Files
2026-07-13 13:39:12 +08:00

106 lines
3.4 KiB
TypeScript

import { test, mock } from "node:test";
import assert from "node:assert/strict";
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
// Hermetic auth context (6A re-wire fix): the "rejects ..." assertions assume
// login protection is ON — on a fresh DB (CI) isAuthRequired() is false and the
// policy anonymous-allows before any token check. Locally this only passed
// because the dev DATA_DIR had a real password. Isolate + enable protection.
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-mgmt-cli-token-"));
const originalDataDir = process.env.DATA_DIR;
process.env.DATA_DIR = TEST_DATA_DIR;
const core = await import("../../../src/lib/db/core.ts");
const settingsDb = await import("../../../src/lib/db/settings.ts");
await settingsDb.updateSettings({
requireLogin: true,
setupComplete: true,
password: "test-password-hash",
});
const { getLegacyCliTokenSync, getMachineTokenSync } = await import(
"../../../src/lib/machineToken.ts"
);
const { managementPolicy } = await import("../../../src/server/authz/policies/management.ts");
const { CLI_TOKEN_HEADER } = await import("../../../src/server/authz/headers.ts");
test.after(() => {
core.resetDbInstance();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
if (originalDataDir === undefined) delete process.env.DATA_DIR;
else process.env.DATA_DIR = originalDataDir;
});
function makeCtx(headers: Record<string, string>, requestExtras: Record<string, unknown> = {}) {
return {
request: {
method: "GET",
headers: new Headers(headers),
cookies: { get: () => undefined },
nextUrl: { pathname: "/api/settings" },
url: "http://localhost:20128/api/settings",
...requestExtras,
},
classification: {
routeClass: "MANAGEMENT" as const,
normalizedPath: "/api/settings",
method: "GET",
},
requestId: "test-req",
};
}
test("management policy allows valid CLI token from localhost", async () => {
const token = getMachineTokenSync();
const ctx = makeCtx(
{ host: "localhost", [CLI_TOKEN_HEADER]: token },
{ socket: { remoteAddress: "127.0.0.1" } }
);
const outcome = await managementPolicy.evaluate(ctx);
assert.equal(outcome.allow, true);
if (outcome.allow) {
assert.equal(outcome.subject.id, "cli");
}
});
test("management policy accepts legacy 32-character CLI token from localhost", async () => {
const token = getLegacyCliTokenSync();
assert.equal(token.length, 32);
const ctx = makeCtx(
{
host: "localhost",
[CLI_TOKEN_HEADER]: token,
},
{ socket: { remoteAddress: "127.0.0.1" } }
);
const outcome = await managementPolicy.evaluate(ctx);
assert.equal(outcome.allow, true);
if (outcome.allow) {
assert.equal(outcome.subject.id, "cli");
}
});
test("management policy rejects valid token from non-localhost", async () => {
const token = getMachineTokenSync();
const ctx = makeCtx(
{ host: "localhost", [CLI_TOKEN_HEADER]: token },
{ socket: { remoteAddress: "192.168.1.100" } }
);
const outcome = await managementPolicy.evaluate(ctx);
assert.equal(outcome.allow, false);
});
test("management policy rejects wrong CLI token from localhost", async () => {
const ctx = makeCtx(
{
host: "localhost",
[CLI_TOKEN_HEADER]: "deadbeefdeadbeefdeadbeefdeadbeef",
},
{ socket: { remoteAddress: "127.0.0.1" } }
);
const outcome = await managementPolicy.evaluate(ctx);
assert.equal(outcome.allow, false);
});