Files
2026-07-13 13:39:12 +08:00

203 lines
7.3 KiB
TypeScript

import test from "node:test";
import assert from "node:assert/strict";
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
import { makeManagementSessionRequest } from "../helpers/managementSession.ts";
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-admin-audit-"));
process.env.DATA_DIR = TEST_DATA_DIR;
process.env.APP_LOG_TO_FILE = "false";
process.env.JWT_SECRET = "test-jwt-secret-for-audit-events";
process.env.INITIAL_PASSWORD = "admin-secret";
const core = await import("../../src/lib/db/core.ts");
const compliance = await import("../../src/lib/compliance/index.ts");
const loginRoute = await import("../../src/app/api/auth/login/route.ts");
const logoutRoute = await import("../../src/app/api/auth/logout/route.ts");
const providersRoute = await import("../../src/app/api/providers/route.ts");
const providerByIdRoute = await import("../../src/app/api/providers/[id]/route.ts");
const originalGetLoginCookieStore = loginRoute.authRouteInternals.getCookieStore;
const originalGetLogoutCookieStore = logoutRoute.logoutRouteInternals.getCookieStore;
function resetDb() {
core.resetDbInstance();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
}
test.beforeEach(() => {
resetDb();
});
test.afterEach(() => {
loginRoute.authRouteInternals.getCookieStore = originalGetLoginCookieStore;
logoutRoute.logoutRouteInternals.getCookieStore = originalGetLogoutCookieStore;
});
test.after(() => {
core.resetDbInstance();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
});
test("auth login/logout routes emit structured audit events with ip and request id", async () => {
const setCalls = [];
const deleteCalls = [];
loginRoute.authRouteInternals.getCookieStore = async () => ({
set: (...args) => setCalls.push(args),
});
logoutRoute.logoutRouteInternals.getCookieStore = async () => ({
delete: (...args) => deleteCalls.push(args),
});
const loginResponse = await loginRoute.POST(
new Request("http://localhost/api/auth/login", {
method: "POST",
headers: {
"content-type": "application/json",
"x-forwarded-for": "198.51.100.10",
"x-request-id": "req-auth-login",
},
body: JSON.stringify({ password: "admin-secret" }),
})
);
assert.equal(loginResponse.status, 200);
assert.deepEqual(await loginResponse.json(), { success: true });
assert.equal(setCalls.length, 1);
const logoutResponse = await logoutRoute.POST(
new Request("http://localhost/api/auth/logout", {
method: "POST",
headers: {
"x-forwarded-for": "198.51.100.10",
"x-request-id": "req-auth-logout",
},
})
);
assert.equal(logoutResponse.status, 200);
assert.deepEqual(await logoutResponse.json(), { success: true });
assert.deepEqual(deleteCalls, [["auth_token"]]);
const loginEvent = compliance.getAuditLog({ action: "auth.login.success" })[0];
assert.equal(loginEvent.actor, "admin");
assert.equal(loginEvent.resourceType, "auth_session");
assert.equal(loginEvent.status, "success");
assert.equal(loginEvent.ip, "198.51.100.10");
assert.equal(loginEvent.requestId, "req-auth-login");
const logoutEvent = compliance.getAuditLog({ action: "auth.logout.success" })[0];
assert.equal(logoutEvent.actor, "admin");
assert.equal(logoutEvent.resourceType, "auth_session");
assert.equal(logoutEvent.status, "success");
assert.equal(logoutEvent.requestId, "req-auth-logout");
});
test("auth login route records failed password attempts", async () => {
loginRoute.authRouteInternals.getCookieStore = async () => ({
set() {},
});
const response = await loginRoute.POST(
new Request("http://localhost/api/auth/login", {
method: "POST",
headers: {
"content-type": "application/json",
"x-forwarded-for": "198.51.100.22",
"x-request-id": "req-auth-failed",
},
body: JSON.stringify({ password: "wrong-password" }),
})
);
assert.equal(response.status, 401);
assert.deepEqual(await response.json(), { error: "Invalid password" });
const event = compliance.getAuditLog({ action: "auth.login.failed" })[0];
assert.equal(event.actor, "anonymous");
assert.equal(event.status, "failed");
assert.equal(event.requestId, "req-auth-failed");
assert.deepEqual(event.metadata, { reason: "invalid_password", lockedOut: false });
});
test("provider create/update/delete routes emit sanitized credential audit events", async () => {
const createResponse = await providersRoute.POST(
await makeManagementSessionRequest("http://localhost/api/providers", {
method: "POST",
headers: {
"x-forwarded-for": "203.0.113.10",
"x-request-id": "req-provider-create",
},
body: {
provider: "openai",
apiKey: "sk-secret-provider-key",
name: "Primary OpenAI",
defaultModel: "gpt-4o-mini",
},
})
);
assert.equal(createResponse.status, 201);
const createBody = (await createResponse.json()) as any;
const connectionId = createBody.connection.id;
assert.equal(typeof connectionId, "string");
const updateResponse = await providerByIdRoute.PUT(
await makeManagementSessionRequest(`http://localhost/api/providers/${connectionId}`, {
method: "PUT",
headers: {
"x-forwarded-for": "203.0.113.10",
"x-request-id": "req-provider-update",
},
body: {
name: "Primary OpenAI Updated",
defaultModel: "gpt-4.1-mini",
isActive: false,
},
}),
{ params: Promise.resolve({ id: connectionId }) }
);
assert.equal(updateResponse.status, 200);
const deleteResponse = await providerByIdRoute.DELETE(
await makeManagementSessionRequest(`http://localhost/api/providers/${connectionId}`, {
method: "DELETE",
headers: {
"x-forwarded-for": "203.0.113.10",
"x-request-id": "req-provider-delete",
},
}),
{ params: Promise.resolve({ id: connectionId }) }
);
assert.equal(deleteResponse.status, 200);
const createdEvent = compliance.getAuditLog({ action: "provider.credentials.created" })[0];
assert.equal(createdEvent.status, "success");
assert.equal(createdEvent.resourceType, "provider_credentials");
assert.equal(createdEvent.requestId, "req-provider-create");
assert.equal(createdEvent.target, "openai:Primary OpenAI");
assert.equal("apiKey" in (createdEvent.metadata as any).connection, false);
const updatedEvent = compliance.getAuditLog({ action: "provider.credentials.updated" })[0];
assert.equal(updatedEvent.requestId, "req-provider-update");
assert.deepEqual((updatedEvent as any).metadata.changedFields.sort(), [
"defaultModel",
"isActive",
"name",
]);
assert.equal((updatedEvent as any).metadata.before.name, "Primary OpenAI");
(assert as any).equal((updatedEvent.metadata as any).after.name, "Primary OpenAI Updated");
(assert as any).equal("apiKey" in (updatedEvent.metadata as any).before, false);
(assert as any).equal("apiKey" in (updatedEvent.metadata as any).after, false);
const revokedEvent = compliance.getAuditLog({ action: "provider.credentials.revoked" })[0];
assert.equal(revokedEvent.requestId, "req-provider-delete");
assert.equal(revokedEvent.target, "openai:Primary OpenAI Updated");
assert.equal(revokedEvent.status, "success");
assert.equal("apiKey" in (revokedEvent.metadata as any).connection, false);
});