feat: sync lijiaoqiao implementation and staging validation artifacts

platform-token-runtime/internal/token/lifecycle_executable_test.go

@@ -0,0 +1,332 @@
+package token_test
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"lijiaoqiao/platform-token-runtime/internal/auth/middleware"
+	"lijiaoqiao/platform-token-runtime/internal/auth/model"
+	"lijiaoqiao/platform-token-runtime/internal/auth/service"
+)
+
+func TestTOKLife001IssueSuccess(t *testing.T) {
+	t.Parallel()
+
+	rt := service.NewInMemoryTokenRuntime(nil)
+	ctx := context.Background()
+
+	first, err := rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID: "2001",
+		Role:      model.RoleOwner,
+		Scope:     []string{"supply:*"},
+		TTL:       30 * time.Minute,
+	})
+	if err != nil {
+		t.Fatalf("issue token failed: %v", err)
+	}
+	second, err := rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID: "2001",
+		Role:      model.RoleOwner,
+		Scope:     []string{"supply:*"},
+		TTL:       30 * time.Minute,
+	})
+	if err != nil {
+		t.Fatalf("issue second token failed: %v", err)
+	}
+
+	if first.Status != service.TokenStatusActive {
+		t.Fatalf("unexpected status: got=%s want=%s", first.Status, service.TokenStatusActive)
+	}
+	if !first.ExpiresAt.After(first.IssuedAt) {
+		t.Fatalf("expires_at must be greater than issued_at")
+	}
+	if first.TokenID == second.TokenID {
+		t.Fatalf("token_id should be unique")
+	}
+}
+
+func TestTOKLife002IssueInvalidInput(t *testing.T) {
+	t.Parallel()
+
+	rt := service.NewInMemoryTokenRuntime(nil)
+	ctx := context.Background()
+	_, err := rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID: "2001",
+		Role:      model.RoleOwner,
+		Scope:     []string{"supply:*"},
+		TTL:       0,
+	})
+	if err == nil {
+		t.Fatalf("expected error for invalid ttl_seconds")
+	}
+	if got := rt.TokenCount(); got != 0 {
+		t.Fatalf("unexpected token count after invalid issue: got=%d want=0", got)
+	}
+}
+
+func TestTOKLife003IssueIdempotencyReplay(t *testing.T) {
+	t.Parallel()
+
+	rt := service.NewInMemoryTokenRuntime(nil)
+	ctx := context.Background()
+
+	first, err := rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID:      "2001",
+		Role:           model.RoleOwner,
+		Scope:          []string{"supply:*"},
+		TTL:            30 * time.Minute,
+		IdempotencyKey: "idem-life-003",
+	})
+	if err != nil {
+		t.Fatalf("first issue failed: %v", err)
+	}
+	second, err := rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID:      "2001",
+		Role:           model.RoleOwner,
+		Scope:          []string{"supply:*"},
+		TTL:            30 * time.Minute,
+		IdempotencyKey: "idem-life-003",
+	})
+	if err != nil {
+		t.Fatalf("replay issue failed: %v", err)
+	}
+
+	if first.TokenID != second.TokenID {
+		t.Fatalf("replayed issue must return same token_id: first=%s second=%s", first.TokenID, second.TokenID)
+	}
+	if got := rt.TokenCount(); got != 1 {
+		t.Fatalf("idempotent replay must not create duplicate token: got=%d want=1", got)
+	}
+
+	_, err = rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID:      "2001",
+		Role:           model.RoleOwner,
+		Scope:          []string{"supply:read"},
+		TTL:            30 * time.Minute,
+		IdempotencyKey: "idem-life-003",
+	})
+	if err == nil {
+		t.Fatalf("expected payload mismatch conflict for same idempotency key")
+	}
+}
+
+func TestTOKLife004RefreshSuccess(t *testing.T) {
+	t.Parallel()
+
+	rt := service.NewInMemoryTokenRuntime(nil)
+	ctx := context.Background()
+
+	issued, err := rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID: "2001",
+		Role:      model.RoleOwner,
+		Scope:     []string{"supply:*"},
+		TTL:       1 * time.Minute,
+	})
+	if err != nil {
+		t.Fatalf("issue token failed: %v", err)
+	}
+	previousExpiresAt := issued.ExpiresAt
+
+	refreshed, err := rt.Refresh(ctx, issued.TokenID, 15*time.Minute)
+	if err != nil {
+		t.Fatalf("refresh token failed: %v", err)
+	}
+
+	if refreshed.Status != service.TokenStatusActive {
+		t.Fatalf("unexpected status after refresh: got=%s want=%s", refreshed.Status, service.TokenStatusActive)
+	}
+	if !refreshed.ExpiresAt.After(previousExpiresAt) {
+		t.Fatalf("expires_at should be delayed after refresh")
+	}
+}
+
+func TestTOKLife005RevokeSuccess(t *testing.T) {
+	t.Parallel()
+
+	start := time.Now()
+	rt := service.NewInMemoryTokenRuntime(nil)
+	ctx := context.Background()
+
+	issued, err := rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID: "2001",
+		Role:      model.RoleOwner,
+		Scope:     []string{"supply:*"},
+		TTL:       10 * time.Minute,
+	})
+	if err != nil {
+		t.Fatalf("issue token failed: %v", err)
+	}
+	if _, err := rt.Revoke(ctx, issued.TokenID, "security_event"); err != nil {
+		t.Fatalf("revoke token failed: %v", err)
+	}
+
+	introspected, err := rt.Introspect(ctx, issued.AccessToken)
+	if err != nil {
+		t.Fatalf("introspect failed: %v", err)
+	}
+	if introspected.Status != service.TokenStatusRevoked {
