
|
assert.equal(loginEvent.status, "success");
|
|
assert.equal(loginEvent.ip, "198.51.100.10");
|
|
assert.equal(loginEvent.requestId, "req-auth-login");
|
|
|
|
const logoutEvent = compliance.getAuditLog({ action: "auth.logout.success" })[0];
|
|
assert.equal(logoutEvent.actor, "admin");
|
|
assert.equal(logoutEvent.resourceType, "auth_session");
|
|
assert.equal(logoutEvent.status, "success");
|
|
assert.equal(logoutEvent.requestId, "req-auth-logout");
|
|
});
|
|
|
|
test("auth login route records failed password attempts", async () => {
|
|
loginRoute.authRouteInternals.getCookieStore = async () => ({
|
|
set() {},
|
|
});
|
|
|
|
const response = await loginRoute.POST(
|
|
new Request("http://localhost/api/auth/login", {
|
|
method: "POST",
|
|
headers: {
|
|
"content-type": "application/json",
|
|
"x-forwarded-for": "198.51.100.22",
|
|
"x-request-id": "req-auth-failed",
|
|
},
|
|
body: JSON.stringify({ password: "wrong-password" }),
|
|
})
|
|
);
|
|
|
|
assert.equal(response.status, 401);
|
|
assert.deepEqual(await response.json(), { error: "Invalid password" });
|
|
|
|
const event = compliance.getAuditLog({ action: "auth.login.failed" })[0];
|
|
assert.equal(event.actor, "anonymous");
|
|
assert.equal(event.status, "failed");
|
|
assert.equal(event.requestId, "req-auth-failed");
|
|
assert.deepEqual(event.metadata, { reason: "invalid_password", lockedOut: false });
|
|
});
|
|
|
|
test("provider create/update/delete routes emit sanitized credential audit events", async () => {
|
|
const createResponse = await providersRoute.POST(
|
|
await makeManagementSessionRequest("http://localhost/api/providers", {
|
|
method: "POST",
|
|
headers: {
|
|
"x-forwarded-for": "203.0.113.10",
|
|
"x-request-id": "req-provider-create",
|
|
},
|
|
body: {
|
|
provider: "openai",
|
|
apiKey: "sk-secret-provider-key",
|
|
name: "Primary OpenAI",
|
|
defaultModel: "gpt-4o-mini",
|
|
},
|
|
})
|
|
);
|
|
|
|
assert.equal(createResponse.status, 201);
|
|
const createBody = (await createResponse.json()) as any;
|
|
const connectionId = createBody.connection.id;
|
|
assert.equal(typeof connectionId, "string");
|
|
|
|
const updateResponse = await providerByIdRoute.PUT(
|
|
await makeManagementSessionRequest(`http://localhost/api/providers/${connectionId}`, {
|
|
method: "PUT",
|
|
headers: {
|
|
"x-forwarded-for": "203.0.113.10",
|
|
"x-request-id": "req-provider-update",
|
|
},
|
|
body: {
|
|
name: "Primary OpenAI Updated",
|
|
defaultModel: "gpt-4.1-mini",
|
|
isActive: false,
|
|
},
|
|
}),
|
|
{ params: Promise.resolve({ id: connectionId }) }
|
|
);
|
|
|
|
assert.equal(updateResponse.status, 200);
|
|
|
|
const deleteResponse = await providerByIdRoute.DELETE(
|
|
await makeManagementSessionRequest(`http://localhost/api/providers/${connectionId}`, {
|
|
method: "DELETE",
|
|
headers: {
|
|
"x-forwarded-for": "203.0.113.10",
|
|
"x-request-id": "req-provider-delete",
|
|
},
|
|
}),
|
|
{ params: Promise.resolve({ id: connectionId }) }
|
|
);
|
|
|
|
assert.equal(deleteResponse.status, 200);
|
|
|
|
const createdEvent = compliance.getAuditLog({ action: "provider.credentials.created" })[0];
|
|
assert.equal(createdEvent.status, "success");
|
|
assert.equal(createdEvent.resourceType, "provider_credentials");
|
|
assert.equal(createdEvent.requestId, "req-provider-create");
|
|
assert.equal(createdEvent.target, "openai:Primary OpenAI");
|
|
assert.equal("apiKey" in (createdEvent.metadata as any).connection, false);
|
|
|
|
const updatedEvent = compliance.getAuditLog({ action: "provider.credentials.updated" })[0];
|
|
assert.equal(updatedEvent.requestId, "req-provider-update");
|
|
assert.deepEqual((updatedEvent as any).metadata.changedFields.sort(), [
|
|
"defaultModel",
|
|
"isActive",
|
|
"name",
|
|
]);
|
|
assert.equal((updatedEvent as any).metadata.before.name, "Primary OpenAI");
|
|
(assert as any).equal((updatedEvent.metadata as any).after.name, "Primary OpenAI Updated");
|
|
(assert as any).equal("apiKey" in (updatedEvent.metadata as any).before, false);
|
|
(assert as any).equal("apiKey" in (updatedEvent.metadata as any).after, false);
|
|
|
|
const revokedEvent = compliance.getAuditLog({ action: "provider.credentials.revoked" })[0];
|
|
assert.equal(revokedEvent.requestId, "req-provider-delete");
|
|
assert.equal(revokedEvent.target, "openai:Primary OpenAI Updated");
|
|
assert.equal(revokedEvent.status, "success");
|
|
assert.equal("apiKey" in (revokedEvent.metadata as any).connection, false);
|
|
});
|