+		t.Fatalf("unexpected status after revoke: got=%s want=%s", introspected.Status, service.TokenStatusRevoked)
+	}
+	if time.Since(start) > 5*time.Second {
+		t.Fatalf("revoke propagation exceeded 5 seconds in in-memory runtime")
+	}
+}
+
+func TestTOKLife006RevokedTokenAccessDenied(t *testing.T) {
+	t.Parallel()
+
+	auditor := service.NewMemoryAuditEmitter()
+	rt := service.NewInMemoryTokenRuntime(nil)
+	authorizer := service.NewScopeRoleAuthorizer()
+	ctx := context.Background()
+
+	issued, err := rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID: "2001",
+		Role:      model.RoleOwner,
+		Scope:     []string{"supply:*"},
+		TTL:       5 * time.Minute,
+	})
+	if err != nil {
+		t.Fatalf("issue token failed: %v", err)
+	}
+	if _, err := rt.Revoke(ctx, issued.TokenID, "test_revoke"); err != nil {
+		t.Fatalf("revoke failed: %v", err)
+	}
+
+	handler := middleware.BuildTokenAuthChain(middleware.AuthMiddlewareConfig{
+		Verifier:       rt,
+		StatusResolver: rt,
+		Authorizer:     authorizer,
+		Auditor:        auditor,
+	}, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/supply/accounts", nil)
+	req.Header.Set("Authorization", "Bearer "+issued.AccessToken)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("unexpected status code: got=%d want=%d", rec.Code, http.StatusUnauthorized)
+	}
+	if code := decodeMiddlewareErrorCode(t, rec); code != service.CodeAuthTokenInactive {
+		t.Fatalf("unexpected error code: got=%s want=%s", code, service.CodeAuthTokenInactive)
+	}
+}
+
+func TestTOKLife007ExpiredTokenInactive(t *testing.T) {
+	t.Parallel()
+
+	current := time.Date(2026, 3, 29, 15, 0, 0, 0, time.UTC)
+	rt := service.NewInMemoryTokenRuntime(func() time.Time { return current })
+	ctx := context.Background()
+
+	issued, err := rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID: "2001",
+		Role:      model.RoleOwner,
+		Scope:     []string{"supply:*"},
+		TTL:       2 * time.Second,
+	})
+	if err != nil {
+		t.Fatalf("issue token failed: %v", err)
+	}
+	current = current.Add(3 * time.Second)
+
+	introspected, err := rt.Introspect(ctx, issued.AccessToken)
+	if err != nil {
+		t.Fatalf("introspect failed: %v", err)
+	}
+	if introspected.Status != service.TokenStatusExpired {
+		t.Fatalf("unexpected token status: got=%s want=%s", introspected.Status, service.TokenStatusExpired)
+	}
+
+	auditor := service.NewMemoryAuditEmitter()
+	authorizer := service.NewScopeRoleAuthorizer()
+	handler := middleware.BuildTokenAuthChain(middleware.AuthMiddlewareConfig{
+		Verifier:       rt,
+		StatusResolver: rt,
+		Authorizer:     authorizer,
+		Auditor:        auditor,
+	}, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/supply/accounts", nil)
+	req.Header.Set("Authorization", "Bearer "+issued.AccessToken)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("unexpected status code: got=%d want=%d", rec.Code, http.StatusUnauthorized)
+	}
+	if code := decodeMiddlewareErrorCode(t, rec); code != service.CodeAuthTokenInactive {
+		t.Fatalf("unexpected error code: got=%s want=%s", code, service.CodeAuthTokenInactive)
+	}
+}
+
+func TestTOKLife008ViewerWriteDenied(t *testing.T) {
+	t.Parallel()
+
+	auditor := service.NewMemoryAuditEmitter()
+	rt := service.NewInMemoryTokenRuntime(nil)
+	authorizer := service.NewScopeRoleAuthorizer()
+
+	ctx := context.Background()
+	viewer, err := rt.Issue(ctx, service.IssueTokenInput{
+		SubjectID: "2002",
+		Role:      model.RoleViewer,
+		Scope:     []string{"supply:read"},
+		TTL:       10 * time.Minute,
+	})
+	if err != nil {
+		t.Fatalf("issue viewer token failed: %v", err)
+	}
+
+	nextCalled := false
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		nextCalled = true
+		w.WriteHeader(http.StatusNoContent)
+	})
+	handler := middleware.BuildTokenAuthChain(middleware.AuthMiddlewareConfig{
+		Verifier:       rt,
+		StatusResolver: rt,
+		Authorizer:     authorizer,
+		Auditor:        auditor,
+	}, next)
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/supply/packages", nil)
+	req.Header.Set("Authorization", "Bearer "+viewer.AccessToken)
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusForbidden {
+		t.Fatalf("unexpected status code: got=%d want=%d", rec.Code, http.StatusForbidden)
+	}
+	if code := decodeMiddlewareErrorCode(t, rec); code != service.CodeAuthScopeDenied {
+		t.Fatalf("unexpected error code: got=%s want=%s", code, service.CodeAuthScopeDenied)
+	}
+	if nextCalled {
+		t.Fatalf("write handler should be blocked for viewer token")
+	}
+}
+
+type middlewareErrorEnvelope struct {
+	Error struct {
+		Code string `json:"code"`
+	} `json:"error"`
+}
+
+func decodeMiddlewareErrorCode(t *testing.T, rec *httptest.ResponseRecorder) string {
+	t.Helper()
+	var envelope middlewareErrorEnvelope
+	if err := json.Unmarshal(rec.Body.Bytes(), &envelope); err != nil {
+		t.Fatalf("failed to decode middleware error response: %v", err)
+	}
+	return envelope.Error.Code
+}